I'm evaluating the security of an application system with multiple partners that talk to each other over TCP/IP. I want to validate using some cryptograhic method that the party I am talking to is the correct and legitimate partner that I expect to be talking to. What's the preferred way to do this? I'm assuming there would be some sort of secret exchange between both apps, but I'm wondering how to best do this. Thanks for any advice.
CodePudding user response:
The simplest and easiest solution here is to use mutual TLS. You can certainly build a different solution, but unless you have extensive knowledge about cryptography, you are likely to have problems designing a secure protocol.
For the programming piece, that generally looks like using OpenSSL (or your system's TLS library) from the client to set up a connection with the server, also using the same library. You'd have a shared custom CA structure to authenticate each party.
There are also systems with short-lived certificates which use TLS, such as SPIRE and SPIFFE.