PKI Blog

SCEP Shortcomings

Posted by Ted Shorter on Mar 27, 2017 4:17:51 PM

Despite the documented shortcomings of the Simple Certificate Enrollment Protocol (SCEP), it is still in widespread use today. This is in large part due to the lack of better options when it comes to certificate enrollment – especially when it comes to more limited devices such as mobile phones, tablets, and constrained Internet-of-Things (IoT) devices such as embedded systems, sensors, automotive components, or medical devices. The simplicity of SCEP makes it an attractive choice for implementers that are bent on meeting tight timelines, but this simplicity can come at a cost.

Read More

Topics: SCEP, Simple Certificate Enrollment Protocol

SCEP Validation Service Integration with 3rd-party MDM Applications

Posted by CSS Technical Team on Aug 16, 2012 12:27:00 PM

CSS recently discovered and published information on a potential privilege escalation attack in SCEP-based Certificate Issuance Systems. After this discovery, CSS created the SCEP Validation Service, which aims to close this attack by validating the certificate contents before the Certificate Authority sends it to the requestor. CSS’ patent-pending solution ships today with our Mobile Certificate Management System (mCMS) v 1.1 software. CSS’ SCEP Validation Service is architected as a set of components that can also be integrated into 3rd-party Mobile Device Management (MDM) products.

Read More

Topics: consumerization of IT, Mobile Device Management, bring your own device, Certificate Management System (CMS), mCMS, Microsoft IT Security, MDM, SCEP, iOS management services, iOS management certificates, iOS, Blog, Simple Certificate Enrollment Protocol, VSCEP, BYOD, Validated SCEP

Is My MDM Deployment Vulnerable?

Posted by Ted Shorter on Jul 7, 2012 5:55:35 AM

If you’re reading this, there’s a good chance you’ve already seen the reports about the security ramifications of issuing certificates to mobile devices using the Simple Certificate Enrollment Protocol (more information on our site here). We’ve received many inquiries about how to determine whether a given system is at risk, and if so, what levels of exposure may be involved. Complicating the issue is the sheer number of Mobile Device Management (MDM) products that exist, and the wide variety of configuration options within them. Because of all this variability, simply asking, “Is {Product X} affected?” can lead to over-simplified answers that might still leave you exposed to risk.

Assessing the risk of a given MDM deployment can be a bit nuanced, as there are a number of factors that come into play. The primary criteria to examine when making an assessment are:

Read More

Topics: digital certificate, Mobile Device Management, bring your own device, Provisioning, Public Key Infrastructure, Certificate Management System (CMS), mCMS, MDM, SCEP, Identity and Access Management, iOS, US-CERT, Blog, Simple Certificate Enrollment Protocol, Active Directory, BYOD

CSS UNCOVERS SCEP VULNERABILITY FOR MOBILE DEVICES IN THE ENTERPRISE

Posted by CSS Technical Team on Jun 28, 2012 7:22:00 AM

Vulnerability Note VU#971035- Simple Certificate Enrollment Protocol (SCEP) does not strongly authenticate certificate requests

CLEVELAND, OH – June 28, 2012. Researchers at Certified Security Solutions, Inc. (CSS), a leading information security company, have uncovered a potentially serious security issue pertaining to the use of the Simple Certificate Enrollment Protocol (SCEP) in conjunction with mobile devices. Organizations that leverage SCEP to issue digital certificates to mobile devices may be subject to a privilege escalation attack.

Read More

Topics: digital certificates, MDM, SCEP, US-CERT, Press Releases, Simple Certificate Enrollment Protocol, privilege escalation attack, BYOD

Security Vulnerability- The Use of the Simple Certificate Enrollment Protocol (SCEP) and Untrusted Devices

Posted by Ted Shorter on Jun 27, 2012 11:19:38 AM

It’s been in the works for quite some time, but we are finally able to publicly announce a problem that we’ve encountered, related to the use of the Simple Certificate Enrollment Protocol, or SCEP, in conjunction with mobile devices. We’ve been working for months behind the scenes with the folks at the United States Computer Emergency Readiness Team (US-CERT) and CERT/CC at Carnegie Mellon our customers, and a number of vendors as well, to help raise awareness of the issue. The CERT report can be found here, and we have a whitepaper and video overview on our website to provide more information.

It should be noted that not all MDM usage of SCEP is equally vulnerable. The scenarios that cause the most concern to us are those that involve the use of SCEP to issue authentication certificates to enterprise systems such as ActiveSync, WiFi, and VPN. In some cases it may be possible to use alternative configurations that reduce or eliminate these risks; in others, it may be more difficult. CSS is willing to help customers assess their specific usage of SCEP and PKI to determine their degree of exposure.

Read More

Topics: digital certificate, consumerization of IT, IT Security, Microsoft Security Partner, Mobile Device Management, bring your own device, Public Key Infrastructure, Certificate Management System (CMS), Industry Trends, mCMS, MDM, SCEP, Certificate Reporting Tool (CRT), PKI, certification and remediation, mobile certificate, Microsoft-centric infrastructure, Blog, Simple Certificate Enrollment Protocol, CERT Coordination Center, BYOD, ActiveSync, Got PKI?

The NDES CA Thumbprint Hash

Posted by CSS Technical Team on Feb 21, 2012 6:00:32 AM

Recently, while working on a Microsoft Network Device Enrollment Services (NDES) deployment, a client asked a simple-enough question about the thumbprint for the Certificate Authority (CA) certificate that was displayed on the NDES admin enrollment GUI, “What is that hash? And why doesn’t it match any of the CA certificate thumbprint hashes in my chain-of-authority?”

Read More

Topics: digital certificate, microsoft ca, IT Security, Microsoft Security Partner, NDES, Public Key Infrastructure, Certificate Management System (CMS), Infrastructure Management, mCMS, SCEP, Microsoft Checksum Integrity Verifier, MD5 hash, Blog, FCIV, SHA-1, Simple Certificate Enrollment Protocol, Microsoft Network Device Enrollment Services (NDES, Microsoft Certificate Authority

Apple's iOS Devices and Certificate Lifecycle Planning

Posted by Ted Shorter on Apr 14, 2011 3:20:42 PM

iOS devices such as iPads and iPhones are quickly becoming a part of the enterprise IT landscape, in a trend sometimes referred to as “the consumerization of IT.” From a security practitioner’s standpoint, there are a number of factors here that are cause for concern, including the prospect of unmanaged or “under-managed” devices accessing corporate data, the variety of devices and form factors involved, and the rapid pace of adoption, to name a few.

Enterprise Public Key Infrastructure (PKI) and digital certificates can help. iPhones and iPads are natively capable of using digital certificates for authentication to corporate networks and data in a variety of ways:

  • Corporate wireless networks (802.1X and EAP-TLS)
  • VPN gateways via the built-in Cisco client
  • Microsoft ActiveSync
  • Mutually-authenticated SSL web sites via the Safari browser
Read More

Topics: digital certificate, apple, iPhone, consumerization, Microsoft Security Partner, digital pki, Certificate Reporting Tool, Public Key Infrastructure, Certificate Management System (CMS), mCMS, Microsoft Public Key Infrastructure, iPad, iOS management certificates, mobile certificate, iOS, Blog, Simple Certificate Enrollment Protocol, BYOD, Got PKI?

Recent Posts

Posts by Topic

see all

Subscribe to Email Updates

Want to Learn more about CSS?