
Authentication and encryption

1. Authentication and encryption

Let's explore authentication and encryption with an example. In this example, Service A communicates with Service B by transferring data over a network. Because the communication is indirect, intermediaries like routers, switches, or other servers can read or even modify the data in transit, and Service A can't tell whether Service B received the request as intended. To stop intermediaries from reading and modifying data, the traffic can be encrypted with the Transport Layer Security protocol, or TLS.

TLS combines two kinds of encryption. Asymmetric encryption uses a key pair: a public key that anyone may use to encrypt, and a private key, held only by its owner, that decrypts. Service A can encrypt a message with Service B's public key, and only Service B, holding the matching private key, can read it. Asymmetric encryption is slow and only protects one direction, so TLS uses it just while the connection is being established: the two services agree on a fresh symmetric session key, and both of them then use that one key to encrypt and decrypt the messages flowing in either direction. Only Services A and B hold the session key, so nobody else can decrypt the traffic.

But what if an intermediate computer intercepts the traffic and claims to be Service B? Service A would set up the session key with the impostor instead, and the encryption would protect nothing. So the identity behind a public key must be verified before Service A trusts it. TLS solves this with X.509 certificates. When Service A first establishes a connection, it asks Service B for a certificate that binds Service B's name to its public key. The certificate is signed by a Certificate Authority, or CA, an issuer that both services have agreed to trust in advance. Service A checks that the certificate was signed by a CA it trusts, that the name in it matches the service it meant to reach, and that it hasn't expired; the CA itself isn't contacted during the handshake, only its public key is needed. This is the same process browsers use for websites that run over HTTPS. In a microservices architecture, Service B usually needs to know who is calling too, so when Service A connects, both services present certificates and each verifies the other's against the trusted CA.

The symmetric session key is then used to encrypt the messages. The process of authenticating both services and encrypting messages in both directions is called Mutual TLS, or mTLS. In a microservices architecture, issuing and rotating certificates for a large number of services can be complex. Service meshes like Istio simplify this by providing automated certificate management and mTLS enforcement.
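Here is the exchange described above carried out end to end in Go, using only the standard library. It is an added example, not code from the course or from Istio: a throwaway CA issues certificates to Service A and Service B, B demands and verifies A's certificate while A verifies B's, and the two failure modes from the text, an impostor presenting a certificate the CA never signed and a caller with no certificate at all, are turned away. The names mesh-ca, service-a and service-b, the one-hour certificate lifetime and the loopback address are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newIdentity issues an X.509 certificate (with its private key) for name: a self-signed CA when
// parent is nil, otherwise one signed by parent's key, which is what a CA does when it vouches for a service.
func newIdentity(name string, parent *tls.Certificate) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name}, // the name a client checks against its ServerName
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signerCert, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	} else {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced, re-parsed to get the *Certificate
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// mtlsExchange runs Service B as a TLS server requiring a client certificate issued by ca, and Service A
// as a client presenting clientID (nil = none) and trusting ca. B replies with its caller's verified name.
func mtlsExchange(ca, serverID, clientID *tls.Certificate, msg string) (string, error) {
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{*serverID},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "mutual" in mTLS
		ClientCAs:    trusted,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // Service B: serve a single connection
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		buf := make([]byte, 1024)
		n, err := tc.Read(buf) // the handshake, including the client-certificate check, runs here
		if err != nil {
			return // no client certificate, or one the CA never issued
		}
		caller := tc.ConnectionState().PeerCertificates[0].Subject.CommonName
		fmt.Fprintf(tc, "%s said: %s", caller, buf[:n])
	}()
	clientCfg := &tls.Config{RootCAs: trusted, ServerName: "service-b"} // Service A
	if clientID != nil {
		clientCfg.Certificates = []tls.Certificate{*clientID}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", err // e.g. x509: certificate signed by unknown authority
	}
	defer conn.Close()
	conn.Write([]byte(msg)) // a failure here is reported by the Read that follows
	reply := make([]byte, 1024)
	n, err := conn.Read(reply) // B's rejection of A, if any, arrives here as a TLS alert
	if err != nil {
		return "", err // e.g. remote error: tls: certificate required
	}
	return string(reply[:n]), nil
}

func main() {
	ca, _ := newIdentity("mesh-ca", nil)
	a, _ := newIdentity("service-a", ca)
	b, _ := newIdentity("service-b", ca)
	fmt.Println(mtlsExchange(ca, b, a, "hello"))   // service-a said: hello <nil>
	fmt.Println(mtlsExchange(ca, b, nil, "hello")) // fails: A presented no certificate
}
```

Two details are worth noticing. Service B never talks to the CA: `ClientCAs` holds only the CA's certificate, and that public key is enough to check the signature on whatever A presents. And in Go's TLS 1.3 implementation, A's `tls.Dial` can succeed even when B is about to reject it, because the client finishes its half of the handshake before the server has examined the client certificate; B's refusal only shows up as an alert on A's first read. A real client must therefore treat an error on that first read as an authentication failure rather than a transient network hiccup.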

2. Let's practice!
