Abhishek Bhatia:
I have a question on certificates. When connecting to the kube-apiserver from a client, why does the client have to provide the private key? I assumed private key is for decryption and never goes out
Matthew Robinson:
The key and certificate (and certificate authority (CA) certificate) are being passed to curl in this case as client credentials so that the kube-apiserver can trust the client. PKI uses asymmetric encryption so the client (curl) will use the private key to encrypt the data it sends which the server can decrypt using the client public key. The data can only be decrypted by the client public key and the key was signed by a certificate authority (CA) that the server trusts which means the server can trust the client.
Matthew Robinson:
The communication to initiate the secure connection will consist of encrypting symmetric keys (to be used to encrypt the bulk of the communication) using both the clients keys and the servers keys simultaneously which ensures that the client and server can trust each other.
If the client makes a request that is encrypted with the client’s private key and then the server’s public key then only the server can decrypt the message with it’s private key and then decrypt again with the client’s public key ensuring that the message can only be read by the server and also ensuring that the message was sent by a trusted client.
Matthew Robinson:
PKI is an expensive (i.e. slow) CPU operation so it is only used to establish initial trust and to securely transfer a shared key to be used for symmetric encryption which is much less CPU intensive.
Abhishek Bhatia:
@Matthew Robinson This is awesome. Thank you for taking time to explain it. There’s just one doubt though. I know private and public keys are pairs and one can be used to encrypt and other to decrypt(not necessarily public for encrypt and private for decrypt). However the usual pattern is to encrypt using public and decrypt using private. Here I see in your statement that the other pattern is being followed: server can decrypt using the client public key . The question is:
- Why is that?
- How does the server get it?
- Won’t anyone else get the public key as its freely available?
Matthew Robinson:
The keys are asymmetric, data can be encrypted with the public key and decrypted with the private key OR data can be encrypted with the private key and decrypted with the public key.
Which keys (public/private) are used to encrypt and decrypt depends on the direction of the message. If the client is sending data to the server then it can use the servers public key to encrypt and only the server can decrypt with its private key.
If the server is sending to the client then it encrypts the data with the private key and then the client can decrypt with the public key.
Abhishek Bhatia:
that makes sense, the last part is still in doubt for me – if client can decrypt using public key, can this not be done by anyone else as public keys are available to all?
Matthew Robinson:
In the case of a normal web request (browser to server).l. The browser makes a request to the server. The server replies with it’s public key. The browser checks the public key is signed by a trusted certificate authority. Then the client encrypts a randomly generated key to be used for symmetric encryption with the public key and then sends this to the server. Only the server can decrypt this key. The server and client now use the shared symmetric key to communicate.
Matthew Robinson:
If the server encrypts something with its private key then anyone with the public key can be sure that they are talking to the trusted server because only the server has the private key.
Matthew Robinson:
But as you say anyone with the public key can decrypt the data which is why the client/server switch to symmetric encryption once a key has been passed.
Matthew Robinson:
But don’t forget that PKI ensures both security AND/OR trust depending on the particular transaction.
Abhishek Bhatia:
That also clarifies things furthers. Let me ask you this… i think you already mentioned. in case of client and server both having certificates… how is the symmetric key encrypted? is this using this, quoting you above
using both the clients keys and the servers keys simultaneously which ensures that the client and server can trust each other
Matthew Robinson:
Now that we are starting to get into the exact details it is probably better to defer to someone with more knowledge than me (plus it is 1am here). Check out the following that might explain the details.
https://blog.cloudflare.com/introducing-tls-client-auth/
Matthew Robinson:
There are probably other pages out there, search for PKI or TLS or SSL handshake with client authentication.
Abhishek Bhatia:
this is good now… i have a very decent understanding now… thanks @Matthew Robinson once again