VSCEP

CSS recently exposed and published information on a potential privilege escalation attack in SCEP-based Certificate Issuance Systems. To mitigate risk of an attack, CSS created the SCEP Validation Service, which validates certificate contents before the Certificate Authority sends it to the requestor. The patent-pending solution ships today with our Certificate Management System (CMS) software. CSS’ SCEP Validation Service is architected as a set of components that can also be integrated into 3rd-party Mobile Device Management (MDM) products. For more information, contact us at software@css-security.com

For more information on the SCEP Vulnerability, view the report issued by US-CERT: Vulnerability Note VU#971035 or visit our resource center: http://www.css-security.com/scep/

SCEP Validation Service Integration with 3rd-party MDM Applications

CSS recently discovered and published information on a potential privilege escalation attack in SCEP-based Certificate Issuance Systems.  After this discovery, CSS created the SCEP Validation Service, which aims to close this attack by validating the certificate contents before the Certificate Authority sends it to the requestor.  CSS’ patent-pending solution ships today with our Mobile Certificate Management System (mCMS) v 1.1 software. CSS’  SCEP Validation Service is architected as a set of components that can also be integrated into 3rd-party Mobile Device Management (MDM) products.

3rd-party products that meet these requirements may be good candidates to integrate with CSS’ SCEP Validation Service:

  • Utilize a Microsoft Certificate Authority (Standalone or Enterprise)
  • Facilitate iOS devices to enroll for a certificate through a Microsoft NDES (SCEP) Server
  • Built with .NET, or ability to integrate with WCF-based SOAP Services

Normal User Scenario

Let’s take a look at the normal user scenario with NDES and the CA.  In the diagram below, an honest user has requested a certificate.  The MDM gives a configuration containing a SCEP Server URL and SCEP Challenge to the device.  The device generates a key on the device and uses this configuration data to request a certificate from the specified SCEP Server.  If successful, a certificate is issued.

Figure 1: Honest User obtaining a certificate

Malicious User Scenario

As noted in the CSS whitepaper SCEP and Untrusted Devices, if a valid but malicious user obtains a valid SCEP Challenge (regardless of it being a static or dynamic password), they may be able to use it to enroll for a certificate for a different identity or purpose than would be otherwise allowed.

In the diagram below, a malicious user has obtained a SCEP Challenge from his or her MDM system.  Instead of allowing the device to generate a key and PKCS#10, the user crafts a PKCS#10 with a Subject Name field value that gives them a different (and potentially higher-privileged) identity.

Figure 2: Malicious user obtaining a certificate with a different identity

3rd-Party MDM with SCEP Validation Components

With the SCEP Validation Service integrated into an MDM Application, the scenario above can be prevented.  CSS’ VSCEP solution adds two steps to the certificate issuance process.

Figure 3: Malicious user is stopped before obtaining the Certificate through the use of SCEP Validation Service

In the diagram above, Step #2 is the only source-level integration point between the MDM and CSS’ SCEP Validation Service.  When a user enrolls a device with the MDM Application, the MDM registers expected certificate content with the corresponding SCEP challenge using the CSS SCEP Validation Service.  This content includes information such as the expected subject, subject alternative name, template, key usage, and extended key usage values.

Step #6 above shows how the Policy Module validates the new certificate content directly on the Certificate Authority, well before the certificate is sent to the requestor.  The Policy Module works with the Validation Service to verify the actual certificate content with the previously registered expected content from Step #2.  If the Policy Module finds that all of the data matches the expected content, the request is approved and the certificate is sent to the requestor.  If the user has malicious intent, the Policy Module would detect the information mismatch and deny the certificate request.

The SCEP Validation Service is an IIS-hosted service that can live anywhere inside your client’s infrastructure.  It exposes a simple, one method WCF-based interface to allow the MDM to register the user’s expected set of content.  MDM applications do not have to integrate with the Policy Module itself.  The Policy Module is installed directly on a Certificate Authority and configured to talk to the SCEP Validation Service.

Summary

Incorporating CSS’ SCEP Validation Service Components into your product is simple and only requires minimal source-level changes.  The expected SCEP Challenges and certificate content need to be registered with the SCEP Validation Service, as shown above in Figure 3.  The CSS Policy Module validates and enforces that each certificate is issued for the actual identity of the user. In addition to this source-level change, your product install must be modified to include the CSS components.  CSS is eager to work with you to integrate our SCEP Validation Service into your MDM product.

Visit the Validated SCEP resource center for more information: http://www.css-security.com/vscep/

SCEP Validation Service Available for Integration & OEM Licensing

CLEVELAND, OH – August 16, 2012. Certified Security Solutions (CSS) is making its SCEP Validation Service™ – a solution that prevents the attack described in US-CERT vulnerability report VU#970135 – available for integration and OEM license by interested third parties.   Until now, this software has only been available as a part of CSS’ Mobile Certificate Management System (mCMS) product.

While the Simple Certificate Enrollment Protocol (SCEP) has been in use for several years, many Mobile Device Management (MDM) systems now deliver SCEP One-Time-Passwords directly to the devices they manage, which exposes them to misuse by attackers and can lead to certificates with fraudulent content, and potential privilege escalation attacks. Visit this informational portal online to learn more about the vulnerability: www.css-security.com/scep.

CSS’ patent-pending solution to the SCEP vulnerability includes a plug-in Policy Module to the Microsoft CA which blocks any manipulation of SCEP-based certificate request data, and allows customers to retain the benefits of on-device private key generation, while preventing the security problems associated with sending SCEP passwords outside of an organization’s trusted network.

“We’ve realized that the need for Validated SCEP™ transcends the certificate issuance and management space that our products focus on, into areas such as MDM,” says Kevin von Keyserling, CSS’ Chief Executive Officer.   “It doesn’t do our customers any good if they shore up a vulnerability with our mCMS product, only to re-open it when they install another piece of software.  Our hope is that others can make use of this technology so that our collective customer base can be more secure.”

Visit the Validated SCEP resource center for more information: http://www.css-security.com/vscep/

About CSS

CSS is an information security services company with operations throughout North America and headquartered in Cleveland, Ohio. We specialize in three critical areas of information security: identity & access management, secure infrastructure & governance, and risk & compliance. CSS provides consulting services, managed security services, security as a service and security software tools in order to meet our clients’ needs. For more information and for a complete list of branch offices, visit www.css-security.com or email software@css-security.com

SCEP and Untrusted Devices