Ssl Tls Overview - Learning Module

Loading content...

0/240

Security Services

The Services TLS Provides

TLS is not a single security mechanism but a framework of coordinated security services working in concert to protect network communications. Each service addresses a specific threat, and together they create a comprehensive security envelope around application data.

Understanding these services at a deep technical level is essential for security professionals. When analyzing whether a system is properly secured, you must be able to determine which services are actually being provided, how they are implemented, and what their limitations are.

What You Will Learn

By the end of this page, you will understand the four core security services TLS provides: Confidentiality, Integrity, Authentication, and Anti-Replay. You'll learn exactly how each is implemented cryptographically, what threats each addresses, and the precise guarantees they provide.

Security Services Overview

TLS provides a carefully integrated set of security services that work together to create a secure channel. A secure channel is an abstraction that presents the network to applications as if it were a private, authenticated, tamper-proof communication medium.

The Four Pillars of TLS Security:

TLS Security Services at a Glance
Service	Threat Addressed	Implementation	Failure Impact
Confidentiality	Eavesdropping	Symmetric encryption (AES-GCM, ChaCha20)	Attackers read all traffic
Integrity	Data modification	MAC/AEAD authentication tags	Attackers modify data undetected
Authentication	Impersonation	X.509 certificates + PKI	Attackers pose as legitimate servers
Anti-Replay	Transaction replay	Sequence numbers + nonces	Old transactions reprocessed

The Interdependence of Services:

These services are not independent—they form a coherent system where each depends on others:

Confidentiality without Authentication is useless: you might be securely communicating with an attacker
Integrity without Confidentiality reveals what you're protecting
Authentication without Integrity allows attackers to modify authenticated sessions
All services depend on proper Key Management: compromised keys break everything

This interconnection is why TLS provides all services together rather than allowing applications to pick and choose.

The Secure Channel Abstraction

Think of TLS as a secure tunnel through hostile territory. The tunnel walls are encryption (confidentiality), the tunnel lining that detects damage is integrity verification, the guards at each end who verify identities are authentication, and the one-way turnstiles that prevent going backward are anti-replay protection.

Confidentiality in Depth

Confidentiality ensures that only authorized parties can read the content of communications. In TLS, this is achieved through symmetric encryption using keys established during the handshake.

The Encryption Pipeline:

When an application sends data through TLS, it undergoes a transformation process:

TLS Encryption Pipeline

Diagram

Application Data
        │
        ▼
┌───────────────────────────────────────────────────────────────┐
│                      TLS Record Layer                          │
│                                                                 │
│  1. FRAGMENT: Split data into ≤16KB chunks                     │
│        │                                                        │
│        ▼                                                        │
│  2. COMPRESS: (Disabled in modern TLS)                          │
│        │                                                        │
│        ▼                                                        │
│  3. PROTECT:                                                    │
│     ┌─────────────────────────────────────────────────────┐    │
│     │  For TLS 1.2 with AEAD (GCM):                       │    │
│     │                                                      │    │
│     │  additional_data = seq_num || type || version || len│    │
│     │  nonce = iv || explicit_nonce (12 bytes total)      │    │
│     │                                                      │    │
│     │  ciphertext || auth_tag = AES-GCM-Encrypt(          │    │
│     │      key = session_key,                              │    │
│     │      nonce = nonce,                                  │    │
│     │      plaintext = fragment,                           │    │
│     │      additional_data = additional_data               │    │
│     │  )                                                   │    │
│     └─────────────────────────────────────────────────────┘    │
│        │                                                        │
│        ▼                                                        │
│  4. OUTPUT: TLS Record (header + encrypted data + auth tag)    │
└───────────────────────────────────────────────────────────────┘
        │
        ▼
   TCP/IP Stack

Modern Encryption Algorithms in TLS:

AES-GCM (Galois/Counter Mode):

Most widely deployed TLS cipher
Hardware acceleration (AES-NI) on modern CPUs
128-bit or 256-bit keys
128-bit authentication tag
Nonce: 12 bytes (4-byte implicit + 8-byte explicit in TLS 1.2, or derived in TLS 1.3)

ChaCha20-Poly1305:

Alternative for systems without AES hardware acceleration
256-bit key
96-bit nonce
128-bit authentication tag
Higher performance on mobile/embedded devices without AES-NI
Preferred cipher in TLS 1.3 when AES-NI is unavailable

