Last Updated: 2023-08-20

TLS uses a combination of symmetric and asymmetric cryptography, as this provides a good compromise between performance and security when transmitting data securely.

  • asymmetric: TLS uses asymmetric cryptography for securely generating and exchanging a session key.
  • symmetric: The session key is then used for encrypting the data transmitted by one party, and for decrypting the data received at the other end. Once the session is over, the session key is discarded.

3 players:

  • CA
  • Server
  • Client

Keys involved:

  • CA private key, cert (with public key)
  • Server private key, cert (with public key)
  • Session Key: a cipher key for symmetric cryptography.

Long before the handshake

  • CA signs server cert with private key; distribute public keys to clients (browsers).
  • clients (browsers) have a list of public keys of different CAs.
  • CA verifies servers and grant certs.


  • The client hello message: The client initiates the handshake by sending a "hello" message to the server. The message will include which TLS version the client supports, the cipher suites supported, and a string of random bytes known as the "client random."
  • The server hello message: In reply to the client hello message, the server sends a message containing the server's TLS certificate, the server's chosen cipher suite, and the "server random," another random string of bytes that's generated by the server. The cert contains a public key and domain name of the server
  • Authentication: The client verifies the server's TLS certificate with the CA's public key. This confirms that the server is who it says it is, and that the client is interacting with the actual owner of the domain.
  • The premaster secret: The client sends one more random string of bytes, the "premaster secret." The premaster secret is encrypted with the server's public key (included in the server's cert) and can only be decrypted with the private key by the server.
  • Private key used: The server decrypts the premaster secret with the server's private key.
  • Session keys created: Both client and server generate session keys from the client random, the server random, and the premaster secret. They should arrive at the same results. The session key will be used as a symetric key.
  • Client is ready: The client sends a "finished" message that is encrypted with a session key.
  • Server is ready: The server sends a "finished" message encrypted with a session key.
  • Secure symmetric encryption achieved: The handshake is completed, and communication continues using the session keys.