What's Two-Way SSL, anyway?

In our previous blog post, we discussed one-way SSL, a security mechanism that enables a client to verify the server's identity using a server-side SSL certificate.

While one-way SSL provides a secure connection between the client and server, it does not verify the client's identity.

This is where two-way SSL comes in handy. Two-way SSL, also known as mutual SSL or client-authenticated SSL, adds an extra layer of security by requiring both the client and the server to present their SSL certificates for mutual authentication.

This ensures that both parties are trustworthy and can securely communicate with each other.

In this article, we will explore the steps involved in a two-way SSL handshake, building upon the one-way SSL example from our previous blog post.

If you're not familiar with one-way SSL, we highly recommend reading that post first to gain a better understanding of the SSL handshake process.

Step-by-Step Guide

In a two-way SSL handshake, both the client and the server verify each other's identity by validating their SSL certificates.

The process is similar to the one-way SSL handshake, with some additional steps for client-side authentication.

1. Client Hello: This step is the same as in one-way SSL. The client sends a "Client Hello" message to the server, containing its random number (Client Random), supported SSL/TLS versions, and supported cipher suites.

2. Server Hello: Just like in one-way SSL, the server responds with a "Server Hello" message, which includes the server's random number (Server Random), chosen SSL/TLS version, and chosen cipher suite.

3. Server Certificate: The server sends its SSL certificate to the client, just as in one-way SSL.

4. Client Verification: The client verifies the server's certificate, ensuring it's signed by a trusted Certificate Authority (CA), as described in our last post.

1. Client Certificate Request: At this point, the server requests the client's SSL certificate by sending a "CertificateRequest" message. This message specifies the acceptable types of client certificates and the trusted CAs that can sign them.

2. Client Certificate: The client sends its SSL certificate to the server. Like the server's certificate, the client's certificate contains its public key and information about the client's identity.

3. Server Verification: The server verifies the client's certificate, checking if it's signed by a trusted CA specified in the CertificateRequest message.

4. Pre-Master Secret Generation and Server Decryption: These steps are the same as in one-way SSL. The client generates a Pre-Master Secret (PMS), encrypts it with the server's public key, and sends it to the server. The server then decrypts the PMS using its private key.

5. Symmetric Encryption Key Generation: Both the client and the server independently generate the same session key using the ClientRandom, ServerRandom, and Premaster Secret.

6. Finished Messages: The client sends a Finished message encrypted with the newly generated session key. The server decrypts this message with the same session key, verifies its integrity, and sends its own Finished message encrypted with the session key.

   Once both the client and server have exchanged Finished messages, they can securely communicate using the established session keys.

Conclusion

Two-way SSL provides an extra layer of security by requiring both the client and the server to authenticate each other using SSL certificates. This mutual authentication ensures that both parties can trust each other and securely exchange data.

I hope this article, was helpful to make you understand the working of 2-way SSL

Do give a like and share this, if this helped you in anyway.
Thanks!