# Multiple Resource Identities

In the previous section, we covered the basics of authentication using HexaEight Encryption and Decryption process by demonstrating how two programs with distinct Generic Resource Identities can authenticate with each other. However, there may be instances where managing multiple identities of the same resource is necessary to address scalability concerns or handle different operations. The following diagram illustrates one such scenario

Scenario 1

Multiprocessing by Same Resource Identity by sending data to an external resource

%%{init: { 'theme': 'forest' } }%%
erDiagram
    Data-Set-A ||--|| Generic-Resource-Instance-1 : Reads
    Generic-Resource-Instance-1 ||--|{ Common-Data-Sink : And-Stores-In
    Generic-Resource-Instance-1 {
        Processes Data-Set-A
	Encrypts Data-Set-A
	Using Generic-Resource-2-Asymmetric-Shared-Key
    }

    Data-Set-B ||--|| Generic-Resource-Instance-2 : Reads
    Generic-Resource-Instance-2 ||--|{ Common-Data-Sink : And-Stores-In
    Generic-Resource-Instance-2 {
        Processes Data-Set-B
	Encrypts Data-Set-B
	Using Generic-Resource-2-Asymmetric-Shared-Key
    }

    Data-Set-C ||--|| Generic-Resource-Instance-3 : Reads
    Generic-Resource-Instance-3 ||--|{ Common-Data-Sink : And-Stores-In
    Generic-Resource-Instance-3 {
        Processes Data-Set-C
	Encrypts Data-Set-C
	Using Generic-Resource-2-Asymmetric-Shared-Key
    }

    Common-Data-Sink ||--|| Generic-Resource-2 : Reads
    Generic-Resource-2 {
        Processes Data-Received-From-Three-Instances
    }

In the scenario described above, it is not advisable to share resource identity credentials among all instances if they are running on different systems. This is because a credential leak on one instance can lead to an attack on all instances since they share the same password.
For better security, HexaEight Platform recommends generating multiple login tokens for the same resource with different passwords instead of sharing resource identity credentials across different instances.
By generating multiple login tokens with different passwords, potential compromises can be detected, and in this example Generic-Resource-2 can be alerted to stop processing requests from the vulnerable instance based on the source identifier.
It is important to understand that all the three instances of Generic-Resource-1 fetch different asymmetric shared keys from HexaEight Platform by using their individual Login Tokens.
In this scenario Generic-Resource-1 fetches 3 different asymmetric shared keys of Generic-Resource-2, however since Generic-Resource-2 runs only one instance, it fetches the same asymmetric shared key of Generic-Resource-1 from HexaEight Platform.

To demonstrate this scenario, we have developed four programs, three of them running instances of Generic-Resource-1 and one instance Generic-Resource-2. We are also dumping the encrypted data into a free third party site called dweet.io as the common datasink.

The link for the sample programs is available below. You will need an API Key to execute these programs.

Generic Resource 1 - Instance 1

Generic Resource 1 - Instance 2

Generic Resource 1 - Instance 3

Generic Resource 2 - Single Instance

The output of Generic Resource 1 Instances are below :

Generic Instance 1 Data Set A (1) 4314397284692961805 Posted To Common Sink With Response : OK
Generic Instance 1 Data Set A (2) 3291438943102099610 Posted To Common Sink With Response : OK
Generic Instance 1 Data Set B (3) 5724686109214581236 Posted To Common Sink With Response : OK
Generic Instance 1 Data Set C (4) 3761553603542083283 Posted To Common Sink With Response : OK
Generic Instance 1 Data Set C (5) 5257767062494391521 Posted To Common Sink With Response : OK

The output of Generic Resource 2 Single Instances is below :

Displaying Latest Received Data
-------------------------------
Sender :A9CB8EFAF7D258CC03DCD71C37295B5FE7BE435DF13A43239D34EEDD4C21D464 Message :Generic Instance 1 Data Set B (3) 5724686109214581236 Sent At : 2023-02-22T15:54:23.266Z
Sender :A9CB8EFAF7D258CC03DCD71C37295B5FE7BE435DF13A43239D34EEDD4C21D464 Message :Generic Instance 1 Data Set C (5) 5257767062494391521 Sent At : 2023-02-22T15:54:02.994Z
Sender :A9CB8EFAF7D258CC03DCD71C37295B5FE7BE435DF13A43239D34EEDD4C21D464 Message :Generic Instance 1 Data Set C (4) 3761553603542083283 Sent At : 2023-02-22T15:54:01.487Z
Sender :A9CB8EFAF7D258CC03DCD71C37295B5FE7BE435DF13A43239D34EEDD4C21D464 Message :Generic Instance 1 Data Set A (2) 3291438943102099610 Sent At : 2023-02-22T15:53:41.082Z
Sender :A9CB8EFAF7D258CC03DCD71C37295B5FE7BE435DF13A43239D34EEDD4C21D464 Message :Generic Instance 1 Data Set A (1) 4314397284692961805 Sent At : 2023-02-22T15:53:39.453Z

For optimal security, the HexaEight Platform employs Perfect Forward Secrecy, which generates new encryption keys every 15 minutes. Therefore, it is important to run the sample program within a 15-minute window to ensure Generic Resource 2 is able to process the incoming data and display the output.
Since multiple people might be looking at this documentation and trying to execute this program from various locations, it is possible that Generic Resource 2 displays a set of data that differs from the ones sent by your instances of Generic Resource 1. It's important to note that the common datasink can only store the last 5 incoming requests. If you encounter this situation, keep in mind that there might be other users executing this same program

Scenario 2

Below we just showcase another scenario where multiple instances of single Resource Identity accepts data from an multiple external resources

%%{init: { 'theme': 'forest' } }%%
erDiagram
    entrydoor-Instance-1 ||--|| Robot-A : Requests-Entry
    Robot-A {
        Scans Source-Identifer-Displayed-As-QrCode
	Encrypts Request-For-entrydoor
	Sends Request-Via-Bluetooth-placed-near-the-door
    }

    entrydoor-Instance-2 ||--|| Robot-B : Requests-Entry
    Robot-B {
        Scans Source-Identifer-Displayed-As-QrCode
	Encrypts Request-For-entrydoor
	Sends Request-Via-Bluetooth-placed-near-the-door
    }

    entrydoor-Instance-3 ||--|| Robot-C : Requests-Entry
    Robot-C {
        Scans Source-Identifer-Displayed-As-QrCode
	Encrypts Request-For-entrydoor
	Sends Request-Via-Bluetooth-placed-near-the-door
    }

Scenario - 2

If one of the entrydoors malfunctions in the example above, the stuck robot can still gain access by approaching the other entrydoors.
Each instance of entrydoor has its own unique combination of login token and password configured.

Summary

HexaEight Platform can issue multiple login tokens to the same resource using different passwords.

Its important to protect the password of a resource after the login token has been generated.
Multiple Login Tokens for a single Generic Resource Identity can only be managed by the owner of the Generic Resource
Multiple Login Tokens for a single Domain Resource Identity can be managed by multiple users.