Armour advantages

The Active API Armour has been designed to address all of the challenges described above that affect the approaches and systems currently in use.

It is meant to provide an additional layer of security for networks that handle sensitive data. It is also, in our view, the software that offers the most streamlined, cost-efficient and developer-friendly path to compliance with the fast-changing regulatory requirements for APIs.

The key advantages of re:lock’s Active API Armour are:

Endpoint-to-endpoint authentication

The Armour takes a novel approach to authentication: instead of bearer tokens, it relies on a persistent, entangled identity shared by the two endpoints.

Because no bearer token is ever issued or sent over the wire, there is nothing for an attacker to steal and replay. This removes the whole class of attacks that rely on token theft, and with it most of the attack surface for impersonation and token misuse. You can read more about the entangled identity here.

Real-time network visibility and granular control

Using an entangled identity instead of bearer tokens also simplifies how authorizations are configured. Permissions can be set per shared root secret, and each pair of parties can have multiple compartmentalized scopes.

Because permissions are not embedded in bearer tokens, the entire network of authorized parties, and the scope of each authorization, is visible and can be changed in real time. Developers and security teams can attribute every request to the exact machine that made it, and can disconnect any machine or change its permissions instantly. A revoked bearer token typically remains usable until it expires; here there is no such window, which eliminates scope and timeframe misuse.

Immediate response to impersonation attacks

Even if the consumer server is fully compromised, the Armour detects illegitimate traffic quickly and automatically and includes a fail-safe disconnect mechanism. You can read more about it here.

This is achieved with our proprietary chained ticketing system. You can read more about it here.

Native end-to-end encryption with perfect forward secrecy

With the Active API Armour, each individual request can be encrypted with multiple ephemeral, single-use keys. Each endpoint generates these keys locally and independently of the other, so no key material is ever shared or exchanged over the network.

This gives full forward secrecy for the payload and automatic, continuous re-keying, with no third-party services or custom development required. You can read more about our approach to encryption here.

Simplification of key management

A further benefit of re:lock’s approach to key generation is that the Active API Armour requires no key-management tasks from operators, which saves teams significant time, effort and cost.

The underlying root secrets that make up the shared entangled identity change continuously, which makes extraction impractical by default: a value captured at one moment is superseded almost immediately. The root secrets are also generated and used only inside the users’ self-encrypted software enclaves. There are no management tasks involved; the one operational requirement is to keep the enclaves themselves isolated.

All other secrets used by the system, such as the tickets that authenticate requests and the multiple encryption keys generated for each call, are ephemeral. They are created at the moment they are needed, live only for the duration of their use (typically microseconds) and are then erased. This happens entirely in memory, inside the software enclaves, and needs no external input or management.
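The encryption section above and the continuously changing root secrets described here share one underlying idea, which can be illustrated with a generic construction. The following is an added example written for this page; it is not re:lock’s code and does not reproduce its protocol, which is proprietary and not described here in enough detail to implement. It shows a symmetric hash ratchet: two endpoints that already share a root secret (constructed at random for the demo) each derive, locally, one-time encryption and MAC keys for every request, then advance the root with a one-way function and discard the old value. No key crosses the wire, replayed or tampered requests are rejected without desynchronizing the endpoints, and an attacker who dumps an endpoint’s current root afterwards cannot rebuild the keys used for earlier traffic. The scheme is strictly sequential; tolerating out-of-order delivery would need extra machinery (such as a bounded cache of skipped keys) that weakens the forward-secrecy property, and is deliberately not shown. Only the Python standard library is used; the HMAC-based counter-mode keystream is a stand-in for a real AEAD such as AES-GCM.

```python
"""Symmetric per-request key ratchet with forward secrecy. Added example for
this page, not re:lock's code or protocol: two endpoints sharing a root secret
derive one-time keys locally per request, then one-way-hash the root forward."""
import hashlib
import hmac
import os

HASH = hashlib.sha256
CTR_LEN = 8    # request counter, sent in the clear as the message header
TAG_LEN = 32   # HMAC-SHA256 tag


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) over SHA-256; prk must already be uniform."""
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), HASH).digest()
        out += block
        i += 1
    return out[:length]


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from a one-time key (stand-in for a real AEAD
    such as AES-GCM; no nonce is needed because each key is used once)."""
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(key, i.to_bytes(4, "big"), HASH).digest()
        i += 1
    return out[:length]


class RatchetEndpoint:
    """One side of a pair sharing a root; both must process requests in order."""

    def __init__(self, root: bytes):
        self._root = root   # current root; overwritten after every request
        self.counter = 0    # requests processed so far

    def _derive(self) -> tuple[bytes, bytes]:
        """One-time (enc_key, mac_key) for the request at the current counter."""
        label = self.counter.to_bytes(CTR_LEN, "big")
        return (hkdf_expand(self._root, b"enc" + label),
                hkdf_expand(self._root, b"mac" + label))

    def _ratchet(self) -> None:
        """One-way step: the old root, and every key derived from it, is gone."""
        self._root = hkdf_expand(self._root, b"ratchet")
        self.counter += 1

    def seal(self, plaintext: bytes) -> bytes:
        """Encrypt-then-MAC one request under fresh keys, then ratchet."""
        enc_key, mac_key = self._derive()
        header = self.counter.to_bytes(CTR_LEN, "big")
        body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
        tag = hmac.new(mac_key, header + body, HASH).digest()
        self._ratchet()
        return header + body + tag

    def open(self, message: bytes) -> bytes:
        """Verify and decrypt. Raises ValueError on a replayed, reordered or
        tampered message without touching the ratchet, so the real next request still opens."""
        header, body, tag = message[:CTR_LEN], message[CTR_LEN:-TAG_LEN], message[-TAG_LEN:]
        if int.from_bytes(header, "big") != self.counter:
            raise ValueError("counter mismatch: replayed or out-of-order request")
        enc_key, mac_key = self._derive()
        if not hmac.compare_digest(tag, hmac.new(mac_key, header + body, HASH).digest()):
            raise ValueError("authentication failed")
        self._ratchet()
        return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, len(body))))


def demo() -> dict:
    """Client/server exchange probed for replay, tampering and a later memory dump."""
    root = os.urandom(32)                    # constructed shared root secret
    client, server = RatchetEndpoint(root), RatchetEndpoint(root)
    wire = [client.seal(b"GET /accounts/42"), client.seal(b"POST /transfer 100")]
    opened = [server.open(m) for m in wire]

    def rejected(endpoint: RatchetEndpoint, message: bytes) -> bool:
        try:
            endpoint.open(message)
            return False
        except ValueError:
            return True

    replay_rejected = rejected(server, wire[0])          # server's counter moved on
    third = client.seal(b"DELETE /accounts/42")
    tampered = bytearray(third)
    tampered[CTR_LEN] ^= 0x01                            # flip one ciphertext bit
    tamper_rejected = rejected(server, bytes(tampered))
    third_opens_after_tamper = server.open(third)        # state was not advanced
    # Forward secrecy: dumping the server now yields only its current root, and
    # even rewinding the counter cannot rebuild the keys of request 0 from it.
    stolen = RatchetEndpoint(server._root)
    old_traffic_recovered = not rejected(stolen, wire[0])
    return {"opened": opened, "replay_rejected": replay_rejected, "tamper_rejected": tamper_rejected,
            "old_traffic_recovered": old_traffic_recovered, "third_opens_after_tamper": third_opens_after_tamper}
```

Note the order inside open(): the counter check and the tag check both happen before the ratchet advances, so a forged or corrupted packet cannot be used to push the receiver out of step with the sender; only a request that verifies consumes a ratchet step.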

Mitigation of implementation errors

The Armour was created to give you “fire and forget” protection for your vulnerable APIs. We know it has to be a solution you can rely on to do its job autonomously in the heat of day-to-day operations, so we have designed out the tasks that typically lead to errors and implementation flaws.

The environment of the self-encrypted software enclave not only automates and streamlines the work of securing your sensitive APIs; it also actively refuses any external input, which removes the threat from malicious insiders and from the far more common, and unavoidable, negligent ones.