Access Control
XCOMPUTE uses cryptographic credentials to enforce authentication, enabling you to connect with confidence.
Each team’s admin(s) control access. To join a project as:
full user: send your fingerprint and email to the admin(s) before connecting.
guest: simply connect for view-only access (assumes the host has set guests_enabled=true).
Authentication
Xplicit Web Services (XWS) issues credentials to access the xcompute network. Available and in-use fingerprints are listed in your account profile. Following package download, a license and its fingerprint are generated. Upon use, it is mapped to a computer with X509 key-cert cryptography.
Two pieces of credential information are required for users:
$email : human identifier
$fingerprint : license identifier
Email
A validated email address is required. We assume you know how to use email and keep it safe.
Fingerprint
A private key is generated for each XCOMPUTE license. Each private key has an associated fingerprint. A private key generates signed certificates to validate identities and connections.
If a viable key/cert is not found, XCOMPUTE will request a new set from XWS using the specified credentials.
Certificates expire 31 days after they are signed; automatic renewal will occur as required.
$fingerprint.key : digital license private key (permanent)
$fingerprint.crt : semi-public certificate (transient)
Keys and certificates are auto-managed by XCOMPUTE. Certificates are reissued every 31 days to maintain high-grade security.
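A defender-side check of the key/certificate pair described above, as an added example rather than XCOMPUTE's own tooling: it confirms that the private key is not readable by other users, that the certificate carries the matching public key, and that the certificate is not about to lapse. It assumes unencrypted PEM-encoded files named <fingerprint>.key and <fingerprint>.crt in one directory and the openssl CLI; the function name check_pair and the 7-day warning window are illustrative choices.

```shell
#!/bin/sh
# Added example, not XCOMPUTE tooling. Assumes PEM-encoded files named
# <fingerprint>.key and <fingerprint>.crt in the same directory.

# check_pair BASE [WARN_DAYS]   (BASE = path without the .key/.crt suffix)
# Returns 0 ok, 1 expired/expiring, 2 key-cert mismatch,
#         3 key readable by group/others, 4 missing input.
check_pair() {
    base=$1
    warn_days=${2:-7}   # illustrative default warning window
    key="$base.key"
    crt="$base.crt"

    if [ ! -r "$key" ] || [ ! -r "$crt" ]; then
        echo "missing $key or $crt"; return 4
    fi

    # The private key is permanent: no group/other permission bits allowed.
    perms=$(ls -ldL "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "key permissions too open ($perms)"; return 3
    fi

    # The certificate must carry the public half of this private key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || crt_pub=
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "key and certificate do not match"; return 2
    fi

    # -checkend N fails if the certificate expires within N seconds.
    if ! openssl x509 -in "$crt" -noout \
            -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo "certificate expired or expiring within $warn_days days"; return 1
    fi

    echo "ok, $(openssl x509 -in "$crt" -noout -enddate)"
    return 0
}
```

Call it as check_pair /path/to/$fingerprint; a return code of 1 shortly before the 31-day mark indicates that automatic renewal has not yet run.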
Machine Id
A third credential is provided by your computer: a machine identifier hash (aka “mash”) that anonymously identifies the end-point.
The mash can be checked:
./xcompute-server --mash
or
./xcompute-client --mash
Security and Logistics
These three credentials are never exposed by xcompute technologies and together make a powerful security trifecta. They are just about as strong as the measures the wielder has in place.
Network Encryption
Our X509 infrastructure provides 4096-bit security over WAN by establishing an Advanced Encryption Standard (AES/GCM) connection via an SSL/TLS handshake.
License Transfer
If for some reason a mash changes, or you’d like to transfer the license to another computer, log in to your account profile, copy the fingerprint associated with the mash into the field under “Unassign Machine/License”, and click UNASSIGN to free the license. The license can then be re-assigned (using the same email/user).