SlideShare a Scribd company logo

SCEP - simple certificate enrollment protocol - 1. OpenCA Workshop 2004 / OpenXPKI

Ives Laaf
Ives Laaf

What is SCEP, how does it work, what can you use it for and how is it integrated into OpenCA. Later forked into OpenXPKI project. Slides are historical versions from 2004, so SCEP protocoll may have evolved since then. Look at: http://tools.ietf.org/html/draft-nourse-scep-23 Be aware that there may be security implications while using scep in open environments: http://www.kb.cert.org/vuls/id/971035 Be aware that scep has been switched to historic status in favor of two more advanced protocols: "The IETF protocol suite currently includes two certificate management protocols with more comprehensive functionality: Certificate Management Protocol (CMP) [RFC4210] and Certificate Management over CMS (CMC) [RFC5272]."

TechnologyEducation
1 of 18
Fraunhofer-Institut für Digitale Medientechnologie IDMT Simple Certificate Enrollment Protocol Ives Steglich Munich, 12th October 2004
Seite 2 Overview • SCEP Simple Certificate Enrollment Protocol Goals Basics Message Format Messages Transaction Model Requests • Integration into OpenCA Interface Supported Operations Open Issues
Seite 3 Overview • SCEP Simple Certificate Enrollment Protocol Goals Basics Message Format Messages Transaction Model Requests • Integration into OpenCA Supported Operations Open Issues
Seite 4 SCEP :: Goals Primary - CA and RA public key distribution - Certificate enrollment - Certificate revocation (manual) - Certificate query - CRL query Secondary - Certificate renewal - CA rollover - Confidantiality of internal networkdata ?
Seite 5 SCEP :: Basics Transportprotocols - HTTP (Get & POST) - LDAP Cryptographic Protocols & Containers - PKCS#7 – Envelop and Confidentiality - PKCS#10 – Certificate Requests Cryptographic Algorithms - RSA - no others supported till now for keys - DES - used in PKCS#7 encryption portion - MD5 - as digest for encrypted message part Others - Message based protocol: Request -> Response - Actions always triggerd by Client
Seite 6 SCEP :: Messages PKCSReq CertRep GetCertInitial GetCert GetCRL GetCACert GetCACertChain (since rev. 3) GetCACaps (since rev. 10) GetNextCACert (since rev. 10)
Seite 7 SCEP :: Transaction Model certificate non existent certificate pending certificate issued PKCSReq CertRep (Status = SUCCESS) GetCertInitial Triggered by timeout or manual authentication or timeout occured CertRep (Status = REJECTED || FAILURE)
Seite 8 SCEP :: Basic Massageformat PKCS#7 pkiMessage: outer PKCS#7 container pkcsPKISigned contains signed attributes - transactin attributes - etc. pkcsPKIEnveloped contains encrypted information - PKCS#10 Request - issued certificate - crl - empty depending on request and reply from the scep-interface pkiMessage pkcsPKISigned Transaction Attributes SignerInfo SignerCertificateChain pkcsPKIEnveloped recipientInfos encryptedData
Seite 9 Messageformat :: Authenticated Transaction Attributes I Authenticated Transaction Attributes transactionID unique transaction identifier - required messageType how to handle the content / what to expect - required pkiStatus only in response failinfo only in error condition senderNonce prevent reply attacs – required in request and response recipientNonce prevent reply attacs – required in response
