1

I'm debating and need to know the implications of not using the SCEP protocol for the mdm enrolment, more precisely the Identity certificate (the certificate credential used for authentication). I'm talking about the certificate in the Identity section on IPCU, as shown in the image below, with the red arrow.

enter image description here

I wont be pushing down profiles with sensitive informations (like vpn, email, etc configurations and/or passwords).

My use case will be 99%:

  • Block/unblock apps by rating
  • Lock/unlock device
  • Block/unlock web domains

From reading around StackOverflow (here and here) the following scenarios can happen.

  1. If someone get access to the certificate he will be able to impersonate an enrolled device, but he will only be able to receive commands/profiles and not initiate commands/profiles. Am I right?
  2. A man in the middle attack can get access to the certificate

The advantage of using the PKCS12 embedded within the profile is that it is faster to implement and no external dependencies (SCEP server) but I'm not so sure about the disadvantages. So my questions and doubts is:

  1. What can a malicious person do with the private key from the Identity certificate?

  2. Can it be a security breach going with the PKCS12 embedded approach?

This is mostly a question of SCEP vs PKCS12 embedded within the profile, pros and cons.

Community
  • 1
  • 1
dazito
  • 7,740
  • 15
  • 75
  • 117

1 Answers1

2

Here my thought on that:

1) If you are building a prototype or a small not critical service then go with PKCS12.

2) If you are building a serious product (production and touching devices of people with sensitive info) then go with SCEP (you can get a free SCEP servers. It's not that complex).

Frankly, If I was on the dark side (trying to hack it) I don't think that I would attack PKCS12 vs SCEP (it's not the weakest link)

However, let say, I say I decided to try to hack it

  • I would try to do man in the middle. I will try to capture communicarion, save PKCS12 and password for it

  • I will use it to authenticate to MDM server.

  • You are right, I can't trigger any commands, but I can start probing your code to find where you skipped some security checks. Maybe you don't check that a certificate matches a device UUID and so on.

  • Hopefully, I will find enough security holes to do something (let say trigger actions for other users). Maybe I will send them Wipe command or may be I will try to install a root CA + HTTP proxy configuration to see all their traffic.

Anyhow. I don't think that it's that weakest link and it requires a lot of additional step to get to some interesting stuff. However, if you get there, you can do A LOT.

As a result for a serious product, it will make sense to invest several additional weeks in SCEP.

Victor Ronin
  • 22,758
  • 18
  • 92
  • 184
  • Thanks! What free SCEP servers would you recommend? Out of curiosity, what is/are - in your opinion - the weakest link(s)? – dazito Jun 21 '16 at 19:22
  • You can check jSCEP (Java) - https://github.com/jscep/jscep or Scep-gem (Ruby) - https://github.com/onelogin/scep-gem. EJBCA (Java) also has SCEP server - https://www.ejbca.org/docs/adminguide.html. You can probably find several more. – Victor Ronin Jun 22 '16 at 03:30
  • The weakest link is _always_ a human :) I don't think that you can define upfront what is the weakest link. I would probably write down top 10-15 ideas which I have and would try (probe) each of them (without spending too much time on each attempt) and see how the server will behave. As example, why should I bother with PKCS vs SCEP if as example I can do SQL injection in an authentication form? (BTW. Bear in mind, that I am not a real hacker. I don't have right tooling and talk about this theoretically. A person who has right tools will be able to find weak spots much faster). – Victor Ronin Jun 22 '16 at 03:38