SSL and TLS differ in how they work, and establishing a secure connection requires the two sides to agree on a cipher suite. A cipher suite specifies a key exchange algorithm, an authentication algorithm, a bulk data encryption algorithm, and a message authentication code (MAC).
Each SSL and TLS version has its own set of supported cipher suites, and each new version is stronger than the one before it. The TLS handshake proceeds as follows.
- The client opens the communication by sending a “client hello” message to the server. It tells the server which TLS version and cipher suites the client supports. A “client random,” a string of random bytes, is included in the client hello.
- The server replies with a “server hello.” It includes the server’s SSL/TLS certificate and the cipher suite the server has selected. The server also sends a “server random” (another string of random bytes).
- The client then verifies the server’s TLS certificate and, through it, the server’s identity.
- The client now sends the ‘premaster secret,’ a string of bytes encrypted with the server’s public key taken from the certificate.
- The server decrypts the premaster secret with its private key.
- From the client random, the server random and the premaster secret, both the client and the server derive the same session keys.
- The client sends a ‘Finished’ message, encrypted with its session key, to signal that the client-side handshake is complete.
- The server also sends a ‘Finished’ message, encrypted with its session key, to signal that the server-side handshake is complete.
- All further communication between the client and the server is encrypted with the session keys.
Differences between SSL and TLS
SSL and TLS are both protocols for securing online communication. SSL is now obsolete and TLS is what is actually in use, but users still refer to a digital certificate as an SSL certificate rather than a TLS certificate. The differences between the SSL and TLS protocols are listed below.
- SSL stands for Secure Sockets Layer, while TLS stands for Transport Layer Security.
- SSL was introduced in 1995 by Netscape, while TLS was introduced in 1999 by the IETF (Internet Engineering Task Force).
- SSL supports the Fortezza cipher suite, while TLS supports stronger cipher suites such as Triple DES, AES and IDEA.
- Three versions of SSL have been released (SSL 1.0, 2.0 and 3.0), while TLS has versions 1.0, 1.1, 1.2 and 1.3.
- SSL is no longer used with certificates because of its vulnerabilities; TLS 1.0 and 1.1 have also been found vulnerable, and TLS 1.2 is presently in use.
- SSL appends a MAC (Message Authentication Code) to each encrypted message, while TLS uses an HMAC (Hash-based Message Authentication Code).
- SSL derives its keys with a message digest, while TLS uses a pseudo-random function (PRF) to create the master secret.
- SSL supports ad-hoc message authentication, while TLS supports standard message authentication.
- All SSL versions are vulnerable, and TLS 1.0 and 1.1 are vulnerable to the POODLE and BEAST attacks.
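The session-key step of the handshake described earlier, and the PRF and HMAC points in the list above, worked through in Python as an added example (not code from the original article): the TLS 1.2 PRF (P_SHA256 from RFC 5246) built on HMAC, the derivation of the master secret and key block from the client random, server random and premaster secret, and the 12-byte verify_data carried in a Finished message. This is the RSA key exchange flow of TLS 1.2 and earlier; all randoms, the premaster secret and the handshake transcript are constructed values.

```python
import hashlib
import hmac

def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion (RFC 5246 section 5): HMAC chained over A(i) values."""
    out, a = b"", seed                                            # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)

def session_keys(premaster, client_random, server_random, mac_len=32, key_len=16, iv_len=16):
    """Derive the master secret and split the key block as RFC 5246 section 6.3 lays it out."""
    # Master secret is 48 bytes; its seed is client_random + server_random.
    master = prf(premaster, b"master secret", client_random + server_random, 48)
    # Key expansion reverses the seed order to server_random + client_random.
    block = prf(master, b"key expansion", server_random + client_random,
                2 * (mac_len + key_len + iv_len))
    layout = [("client_mac", mac_len), ("server_mac", mac_len), ("client_key", key_len),
              ("server_key", key_len), ("client_iv", iv_len), ("server_iv", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = block[pos:pos + size]
        pos += size
    return master, keys

def verify_data(master: bytes, label: bytes, handshake_messages: bytes) -> bytes:
    """Finished payload: first 12 bytes of PRF(master, label, SHA256(handshake transcript))."""
    return prf(master, label, hashlib.sha256(handshake_messages).digest(), 12)

def demo() -> bool:
    # Constructed stand-ins: 32-byte randoms and a 48-byte RSA premaster (client version + 46 bytes).
    client_random, server_random = bytes(range(32)), bytes(range(32, 64))
    premaster = b"\x03\x03" + b"\x11" * 46
    transcript = b"ClientHello|ServerHello|Certificate|ClientKeyExchange"  # constructed
    # Each side runs the same derivation over the same three inputs and gets identical keys...
    master_c, keys_c = session_keys(premaster, client_random, server_random)
    master_s, keys_s = session_keys(premaster, client_random, server_random)
    # ...and the server recomputes the client's Finished value to confirm the transcripts match.
    client_finished = verify_data(master_c, b"client finished", transcript)
    return master_c == master_s and keys_c == keys_s and \
        client_finished == verify_data(master_s, b"client finished", transcript)

if __name__ == "__main__":
    print("both sides derived identical session keys:", demo())
```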