Seite 10 Messageformat :: Authenticated Transaction Attributes II messageTypes PKCSReq (19) Permits use of PKCS#10 certificate request CertRep (3) Response to certificate or CRL request GetCertInitial (20) Certificate polling in manual enrollment GetCert (21) Retrieve a certificate GetCRL (22) Retrieve a CRL or CRL-Distributionpoint pkiStatus SUCCESS (0) request granted FAILURE (2) request rejected PENDING (3) request pending for manual approval.
Seite 11 Messageformat :: Failcodes failinfo badAlg (0) Unrecognized or unsupported algorithm ident badMessageCheck (1) integrity check failed badRequest (2) transaction not permitted or supported badTime (3) Message time field was not sufficiently close to the system time badCertId (4) No certificate could be identified matching the provided criteria OpenCA mainly uses badRequest for ANY error inside OpenCA so kind of problems may be difficult to trace on client-side
Seite 12 SCEP :: Communication Examples CA/RA Certificate Distribution (performed only once usaly) Enrollment of an Certificate PKCSReq: PKI cert. enrollment msg CertRep: pkiStatus = PENDING[1] no data attached (in PKCS#7) GetCertInitial: polling msg [n-1] CertRep: pkiStatus = PENDING[n] no data attached (in PKCS#7) GetCertInitial: polling msg [n] CertRep: pkiStatus = SUCCESS certificate attached (in PKCS#7) ManualApproval orCert.Request Get CA/RA Certificate(HTTP GET or POST Request) CA/RA Certificate Download (HTTP Response Message) Compute FingerprintCall CA Operator Recive Call Check Fingerprint
Seite 13 SCEP :: Requests I Based on PKCS#10 contains - subject "the requestor's subject name“ - challengePassword - extensions (x.509 v3) ChallengePassword - automatic enrollment; (requires preauthentication of clients) - as revocation pin for verification against the ca
Seite 14 SCEP :: Requests II Renewal - if used issued Cert instead of selfsigned request should be handled as renewal - if request is send after half of validity time may also be handled as renewal request - behavior dependent on CA Policy CA Rollover - use newly introduced msg: GetNextCACert if supported by CA Request New Cert for new CA/RA Cert - use the new CA/RA cert in the requesting envelop instead of the actual CA/RA cert
Seite 15 Overview • SCEP Simple Certificate Enrollment Protocol Goals Basics Message Format Messages Transaction Model Requests • Integration into OpenCA Supported Operations Open Issues
Seite 16 Integration into OpenCA cmdline based tookit openca-scep (c-code) - can parse and create scep-conform pkcs#7 msg - interface similar to openssl cmd-interfaces - doesn’t do transaction or error handling OpenCA created a new interface called SCEP - consists of two functions - one for ca/ra certificate distribution - one for the operations itself - transaction state and error checking managed inside those functions - openca database keeps track of transactions
Seite 17 OpenCA :: Supported Operations PKCSReq CertRep GetCertInitial GetCert GetCRL GetCACert GetCACertChain GetCACaps (planed for 0.9.3) GetNextCACert (planed for 0.9.3)
Seite 18 OpenCA :: Open Issues Handling of renewals - not implemented yet - planed for 0.9.3 Preauthentication and automatic processing - OpenCA backend doesn’t support automatic enrollment and preauthenticatin yet - planed for 0.9.3 Crldistributionpoints - sends back always CRL in response - CDP instead of CRL not implemented yet - planed as configuration option for 0.9.3 CA Rollover - planed for 0.9.3

