Client Certificate Authentication (Part 1) By Priyanka Pillai
阿新 • • 發佈:2021-12-10
Client Certificate Authentication (Part 1)
Here is a screenshot describing theSSL/TLS Handshake:
- Client sendsCLIENT HELLOas described in the above image
- Upon receiving theCLIENT HELLO, if the server is configured forClient Certificate Authentication, it will send a list ofDistinguished CA names&Client Certificate Request
-
Upon receiving the Server Hello containing theClient Certificate request& list ofDistinguished CA names, the client will perform the following steps:
- The client uses the CA list available in theSERVER HELLOto determine the mutually trusted CA certificates.
- The
client will then determine the Client Certificates that have been issued by the mutually trustedCertification Authorities. - The client will then present the client certificate list to the user so that they can select a certificate to be sent to the Server.
NOTE:
|
-
Upon selection, the client responds with a
- ClientKeyExchangemessage which contains thePre-master secret
- Certificatemessage which contains theClient certificate
(Doesn’t contain the private key). - CertificateVerify
message, which is used to provide explicit verification of a client certificate. This message is sent only if the Client Certificate message was sent. The client is authenticated by using its private key to sign a hash of all the messages up to this point. The recipient verifies the signature using the public key of the signer, thus ensuring it was signed with the client’s private key. ReferRFC 5246for more details.
- Post this Client & Server use the random numbers and thePre-Mastersecret to generate symmetric (or Master) keys which will used for encrypting & decrypting messages for further communication.
- Both respond withChangeCipherSpecindicating that they have finished the process.
- SSL Handshake stands completed now and both the parties own a copy of the master key which can be used for encryption and decryption.