The basic TLS Handshake is a negotiation between the client and server that authenticates the
server and settles the details of how to communicate. During this handshake process, the
client and the server decide on the TLS version (the highest mutually supported) and cipher suite. Only the
server is authenticated in the basic TLS handshake.
The full TLS Handshake requires mutual authentication between the client
and the server. During this process, the client must also prove the authenticity of its identity to the server
before a connection can be established.
A cipher suite
is the set of algorithms used for encrypting and authenticating data during secure communications between the client
and server. The client and server must agree on the cipher suite before proceeding to communicate past the
PKI (Public Key Infrastructure)
defines a set of roles and procedures for the management of digital certificates. This system
is responsible for ensuring the authenticity of each certificate issued by the server and client. Within PKI, the CA
(Certificate Authority) is responsible for issuing digital certificates. These certificates are used to verify the
authenticity of the owner (server/client).
Public and Private Key
cryptography is a system in which a mathematically related pair of keys is used for encrypting and signing data.
Each pair of keys in public key cryptography includes a widely disseminated public key and a private key known only to
one party. When data is signed or encrypted with a private key, any recipient can authenticate and/or decrypt the data
using the matching public key. Data encrypted using a public key can only be decrypted by the holder of the private
key. TLS uses public key cryptography during the TLS handshake.
Root CA Certificate
The root CA
certificate establishes the authenticity of the Certificate Authority. This root certificate is the top-most
certificate and is used to sign the certificates issued by the certificate authority. As an example, in the MQTT
with TLS demo, the root CA certificate could be configured to use a public MQTT broker (e.g.
test.mosquitto.org), or when using
AWS IoT Core, the root CA certificate would be one of the
recommended IoT Core CA certificates.
mbed TLS is an
implementation of TLS that is specifically designed for memory constrained embedded IoT devices. It utilizes a minimal
subset of the TLS stack.
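The sketch below shows how the terms above map onto concrete TLS settings: server-only versus mutual authentication, the root CA as trust anchor, the version floor and the cipher suite list. It is an added example using Python's standard `ssl` module, not mbed TLS or FreeRTOS demo code; the function names and the file-path parameters are assumptions made for illustration.

```python
import ssl

def client_context(ca_file=None, cert_file=None, key_file=None):
    """Client side: the server is always authenticated against a root CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # floor for version negotiation
    ctx.set_ciphers("ECDHE+AESGCM")                # TLS 1.2 suites the client offers
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # trust only this root CA (hypothetical path)
    else:
        ctx.load_default_certs()                   # otherwise use the system trust store
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)   # client identity, needed for mutual auth only
    return ctx

def server_context(mutual, cert_file=None, key_file=None, client_ca_file=None):
    """Server side: `mutual` switches between the basic and the full handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)   # server certificate and private key
    # Basic handshake: client stays anonymous. Full handshake: client must present a certificate.
    ctx.verify_mode = ssl.CERT_REQUIRED if mutual else ssl.CERT_NONE
    if mutual and client_ca_file:
        ctx.load_verify_locations(cafile=client_ca_file)  # CA that issued the client certs
    return ctx

def policy(ctx):
    """Summarise what a context will demand during the handshake."""
    return {
        "peer_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
        "tls12_suites": [c["name"] for c in ctx.get_ciphers()
                         if c["protocol"] == "TLSv1.2"],
    }

if __name__ == "__main__":
    # No certificate files are loaded here, so this only inspects the policy.
    for label, ctx in [("client", client_context()),
                       ("server, basic handshake", server_context(mutual=False)),
                       ("server, mutual authentication", server_context(mutual=True))]:
        print(label, policy(ctx))
```

A real connection additionally needs the certificate and key files passed in; without them the contexts only express the policy each side would enforce.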
Copyright (C) Amazon Web Services, Inc. or its affiliates. All rights reserved.