Recommended

DMVPN configuration - Configuring Cisco dynamic Multipoint VPN - HUB, SPOKES,...
DMVPN configuration - Configuring Cisco dynamic Multipoint VPN - HUB, SPOKES,...DMVPN configuration - Configuring Cisco dynamic Multipoint VPN - HUB, SPOKES,...
DMVPN configuration - Configuring Cisco dynamic Multipoint VPN - HUB, SPOKES,...NetProtocol Xpert
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking ExplainedThomas Graf
 
TCP/IP
TCP/IPTCP/IP
TCP/IPaibad ahmed
 
Linux Linux Traffic Control
Linux Linux Traffic ControlLinux Linux Traffic Control
Linux Linux Traffic ControlSUSE Labs Taipei
 
DPDK KNI interface
DPDK KNI interfaceDPDK KNI interface
DPDK KNI interfaceDenys Haryachyy
 
ISP Load Balancing with Mikrotik ECMP
ISP Load Balancing with Mikrotik ECMPISP Load Balancing with Mikrotik ECMP
ISP Load Balancing with Mikrotik ECMPGLC Networks
 
The TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelThe TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelDivye Kapoor
 
8. internal components of router
8. internal components of router8. internal components of router
8. internal components of routerSwarndeep Singh
 

Recommended

DMVPN configuration - Configuring Cisco dynamic Multipoint VPN - HUB, SPOKES,...
DMVPN configuration - Configuring Cisco dynamic Multipoint VPN - HUB, SPOKES,...DMVPN configuration - Configuring Cisco dynamic Multipoint VPN - HUB, SPOKES,...
DMVPN configuration - Configuring Cisco dynamic Multipoint VPN - HUB, SPOKES,...NetProtocol Xpert
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking ExplainedThomas Graf
 
TCP/IP
TCP/IPTCP/IP
TCP/IPaibad ahmed
 
Linux Linux Traffic Control
Linux Linux Traffic ControlLinux Linux Traffic Control
Linux Linux Traffic ControlSUSE Labs Taipei
 
DPDK KNI interface
DPDK KNI interfaceDPDK KNI interface
DPDK KNI interfaceDenys Haryachyy
 
ISP Load Balancing with Mikrotik ECMP
ISP Load Balancing with Mikrotik ECMPISP Load Balancing with Mikrotik ECMP
ISP Load Balancing with Mikrotik ECMPGLC Networks
 
The TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelThe TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelDivye Kapoor
 
8. internal components of router
8. internal components of router8. internal components of router
8. internal components of routerSwarndeep Singh
 
Segment Routing Lab
Segment Routing Lab Segment Routing Lab
Segment Routing Lab Cisco Canada
 
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatDigicomp Academy AG
 
Network LACP/Bonding/Teaming with Mikrotik
Network LACP/Bonding/Teaming with MikrotikNetwork LACP/Bonding/Teaming with Mikrotik
Network LACP/Bonding/Teaming with MikrotikGLC Networks
 
Proof of Transit: Securely Verifying a Path or Service Chain
Proof of Transit: Securely Verifying a Path or Service ChainProof of Transit: Securely Verifying a Path or Service Chain
Proof of Transit: Securely Verifying a Path or Service ChainFrank Brockners
 
Understanding DPDK
Understanding DPDKUnderstanding DPDK
Understanding DPDKDenys Haryachyy
 
OpenWrt From Top to Bottom
OpenWrt From Top to BottomOpenWrt From Top to Bottom
OpenWrt From Top to BottomKernel TLV
 
Linux Performance Analysis and Tools
Linux Performance Analysis and ToolsLinux Performance Analysis and Tools
Linux Performance Analysis and ToolsBrendan Gregg
 
Session initiation protocol SIP
Session initiation protocol SIPSession initiation protocol SIP
Session initiation protocol SIPLaraib Khan
 
Standardizing the tee with global platform and RISC-V
Standardizing the tee with global platform and RISC-VStandardizing the tee with global platform and RISC-V
Standardizing the tee with global platform and RISC-VRISC-V International
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCKernel TLV
 
Linux Terminal commands for Devops.pdf
Linux Terminal commands for Devops.pdfLinux Terminal commands for Devops.pdf
Linux Terminal commands for Devops.pdfNambi Nam
 
Ovs dpdk hwoffload way to full offload
Ovs dpdk hwoffload way to full offloadOvs dpdk hwoffload way to full offload
Ovs dpdk hwoffload way to full offloadKevin Traynor
 
Mikrotik basic configuration
Mikrotik basic configurationMikrotik basic configuration
Mikrotik basic configurationTola LENG
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecturehugo lu
 
