Hi Prabath, I have a few concerns on this.

Who can ask for OTPs from the MDM? Exactly what does the MDM identify in this step: the user, the device or both? What is the OTP going to look like? I believe OTP generation should use a crypto function based on [timestamp+deviceid+userid]. And we should have a means to prevent brute-force on OTPs.

Thanks,
-Suresh

On Mon, Aug 5, 2013 at 3:56 PM, Prabath Siriwardena <[email protected]> wrote:

> Hi Shan,
>
> Even here - it uses a SCEP server, which is a separate entity. And this video too explains the vulnerability of SCEP - as it is designed for closed systems..
>
> That is one reason we need to validate the SCEP request against the profile we passed to the device...
>
> It has to validate device identity as well as - the certificate CN and the rest..
>
> Thanks & regards,
> -Prabath
>
>
> On Mon, Aug 5, 2013 at 2:46 PM, Shanmugarajah Sinnathamby <[email protected]> wrote:
>
>> Hi Prabath,
>>
>> Hope you had a look at this
>>
>> http://www.youtube.com/watch?v=SfMeKnch3YA
>>
>>
>> On Mon, Aug 5, 2013 at 1:41 PM, Shanmugarajah Sinnathamby <[email protected]> wrote:
>>
>>> Hi Prabath,
>>>
>>> The challenge is a random number generated and associated with a user and device. So when the SCEP request hits in, we check the challenge and the associated user device and a flag is set.
>>> Also this gives the flexibility for the user to enroll 1 or more devices, since the challenge is for the device.
>>>
>>> Let's say the challenge is stolen by another user or the same user; if he tries to get the certificate using the same challenge, there is a validation against the user and device. Do you think this can help us to secure?
>>> If not, what is the best method to overcome the SCEP vulnerability?
>>>
>>>
>>> On Mon, Aug 5, 2013 at 10:39 AM, Prabath Siriwardena <[email protected]> wrote:
>>>
>>>> I guess the user challenge itself is not enough.. We also need to validate the SCEP request..
>>>>
>>>> Thanks & regards,
>>>> -Prabath
>>>>
>>>>
>>>> On Mon, Aug 5, 2013 at 10:32 AM, Shanmugarajah Sinnathamby <[email protected]> wrote:
>>>>
>>>>> Hi Prabath,
>>>>>
>>>>> Currently the SCEP server is within the MDM domain itself, where validation will be done based on the user challenge before it gets passed to it. The validation part is not done.
>>>>> Also there is a performance issue in the time taken to enroll a device; Mayuran is working on that along with the validation.
>>>>>
>>>>> Thanks,
>>>>> -Shan
>>>>>
>>>>> On Sun, Aug 4, 2013 at 1:38 PM, Prabath Siriwardena <[email protected]> wrote:
>>>>>
>>>>>> Hi Dilshan,
>>>>>>
>>>>>> Have we considered passing the SCEP requests from the devices through the MDM and validating those.. There is a separate mail on that..
>>>>>>
>>>>>> Thanks & regards,
>>>>>> -Prabath
>>>>>>
>>>>>>
>>>>>> On Sun, Aug 4, 2013 at 10:11 AM, Dilshan Edirisuriya <[email protected]> wrote:
>>>>>>
>>>>>>> Yes Prabath, our MDM need not work as a SCEP server. Right now it's a separate WEBrick web server and the code is written in Ruby. The SCEP server can be any third party server like EJBCA etc. I had an offline discussion with Azeez and came to the conclusion that the SCEP server part needs to be separated out to a web app written in Java, so any time it can be replaced with anything. Ideally, I believe this part needs to be handled by IS, and the MDM only communicates with it through the information provided at deployment time.
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Dilshan
>>>>>>>
>>>>>>>
>>>>>>> On Sun, Aug 4, 2013 at 7:09 AM, Prabath Siriwardena <[email protected]> wrote:
>>>>>>>
>>>>>>>> Just had a look at how this works with iOS [1]..
>>>>>>>>
>>>>>>>> I may be totally wrong (please correct me in that case) - I just went through the doc quickly..
>>>>>>>>
>>>>>>>> In the response from the MDM - it has the following.. which in fact gives details to connect to a different SCEP server.. so our MDM need not work as a SCEP server..
>>>>>>>>
>>>>>>>> <array>
>>>>>>>>   <dict>
>>>>>>>>     <key>PayloadContent</key>
>>>>>>>>     <dict>
>>>>>>>>       <key>URL</key>
>>>>>>>>       <string>https://scep.example.com/scep</string>
>>>>>>>>       <key>Name</key>
>>>>>>>>       <string>EnrollmentCAInstance</string>
>>>>>>>>       <key>Subject</key>
>>>>>>>>       <array>
>>>>>>>>         <array>
>>>>>>>>           <array>
>>>>>>>>             <string>O</string>
>>>>>>>>             <string>Example, Inc.</string>
>>>>>>>>           </array>
>>>>>>>>         </array>
>>>>>>>>         <array>
>>>>>>>>           <array>
>>>>>>>>             <string>CN</string>
>>>>>>>>             <string>User Device Cert</string>
>>>>>>>>           </array>
>>>>>>>>         </array>
>>>>>>>>       </array>
>>>>>>>>       <key>Challenge</key>
>>>>>>>>       <string>...</string>
>>>>>>>>       <key>Keysize</key>
>>>>>>>>       <integer>1024</integer>
>>>>>>>>       <key>Key Type</key>
>>>>>>>>       <string>RSA</string>
>>>>>>>>       <key>Key Usage</key>
>>>>>>>>       <integer>5</integer>
>>>>>>>>     </dict>
>>>>>>>>
>>>>>>>> Thanks & regards,
>>>>>>>> -Prabath
>>>>>>>>
>>>>>>>> [1]: http://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/iPhoneOTAConfiguration.pdf
>>>>>>>>
>>>>>>>>
>>>>>>>> On Sun, Aug 4, 2013 at 6:36 AM, Prabath Siriwardena <[email protected]> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Sat, Aug 3, 2013 at 9:04 PM, Sanjiva Weerawarana <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Dilshan & Prabath, should the SCEP server code ship with IS by default?
>>>>>>>>>>
>>>>>>>>>> Prabath I remember a long discussion about certificate issuing and distribution 3-4 years ago but don't think we ended up implementing yet .. is this a lightweight solution?
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Yes.. we didn't make any progress with the CA implementation..
>>>>>>>>>
>>>>>>>>> The SCEP server plays the middle-man role in enrolling and getting a certificate to a network device (which basically does not have any account with the CA).
>>>>>>>>>
>>>>>>>>> The SCEP server will know how to talk to a CA (could be the existing corporate CA) and gets the certificate..
>>>>>>>>>
>>>>>>>>> My understanding is the MDM need not be a SCEP server (please correct me if not).. It only has to know how to talk to a SCEP server.. (which may be IS, EJBCA or Microsoft CA).
>>>>>>>>>
>>>>>>>>> Mobile devices, when getting registered with the MDM, will get a profile with all the details to connect to the SCEP server... and these devices will connect to the SCEP server directly and do the enrollment.. The role of the MDM is to embed the OTP and the server URL of the SCEP server into the profile...
>>>>>>>>>
>>>>>>>>> Thanks & regards,
>>>>>>>>> -Prabath
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Dilshan have you guys already implemented it?
>>>>>>>>>>
>>>>>>>>>> Sanjiva.
>>>>>>>>>>
>>>>>>>>>> On Wed, Jul 31, 2013 at 9:01 PM, Dilshan Edirisuriya <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> Attached is the architecture of mobile device management. The MDM build is compiled on top of Carbon by using the necessary features. The build consists of these layers/modules/components.
>>>>>>>>>>>
>>>>>>>>>>> 1) MDM web console - MDM Jaggery app where you have the MDM core functionality.
>>>>>>>>>>>
>>>>>>>>>>> 2) MDM admin console - This is for creating tenants and admins. At present this is done via the Carbon admin console.
>>>>>>>>>>>
>>>>>>>>>>> 3) Public store - Public store Jaggery app.
>>>>>>>>>>>
>>>>>>>>>>> 4) Publisher - Publisher Jaggery app.
>>>>>>>>>>>
>>>>>>>>>>> 5) Store admin console - Admin console for the store.
>>>>>>>>>>>
>>>>>>>>>>> 6) iPhone interface - This will run the SCEP server [1] which is needed for iPhone provisioning.
>>>>>>>>>>>
>>>>>>>>>>> 7) Android interface - GCM related functionality goes here.
>>>>>>>>>>>
>>>>>>>>>>> 8) User module - User authentication, registration, roles etc. will be handled here. For this we will be using WSRequest in Jaggery or directly calling the OSGi bundle from Jaggery.
>>>>>>>>>>>
>>>>>>>>>>> 9) Tenant management module - Tenants will be handled in this module.
>>>>>>>>>>>
>>>>>>>>>>> 10) Configuration management module - MDM related configurations.
>>>>>>>>>>>
>>>>>>>>>>> 11) Security module - SAML based login etc.
>>>>>>>>>>>
>>>>>>>>>>> 12) Device module - Device related functions.
>>>>>>>>>>>
>>>>>>>>>>> 13) Policy module - XACML related functions to handle MDM policies.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> The main MDM app will be developed as a Jaggery app and it will use an external MySQL database. Jaggery will handle all the database functions related to MDM. Data level isolation of the tenants will also be done using the Jaggery code.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> [1] - http://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>>
>>>>>>>>>>> Dilshan
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Architecture mailing list
>>>>>>>>>>> [email protected]
>>>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Sanjiva Weerawarana, Ph.D.
>>>>>>>>>> Founder, Chairman & CEO; WSO2, Inc.; http://wso2.com/
>>>>>>>>>> email: [email protected]; phone: +94 11 763 9614; cell: +94 77 787 6880 | +1 650 265 8311
>>>>>>>>>> blog: http://sanjiva.weerawarana.org/
>>>>>>>>>>
>>>>>>>>>> Lean . Enterprise . Middleware
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Thanks & Regards,
>>>>>>>>> Prabath
>>>>>>>>>
>>>>>>>>> Mobile : +94 71 809 6732
>>>>>>>>>
>>>>>>>>> http://blog.facilelogin.com
>>>>>>>>> http://RampartFAQ.com
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> Shanmugarajah (Shan)
>>>>>
>>>>> Director Architecture - WSO2Mobile
>>>>>
>>>>> Mob: + 94 714944295
>>>>>
>>>>
>>>
>>
>

--
Suresh Attanayake
Senior Software Engineer; WSO2 Inc. http://wso2.com/
Blog : http://sureshatt.blogspot.com/
Web : http://www.ssoarcade.com/
Facebook : https://www.facebook.com/IdentityWorld
Twitter : https://twitter.com/sureshatt
LinkedIn : http://lk.linkedin.com/in/sureshatt
Mobile : +94755012060
Mobile : +01-616-617-1172
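The thread above raises three checks that together cover the SCEP challenge flow: Shan's design (a random challenge bound to one user and one device, with a flag set once it is redeemed), Prabath's point that the SCEP request itself has to be validated against the profile the MDM handed to the device (subject CN, key parameters), and Suresh's questions about what the MDM identifies and how brute-force on OTPs is prevented. The following is an added example written for this page; it is not code from the WSO2 MDM, from Identity Server, or from the Ruby WEBrick SCEP server the thread mentions. Ruby is used only because the thread says the current SCEP server is written in it. The class name `ScepChallengeRegistry`, the in-memory store, the 10-minute lifetime, the five-failure lockout, the sample user/device identifiers and the assumption that the MDM has already authenticated the connection and can tell the SCEP side which user and device is calling are all assumptions of the example. The CSR is built with OpenSSL as constructed sample input; the 2048-bit key size is the example's choice (the profile excerpt above uses 1024).

```ruby
require 'openssl'
require 'securerandom'

# Added example, not WSO2 MDM or SCEP server code. A registry that binds each SCEP
# challenge password to one user, one device and the subject the MDM wrote into the
# device profile, then checks the incoming PKCS#10 request against all of them.
class ScepChallengeRegistry
  TTL_SECONDS  = 10 * 60 # challenge lifetime (assumed value)
  MAX_FAILURES = 5       # rejected presentations per device before lockout (assumed value)

  def initialize(clock = -> { Time.now })
    @clock    = clock
    @entries  = {}          # challenge => {user:, device:, subject:, keysize:, expires_at:, used:}
    @failures = Hash.new(0) # device id => count of rejected presentations
  end

  # MDM side: called while building the profile; the returned string goes into <key>Challenge</key>.
  # The value is CSPRNG output stored server-side, so nothing about it can be recomputed from
  # timestamps or identifiers; the user/device binding lives in the registry, not in the OTP.
  def issue(user:, device:, subject:, keysize:)
    challenge = SecureRandom.hex(16)
    @entries[challenge] = { user: user, device: device, subject: subject, keysize: keysize,
                            expires_at: @clock.call + TTL_SECONDS, used: false }
    challenge
  end

  # SCEP side: called when the request arrives, with the user/device the MDM authenticated
  # for this connection (assumed). Returns :ok or a symbol naming why the request was rejected.
  def redeem(csr_pem, user:, device:)
    return :locked if @failures[device] >= MAX_FAILURES
    reason, entry = check(csr_pem, user, device)
    if reason
      @failures[device] += 1 # every rejection counts, so guessing from one device is cut short
      return reason
    end
    entry[:used] = true # single use: a replayed or stolen challenge is refused afterwards
    :ok
  end

  private

  def check(csr_pem, user, device)
    csr = OpenSSL::X509::Request.new(csr_pem)
    return [:bad_csr_signature, nil] unless csr.verify(csr.public_key)
    entry = @entries[challenge_password(csr)]
    return [:unknown_challenge, nil] if entry.nil?
    return [:expired, nil] if @clock.call > entry[:expires_at]
    return [:already_used, nil] if entry[:used]
    return [:identity_mismatch, nil] unless entry[:user] == user && entry[:device] == device
    # Validate the request against the profile: subject must be what the MDM handed out.
    return [:subject_mismatch, nil] unless csr.subject.to_s == entry[:subject].to_s
    key = csr.public_key
    return [:wrong_key, nil] unless key.is_a?(OpenSSL::PKey::RSA) && key.n.num_bits == entry[:keysize]
    [nil, entry]
  rescue OpenSSL::X509::RequestError
    [:unparseable_csr, nil]
  end

  # SCEP carries the challenge as the PKCS#9 challengePassword attribute of the CSR.
  def challenge_password(csr)
    attr = csr.attributes.find { |a| a.oid == 'challengePassword' }
    attr && attr.value.value.first.value
  end
end

# Device side, used only to construct sample input: a self-signed CSR carrying the challenge.
def build_csr(subject, keysize, challenge)
  key = OpenSSL::PKey::RSA.new(keysize)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = subject
  csr.public_key = key.public_key
  csr.add_attribute(OpenSSL::X509::Attribute.new(
    'challengePassword', OpenSSL::ASN1::Set.new([OpenSSL::ASN1::PrintableString.new(challenge)])))
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr.to_pem
end

# Walks the lifecycle with constructed identities and returns the outcome of each presentation.
def demo
  subject   = OpenSSL::X509::Name.new([['O', 'Example, Inc.'], ['CN', 'User Device Cert']])
  registry  = ScepChallengeRegistry.new
  challenge = registry.issue(user: 'alice', device: 'udid-1', subject: subject, keysize: 2048)
  good      = build_csr(subject, 2048, challenge)
  guessed   = build_csr(subject, 2048, '0' * 32)
  other_cn  = build_csr(OpenSSL::X509::Name.new([['CN', 'Someone Else']]), 2048, challenge)
  [
    registry.redeem(guessed,  user: 'alice', device: 'udid-1'), # :unknown_challenge
    registry.redeem(good,     user: 'bob',   device: 'udid-1'), # :identity_mismatch
    registry.redeem(good,     user: 'alice', device: 'udid-2'), # :identity_mismatch
    registry.redeem(other_cn, user: 'alice', device: 'udid-1'), # :subject_mismatch
    registry.redeem(good,     user: 'alice', device: 'udid-1'), # :ok
    registry.redeem(good,     user: 'alice', device: 'udid-1')  # :already_used
  ]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Two design choices are worth spelling out. The challenge is 128 bits of CSPRNG output looked up in a server-side store rather than a value derived from a timestamp and identifiers, so there is no structure for a guesser to exploit and the user/device binding cannot be forged by anyone who knows the inputs; the per-device rejection counter is what limits guessing when a deployment chooses a shorter, typeable OTP instead. Checking the CSR subject and key parameters against the stored profile is what turns "the challenge was valid" into "this device asked for exactly the certificate we provisioned it for", which is the gap the thread identifies in relying on the challenge alone.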
