Authenticate

From Exchange Network Wiki


Authenticate is a key function (or "web method") of Exchange Network nodes. It authenticates a user using a supplied credential and returns a securityToken when successful. The securityToken must be included in all other method invocations (except NodePing) as proof of identity. A securityToken is an opaque string that is meaningful only to the issuer or trusted peers; although opaque to the caller, it typically encodes:

  • The user ID or profile name.
  • A session ID for state management.
  • A timestamp for aging, expiration.


Service providers must implement an aging strategy to prevent replay attacks. An expired token should be discarded immediately. A suggested token life span is about ten (10) minutes.
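As an added example (not code from the specification or from any Node implementation), here is one way an issuing Node could mint and check a token of the kind described above: the user ID, session ID and timestamp are serialized and bound with an HMAC under a key held only by the issuer (or shared with trusted peers), so the string is opaque to everyone else, and the validation step applies the ten-minute life span so a captured token cannot be replayed later. The key, field names and encoding are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumed values: a constructed issuer key (a real Node would load it from
# protected storage) and the ten-minute life span suggested by the page.
ISSUER_KEY = b"constructed-issuer-key-do-not-reuse"
TOKEN_LIFETIME_SECONDS = 600
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC tag appended to the payload


def issue_token(user_id: str, key: bytes = ISSUER_KEY, now: Optional[float] = None) -> str:
    """Mint a securityToken once the caller's credential has been verified.

    The payload carries the three fields the page lists (user ID, session ID,
    timestamp). The HMAC binds them so only a holder of the key can produce
    or accept a token; to anyone else it is just an opaque string.
    """
    issued_at = int(time.time() if now is None else now)
    fields = {"uid": user_id, "sid": secrets.token_hex(16), "iat": issued_at}
    payload = json.dumps(fields, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def validate_token(token: str, key: bytes = ISSUER_KEY, now: Optional[float] = None,
                   lifetime: int = TOKEN_LIFETIME_SECONDS) -> Optional[dict]:
    """Return the token's fields if it is genuine and unexpired, else None.

    Every other web method (except NodePing) runs this check before acting on
    a request. An expired token is rejected outright, which is the aging
    strategy that defeats replay of a previously captured token.
    """
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        fields = json.loads(payload)
    except ValueError:
        return None
    age = (time.time() if now is None else now) - fields.get("iat", 0)
    if age < 0 or age > lifetime:
        return None  # expired (or claims a future issue time): discard immediately
    return fields
```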


Authenticate messages must be sent through a secure transport such as secure socket layer (SSL). Note that although SSL is very good at securing communication channels, its use as an authentication system is problematic: mutual verification of certificates in a large-scale distributed system has proven to be very expensive (a public key infrastructure [PKI] is required) and difficult to implement. The securityToken scheme presented here offers a simple yet effective way of identification and authentication.


Note also that the specification itself does not define exactly how users are authenticated. Each Node implementer is free to choose any available authentication process in the underlying operating system. However, because Nodes are interconnected across the Network, a security breach at one Node may have a grave impact on the overall operation. It is the responsibility of the Node operator to choose a secure authentication process. Network Security Guidelines and Recommendations, describing security practices for Network services, were provided in a separate document dated February 28, 2003.


As described in the accompanying Network Exchange Protocol V1.0 document delivered on March 14, 2003, and the Network Security Guidelines document, initial implementations will rely on an Environmental Protection Agency (EPA) hosted Network Authentication and Authorization Services (NAAS), supplemented as needed by local security services.

For more information, see the Network Node Functional Specification 2.0 at: http://www.exchangenetwork.net/node/node2.0.htm
