Basic TLS Handshake
The basic TLS handshake is a negotiation between the client and server that authenticates the server and settles the details of how the two will communicate. During this handshake, the client and the server decide on the TLS version (the highest mutually supported) and the cipher suite. Only the server is authenticated in the basic TLS handshake.
The full TLS Handshake requires mutual authentication between the client and the server. During this process, the client must also prove the authenticity of its identity to the server before a connection can be established.
A cipher suite is an algorithm that encrypts the data being exchanged between the client and server. The client and server must agree on the cipher suite before they can communicate past the handshake.
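The version and cipher suite agreed during the handshake are announced by the server in its ServerHello message. The following added example (not from the original page or from mbed TLS) reads both fields from a raw record with every access bounds-checked; `server_choice_t`, `parse_server_hello` and the `SAMPLE` bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What the server announced. In TLS 1.3 the real version travels in the
 * supported_versions extension, which this parser does not read. */
typedef struct {
    uint16_t version;      /* legacy_version, e.g. 0x0303 = TLS 1.2 */
    uint16_t cipher_suite; /* IANA cipher suite id chosen by the server */
} server_choice_t;

/* Parse one TLS record holding a ServerHello.
 * Returns 0 on success, -1 on malformed or truncated input. */
int parse_server_hello(const uint8_t *buf, size_t len, server_choice_t *out)
{
    if (buf == NULL || out == NULL || len < 5) return -1;
    if (buf[0] != 0x16) return -1;               /* record type: handshake */
    size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
    if (rec_len > len - 5) return -1;            /* record longer than input */
    const uint8_t *p = buf + 5;
    if (rec_len < 4 || p[0] != 0x02) return -1;  /* handshake type: ServerHello */
    size_t body = ((size_t)p[1] << 16) | ((size_t)p[2] << 8) | p[3];
    if (body > rec_len - 4) return -1;
    p += 4;
    if (body < 35) return -1;       /* version(2) + random(32) + sid length(1) */
    size_t sid = p[34];
    /* session_id + cipher_suite(2) + compression(1) must still fit */
    if (sid > 32 || body < 35 + sid + 3) return -1;
    out->version = (uint16_t)((p[0] << 8) | p[1]);
    out->cipher_suite = (uint16_t)((p[35 + sid] << 8) | p[36 + sid]);
    return 0;
}

/* Constructed sample: TLS 1.2 ServerHello, all-zero random, empty session id,
 * suite 0xC02F (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), null compression. */
static const uint8_t SAMPLE[47] = {
    0x16, 0x03, 0x03, 0x00, 0x2A,   /* record: handshake, length 42 */
    0x02, 0x00, 0x00, 0x26,         /* ServerHello, body length 38 */
    0x03, 0x03,                     /* legacy_version: TLS 1.2 */
    [44] = 0xC0, [45] = 0x2F        /* chosen cipher suite */
};

int main(void)
{
    server_choice_t c;
    if (parse_server_hello(SAMPLE, sizeof SAMPLE, &c) != 0) return 1;
    printf("version 0x%04X, cipher suite 0x%04X\n", c.version, c.cipher_suite);
    return 0;
}
```

Comparing the parsed values against the versions and suites a device is configured to accept is a quick way to confirm that a broker did not negotiate something weaker than intended.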
PKI (Public Key Infrastructure) defines a set of roles and procedures for the management of digital certificates. This system is responsible for ensuring the authenticity of each certificate issued by the server and client. Within PKI, the CA (Certificate Authority) is responsible for issuing digital certificates. These certificates are used to verify the authenticity of the owner (server/client).
Public and Private Key
A public key is disseminated widely, while a private key is known only to its owner to maintain security across the system. Messages that are transmitted are signed by the public key, but once received, the messages are decrypted by the user’s private key to read the message contents. A robust secure system will use the private key with the public key to sign the message prior to transmission.
Root CA Certificate
The root CA certificate establishes the authenticity of the Certificate Authority. This root certificate is the top-most certificate and is used to sign the certificates issued by the certificate authority. In the MQTT with TLS demo, the root CA certificate is provided by the Mosquitto MQTT broker (test.mosquitto.org).
mbed TLS is an implementation of TLS that is specifically designed for memory-constrained embedded devices. It utilizes a minimal subset of the TLS stack.