Key properties

Relock has been designed to include properties that collectively deliver advanced protection against modern cyber threats. This section details these key properties, each representing a fundamental aspect of Relock’s architecture, working in concert to reinforce client authentication and provide session integrity and threat mitigation capabilities that extend far beyond conventional authentication systems.

Interdependent client and server

The Relock mechanism establishes the inherent interdependence between the client and the server. This is achieved because the shared secret, crucial for client verification and session integrity, is never held entirely by either party alone. Instead, it is split: the client possesses an encrypted version of the shared secret, while the server holds the corresponding decryption key. This distributed knowledge of the shared secret provides several notable security benefits:

  • No single point of data compromise: Since neither the client nor the server individually possesses the full, decryptable shared secret, a compromise of isolated data stores on one side (e.g., exfiltration of client-side cookies or server-side decryption keys) does not grant an attacker access to the complete secret. Successfully reconstructing the shared secret from exfiltrated data requires a synchronized compromise and correlation of both client and server components, substantially increasing the difficulty for attackers.

  • Stronger client legitimacy proof: The client’s ability to present its encrypted shared secret, which the server then uses to validate and reconstruct the full secret, serves as a robust proof of legitimacy. This two-party validation makes it significantly more challenging for attackers to spoof a client’s identity or replay old session tokens.

  • Minimized impact of server exfiltration: In the event of a data breach (e.g., a server database compromise), any exfiltrated data relating to the shared secret (i.e., the server-side decryption keys) is inherently valueless to an attacker without the corresponding encrypted shared secret portions from the clients.

Triple verification of the client

A critical aspect of Relock’s continuous verification mechanism is its multi-layered approach to client legitimacy checks. For every client request within an established session, the server performs a three-fold verification, simultaneously checking the presence and correctness of three distinct pieces of evidence sent by the client:

  • The server-set, session-specific shared secret: This short-lived cookie, updated during session verification, confirms the client’s current session context and participation in the Relock protocol.

  • The proof of ephemeral key generation: This proof demonstrates that the client has successfully generated a new ephemeral key using the unique nonce embedded in the previous server-sent webpage. It validates the client’s live interaction and computational capability within the session.

  • The client’s signature: A digital signature generated using the client’s private key (which is never transmitted) authenticates the request itself, proving the request’s integrity and its origin from the legitimate client.

This triple verification provides strong security benefits:

  • Enhanced assurance of legitimacy: By requiring three distinct, cryptographically linked proofs for each request, Relock considerably increases the assurance that the client interacting with the server is indeed the legitimate, established user. This goes far beyond traditional single-factor session checks.

  • Defense against multiple attack vectors: Each verification element helps to counter different types of attacks. For instance, the cookie helps maintain session state, the ephemeral key proof combats replay attacks and verifies live interaction, and the client’s signature ensures message integrity and non-repudiation. An attacker would need to compromise all three layers simultaneously to succeed.

  • Reduced risk of impersonation: The dynamic and cryptographic nature of these proofs makes it exceedingly difficult for an unauthorized party to mimic a legitimate client. Even if one piece of evidence were compromised or forged, the absence or incorrectness of the other two would immediately flag the request as illegitimate.

Real-time threat mitigation

Relock’s inherent design enables real-time detection of potential compromises and significantly shrinks the attack surface. This dynamic approach ensures that threats are mitigated quickly and anomalous activities are identified as they occur:

  • Real-time compromise detection: The Relock system’s continuous verification is designed to detect and respond in real-time to suspicious activities such as key collisions (which indicate an unauthorized attempt to assume an identity) or changes in a client’s network location. These detections can trigger immediate automated responses, including forced user logout or lockout, preventing further unauthorized access.

  • Minimized attack window: Relock substantially reduces the window of opportunity for attackers. Unlike traditional authentication methods that establish trust only at the beginning of a session, Relock continuously validates the client’s legitimacy with every request. This constant re-evaluation, combined with ephemeral cryptographic keys and frequent secret updates whose interval is set by the REKEYING_NONCE_TTL parameter (see Key rotation settings), means that any compromised session information or key material has a very short lifespan before it is invalidated or refreshed. This drastically limits the time an attacker has to exploit a breach, making long-term session hijacking or replay attacks highly improbable.