Confidentiality Guarantees and Limitations

•Content Protection: The actual data (HTTP requests, passwords, files) cannot be read by network observers
•Key Secrecy: Only the two endpoints possess the symmetric keys; even the CA cannot decrypt
•Forward Secrecy (with ECDHE): Compromise of long-term keys doesn't compromise past sessions
•Limitation - Metadata Visibility: IP addresses, connection timing, and data volume are visible
•Limitation - SNI Exposure: Server hostname sent in cleartext (TLS 1.2) or encrypted (TLS 1.3 with ECH)
•Limitation - Traffic Analysis: Patterns in encrypted traffic can sometimes reveal content

Encryption Is Necessary But Not Sufficient

Confidentiality alone doesn't guarantee security. An attacker could still modify encrypted data or impersonate servers. TLS encrypts toward authenticated endpoints precisely because encryption without authentication is encrypting toward potentially malicious parties.

Integrity Protection

Integrity protection ensures that any modification to data in transit is detected by the recipient. Without integrity, an attacker could silently alter financial transactions, inject malicious code, or modify commands.

How TLS Ensures Integrity:

TLS provides integrity through cryptographic authentication tags computed over the data. The approach differs between TLS versions:

TLS 1.2 with CBC (Encrypt-then-MAC):

In CBC mode, TLS 1.2 uses a separate MAC computation:

1. MAC_key = derived from master secret
2. mac = HMAC-SHA256(MAC_key, seq_num || type || version || length || plaintext)
3. padded_data = plaintext || mac || padding
4. ciphertext = CBC-Encrypt(encryption_key, IV, padded_data)

Verification:

1. Decrypt ciphertext
2. Remove and verify padding
3. Extract MAC
4. Compute expected MAC over plaintext
5. Compare computed MAC with extracted MAC
6. If match, accept; otherwise, reject entire record

Attack Surface: The separation of encryption and MAC led to padding oracle attacks (POODLE, Lucky13). The timing of error responses could leak whether padding or MAC verification failed.

Scope of Integrity Protection:

TLS integrity covers:

Component	Protection Level	Notes
Application Data	Full	Encrypted and authenticated
Record Header	Authenticated	Type, version, length protected by AAD
Sequence Number	Implicit	Part of nonce/AAD, prevents reordering
Handshake Messages	Finished hash	Entire handshake verified at conclusion
Alert Messages	Full	Prevents fake error injection

What Integrity Does NOT Protect:

IP Headers: Routing information visible and modifiable
TCP Headers: Port numbers, flags visible
TLS Record Boundaries: Attacker can observe record sizes
Connection Metadata: Timing, volume patterns

The Finished Message: Handshake Integrity

Beyond record-level integrity, TLS verifies the entire handshake hasn't been tampered with. The Finished message contains a MAC over all handshake messages. If any message was modified (e.g., cipher suite downgrade), the Finished verification fails and the connection is aborted.

Authentication Services

Authentication is perhaps the most complex service TLS provides. It ensures that parties can verify each other's identities before exchanging sensitive data. Without authentication, you might establish a perfectly encrypted channel—to an attacker.

The Authentication Problem:

On the internet, you connect to IP addresses, not identities. When you type https://bank.example.com, your browser:

Resolves the hostname to an IP address via DNS
Establishes a TCP connection to that IP
Initiates a TLS handshake

At no point so far have you verified that the server at that IP is actually bank.example.com. DNS can be spoofed. IP routing can be hijacked. TLS authentication solves this.

TLS Authentication Components

•X.509 Certificates: Digital documents binding a public key to an identity (hostname)
•Certificate Authorities (CAs): Trusted third parties that sign certificates after verifying identity
•Certificate Chain: Path from server certificate through intermediates to a trusted root
•Private Key Proof: Server proves it possesses the private key corresponding to the certificate
•Hostname Verification: Client confirms the certificate matches the intended server

The Authentication Flow:

TLS Server Authentication Flow

Diagram

Client                                              Server
   │                                                    │
   │  1. ClientHello (supported versions, ciphers)     │
   │  ─────────────────────────────────────────────────>│
   │                                                    │
   │  2. ServerHello + Certificate Chain               │
   │  <─────────────────────────────────────────────────│
   │                                                    │
   │  3. Certificate Validation (Client-side):         │
   │     ┌────────────────────────────────────────┐    │
   │     │ a. Check cert not expired               │    │
   │     │ b. Verify signature chain to root CA    │    │
   │     │ c. Check root CA in trust store         │    │
   │     │ d. Check cert not revoked (CRL/OCSP)    │    │
   │     │ e. Verify hostname matches cert         │    │
   │     └────────────────────────────────────────┘    │
   │                                                    │
   │  4. Key Exchange (signed by server's private key) │
   │  <─────────────────────────────────────────────────│
   │                                                    │
   │  5. Verify signature with certificate public key  │
   │     (Proves server possesses private key)         │
   │                                                    │
   │  If all checks pass: Server is authenticated      │
   │                                                    │

Hostname Verification Details:

The most critical authentication check is verifying that the certificate matches the intended hostname. This prevents attacks where valid certificates for one domain are used to impersonate another.

Certificate Name Matching:

Subject Common Name (CN): Legacy field containing the hostname
Subject Alternative Name (SAN): Modern extension listing all valid hostnames
Wildcard Matching: *.example.com matches www.example.com but not mail.sub.example.com

Modern Practice:

SAN is authoritative; CN is deprecated for hostname matching
Certificates should contain all valid hostnames in SAN
Wildcard certificates match one level of subdomain only

Client Authentication (Mutual TLS)

By default, TLS authenticates only the server. Mutual TLS (mTLS) adds client certificates so servers can verify client identities. This is common in microservices, API authentication, and enterprise VPNs. In mTLS, both parties present and verify certificates.

Anti-Replay Protection

Replay attacks occur when an attacker captures legitimate traffic and retransmits it later. Without protection, an attacker could:

Re-submit a funds transfer request
Repeat authentication tokens
Duplicate commands or transactions

TLS provides robust anti-replay protection through several mechanisms that work together.

TLS Anti-Replay Mechanisms

•Sequence Numbers: Each TLS record contains an implicit sequence number that increments with every record. Replayed records have outdated sequence numbers.
•Nonces: AEAD encryption uses a unique nonce per record, derived partially from the sequence number. Reusing a nonce with the same key breaks GCM security.
•Session Keys: Each connection uses unique session keys. Replayed traffic from a different session uses wrong keys and fails decryption.
•Handshake Randomness: Client and server random values in the handshake are 32 bytes each, preventing handshake replay.
•Session Identifiers: Session tickets/IDs are bound to specific key material and have limited lifetime.

Sequence Number Implementation:

TLS maintains separate read and write sequence numbers for each direction:

Connection State:
  client_write_seq = 0
  client_read_seq = 0  
  server_write_seq = 0
  server_read_seq = 0

For each record sent:
  Include seq in MAC/nonce computation
  seq++

For each record received:
  Verify seq matches expected value
  seq++

Why This Works:

Sequence numbers are never transmitted (implicit, not explicit)
Each record's authentication tag is bound to its sequence number
Replaying a record means presenting it with wrong sequence number
Wrong sequence number → wrong nonce → authentication failure

The 0-RTT Replay Exception:

TLS 1.3 0-RTT Replay Risk

TLS 1.3's 0-RTT early data is explicitly NOT replay-protected by the protocol. Applications using 0-RTT must implement idempotent operations or their own replay mitigation. GET requests are generally safe; POST requests with side effects are not. Servers can disable 0-RTT or implement replay caches.

Record Layer Guarantees:

Property	Guarantee	Mechanism
No Replay	Old records rejected	Sequence numbers
No Reordering	Records must arrive in order	Sequential sequence numbers
No Truncation	Missing records detected	MAC/tag verification fails
No Insertion	Extra records detected	Wrong sequence number
No Modification	Changed data detected	Authentication tag mismatch

These guarantees make the TLS record stream behave like an authenticated, ordered, reliable channel—more like a secure pipe than raw network packets.

Forward Secrecy

Forward secrecy (also called Perfect Forward Secrecy or PFS) is a crucial security property that protects past communications even if long-term private keys are later compromised.

