What is Mutual Authentication?

ricardo_visa
Community Scholar

Mutual Authentication, also commonly referred to as Two-Way Authentication or Two-Way SSL, refers to the combination of both Server and Client Authentication. The authentication is mutual, or two-way, because the server is authenticating itself to the client, and the client is authenticating itself to the server in order to establish a secure encrypted channel between them.

 

Secure Sockets Layer (SSL) is used to secure communications over a network so that only the sender and receiver have access to the sensitive data that is contained within. This is done with the use of Certificates and Keys. A Certificate contains basic information and a digital signature that properly identifies the client or server that it is associated with. Keys comprise of public, private, and session working together to establish an encrypted connection.

 

Example

 If you have ever bought something from Amazon, you have used SSL. During checkout, you may have noticed the little padlock icon () in the status bar of your web browser, or that the URL field of your browser begins with https. This indicates that you are communicating with the website’s server through SSL to secure your personal information, your credit card number, etc. This type of SSL between a web browser and a website server includes what is commonly known as Server Authentication described below.

 

Server Authentication is a means of authenticating and identifying the server to the client using a Server Certificate. A Server Certificate is a required part of any SSL communication. The server certificate contains basic information and digital signature that properly identifies the server it is associated with.

 

Client Authentication, similar to server authentication is a means of authenticating and identifying the client to the server using a Client Certificate. A Client Certificate contains basic information about the client’s identity, and the digital signature on this certificate verifies that this information is authentic.

 

Steps for Mutual Authentication SSL

This sections lists the phase-wise steps for mutual authentication.

 

PHASE 1

In the first phase, Client connects to a web server (website) secured with SSL (https). The detailed steps are as follows:

  1. Client initiates the process by sending a "Client Hello" message to the Server. Client Hello message includes cryptographic information such as SSL/TLS version, CipherSuites (in the order of client's preference) and data compression methods supported by the client.
  2. The server responds with a "Server Hello" message to the client which contains:
    • SSL/TLS version (chosen by the server from the list provided by the client)
    • CipherSuite (chosen by the server from the list provided by the client)
    • Data compression method (chosen by the server from the list provided by the client)
    • Session ID
    • Client certificate request.

Server sends the client certificate request only in the case of mutual authentication.

 

PHASE 2

In the second phase, Server validation is performed by the client. This is the Mutual or Two-Way Authentication.

  1. Server sends its digital certificate (contains server public key) to the client.
  2. Server sends "Server Hello Done" message to the client.
  3. Client verifies the following server digital certificate information:
    • Certificate chain
    • Expiration date
    • Certificate revocation status
  4. Client sends a random string of data (encrypted with server public key) to the server.
  5. Server decrypts the data sent by client using its private key. This data will be used by both Client and Server to generate a symmetric key.

PHASE 3

In this phase, Client validation is performed by the Server.

  1. Client send its digital certificate (contains client public key) to the server.
  2. Client send "Certificate verify" message which contains the digitally signed copy of previous message. The message is signed using the client private key.
  3. Server verifies the client digital certificate (certificate chain, expiration date and certificate revocation status).
  4. Server verifies the client "Certificate Verify" message by using client public key.

PHASE 4

In this phase, both Client and Server complete the handshake process so that they may begin sending application data.

  1. Client sends the finished message which is encrypted with symmetric key.
  2. Server sends the finished message which is encrypted with symmetric key.

Once a successful handshake is completed, the client and server will use the symmetric key for encrypting/decrypting data.

 

Here is a quick illustration of the phases described above:

 

Mutual Auth FlowMutual Auth Flow