Transport layer security (TLS)

Transport layer security (TLS) is a cryptographic protocol that protects data during transfer. It delivers authentication, encryption and integrity for information in motion. TLS replaced the older SSL protocol, which is now obsolete. It is a core standard for securing transfers such as HTTPS, SMTP and FTPS.

TLS relies on public-key cryptography to verify a server for the client. This step prevents spoofing attempts. After verification, the two sides create symmetric keys that keep traffic private. Integrity checks run during the session to confirm that files remain unchanged.

File transfer servers most often use TLS through FTPS. FTPS offers two security modes. Explicit FTPS begins with a client request for encryption. Implicit FTPS denies all unencrypted sessions. Both modes protect legacy file exchanges without redesigning them.

TLS versions and features

TLS 1.3, released in 2018, is the protocol’s most recent version. The protocol was originally defined in 1999, with each version introducing updates to encryption algorithms, handshake procedures and session handling to improve both performance and protection during file transfers.

Version 1.3’s features include:

  • Certificate validation that confirms server identity and helps prevent impersonation attacks
  • Forward secrecy that uses ephemeral keys to prevent decryption of past sessions
  • Reduced handshake latency
  • The removal of insecure algorithms, such as RSA key exchange

TLS 1.2 and 1.3 are now considered the baseline for secure file transfer protocols that must pass modern compliance checks.

What TLS does — and doesn’t do

TLS plays a key role in securing file transfers, but it does not provide complete protection on its own. It only operates during transit and depends on other systems and configurations to secure the broader file exchange process.

Here’s what TLS does in the context of managed file transfer (MFT) or file transfer protocol (FTP):

  • Authenticates endpoints using digital certificates and public key infrastructure
  • Encrypts data in transit to prevent eavesdropping or man-in-the-middle attacks
  • Maintains session integrity to detect tampering or packet injection

TLS does not:

  • Control user access or permissions, which requires server-side policy enforcement
  • Encrypt data at rest, which must be handled separately

TLS must be combined with access controls, logging, automation and storage protections to meet end-to-end security and compliance requirements.

Enabling and managing TLS

Managing TLS connections requires you to configure the correct certificates, ports and protocol values on your web-facing servers (such as your file transfer server). 

These configuration aspects include:

  • Allowing TLS 1.2 or TLS 1.3 only on your web servers
  • Applying cipher suites that satisfy policy and compliance goals
  • Creating an SSL/TLS certificate to authenticate your servers
  • Enabling ports 21, 990 and 989 for FTPS transfers, or port 443 for HTTPS 
  • Selecting explicit or implicit TLS modes to meet client needs
  • Tracking handshake errors and certificate expiry through logs and alerts

TLS handshake: How a secure connection is made

A TLS handshake starts the secure connection between the client and server. It sets rules for ciphers, checks identity and prepares the path for private data. No user data moves until this phase ends.

The steps in a TLS handshake are:

  • Client hello: The client lists supported TLS versions, cipher suites and a fresh random number for entropy.
  • Server hello: The server chooses one version, selects one suite and sends its leaf certificate to the client to verify its identity.
  • Key exchange: Both hosts derive a shared secret through an ephemeral Diffie‑Hellman method.
  • Certificate verification: The client validates the certificate chain against trusted roots inside its store.
  • Session confirmation: Each side returns a finished record that proves they share the same secret keys.

After the handshake finishes, traffic shifts to symmetric ciphers such as AES‑GCM to keep packets fast and private.
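The configuration checklist above and the handshake steps just listed can be exercised together. The following Go program is an added example written for this glossary entry; it is not Cerberus FTP Server code and uses only the standard library's crypto/tls and crypto/x509 packages, not any product setting. The host name ftps.example.test, the 30-day certificate lifetime and the helper names (serverConfig, clientConfig, demoServer, runHandshake, HandshakeResult, must) are assumptions made for the demo. It generates a self-signed certificate in memory, starts a server on loopback that allows only TLS 1.2 or 1.3 with ECDHE and AEAD cipher suites, and runs three handshakes: a properly configured client, a client whose trust store does not contain the server's certificate (the certificate verification step fails), and a legacy client that offers only a CBC suite (rejected by the cipher policy). The result struct carries what an operator would log or alert on: negotiated version, cipher suite and days until certificate expiry, or the error that ended the handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Host name the constructed demo certificate is issued for (an assumption of this example).
const demoHost = "ftps.example.test"

// serverConfig applies the checklist above: TLS 1.2 as the floor (TLS 1.3 is still chosen when
// both sides offer it) and, for TLS 1.2, only ECDHE + AEAD suites. TLS 1.3's suites are fixed.
func serverConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// must panics on error: fine for demo setup, not for production server code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// demoServer builds an in-memory self-signed ECDSA certificate for demoHost expiring in validDays
// (standing in for a CA-issued one) and returns the hardened config plus a trust store for it.
func demoServer(validDays int) (*tls.Config, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{demoHost}, // matched against the client's ServerName
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Duration(validDays) * 24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	leaf := must(x509.ParseCertificate(der))
	trusted := x509.NewCertPool()
	trusted.AddCert(leaf)
	return serverConfig(tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}), trusted
}

// clientConfig trusts exactly the given roots (nil = the OS trust store) and verifies the server
// name; legacyCBC models an old client that offers only a CBC (non-AEAD) TLS 1.2 suite.
func clientConfig(roots *x509.CertPool, legacyCBC bool) *tls.Config {
	cfg := &tls.Config{RootCAs: roots, ServerName: demoHost, MinVersion: tls.VersionTLS12}
	if legacyCBC {
		cfg.MaxVersion = tls.VersionTLS12
		cfg.CipherSuites = []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA}
	}
	return cfg
}

// HandshakeResult is what an operator would log or alert on for each connection.
type HandshakeResult struct {
	Version      uint16 // 0x0303 = TLS 1.2, 0x0304 = TLS 1.3
	CipherSuite  string // e.g. TLS_AES_128_GCM_SHA256
	DaysToExpiry int    // days until the server certificate's NotAfter
	Err          error  // non-nil when the handshake failed
}

// runHandshake runs a one-shot server on loopback TCP, connects a client and returns what the
// client negotiated, or the error that ended the handshake. No application data is sent.
func runHandshake(srvCfg, cliCfg *tls.Config) HandshakeResult {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			_ = tls.Server(conn, srvCfg).Handshake() // a failure reaches the client as a TLS alert
		}
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg) // returns only once the handshake is done
	if err != nil {
		return HandshakeResult{Err: err}
	}
	defer c.Close()
	st := c.ConnectionState()
	return HandshakeResult{
		Version:      st.Version,
		CipherSuite:  tls.CipherSuiteName(st.CipherSuite),
		DaysToExpiry: int(time.Until(st.PeerCertificates[0].NotAfter).Hours() / 24),
	}
}

func main() {
	srv, trusted := demoServer(30)
	fmt.Printf("hardened client: %+v\n", runHandshake(srv, clientConfig(trusted, false)))
	fmt.Printf("untrusted root:  %v\n", runHandshake(srv, clientConfig(nil, false)).Err)
	fmt.Printf("CBC-only client: %v\n", runHandshake(srv, clientConfig(trusted, true)).Err)
}
```

Run it with `go run` on any machine that allows loopback connections. The first line reports TLS 1.3 (0x0304) with an AEAD suite and roughly 29 days to expiry, the second shows the client refusing a certificate it cannot chain to a trusted root, and the third shows the server refusing a client whose only offered suite is outside the configured policy. Note that DaysToExpiry is computed from the certificate the client actually received, which is the value an alerting rule should watch rather than whatever file is on disk.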

TLS encryption: Two types working together

TLS encryption uses both asymmetric and symmetric cryptography during a file transfer session. Each method serves a distinct purpose in establishing and maintaining secure communication between systems.

Asymmetric (public key)

Asymmetric encryption, also known as public key encryption, is used during the TLS handshake. The server’s public key, delivered in its certificate, lets the client confirm it is talking to the genuine server and protects the key exchange: in older TLS versions the client encrypted a shared secret with that key so that only the holder of the private key could recover it, while TLS 1.3 (which removed RSA key exchange, as noted above) instead uses the private key to sign the ephemeral Diffie‑Hellman exchange. Either way, the two parties agree on encryption parameters without prior contact.

Symmetric (session key)

Once the handshake is complete, TLS shifts to symmetric encryption using a session key. This key is used for all subsequent communication to enable faster encryption and decryption. Both parties use the same key, which keeps the session confidential and efficient.

Together, these two methods allow TLS to combine secure key exchange with high-performance encryption. This layered approach protects both the setup phase and the file transfer itself.

Transport layer security FAQs

What are the differences between SSL and TLS?

SSL and TLS are both cryptographic protocols created to protect data while it moves across public or private networks. SSL was created first, but it has been deprecated in favor of TLS due to TLS’s improved encryption, key exchange and session control features. SSL was found to be vulnerable to attacks that exploited a flaw in its block cipher mode, as well as to attacks that could force a security downgrade. TLS strips out these legacy options that once enabled downgrade and padding attacks against earlier browsers and servers.

Many professionals still mention SSL by habit during conversations or in documentation. Modern file transfer platforms, however, rely only on TLS when they need encrypted sessions for compliance and resilience.

What’s the difference between TCP and TLS?

Transmission control protocol (TCP) handles the packaging and integrity of data that moves between two hosts, while TLS ensures that data is encrypted.

TCP packages a larger file into discrete segments, tracks each data segment to prevent loss, keeps the right order, resends lost packets and applies flow control during a transfer. However, it offers no native encryption or authentication. 

Transport layer security (TLS) is a layer on top of TCP that provides encryption, identity checks and integrity codes. TLS never replaces TCP; it wraps application data in encrypted, integrity-protected records that TCP then carries.

In practice, transfers run through FTPS, HTTPS or SMTP rely on TCP to keep each byte intact and in sequence, and on TLS to ensure the data cannot be intercepted or tampered with.

How does TLS security work?

TLS begins by setting up a secure connection on TCP. The exchange starts with a client/server handshake. The client will provide its supported protocol versions and the cipher suites. Once the server confirms this initial connection, the server will prove its identity by supplying an X.509 certificate. 

At this point, an ephemeral key exchange will occur. Most deployments use ECDHE to derive a shared secret from that step. Once each partner verifies the shared secret, the handshake is complete and data can be sent. 

TLS will commonly use AEAD ciphers, such as AES‑GCM or ChaCha20‑Poly1305.

Which is better, HTTPS or TLS?

HTTPS is simply TLS applied to HTTP in order to authenticate and encrypt web traffic. TLS secures the transport layer, while HTTPS secures browser‑to‑server communication by relying on TLS.
