HTTPS

TLS HANDSHAKE

  • ClientHello: The client sends its supported TLS versions, cipher suites, and a random number.

  • ServerHello: The server picks a TLS version and cipher suite from the client's list and sends its own random number.

  • Server Certificate: The server sends its digital certificate to prove its identity.

  • Key Exchange: The client and server exchange cryptographic values to generate a shared premaster secret.

  • Master Secret Derivation: Both sides compute the master secret using the premaster secret and both random values.

  • ChangeCipherSpec + Finished: The client and server activate encryption and verify that the handshake was successful.

  • Secure Communication: All further messages are encrypted using session keys derived from the master secret.

TERMS

Certificate

A certificate is a digital identity document sent by the server to prove it is who it claims to be. It follows the X.509 standard and contains the server’s public key, along with identifying information like its domain name. The certificate is signed by a trusted Certificate Authority (CA), allowing the client to verify its authenticity. If the certificate is valid and trusted, the client continues the handshake.

Premaster Secret

The premaster secret is a temporary value that the client and server both calculate during the handshake using key exchange methods like RSA or Diffie-Hellman. It is not transmitted directly; instead, it’s derived securely from exchanged public and private values. This secret ensures that both sides have a common foundation for encryption without exposing it to eavesdroppers. The premaster secret is used only to create the master secret.

Master Secret

The master secret is the final shared key derived from the premaster secret and both the client’s and server’s random numbers. It’s computed independently by both parties using a secure key derivation function. The master secret is never sent over the network; instead, it’s used to generate the actual encryption and authentication keys for the session. This key forms the cryptographic core of the secure connection.
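The derivation chain described above (key exchange, premaster secret, master secret, session keys), as an added example that is not part of the original page. It assumes the TLS 1.2 PRF from RFC 5246 with HMAC-SHA256 and AES-128-GCM key sizes; the Diffie-Hellman group is a toy constructed for the demo, and all function names are the example's own.

```python
import hashlib
import hmac
import secrets

# Toy finite-field Diffie-Hellman group (constructed for this example, NOT secure;
# real TLS uses standardized groups or elliptic curves).
P = 2**127 - 1
G = 3

def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: HMAC chained until `length` bytes exist."""
    out, a = b"", seed                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_hash(secret, label + seed, length)

def z_bytes(z: int) -> bytes:
    # TLS 1.2 strips leading zero bytes from the DH shared value.
    return z.to_bytes((z.bit_length() + 7) // 8, "big")

def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # Always 48 bytes; seed order is client random, then server random.
    return prf(premaster, b"master secret", client_random + server_random, 48)

def session_keys(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    # Key expansion reverses the seed order: server random first.
    # Sizes assume AES-128-GCM: two 16-byte keys and two 4-byte implicit IVs.
    kb = prf(master, b"key expansion", server_random + client_random, 40)
    return {"client_key": kb[0:16], "server_key": kb[16:32],
            "client_iv": kb[32:36], "server_iv": kb[36:40]}

def handshake_demo() -> tuple:
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    # Each side keeps its private exponent and sends only G^x mod P.
    c_priv, s_priv = secrets.randbelow(P - 3) + 2, secrets.randbelow(P - 3) + 2
    c_pub, s_pub = pow(G, c_priv, P), pow(G, s_priv, P)
    # Both sides compute the same premaster secret without transmitting it.
    pm_client = z_bytes(pow(s_pub, c_priv, P))
    pm_server = z_bytes(pow(c_pub, s_priv, P))
    ms_client = master_secret(pm_client, client_random, server_random)
    ms_server = master_secret(pm_server, client_random, server_random)
    return ms_client, ms_server, session_keys(ms_client, client_random, server_random)
```

Because both random values feed the derivation, a replayed key exchange with fresh randoms still yields a different master secret and different session keys.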
