TLS 1.3

In the context of the TLS protocol, a connection is the state of mutual communication in which both parties possess a certain undisclosed sequence, shielded from third parties, for subsequent utilization within the the context of mutual data encryption/decryption. For example, the procedure of a server-client handshake in the instance of TLS 1.3 utilizing the TLS_AES_256_GCM_SHA384 cipher is as follows:

  1. The client generates ephemeral key pairs.
  2. Client Hello: The client sends a sequence containing the client random, administrative information (including a list of supported cipher suites, a list of supported protocol versions, session ID, and so forth), and client public keys.
  3. The server generates an ephemeral key pair according to the client's preferences.
  4. Server Hello: The server sends a sequence comprising the server random, administrative information (selected cipher, chosen protocol version, and so forth), and an ephemeral public key.
  5. The server generates an encryption key for subsequent client-server communication establishment, deriving it from the client's public key, the server's private key, and hashed values of ClientHello and ServerHello.
  6. The client generates the aforementioned key. Thus, all further communication from the client to the server is encrypted.
  7. Server Certificate: The server sends certificate(s).
  8. Server Certificate Verify: The server sends a signature and subsequent "Server Handshake Finished" message. Due to the mandatory generation of ephemeral key pairs during the connection establishment according to TLS version 1.3, for the purpose of certificate ownership confirmation, the server signs hashed values of the entire preceding server-client message using the certificate's private key, for subsequent validation by the client using the public key from the certificate.
  9. The server generates a shared secret, utilizing the values of the current encryption key and the hashes of each handshake message, commencing with ClientHello and concluding with Server Handshake Finished.
  10. The client generates a shared secret using a similar algorithm.
  11. Client Handshake Finished: The client sends an affirming message with a challenge.
  12. Client Application Data: The client sends data.
  13. Server New Session Ticket: The server sends two messages with one-time session tickets.
  14. Server Application Data: The server sends data.