The Problem Without Forward Secrecy:

Traditional RSA key exchange works like this:

Client generates a random pre-master secret
Client encrypts pre-master secret with server's RSA public key
Server decrypts using RSA private key
Both derive session keys from pre-master secret

The Vulnerability:

An attacker records all encrypted traffic
Years later, the server's private key is compromised (breach, decommissioning, etc.)
Attacker decrypts all recorded pre-master secrets
Attacker derives all session keys and decrypts all historical traffic

Without Forward Secrecy (RSA)

•Server key is long-lived (years)
•Same key encrypts all sessions
•Recorded traffic decryptable later
•Single key compromise = all sessions
•Enables 'harvest now, decrypt later'

With Forward Secrecy (ECDHE)

•Ephemeral keys per session
•Keys discarded after use
•Recorded traffic CANNOT be decrypted
•Server key compromise: no past impact
•Protects against future threats

How Ephemeral Diffie-Hellman Provides Forward Secrecy:

With ECDHE (Elliptic Curve Diffie-Hellman Ephemeral):

For each connection:
  1. Server generates ephemeral ECDH key pair (private_s, public_s)
  2. Client generates ephemeral ECDH key pair (private_c, public_c)
  3. Exchange public keys (signed by server's certificate key)
  4. Both compute: shared_secret = ECDH(own_private, other_public)
  5. Derive session keys from shared_secret
  6. DISCARD ephemeral private keys

Why This Works:

The ephemeral private keys exist only in memory during the handshake
After key derivation, they are discarded (zeroed, never written to disk)
Even if the server's long-term signature key is later compromised, there's no way to recover the ephemeral private keys
Without ephemeral private keys, the shared secret cannot be computed
Without the shared secret, session keys cannot be derived
Without session keys, traffic cannot be decrypted

TLS 1.3 Mandates Forward Secrecy

TLS 1.3 removed static RSA key exchange entirely. Every TLS 1.3 connection uses ephemeral key exchange, ensuring forward secrecy by default with no configuration required. This represents a major security improvement over previous versions.

Key Establishment

All TLS security services ultimately depend on key establishment—the process of generating and distributing the cryptographic keys used for encryption and authentication. This is one of the most security-critical aspects of TLS.

The Key Hierarchy:

TLS uses a hierarchical key derivation structure:

TLS 1.3 Key Hierarchy

Diagram

ECDHE Shared Secret (from key exchange)
        │
        ▼
┌─────────────────────────────────────────────────────────────┐
│                    Key Derivation (HKDF)                     │
│                                                              │
│  Early Secret ◄─── PSK (if resuming) or 0                   │
│       │                                                      │
│       ├──► binder_key        (for PSK validation)            │
│       ├──► client_early_traffic_secret  (0-RTT data)         │
│       │                                                      │
│       ▼                                                      │
│  Handshake Secret ◄─── ECDHE shared secret                   │
│       │                                                      │
│       ├──► client_handshake_traffic_secret                   │
│       │         └──► client_handshake_key + IV               │
│       ├──► server_handshake_traffic_secret                   │
│       │         └──► server_handshake_key + IV               │
│       │                                                      │
│       ▼                                                      │
│  Master Secret                                               │
│       │                                                      │
│       ├──► client_application_traffic_secret_0               │
│       │         └──► client_traffic_key + IV                 │
│       ├──► server_application_traffic_secret_0               │
│       │         └──► server_traffic_key + IV                 │
│       ├──► resumption_master_secret (for session tickets)    │
│       └──► exporter_master_secret (for key export)           │
└─────────────────────────────────────────────────────────────┘

HKDF - HMAC-based Key Derivation Function:

TLS 1.3 uses HKDF (RFC 5869) for all key derivation:

// Extract: Concentrate randomness
PRK = HKDF-Extract(salt, input_keying_material)

// Expand: Generate keys of desired length
OKM = HKDF-Expand(PRK, info, length)

Why a Complex Hierarchy?

Separation of Concerns: Different keys for different phases (handshake vs application data)
Key Independence: Compromise of one key doesn't reveal others
Direction Separation: Client→Server uses different keys than Server→Client
Key Updates: Can rotate application keys without new handshake
Exportability: Applications can derive additional keys safely

Key Management Security Properties

•Key Separation: Different keys for encryption, MAC, and each direction
•Key Binding: Keys bound to handshake transcript via HKDF 'info' parameter
•Key Freshness: Ephemeral exchange ensures unique keys per session
•Key Erasure: Forward secrecy requires secure erasure of key material
•Key Confirmation: Finished messages prove both parties derived same keys

Why Both Parties Compute Keys

TLS never transmits session keys. Both parties independently compute the same keys from the shared secret. This means there's no point in the communication where keys exist in transit. An attacker would need to compromise the key derivation inputs, not intercept key transmission.

