Mutual TLS, Mutual Transport Layer Security, MTLS
Mutual Transport Layer Security
As the name says, it means establishing TLS in both directions; it is mainly used for server-to-server communication.
Wiki content
In information technology, the Transport Layer Security (TLS) protocol provides connection security with mutual authentication, data confidentiality and integrity, key generation and distribution, and security parameters negotiation. However, missing from the protocol is a way to multiplex application data over a single TLS session.
Multiplexed Transport Layer Security (MTLS) protocol is a new TLS sub-protocol running over TLS or DTLS. The MTLS design provides application multiplexing over a single TLS (or DTLS) session. Therefore, instead of associating a TLS connection with each application, MTLS allows several applications to protect their exchanges over a single TLS session.
MTLS is currently in draft stage http://tools.ietf.org/html/draft-badra-hajjeh-mtls-05 which expired in October 2009.
* DTLS: Datagram Transport Layer Security
Below is the general TLS handshake process. (There are many good resources on the internet, so this was simply copied over.)
- The client sends a ClientHello message with a list of the supported cipher suites, random number, the supported TLS versions and the compression methods.
- The server sends a ServerHello message with the TLS version, a random number, the strongest cipher suite, and a compression method from the client's list.
- The server sends its own certificate.
- The server sends a ServerHelloDone message.
- The client sends a key depending on the cipher selected, and then begins computing the master secret.
- The client sends the ChangeCipherSpec message - authentication and encryption starts.
- The client sends its Finished message, which the server decrypts and verifies.
- The server sends a ChangeCipherSpec message, which the client decrypts and verifies.
- The server sends a Finished message.
Mutual TLS provides mutual identity authentication of the server and the client through the exchange and verification of their digital certificates. (This comes from a vendor called Sonus; it lays the process out step by step, so it is worth referring to.)
[Figure: Sonus mutual TLS handshake diagram, steps 1 through 8; image not reproduced here.]
Step 3 - Always takes place when Mutual Authentication is enabled. If MTLS is disabled, then Verify Peer Server Certificate can be disabled.
Step 4 - This action takes place when MTLS is enabled and Validate Server FQDN is enabled. If Verify Peer Server Certificate is disabled, Validate Server FQDN is also disabled. Validate Server FQDN is an enhanced security feature of the Sonus SBC 1000/2000, which can be disabled if the common name in the certificate is an IP address (some ITSPs do that). The Validate Server FQDN Enabled option allows the Sonus SBC 1000/2000 to perform an FQDN match of an incoming peer certificate's CN or SAN against the host configured in the SIP Server table of the Sonus SBC 1000/2000 (the protocol must be TLS and the host must be an FQDN).
Steps 5, 6, 7 and 8 - If MTLS is enabled, steps 5, 6, and 7 are mandatory and step 8 could be made optional, but steps 5 through 8 are performed by default. If MTLS is disabled, steps 5 through 8 will not be performed.
Step 8 - This action takes place when MTLS is enabled and Validate Client FQDN is enabled. If MTLS is disabled, Validate Client FQDN is also disabled. Validate Client FQDN is an enhanced security feature of the Sonus SBC 1000/2000, which can be disabled if the common name in the certificate is an IP address (some ITSPs do that). The Validate Client FQDN Enabled option allows the Sonus SBC 1000/2000 to perform an FQDN match of an incoming peer certificate's CN or SAN against a reverse DNS lookup of the peer's IP address to an FQDN.
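The two FQDN checks described for steps 4 and 8 (match the peer certificate's SAN/CN against a configured host, or against the reverse DNS of the peer address) are easy to get subtly wrong, so here is an added Python example of that logic. It is not Sonus code and not part of the original page; the function names, the sample certificates and the `fake_reverse_lookup` resolver are all constructed for this example. It assumes the certificate is in the dict shape that `ssl.SSLSocket.getpeercert()` returns after a handshake with `verify_mode=ssl.CERT_REQUIRED`, and it injects the reverse-DNS resolver as a callable so the example runs offline. It also shows why the page says the option must be disabled when the CN is an IP address: an IP literal can never satisfy an FQDN match.

```python
"""Peer-certificate FQDN validation in the style of the Sonus
'Validate Server FQDN' (step 4) and 'Validate Client FQDN' (step 8) options.
Added example; not Sonus code. Certificate dicts mimic ssl.SSLSocket.getpeercert()."""
import ipaddress
from typing import Callable, Iterable, Optional


def _normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so 'SBC.Example.net.' == 'sbc.example.net'."""
    return name.strip().rstrip(".").lower()


def _is_ip_literal(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def certificate_names(cert: dict) -> tuple[list[str], Optional[str]]:
    """Return (DNS SANs, CN). 'IP Address' SANs are ignored because an FQDN
    match needs a host name; the CN is only consulted when no DNS SAN exists."""
    sans = [_normalize(v) for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = _normalize(value)
    return sans, cn


def _label_match(pattern: str, host: str) -> bool:
    """Exact match, or a single left-most '*' label (RFC 6125 style).
    The wildcard covers exactly one label and never the bare domain."""
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    host_labels = host.split(".")
    return len(host_labels) >= 3 and ".".join(host_labels[1:]) == pattern[2:]


def fqdn_match(cert: dict, expected: Iterable[str]) -> Optional[str]:
    """Return the certificate name that matched one of `expected`, else None."""
    sans, cn = certificate_names(cert)
    candidates = sans if sans else ([cn] if cn else [])
    for pattern in candidates:
        if _is_ip_literal(pattern):
            # An IP-address CN cannot satisfy an FQDN match; this is the case
            # the page describes where the FQDN option has to be disabled.
            continue
        for host in expected:
            if _label_match(pattern, _normalize(host)):
                return pattern
    return None


def validate_server_fqdn(cert: dict, configured_host: str) -> bool:
    """Step 4: compare the server's certificate against the configured SIP server host."""
    return fqdn_match(cert, [configured_host]) is not None


def validate_client_fqdn(cert: dict, peer_ip: str,
                         reverse_lookup: Callable[[str], list[str]]) -> bool:
    """Step 8: reverse-resolve the peer IP and compare the client's certificate
    against the names that come back. No PTR record means no match."""
    names = reverse_lookup(peer_ip)
    return bool(names) and fqdn_match(cert, names) is not None


# Constructed sample certificates in getpeercert() shape (not real certificates).
SERVER_CERT_OK = {
    "subject": ((("commonName", "sbc.example.net"),),),
    "subjectAltName": (("DNS", "sbc.example.net"), ("DNS", "*.voice.example.net")),
}
IP_CN_CERT = {"subject": ((("commonName", "192.0.2.10"),),)}
CLIENT_CERT = {"subject": ((("commonName", "phone1.example.net"),),)}


def fake_reverse_lookup(ip: str) -> list[str]:
    """Stand-in for reverse DNS so the example runs offline (constructed data)."""
    return {"192.0.2.20": ["phone1.example.net."]}.get(ip, [])


def demo() -> dict:
    return {
        "server_exact": validate_server_fqdn(SERVER_CERT_OK, "SBC.example.net"),
        "server_wildcard": validate_server_fqdn(SERVER_CERT_OK, "trunk1.voice.example.net"),
        "server_wildcard_too_deep": validate_server_fqdn(SERVER_CERT_OK, "a.b.voice.example.net"),
        "server_ip_cn": validate_server_fqdn(IP_CN_CERT, "192.0.2.10"),
        "client_ok": validate_client_fqdn(CLIENT_CERT, "192.0.2.20", fake_reverse_lookup),
        "client_no_ptr": validate_client_fqdn(CLIENT_CERT, "192.0.2.30", fake_reverse_lookup),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

In a real deployment the server-side `ssl.SSLContext` would use `verify_mode = ssl.CERT_REQUIRED` so that the client certificate is actually requested and checked (steps 5 through 7), and a validator like `validate_client_fqdn` would run on `sock.getpeercert()` after the handshake. Note the asymmetry between the two checks: step 4 compares against a host you configured, while step 8 trusts whatever PTR record the peer's network operator publishes, so it is the weaker of the two and is worth treating as defence in depth rather than as the primary identity check.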
Below is how TLS/MTLS is used in OCS.
Below is the MTLS used on Polycom IP phones.