Tcpdump
TcpdumpTcpdump
TcpdumpSourav Roy
 
Ip security
Ip security Ip security
Ip security Dr.K.Sreenivas Rao
 
NFV and SDN: 4G LTE and 5G Wireless Networks on Intel(r) Architecture
NFV and SDN: 4G LTE and 5G Wireless Networks on Intel(r) ArchitectureNFV and SDN: 4G LTE and 5G Wireless Networks on Intel(r) Architecture
NFV and SDN: 4G LTE and 5G Wireless Networks on Intel(r) ArchitectureMichelle Holley
 
Introduction to tcpdump
Introduction to tcpdumpIntroduction to tcpdump
Introduction to tcpdumpLev Walkin
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingViller Hsiao
 
Segment Routing for Dummies
Segment Routing for DummiesSegment Routing for Dummies
Segment Routing for DummiesGary Jan
 
Kuberntes Ingress with Kong
Kuberntes Ingress with KongKuberntes Ingress with Kong
Kuberntes Ingress with KongNebulaworks
 
PKI by Tim Polk
PKI by Tim PolkPKI by Tim Polk
PKI by Tim PolkInformation Security Awareness Group
 

More Related Content

What's hot

Segment Routing Lab
Segment Routing Lab Segment Routing Lab
Segment Routing Lab Cisco Canada
 
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatDigicomp Academy AG
 
Network LACP/Bonding/Teaming with Mikrotik
Network LACP/Bonding/Teaming with MikrotikNetwork LACP/Bonding/Teaming with Mikrotik
Network LACP/Bonding/Teaming with MikrotikGLC Networks
 
Proof of Transit: Securely Verifying a Path or Service Chain
Proof of Transit: Securely Verifying a Path or Service ChainProof of Transit: Securely Verifying a Path or Service Chain
Proof of Transit: Securely Verifying a Path or Service ChainFrank Brockners
 
OpenWrt From Top to Bottom
OpenWrt From Top to BottomOpenWrt From Top to Bottom
OpenWrt From Top to BottomKernel TLV
 
Linux Performance Analysis and Tools
Linux Performance Analysis and ToolsLinux Performance Analysis and Tools
Linux Performance Analysis and ToolsBrendan Gregg
 
Session initiation protocol SIP
Session initiation protocol SIPSession initiation protocol SIP
Session initiation protocol SIPLaraib Khan
 
Standardizing the tee with global platform and RISC-V
Standardizing the tee with global platform and RISC-VStandardizing the tee with global platform and RISC-V
Standardizing the tee with global platform and RISC-VRISC-V International
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCKernel TLV
 
Linux Terminal commands for Devops.pdf
Linux Terminal commands for Devops.pdfLinux Terminal commands for Devops.pdf
Linux Terminal commands for Devops.pdfNambi Nam
 
Ovs dpdk hwoffload way to full offload
Ovs dpdk hwoffload way to full offloadOvs dpdk hwoffload way to full offload
Ovs dpdk hwoffload way to full offloadKevin Traynor
 
Mikrotik basic configuration
Mikrotik basic configurationMikrotik basic configuration
Mikrotik basic configurationTola LENG
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecturehugo lu
 
NFV and SDN: 4G LTE and 5G Wireless Networks on Intel(r) Architecture
NFV and SDN: 4G LTE and 5G Wireless Networks on Intel(r) ArchitectureNFV and SDN: 4G LTE and 5G Wireless Networks on Intel(r) Architecture
NFV and SDN: 4G LTE and 5G Wireless Networks on Intel(r) ArchitectureMichelle Holley
 
Introduction to tcpdump
Introduction to tcpdumpIntroduction to tcpdump
Introduction to tcpdumpLev Walkin
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingViller Hsiao
 
Segment Routing for Dummies
Segment Routing for DummiesSegment Routing for Dummies
Segment Routing for DummiesGary Jan
 

What's hot (20)

Segment Routing Lab
Segment Routing Lab Segment Routing Lab
Segment Routing Lab
 
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
 
Network LACP/Bonding/Teaming with Mikrotik
Network LACP/Bonding/Teaming with MikrotikNetwork LACP/Bonding/Teaming with Mikrotik
Network LACP/Bonding/Teaming with Mikrotik
 
