Mutual TLS in Action
“What is mTLS?” I am sure that is the main question you have at the start of this article. Mutual TLS (mTLS), or Mutual Transport Layer Security, is a cryptographic protocol designed to provide secure and trusted communication between a client and a server over a computer network, with each side verifying the identity of the other. Before diving into mTLS we need to understand Transport Layer Security (TLS).
What is TLS?
Transport Layer Security (TLS) is the de facto standard for securing communications between applications today.
“Transport Layer Security (TLS), the successor of the now-deprecated Secure Sockets Layer (SSL), is a cryptographic protocol designed to provide communications security over a computer network.”
Even if you don’t realise it, you use TLS many times whenever you browse the internet. The address of any website you visit starts with http or https. Do you know the exact difference between the two? Hypertext Transfer Protocol (HTTP) is a protocol used for transferring data over a network, and on its own it is generally considered neither encrypted nor secured. Hypertext Transfer Protocol Secure (HTTPS) is the secured version of HTTP: it ensures that the ongoing communication between the server and the browser is encrypted and secure. HTTPS uses TLS to encrypt HTTP requests and responses.
SSL vs TLS?
When you search the internet for TLS you will find that the terms SSL and TLS are often used interchangeably and confused with each other. TLS actually evolved from an earlier encryption protocol called SSL (Secure Sockets Layer), which was developed by Netscape. SSL has not been updated since SSL 3.0 in 1996 and is now considered deprecated.
How does TLS work?
TLS uses a combination of cryptographic processes to provide secure communication over a network. TLS relies on public-key cryptography, which uses a pair of keys: a public key and a private key. In everyday usage the private key is simply called the key, and the public key is what the certificate carries. Anything encrypted with the public key can be decrypted only with the matching private key. The TLS protocol is designed to provide three essential security services: authentication, encryption and integrity. Technically it is not required to use all three in every situation, but if you leave one out you take on the corresponding security risk yourself. Let’s see how TLS provides those services.
TLS Authentication
Authentication is the process of identifying and verifying that a user or an application is who they claim to be. By default, the TLS protocol only requires the server to authenticate itself to the client. Let’s see how server authentication happens using certificates. A certificate is something like your ID card: an identity card contains several pieces of information that uniquely identify you, and it was issued by a specific trusted government agency (a trusted third party).
The typical TLS authentication process works as follows:
- Client connects to server
- Server presents its TLS certificate to the client
- Client verifies the server’s certificate
- Client and server exchange information over encrypted TLS connection
TLS Encryption
Encryption is the process of scrambling data so that only authorized parties can understand the information. Encryption protects data by scrambling it with a randomly generated passcode, called an encryption key. Without the key, third parties are unable to read your data, so the data is readable only by the intended receiver.
TLS Integrity
Integrity ensures that the data received by the receiver is the same data that was sent by the sender. TLS digitally signs data in order to provide data integrity, verifying that the data has not been tampered with before reaching the recipient.
What is Mutual TLS?
Now let’s see the difference between TLS and mutual TLS. As described in the previous section, with TLS the client is able to verify the identity of the server, but the server is not able to verify the identity of the client. By default, TLS provides one-way authentication: only the server is required to authenticate itself to the client.
But sometimes the server also needs to verify the identity of the client, so that not just anybody can call the service. This is where mutual TLS comes into action. In mutual TLS, or two-way TLS, the server and the client authenticate each other to ensure that both parties are trusted. Using mutual TLS, the server can verify the client’s identity before allowing it to make any request to the server.
How does mTLS work?
In mTLS both the client and the server authenticate each other using their certificates. Compared with typical TLS, mTLS adds a few steps so that both parties are verified.
- Client connects to server
- Server presents its TLS certificate to the client
- Client verifies the server’s certificate
- Client presents its TLS certificate to the server
- Server verifies the client’s certificate
- Server grants access
- Client and server exchange information over encrypted TLS connection
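To make both step lists above concrete, here is an added Go example; it is not code from the original post, and it uses nothing beyond the standard library's crypto/tls and crypto/x509 packages. It builds an in-memory certificate authority plus a server and a client certificate (the names demo-ca, server.example.test, client.example.test and rogue-ca are made up for the demo, and the server listens on loopback 127.0.0.1), then runs four handshakes: plain TLS, where the server never asks for and so never learns the client's identity; mTLS where the client presents no certificate; mTLS with a certificate from the trusted CA, where the server sees who the client is; and mTLS with a certificate that carries the same name but was issued by a CA the server was not told to trust, showing that the issuer, not the name, is what the server's check relies on.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue builds an in-memory key pair and certificate for cn (constructed demo names), self-signed when parent is nil.
func issue(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // entropy failure: nothing sensible to do in a demo
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, // SAN so the client's check of the loopback server passes
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey.(ed25519.PrivateKey)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

type Outcome struct {
	Peer string // client CommonName the server verified; "" when none was presented or accepted
	Err  error  // nil when the handshake completed on both sides
}

// handshake runs one loopback TLS connection: NoClientCert is one-way TLS, RequireAndVerifyClientCert is mTLS.
func handshake(policy tls.ClientAuthType, ca, server tls.Certificate, client []tls.Certificate) Outcome {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf) // the only issuer either side trusts
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: policy, ClientCAs: pool})
	if err != nil {
		return Outcome{Err: err}
	}
	defer ln.Close()
	done := make(chan Outcome, 1)
	go func() { // server side: Handshake fails when a required client certificate is missing or untrusted
		var peer string
		c, err := ln.Accept()
		if err == nil {
			if err = c.(*tls.Conn).Handshake(); err == nil {
				if certs := c.(*tls.Conn).ConnectionState().PeerCertificates; len(certs) > 0 {
					peer = certs[0].Subject.CommonName
				}
			}
			c.Close()
		}
		done <- Outcome{peer, err}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, Certificates: client}) // client side: same CA, optional client cert
	if err != nil {
		return Outcome{Err: err}
	}
	_, _ = conn.Read(make([]byte, 1)) // wait for the server's verdict: EOF on success, an alert on rejection
	conn.Close()
	return <-done
}

// RunScenarios builds a CA with server and client certificates and replays the article's TLS and mTLS steps.
func RunScenarios() map[string]Outcome {
	ca := issue("demo-ca", true, nil)
	server, client := issue("server.example.test", false, &ca), issue("client.example.test", false, &ca)
	rogueCA := issue("rogue-ca", true, nil)                // a second issuer the server was never told to trust
	rogue := issue("client.example.test", false, &rogueCA) // same name as the real client, wrong issuer
	run := func(p tls.ClientAuthType, certs ...tls.Certificate) Outcome { return handshake(p, ca, server, certs) }
	return map[string]Outcome{
		"tls":           run(tls.NoClientCert, client),               // server never asks, so it learns nothing
		"mtls-no-cert":  run(tls.RequireAndVerifyClientCert),         // rejected: nothing presented
		"mtls":          run(tls.RequireAndVerifyClientCert, client), // accepted: identity verified
		"mtls-wrong-ca": run(tls.RequireAndVerifyClientCert, rogue),  // rejected: untrusted issuer
	}
}

func main() {
	for name, o := range RunScenarios() {
		fmt.Printf("%-14s peer=%q err=%v\n", name, o.Peer, o.Err)
	}
}
```

Run it with go run. The two tls.Config fields are what switch a server between one-way TLS (ClientAuth: tls.NoClientCert) and mTLS (tls.RequireAndVerifyClientCert together with a ClientCAs pool limited to the issuer you actually trust); the client side stays the same apart from loading its own certificate. In a real deployment the certificates come from files or a secrets store rather than being generated at start-up, and the client's private key never leaves the client, which is exactly why the server can treat a verified certificate as proof of identity.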
Here we come to the end. I hope you got something out of this blog. Happy learning!