TheRelay Security Architecture
TheRelay Security Architecture
TheRelay provides multiple layers of security for your RTSP camera streams without requiring port forwarding, VPNs, or firewall modifications. Our zero-trust architecture ensures only authorized users can access your streams.
Security Features
- End-to-end encryption (WireGuard + SRT)
- Zero-trust access control
- Token-based authentication
- On-premise credential storage
- No inbound port exposure
- Comprehensive audit logging
Architecture Benefits
- Credentials never leave your network
- No direct internet exposure of cameras
- Single outbound connection (WireGuard tunnel)
- Fine-grained access control per camera
- Instant token revocation
- Complete audit trail
TheRelay Security Model
Zero-Trust Architecture
TheRelay implements a zero-trust security model where:
- No Default Trust: Every request requires authentication
- Principle of Least Privilege: Users get minimum necessary access
- Continuous Verification: Access is re-verified on every request
- Explicit Permissions: Tokens grant specific, scoped access
- Audit Everything: All access is logged and reviewable
Three Security Layers
Layer 1 - Agent Authentication: WireGuard tunnel between agent and cloud
- Encrypts all control traffic
- Prevents unauthorized agent connection
- Ensures only legitimate agents can publish streams
Layer 2 - Stream Encryption: SRT encryption of media streams
- Encrypts all video and audio data
- Prevents eavesdropping on media
- Provides reliable, secure transport
Layer 3 - Access Control: Token-based viewer authentication
- Viewers must present valid token
- Tokens have specific camera scope
- Tokens can expire or be revoked
- Different tokens for different users
Encryption Details
Encryption Standards Used
- WireGuard: Modern VPN using Curve25519 key exchange
- SRT: AES-256 encryption for media streams
- TLS/HTTPS: All web traffic uses TLS 1.2+
- Key Exchange: Perfect forward secrecy for all connections
In-Transit Encryption
All data between your network and TheRelay cloud is encrypted:
- Agent-to-cloud control channel: WireGuard VPN
- Camera streams: SRT protocol with AES-256
- Web dashboard: TLS/HTTPS
- API communications: TLS 1.2+ with certificate pinning
At-Rest Security
Stored data protection:
- Credentials remain on-premise (not stored in cloud)
- Configuration data encrypted at rest on cloud
- Logs encrypted and access-controlled
- Regular backups encrypted with AES-256
Key Management
- Automatic key generation on agent registration
- Periodic key rotation (default every 24 hours)
- Keys stored securely on isolated systems
- Compromised keys isolated to single agent
- No shared keys between agents
Fine-Grained Access Control
Token-Based Authentication
All stream access requires a valid access token:
- Tokens are cryptographically signed and verified
- Tokens contain specific permissions and scope
- Tokens can be scoped to single camera or entire account
- Tokens can expire automatically
- Tokens can be revoked instantly
Permission Scopes
- Camera-level: Access only specific camera
- Agent-level: Access all cameras on specific agent
- Account-level: Access all cameras in account
- Protocol-level: Restrict to specific protocols (WebRTC, RTSP, etc.)
Token Lifecycle
- Creation: Generated with specific permissions
- Distribution: Shared securely with authorized users
- Usage: Validated on every stream access
- Monitoring: Usage tracked and logged
- Revocation: Can be disabled instantly
- Expiration: Automatically invalid after set time
Credential Management
On-Premise Credential Storage
A key security feature of TheRelay is that camera credentials never leave your network:
- Camera usernames and passwords stored only on agent
- Credentials encrypted at rest on agent
- Only agent has decryption keys
- Cloud servers never see raw credentials
- Credentials not backed up to cloud
Credential Handling
- Entered on dashboard and transmitted directly to agent
- Agent stores encrypted copy
- Dashboard shows credentials only to account owner
- Credentials can be rotated without disconnecting streams
- Failed authentication attempts logged
Best Practices
- Use strong, unique passwords for each camera
- Change default camera credentials immediately
- Rotate credentials every 90 days
- Use accounts with minimal necessary privileges
- Enable camera firmware updates for security patches
TheRelay vs Port Forwarding - Security Comparison
Port Forwarding Risks
- Direct Exposure: Camera directly exposed to internet
- No Intermediary: No protection layer between attacker and camera
- Automatic Discovery: Port scanners automatically find open ports
- Default Credentials: Many cameras ship with default passwords
- No Audit Trail: Difficult to track who accessed what and when
- Firmware Vulnerabilities: Camera firmware often contains exploitable bugs
- Unencrypted: Many camera streams not encrypted
- Brute Force Risk: Attackers can attempt password guessing
TheRelay Security Advantages
- No Port Exposure: Only outbound connection from your network
- Protection Layer: Cloud security proxy between users and cameras
- Hidden from Scanners: No open ports to discover
- Credential Protection: Credentials never exposed to internet
- Complete Audit Trail: Every access logged and auditable
- Zero Trust Access: Every access requires valid token
- Encrypted Transport: All data encrypted in transit
- Token-Based Auth: Tokens are single-use capable and expiring
- Instant Revocation: Compromised tokens disabled instantly
- Firewall Safe: Works through standard firewalls with no modifications
Security Comparison Table
| Feature | Port Forwarding | TheRelay |
|---|---|---|
| Direct Internet Exposure | Yes (High Risk) | No |
| Credential Protection | None | On-Premise Only |
| Access Control | Camera Level Only | Fine-Grained Tokens |
| Encryption | Often None | AES-256 Standard |
| Audit Logging | Limited | Comprehensive |
| Firewall Changes | Required | None |
Security Best Practices
Account Security
- Enable two-factor authentication (2FA) on your account
- Use a strong, unique password
- Never share your dashboard credentials
- Regularly review account access logs
- Update your email address if it changes
Token Management
- Create separate tokens for different users/systems
- Use camera-level tokens for least privilege
- Set expiration times for temporary access
- Regularly audit token usage in logs
- Revoke unused or compromised tokens immediately
- Rotate tokens every 90 days
- Never commit tokens to source code repositories
Agent Security
- Keep agent software updated
- Use strong credentials for all cameras
- Rotate camera passwords regularly
- Monitor agent logs for errors or warnings
- Restrict physical access to agent host
- Use isolated network segment if possible
Network Security
- Ensure agent host has secure, stable internet
- Monitor agent connectivity and uptime
- Use WireGuard encryption (enabled by default)
- Enable SRT encryption for all streams if possible
- Review firewall logs for suspicious activity
- Consider VPN for additional network protection
Compliance and Auditing
- Regularly review access logs
- Export logs for compliance if required
- Document token usage and permissions
- Maintain records of user access changes
- Alert on unusual access patterns
- Archive logs for required retention periods
Incident Response and Security Events
Potential Security Issues
If you suspect a security incident:
- Check access logs for suspicious activity
- Review which IP addresses accessed streams
- Look for access from unusual geographic locations
- Check for creation of unauthorized tokens
- Review camera configuration changes
Response Steps
- Identify: Determine what was compromised
- Contain: Revoke all suspicious tokens immediately
- Investigate: Review logs to understand scope
- Recover: Rotate compromised credentials
- Improve: Implement additional safeguards
When to Contact Support
- Suspected account compromise
- Unauthorized token creation
- Unusual access patterns or anomalies
- Suspected data breach
- Agent experiencing repeated disconnections