Proof of Transit: Securely Verifying a Path or Service Chain
Proof of Transit: Securely Verifying a Path or Service ChainProof of Transit: Securely Verifying a Path or Service Chain
Proof of Transit: Securely Verifying a Path or Service Chain
 
Understanding DPDK
Understanding DPDKUnderstanding DPDK
Understanding DPDK
 
OpenWrt From Top to Bottom
OpenWrt From Top to BottomOpenWrt From Top to Bottom
OpenWrt From Top to Bottom
 
Linux Performance Analysis and Tools
Linux Performance Analysis and ToolsLinux Performance Analysis and Tools
Linux Performance Analysis and Tools
 
Session initiation protocol SIP
Session initiation protocol SIPSession initiation protocol SIP
Session initiation protocol SIP
 
Standardizing the tee with global platform and RISC-V
Standardizing the tee with global platform and RISC-VStandardizing the tee with global platform and RISC-V
Standardizing the tee with global platform and RISC-V
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCC
 
Linux Terminal commands for Devops.pdf
Linux Terminal commands for Devops.pdfLinux Terminal commands for Devops.pdf
Linux Terminal commands for Devops.pdf
 
Ovs dpdk hwoffload way to full offload
Ovs dpdk hwoffload way to full offloadOvs dpdk hwoffload way to full offload
Ovs dpdk hwoffload way to full offload
 
Mikrotik basic configuration
Mikrotik basic configurationMikrotik basic configuration
Mikrotik basic configuration
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecture
 
Tcpdump
TcpdumpTcpdump
Tcpdump
 
Ip security
Ip security Ip security
Ip security
 
NFV and SDN: 4G LTE and 5G Wireless Networks on Intel(r) Architecture
NFV and SDN: 4G LTE and 5G Wireless Networks on Intel(r) ArchitectureNFV and SDN: 4G LTE and 5G Wireless Networks on Intel(r) Architecture
NFV and SDN: 4G LTE and 5G Wireless Networks on Intel(r) Architecture
 
Introduction to tcpdump
Introduction to tcpdumpIntroduction to tcpdump
Introduction to tcpdump
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracing
 
Segment Routing for Dummies
Segment Routing for DummiesSegment Routing for Dummies
Segment Routing for Dummies
 

Similar to SCEP - simple certificate enrollment protocol - 1. OpenCA Workshop 2004 / OpenXPKI

Kuberntes Ingress with Kong
Kuberntes Ingress with KongKuberntes Ingress with Kong
Kuberntes Ingress with KongNebulaworks
 
Free OpManager training Part1- Discovery and classification
Free OpManager training Part1- Discovery and classificationFree OpManager training Part1- Discovery and classification
Free OpManager training Part1- Discovery and classificationManageEngine, Zoho Corporation
 
Consuming GRIN GLOBAL Webservices
Consuming GRIN GLOBAL WebservicesConsuming GRIN GLOBAL Webservices
Consuming GRIN GLOBAL WebservicesEdwin Rojas
 
The constrained application protocol (coap) part 3
The constrained application protocol (coap) part 3The constrained application protocol (coap) part 3
The constrained application protocol (coap) part 3Hamdamboy (함담보이)
 
The constrained application protocol (coap) part 3
The constrained application protocol (coap) part 3The constrained application protocol (coap) part 3
The constrained application protocol (coap) part 3Hamdamboy
 
The constrained application protocol (co ap) part 3
The constrained application protocol (co ap) part 3The constrained application protocol (co ap) part 3
The constrained application protocol (co ap) part 3Hamdamboy
 
The constrained application protocol (co ap) part 3
The constrained application protocol (co ap) part 3The constrained application protocol (co ap) part 3
The constrained application protocol (co ap) part 3Hamdamboy (함담보이)
 
