TLS solves three main problems:
- Confidentiality (can someone read the data)
- Integrity (can someone modify the data)
- Authentication (is the server who it claims to be)
TLS uses two types of keys:
- Symmetric keys (same key is used to encrypt and decrypt)
- Asymmetric encryption (public and private key pair), for example RSA
- Here, TLS uses asymmetric encryption to establish a shared secret, then symmetric encryption with that shared secret to speed things up
After the server selects a cipher suite from the client's proposed list, it sends its certificate, which contains the server's public key and a signature from a certificate authority (the client verifies this signature against the CAs it trusts).
I believe the way a shared secret is established without sending it over the wire is basically the same process as XORing checksums where the server and client start with the same shared base and XOR their secret with that base (the result is a shared base XOR client secret XOR server secret). In practice, they don’t XOR secrets but rather use Modular Exponentiation. The session keys only exist for the duration of the living session (this is done by XORing the client and server session randoms to the secret). Then, you use this secret to encrypt your data, where without that same key, you cannot decrypt it. This happens through a pile of bitwise operations.
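Added example (not from the original notes): a toy Diffie-Hellman exchange in Python showing the modular-exponentiation step described above, then mixing the client and server randoms into a per-session key. The group parameters, the HMAC-based key derivation and the helper names are constructed assumptions for illustration, not TLS's actual parameters or code.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: the Mersenne prime 2^127 - 1 with generator 5.
# Real TLS uses far larger groups (e.g. ffdhe2048) or elliptic curves (X25519).
P = (1 << 127) - 1
G = 5


def dh_keypair(p=P, g=G):
    """Pick a private exponent x and compute the public value g^x mod p."""
    x = secrets.randbelow(p - 3) + 2          # 2 <= x <= p-2
    return x, pow(g, x, p)


def dh_shared(their_public, my_private, p=P):
    """(g^y)^x mod p == (g^x)^y mod p: both sides get the same value without sending it."""
    return pow(their_public, my_private, p)


def derive_session_key(shared_secret, client_random, server_random):
    """Bind the shared secret to this session by mixing in both randoms.
    HKDF-extract style (HMAC with the randoms as salt); an assumption, not TLS's PRF."""
    ikm = shared_secret.to_bytes((shared_secret.bit_length() + 7) // 8, "big")
    return hmac.new(client_random + server_random, ikm, hashlib.sha256).digest()


def simulate_handshake():
    """Run one exchange; return (client_key, server_key, secrets_match)."""
    client_random = secrets.token_bytes(32)   # sent in ClientHello, public
    server_random = secrets.token_bytes(32)   # sent in ServerHello, public
    a, client_pub = dh_keypair()
    b, server_pub = dh_keypair()
    # Only client_pub, server_pub and the two randoms are observable on the wire.
    client_secret = dh_shared(server_pub, a)
    server_secret = dh_shared(client_pub, b)
    client_key = derive_session_key(client_secret, client_random, server_random)
    server_key = derive_session_key(server_secret, client_random, server_random)
    return client_key, server_key, client_secret == server_secret


def xor_analogy_leaks(base, secret):
    """Why XOR is only an analogy: XOR is invertible, so anyone who sees base and
    base ^ secret recovers secret exactly. Recovering x from g^x mod p instead
    requires solving the discrete logarithm problem, which is what makes DH safe."""
    on_the_wire = base ^ secret
    return (on_the_wire ^ base) == secret


if __name__ == "__main__":
    ck, sk, same = simulate_handshake()
    print("shared secrets match:", same, "| session key:", ck.hex())
```

Each run produces a fresh session key because the randoms change even if the same DH secret were reused.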