
Networking

Inside the TLS Handshake

Learn how TLS authenticates a server and agrees on a shared session key.


Why TLS Exists

TLS secures traffic by giving three guarantees: confidentiality (application data is encrypted), integrity (every record carries an authentication tag, so any modification is detected and the connection is torn down), and authentication of the server (proved by a certificate chain and a signature made with the certificate's private key; clients can optionally be authenticated the same way).

The Handshake Steps

  • The client sends a ClientHello listing the versions and cipher suites it supports, a random value, and (in TLS 1.3) one or more ephemeral key shares.
  • The server replies with a ServerHello carrying the chosen cipher suite, its own random value and its key share. Everything after that, including its certificate chain, a CertificateVerify signature over the handshake transcript, and a Finished message, is already encrypted under keys derived from the two shares.
  • The client validates the certificate chain up to a trusted certificate authority, checks that the name in the certificate matches the host it meant to reach, and verifies the CertificateVerify signature, which is what proves the server holds the private key for that certificate.
  • Both sides derive the same keys from their key shares, exchange Finished messages that authenticate the whole transcript, then switch to encrypted application-data records.

TLS 1.3 completes this in a single round trip, so the client can send its first request as soon as the server's flight arrives, and it supports zero round trip (0-RTT) resumption for returning clients. 0-RTT early data is protected by a key derived from the previous session's ticket rather than from a fresh key exchange, so it is not forward secret and can be replayed by an attacker who records it; servers should accept it only for requests that are safe to repeat.

Key Exchange

The session key is never sent on the wire. Each side generates a fresh (ephemeral) Diffie-Hellman key pair for this one connection, usually on the X25519 or P-256 curve, transmits only the public half, and combines its own private half with the peer's public share to reach the same shared secret. The server's long-term key only signs the handshake; it never encrypts anything, and the ephemeral private halves are discarded once the handshake is done. That is what gives forward secrecy: traffic recorded today cannot be decrypted later even if the server's private key leaks.
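The exchange described in the handshake steps and in the paragraph above, as an added example that is not part of the original lesson: both sides generate an ephemeral X25519 key pair, exchange only the public shares (the values that ride in ClientHello and ServerHello), compute the same shared secret, and run it through the TLS 1.3 key schedule down to the handshake traffic secrets. It uses only the Python standard library. The X25519 ladder (RFC 7748) and HKDF (RFC 5869, with the RFC 8446 label encoding) are written out here rather than taken from a library, the transcript bytes are a constructed stand-in for the real ClientHello and ServerHello, and the ladder contains a secret-dependent branch, so this is code to read, not to ship.

```python
"""Ephemeral X25519 exchange feeding a cut-down TLS 1.3 key schedule.
Standard library only. Teaching code: the scalar multiplication is not
constant time and the transcript is a constructed stand-in."""
import hashlib
import hmac
import os
from typing import Tuple

P = 2**255 - 19            # field prime of Curve25519
A24 = 121665               # (486662 - 2) / 4, the Montgomery ladder constant
BASEPOINT = b"\x09" + b"\x00" * 31
HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar k times u-coordinate u on Curve25519 (RFC 7748 section 5)."""
    kb = bytearray(k)                     # clamp the scalar
    kb[0] &= 248
    kb[31] &= 127
    kb[31] |= 64
    k_int = int.from_bytes(kb, "little")
    ub = bytearray(u)                     # mask the unused top bit of u
    ub[31] &= 127
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):          # ladder, most significant bit first
        k_t = (k_int >> t) & 1
        swap ^= k_t
        if swap:                          # secret-dependent branch: demo only
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = k_t
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label: info is the serialised HkdfLabel struct of RFC 8446 7.1."""
    full = b"tls13 " + label.encode()
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)


def derive_secret(secret: bytes, label: str, transcript: bytes) -> bytes:
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def handshake_traffic_secrets(shared: bytes, transcript: bytes) -> Tuple[bytes, bytes]:
    """Key schedule from the (EC)DHE output down to the two handshake traffic
    secrets. No PSK here, so the early secret comes from all-zero salt and IKM."""
    early = hkdf_extract(b"\x00" * HASH_LEN, b"\x00" * HASH_LEN)
    derived = derive_secret(early, "derived", b"")
    handshake = hkdf_extract(derived, shared)
    return (derive_secret(handshake, "c hs traffic", transcript),
            derive_secret(handshake, "s hs traffic", transcript))


def run_handshake(client_priv: bytes = b"", server_priv: bytes = b"") -> dict:
    """Both sides of the key exchange; fresh ephemeral keys unless supplied."""
    client_priv = client_priv or os.urandom(32)
    server_priv = server_priv or os.urandom(32)
    client_share = x25519(client_priv, BASEPOINT)    # sent in ClientHello
    server_share = x25519(server_priv, BASEPOINT)    # sent in ServerHello
    # Constructed stand-in for the ClientHello..ServerHello bytes that both
    # sides feed to the transcript hash; a real stack hashes the real messages.
    transcript = b"ClientHello:" + client_share + b"ServerHello:" + server_share
    client_keys = handshake_traffic_secrets(x25519(client_priv, server_share), transcript)
    server_keys = handshake_traffic_secrets(x25519(server_priv, client_share), transcript)
    return {"on_the_wire": (client_share, server_share),
            "client_keys": client_keys, "server_keys": server_keys}


if __name__ == "__main__":
    result = run_handshake()
    print("client and server agree:", result["client_keys"] == result["server_keys"])
    print("client handshake traffic secret:", result["client_keys"][0].hex())
```

Run it twice and the secrets differ each time because the private halves are fresh; the only values that crossed the "wire" are the two 32-byte shares, which are useless without a private half that neither side keeps. Certificate checking and CertificateVerify are deliberately not modelled: in a real handshake the server signs the transcript hash with its certificate's private key, which binds its identity to exactly this pair of shares and is what stops an attacker from substituting a share of their own.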

After the Handshake

Once keys are set, all application data, including the HTTP request and response, travels inside records protected by an authenticated (AEAD) cipher: an eavesdropper cannot read them, and any bit flipped in transit fails the authentication check, so the receiver discards the record and aborts the connection rather than acting on tampered data.

Key idea

TLS authenticates the server with a certificate and derives a shared session key via ephemeral key exchange, giving forward secret encryption.

Check yourself


1. What property does ephemeral Diffie-Hellman provide?

2. How does the client confirm it is talking to the real server?