Transport Layer Securityprotocol designed by Netscape Communications Corporation to provide secure communications on the Internet. SSL version 3.0, released in 1996, was later used as a basis to develop Transport Layer Security (TLS), an IETF standard protocol. TLS was first defined in RFC 2246: "The TLS Protocol Version 1.0".
These protocols provide endpoint authentication and communications privacy over the Internet using cryptography. In typical use, only the server is authenticated (i.e. its identity is ensured) while the client remains unauthenticated; PKI deployment is required for mutual authentication. The protocols allow client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.
They are layered beneath application protocols such as HTTP, SMTP and NNTP and above the TCP transport protocol, which is part of the TCP-IP protocol suite. While both SSL and TLS can be used to add security to any protocol that uses TCP, they are most commonly used in the HTTPS access method. HTTPS is used to secure World Wide Web pages for applications such as Electronic commerce. Both protocols use public key cryptography and public key certificates to verify the identity of endpoints.
Like SSL on which it was based, TLS is a modular protocol, designed to be extended, with support for forwards and backwards compatibility and negotiation between peers.
Both TLS and SSL involve a number of basic phases:
- Peer negotiation for algorithm support
- Public key encryption based key exchange and certificate-based authentication
- Symmetric cipher-based traffic encryption
TLS has subsequently been extended by other RFCs including:
- RFC 2712: "Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)". The 40-bit ciphersuites defined in this memo are included only for the purpose of documenting the fact that those ciphersuite codes have already been assigned.
- RFC 2817: "Upgrading to TLS Within HTTP/1.1", explains how to use the Upgrade mechanism in HTTP/1.1 to initiate Transport Layer Security (TLS) over an existing TCP connection. This allows unsecured and secured HTTP traffic to share the same well known port (in this case, http: at 80 rather than https: at 443).
- RFC 2818: "HTTP Over TLS", distinguishes secured traffic from insecure traffic by the use of a different 'server port'.
- RFC 3268: "AES Ciphersuites for TLS". Adds enhanced by the addition of Advanced Encryption Standard (AES) ciphersuites to the previously existing symmetric ciphers, like RC2, RC4, International Data Encryption Algorithm (IDEA), Data Encryption Standard (DES), and Triple DES.
This article (or an earlier version of it) contains material from FOLDOC's article on SSL, used with permission.