Mutual TLS

상호 TLS 인증 혹은 mTLS는 클라이언트에 대한 서버의 신원만 인증하는 TLS 인증(X.509 표준) 보다 더 강화된 보안 프로토콜로 B2B 서비스 혹은 마이크로서비스 애플리케이션 등 더 강화된 보안이 필요한 곳에서 사용한다.

영문 위키피디아 페이지에서 아래와 같이 소개한다. (링크)

Mutual authentication or two-way authentication (not to be confused with two-factor authentication) refers to two parties authenticating each other at the same time in an authentication protocol. It is a default mode of authentication in some protocols (IKE, SSH) and optional in others (TLS). Mutual authentication is a desired characteristic in verification schemes that transmit sensitive data, in order to ensure data security. Mutual authentication can be accomplished with two types of credentials: usernames and passwords, and public key certificates.

By default the TLS protocol only proves the identity of the server to the client using X.509 certificates, and the authentication of the client to the server is left to the application layer. TLS also offers client-to-server authentication using client-side X.509 authentication. As it requires provisioning of the certificates to the clients and involves less user-friendly experience, it's rarely used in end-user applications.

Mutual TLS authentication (mTLS) is more often used in business-to-business (B2B) applications, where a limited number of programmatic and homogeneous clients are connecting to specific web services, the operational burden is limited, and security requirements are usually much higher as compared to consumer environments. mTLS is also used in microservices-based applications based on runtimes such as Dapr, via systems like SPIFFE.

이에 대해 그림과 함께 쉽게 설명한 블로그가 있어서 여기에 소개한다.

• [Istio] PART12 - Mutual TLS (Link)