Learnitweb

Symmetric Keys in mTLS

Mutual TLS (mTLS) uses both asymmetric encryption (public/private keys) and symmetric encryption (session keys) to provide strong authentication and secure communication. While certificates prove identity, symmetric keys are used for fast, secure data transfer.

1. What is a Symmetric Key?

  • A symmetric key is a single secret key used for both encrypting and decrypting data.
  • In symmetric encryption, the same key is shared between the client and the server.

Key Characteristics:

  • Same key for encryption and decryption: Unlike asymmetric cryptography, which uses a public/private key pair, symmetric encryption uses one key.
  • High-performance: Symmetric encryption algorithms (like AES) are much faster than asymmetric encryption, making them ideal for large data transfers.
  • Temporary: Session keys are usually generated per connection and discarded after the session ends.

Analogy:
Think of a locked box: the sender locks it with a single key, and the receiver unlocks it with the same key. Both parties must keep the key secret.

2. Role of Symmetric Keys in mTLS

Even though mTLS involves mutual certificate verification, symmetric keys are crucial for actual data transmission.

  • Authentication: mTLS uses certificates (asymmetric keys) to verify identity.
  • Session key generation: Once identities are verified, client and server derive a shared symmetric key (session key).
  • Encrypted communication: The symmetric key is used to encrypt and decrypt all subsequent messages.

Why use symmetric keys?

  • Asymmetric encryption is computationally expensive, so it’s only used for authentication and key exchange.
  • Symmetric keys provide fast, efficient encryption for bulk data.
  • Each session gets a unique symmetric key, reducing risk of compromise.

3. How Symmetric Keys Are Established in mTLS

Symmetric keys are never sent directly over the network. Instead, they are derived using an asymmetric key exchange. Let’s break this down.

Step 1: Client Hello

  • The client initiates a TLS connection by sending:
    • Supported encryption algorithms (cipher suites)
    • TLS protocol version
    • Random number (used later for session key derivation)

Step 2: Server Hello + Certificate

  • Server responds with:
    • Chosen cipher suite
    • TLS protocol version
    • Server random number
    • Server certificate (from keystore)
  • Client verifies server certificate against its truststore.

Step 3: Client Certificate & Pre-Master Secret (for mTLS)

  • If mTLS is enabled, server requests the client certificate.
  • Client sends its certificate (from keystore).
  • Client generates a pre-master secret (random number) and encrypts it using the server’s public key.
  • Server decrypts the pre-master secret using its private key.

Step 4: Session Key Generation

  • Both client and server combine:
    • Pre-master secret
    • Random numbers exchanged in steps 1 & 2
  • Using a key derivation function (KDF), they independently generate the symmetric session key.
  • Both sides now have identical symmetric keys without transmitting them directly.

Step 5: Secure Communication

  • All further communication is encrypted with the symmetric session key.
  • Symmetric encryption ensures high performance while keeping messages confidential.
  • Any tampering is detected using message authentication codes (MACs) included in TLS.

4. Why Symmetric Keys Are Critical in mTLS

  1. Performance: Symmetric encryption is orders of magnitude faster than asymmetric encryption, making it suitable for high-throughput data.
  2. Confidentiality: Data is encrypted with a key known only to client and server.
  3. Forward secrecy: Session keys are temporary and unique per session, preventing reuse attacks.
  4. Scalability: Once session keys are derived, servers can handle many simultaneous connections efficiently.

5. Flow Diagram – mTLS with Symmetric Keys

Client                                    Server
   | --- ClientHello ------------------>  |
   | <--- ServerHello + Certificate ---- |
   | --- Client Certificate + Encrypted Pre-Master Secret --> |
   |      Both sides verify certificates                 |
   |      Both sides derive symmetric session key        |
   | <--- Encrypted Data (Symmetric Key) -------------  |
   | --- Encrypted Data (Symmetric Key) -------------  |