Thursday, October 8, 2009

One Way SSL and Two Way SSL

The Secure Sockets Layer (SSL) is a widely used protocol for securing the transmission of messages on the Internet. SSL is a program layer that sits between the Internet's Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP) layers.

In this article we are mainly concerned with the transmission of messages between an SSL client and an SSL server. There are two ways SSL can be implemented between a client and a server: One Way SSL and Two Way SSL.

One Way SSL:

One way SSL authentication enables an application to authenticate, or identify, itself to the user (client).

The best example of one way SSL authentication is an internet banking site. When you open such a site, the browser will generally show a warning, and that warning pop-up also lets you view the site's certificate. The certificate is the credential that authenticates the application you want to access. There is a lock icon at the bottom right corner of the browser's status bar; double-clicking it shows all the details of the certificate. The certificate carries an expiry date and the details of the issuing authority, which confirm the identity of the application.

Now, technically speaking:
The application we are connecting to is the SSL server, and the browser that connects to it is the SSL client. The SSL client initiates contact with the SSL server. The SSL server presents its signed certificate (which contains its public key) to the SSL client. The SSL client verifies that certificate against the certificate of the issuing authority held in the client's own trust store (the server's private key never leaves the server), and the authentication is complete.




Two Way SSL:

In a two way SSL implementation, as the name suggests, not only does the server authenticate itself to the client, the client also authenticates itself to the server. Hence, unlike above, certificates are present on both the server and the client: the client application verifies the identity of the server application, and the server application also verifies the identity of the client application.

As said above, here not only does the server authenticate itself to the client, the client also authenticates itself to the server; that is why two way SSL is also referred to as client authentication.




An example of two way SSL would be an application that deals with sensitive and confidential data intended for particular recipients. Thus only a client that holds a certificate with which to authenticate itself to the server will be able to access the application.

In a two way SSL application, the SSL client initiates a connection to an SSL server that is set to use two way SSL (client authentication). The SSL server presents its certificate (which carries the server's public key) to the client for verification, and the SSL client verifies it against the issuing authority's certificate in the client's trust store. The SSL server then requests the client's certificate; the SSL client sends its certificate (its public key) and proves that it holds the matching private key, and the SSL server verifies that certificate against the issuing authority's certificate in the server's trust store. Each private key stays with the party that generated it: the client never holds the server's private key, and the server never holds the client's.
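The following added example is not from the original post; it shows the one way and two way handshakes described above in working code, using Go's standard crypto/tls and crypto/x509 packages. It speaks TLS, the successor of SSL, because modern libraries no longer offer SSL itself; the roles and checks are the same. It builds a constructed root CA, a server identity and a client identity in memory (the names "Example Root CA", "server.example" and "alice-client" are invented for the example), then runs three handshakes: one way SSL, two way SSL with a client that has no certificate, and two way SSL with a client that presents one. Note what each side holds: the trust store contains only CA certificates, and each private key stays with the party that generated it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

var serial int64 // constructed serial numbers, one per certificate
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs a certificate for cn. With parent == nil it is self-signed (our
// constructed root CA); otherwise it is issued by parent using parentKey.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // leaf certificate: usable as a server or client identity for 127.0.0.1
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// tryConnect runs one handshake against an in-process server. Under TLS 1.3 the client's
// handshake may finish before the server checks the client certificate, so the client also
// reads the server's greeting: a rejected client sees the server's alert there.
func tryConnect(serverCfg, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	must(err)
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			conn.Write([]byte("hello")) // a tls.Conn completes the handshake on first Write
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return err // the handshake itself was refused
	}
	defer conn.Close()
	_, err = io.ReadFull(conn, make([]byte, 5))
	return err
}

// runScenarios builds a constructed CA, server identity and client identity, then runs
// [0] one-way SSL, [1] two-way SSL without a client certificate, [2] two-way SSL with one.
// A nil error means the server accepted the client.
func runScenarios() [3]error {
	caCert, caKey := issue("Example Root CA", true, nil, nil)
	srvCert, srvKey := issue("server.example", false, caCert, caKey)
	cliCert, cliKey := issue("alice-client", false, caCert, caKey)
	trust := x509.NewCertPool() // trust store: CA certificates only, never private keys
	trust.AddCert(caCert)
	srvID := tls.Certificate{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}
	cliID := tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}
	oneWay := &tls.Config{Certificates: []tls.Certificate{srvID}}
	// two-way: the server demands a client certificate and verifies it against its trust store
	twoWay := &tls.Config{Certificates: []tls.Certificate{srvID}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust}
	anonClient := &tls.Config{RootCAs: trust}
	certClient := &tls.Config{RootCAs: trust, Certificates: []tls.Certificate{cliID}}
	return [3]error{
		tryConnect(oneWay, anonClient),
		tryConnect(twoWay, anonClient),
		tryConnect(twoWay, certClient),
	}
}

func main() {
	fmt.Println(runScenarios()) // <nil> = accepted; the middle case prints the server's alert
}
```

Run it with `go run`: the one way case and the two way case with a client certificate are accepted, while the two way case without a client certificate is refused by the server. Changing ClientAuth to tls.VerifyClientCertIfGiven would let anonymous clients in again, which is the practical difference between optional and required client authentication.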



Any suggestions would very much be appreciated.