Summary: TLS Security Services

We've explored the comprehensive security services that TLS provides to protect network communications. Let's consolidate the key insights:

Key Takeaways

•Confidentiality through Symmetric Encryption: AES-GCM or ChaCha20-Poly1305 encrypt all data with per-session keys, protecting content from eavesdroppers.
•Integrity through AEAD Authentication: Every record includes authentication tags verified atomically, detecting any modification.
•Authentication through Certificates and PKI: X.509 certificate chains verified against trusted roots prove server (and optionally client) identity.
•Anti-Replay through Sequence Numbers: Implicit sequence numbers in MACs/nonces prevent reuse of captured traffic.
•Forward Secrecy through Ephemeral Keys: ECDHE ensures that past sessions remain secure even if long-term keys are compromised.
•Hierarchical Key Derivation: HKDF creates separate, bound keys for each purpose, limiting damage from any single compromise.

What's Next:

Beyond the core security services we've examined, TLS's practical deployment centers on certificates. The next page explores certificate-based authentication in depth—how X.509 certificates work, how the PKI trust model functions, and the practical aspects of certificate management that every network security professional must understand.

Page Complete

You now have deep understanding of the security services TLS provides. This knowledge enables you to analyze TLS configurations, understand security audit findings, and make informed decisions about protocol deployment. Next, we'll dive into the certificate infrastructure that makes TLS authentication possible.

Security Services

The Services TLS Provides

What You Will Learn

Security Services Overview

The Four Pillars of TLS Security:

TLS Security Services at a Glance
Service	Threat Addressed	Implementation	Failure Impact
Confidentiality	Eavesdropping	Symmetric encryption (AES-GCM, ChaCha20)	Attackers read all traffic
Integrity	Data modification	MAC/AEAD authentication tags	Attackers modify data undetected
Authentication	Impersonation	X.509 certificates + PKI	Attackers pose as legitimate servers
Anti-Replay	Transaction replay	Sequence numbers + nonces	Old transactions reprocessed

The Interdependence of Services:

These services are not independent—they form a coherent system where each depends on others:

Confidentiality without Authentication is useless: you might be securely communicating with an attacker
Integrity without Confidentiality reveals what you're protecting
Authentication without Integrity allows attackers to modify authenticated sessions
All services depend on proper Key Management: compromised keys break everything

This interconnection is why TLS provides all services together rather than allowing applications to pick and choose.

The Secure Channel Abstraction

Confidentiality in Depth

Confidentiality ensures that only authorized parties can read the content of communications. In TLS, this is achieved through symmetric encryption using keys established during the handshake.

The Encryption Pipeline:

When an application sends data through TLS, it undergoes a transformation process:

TLS Encryption Pipeline

Diagram

Application Data
        │
        ▼
┌───────────────────────────────────────────────────────────────┐
│                      TLS Record Layer                          │
│                                                                 │
│  1. FRAGMENT: Split data into ≤16KB chunks                     │
│        │                                                        │
│        ▼                                                        │
│  2. COMPRESS: (Disabled in modern TLS)                          │
│        │                                                        │
│        ▼                                                        │
│  3. PROTECT:                                                    │
│     ┌─────────────────────────────────────────────────────┐    │
│     │  For TLS 1.2 with AEAD (GCM):                       │    │
│     │                                                      │    │
│     │  additional_data = seq_num || type || version || len│    │
│     │  nonce = iv || explicit_nonce (12 bytes total)      │    │
│     │                                                      │    │
│     │  ciphertext || auth_tag = AES-GCM-Encrypt(          │    │
│     │      key = session_key,                              │    │
│     │      nonce = nonce,                                  │    │
│     │      plaintext = fragment,                           │    │
│     │      additional_data = additional_data               │    │
│     │  )                                                   │    │
│     └─────────────────────────────────────────────────────┘    │
│        │                                                        │
│        ▼                                                        │
│  4. OUTPUT: TLS Record (header + encrypted data + auth tag)    │
└───────────────────────────────────────────────────────────────┘
        │
        ▼
   TCP/IP Stack

