Authentication

What is Authentication

Authentication is the act of confirming the identity of a user. Authentication is a key function of Exchange Network Nodes, since most Node services require authentication before they can be used.

Authentication to a Node is achieved by calling an “Authenticate” web method on the Node. This web method requires the user to supply credentials, typically in the form of a username and password. If the user is successfully authenticated, the Node returns a securityToken. This securityToken must then be included in subsequent service calls as proof of identity. A securityToken is an opaque string that is meaningful only to the issuer or trusted peers.

Implementation Concerns for Node Providers

Security Token Expiration: Service providers must implement an aging strategy to prevent replay attacks. An expired token should be discarded immediately. A suggested token life span is about ten minutes.
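An added illustration of the token life cycle described above (example code, not from the Node specification or any Node implementation): a Node-side authenticator that issues an opaque securityToken on a successful Authenticate call and refuses it once the suggested ten-minute life span has elapsed. The credential store, the PBKDF2 password check and the injectable clock are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_LIFETIME_SECONDS = 600   # the ten-minute life span suggested above

# Constructed sample credential store (assumed for this example only):
# username -> (salt, PBKDF2-SHA256 hash of the password).
_SALT = b"constructed-salt"
_ITERATIONS = 100_000
USERS = {
    "node_user": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS)),
}
# Dummy record so unknown usernames take the same time to reject as wrong passwords.
_DUMMY = (_SALT, hashlib.pbkdf2_hmac("sha256", b"dummy", _SALT, _ITERATIONS))


class NodeAuthenticator:
    """Issues opaque securityTokens and validates them with an aging check."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can advance time
        self._tokens = {}            # securityToken -> (username, expiry timestamp)

    def authenticate(self, username, password):
        """Authenticate web method: return a securityToken or None on failure."""
        salt, expected = USERS.get(username, _DUMMY)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
        if username not in USERS or not hmac.compare_digest(candidate, expected):
            return None
        token = secrets.token_urlsafe(32)   # opaque: meaningful only to this issuer
        self._tokens[token] = (username, self._clock() + TOKEN_LIFETIME_SECONDS)
        return token

    def validate(self, token):
        """Check a securityToken presented on a later service call.

        Returns the username it was issued to, or None if the token is unknown
        or has aged out; an expired token is discarded immediately.
        """
        entry = self._tokens.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if self._clock() >= expiry:
            del self._tokens[token]
            return None
        return username
```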

Authentication Transport: Authenticate messages must be sent through a secure transport such as Secure Sockets Layer (SSL). Note that while SSL is very good at securing the communication channel, its use as an end-to-end security solution is problematic.

Authentication Implementation Options: The Exchange Network Node specification does not define exactly how users are authenticated. Each Node implementer is free to choose any available authentication process in the underlying operating system. Because Nodes are interconnected, however, a security breach at one Node may have a grave impact on the overall operation. It is the responsibility of the Node operator to choose a secure authentication process. The Network Security Guidelines and Recommendations describe security practices and implementation options for Network services.

NAAS: Most Nodes use NAAS (Network Authentication and Authorization Service) for Node authorization and authentication.