Configurable robust security controls

Relock’s comprehensive configuration capabilities (see Server configuration) provide administrators with granular control over the security posture and operational resilience, making it a highly adaptable and robust solution against evolving cyber threats. This extensive customizability translates directly into considerable security benefits:

  • Tailored security posture: Relock allows for precise adjustment of essential security behaviors, such as the frequency of continuous client re-verification and the exposure of HTTP routes. Re-verification frequency is set via the REKEYING_NONCE_TTL parameter, which directly controls how often the ephemeral key is rotated; route exposure is governed by the RELOCK_SERVICE_PROTECTED parameter, which protects all routes unless a route is explicitly declared otherwise. Crucially, these controls help balance robust security against operational considerations, while minimizing the attack surface from the outset.

  • Automated threat response and anomaly handling: Relock provides robust, configurable responses to various security-critical events and anomalies, bolstering its defense mechanisms:

      ◦ Key collision management (RELOCK_SERVICE_REPROCESS): Define the system’s reaction to detected key collisions, which could indicate unauthorized access attempts. Relock can automatically log out affected users to clear corrupted states or lock them out for manual administrator investigation.

      ◦ Integrity violation responses (RELOCK_ABORT_ON_BAD_REQUEST, RELOCK_ABORT_ON_CONFLICT, RELOCK_ABORT_WHEN_GONE): Configurable actions (e.g., automatic logout or user lockout) upon detection of invalid device cookies, corrupted device data, or missing cryptographic keys. This helps prevent manipulation, enforce data integrity, and enable rapid response to suspected tampering.

      ◦ Network change detection (RELOCK_ABORT_WHEN_NETWORK_CHANGE): Automatically terminates sessions upon detecting suspicious changes in a client’s network location, effectively thwarting session hijacking attempts originating from new or unauthorized IPs.

  • Operational security visibility: Integration options for OpenTelemetry and Continuous Access Evaluation Profile (CAEP) enable comprehensive monitoring and real-time security signal sharing. This capability allows security teams to centralize Relock’s operational data and security events within their existing security information and event management (SIEM) systems, enhancing threat detection, analysis, and incident response.

Detailed, deterministic threat alerts

Whenever Relock identifies a potential compromise or an anomaly related to device trust, user authentication, or session integrity, it sends alerts that are deterministic and provide fine-grained breach context:

  • Deterministic detection: Unlike systems that rely on probabilistic risk scores or inherently variable inputs like behavioral biometrics, Relock’s signaling is deterministic. This means that if a security status code is returned indicating a problem, there is indeed a verifiable cryptographic or logical failure.

  • Fine-grained breach context: Relock employs a range of distinct status codes (see Status codes), each precisely indicating the nature of a detected issue, such as invalid client-side cookies, network changes, key validation failures, or probable session hijacking. This provides immediate, specific context about the security anomaly, going beyond generic error messages.

This deterministic, granular signaling, delivered through HTTP status codes, is a critical property that provides several important benefits:

  • Minimization of false positives: Relock’s deterministic signaling eliminates false positives, a common challenge in security monitoring. By relying on cryptographic and logical certainties rather than probabilistic assessments, Relock ensures that when an alert is triggered, it indicates a verifiable anomaly or potential compromise. This precision prevents alert fatigue for security teams, allowing them to focus resources on actual threats and trust the integrity of the system’s security posture.

  • Accelerated incident response: The immediate, specific, and trustworthy context provided by Relock’s status codes allows security teams and integrating applications to bypass lengthy debugging processes. They can instantly understand the type of threat, enabling a much faster and more targeted response and remediation.

  • Enables automated security workflows: The deterministic and specific nature of Relock alerts empowers applications to trigger precise, automated security actions. For example, a status code indicating session hijacking can be configured to automatically invalidate the session, notify the user of suspicious activity, and initiate a step-up authentication process, all without requiring manual intervention.