All,
I am building an interface for a system (ours) that contains sensitive data that must now be made available through a system interface (of our own design) to what will be built into a client's other systems.
Scenario: SystemB calls SystemA.NewInterface.getData() where SystemA is the pre-existing one (ours) and SystemB is an authenticated, authorised caller.
The question centres on: What authentication mechanism is a good one here?
Standard network-level security (SSL/TLS, port blocking, IP address filtering) will, of course, be used. But IP addresses can be spoofed. The data that flows will be obfuscated (to protect sensitivity and anonymity of persons from whom the data was collected) but is nonetheless very valuable when obtained in bulk.
Issuing certificate(s) to the calling system is not an option.
I have a plan/design/cigarette packet view for a Two-factor (ish) authentication system that is modelled on the key exchange much like 'Diffie-Hellman' (Wikipedia on Diffie-Hellman) but it is involved enough that the business people might ask questions of its suitability. Valid questions where the valid answers are very technical.
I do not think the business will understand the reasons for such a technical choice/plan.
Are there any global or national guidelines or standards for authentication for system->system interfaces that do not use certificates in the regulated world (govt, military, medical regs)?
If I can cite a standard by a global org/standards committee or a regulatory body then I will gladly use (extend?) that pattern ... then the business can know it is more than just technical 'wizardry'/smoke & mirrors.
Big thanks for the help!
Aidanapword