TLS Handshaking

From bibbleWiki
Revision as of 22:36, 9 December 2025 by Iwiseman

Introduction

This page is just to remind me how this works.

TLS Handshake (TLS 1.3)

Overview

The TLS handshake creates a shared secret (session key) between the client and server so their traffic is encrypted and authenticated.

Steps

  1. Client Hello: The client starts the handshake, sending supported TLS versions, cipher suites, and a random value.
  2. Server Hello + Certificate: The server chooses a cipher suite, sends its certificate (public key + identity), and its random value.
  3. Ephemeral Key Exchange (ECDHE): Client and server exchange ephemeral public keys. Each side uses its private ephemeral key and the other side’s public ephemeral key to compute the same shared secret.
  4. Session Key Derivation: Both sides derive a symmetric session key from the shared secret and random values. This key is never sent over the network.
  5. Secure Communication: All application data is encrypted with the symmetric session key. Only the client and server can decrypt it.

Notes

  • Authentication: The server’s certificate lets the client verify the server’s identity (when the client trusts the certificate’s issuer).
  • Forward Secrecy: Ephemeral keys ensure that even if a server’s long-term private key is stolen later, past traffic cannot be decrypted.