What is SCEP, how does it work, what can you use it for and how is it integrated into OpenCA. Later forked into OpenXPKI project.
Slides are historical versions from 2004, so SCEP protocoll may have evolved since then. Look at: http://tools.ietf.org/html/draft-nourse-scep-23
Be aware that there may be security implications while using scep in open environments: http://www.kb.cert.org/vuls/id/971035
Be aware that scep has been switched to historic status in favor of two more advanced protocols:
"The IETF protocol suite currently includes two certificate management protocols with more comprehensive functionality: Certificate Management Protocol (CMP) [RFC4210] and Certificate Management over CMS (CMC) [RFC5272]."
1. Fraunhofer-Institut für Digitale Medientechnologie IDMT
Simple Certificate Enrollment Protocol
Ives Steglich
Munich, 12th October 2004
2. Seite 2
Overview
• SCEP Simple Certificate Enrollment Protocol
Goals
Basics
Message Format
Messages
Transaction Model
Requests
• Integration into OpenCA
Interface
Supported Operations
Open Issues
3. Seite 3
Overview
• SCEP Simple Certificate Enrollment Protocol
Goals
Basics
Message Format
Messages
Transaction Model
Requests
• Integration into OpenCA
Supported Operations
Open Issues
4. Seite 4
SCEP :: Goals
Primary
- CA and RA public key distribution
- Certificate enrollment
- Certificate revocation (manual)
- Certificate query
- CRL query
Secondary
- Certificate renewal
- CA rollover
- Confidantiality of internal networkdata ?
5. Seite 5
SCEP :: Basics
Transportprotocols
- HTTP (Get & POST)
- LDAP
Cryptographic Protocols & Containers
- PKCS#7 – Envelop and Confidentiality
- PKCS#10 – Certificate Requests
Cryptographic Algorithms
- RSA - no others supported till now for keys
- DES - used in PKCS#7 encryption portion
- MD5 - as digest for encrypted message part
Others
- Message based protocol: Request -> Response
- Actions always triggerd by Client
7. Seite 7
SCEP :: Transaction Model
certificate
non existent
certificate
pending
certificate
issued
PKCSReq CertRep
(Status = SUCCESS)
GetCertInitial
Triggered by timeout
or manual authentication
or timeout occured
CertRep (Status = REJECTED || FAILURE)
8. Seite 8
SCEP :: Basic Massageformat PKCS#7
pkiMessage:
outer PKCS#7 container
pkcsPKISigned
contains signed attributes
- transactin attributes
- etc.
pkcsPKIEnveloped
contains encrypted information
- PKCS#10 Request
- issued certificate
- crl
- empty
depending on request and reply
from the scep-interface
pkiMessage
pkcsPKISigned
Transaction Attributes
SignerInfo
SignerCertificateChain
pkcsPKIEnveloped
recipientInfos
encryptedData
9. Seite 9
Messageformat :: Authenticated Transaction Attributes I
Authenticated Transaction Attributes
transactionID unique transaction identifier - required
messageType how to handle the content / what to expect - required
pkiStatus only in response
failinfo only in error condition
senderNonce prevent reply attacs – required in request and response
recipientNonce prevent reply attacs – required in response
10. Seite 10
Messageformat :: Authenticated Transaction Attributes II
messageTypes
PKCSReq (19) Permits use of PKCS#10 certificate request
CertRep (3) Response to certificate or CRL request
GetCertInitial (20) Certificate polling in manual enrollment
GetCert (21) Retrieve a certificate
GetCRL (22) Retrieve a CRL or CRL-Distributionpoint
pkiStatus
SUCCESS (0) request granted
FAILURE (2) request rejected
PENDING (3) request pending for manual approval.
11. Seite 11
Messageformat :: Failcodes
failinfo
badAlg (0) Unrecognized or unsupported algorithm ident
badMessageCheck (1) integrity check failed
badRequest (2) transaction not permitted or supported
badTime (3) Message time field was not sufficiently close
to the system time
badCertId (4) No certificate could be identified matching
the provided criteria
OpenCA mainly uses badRequest for ANY error inside OpenCA
so kind of problems may be difficult to trace on client-side
12. Seite 12
SCEP :: Communication Examples
CA/RA Certificate Distribution
(performed only once usaly)
Enrollment of an Certificate
PKCSReq:
PKI cert. enrollment msg
CertRep: pkiStatus = PENDING[1]
no data attached (in PKCS#7)
GetCertInitial: polling msg [n-1]
CertRep: pkiStatus = PENDING[n]
no data attached (in PKCS#7)
GetCertInitial: polling msg [n]
CertRep: pkiStatus = SUCCESS
certificate attached (in PKCS#7)
ManualApproval
orCert.Request
Get CA/RA Certificate(HTTP GET or POST Request)
CA/RA Certificate Download
(HTTP Response Message)
Compute FingerprintCall CA Operator
Recive Call
Check Fingerprint
13. Seite 13
SCEP :: Requests I
Based on PKCS#10 contains
- subject "the requestor's subject name“
- challengePassword
- extensions (x.509 v3)
ChallengePassword
- automatic enrollment;
(requires preauthentication of clients)
- as revocation pin for verification against the ca
14. Seite 14
SCEP :: Requests II
Renewal
- if used issued Cert instead of selfsigned
request should be handled as renewal
- if request is send after half of validity time
may also be handled as renewal request
- behavior dependent on CA Policy
CA Rollover
- use newly introduced msg: GetNextCACert
if supported by CA
Request New Cert for new CA/RA Cert
- use the new CA/RA cert in the requesting
envelop instead of the actual CA/RA cert
15. Seite 15
Overview
• SCEP Simple Certificate Enrollment Protocol
Goals
Basics
Message Format
Messages
Transaction Model
Requests
• Integration into OpenCA
Supported Operations
Open Issues
16. Seite 16
Integration into OpenCA
cmdline based tookit openca-scep (c-code)
- can parse and create scep-conform pkcs#7 msg
- interface similar to openssl cmd-interfaces
- doesn’t do transaction or error handling
OpenCA created a new interface called SCEP
- consists of two functions
- one for ca/ra certificate distribution
- one for the operations itself
- transaction state and error checking managed inside
those functions
- openca database keeps track of transactions
17. Seite 17
OpenCA :: Supported Operations
PKCSReq
CertRep
GetCertInitial
GetCert
GetCRL
GetCACert
GetCACertChain
GetCACaps (planed for 0.9.3)
GetNextCACert (planed for 0.9.3)
18. Seite 18
OpenCA :: Open Issues
Handling of renewals
- not implemented yet
- planed for 0.9.3
Preauthentication and automatic processing
- OpenCA backend doesn’t support
automatic enrollment and preauthenticatin yet
- planed for 0.9.3
Crldistributionpoints
- sends back always CRL in response
- CDP instead of CRL not implemented yet
- planed as configuration option for 0.9.3
CA Rollover
- planed for 0.9.3