SSL: What’s “two-way” authentication?
Let’s start with an explanation of two-way authentication, which involves three things — SSL, server authentication and client authentication.
SSL, or Secure Sockets Layer, is a means of securing communications over a network so that only the sender and receiver have access to the sensitive data that is contained within. Even if you’re not familiar with the technical details of how SSL works, chances are you’ve used it. If you’ve ever bought a book from Amazon or won an auction on eBay, you’ve used SSL. During the checkout process, you may have noticed the little padlock icon in the status bar of your web browser, or that the URL field of your browser begins with “https.” This is indicating that your web browser is communicating with the website’s server via SSL as a means of securing your personal information, your credit card number, etc. This type of SSL between an ‘anonymous’ web browser and a website server includes what is commonly referred to as Server Authentication.1
Now let’s talk about server authentication. SSL server authentication consists of two components:
1. A server certificate is a required part of any SSL communication. The server certificate is a digital certificate that contains basic information and a digital signature that properly identifies the server that it is associated with. It is the means by which a client is assured of the identity and authenticity of the server with which it is communicating.
2. Server address validation is an optional part of SSL server authentication that adds an extra layer of security and server address checking. Server address validation simply means that the client validates that the URL that is contained in the server certificate and the URL of the server with which the client is attempting to communicate are in fact identical.
These two components, server certificate and server address validation, work together to establish trust between the client and the server so that the client is assured that it is indeed communicating with the proper server and not with some other potentially malicious server.2
Now that we’ve established what we mean by server authentication, let’s move on to client authentication. Essentially, client authentication is the same as server authentication, only this time it is a means of authenticating and identifying the client to the server. One thing to note is that whether client authentication is required or not for a particular server is something that is specified by that server. A server can be configured to allow connections from any client, or it can be configured to require any clients that attempt to connect to it to be authenticated. So, for a client to authenticate, it involves a client certificate and optionally client address validation.
Just like a server certificate, a client certificate contains basic information about the client’s identity, and the digital signature on this certificate verifies that this information is authentic. Client address validation, like its server counterpart, validates the URL from which the client is communicating and validates that it matches the URL contained in the client certificate. These aspects of client authentication protect a server by ensuring that it is accepting a communication from a known client instead of from an unknown and potentially malicious entity.3
The use of client authentication is appropriate for a scenario where the server should only accept connections from a specific limited group of authorized/allowed clients. An example of such a scenario would be where a company wants to limit connections to its server to only be coming from the company’s legitimate business partners. Client authentication lends itself quite well to this type of scenario.
We’ve briefly talked about server authentication and client authentication, but at the beginning of this blog entry, we said that we would be discussing two-way authentication. So when are we finally going to get around to talking about that? Well, actually, we already have. Two-way authentication, also commonly referred to as mutual authentication, is a term used to refer to the combination of server and client authentication. The authentication that is occurring is mutual, or two-way, because the server is authenticating itself to the client, and the client is authenticating itself to the server.
One thing to note in all of this is that in an SSL communication, client authentication never occurs alone. As stated above, at the bare minimum an SSL communication requires server certificate authentication. So an SSL communication can either have server authentication only, or it can have two-way authentication.