Mutual TLS in Action

What is TLS?

Transport Layer Security (TLS) is the de facto standard for securing communication between applications today.

SSL vs TLS?

When you search the internet for TLS you will find that the terms SSL and TLS are often used interchangeably and confused with each other. TLS actually evolved from an earlier encryption protocol called SSL (Secure Sockets Layer), which was developed by Netscape. SSL has not been updated since SSL 3.0 in 1996 and is now considered deprecated.

How does TLS work?

TLS uses a combination of cryptographic processes to provide secure communication over a network. TLS relies on public-key encryption, which uses a pair of keys (a public key and a private key). In everyday usage the private key is simply called "the key" and the public key is referred to as "the certificate" (the certificate is the document that carries the public key). Anything encrypted with the public key can only be decrypted with the matching private key. The TLS protocol is designed to provide three essential security services: authentication, encryption and integrity. Technically it is not required to use all three services in every situation, but if you leave one out you carry the resulting security risk yourself. Let's see how TLS provides each of these services.

TLS Authentication

Authentication is the process of identifying a user or an application and validating that they are who they claim to be. By default, the TLS protocol only requires the server to authenticate itself to the client. Let's see how server authentication happens using certificates. A certificate is something like your ID card: an identity card contains several pieces of information that uniquely identify you, and it is issued by a specific trusted government agency (a trusted third party).

Figure 1. One-way authentication: only the client authenticates the server.
  1. Server presents its TLS certificate to the client
  2. Client verifies the server's certificate
  3. Client and server exchange information over an encrypted TLS connection

TLS Encryption

Encryption is the process of scrambling data so that only authorized parties can understand it. Encryption protects data by scrambling it with a randomly generated secret value, called an encryption key. Without the key, third parties are unable to read your data, so the data is readable only by the intended receiver.

TLS Integrity

Integrity ensures that the data received by the receiver is the same data that was sent by the sender. TLS digitally signs data in order to provide data integrity, verifying that the data has not been tampered with before it reaches the recipient.

What is Mutual TLS?

Now let's see the difference between TLS and mutual TLS. As described in the previous section, with plain TLS the client is able to verify the identity of the server, but the server is not able to verify the identity of the client. By default, TLS provides one-way authentication, which means only the server is required to authenticate itself to the client.

Figure 2. Two-way or mutual authentication: in mTLS both the client and the server authenticate each other.

How does mTLS work?

In mTLS both the client and the server authenticate each other using their certificates. Compared to typical TLS, mTLS adds a few steps to the handshake so that both parties are verified.

  1. Server presents its TLS certificate to the client
  2. Client verifies the server's certificate
  3. Client presents its TLS certificate to the server
  4. Server verifies the client's certificate
  5. Server grants access
  6. Client and server exchange information over an encrypted TLS connection
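As an added example (not part of the original article), the following Go program runs these steps in-process using only the standard library: it mints a throwaway CA plus a server and a client certificate (the names `demo-ca`, `server.example` and `client.example` are assumptions), then performs a loopback handshake in which the server is configured with `ClientAuth: tls.RequireAndVerifyClientCert`. Calling it once with the client presenting its certificate and once without shows the server accepting the first client and rejecting the second at step 4.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// makeCert issues a throwaway certificate for name: self-signed (a root CA) when parent is nil, otherwise signed by parent.
func makeCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // the CA signs itself
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// MutualHandshake runs one loopback TLS handshake whose server requires a client certificate and returns the server's verdict (nil only when the client proved its identity).
func MutualHandshake(clientSendsCert bool) error {
	ca, caKey := makeCert("demo-ca", nil, nil)
	srv, srvKey := makeCert("server.example", ca, caKey)
	cli, cliKey := makeCert("client.example", ca, caKey)
	pool := x509.NewCertPool() // the one CA both sides trust
	pool.AddCert(ca)
	serverCfg := &tls.Config{ // step 4: demand a client certificate and verify it against ClientCAs
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}}, // step 1
		ClientAuth:   tls.RequireAndVerifyClientCert, ClientCAs: pool}
	clientCfg := &tls.Config{RootCAs: pool, ServerName: "server.example"} // step 2: verify the server
	if clientSendsCert {
		clientCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}} // step 3
	}
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	defer ln.Close()
	go tls.Dial("tcp", ln.Addr().String(), clientCfg) // client side: connect and handshake
	raw, _ := ln.Accept()
	defer raw.Close()
	return tls.Server(raw, serverCfg).Handshake() // server's verdict on the client
}
```

Without a client certificate the server's handshake fails with `tls: client didn't provide a certificate`, which is exactly the rejection that plain one-way TLS never performs.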
