Mutual authentication mechanisms that rely on certificates usually attach an expiry date to each certificate, which limits how long a certificate (and the private key behind it) can be abused if it is exposed. The shorter the lifetime, the smaller the window of exposure; however, too short a lifetime causes service outages from authentication failures whenever a certificate is not rotated in time. This disclosure describes techniques for re-authenticating an existing session on demand by either party (client or server) of a mutual authentication scheme. If the new authentication fails, or if either certificate expires, the session is automatically broken. When re-authentication succeeds it is transparent to the application-level traffic flowing over the session, so connections persist unbroken across certificate rotations while absolute expiry is still enforced. These re-authentication techniques offer a better service experience while retaining existing security guarantees and even enabling tighter ones, such as hourly rotation without disrupting established sessions.
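The session lifecycle described above, as an added simulation that is not the disclosure's own code. Certificates are stand-ins whose "CA signature" is an HMAC under a constructed CA key so the script runs offline, proof of possession of the subject's private key is omitted, and the names `Cert`, `issue`, `verify`, `Party` and `Session` are assumptions. The walkthrough shows a session surviving rotation of both certificates after an on-demand re-authentication, application traffic continuing past the original expiry, and the session breaking immediately when a tampered certificate fails re-authentication, while `send` independently enforces the earliest absolute expiry. In real TLS 1.3 the closest primitive is post-handshake client authentication (RFC 8446 section 4.6.2), which only the server can request; re-authenticating the server mid-session requires TLS 1.2 renegotiation or a new connection, which is the gap this disclosure addresses.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed stand-in for a CA signing key. A real CA signs with an asymmetric
# key and peers verify against the CA certificate; the HMAC keeps this offline.
CA_SECRET = b"constructed-toy-ca-key"


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: int  # simulated clock, seconds
    not_after: int
    ca_tag: bytes    # toy "CA signature" over the other three fields


def _tbs(subject, not_before, not_after):
    """Canonical to-be-signed bytes for a certificate."""
    return json.dumps({"s": subject, "nb": not_before, "na": not_after}, sort_keys=True).encode()


def issue(subject, not_before, lifetime):
    """CA issues a certificate valid for `lifetime` seconds from `not_before`."""
    not_after = not_before + lifetime
    tag = hmac.new(CA_SECRET, _tbs(subject, not_before, not_after), hashlib.sha256).digest()
    return Cert(subject, not_before, not_after, tag)


def verify(cert, now):
    """Return None if `cert` is valid at `now`, otherwise the reason it is rejected."""
    expected = hmac.new(CA_SECRET, _tbs(cert.subject, cert.not_before, cert.not_after), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, cert.ca_tag):
        return "bad signature"
    if now < cert.not_before:
        return "not yet valid"
    if now >= cert.not_after:
        return "expired"
    return None


@dataclass
class Party:
    name: str
    cert: Cert

    def rotate(self, now, lifetime):
        self.cert = issue(self.name, now, lifetime)


class Session:
    """Mutually authenticated session; either peer may demand re-authentication."""

    def __init__(self, client, server, now):
        self.client, self.server = client, server
        self.open = False
        self.expires_at = 0
        self.log = []
        self._authenticate(now, initiator="handshake")

    def _authenticate(self, now, initiator):
        # Both peers present their current certificate; one rejection breaks the session.
        for peer, role in ((self.client, "client"), (self.server, "server")):
            reason = verify(peer.cert, now)
            if reason:
                self.open = False
                self.log.append(f"{initiator}: {role} cert rejected ({reason}); session closed")
                return False
        self.open = True
        # Absolute expiry is the earlier of the two certificates' not_after.
        self.expires_at = min(self.client.cert.not_after, self.server.cert.not_after)
        self.log.append(f"{initiator}: authenticated, absolute expiry at t={self.expires_at}")
        return True

    def reauthenticate(self, now, requested_by):
        """On-demand re-authentication; a closed session cannot be revived."""
        return self.open and self._authenticate(now, initiator=f"reauth by {requested_by}")

    def send(self, now, payload):
        """Application traffic; unaffected by re-auth, but refused once expiry has passed."""
        if self.open and now >= self.expires_at:
            self.open = False
            self.log.append(f"t={now}: certificate expiry reached; session closed")
        if not self.open:
            raise ConnectionError("session is closed")
        return f"delivered {payload!r} at t={now}"


def run_scenario():
    """Establishment, transparent hourly rotation, then a failed re-authentication."""
    client = Party("client", issue("client", 0, 3600))
    server = Party("server", issue("server", 0, 3600))
    session = Session(client, server, now=0)
    results = {"first_send": session.send(100, "hello")}

    # Both peers rotate before expiry; the client demands re-authentication.
    client.rotate(3000, 3600)
    server.rotate(3000, 3600)
    results["reauth_ok"] = session.reauthenticate(3000, requested_by="client")
    results["after_rotation"] = session.send(3700, "still connected")  # past the original t=3600 expiry

    # Validity extended without the CA re-signing: re-auth fails and the session breaks.
    c = client.cert
    client.cert = Cert(c.subject, c.not_before, c.not_after + 86400, c.ca_tag)
    results["reauth_forged"] = session.reauthenticate(6000, requested_by="server")
    try:
        session.send(6001, "should not arrive")
        results["closed"] = False
    except ConnectionError:
        results["closed"] = True
    results["log"] = session.log
    return results


if __name__ == "__main__":
    for line in run_scenario()["log"]:
        print(line)
```

The design point worth noting is that `expires_at` is recomputed on every successful re-authentication and checked on every `send`: rotation only extends the session's life when both peers present fresh, CA-signed certificates, and a peer that never rotates still hits a hard cutoff at its original not_after.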

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.