Validated SCEP (VSCEP)

Keyfactor exposed and published information on a potential privilege escalation attack in SCEP-based Certificate Issuance Systems. To mitigate risk of an attack, Keyfactor created the SCEP Validation Service, which validates certificate contents before the Certificate Authority sends it to the requestor. The patent-pending solution ships today with our Keyfactor Command certificate management platform. Keyfactor’s SCEP Validation Service is architected as a set of components that can also be integrated into 3rd-party Mobile Device Management (MDM) products. For more information, contact us at [email protected]

For more information on the SCEP vulnerability, view the report issued by US-CERT (Vulnerability Note VU#971035) or visit our resource center: https://www.keyfactor.com/scep/ or http://www.css-security.com/scep/

SCEP Validation Service Integration with 3rd-party MDM Applications

Keyfactor discovered and published information on a potential privilege escalation attack in SCEP-based Certificate Issuance Systems.  After this discovery, Keyfactor created the SCEP Validation Service, which aims to close this attack by validating the certificate contents before the Certificate Authority sends it to the requestor.  Keyfactor’s patent-pending solution ships today with our Enterprise Certificate Management System (Keyfactor Command) software. Keyfactor’s SCEP Validation Service is architected as a set of components that can also be integrated into 3rd-party Mobile Device Management (MDM) products.

3rd-party products that meet these requirements may be good candidates to integrate with Keyfactor’s SCEP Validation Service:

  • Utilize a Microsoft Certificate Authority (Standalone or Enterprise)
  • Facilitate iOS devices to enroll for a certificate through a Microsoft NDES (SCEP) Server
  • Are built with .NET, or are able to integrate with WCF-based SOAP services

Normal User Scenario

Let’s take a look at the normal user scenario with NDES and the CA.  In the diagram below, an honest user has requested a certificate.  The MDM gives a configuration containing a SCEP Server URL and SCEP Challenge to the device.  The device generates a key on the device and uses this configuration data to request a certificate from the specified SCEP Server.  If successful, a certificate is issued.


Figure 1: Honest User obtaining a certificate

Malicious User Scenario

As noted in the Keyfactor whitepaper SCEP and Untrusted Devices, if a valid but malicious user obtains a valid SCEP Challenge (whether it is a static or a dynamic password), they may be able to use it to enroll for a certificate for a different identity or purpose than would otherwise be allowed.

In the diagram below, a malicious user has obtained a SCEP Challenge from his or her MDM system.  Instead of allowing the device to generate a key and PKCS#10, the user crafts a PKCS#10 with a Subject Name field value that gives them a different (and potentially higher-privileged) identity.


Figure 2: Malicious user obtaining a certificate with a different identity

3rd-Party MDM with SCEP Validation Components

With the SCEP Validation Service integrated into an MDM Application, the scenario above can be prevented. Keyfactor’s VSCEP solution adds two steps to the certificate issuance process.

Figure 3: Malicious user is stopped before obtaining the Certificate through the use of SCEP Validation Service

In the diagram above, Step #2 is the only source-level integration point between the MDM and Keyfactor’s SCEP Validation Service.  When a user enrolls a device with the MDM Application, the MDM registers expected certificate content with the corresponding SCEP challenge using the Keyfactor SCEP Validation Service.  This content includes information such as the expected subject, subject alternative name, template, key usage, and extended key usage values.

Step #6 above shows how the Policy Module validates the new certificate content directly on the Certificate Authority, well before the certificate is sent to the requestor.  The Policy Module works with the Validation Service to compare the actual certificate content against the expected content registered in Step #2.  If all of the data matches the expected content, the request is approved and the certificate is sent to the requestor.  If the request content was altered, as in the malicious scenario above, the Policy Module detects the mismatch and denies the certificate request.

The SCEP Validation Service is an IIS-hosted service that can live anywhere inside your client’s infrastructure.  It exposes a simple, one method WCF-based interface to allow the MDM to register the user’s expected set of content.  MDM applications do not have to integrate with the Policy Module itself.  The Policy Module is installed directly on a Certificate Authority and configured to talk to the SCEP Validation Service.
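The following is an added illustration of the Step #2 / Step #6 logic described above; it is not Keyfactor's code and does not model the WCF interface or the CA Policy Module API. It assumes a `ValidationService` with `register`/`validate` methods keyed by SCEP challenge, a `CertContent` record holding the five content types the text names (subject, SAN, template, key usage, extended key usage), and constructed sample values; a real deployment would populate `actual` from the PKCS#10 the CA receives.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

@dataclass(frozen=True)
class CertContent:
    subject: str            # distinguished name, e.g. "CN=alice,O=Example"
    sans: FrozenSet[str]    # subject alternative names
    template: str           # CA certificate template name
    key_usage: FrozenSet[str]
    ekus: FrozenSet[str]    # extended key usages

def norm_dn(dn: str) -> str:
    # RDN order matters; case and whitespace around commas do not
    return ",".join(p.strip().lower() for p in dn.split(","))

def norm_set(values) -> FrozenSet[str]:
    return frozenset(v.strip().lower() for v in values)

class ValidationService:
    """Step #2 registers expected content per challenge; Step #6 checks the real request."""
    def __init__(self) -> None:
        self._expected: Dict[str, CertContent] = {}

    def register(self, challenge: str, expected: CertContent) -> None:
        self._expected[challenge] = expected

    def validate(self, challenge: str, actual: CertContent) -> Tuple[bool, str]:
        exp = self._expected.get(challenge)
        if exp is None:
            return False, "challenge not registered"  # deny by default
        checks = [("subject", norm_dn(exp.subject), norm_dn(actual.subject)),
                  ("san", norm_set(exp.sans), norm_set(actual.sans)),
                  ("template", exp.template.lower(), actual.template.lower()),
                  ("key_usage", norm_set(exp.key_usage), norm_set(actual.key_usage)),
                  ("eku", norm_set(exp.ekus), norm_set(actual.ekus))]
        for name, want, got in checks:
            if want != got:
                return False, f"{name} mismatch: expected {want!r}, got {got!r}"
        return True, "approved"

def demo() -> Tuple[bool, bool]:
    """Constructed sample: honest request approved, forged subject denied."""
    svc = ValidationService()
    expected = CertContent("CN=alice,O=Example", frozenset({"alice@example.test"}),
                           "MobileDevice", frozenset({"digitalSignature"}), frozenset({"clientAuth"}))
    svc.register("challenge-123", expected)  # challenge value is constructed
    forged = CertContent("CN=admin,O=Example", expected.sans, expected.template,
                         expected.key_usage, expected.ekus)  # same challenge, different identity
    return svc.validate("challenge-123", expected)[0], svc.validate("challenge-123", forged)[0]
```

Every field is compared, and an unregistered challenge is denied rather than passed through, so a request that reaches the CA with content the MDM never registered cannot be approved.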

Summary

Incorporating Keyfactor’s SCEP Validation Service Components into your product is simple and only requires minimal source-level changes.  The expected SCEP Challenges and certificate content need to be registered with the SCEP Validation Service, as shown above in Figure 3.  The Keyfactor Policy Module validates and enforces that each certificate is issued for the actual identity of the user. In addition to this source-level change, your product install must be modified to include the Keyfactor components.  Keyfactor is eager to work with you to integrate our SCEP Validation Service into your MDM product.

SCEP Validation Service Available for Integration & OEM Licensing

CLEVELAND, OH – August 16, 2012. Keyfactor (formerly Certified Security Solutions, CSS) is making its SCEP Validation Service™ – a solution that prevents the attack described in US-CERT vulnerability report VU#971035 – available for integration and OEM license by interested third parties. Until now, this software has only been available as a part of Keyfactor’s Certificate Management System (Keyfactor Command) product.

While the Simple Certificate Enrollment Protocol (SCEP) has been in use for several years, many Mobile Device Management (MDM) systems now deliver SCEP One-Time-Passwords directly to the devices they manage. This exposes the passwords to misuse by attackers, which can lead to certificates with fraudulent content and to potential privilege escalation attacks. Visit this informational portal online to learn more about the vulnerability: https://www.keyfactor.com/scep/

Keyfactor’s patent-pending solution to the SCEP vulnerability includes a plug-in Policy Module to the Microsoft CA which blocks any manipulation of SCEP-based certificate request data, and allows customers to retain the benefits of on-device private key generation, while preventing the security problems associated with sending SCEP passwords outside of an organization’s trusted network.

“We’ve realized that the need for Validated SCEP™ transcends the certificate issuance and management space that our products focus on, into areas such as MDM,” says Kevin von Keyserling, Keyfactor’s Chief Executive Officer. “It doesn’t do our customers any good if they shore up a vulnerability with our CMS product, only to re-open it when they install another piece of software. Our hope is that others can make use of this technology so that our collective customer base can be more secure.”

About Keyfactor

Keyfactor, formerly Certified Security Solutions (CSS), is a leading provider of secure digital identity management solutions that enable organizations to confirm authenticity and ensure that the right things are interacting in the right ways in our connected world.

From an enterprise managing millions of devices and applications that affect people’s lives every day, to a manufacturer aiming to ensure its product will function safely throughout its lifecycle, Keyfactor empowers global enterprises with the freedom to master every digital identity. Its clients are the most innovative brands in the industries where trust and reliability matter most. Learn more at www.keyfactor.com and @keyfactor.

SCEP and Untrusted Devices White Paper

Download PDF