Cryptographic Hardening of SCEP Transactions for the Network Device Enrollment Service (NDES)

The Simple Certificate Enrollment Protocol (SCEP) is an ancient protocol from the early 2000s. It does not use Transport Layer Security (TLS). Therefore, the protocol messages are encrypted at the transport layer.

When sending the certificate request to the NDES server, the client will sign the certificate request with the NDES server's CEP encryption certificate (which was previously communicated to it via the GetCACert message).

Upon receiving the issued certificate, the NDES server will encrypt the response using a self-signed certificate temporarily generated by the SCEP client.

In both cases, a symmetric encryption algorithm is used.

Continue reading „Kryptographische Härtung der SCEP-Transaktionen für den Registrierungsdienst für Netzwerkgeräte (Network Device Enrollment Service, NDES)“

Network Device Enrollment Service (NDES) Basics

The Simple Certificate Enrollment Protocol (SCEP) was developed by Verisign for Cisco in the early 2000s to provide a simplified method for requesting certificates. Previously, network devices required manually generating a certificate request on each device, submitting it to a certificate authority, and then manually reinstalling the issued certificate on the corresponding device.

Continue reading „Grundlagen Registrierungsdienst für Netzwerkgeräte (Network Device Enrollment Service, NDES)“
en_USEnglish