SSL Communication and Mutual Authentication

Educational Presentation

What is SSL?

• SSL, or Secure Sockets Layer, is a means of securing communications over a network so that only the sender and receiver have access to the sensitive data that is contained within.

• This is done with the use of Certificates and Keys.

• A Certificate contains basic information and a digital signature that properly identifies the client or server that it is associated with.

• Keys - public, private, and session - work together to establish an encrypted connection.

Certificates and Keys

If you’ve ever bought something from Amazon, you’ve used SSL. During checkout you may have noticed the little padlock icon in the status bar of your web browser, or that the URL field of your browser begins with “https.” This indicates that you’re communicating with the website’s server via SSL to secure your personal information, your credit card number, etc.

This type of SSL between a web browser and a website server includes what is commonly referred to as Server Authentication.

Example of SSL with Server Authentication

• Server Authentication is a means of authenticating and identifying the server to the client using a Server Certificate.

• A Server Certificate is a required part of any SSL communication. The server certificate contains basic information and a digital signature that properly identifies the server it is associated with.

Steps for SSL Communication

1) Client connects to a web server (website) secured with SSL (https). Client requests that the server identify itself.

2) Server sends a copy of its SSL Certificate, including the server’s public key.

3) Client checks that the certificate is trusted: unexpired, unrevoked, and valid for the website that it is connecting to. If the client trusts the certificate, it creates, encrypts, and sends back a session key using the server’s public key.

4) Server decrypts the symmetric session key using its private key and begins an encrypted session with the client. The server and client now encrypt all transmitted data with the session key.
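Step 3 is where the client decides whether to trust the certificate it was sent. The following is an added example, not part of the original presentation, that walks through those checks (signature from a trusted issuer, validity period, revocation, and name match for the website being connected to) over constructed certificate records. The certificate fields, issuer names, serials, dates and the "Example Root CA" trust store are all made up for the example, and an HMAC stands in for the CA's public-key signature so it runs with the standard library only; a real client parses X.509 and verifies RSA/ECDSA signatures instead.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Toy stand-ins for CA signing keys: real PKI uses public-key signatures, here an
# HMAC over the certificate fields plays that role. All values are constructed.
ISSUER_KEYS = {"Example Root CA": b"constructed-example-root-ca-key"}
REVOKED_SERIALS = {"0x1002"}   # constructed stand-in for a CRL / OCSP "revoked" answer


def _to_be_signed(cert):
    """Canonical bytes of every field except the signature itself."""
    fields = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(fields, sort_keys=True).encode()


def make_cert(subject_alt_names, serial, not_before, not_after, issuer="Example Root CA"):
    """Issue a constructed certificate; an unknown issuer signs with its own (untrusted) key."""
    cert = {"subject_alt_names": list(subject_alt_names), "serial": serial,
            "issuer": issuer, "not_before": not_before, "not_after": not_after}
    key = ISSUER_KEYS.get(issuer, b"key-of-an-issuer-we-do-not-trust")
    cert["signature"] = hmac.new(key, _to_be_signed(cert), hashlib.sha256).hexdigest()
    return cert


def signature_valid(cert):
    """True only if the signature verifies under the key of an issuer in our trust store."""
    key = ISSUER_KEYS.get(cert["issuer"])
    if key is None:
        return False
    expected = hmac.new(key, _to_be_signed(cert), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert.get("signature", ""))


def hostname_matches(pattern, hostname):
    """RFC 6125-style name match: exact, or '*' standing for the leftmost label only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    # A wildcard covers exactly one label and never a whole public suffix.
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def check_certificate(cert, hostname, now_iso):
    """Step 3 of the handshake: return every reason to reject (empty list = trusted)."""
    now = datetime.fromisoformat(now_iso)
    problems = []
    if not signature_valid(cert):
        problems.append("signature invalid or issuer untrusted")
    not_before = datetime.fromisoformat(cert["not_before"])
    not_after = datetime.fromisoformat(cert["not_after"])
    if not (not_before <= now <= not_after):
        problems.append("outside validity period")
    if cert["serial"] in REVOKED_SERIALS:
        problems.append("revoked")
    if not any(hostname_matches(n, hostname) for n in cert["subject_alt_names"]):
        problems.append("name does not match requested host")
    return problems


# Constructed sample certificates covering each failure the client must catch.
GOOD = make_cert(["www.example.com", "*.example.com"], "0x1001",
                 "2024-01-01T00:00:00", "2026-01-01T00:00:00")
REVOKED = make_cert(["www.example.com"], "0x1002",
                    "2024-01-01T00:00:00", "2026-01-01T00:00:00")
EXPIRED = make_cert(["www.example.com"], "0x1003",
                    "2023-01-01T00:00:00", "2024-01-01T00:00:00")
ROGUE = make_cert(["www.example.com"], "0x1004",
                  "2024-01-01T00:00:00", "2026-01-01T00:00:00", issuer="Rogue CA")
# Fields edited after signing: the signature no longer covers what the certificate says.
TAMPERED = dict(GOOD, subject_alt_names=["www.example.com", "bank.example.net"])

if __name__ == "__main__":
    now = "2025-06-01T00:00:00"
    for name, cert in [("good", GOOD), ("revoked", REVOKED), ("expired", EXPIRED),
                       ("rogue", ROGUE), ("tampered", TAMPERED)]:
        print(name, check_certificate(cert, "www.example.com", now) or "trusted")
    print("wildcard api.example.com:", check_certificate(GOOD, "api.example.com", now) or "trusted")
    print("bare example.com:", check_certificate(GOOD, "example.com", now))
```

The ordering matters in practice: a client that checks the name before the signature learns nothing, because an attacker can write any name into a certificate that no trusted CA has signed. The wildcard rule is deliberately strict (one label, never the bare domain), which is the behaviour browsers settled on after looser matching caused trouble.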

SSL Communication Diagram

Mutual or “Two-Way” Authentication

• Mutual Authentication, also commonly referred to as Two-Way Authentication, refers to the combination of both Server and Client Authentication.

• The authentication is mutual, or two-way, because the server is authenticating itself to the client, and the client is authenticating itself to the server.

Client Authentication

• Client Authentication, similar to server authentication, is a means of authenticating and identifying the client to the server using a Client Certificate.

• A Client Certificate contains basic information about the client’s identity, and the digital signature on this certificate verifies that this information is authentic.

Client Authentication (Continued)

• One thing to note is that whether client authentication is required is specified by the server. A server can be configured to allow connections from any client, or it can be configured to require that any client attempting to connect to it be authenticated.

• The use of client authentication is appropriate for a scenario where the server should only accept connections from a specific group of authorized clients. An example of such a scenario would be a company that wants to limit connections to its server to those coming from its legitimate business partners.

Steps for Mutual Authentication SSL

1) Client connects to a web server (website) secured with SSL (https). Client requests that the server identify itself.

2) Server sends a copy of its SSL Certificate, including the server’s public key. Client responds by sending a copy of its own SSL Certificate for the server to verify (This is the Mutual or Two-Way Authentication).

3) Client checks that the certificate it received is trusted: unexpired, unrevoked, and valid for the website that it is connecting to. If the client trusts the certificate, it creates, encrypts, and sends back a session key using the server’s public key.

4) Server decrypts the symmetric session key using its private key and begins an encrypted session with the client. The server and client now encrypt all transmitted data with the session key.
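The “Client Authentication (Continued)” slide makes the point that the server decides whether a client certificate is required, and the steps above show the client presenting one. As an added example that is not part of the original presentation, the following Python code builds the two sides of such a connection with the standard library's ssl module: a server context in either mode (client certificate required, or server authentication only) and a client context that always verifies the server and presents its own certificate only when given one. The function names, the optional file-path parameters and the idea of passing a real certificate file in later are assumptions of this example; no certificates ship with it, so it only demonstrates the configuration, not a live handshake.

```python
import ssl


def make_server_context(require_client_cert, cert_file=None, key_file=None, client_ca_file=None):
    """Server side: the server alone decides whether clients must present a certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_file and key_file:
        # The server certificate is required in every mode (assumed PEM paths).
        ctx.load_cert_chain(cert_file, key_file)
    if require_client_cert:
        # Mutual authentication: the handshake fails unless the client presents a
        # certificate that chains to a CA the server has been told to trust.
        ctx.verify_mode = ssl.CERT_REQUIRED
        if client_ca_file:
            ctx.load_verify_locations(cafile=client_ca_file)
    else:
        # Server authentication only: any client may connect.
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_client_context(server_ca_file=None, client_cert_file=None, client_key_file=None):
    """Client side: always verify the server; present a client certificate only when given one."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=server_ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True            # "valid for the website it is connecting to"
    ctx.verify_mode = ssl.CERT_REQUIRED  # "trusted, unexpired, unrevoked" chain checks
    if client_cert_file and client_key_file:
        # Loaded only when the server asks for it during the handshake.
        ctx.load_cert_chain(client_cert_file, client_key_file)
    return ctx


def describe(ctx):
    """Summarise the settings that decide which side authenticates whom."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def peer_subject(tls_sock):
    """After the handshake, the server reads the verified client identity from the socket.

    Returns None when the peer presented no certificate (CERT_NONE mode).
    """
    cert = tls_sock.getpeercert()
    if not cert:
        return None
    # 'subject' is a tuple of RDNs; each RDN is a tuple of (name, value) pairs.
    return {name: value for rdn in cert["subject"] for name, value in rdn}


if __name__ == "__main__":
    print("server, mutual auth:     ", describe(make_server_context(True)))
    print("server, server auth only:", describe(make_server_context(False)))
    print("client:                  ", describe(make_client_context()))
```

The asymmetry is the security point: the client context refuses to skip hostname and chain verification, while the server context's verify_mode is the single switch that turns a public website into a service reachable only by the partners whose CA it loads.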

Mutual Authentication Diagram

Need to do SSL communications?

www.extol.com/secure