The TLS 1.3 Handshake
One round trip to a secure, forward-secret connection. Plaintext stages are slate; encrypted stages blue; application data rust orange.
Plaintext (in the clear)
Encrypted with handshake keys
Application data (AEAD)
sequenceDiagram
autonumber
participant C as Client
participant S as Server
Note over C: Generates ephemeral DH key pair<br/>private key kept secret
C->>S: ClientHello — supported versions, cipher suites, key_share (DH public)
Note over S: Generates ephemeral DH key pair<br/>private key kept secret<br/>shared_secret = ECDH(client_pub, server_priv)
S->>C: ServerHello — selected version and cipher, key_share (DH public)
Note over C,S: Both sides derive the SAME shared secret<br/>ECDH(client_pub, server_priv) = ECDH(server_pub, client_priv)<br/>Handshake keys derived — everything below is ENCRYPTED
S-->>C: {EncryptedExtensions, Certificate, CertificateVerify, Finished}
Note right of S: CertificateVerify — server signs the handshake<br/>transcript with the cert private key.<br/>Proves it holds the certified key.
C-->>S: {Finished}
Note over C,S: Handshake complete after ONE round trip (1-RTT)
C->>S: Application Data (AEAD — AES-GCM or ChaCha20-Poly1305)
S->>C: Application Data (AEAD — AES-GCM or ChaCha20-Poly1305)
Note over C,S: Forward secrecy — ephemeral DH keys are discarded.<br/>Stealing the long-term key later does NOT decrypt past sessions.
Versus TLS 1.2: two round trips before any application data, a longer
menu of options and key-exchange modes, and several footguns (static RSA key
exchange with no forward secrecy, renegotiation, weak cipher suites). TLS 1.3
removed them — fewer options, faster, secure by default.
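
The key agreement in steps 1 and 2 of the diagram, carried through to the secret that protects the server's encrypted flight in step 3. This is an added example, not part of the original page: it assumes X25519 as the DH group and SHA-256 as the cipher-suite hash, uses a constructed byte string in place of the real ClientHello..ServerHello transcript, and its function names are hypothetical. The pure-Python ladder is not constant time and is for study only.

```python
import hashlib, hmac, os

P = 2**255 - 19  # Curve25519 field prime

def x25519(k: bytes, u: bytes) -> bytes:
    """X25519 scalar multiplication, Montgomery ladder from RFC 7748."""
    k_int = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)  # clamp scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k_int >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """Derive-Secret (RFC 8446, section 7.1) for SHA-256 and a 32-byte output."""
    full = b"tls13 " + label
    ctx = hashlib.sha256(transcript).digest()
    info = (32).to_bytes(2, "big") + bytes([len(full)]) + full + bytes([len(ctx)]) + ctx
    return hmac.new(secret, info + b"\x01", hashlib.sha256).digest()  # one HKDF-Expand block

def handshake_secret(shared: bytes) -> bytes:
    """Mix the ECDH output into the key schedule (no PSK, so zeros as early input)."""
    early = hkdf_extract(b"\x00" * 32, b"\x00" * 32)
    return hkdf_extract(derive_secret(early, b"derived", b""), shared)

def handshake(transcript: bytes = b"constructed ClientHello||ServerHello"):
    """One session; returns the server handshake traffic secret as seen by each side."""
    base = (9).to_bytes(32, "little")                 # Curve25519 base point u = 9
    c_priv, s_priv = os.urandom(32), os.urandom(32)   # ephemeral, never sent
    c_pub, s_pub = x25519(c_priv, base), x25519(s_priv, base)  # key_share values
    c_hs = handshake_secret(x25519(c_priv, s_pub))    # client: own private, server public
    s_hs = handshake_secret(x25519(s_priv, c_pub))    # server: own private, client public
    return (derive_secret(c_hs, b"s hs traffic", transcript),
            derive_secret(s_hs, b"s hs traffic", transcript))
```

Each call to `handshake()` draws fresh private keys, so two sessions never share a traffic secret, and no long-term certificate key enters the derivation at any point.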