Modern Encryption Algorithms in TLS:

AES-GCM (Galois/Counter Mode):

Most widely deployed TLS cipher
Hardware acceleration (AES-NI) on modern CPUs
128-bit or 256-bit keys
128-bit authentication tag
Nonce: 12 bytes (4-byte implicit + 8-byte explicit in TLS 1.2, or derived in TLS 1.3)

ChaCha20-Poly1305:

Alternative for systems without AES hardware acceleration
256-bit key
96-bit nonce
128-bit authentication tag
Higher performance on mobile/embedded devices without AES-NI
Preferred cipher in TLS 1.3 when AES-NI is unavailable

Confidentiality Guarantees and Limitations

•Content Protection: The actual data (HTTP requests, passwords, files) cannot be read by network observers
•Key Secrecy: Only the two endpoints possess the symmetric keys; even the CA cannot decrypt
•Forward Secrecy (with ECDHE): Compromise of long-term keys doesn't compromise past sessions
•Limitation - Metadata Visibility: IP addresses, connection timing, and data volume are visible
•Limitation - SNI Exposure: Server hostname sent in cleartext (TLS 1.2) or encrypted (TLS 1.3 with ECH)
•Limitation - Traffic Analysis: Patterns in encrypted traffic can sometimes reveal content

Encryption Is Necessary But Not Sufficient

Integrity Protection

How TLS Ensures Integrity:

TLS provides integrity through cryptographic authentication tags computed over the data. The approach differs between TLS versions:

TLS 1.2 with CBC (Encrypt-then-MAC):

In CBC mode, TLS 1.2 uses a separate MAC computation:

1. MAC_key = derived from master secret
2. mac = HMAC-SHA256(MAC_key, seq_num || type || version || length || plaintext)
3. padded_data = plaintext || mac || padding
4. ciphertext = CBC-Encrypt(encryption_key, IV, padded_data)

Verification:

1. Decrypt ciphertext
2. Remove and verify padding
3. Extract MAC
4. Compute expected MAC over plaintext
5. Compare computed MAC with extracted MAC
6. If match, accept; otherwise, reject entire record

Attack Surface: The separation of encryption and MAC led to padding oracle attacks (POODLE, Lucky13). The timing of error responses could leak whether padding or MAC verification failed.

Scope of Integrity Protection:

TLS integrity covers:

Component	Protection Level	Notes
Application Data	Full	Encrypted and authenticated
Record Header	Authenticated	Type, version, length protected by AAD
Sequence Number	Implicit	Part of nonce/AAD, prevents reordering
Handshake Messages	Finished hash	Entire handshake verified at conclusion
Alert Messages	Full	Prevents fake error injection

What Integrity Does NOT Protect:

IP Headers: Routing information visible and modifiable
TCP Headers: Port numbers, flags visible
TLS Record Boundaries: Attacker can observe record sizes
Connection Metadata: Timing, volume patterns

The Finished Message: Handshake Integrity

Authentication Services

The Authentication Problem:

On the internet, you connect to IP addresses, not identities. When you type https://bank.example.com, your browser:

Resolves the hostname to an IP address via DNS
Establishes a TCP connection to that IP
Initiates a TLS handshake

At no point so far have you verified that the server at that IP is actually bank.example.com. DNS can be spoofed. IP routing can be hijacked. TLS authentication solves this.

TLS Authentication Components

•X.509 Certificates: Digital documents binding a public key to an identity (hostname)
•Certificate Authorities (CAs): Trusted third parties that sign certificates after verifying identity
•Certificate Chain: Path from server certificate through intermediates to a trusted root
•Private Key Proof: Server proves it possesses the private key corresponding to the certificate
•Hostname Verification: Client confirms the certificate matches the intended server

The Authentication Flow:

TLS Server Authentication Flow

Diagram

Client                                              Server
   │                                                    │
   │  1. ClientHello (supported versions, ciphers)     │
   │  ─────────────────────────────────────────────────>│
   │                                                    │
   │  2. ServerHello + Certificate Chain               │
   │  <─────────────────────────────────────────────────│
   │                                                    │
   │  3. Certificate Validation (Client-side):         │
   │     ┌────────────────────────────────────────┐    │
   │     │ a. Check cert not expired               │    │
   │     │ b. Verify signature chain to root CA    │    │
   │     │ c. Check root CA in trust store         │    │
   │     │ d. Check cert not revoked (CRL/OCSP)    │    │
   │     │ e. Verify hostname matches cert         │    │
   │     └────────────────────────────────────────┘    │
   │                                                    │
   │  4. Key Exchange (signed by server's private key) │
   │  <─────────────────────────────────────────────────│
   │                                                    │
   │  5. Verify signature with certificate public key  │
   │     (Proves server possesses private key)         │
   │                                                    │
   │  If all checks pass: Server is authenticated      │
   │                                                    │

Hostname Verification Details:

The most critical authentication check is verifying that the certificate matches the intended hostname. This prevents attacks where valid certificates for one domain are used to impersonate another.

Certificate Name Matching:

Subject Common Name (CN): Legacy field containing the hostname
Subject Alternative Name (SAN): Modern extension listing all valid hostnames
Wildcard Matching: *.example.com matches www.example.com but not mail.sub.example.com

Modern Practice:

SAN is authoritative; CN is deprecated for hostname matching
Certificates should contain all valid hostnames in SAN
Wildcard certificates match one level of subdomain only

Client Authentication (Mutual TLS)

Anti-Replay Protection

Replay attacks occur when an attacker captures legitimate traffic and retransmits it later. Without protection, an attacker could:

Re-submit a funds transfer request
Repeat authentication tokens
Duplicate commands or transactions

TLS provides robust anti-replay protection through several mechanisms that work together.

TLS Anti-Replay Mechanisms

•Sequence Numbers: Each TLS record contains an implicit sequence number that increments with every record. Replayed records have outdated sequence numbers.
•Nonces: AEAD encryption uses a unique nonce per record, derived partially from the sequence number. Reusing a nonce with the same key breaks GCM security.
•Session Keys: Each connection uses unique session keys. Replayed traffic from a different session uses wrong keys and fails decryption.
•Handshake Randomness: Client and server random values in the handshake are 32 bytes each, preventing handshake replay.
•Session Identifiers: Session tickets/IDs are bound to specific key material and have limited lifetime.

Sequence Number Implementation:

TLS maintains separate read and write sequence numbers for each direction:

Connection State:
  client_write_seq = 0
  client_read_seq = 0  
  server_write_seq = 0
  server_read_seq = 0

For each record sent:
  Include seq in MAC/nonce computation
  seq++

For each record received:
  Verify seq matches expected value
  seq++

Why This Works:

Sequence numbers are never transmitted (implicit, not explicit)
Each record's authentication tag is bound to its sequence number
Replaying a record means presenting it with wrong sequence number
Wrong sequence number → wrong nonce → authentication failure

The 0-RTT Replay Exception:

TLS 1.3 0-RTT Replay Risk

Record Layer Guarantees:

Property	Guarantee	Mechanism
No Replay	Old records rejected	Sequence numbers
No Reordering	Records must arrive in order	Sequential sequence numbers
No Truncation	Missing records detected	MAC/tag verification fails
No Insertion	Extra records detected	Wrong sequence number
No Modification	Changed data detected	Authentication tag mismatch

These guarantees make the TLS record stream behave like an authenticated, ordered, reliable channel—more like a secure pipe than raw network packets.

Forward Secrecy

Forward secrecy (also called Perfect Forward Secrecy or PFS) is a crucial security property that protects past communications even if long-term private keys are later compromised.

The Problem Without Forward Secrecy:

Traditional RSA key exchange works like this:

Client generates a random pre-master secret
Client encrypts pre-master secret with server's RSA public key
Server decrypts using RSA private key
Both derive session keys from pre-master secret

The Vulnerability:

An attacker records all encrypted traffic
Years later, the server's private key is compromised (breach, decommissioning, etc.)
Attacker decrypts all recorded pre-master secrets
Attacker derives all session keys and decrypts all historical traffic

Without Forward Secrecy (RSA)

•Server key is long-lived (years)
•Same key encrypts all sessions
•Recorded traffic decryptable later
•Single key compromise = all sessions
•Enables 'harvest now, decrypt later'

With Forward Secrecy (ECDHE)

•Ephemeral keys per session
•Keys discarded after use
•Recorded traffic CANNOT be decrypted
•Server key compromise: no past impact
•Protects against future threats

