Two-way SSL explanation

I'm a little confused about how two-way SSL works. How does the client create its certificate for sending to the server? Is it generated by the server and distributed to the client?

Also, what is the advantage of two-way SSL over one-way SSL?

+45
ssl two-way
May 23 '12 at 18:13
3 answers

Both certificates must exist before connecting. They are usually created by certificate authorities (not necessarily the same one). (There are alternative cases where verification can be performed in different ways, but some verification is necessary.)

The server certificate must be created by a CA that the client trusts (and following the naming conventions specified in RFC 6125).

The client certificate must be created by a CA that the server trusts.

It is up to each side to choose what it trusts.

There are online CA tools that will allow you to apply for a certificate in your browser and install it there as soon as the CA issues it. They do not have to be on the server that requests client-certificate authentication.

Certificate distribution and trust management is the role of a public key infrastructure (PKI) implemented through a CA. The SSL/TLS clients and servers are then just users of this PKI.

When a client connects to a server that requests client-certificate authentication, the server sends a list of CAs that it agrees to accept as part of the client certificate request. The client can then send its client certificate, if it wishes to and has a suitable one.

The main benefits of client certificate authentication are:

  • The private information (the private key) is never sent to the server. The client does not let it out at all during authentication.
  • A server that does not know the user holding this certificate can still authenticate this user if it trusts the CA that issued the certificate (and the certificate is valid). This is very similar to how passports are used: you may have never met the person showing you a passport, but since you trust the authority that issued it, you can link the person to that passport.

You may be interested in "Benefits of client certificates for client authentication?" (on Security.SE).

+70
May 23 '12 at 18:42

What you call "Two-way SSL" is usually called TLS/SSL with client certificate authentication.

In a "normal" TLS connection with example.com, only the client checks that it is really communicating with the server for example.com. The server does not know who the client is. If the server wants to authenticate the client, it is common to use passwords, so the client needs to send a username and password to the server, but this happens inside the TLS connection as part of the inner protocol (for example, HTTP), and is not part of the TLS protocol itself. The disadvantage is that you need a separate password for each site, because you send the password to the server. So if you use the same password for, for example, PayPal and MyPonyForum, then every time you log into MyPonyForum you send this password to the MyPonyForum server, so the operator of that server can intercept it, try it on PayPal and make payments on your behalf.

Client certificate authentication offers another way to authenticate a client in a TLS connection. Unlike password entry, client certificate authentication is specified as part of the TLS protocol. It works similarly to how the client authenticates the server: the client generates a public/private key pair and sends the public key to a trusted CA for signing. The CA returns a client certificate that can be used to authenticate the client. Now the client can use the same certificate for authentication on different servers (i.e. you can use the same certificate for PayPal and MyPonyForum without risking that it can be abused). The way it works is that after the server sends its certificate, it also requests a certificate from the client. Then some public key magic happens (if you want to know the details, read RFC 5246), and now the client knows that it is talking to the right server, the server knows that it is exchanging data with the right client, and both have shared key material for encrypting and verifying the connection.

+22
Apr 21 '14 at
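The exchange the two answers above describe, as an added example (not code from the original answers): a constructed root CA issues a server certificate and a client certificate, the server demands a client certificate and accepts only those chaining to the CA it trusts, the client picks the certificate matching the CA list the server sends, and a client without a certificate is refused. The names `demo-root-ca` and `alice` are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"; "crypto/rand"; "crypto/tls"; "crypto/x509"; "crypto/x509/pkix"
	"io"; "math/big"; "time"
)

// issue mints a certificate for name, signed by parent/pkey (a self-signed root when parent is nil).
func issue(name string, ca bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // the private key never leaves this side
	ku := x509.KeyUsageDigitalSignature
	if ca { ku |= x509.KeyUsageCertSign } // only the CA may sign other certificates
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: ku, ExtKeyUsage: eku}
	if parent == nil { parent, pkey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Connect runs one mutual-TLS handshake over loopback; the server greets only after verifying the client cert.
func Connect(withClientCert bool) (string, error) {
	caCert, caKey := issue("demo-root-ca", true, nil, nil, nil)
	pool := x509.NewCertPool(); pool.AddCert(caCert) // trust anchor used by both sides in this demo
	srvCert, srvKey := issue("localhost", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, caCert, caKey)
	cliCert, cliKey := issue("alice", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, caCert, caKey)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "two-way" part: demand a client cert...
		ClientCAs:    pool,                            // ...and accept only ones chaining to these CAs
	})
	if err != nil { return "", err }
	defer ln.Close()
	go func() { // server side: the handshake itself fails when the client cert is missing or untrusted
		c, err := ln.Accept(); if err != nil { return }
		tc := c.(*tls.Conn); defer tc.Close()
		if tc.Handshake() != nil { return }
		tc.Write([]byte("hello " + tc.ConnectionState().PeerCertificates[0].Subject.CommonName))
	}()
	cfg := &tls.Config{RootCAs: pool, ServerName: "localhost"} // client verifies the server as in one-way TLS
	if withClientCert { cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}} }
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil { return "", err }
	defer conn.Close()
	b, err := io.ReadAll(conn) // with TLS 1.3 a rejected client cert surfaces here as an alert
	return string(b), err
}
```

`Connect(true)` returns `hello alice`, the identity the server took from the verified client certificate; `Connect(false)` returns the alert the server sends when no acceptable certificate arrives.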

In two-way SSL, the client requests a digital certificate from the server and the server requests the same from the client. It is more secure since it is both ways, although it is a bit slow. As a rule, we do not follow it, since the server does not care about the identity of the client, but the client must make sure of the integrity of the server to which it connects.

+3
Oct 13 '16 at 10:00
