In order to secure communications over Internet, the most widely adopted method is TLS: Transport Layer Security, formerly known as SSL. Let's discover how it works!
TLS, and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. For example, a cryptographic protocol encrypts the data that is exchanged between a web server and a user.
TLS provides 2 main features:
- Encryption: Encryption protects data by scrambling it with a randomly generated passcode, called an encryption key. Without the key, third parties will be unable to view your data. Therefore, data should be readable only by the receiver.
- Authentication: Authentication is the process of determining if a claim is true — usually a claim about someone or something’s identity. In other words, peers can claim to be who they pretend to be.
This technique relies on asymmetric cryptography. Each peer has a public and a private key. The public key allows for encryption only, the private key allows for decryption only.
Peers first exchange public keys. Then the sender encrypts data with the receiver's public key, and sends it over the network. The receiver uses his private key to decrypt the data. It's that simple!
You most probably have an ID card with your name on. You hand it to whoever needs to verify your identity. An ID card usually contains several mechanisms to verify it was issued by a specific and trusted state agency and that it contains the right information.
Using this example, what you do is delegate people authentication to a trusted third-party by the mean of ID cards.
TLS Authentication works the same way. The ID card is a file called certificate. The trusted third-party is a Certificate Authority. The authentication information written in the certificate is guaranteed by the signature of the Certificate Authority.
Certificate Authorities also are certificates pre-installed on your system. Certificates can sign other certificates using their associated private key. Signatures can be verified without the private keys, and the signed certificate is "sealed". If any information in the signed certificate changes, the signature is not valid anymore.
A common authentication information you can find in a certificate is a domain name. Let's say you navigate to
www.scaleway.com, the server will send you a certificate saying it is the one responsible for
www.scaleway.com and this certificate will be signed by a certificate authority your browser trusts. Your browser will verify the signature of the certificate and proceed to request the page, your browser knows it is on the genuine
mTLS : Mutual TLS Authentication
Now you know how a client authenticates a server using simple TLS Authentication, let's introduce the scenario where both peers authenticate themselves. They both send their certificate, both verify the received certificate with their known Certificate Authorities, and both proceed with exchanging data. Well, that is mTLS.