Hi Prabath,

The challenge is a random number generated and associated with a user and device. So when the SCEP request hits in, we check the challenge and the associated user device, and a flag is set. Also this gives the flexibility for the user to enroll 1 or more devices, since the challenge is for the device.
Let's say the challenge is stolen by another user or the same user; if he tries to get the certificate using the same challenge, there is a validation against the user and device. Do you think this can help us to secure it? If not, what is the best method to overcome the SCEP vulnerability?

On Mon, Aug 5, 2013 at 10:39 AM, Prabath Siriwardena <[email protected]> wrote:

> I guess user challenge itself is not enough.. We also need to validate the SCEP request..
>
> Thanks & regards,
> -Prabath
>
> On Mon, Aug 5, 2013 at 10:32 AM, Shanmugarajah Sinnathamby <[email protected]> wrote:
>
>> Hi Prabath,
>>
>> Currently SCEP server is within the MDM domain itself, where validation will be done based on the user challenge before it gets passed to it. The validation part is not done.
>> Also there is a performance issue in the time taken to enroll a device; Mayuran is working on that along with the validation.
>>
>> Thanks,
>> -Shan
>>
>> On Sun, Aug 4, 2013 at 1:38 PM, Prabath Siriwardena <[email protected]> wrote:
>>
>>> Hi Dilshan,
>>>
>>> Have we considered passing the SCEP requests from the devices through the MDM and validating those.. There is a separate mail on that..
>>>
>>> Thanks & regards,
>>> -Prabath
>>>
>>> On Sun, Aug 4, 2013 at 10:11 AM, Dilshan Edirisuriya <[email protected]> wrote:
>>>
>>>> Yes Prabath, our MDM needs not to work as a SCEP server. Right now it's a separate WEBrick web server and the code is written in Ruby. SCEP server can be any third party server like EJBCA etc. I had an offline discussion with Azeez and came to a conclusion that the SCEP server part needs to be separated out to a web app written in Java. So any time it can be replaced with anything. Ideally, which I believe, this part needs to be handled by IS and MDM only communicates with it through the information provided at deployment time.
>>>>
>>>> Regards,
>>>> Dilshan
>>>>
>>>> On Sun, Aug 4, 2013 at 7:09 AM, Prabath Siriwardena <[email protected]> wrote:
>>>>
>>>>> Just had a look at how this works with iOS [1]..
>>>>>
>>>>> I may be totally wrong (please correct me in that case) - I just went through the doc quickly..
>>>>>
>>>>> In the Response from the MDM - it has the following.. which in fact gives details to connect to a different SCEP server.. so our MDM needs not to work as a SCEP server..
>>>>>
>>>>> <array>
>>>>>   <dict>
>>>>>     <key>PayloadContent</key>
>>>>>     <dict>
>>>>>       <key>URL</key>
>>>>>       <string>https://scep.example.com/scep</string>
>>>>>       <key>Name</key>
>>>>>       <string>EnrollmentCAInstance</string>
>>>>>       <key>Subject</key>
>>>>>       <array>
>>>>>         <array>
>>>>>           <array>
>>>>>             <string>O</string>
>>>>>             <string>Example, Inc.</string>
>>>>>           </array>
>>>>>         </array>
>>>>>         <array>
>>>>>           <array>
>>>>>             <string>CN</string>
>>>>>             <string>User Device Cert</string>
>>>>>           </array>
>>>>>         </array>
>>>>>       </array>
>>>>>       <key>Challenge</key>
>>>>>       <string>...</string>
>>>>>       <key>Keysize</key>
>>>>>       <integer>1024</integer>
>>>>>       <key>Key Type</key>
>>>>>       <string>RSA</string>
>>>>>       <key>Key Usage</key>
>>>>>       <integer>5</integer>
>>>>>     </dict>
>>>>>
>>>>> Thanks & regards,
>>>>> -Prabath
>>>>>
>>>>> [1]: http://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/iPhoneOTAConfiguration.pdf
>>>>>
>>>>> On Sun, Aug 4, 2013 at 6:36 AM, Prabath Siriwardena <[email protected]> wrote:
>>>>>
>>>>>> On Sat, Aug 3, 2013 at 9:04 PM, Sanjiva Weerawarana <[email protected]> wrote:
>>>>>>
>>>>>>> Dilshan & Prabath, should the SCEP server code ship with IS by default?
>>>>>>>
>>>>>>> Prabath, I remember a long discussion about certificate issuing and distribution 3-4 years ago but don't think we ended up implementing it yet.. is this a lightweight solution?
>>>>>>
>>>>>> Yes.. we didn't make any progress with the CA implementation..
>>>>>>
>>>>>> SCEP server plays the middle-man role in enrolling and getting a certificate to a network device (which basically does not have any account with the CA).
>>>>>>
>>>>>> SCEP server will know how to talk to a CA (could be the existing corporate CA) and gets the certificate..
>>>>>>
>>>>>> My understanding is MDM needs not to be a SCEP server (please correct me if not).. It only has to know how to talk to a SCEP server.. (which may be IS, EJBCA or Microsoft CA).
>>>>>>
>>>>>> Mobile devices, when getting registered with the MDM, will get a profile with all the details to connect to the SCEP server... and these devices will connect to the SCEP server directly and do the enrollment.. The role of MDM is to embed the OTP and the server URL of the SCEP server into the profile...
>>>>>>
>>>>>> Thanks & regards,
>>>>>> -Prabath
>>>>>>
>>>>>>> Dilshan, have you guys already implemented it?
>>>>>>>
>>>>>>> Sanjiva.
>>>>>>>
>>>>>>> On Wed, Jul 31, 2013 at 9:01 PM, Dilshan Edirisuriya <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Attached is the architecture of mobile device management. The MDM build is compiled on top of Carbon by using the necessary features. The build consists of these layers/modules/components.
>>>>>>>>
>>>>>>>> 1) MDM web console - MDM Jaggery app where you have the MDM core functionality.
>>>>>>>> 2) MDM admin console - This is for creating tenants and admins. At present this is done via the Carbon admin console.
>>>>>>>> 3) Public store - Public store Jaggery app.
>>>>>>>> 4) Publisher - Publisher Jaggery app.
>>>>>>>> 5) Store admin console - Admin console for the store.
>>>>>>>> 6) iPhone interface - This will run the SCEP server [1] which is needed for iPhone provisioning.
>>>>>>>> 7) Android interface - GCM related functionality goes here.
>>>>>>>> 8) User module - User authentication, registration, roles etc. will be handled here. For this we will be using WSRequest in Jaggery or directly calling the OSGi bundle from Jaggery.
>>>>>>>> 9) Tenant management module - Tenants will be handled in this module.
>>>>>>>> 10) Configuration management module - MDM related configurations.
>>>>>>>> 11) Security module - SAML based login etc.
>>>>>>>> 12) Device module - Device related functions.
>>>>>>>> 13) Policy module - XACML related functions to handle MDM policies.
>>>>>>>>
>>>>>>>> The main MDM app will be developed as a Jaggery app and it will use an external MySQL database. Jaggery will handle all the database functions related to MDM. Data level isolation of the tenants will also be done using the Jaggery code.
>>>>>>>>
>>>>>>>> [1] - http://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Dilshan
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Architecture mailing list
>>>>>>>> [email protected]
>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>
>>>>>>> --
>>>>>>> Sanjiva Weerawarana, Ph.D.
>>>>>>> Founder, Chairman & CEO; WSO2, Inc.; http://wso2.com/
>>>>>>> email: [email protected]; phone: +94 11 763 9614; cell: +94 77 787 6880 | +1 650 265 8311
>>>>>>> blog: http://sanjiva.weerawarana.org/
>>>>>>>
>>>>>>> Lean . Enterprise . Middleware
>>>>>>
>>>>>> --
>>>>>> Thanks & Regards,
>>>>>> Prabath
>>>>>>
>>>>>> Mobile : +94 71 809 6732
>>>>>>
>>>>>> http://blog.facilelogin.com
>>>>>> http://RampartFAQ.com
>>>>>
>>>>> --
>>>>> Thanks & Regards,
>>>>> Prabath
>>>>>
>>>>> Mobile : +94 71 809 6732
>>>>>
>>>>> http://blog.facilelogin.com
>>>>> http://RampartFAQ.com
>>>
>>> --
>>> Thanks & Regards,
>>> Prabath
>>>
>>> Mobile : +94 71 809 6732
>>>
>>> http://blog.facilelogin.com
>>> http://RampartFAQ.com
>>
>> --
>> Shanmugarajah (Shan)
>> Director Architecture - WSO2Mobile
>> Mob: + 94 714944295
>
> --
> Thanks & Regards,
> Prabath
>
> Mobile : +94 71 809 6732
>
> http://blog.facilelogin.com
> http://RampartFAQ.com

--
Shanmugarajah (Shan)
Director Architecture - WSO2Mobile
Mob: + 94 714944295
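The thread discusses two checks without showing code for either: Shan's design of a per-(user, device) challenge that is checked when the SCEP request arrives, and Prabath's point that the SCEP request itself, not only the challenge, must be validated. The following is an added example, written for this page in Python and not taken from the WSO2 MDM code base (which the thread says is Ruby today and planned for Java). It shows a challenge store that issues single-use, expiring challenges bound to a user and device, rejects replays, stolen challenges and mismatched certificate subjects, and builds the SCEP `PayloadContent` dictionary in the shape of the iOS profile quoted above. `ChallengeStore`, `expected_cn`, the `user/device` subject naming scheme, the 10-minute TTL and all sample identities are assumptions made for illustration.

```python
"""Added example: single-use SCEP challenges bound to a (user, device) pair, plus the
SCEP profile payload the MDM hands to the device. Not project code; names, the CN
naming scheme and the 10-minute TTL are assumptions for illustration."""
import hashlib
import plistlib
import secrets
import time
from dataclasses import dataclass

CHALLENGE_TTL_SECONDS = 600  # assumed policy: a challenge is valid for 10 minutes


@dataclass
class Challenge:
    user: str
    device_id: str
    expires_at: float
    used: bool = False


def expected_cn(user, device_id):
    """Subject CN the MDM expects in the device's CSR (assumed naming scheme)."""
    return f"{user}/{device_id}"


class ChallengeStore:
    """Issues per-device challenges and validates incoming enrollment requests."""

    def __init__(self, ttl=CHALLENGE_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._records = {}  # sha256(challenge) -> Challenge

    @staticmethod
    def _key(secret):
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, user, device_id):
        # Unguessable random value; only its hash is stored, so a copy of the
        # store does not yield usable challenges.
        secret = secrets.token_urlsafe(32)
        self._records[self._key(secret)] = Challenge(user, device_id, self._clock() + self._ttl)
        return secret

    def validate(self, presented, user, device_id, csr_cn):
        """Return (ok, reason). A challenge is consumed on its first success only."""
        record = self._records.get(self._key(presented))
        if record is None:
            return False, "unknown challenge"
        if record.used:
            return False, "challenge already used"
        if self._clock() > record.expires_at:
            return False, "challenge expired"
        if record.user != user or record.device_id != device_id:
            return False, "challenge not bound to this user/device"
        # Validate the request itself, not just the challenge: the certificate
        # being requested must name the device the challenge was issued to.
        if csr_cn != expected_cn(user, device_id):
            return False, "CSR subject does not match enrolled device"
        record.used = True
        return True, "ok"


def scep_payload(scep_url, org, challenge, cn):
    """PayloadContent dict in the shape of the iOS SCEP profile quoted in the thread."""
    return {
        "URL": scep_url,
        "Name": "EnrollmentCAInstance",
        "Subject": [[["O", org]], [["CN", cn]]],
        "Challenge": challenge,
        "Keysize": 2048,  # the quoted sample shows 1024; 2048 is used here
        "Key Type": "RSA",
        "Key Usage": 5,
    }


def render_profile(payload):
    """Serialize the payload as XML plist bytes (what the device would receive)."""
    return plistlib.dumps(payload)


def demo():
    """Constructed scenarios; returns a name -> (ok, reason) mapping."""
    now = [1_700_000_000.0]  # injectable clock so expiry can be exercised offline
    store = ChallengeStore(clock=lambda: now[0])
    alice_cn = expected_cn("alice", "device-1")
    c1 = store.issue("alice", "device-1")
    results = {
        "legit": store.validate(c1, "alice", "device-1", alice_cn),
        "replay": store.validate(c1, "alice", "device-1", alice_cn),
    }
    c2 = store.issue("alice", "device-2")
    results["stolen_by_other"] = store.validate(c2, "bob", "device-9", expected_cn("bob", "device-9"))
    results["wrong_subject"] = store.validate(c2, "alice", "device-2", "someone-else/device-2")
    c3 = store.issue("alice", "device-3")
    now[0] += CHALLENGE_TTL_SECONDS + 1
    results["expired"] = store.validate(c3, "alice", "device-3", expected_cn("alice", "device-3"))
    results["unknown"] = store.validate("never-issued", "alice", "device-1", alice_cn)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16s} {'ACCEPT' if ok else 'REJECT'}  ({reason})")
    print(render_profile(scep_payload("https://scep.example.com/scep", "Example, Inc.",
                                      "placeholder-challenge", "alice/device-1")).decode())
```

Only the hash of the challenge is persisted and the record is marked used on the first successful enrollment, so a challenge copied out of a profile cannot be presented again, and a challenge presented by a different user or device is refused regardless of whether the value itself is correct. The subject check is a stand-in for the fuller request validation Prabath asks for: in a deployment it would be applied to the CSR inside the PKCS#7-wrapped SCEP message before the request is forwarded to the CA.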
