Mutual TLS: A Secure Way to Authenticate and Encrypt Network Communication

In today's digital environment, data security is a top priority for businesses of all sizes. As cyber security threats continue to evolve and become more sophisticated, it is essential to implement robust security measures to protect sensitive data and resources. Two key security concepts gaining traction in the industry are Mutual Transport Layer Security (TLS) and Zero Trust. Mutual TLS is a mode of the TLS protocol that secures communication between server and client by requiring both sides to authenticate with certificates on every connection. Zero Trust, on the other hand, is a security model that assumes that no device or user is inherently trusted and that access to sensitive resources is granted only when necessary, based on the principle of least privilege. Combining Mutual TLS with Zero Trust provides a powerful security solution that ensures secure communications and restricts access to sensitive data and resources for devices and users at the edge of the network.

Mutual TLS (mTLS) is useful in the Zero Trust world to secure a variety of network services and applications. In this article, we examine the concept of TLS mutual authentication, its importance for network security, and how Keysight Technologies' IxLoad handles TLS mutual authentication testing. We will also discuss best practices for setting up and testing mutual TLS authentication with IxLoad to ensure the security and reliability of your network infrastructure.

What is Mutual TLS?

Mutual TLS is an extension of the TLS protocol (the successor to Secure Sockets Layer, SSL) that enables secure communication between clients and servers. While traditional TLS requires only the server to present a valid certificate, mutual TLS requires both the client and the server to present valid certificates and to prove possession of the matching private keys, so that each side authenticates the other. One-way TLS already protects a client that validates the server's certificate against man-in-the-middle attacks; mutual TLS adds the missing half, letting the server reject unauthorized or impersonated clients before any application data is exchanged.

How Does Mutual TLS Work?

Mutual TLS works by using public-key cryptography to authenticate both endpoints and agree on session keys, and symmetric-key encryption to protect the data that follows. Here is how a mutual-authentication handshake proceeds (the message names below are those of TLS 1.2; TLS 1.3 exchanges the same information, but everything after the ServerHello is already encrypted):

  1. The client initiates the TLS handshake by sending a ClientHello message, which lists the TLS versions, cipher suites and key exchange groups it supports.
  2. The server responds with a ServerHello message that selects the cipher suite, followed by a Certificate message carrying the server's certificate (and therefore its public key) and, because client authentication is required, a CertificateRequest message naming the CAs from which it will accept client certificates. The client verifies the server's certificate by checking its signature chain up to a trusted root CA certificate in its local certificate store, and also checks that the certificate is within its validity period and that its name matches the server the client intended to reach. If the verification is successful, the client proceeds to the next step.
  3. The client sends its own certificate to the server in a Certificate message, followed by a CertificateVerify message: a signature over the handshake so far, made with the client's private key, which proves that the client actually holds the key belonging to the certificate it presented. The server verifies the client's certificate by checking its signature chain against a trusted root CA certificate in its local certificate store and checks the CertificateVerify signature. If either check fails, the server aborts the handshake with an alert; otherwise it proceeds to the next step.
  4. The session keys are derived as in a normal TLS handshake, both sides exchange Finished messages, and the TLS connection is established. All application data that follows is encrypted and integrity-protected with the negotiated symmetric keys.


Benefits of Mutual TLS

Mutual TLS provides several benefits for secure communication:

  1. Secure Authentication: Mutual TLS authenticates both ends of the connection, so the client and server verify each other's identities before any application data is sent. The server no longer has to rely on a password or API key arriving inside the application protocol to know who is calling, and unauthenticated clients never reach the application at all.
  2. Data Privacy: Mutual TLS provides encryption for data in transit, ensuring that sensitive data is protected from eavesdropping and interception. This is particularly important for industries that deal with sensitive data, such as finance, healthcare, and government.
  3. Trust Verification: Mutual TLS allows the client and server to verify each other's trustworthiness by checking that their respective certificates chain to a CA both sides trust, are within their validity period and have not been revoked. This prevents attackers from impersonating legitimate clients or servers, and because the client credential is a private key that is never transmitted, a stolen or phished password alone is not enough to impersonate a client.
  4. Compliance: Many industries are subject to regulatory requirements for strong encryption of data in transit and strong authentication of the systems that exchange it. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires strong cryptography for cardholder data sent over open, public networks; mutual TLS is a widely used way of meeting such requirements for system-to-system connections, although PCI DSS does not mandate mutual TLS by name.

Use Cases for Mutual TLS

Mutual TLS can be used in a variety of scenarios where secure authentication is essential between the communicating endpoints.

  1. API Authentication: Mutual TLS can be used to authenticate services calling each other's APIs. Enterprises and service providers that expose APIs to external parties commonly require a client certificate so that only registered callers can reach the API at all, independently of any application-level token.
  2. Machine-to-Machine Communication: Mutual TLS can be used to secure communication between machines, such as IoT devices or other automated systems. This ensures that only trusted devices can communicate with each other, preventing unauthorized access and data theft.
  3. Financial Transactions: Mutual TLS can be used to secure financial transactions between banks and other financial institutions. By requiring mutual TLS authentication, banks can ensure that only authorized parties can access financial data and prevent fraudulent transactions.
  4. Healthcare: Mutual TLS can be used to secure communication between healthcare providers and patients. This ensures that patient data is only accessible to authorized personnel, protecting sensitive health information from unauthorized access.
  5. Government Services: Mutual TLS can be used to secure communication between government agencies and citizens. This ensures that sensitive government data is only accessible to authorized parties, preventing data breaches and identity theft.

Testing Mutual TLS authentication with IxLoad

Keysight Technologies’ IxLoad provides a comprehensive package to test Mutual TLS on both the client and the server side of your test network, verifying that the zero-trust principle holds between the communicating endpoints over TLS 1.2 and TLS 1.3, for both functional and performance testing. With fully stateful HTTP traffic, IxLoad can be used in one-arm mode, where either the client or the server is emulated by IxLoad, as well as in two-arm mode, where both client and server are emulated by IxLoad. IxLoad supports TLS 1.2 and TLS 1.3 with a variety of cipher suites and key exchange algorithms, and both versions support mutual TLS authentication. It can also be configured to simulate real-world scenarios, such as many clients connecting to a server, or a server handling many simultaneous connections. We will now take a detailed look at how to configure IxLoad for a mutual TLS authentication test.

In this example, both traffic endpoints are emulated by IxLoad. The test runs against a DUT (for example, a TLS/SSL inspecting device) placed between the IxLoad client and the IxLoad server. The objective is for the client and the server to each validate the certificate sent by the other end, and thus authenticate each other, before any data is transmitted. The test topology is shown below.

IxLoad Mutual TLS authentication test topology

Configuring the IxLoad Client – Commands and TLS settings

We have used a simple GET command in the IxLoad client, requesting a 100-byte page over TLS 1.2 with an elliptic-curve (EC) cipher suite.

IxLoad Mutual TLS authentication client command

Enabling the Validate Certificate option in the IxLoad HTTP server makes the server send a CertificateRequest to the client in the same flight as its own certificate (the Server Hello flight), so the client must present a certificate. The certificate of the trusted root CA is imported in the CA Certificate details; the server uses it to validate the certificate the client presents.

IxLoad Mutual TLS authentication server settings

Additionally, enabling the Validate Certificate option in the IxLoad HTTP client makes the IxLoad client validate the certificate presented by the server against the CA certificate that both the client and the server trust (only the CA's certificate is needed for validation, never its private key). The IxLoad server likewise validates the certificate presented by the client against the same CA. On the client side, the certificate of the trusted root CA is imported in the CA Certificate details to validate the server certificate.

IxLoad Mutual TLS authentication client settings
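The handshake described under "How Does Mutual TLS Work?" and the two Validate Certificate options above can be reproduced outside IxLoad with nothing but the Go standard library. The program below is an added example, not code from the original article or from IxLoad. It constructs an in-memory root CA (plus a second, untrusted "Rogue CA"), issues a server certificate for the made-up name server.test and client certificates for the made-up identity client-01, and then runs four handshakes between an in-process client and server over loopback. The Go settings stand in for the IxLoad options: ClientAuth: tls.RequireAndVerifyClientCert together with ClientCAs is the server's Validate Certificate, and RootCAs on the client (with InsecureSkipVerify left false) is the client's Validate Certificate. Every name and certificate here is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint builds an ECDSA P-256 key pair and certificate for name, entirely in memory: a
// self-signed root when parent is nil, otherwise a server or client leaf signed by parent.
func mint(name string, parent *tls.Certificate, usage ...x509.ExtKeyUsage) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors ignored for brevity
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	ku, sans := x509.KeyUsageCertSign, []string(nil) // root: may sign certificates, no SAN
	if parent != nil {
		ku, sans = x509.KeyUsageDigitalSignature, []string{name} // leaf: signs handshakes, has a SAN
	}
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		DNSNames: sans, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, ExtKeyUsage: usage, IsCA: parent == nil, BasicConstraintsValid: parent == nil}
	issuer, issuerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		issuer, issuerKey = parent.Leaf, parent.PrivateKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake connects an in-process client to an in-process server over loopback and returns
// the client CommonName the server verified ("" for an anonymous client) or the handshake error.
func handshake(serverCfg, clientCfg *tls.Config) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var cn string
	srv := make(chan error, 1)
	go func() { // server side: accept, handshake, record the identity the server verified
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			if err = conn.(*tls.Conn).Handshake(); err == nil {
				if peers := conn.(*tls.Conn).ConnectionState().PeerCertificates; len(peers) > 0 {
					cn = peers[0].Subject.CommonName
				}
			}
		}
		srv <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", fmt.Errorf("client: %w", err)
	}
	defer conn.Close()
	// A TLS 1.3 client finishes its handshake before the server has checked its certificate.
	err = <-srv
	return cn, err
}

// run exercises four cases a tester cares about and summarises each as the client identity the
// server verified, "anonymous" when it asked for none, or the reason it rejected the client.
func run() (out []string) {
	root, rogue := mint("Test Root CA", nil), mint("Rogue CA", nil) // rogue is trusted by nobody here
	pool := x509.NewCertPool() // the "CA Certificate" both sides import
	pool.AddCert(root.Leaf)
	serverCert := mint("server.test", &root, x509.ExtKeyUsageServerAuth)
	goodCert := mint("client-01", &root, x509.ExtKeyUsageClientAuth)
	rogueCert := mint("client-01", &rogue, x509.ExtKeyUsageClientAuth)
	// Server "Validate Certificate" on: send a CertificateRequest and verify the chain against root.
	strict := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}
	// Server "Validate Certificate" off: one-way TLS, any client is accepted anonymously.
	lax := &tls.Config{Certificates: []tls.Certificate{serverCert}}
	// Client "Validate Certificate" on: RootCAs set, InsecureSkipVerify left at its default (false).
	client := func(certs ...tls.Certificate) *tls.Config {
		return &tls.Config{RootCAs: pool, ServerName: "server.test", Certificates: certs}
	}
	for _, c := range []struct{ srv, cli *tls.Config }{
		{strict, client(goodCert)}, {strict, client()}, {strict, client(rogueCert)}, {lax, client()}} {
		cn, err := handshake(c.srv, c.cli)
		if err != nil {
			cn = "rejected: " + err.Error()
		} else if cn == "" {
			cn = "anonymous"
		}
		out = append(out, cn)
	}
	return out
}

func main() { fmt.Println(run()) }
```

Running it prints the four results in order: the trusted client authenticates as client-01; the client that sends no certificate and the client whose certificate chains to the rogue CA are both rejected (the Go client, seeing only the trusted root in the server's CertificateRequest, does not even send the rogue certificate, so both failures surface on the server as a missing client certificate); and the lax server accepts an anonymous client, which is exactly the blind spot the server-side Validate Certificate option closes. The same distinction matters with a DUT in the path, as in the IxLoad topology: an inspecting device that terminates and re-originates the TLS connection cannot forward the client's CertificateVerify, since it does not hold the client's private key, so the first case will fail at the server unless the device presents a client certificate of its own that the server trusts.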

Configuring the timeline and objective

The purpose of this exercise is to demonstrate mutual TLS authentication with a single simulated user, so the test objective is set to one user. We also enable packet capture from the Analyzer section of the UI so that the handshake can be inspected afterwards.

Assigning the Test Port – APS-ONE-100 with M1010 controller

We will use one pair of 100GE interfaces on an APS-ONE-100 appliance, connected to the DUT.

A single APS-ONE-100 appliance can actively use up to four QSFP28 100GE interfaces per single test configuration to deliver unparalleled TLS performance of up to 325K TLS connections per second, 4.5M TLS concurrent connections and 160 Gbps of encrypted throughput powered by hardware-based TLS acceleration, significantly improving the transmission of realistic application mixes over TLS connections.


Once the test ports are assigned to the NetTraffics, we are ready to start the test traffic from the APS-ONE-100 appliance.

This completes the IxLoad configuration!

Result analysis and statistics

IxLoad provides a comprehensive set of statistics to help understand and interpret the result of the run. Some of the important statistics are shown below.

These statistics are available for both client and server sides based on the test settings.

IxLoad Mutual TLS authentication test statistics

All these statistics are further supplemented by more granular and per user drill down views.

Next Steps

Keysight’s network, applications, and security test products ensure that your test results are meaningful and deliver the right insights. Start testing your devices and networks for Mutual TLS authentication with IxLoad.

Learn more about how to use IxLoad in the Application Delivery application note: https://www.keysight.com/in/en/assets/7019-0052/application-notes/Application-Delivery.pdf.

For more information, visit our website https://www.keysight.com/in/en/products/network-test/protocol-load-test/ixload.html.
