The security requirements in place are:
The connection to the HUB is SSL-encrypted
The payload is further encrypted using the public certificate of the target actor, and signed using the certificate of the requestor.
There is a username and password, where the password is automatically renewed every day
If the above 3 items are not in place then the message to the EU Hub will not be successful, and as such National Blueprint Provider must have them all in place.
In addition, the NMVS adopt the following principles:
NBS behavior:
Messages sent over a secure connection (HTTPS).
Authentication through mutual certificate authentication (NBS, Hub) and session token.
WCF extension for security binding, applied to Hub clients:
Message security: WS-Security (Microsoft docs: “Basic Security Profile based on WS-Security 1.1, WS-Trust of February 2005, WS-SecureConversation of February 2005 and WS-SecurityPolicy 1.1 security specifications.”)
Encryption: Basic256Sha256Rsa15 (Microsoft docs: “Uses RSA15 as the key wrap algorithm, SHA256 for the signature digest, and 256-bit Basic as the message encryption algorithm”)
Timestamps included
Encrypts before signs