Process of determining whether someone or something is who or what it declares itself to be
Organizations that issue certificates by signing them with their own private key
Encryption algorithm
Process of protecting information from being accessed by unauthorized parties
Mainly achieved via encryption
The process of preserving the accuracy and completeness of data over its entire lifecycle, so that it cannot be modified in an unauthorized or undetected manner
Adds client authentication using a certificate: the server verifies the client's identity, not only the other way round
Standard for access delegation
Process:
- Client gets a token from an authorization server
- Client makes a request to the resource server, presenting the token
- Resource server validates the token with the authorization server (token introspection)
Note: some token types, like JWTs, are self-contained, so the resource server can validate them locally (signature, expiry, issuer) without a call to the authorization server
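Added example (not from the original notes) of the self-contained case: a resource server validating an HS256 JWT locally. The secret, claims and `SignHS256` issuer are constructed for the demo; `VerifyHS256` pins the algorithm (rejecting `alg: none`), compares the MAC in constant time and checks `exp`, which are the checks that matter when no introspection call is made.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// JWTs use unpadded base64url (RFC 7515).
var b64 = base64.RawURLEncoding

// SignHS256 issues a token for the claims with a shared secret. An authorization server
// would do this; it is included only so the example runs offline.
func SignHS256(secret []byte, claims map[string]any) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// VerifyHS256 validates a token locally. Nothing here talks to the authorization server:
// the signature and expiry carried in the token are enough.
func VerifyHS256(secret []byte, token string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: want header.payload.signature")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("bad header encoding: %w", err)
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, fmt.Errorf("bad header: %w", err)
	}
	// Pin the algorithm on the verifier's side: the token must not pick it, which
	// shuts out "alg":"none" and algorithm-confusion tokens.
	if header.Alg != "HS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("bad signature encoding: %w", err)
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	// Constant-time compare: a byte-by-byte == would leak how much of the MAC matched.
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("signature mismatch")
	}
	payloadJSON, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("bad payload encoding: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(payloadJSON, &claims); err != nil {
		return nil, fmt.Errorf("bad payload: %w", err)
	}
	// exp is seconds since the epoch; JSON numbers unmarshal into float64.
	exp, ok := claims["exp"].(float64)
	if !ok {
		return nil, errors.New("missing exp claim")
	}
	if !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}

func main() {
	secret := []byte("demo-secret-shared-with-the-auth-server") // constructed for the example
	now := time.Now()
	tok, _ := SignHS256(secret, map[string]any{"sub": "alice", "scope": "read", "exp": now.Add(time.Hour).Unix()})
	fmt.Println(VerifyHS256(secret, tok, now))
	// Swap the payload for one claiming admin: the signature no longer covers it.
	parts := strings.Split(tok, ".")
	forged := parts[0] + "." + b64.EncodeToString([]byte(`{"sub":"admin","exp":4102444800}`)) + "." + parts[2]
	fmt.Println(VerifyHS256(secret, forged, now))
}
```

With an asymmetric algorithm (RS256, ES256) the same structure applies, except the verifier holds only the authorization server's public key, typically fetched once from its JWKS endpoint and cached.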
System for managing, storing, and distributing certificates
Relies on certificate revocation lists (CRLs) or OCSP to withdraw trust in compromised or retired certificates
With mutual TLS:
- Client hello: supported protocol versions, cipher suites, etc.
- Server hello: chosen protocol version and cipher suite, etc.
- Server sends its certificate
- Client checks the server certificate (e.g., the issuing CA is trusted in its truststore, the certificate is not expired or revoked, the name matches the host it connected to)
- Server requests a client certificate and the client sends its certificate
- Server checks the client certificate against the CAs it trusts for clients
- The client generates a session key, encrypts it with the public key from the server certificate (asymmetric encryption) and sends it to the server (RSA key transport, TLS 1.2 and earlier; TLS 1.3 instead derives the session key from an ephemeral Diffie-Hellman exchange, so no key is sent over the wire)
- Both sides encrypt each record of application data using the session key (symmetric encryption)
One-way TLS: the same exchange without the client certificate steps, so only the server is authenticated; the session key is still generated by the client (or derived from the ephemeral key exchange in TLS 1.3)
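Added example (not from the original notes) of the mutual exchange above, run end to end over loopback in Go's standard library. A throwaway root CA issues a server certificate and a client certificate in memory; the server sets `ClientAuth: tls.RequireAndVerifyClientCert`, the client verifies the server against the same CA, and a second client without a certificate is shown being refused. Names such as `Demo Root CA`, `api.example.internal` and `client-42` are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue creates a certificate for cn signed by parent (self-signed when parent is nil).
// It stands in for a CA; the demo root lives only in memory.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only if the system RNG is unusable
	}
	tmpl := &x509.Certificate{
		SerialNumber:          new(big.Int).SetBytes([]byte(cn)), // unique per name here; a real CA uses random serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // SAN the client matches against the dialed 127.0.0.1
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // cannot fail: DER we just produced
	return cert, key
}

// connect dials, completes the handshake, and returns the CN of the verified server certificate.
// Under TLS 1.3 the client's handshake finishes before the server has checked the client
// certificate, so a rejected client sees the alert on its first Read rather than in Dial.
func connect(addr string, cfg *tls.Config) (string, error) {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if _, err := conn.Read(make([]byte, 1)); err != nil {
		return "", err
	}
	return conn.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

// RunMutualTLS runs the exchange over loopback and returns the CN the server saw in the client
// certificate, the CN the client saw in the server certificate, and whether a certificate-less client was refused.
func RunMutualTLS() (serverSawClient, clientSawServer string, noCertRejected bool, err error) {
	caCert, caKey := issue("Demo Root CA", true, nil, nil)
	srvCert, srvKey := issue("api.example.internal", false, caCert, caKey)
	cliCert, cliKey := issue("client-42", false, caCert, caKey)
	pool := x509.NewCertPool() // the truststore each side checks the peer's chain against
	pool.AddCert(caCert)
	srvCfg := &tls.Config{ClientCAs: pool, MinVersion: tls.VersionTLS13,
		ClientAuth:   tls.RequireAndVerifyClientCert, // this setting is what makes the TLS mutual
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return
	}
	defer ln.Close()
	sawClient := make(chan string, 1)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			tc := c.(*tls.Conn)
			if tc.Handshake() == nil { // fails with "client didn't provide a certificate" otherwise
				sawClient <- tc.ConnectionState().PeerCertificates[0].Subject.CommonName
				tc.Write([]byte{1}) // one-byte acknowledgement so the client knows it was accepted
			}
			tc.Close()
		}
	}()
	authed := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS13,
		Certificates: []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}}
	if clientSawServer, err = connect(ln.Addr().String(), authed); err != nil {
		return
	}
	serverSawClient = <-sawClient
	// Same server, same truststore, no client certificate: the server must refuse.
	_, noCertErr := connect(ln.Addr().String(), &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS13})
	return serverSawClient, clientSawServer, noCertErr != nil, nil
}
```

Dropping `ClientAuth` (or setting it to `tls.NoClientCert`) turns the same code into one-way TLS: the client still verifies the server, but the server learns nothing about who connected. The `MinVersion: tls.VersionTLS13` lines are there so the session key comes from the ephemeral key exchange rather than RSA key transport.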
Encryption in transit
Encryption at rest
Symmetric: one key shared between the client and the server (faster, used for the bulk of the data)
Asymmetric: two keys are used, a public one that anyone may hold and a private one kept by its owner
- Client encrypts a message with the server's public key
- Server decrypts the message with its private key (the private key never leaves the server)
Integrity and authentication
- Confidentiality
- Authentication
- Integrity