Suppose you want to use your mobile device to access office resources such as mail and office apps. To connect to the office network, the device must comply with corporate policy, so the mobile device is first configured as part of an onboarding activity. The device also needs a certificate, and it should be issued without manual involvement. The SCEP protocol serves this case.
Technical explanation
The protocol is designed to make the issuing of digital certificates as scalable as possible. The idea is that any standard network user should be able to request a digital certificate electronically and as simply as possible. These processes have usually required intensive input from network administrators, and so have not been suited to large-scale deployments.
The important element is the SCEP shared secret, which the certificate requester (a router in the general description, the mobile device in this scenario) uses as a credential to authenticate to the certificate authority.
Here the mobile device receives the SCEP secret. Upon receipt, it generates the key pair and requests the certificate via SCEP: the mobile device contacts the CA with the SCEP request, the CA authenticates the request via the shared secret, and the mobile device now has a certificate.
Risk:
The risk here is that the same SCEP secret is shared with multiple mobile devices, so the CA cannot tell one requester from another.
In the second flow, the MDM service fetches the certificate on the device's behalf and provisions it to the mobile device.
Risk:
The MDM service is aware of the private key of the device certificate.
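The two enrollment flows and their risks, as an added toy model that is not part of the original page and not a real SCEP implementation. It uses only the Python standard library: the "key pair" is a random secret with its hash as the public part, and the CA's "signature" is an HMAC, standing in for RSA and X.509 so the flow runs offline. Device ids, challenge values and the `mode` switch are assumptions of this example. The `shared` mode shows why one secret for every device cannot distinguish requesters, `per_device` mode shows the single-use per-device challenge a CA can use instead, and `enroll_via_mdm` shows where the private key ends up when the MDM generates the key pair.

```python
"""Toy SCEP-style enrollment model (added example, not from the page)."""
import hashlib
import hmac
import secrets
import time


def generate_key_pair():
    """Stand-in for RSA keygen: private = random bytes, public = its hash (toy)."""
    private = secrets.token_bytes(32)
    public = hashlib.sha256(private).hexdigest()
    return private, public


class CertificateAuthority:
    """Toy CA that accepts enrollment requests carrying a challenge password.

    mode="shared":     one secret for every device (the risk described on the page).
    mode="per_device": one single-use, time-limited challenge per device id.
    """

    def __init__(self, mode="per_device", challenge_ttl=300):
        self.mode = mode
        self.ca_key = secrets.token_bytes(32)        # toy signing key, never leaves the CA
        self.shared_secret = secrets.token_hex(16)   # used only in "shared" mode
        self.challenges = {}                         # device_id -> (challenge, expiry)
        self.ttl = challenge_ttl
        self.issued = []

    def issue_challenge(self, device_id):
        """Hand a device its enrollment credential (delivered over an authenticated channel)."""
        if self.mode == "shared":
            return self.shared_secret
        challenge = secrets.token_hex(16)
        self.challenges[device_id] = (challenge, time.time() + self.ttl)
        return challenge

    def _check_challenge(self, device_id, challenge):
        if self.mode == "shared":
            return hmac.compare_digest(challenge, self.shared_secret)
        entry = self.challenges.pop(device_id, None)   # pop makes the challenge single-use
        if entry is None:
            return False
        expected, expiry = entry
        return time.time() <= expiry and hmac.compare_digest(challenge, expected)

    def enroll(self, device_id, public_key, challenge):
        """Process a request: subject + public key + challenge -> certificate or None."""
        if not self._check_challenge(device_id, challenge):
            return None
        body = f"{device_id}|{public_key}".encode()
        signature = hmac.new(self.ca_key, body, hashlib.sha256).hexdigest()
        cert = {"subject": device_id, "public_key": public_key, "signature": signature}
        self.issued.append(cert)
        return cert

    def verify(self, cert):
        """Check that a certificate was issued by this CA and not altered."""
        body = f"{cert['subject']}|{cert['public_key']}".encode()
        expected = hmac.new(self.ca_key, body, hashlib.sha256).hexdigest()
        return hmac.compare_digest(cert["signature"], expected)


def enroll_on_device(ca, device_id):
    """First flow on the page: the device generates the key pair itself, only the
    public key leaves it, and the private key stays in the device's own keystore."""
    challenge = ca.issue_challenge(device_id)
    private, public = generate_key_pair()
    cert = ca.enroll(device_id, public, challenge)
    return cert, private


def enroll_via_mdm(ca, device_id):
    """Second flow on the page: the MDM service generates the key pair and pushes
    certificate plus private key to the device, so the MDM keeps a copy of the key."""
    challenge = ca.issue_challenge(device_id)
    private, public = generate_key_pair()
    cert = ca.enroll(device_id, public, challenge)
    mdm_copy_of_private_key = private   # the risk: the MDM knows the device's private key
    return cert, private, mdm_copy_of_private_key


def shared_secret_risk_demo():
    """One shared secret: the CA accepts a request for a device id it never issued a challenge to."""
    ca = CertificateAuthority(mode="shared")
    secret_seen_by_phone_a = ca.issue_challenge("phone-A")
    _, other_public = generate_key_pair()
    return ca.enroll("unlisted-device", other_public, secret_seen_by_phone_a) is not None


def per_device_demo():
    """Per-device single-use challenges: first use works, replay and other device ids fail."""
    ca = CertificateAuthority(mode="per_device")
    challenge = ca.issue_challenge("phone-A")
    _, public = generate_key_pair()
    first = ca.enroll("phone-A", public, challenge)
    replay = ca.enroll("phone-A", public, challenge)
    other = ca.enroll("phone-B", public, challenge)
    return first is not None and ca.verify(first), replay is None, other is None


if __name__ == "__main__":
    print("shared secret accepts unlisted device:", shared_secret_risk_demo())
    print("per-device (first ok, replay rejected, other id rejected):", per_device_demo())
```

The `per_device` mode is the mitigation for the first risk: each device gets its own challenge, the CA consumes it on first use and binds it to the device id, so one leaked value neither enrolls other devices nor survives a replay. The MDM risk is visible in `enroll_via_mdm`, where the private key exists outside the device before the certificate does; only the device-side flow keeps it on the device.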
Onboarding is normally combined with SSL VPN and NAC devices. Both of these can act as a proxy for the enrollment; in that case the SCEP secret is not shared with the mobile device at all. [citation needed]
https://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol
https://www.ietf.org/id/draft-gutmann-scep-01.txt
http://blogs.gartner.com/mark-diodati/2012/07/02/mobile-device-certificate-enrollment-are-you-vulnerable/