Page cover

Connection Authentication

To ensure secure communication between Orchestrators and Media Nodes in the Chroom network, a robust authentication mechanism is implemented. This mechanism leverages Public-Private Key Cryptography and time-sensitive payloads to verify the integrity and authenticity of RPC calls.

Authentication Process Overview

Each Orchestrator generates and maintains a Public-Private Key Pair to facilitate secure interactions. For every RPC call, the Orchestrator creates a custom payload containing the following elements:

  1. Issuer (iss): The current timestamp in UTC, indicating when the payload was created.

  2. Expiration (exp): A timestamp two minutes into the future, defining the payload's validity period.

  3. Public Key (publicKey): The Orchestrator's public key, which serves as a credential for the Media Node to verify the signature.

The payload is structured as follows:

iss := time.Now().UTC().Format(time.RFC3339)
exp := time.Now().Add(2 * time.Minute).UTC().Format(time.RFC3339)
payload := map[string]string{
    "iss": iss,
    "exp": exp,
    "publicKey": "<PUBLIC_KEY>"
}

Payload Signing and Transmission

The Orchestrator signs the payload using its Private Key to ensure its authenticity. The signed payload, along with the signature, is transmitted to the Media Node as part of the RPC call using custom HTTP headers:

x-chroom-payload: Contains the JSON-encoded payload.
x-chroom-signature: Contains the digital signature of the payload.

Media Node Authentication Steps

Upon receiving the RPC call, the Media Node authenticates the request by following these steps:

Algorithm: Media Node RPC Call Authentication

1: procedure AuthenticateRPCCall(request)
2: payload ← ExtractHeader(request, 'x-chroom-payload')
3: signature ← ExtractHeader(request, 'x-chroom-signature')
4: {publicKey, iss, exp} ← DecodePayload(payload)
5: currentTime ← GetCurrentTime()
6: if currentTime < iss or currentTime > exp then
7:     return FALSE
8: end if
9: isValid ← VerifySignature(payload, signature, publicKey)
10: if isValid then
11:     return TRUE
12: else
13:     return FALSE
14: end if
15: end procedure

Authentication Details

  1. Extract Headers:

    • The Media Node extracts the x-chroom-payload and x-chroom-signature headers from the RPC call.

  2. Decode Payload:

    • The payload is decoded to retrieve the publicKey, iss, and exp fields.

  3. Validate Timestamps:

    • The Media Node verifies that the current time falls within the validity period defined by iss and exp.

  4. Verify Signature:

    • The payload's signature is validated using the provided publicKey.

  5. Authenticate Request:

    • If all checks pass, the Media Node considers the RPC call authenticated and processes the request. Otherwise, it rejects the call.

Security Highlights

  • Time-Sensitive Payloads: Payloads have a short lifespan, reducing the risk of replay attacks.

  • Cryptographic Signatures: Digital signatures ensure that only legitimate Orchestrators can send valid requests.

  • Decentralized Authentication: The use of public-private key pairs aligns with the Chroom network's decentralized architecture.

This robust authentication process guarantees secure, trusted communication between Orchestrators and Media Nodes, ensuring the integrity and reliability of the Chroom network.

PreviousOrchestratorNextMedia Node Allocations

Last updated