Transport Layer Security (TLS), Secure Sockets Layer (SSL)

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communication security over the Internet. They use X.509 certificates, and hence asymmetric cryptography, to authenticate the counterparty they are communicating with and to exchange a symmetric key. This session key is then used to encrypt the data flowing between the parties. This provides data/message confidentiality, while message authentication codes provide message integrity and, as a by-product, message authentication. Several versions of the protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging, and voice-over-IP (VoIP). An important property in this context is forward secrecy: the short-term session key cannot be derived from the long-term asymmetric secret key.

In the TCP/IP model view, TLS and SSL encrypt the data of network connections at a lower sublayer of its application layer. In OSI model equivalences, TLS/SSL is initialized at layer 5 (the session layer) then works at layer 6 (the presentation layer): first the session layer has a handshake using an asymmetric cipher in order to establish cipher settings and a shared key for that session; then the presentation layer encrypts the rest of the communication using a symmetric cipher and that session key. In both models, TLS and SSL work on behalf of the underlying transport layer, whose segments carry encrypted data.

The TLS protocol allows client-server applications to communicate across a network in a way designed to prevent eavesdropping and tampering.

In applications design, TLS is usually implemented on top of any of the Transport Layer protocols, encapsulating the application-specific protocols such as HTTP, FTP, SMTP, NNTP and XMPP. Historically it has been used primarily with reliable transport protocols such as the Transmission Control Protocol (TCP). However, it has also been implemented with datagram-oriented transport protocols, such as the User Datagram Protocol (UDP) and the Datagram Congestion Control Protocol (DCCP), usage which has been standardized independently using the term Datagram Transport Layer Security (DTLS).

Why Do We Use TLS/SSL?

They provide three critical security properties:

1. Encryption

Data is encrypted so attackers can’t read it.

2. Authentication

Verifies the identity of the server (and sometimes the client) using digital certificates.

3. Integrity

Ensures data isn’t altered during transmission.

How Does TLS Work?

TLS typically runs on top of the Transmission Control Protocol (TCP).

Step 1: Handshake

• Client and server agree on encryption methods
• Server sends its certificate
• Keys are securely exchanged

Step 2: Secure Communication

• Data is encrypted using symmetric encryption
• Messages include integrity checks

Key Features

• Public key cryptography for secure key exchange
• Symmetric encryption for fast data transfer
• Digital certificates issued by trusted authorities
• Forward secrecy (in modern TLS)
• Cipher suites to define algorithms used

C# examples for using SSL/TLS in .NET

Modern applications should use:

• TLS (Transport Layer Security), version 1.2 or 1.3
• not the old, deprecated SSL versions

In .NET, TLS is commonly implemented with the following classes:

• SslStream
• TcpClient
• TcpListener

1. TLS Server Example

This server:

• accepts TCP clients
• upgrades connection to TLS
• uses a certificate
• securely reads/writes messages

using System;
using System.Net;
using System.Net.Sockets;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;

class SecureServer
{
    static void Main()
    {
        TcpListener listener =
            new TcpListener(IPAddress.Any, 5000);

        listener.Start();

        Console.WriteLine("TLS Server started...");

        // Server certificate with its private key. The file name and
        // password here are placeholders; in real deployments load the
        // password from configuration or a secret store, not source code.
        X509Certificate2 certificate =
            new X509Certificate2("server.pfx", "password");

        while (true)
        {
            TcpClient client = listener.AcceptTcpClient();

            Console.WriteLine("Client connected");

            NetworkStream networkStream =
                client.GetStream();

            // Wrap the plain TCP stream; 'false' keeps the inner stream
            // open until we close it explicitly below.
            SslStream sslStream =
                new SslStream(networkStream, false);

            // Perform the TLS handshake as the server:
            //   certificate            - our identity
            //   clientCertificateRequired = false (no mutual TLS)
            //   enabledSslProtocols    = TLS 1.2 only
            //   checkCertificateRevocation = true
            sslStream.AuthenticateAsServer(
                certificate,
                false,
                SslProtocols.Tls12,
                true
            );

            // Everything read from or written to sslStream from here on
            // is encrypted and integrity-protected on the wire.
            // Note: a single Read may return fewer bytes than were sent;
            // a real protocol would loop or frame its messages.
            byte[] buffer = new byte[1024];

            int bytesRead =
                sslStream.Read(buffer, 0, buffer.Length);

            string message =
                Encoding.UTF8.GetString(
                    buffer,
                    0,
                    bytesRead
                );

            Console.WriteLine("Received: " + message);

            string response = "Secure hello from server";

            byte[] responseBytes =
                Encoding.UTF8.GetBytes(response);

            sslStream.Write(
                responseBytes,
                0,
                responseBytes.Length
            );

            sslStream.Close();
            client.Close();
        }
    }
}

2. TLS Client Example

This client:

• connects to the server
• creates a TLS-secured stream
• sends encrypted data

using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Text;

class SecureClient
{
    static void Main()
    {
        TcpClient client = new TcpClient(
            "127.0.0.1",
            5000
        );

        // WARNING: the validation callback below returns true for ANY
        // certificate, which disables server authentication entirely.
        // It is only acceptable for local testing against the self-signed
        // development certificate; production code must return true only
        // when 'errors == SslPolicyErrors.None' (or pin a known certificate).
        SslStream sslStream =
            new SslStream(
                client.GetStream(),
                false,
                (sender, cert, chain, errors) => true
            );

        // Handshake as the client:
        //   targetHost          = "localhost" (must match a name in the cert)
        //   clientCertificates  = null (no client certificate)
        //   enabledSslProtocols = TLS 1.2 only
        //   checkCertificateRevocation = false
        sslStream.AuthenticateAsClient(
            "localhost",
            null,
            SslProtocols.Tls12,
            false
        );

        Console.WriteLine("TLS connection established");

        string message = "Hello secure server";

        byte[] data =
            Encoding.UTF8.GetBytes(message);

        sslStream.Write(data, 0, data.Length);

        byte[] buffer = new byte[1024];

        int bytesRead =
            sslStream.Read(buffer, 0, buffer.Length);

        string response =
            Encoding.UTF8.GetString(
                buffer,
                0,
                bytesRead
            );

        Console.WriteLine("Server says: " + response);

        sslStream.Close();
        client.Close();
    }
}
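The client above accepts any certificate, which removes the authentication property TLS is supposed to provide: an attacker who can redirect the connection can present their own certificate and read or alter every message. The following is an added example, not code from the original page, of a client whose validation callback accepts a certificate only when it chains to a trusted root and matches the host name, with a fingerprint-pinning fallback so the self-signed development certificate still works during testing. The host, port, environment variable name and the fingerprint placeholder are assumptions; it also enables TLS 1.3 alongside TLS 1.2 and reads until the server closes the connection instead of relying on a single Read call.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example: a TLS client that actually authenticates the server.
class ValidatingClient
{
    // SHA-256 fingerprint of YOUR development certificate (hex, no separators).
    // Placeholder value; read it from the environment so it is not hard-coded.
    static readonly string PinnedDevFingerprint =
        Environment.GetEnvironmentVariable("DEV_CERT_SHA256") ?? "<SHA256-OF-YOUR-DEV-CERT>";

    static bool ValidateServerCertificate(
        object sender,
        X509Certificate certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        // Production rule: chain builds to a trusted root AND the name matches.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // Development fallback: a self-signed certificate cannot build a
        // chain, so accept it only if it is exactly the one we generated.
        // Name mismatches are still rejected.
        if (certificate != null
            && sslPolicyErrors == SslPolicyErrors.RemoteCertificateChainErrors)
        {
            string presented = certificate.GetCertHashString(HashAlgorithmName.SHA256);
            bool pinned = string.Equals(presented, PinnedDevFingerprint,
                                        StringComparison.OrdinalIgnoreCase);
            if (!pinned)
                Console.WriteLine("Unpinned self-signed certificate: " + presented);
            return pinned;
        }

        Console.WriteLine("Rejected server certificate: " + sslPolicyErrors);
        return false;
    }

    static void Main()
    {
        using (TcpClient client = new TcpClient("127.0.0.1", 5000))
        using (SslStream sslStream = new SslStream(
                   client.GetStream(), false, ValidateServerCertificate))
        {
            var options = new SslClientAuthenticationOptions
            {
                // Must match a DNS name (SAN) in the server certificate.
                TargetHost = "localhost",
                // Refuse anything older than TLS 1.2.
                EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13,
                // Production expectation; a self-signed dev cert has no
                // revocation information and falls through to the pin check.
                CertificateRevocationCheckMode = X509RevocationMode.Online
            };

            // Throws AuthenticationException if the callback returns false.
            sslStream.AuthenticateAsClient(options);

            Console.WriteLine("Negotiated " + sslStream.SslProtocol +
                              " / " + sslStream.NegotiatedCipherSuite);

            byte[] data = Encoding.UTF8.GetBytes("Hello secure server");
            sslStream.Write(data, 0, data.Length);

            // Read until the server closes; one Read may return a partial message.
            using (var received = new MemoryStream())
            {
                byte[] buffer = new byte[1024];
                int n;
                while ((n = sslStream.Read(buffer, 0, buffer.Length)) > 0)
                    received.Write(buffer, 0, n);

                Console.WriteLine("Server says: " +
                                  Encoding.UTF8.GetString(received.ToArray()));
            }
        }
    }
}
```

The fingerprint check is deliberately limited to the RemoteCertificateChainErrors case: a certificate for the wrong host name, or a connection that presents no certificate at all, is rejected even in development, so the testing shortcut cannot quietly turn back into the accept-everything callback.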

3. Create a Self-Signed Certificate

You can generate a development certificate with:

Windows PowerShell

New-SelfSignedCertificate `
    -DnsName "localhost" `
    -CertStoreLocation "cert:\LocalMachine\My"

Export it, together with its private key, as a .pfx file so the server example can load it.
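If you prefer not to depend on the Windows certificate store, the same development certificate can be created and exported from .NET itself. This is an added example, not from the original page; the output file name "server.pfx", the environment variable for the password and the 30-day lifetime are assumptions chosen to fit the server example above.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: generate a self-signed development certificate for "localhost"
// and export it as a PFX that the server example can load.
class DevCertificate
{
    public static X509Certificate2 CreateLocalhostCertificate(int validDays)
    {
        // ECDSA P-256 key; the private key lives only in this process until exported.
        using (ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP256))
        {
            var request = new CertificateRequest(
                "CN=localhost", key, HashAlgorithmName.SHA256);

            // Restrict the certificate to server authentication (OID 1.3.6.1.5.5.7.3.1).
            request.CertificateExtensions.Add(
                new X509EnhancedKeyUsageExtension(
                    new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false));

            // Modern clients match the host name against the SAN, not the CN.
            var san = new SubjectAlternativeNameBuilder();
            san.AddDnsName("localhost");
            request.CertificateExtensions.Add(san.Build());

            // Short lifetime: this is a throwaway development credential.
            DateTimeOffset notBefore = DateTimeOffset.UtcNow.AddMinutes(-5);
            return request.CreateSelfSigned(notBefore, notBefore.AddDays(validDays));
        }
    }

    static void Main()
    {
        using (X509Certificate2 cert = CreateLocalhostCertificate(30))
        {
            // Never hard-code a real PFX password; "password" is only the
            // fallback for a local test run.
            string password =
                Environment.GetEnvironmentVariable("DEV_PFX_PASSWORD") ?? "password";

            File.WriteAllBytes("server.pfx", cert.Export(X509ContentType.Pfx, password));

            Console.WriteLine("Wrote server.pfx (valid until " + cert.NotAfter + ")");
            // Use this value to pin the certificate on the client side.
            Console.WriteLine("SHA-256 fingerprint: " +
                              cert.GetCertHashString(HashAlgorithmName.SHA256));
        }
    }
}
```

The printed SHA-256 fingerprint is what a client that pins the development certificate (rather than accepting any certificate) should compare against; the PFX file and its password should be treated as secrets even for a development certificate, since anyone holding them can impersonate "localhost" to your client.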

Advantages

• Strong security (especially TLS 1.2/1.3)
• Protects sensitive data (passwords, payments)
• Widely supported across browsers and servers
• Prevents eavesdropping and tampering

Disadvantages

• Performance overhead (encryption/decryption)
• Complex setup (certificates, configuration)
• Vulnerabilities if misconfigured
• Older SSL versions are insecure and deprecated

Comparison of TLS and SSL

| Feature                  | SSL                          | TLS                                  |
|--------------------------|------------------------------|--------------------------------------|
| Full Name                | Secure Sockets Layer         | Transport Layer Security             |
| Developed By             | Netscape                     | IETF                                 |
| First Release            | 1995                         | 1999                                 |
| Current Status           | Deprecated / Insecure        | Modern Standard                      |
| Security Level           | Weak                         | Strong                               |
| Encryption Algorithms    | Older algorithms             | Modern secure algorithms             |
| Handshake Process        | Slower and less secure       | Faster and more secure               |
| Message Authentication   | Uses MAC                     | Uses HMAC                            |
| Key Exchange             | Limited support              | Supports modern key exchange methods |
| Performance              | Slower                       | Faster and optimized                 |
| Certificate Support      | Supported                    | Supported                            |
| Vulnerability Exposure   | High (POODLE, DROWN, etc.)   | Much lower                           |
| Recommended for Modern Apps | No                        | Yes                                  |
| Common Versions          | SSL 2.0, SSL 3.0             | TLS 1.2, TLS 1.3                     |
| Used in HTTPS Today      | No                           | Yes                                  |
