PKI Blog

SCEP Shortcomings

Posted by Ted Shorter on Mar 27, 2017 4:17:51 PM

Despite the documented shortcomings of the Simple Certificate Enrollment Protocol (SCEP), it is still in widespread use today. This is in large part due to the lack of better options for certificate enrollment, especially on more limited devices such as mobile phones, tablets, and constrained Internet-of-Things (IoT) devices such as embedded systems, sensors, automotive components, or medical devices. The simplicity of SCEP makes it an attractive choice for implementers facing tight timelines, but this simplicity can come at a cost.

Topics: SCEP, Simple Certificate Enrollment Protocol

Fog Computing and the IoT

Posted by CSS Technical Team on Nov 28, 2016 2:06:17 PM

Fog Computing: When the Cloud is Not Enough

How Do We Manage the Massive Amounts of Data Generated by the IoT?

The Internet of Things (IoT) market and its exponential growth are bringing many improvements and considerable revenue to almost every conceivable vertical. Now that most industries have a handle on what the IoT is, the public is watching it benefit both consumers and businesses alike. The IoT is generating detailed insights into consumer behavior, thereby improving product design and functionality, and, according to Cisco, it also accelerates the response to events, which ultimately enhances safety, improves service levels and increases output.

Topics: embedded certificates, SCEP, X.509 digital certificates, Internet of Things, IoT, PKI for IoT, Fog Computing, Root of Trust, Device Security

How Cloud-Based Services and IoT are Influencing PKI Deployments

Posted by CSS Technical Team on Nov 20, 2016 10:19:13 PM

Cloud-based Services and the Internet of Things (IoT) Driving PKI

The Explosion of Cloud-based Apps and the IoT are Creating the Need to Reinforce PKI Environments 

The rise of the cloud has led countless businesses to pursue cloud migration over the past few years in an effort to take advantage of cost and operational efficiencies. The shift began with storage and simpler applications such as email, and has progressed to more complex applications, many of which require strong authentication and authorization before they can be used.

Topics: embedded certificates, SCEP, PKI, X.509 digital certificates, Internet of Things, IoT, Cyber Security, PKI in the Cloud, Cloud based, Root of Trust, IoT Identity Management

IoT Security Concerns in the World of Healthcare Devices

Posted by CSS Technical Team on Apr 26, 2016 11:25:11 AM

Healthcare Devices: Then and Now

Healthcare devices through the ages: what was once a cumbersome trip to the doctor for testing, followed by a series of manual documentation steps, is now a convenient, internet-connected wearable device that automates the transmission of patient information. Implanted devices are only one of many different wearable devices out on the market today. The majority of wearable healthcare devices connect to an internet or cloud-based system that allows users to interact with those devices while transmitting information to be used for actionable medical insight.

Topics: embedded certificates, SCEP, X.509 digital certificates, Internet of Things (IoT), IoT Healthcare, Healthcare, Wearables Security, Root of Trust, Device Security, PKI Integration, embedded encryption

Why is IoT Security So Critical?

Posted by CSS Technical Team on Mar 18, 2016 11:12:22 AM

IoT Security: the area of the information security industry aimed at securing devices, data, people and applications within the Internet of Things (IoT).

What makes IoT Security so important? The number of internet-connected devices, applications and users, and the volume of data they generate, has grown exponentially. The IoT reaches into a wide array of products and services: mobile devices, wearables, medical devices; everything under the sun can now be connected to the internet.

Topics: embedded certificates, SCEP, Internet of Things (IoT), IoT Security, PKI for IoT, Root of Trust, Device Security

SCEP Validation Service Integration with 3rd-party MDM Applications

Posted by CSS Technical Team on Aug 16, 2012 12:27:00 PM

CSS recently discovered and published information on a potential privilege escalation attack in SCEP-based Certificate Issuance Systems. After this discovery, CSS created the SCEP Validation Service, which aims to close this attack vector by validating the contents of each certificate request before the Certificate Authority issues the certificate to the requestor. CSS’ patent-pending solution ships today with our Mobile Certificate Management System (mCMS) v 1.1 software. CSS’ SCEP Validation Service is architected as a set of components that can also be integrated into 3rd-party Mobile Device Management (MDM) products.

Topics: consumerization of IT, Mobile Device Management, bring your own device, Certificate Management System (CMS), mCMS, Microsoft IT Security, MDM, SCEP, iOS management services, iOS management certificates, iOS, Blog, Simple Certificate Enrollment Protocol, VSCEP, BYOD, Validated SCEP
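The post above describes a request-validation step that sits between the SCEP requestor and the CA; the June 2012 posts further down describe the problem it addresses (SCEP authenticates the holder of a challenge password, but nothing in the protocol binds that challenge to the names the request may carry). The following Python model is an added example, not CSS’s SCEP Validation Service or any vendor’s code. It assumes, hypothetically, that each challenge password is provisioned for exactly one identity and may be used once, and that the gate already has the request parsed into subject CN, SANs and EKUs (PKCS#10 parsing is out of scope here). The `legacy_scep_decision` function shows the plain SCEP check that the escalating request passes; `ValidationGate` shows the check that rejects it. All challenge strings and identities are constructed sample data.

```python
from dataclasses import dataclass

# Real extended key usage OIDs, used only to label the sample requests.
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"


@dataclass
class EnrollmentGrant:
    """What the enrollment system knows about one provisioned challenge (hypothetical model)."""
    identity: str            # the only subject CN / SAN this challenge may enroll
    allowed_ekus: frozenset  # EKUs the resulting certificate may carry
    used: bool = False       # challenges are single-use in this model


@dataclass(frozen=True)
class CertRequest:
    """Fields the gate would extract from the PKCS#10 request (parsing assumed done)."""
    challenge: str
    subject_cn: str
    sans: tuple = ()
    ekus: frozenset = frozenset()


def legacy_scep_decision(grants, req):
    """Plain SCEP behaviour: a recognised challenge password is all that is checked.
    The requested subject is never compared with the identity the challenge was
    issued for, which is the gap behind the privilege-escalation scenario."""
    return req.challenge in grants


class ValidationGate:
    """Hypothetical RA-side gate that decides before the CA signs anything."""

    def __init__(self, grants):
        self._grants = dict(grants)

    def decide(self, req):
        """Return (approved, reason). Every rejection names the failing check."""
        grant = self._grants.get(req.challenge)
        if grant is None:
            return False, "unknown challenge password"
        if grant.used:
            return False, "challenge password already consumed"
        if req.subject_cn != grant.identity:
            return False, f"subject {req.subject_cn!r} is not the enrolled identity {grant.identity!r}"
        bad_sans = [s for s in req.sans if s != grant.identity]
        if bad_sans:
            return False, f"SAN(s) {bad_sans} not authorised for this challenge"
        if not req.ekus:
            return False, "request must state its intended EKU"
        if not req.ekus <= grant.allowed_ekus:
            return False, f"EKU(s) {sorted(req.ekus - grant.allowed_ekus)} not permitted"
        grant.used = True  # consume the challenge only on approval
        return True, "approved"


def demo_grants():
    """Constructed sample data: two challenges provisioned for two users."""
    return {
        "chal-alice-4f2c": EnrollmentGrant("alice@corp.example", frozenset({EKU_CLIENT_AUTH})),
        "chal-bob-91d0": EnrollmentGrant("bob@corp.example", frozenset({EKU_CLIENT_AUTH})),
    }


def run_demo():
    """Run four constructed requests through both checks; returns name -> (legacy, gate)."""
    grants = demo_grants()
    gate = ValidationGate(grants)
    honest = CertRequest("chal-alice-4f2c", "alice@corp.example",
                         ("alice@corp.example",), frozenset({EKU_CLIENT_AUTH}))
    requests = {
        "honest": honest,
        # same request replayed: the challenge is already consumed
        "replay": honest,
        # bob's valid challenge used to ask for a certificate in an admin's name
        "escalation": CertRequest("chal-bob-91d0", "admin@corp.example",
                                  ("admin@corp.example",), frozenset({EKU_CLIENT_AUTH})),
        # correct name, but asking for an EKU the grant never allowed
        "server_eku": CertRequest("chal-bob-91d0", "bob@corp.example",
                                  (), frozenset({EKU_SERVER_AUTH})),
    }
    return {name: (legacy_scep_decision(grants, req), gate.decide(req))
            for name, req in requests.items()}


if __name__ == "__main__":
    for name, (legacy, (ok, why)) in run_demo().items():
        print(f"{name:11s} legacy={legacy!s:5s} gate={ok!s:5s} ({why})")
```

Running the block prints one line per request; the "escalation" and "server_eku" requests pass the legacy check and are refused by the gate, which is the distinction the post draws. In a real deployment the identity bound to the challenge would come from the MDM enrollment record, and the subject, SAN and EKU comparison would be done on the parsed PKCS#10 rather than on a dataclass.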

Is My MDM Deployment Vulnerable?

Posted by Ted Shorter on Jul 7, 2012 5:55:35 AM

If you’re reading this, there’s a good chance you’ve already seen the reports about the security ramifications of issuing certificates to mobile devices using the Simple Certificate Enrollment Protocol (more information on our site here). We’ve received many inquiries about how to determine whether a given system is at risk, and if so, what levels of exposure may be involved. Complicating the issue is the sheer number of Mobile Device Management (MDM) products that exist, and the wide variety of configuration options within them. Because of all this variability, simply asking, “Is {Product X} affected?” can lead to over-simplified answers that might still leave you exposed to risk.

Assessing the risk of a given MDM deployment can be a bit nuanced, as there are a number of factors that come into play. The primary criteria to examine when making an assessment are:

Topics: digital certificate, Mobile Device Management, bring your own device, Provisioning, Public Key Infrastructure, Certificate Management System (CMS), mCMS, MDM, SCEP, Identity and Access Management, iOS, US-CERT, Blog, Simple Certificate Enrollment Protocol, Active Directory, BYOD

CSS Uncovers SCEP Vulnerability for Mobile Devices in the Enterprise

Posted by CSS Technical Team on Jun 28, 2012 7:22:00 AM

Vulnerability Note VU#971035: Simple Certificate Enrollment Protocol (SCEP) does not strongly authenticate certificate requests

CLEVELAND, OH – June 28, 2012. Researchers at Certified Security Solutions, Inc. (CSS), a leading information security company, have uncovered a potentially serious security issue pertaining to the use of the Simple Certificate Enrollment Protocol (SCEP) in conjunction with mobile devices. Organizations that leverage SCEP to issue digital certificates to mobile devices may be subject to a privilege escalation attack.

Topics: digital certificates, MDM, SCEP, US-CERT, Press Releases, Simple Certificate Enrollment Protocol, privilege escalation attack, BYOD

Security Vulnerability- The Use of the Simple Certificate Enrollment Protocol (SCEP) and Untrusted Devices

Posted by Ted Shorter on Jun 27, 2012 11:19:38 AM

It’s been in the works for quite some time, but we are finally able to publicly announce a problem that we’ve encountered, related to the use of the Simple Certificate Enrollment Protocol, or SCEP, in conjunction with mobile devices. We’ve been working for months behind the scenes with the folks at the United States Computer Emergency Readiness Team (US-CERT) and CERT/CC at Carnegie Mellon, our customers, and a number of vendors as well, to help raise awareness of the issue. The CERT report can be found here, and we have a whitepaper and video overview on our website to provide more information.

It should be noted that not all MDM usage of SCEP is equally vulnerable. The scenarios that cause the most concern to us are those that involve the use of SCEP to issue authentication certificates to enterprise systems such as ActiveSync, WiFi, and VPN. In some cases it may be possible to use alternative configurations that reduce or eliminate these risks; in others, it may be more difficult. CSS is willing to help customers assess their specific usage of SCEP and PKI to determine their degree of exposure.

Topics: digital certificate, consumerization of IT, IT Security, Microsoft Security Partner, Mobile Device Management, bring your own device, Public Key Infrastructure, Certificate Management System (CMS), Industry Trends, mCMS, MDM, SCEP, Certificate Reporting Tool (CRT), PKI, certification and remediation, mobile certificate, Microsoft-centric infrastructure, Blog, Simple Certificate Enrollment Protocol, CERT Coordination Center, BYOD, ActiveSync, Got PKI?

How to Perform a Manual SCEP Client Installation

Posted by CSS Technical Team on May 16, 2012 8:02:00 AM

The following is an excerpt from my book Microsoft System Center 2012 Endpoint Protection Cookbook, http://www.packtpub.com/microsoft-system-center-2012-endpoint-protection-cookbook/book

Topics: FEP, IT Security, Microsoft Security Partner, Microsoft System Center, Win7, Desktop Security, SCEP, XP End of Life, System Center Configuration Manager, SCCM, Microsoft Forefront Endpoint Protection, Anti-Malware, Blog, System Center Endpoint Protection