5 Security

The following security modes are available to use with the Peer Channel Protocol:

  • Transport security: This mode dictates that the neighbor-to-neighbor connections be secured with a TLS over TCP connection. There are two modes of transport security:

    • X.509 certificate-based: In this mode, each node will have an X.509 certificate that is issued by a well-known authority. The neighbor-transport connection in this case is a TLS connection configured with that certificate. The certificate is used by the remote party to authenticate the requesting node before allowing the requesting node to join the mesh. Similarly, the requesting node also authenticates the accepting node (using the certificate that the accepting node has presented during the TLS connection negotiation).

    • Password-based: If the mesh is secured by a password, the transport is still established using TLS over TCP. In this case, any X.509 certificate can be used; the nodes do not authenticate each other's certificates. Instead, they prove knowledge of the password to each other using the password security protocol. The requesting neighbor initiates the password security protocol as soon as the connection is established.

  • X.509 certificate-based message-level security: Independent of the transport security, a mesh can also be configured to have message-level security. In this mode, every sender includes a digital signature along with the message. The signature is computed over the application message using a well-known X.509 certificate credential and is sent along with the application message. The message is secured as specified in [WSTrust].
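As an added illustration of the message-level mode (example code, not part of the protocol specification or of any Peer Channel implementation), the following Go program signs an application message with a node's X.509 credential and checks it on the receiving side. The self-signed certificate, the SignedMessage type and the choice of Ed25519 are assumptions made for the example; they are not the signature format that [WSTrust] prescribes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// SignedMessage: the application message plus the signature sent alongside it (constructed type).
type SignedMessage struct {
	Body      []byte
	Signature []byte
}

// newNodeCredential builds a self-signed X.509 certificate and key for a node;
// a real mesh would use a certificate issued by a well-known authority instead.
func newNodeCredential(name string) (ed25519.PrivateKey, *x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return priv, cert, err
}

// Sign computes the sender's signature over the application message.
func Sign(priv ed25519.PrivateKey, body []byte) SignedMessage {
	return SignedMessage{Body: body, Signature: ed25519.Sign(priv, body)}
}

// Verify checks the signature with the sender's certificate; trusting that certificate is a separate decision.
func Verify(cert *x509.Certificate, m SignedMessage) bool {
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && cert.KeyUsage&x509.KeyUsageDigitalSignature != 0 &&
		ed25519.Verify(pub, m.Body, m.Signature)
}
```

Verify only proves that the holder of the certificate's private key produced the signature over exactly this body; whether that certificate belongs to a node allowed in the mesh is the receiver's own validation step.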