Abstract
Mutual authentication mechanisms that rely on certificates usually attach an expiry date to each certificate, which limits how long an exposed certificate remains usable. The shorter the expiry, the better the protection; however, too short an expiry can cause service outages through authentication failures if a certificate is not rotated in time. This disclosure describes techniques to re-authenticate an existing session on demand by either party (client or server) of a mutual authentication scheme. If the new authentication fails (or if either certificate expires), the session is automatically broken. When re-authentication succeeds, it is transparent to application-level traffic flowing over the session, so continuously unbroken connections can persist across certificate rotations while absolute expiry is still enforced. The described re-authentication techniques can offer a better service experience while retaining existing security guarantees and even enabling tighter ones, such as hourly rotation without disrupting existing sessions.
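As an added illustration of the session semantics the abstract describes (this is constructed example code, not the disclosure's own design or implementation), the following Python model tracks one mutually authenticated session. Certificate "signatures" are replaced by a check that the issuer name is in a trusted set, time is an integer number of seconds, and the names `Cert`, `MutualSession`, `TRUSTED_ISSUERS` and the rule that a re-presented certificate must keep the same subject are all assumptions made here. The model shows the three properties from the abstract: either side can re-authenticate at any time, a successful re-authentication is invisible to application traffic, and a failed re-authentication or an expired certificate breaks the session.

```python
"""Toy model of on-demand re-authentication on a mutually authenticated session.

Constructed illustration only: no real cryptography, integer clock, and
trust decided by issuer name. Not the disclosure's own code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: int  # seconds since session epoch; invalid at or after this time


TRUSTED_ISSUERS = {"example-internal-ca"}  # constructed trust anchor (assumption)


def verify(cert: Cert, now: int) -> bool:
    """A cert is acceptable if its issuer is trusted and it has not expired."""
    return cert.issuer in TRUSTED_ISSUERS and now < cert.not_after


class MutualSession:
    """Carries application data only while both peers' certificates are valid."""

    def __init__(self, client: Cert, server: Cert, now: int):
        if not (verify(client, now) and verify(server, now)):
            raise ValueError("initial mutual authentication failed")
        self.certs = {"client": client, "server": server}
        self.open = True
        self.log = []

    def _enforce_expiry(self, now: int) -> None:
        # Absolute expiry is still enforced: an expired certificate on either
        # side breaks the session no matter how many rotations came before.
        for side, cert in self.certs.items():
            if now >= cert.not_after:
                self.open = False
                self.log.append(f"t={now}: {side} cert expired; session broken")

    def send(self, payload: str, now: int) -> bool:
        """Deliver application data; returns False once the session is broken."""
        if self.open:
            self._enforce_expiry(now)
        if not self.open:
            return False
        self.log.append(f"t={now}: delivered {payload!r}")
        return True

    def reauthenticate(self, side: str, new_cert: Cert, now: int) -> bool:
        """Either party may present a fresh certificate at any time.

        Success swaps the certificate in without touching application traffic;
        failure breaks the session. Requiring the same subject is an assumption
        of this model, so a peer cannot silently change identity mid-session.
        """
        if self.open:
            self._enforce_expiry(now)
        if not self.open:
            return False
        if verify(new_cert, now) and new_cert.subject == self.certs[side].subject:
            self.certs[side] = new_cert
            self.log.append(f"t={now}: {side} re-authenticated until {new_cert.not_after}")
            return True
        self.open = False
        self.log.append(f"t={now}: {side} re-authentication failed; session broken")
        return False


def rotation_scenario() -> list:
    """Timeline with rotations on both sides, then a bad rotation attempt."""
    ca = "example-internal-ca"
    s = MutualSession(Cert("client-a", ca, 3600), Cert("server-b", ca, 3600), now=0)
    return [
        s.send("GET /health", now=1000),                                    # True
        s.reauthenticate("server", Cert("server-b", ca, 7200), now=3000),   # True
        s.reauthenticate("client", Cert("client-a", ca, 7200), now=3500),   # True
        s.send("GET /health", now=5000),   # True: past the original 3600 expiry
        s.reauthenticate("client", Cert("client-a", "rogue-ca", 9000), now=6000),  # False
        s.send("GET /health", now=6100),   # False: session was broken above
    ]


def expiry_scenario() -> bool:
    """Without rotation, traffic after expiry is refused and the session breaks."""
    ca = "example-internal-ca"
    s = MutualSession(Cert("client-a", ca, 3600), Cert("server-b", ca, 3600), now=0)
    return s.send("GET /health", now=4000)  # False


if __name__ == "__main__":
    print(rotation_scenario())
    print(expiry_scenario())
```

The two scenario functions are the point of the model: the first shows a session outliving its original one-hour certificates because both sides re-authenticated in time, and then being torn down the moment an untrusted certificate is presented; the second shows that skipping rotation still yields the hard expiry the abstract insists on. A real implementation would bind the re-authentication exchange to the existing transport keys so that the fresh certificate is tied to the session it renews; that binding is deliberately absent from this toy.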
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.
Recommended Citation
n/a, "Continuous Security Certificate Rotation on a Mutually Authenticated Network Connection", Technical Disclosure Commons, (March 13, 2023)
https://www.tdcommons.org/dpubs_series/5731