How Ephemeral Diffie-Hellman Provides Forward Secrecy:

With ECDHE (Elliptic Curve Diffie-Hellman Ephemeral):

For each connection:
  1. Server generates ephemeral ECDH key pair (private_s, public_s)
  2. Client generates ephemeral ECDH key pair (private_c, public_c)
  3. Exchange public keys (signed by server's certificate key)
  4. Both compute: shared_secret = ECDH(own_private, other_public)
  5. Derive session keys from shared_secret
  6. DISCARD ephemeral private keys

Why This Works:

The ephemeral private keys exist only in memory during the handshake
After key derivation, they are discarded (zeroed, never written to disk)
Even if the server's long-term signature key is later compromised, there's no way to recover the ephemeral private keys
Without ephemeral private keys, the shared secret cannot be computed
Without the shared secret, session keys cannot be derived
Without session keys, traffic cannot be decrypted

TLS 1.3 Mandates Forward Secrecy

Key Establishment

The Key Hierarchy:

TLS uses a hierarchical key derivation structure:

TLS 1.3 Key Hierarchy

Diagram

ECDHE Shared Secret (from key exchange)
        │
        ▼
┌─────────────────────────────────────────────────────────────┐
│                    Key Derivation (HKDF)                     │
│                                                              │
│  Early Secret ◄─── PSK (if resuming) or 0                   │
│       │                                                      │
│       ├──► binder_key        (for PSK validation)            │
│       ├──► client_early_traffic_secret  (0-RTT data)         │
│       │                                                      │
│       ▼                                                      │
│  Handshake Secret ◄─── ECDHE shared secret                   │
│       │                                                      │
│       ├──► client_handshake_traffic_secret                   │
│       │         └──► client_handshake_key + IV               │
│       ├──► server_handshake_traffic_secret                   │
│       │         └──► server_handshake_key + IV               │
│       │                                                      │
│       ▼                                                      │
│  Master Secret                                               │
│       │                                                      │
│       ├──► client_application_traffic_secret_0               │
│       │         └──► client_traffic_key + IV                 │
│       ├──► server_application_traffic_secret_0               │
│       │         └──► server_traffic_key + IV                 │
│       ├──► resumption_master_secret (for session tickets)    │
│       └──► exporter_master_secret (for key export)           │
└─────────────────────────────────────────────────────────────┘

HKDF - HMAC-based Key Derivation Function:

TLS 1.3 uses HKDF (RFC 5869) for all key derivation:

// Extract: Concentrate randomness
PRK = HKDF-Extract(salt, input_keying_material)

// Expand: Generate keys of desired length
OKM = HKDF-Expand(PRK, info, length)

Why a Complex Hierarchy?

Separation of Concerns: Different keys for different phases (handshake vs application data)
Key Independence: Compromise of one key doesn't reveal others
Direction Separation: Client→Server uses different keys than Server→Client
Key Updates: Can rotate application keys without new handshake
Exportability: Applications can derive additional keys safely

Key Management Security Properties

•Key Separation: Different keys for encryption, MAC, and each direction
•Key Binding: Keys bound to handshake transcript via HKDF 'info' parameter
•Key Freshness: Ephemeral exchange ensures unique keys per session
•Key Erasure: Forward secrecy requires secure erasure of key material
•Key Confirmation: Finished messages prove both parties derived same keys

Why Both Parties Compute Keys

Summary: TLS Security Services

We've explored the comprehensive security services that TLS provides to protect network communications. Let's consolidate the key insights:

Key Takeaways

•Confidentiality through Symmetric Encryption: AES-GCM or ChaCha20-Poly1305 encrypt all data with per-session keys, protecting content from eavesdroppers.
•Integrity through AEAD Authentication: Every record includes authentication tags verified atomically, detecting any modification.
•Authentication through Certificates and PKI: X.509 certificate chains verified against trusted roots prove server (and optionally client) identity.
•Anti-Replay through Sequence Numbers: Implicit sequence numbers in MACs/nonces prevent reuse of captured traffic.
•Forward Secrecy through Ephemeral Keys: ECDHE ensures that past sessions remain secure even if long-term keys are compromised.
•Hierarchical Key Derivation: HKDF creates separate, bound keys for each purpose, limiting damage from any single compromise.

What's Next:

Page Complete