Linkerd – Service mesh with service Discovery backend
Linkerd – Service mesh with service Discovery backendLinkerd – Service mesh with service Discovery backend
Linkerd – Service mesh with service Discovery backendLeandro Totino Pereira
 
Season 4 [Free OpManager training] Part1- Discovery and classification
Season 4 [Free OpManager training] Part1- Discovery and classificationSeason 4 [Free OpManager training] Part1- Discovery and classification
Season 4 [Free OpManager training] Part1- Discovery and classificationManageEngine, Zoho Corporation
 
RPKI Certification Tutorial
RPKI Certification TutorialRPKI Certification Tutorial
RPKI Certification TutorialRIPE NCC
 
IBM MQ V8 Security: Latest Features Deep-Dive
IBM MQ V8 Security: Latest Features Deep-DiveIBM MQ V8 Security: Latest Features Deep-Dive
IBM MQ V8 Security: Latest Features Deep-DiveMorag Hughson
 
Remote procedure calls
Remote procedure callsRemote procedure calls
Remote procedure callsimnomus
 
Micro HTTP Server Implemented in C @ COSCUP 2016
Micro HTTP Server Implemented in C @ COSCUP 2016Micro HTTP Server Implemented in C @ COSCUP 2016
Micro HTTP Server Implemented in C @ COSCUP 2016Jian-Hong Pan
 
APIC-EM API Deep Dive
APIC-EM API Deep DiveAPIC-EM API Deep Dive
APIC-EM API Deep DiveCisco DevNet
 
EC PKI Training on-prem and cloud-based PKI
EC PKI Training on-prem and cloud-based PKIEC PKI Training on-prem and cloud-based PKI
EC PKI Training on-prem and cloud-based PKIParnashreeSaha
 
GVP8- Troubleshooting.pptx
GVP8- Troubleshooting.pptxGVP8- Troubleshooting.pptx
GVP8- Troubleshooting.pptxMiyuruChamath
 

Similar to SCEP - simple certificate enrollment protocol - 1. OpenCA Workshop 2004 / OpenXPKI (20)

Kuberntes Ingress with Kong
Kuberntes Ingress with KongKuberntes Ingress with Kong
Kuberntes Ingress with Kong
 
PKI by Tim Polk
PKI by Tim PolkPKI by Tim Polk
PKI by Tim Polk
 
Apa itu gRPC_.pptx
Apa itu gRPC_.pptxApa itu gRPC_.pptx
Apa itu gRPC_.pptx
 
Free OpManager training Part1- Discovery and classification
Free OpManager training Part1- Discovery and classificationFree OpManager training Part1- Discovery and classification
Free OpManager training Part1- Discovery and classification
 
Consuming GRIN GLOBAL Webservices
Consuming GRIN GLOBAL WebservicesConsuming GRIN GLOBAL Webservices
Consuming GRIN GLOBAL Webservices
 
The constrained application protocol (coap) part 3
The constrained application protocol (coap) part 3The constrained application protocol (coap) part 3
The constrained application protocol (coap) part 3
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideas
 
The constrained application protocol (coap) part 3
The constrained application protocol (coap) part 3The constrained application protocol (coap) part 3
The constrained application protocol (coap) part 3
 
The constrained application protocol (co ap) part 3
The constrained application protocol (co ap) part 3The constrained application protocol (co ap) part 3
The constrained application protocol (co ap) part 3
 
The constrained application protocol (co ap) part 3
The constrained application protocol (co ap) part 3The constrained application protocol (co ap) part 3
The constrained application protocol (co ap) part 3
 
Linkerd – Service mesh with service Discovery backend
Linkerd – Service mesh with service Discovery backendLinkerd – Service mesh with service Discovery backend
Linkerd – Service mesh with service Discovery backend
 
Season 4 [Free OpManager training] Part1- Discovery and classification
Season 4 [Free OpManager training] Part1- Discovery and classificationSeason 4 [Free OpManager training] Part1- Discovery and classification
Season 4 [Free OpManager training] Part1- Discovery and classification
 
