IBM Support

When transmitting files using Secure+, what is Client Authentication and when should it be used?

Technical Blog Post


Body

What is Client Authentication?
 
With any Secure+ transmission, the sending side (the initiator) is the "client" and the receiving side (the recipient) is the "server." When using either the SSL or TLS protocol, certificates are exchanged between the client and the server and are authenticated.

All Secure+ transactions perform "Server Authentication," meaning that on the handshake to establish the session, the server sends its certificate to the client and that certificate is then authenticated against the "server" certificate that is stored in the client's key ring (or key database). If this certificate sent from the server does not match the server certificate in the client's key ring, then the authentication fails, the transmission is halted and the session ends. In this way, the recipient, or destination, of the file is authenticated.
 
If the "Client Authentication" setting is turned on at the server (recipient), then after the server's certificate is authenticated, the server requests the client (sender) to send its certificate, which is then authenticated against the client certificate already stored in the server's key ring or trusted root (depending on the platform of the server). Client Authentication is always requested by the server, and if the client certificate sent back to the server does not match the client certificate already stored in the server's key ring, then just as with server authentication, the authentication fails, the transmission is halted and the session ends. In this way, the server is authenticating the sender of the file.
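The two handshakes described above, as an added example that is not part of this IBM article and is not Connect:Direct or Secure+ code: a loopback TLS exchange built on Go's standard library, where the server's ClientAuth setting plays the role of the Secure+ "Client Authentication" switch and a CA certificate held by both sides stands in for the certificate stored in each key ring. It goes slightly beyond the text by also showing the two ways a session fails, a server certificate the client does not trust and a client certificate the server does not trust. All certificates, CA names, subject names and scenario labels are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// must stops the example on a setup failure (key generation only fails on a broken randomness source).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a constructed certificate for name. With isCA it is self-signed and may
// sign other certificates; otherwise it is signed by parent/parentKey and is usable as
// either a server or a client leaf (both EKUs, loopback IP SAN).
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial; a real CA records these
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// pair bundles a certificate with its private key for use in a tls.Config.
func pair(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k, Leaf: c}
}

// handshake runs one TLS session over loopback. trusted is the CA both sides hold in their
// key ring, clientAuth is the server's setting, and clientCert is nil when the sender has no
// certificate to present. A nil return means both sides accepted the session.
func handshake(trusted *x509.CertPool, serverCert tls.Certificate, clientAuth tls.ClientAuthType, clientCert *tls.Certificate) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert}, ClientAuth: clientAuth, ClientCAs: trusted})
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() { // server side (the recipient)
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake() // verifies the client certificate when ClientAuth demands it
			c.Close()
		}
		srvErr <- err
	}()
	cfg := &tls.Config{RootCAs: trusted, ServerName: "127.0.0.1"}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg) // client side (the sender)
	if err != nil {
		return err // server authentication failed: the client refused the server's certificate
	}
	defer conn.Close()
	return <-srvErr // client authentication verdict from the server
}

// RunScenarios reports, per constructed scenario, whether the session was accepted.
func RunScenarios() map[string]bool {
	ca, caKey := newCert("Constructed Trusted CA", nil, nil, true)
	rogueCA, rogueKey := newCert("Constructed Untrusted CA", nil, nil, true)
	server := pair(newCert("recipient", ca, caKey, false))
	client := pair(newCert("sender", ca, caKey, false))
	rogue := pair(newCert("impostor", rogueCA, rogueKey, false)) // not issued by the trusted CA
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	mutual := tls.RequireAndVerifyClientCert
	return map[string]bool{
		"server auth only, trusted server":      handshake(trusted, server, tls.NoClientCert, nil) == nil,
		"server auth only, untrusted server":    handshake(trusted, rogue, tls.NoClientCert, nil) == nil,
		"client auth on, trusted client cert":   handshake(trusted, server, mutual, &client) == nil,
		"client auth on, no client cert":        handshake(trusted, server, mutual, nil) == nil,
		"client auth on, untrusted client cert": handshake(trusted, server, mutual, &rogue) == nil,
	}
}
```

With client authentication off, the only check is the client's verification of the server certificate, so a sender with no certificate at all is accepted. With it on (tls.RequireAndVerifyClientCert), the server additionally ends the session when the sender presents no certificate or one issued by a CA the server does not hold.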
 
 
When Should Client Authentication Be Used?
 
In most cases, performing server authentication is sufficient; that is, it is typically sufficient to authenticate the recipient, or destination, of the file being sent without authenticating the sender. However, there are instances where both the recipient and the sender of the file require authentication to ensure exactly who is sending the file and where it is being sent.
 
For example, assume one is ordering an item from a retail website. When signing on to the website, server authentication is done to make sure that the correct website is being accessed. However, the website itself does not care who signed on, only that the person signing on has money and wants to purchase an item. In this case, only server authentication is required to ensure a secure transaction.
 
Now, let's say that this same person signs on to his online banking website. Again, server authentication is done to make sure the correct website is being accessed. However, this time the website (i.e., the bank) needs to know who is attempting to sign in, so the website requires the client to authenticate who they are in order to make sure that they have the correct authority to sign on to this website. In this case, both server and client authentication are required to ensure a secure transaction.
 
So when should Client Authentication be used? When both the sending and the receiving sides need to be authenticated to ensure a secure transaction.

UID

ibm11124271