RESTful APIs and SBCs
RESTful APIs and SBCsRESTful APIs and SBCs
RESTful APIs and SBCs
 
RPKI Certification Tutorial
RPKI Certification TutorialRPKI Certification Tutorial
RPKI Certification Tutorial
 
IBM MQ V8 Security: Latest Features Deep-Dive
IBM MQ V8 Security: Latest Features Deep-DiveIBM MQ V8 Security: Latest Features Deep-Dive
IBM MQ V8 Security: Latest Features Deep-Dive
 
Remote procedure calls
Remote procedure callsRemote procedure calls
Remote procedure calls
 
Micro HTTP Server Implemented in C @ COSCUP 2016
Micro HTTP Server Implemented in C @ COSCUP 2016Micro HTTP Server Implemented in C @ COSCUP 2016
Micro HTTP Server Implemented in C @ COSCUP 2016
 
APIC-EM API Deep Dive
APIC-EM API Deep DiveAPIC-EM API Deep Dive
APIC-EM API Deep Dive
 
EC PKI Training on-prem and cloud-based PKI
EC PKI Training on-prem and cloud-based PKIEC PKI Training on-prem and cloud-based PKI
EC PKI Training on-prem and cloud-based PKI
 
GVP8- Troubleshooting.pptx
GVP8- Troubleshooting.pptxGVP8- Troubleshooting.pptx
GVP8- Troubleshooting.pptx
 

Recently uploaded

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

SCEP - simple certificate enrollment protocol - 1. OpenCA Workshop 2004 / OpenXPKI

  • 1. Fraunhofer-Institut für Digitale Medientechnologie IDMT Simple Certificate Enrollment Protocol Ives Steglich Munich, 12th October 2004
  • 2. Seite 2 Overview • SCEP Simple Certificate Enrollment Protocol Goals Basics Message Format Messages Transaction Model Requests • Integration into OpenCA Interface Supported Operations Open Issues
  • 3. Seite 3 Overview • SCEP Simple Certificate Enrollment Protocol Goals Basics Message Format Messages Transaction Model Requests • Integration into OpenCA Supported Operations Open Issues
  • 4. Seite 4 SCEP :: Goals Primary - CA and RA public key distribution - Certificate enrollment - Certificate revocation (manual) - Certificate query - CRL query Secondary - Certificate renewal - CA rollover - Confidantiality of internal networkdata ?
  • 5. Seite 5 SCEP :: Basics Transportprotocols - HTTP (Get & POST) - LDAP Cryptographic Protocols & Containers - PKCS#7 – Envelop and Confidentiality - PKCS#10 – Certificate Requests Cryptographic Algorithms - RSA - no others supported till now for keys - DES - used in PKCS#7 encryption portion - MD5 - as digest for encrypted message part Others - Message based protocol: Request -> Response - Actions always triggerd by Client
  • 6. Seite 6 SCEP :: Messages PKCSReq CertRep GetCertInitial GetCert GetCRL GetCACert GetCACertChain (since rev. 3) GetCACaps (since rev. 10) GetNextCACert (since rev. 10)
  • 7. Seite 7 SCEP :: Transaction Model certificate non existent certificate pending certificate issued PKCSReq CertRep (Status = SUCCESS) GetCertInitial Triggered by timeout or manual authentication or timeout occured CertRep (Status = REJECTED || FAILURE)
  • 8. Seite 8 SCEP :: Basic Massageformat PKCS#7 pkiMessage: outer PKCS#7 container pkcsPKISigned contains signed attributes - transactin attributes - etc. pkcsPKIEnveloped contains encrypted information - PKCS#10 Request - issued certificate - crl - empty depending on request and reply from the scep-interface pkiMessage pkcsPKISigned Transaction Attributes SignerInfo SignerCertificateChain pkcsPKIEnveloped recipientInfos encryptedData
  • 9. Seite 9 Messageformat :: Authenticated Transaction Attributes I Authenticated Transaction Attributes transactionID unique transaction identifier - required messageType how to handle the content / what to expect - required pkiStatus only in response failinfo only in error condition senderNonce prevent reply attacs – required in request and response recipientNonce prevent reply attacs – required in response
  • 10. Seite 10 Messageformat :: Authenticated Transaction Attributes II messageTypes PKCSReq (19) Permits use of PKCS#10 certificate request CertRep (3) Response to certificate or CRL request GetCertInitial (20) Certificate polling in manual enrollment GetCert (21) Retrieve a certificate GetCRL (22) Retrieve a CRL or CRL-Distributionpoint pkiStatus SUCCESS (0) request granted FAILURE (2) request rejected PENDING (3) request pending for manual approval.
  • 11. Seite 11 Messageformat :: Failcodes failinfo badAlg (0) Unrecognized or unsupported algorithm ident badMessageCheck (1) integrity check failed badRequest (2) transaction not permitted or supported badTime (3) Message time field was not sufficiently close to the system time badCertId (4) No certificate could be identified matching the provided criteria OpenCA mainly uses badRequest for ANY error inside OpenCA so kind of problems may be difficult to trace on client-side
  • 12. Seite 12 SCEP :: Communication Examples CA/RA Certificate Distribution (performed only once usaly) Enrollment of an Certificate PKCSReq: PKI cert. enrollment msg CertRep: pkiStatus = PENDING[1] no data attached (in PKCS#7) GetCertInitial: polling msg [n-1] CertRep: pkiStatus = PENDING[n] no data attached (in PKCS#7) GetCertInitial: polling msg [n] CertRep: pkiStatus = SUCCESS certificate attached (in PKCS#7) ManualApproval orCert.Request Get CA/RA Certificate(HTTP GET or POST Request) CA/RA Certificate Download (HTTP Response Message) Compute FingerprintCall CA Operator Recive Call Check Fingerprint
  • 13. Seite 13 SCEP :: Requests I Based on PKCS#10 contains - subject "the requestor's subject name“ - challengePassword - extensions (x.509 v3) ChallengePassword - automatic enrollment; (requires preauthentication of clients) - as revocation pin for verification against the ca
  • 14. Seite 14 SCEP :: Requests II Renewal - if used issued Cert instead of selfsigned request should be handled as renewal - if request is send after half of validity time may also be handled as renewal request - behavior dependent on CA Policy CA Rollover - use newly introduced msg: GetNextCACert if supported by CA Request New Cert for new CA/RA Cert - use the new CA/RA cert in the requesting envelop instead of the actual CA/RA cert
  • 15. Seite 15 Overview • SCEP Simple Certificate Enrollment Protocol Goals Basics Message Format Messages Transaction Model Requests • Integration into OpenCA Supported Operations Open Issues
  • 16. Seite 16 Integration into OpenCA cmdline based tookit openca-scep (c-code) - can parse and create scep-conform pkcs#7 msg - interface similar to openssl cmd-interfaces - doesn’t do transaction or error handling OpenCA created a new interface called SCEP - consists of two functions - one for ca/ra certificate distribution - one for the operations itself - transaction state and error checking managed inside those functions - openca database keeps track of transactions
  • 17. Seite 17 OpenCA :: Supported Operations PKCSReq CertRep GetCertInitial GetCert GetCRL GetCACert GetCACertChain GetCACaps (planed for 0.9.3) GetNextCACert (planed for 0.9.3)
  • 18. Seite 18 OpenCA :: Open Issues Handling of renewals - not implemented yet - planed for 0.9.3 Preauthentication and automatic processing - OpenCA backend doesn’t support automatic enrollment and preauthenticatin yet - planed for 0.9.3 Crldistributionpoints - sends back always CRL in response - CDP instead of CRL not implemented yet - planed as configuration option for 0.9.3 CA Rollover - planed for 0.9.3