US2014337618A1PendingUtilityA1
System and Method for Validating SCEP Certificate Enrollment Requests
Est. expiryMar 12, 2032(~5.7 yrs left)· nominal 20-yr term from priority
H04L 63/0823H04L 63/08H04L 63/205
48
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
A system and method for validating SCEP certificate enrollment that enforces the pairing of a SCEP challenge password and a set of expected certificate request content. A SCEP Validation Service or software residing in another system component whether a certificate request is legitimate by comparing it to registered SCEP challenges and associated expected certificate request content. This system and method addresses a privilege-escalation vulnerability in prior SCEP-based systems that could lead to a practical attack.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A computer implemented method for validating simple certificate enrollment protocol (SCEP) certificate enrollment requests, said method comprising, the steps of, in combination:
electronically receiving a request via a communications network from a trusted user for a SCEP challenge to be used in a subsequent certificate request and, in response to the request, preregistering the SCEP challenge by electronically storing the SCEP challenge and associated expected certificate content for the SCEP challenge; electronically validating a certificate request including the SCEP challenge by checking whether the SCEP challenge of the certificate request was preregistered and if so checking whether content of the certificate request matches the stored expected certificate content associated with the preregistered SCEP challenge, and authorizing a certificate for the certificate request if the SCEP challenge of the certificate request was preregistered and the content of the certificate request matches the stored expected certificate content associated with the preregistered SCEP challenge.
2 . The computer implemented method according to claim 1 , wherein the certificate request is a PKCS#10 certification request.
3 . The computer implemented method according to claim 1 , wherein the validation step is performed by a SCEP Validation Service.
4 . The computer implemented method according to claim 3 , wherein the certificate request is received via the communication network by a SCEP Server which sends the certificate request to a Certificate Authority which communicates with the SCEP Validation Service to validate the certificate request.
5 . The computer implemented method according to claim 4 , wherein the Certificate Authority communicates with the SCEP Validation Service via a SCEP Enforcement Module.
6 . The computer implemented method according to claim 4 , wherein the SCEP Enforcement Module is implemented as a Policy Module for the Certificate Authority.
7 . The computer implemented method according to claim 6 , wherein the SCEP Enforcement Module passes all communications through unless a certificate request containing a SCEP challenge is received.
8 . The computer implemented method according to claim 3 , wherein the SCEP Validation Service is implemented as a Service-Oriented Architecture component.
9 . The computer implemented method according to claim 5 , wherein the certificate request is received via the communication network by a SCEP Server which sends the certificate request to the SCEP Validation Service for validation prior to sending the certificate request to a Certificate Authority.
10 . The computer implemented method according to claim 1 , wherein the certificate request is received via the communication network by a SCEP Server which validates the certificate with software residing in the SCEP Server prior to sending the certificate request to a Certificate Authority.
11 . The computer implemented method according to claim 1 , wherein the certificate request is received via the communication network by a SCEP Server which sends the certificate request to a Certificate Authority which validates the certificate request with software residing in the Certificate Authority prior to authorizing the certificate request.
12 . A system for validating simple certificate enrollment protocol (SCEP) certificate enrollment requests, said system comprising, in combination:
SCEP Server for electronically receiving a request via a communications network from a trusted user to preregister a SCEP challenge to be used in a subsequent certificate request; a SCEP Issuance System for electronically sending the SCEP challenge via the communication network to the trusted user; a SCEP Validation Service for electronically storing the SCEP Challenge and associated expected certificate content for the SCEP challenge and for validating the subsequent certificate request by checking whether the SCEP challenge was preregistered and, if so, checking whether content of the subsequent certificate request matches the stored expected certificate content associated with the preregistered SCEP challenge; wherein the subsequent certificate request is validated by the SCEP Validation Service and a certificate is authorized for the subsequent certificate request if the SCEP challenge of the certificate request was preregistered and the content of the subsequent certificate request matches the stored expected certificate content associated with the preregistered SCEP challenge.
13 . The system according to claim 12 , wherein the subsequent certificate request is a PKCS#10 certification request.
14 . The system according to claim 12 , further comprising a Certificate Authority which receives the subsequent certificate request from the SCEP Server and communicates with the SCEP Validation Service to validate the certificate request.
15 . The system according to claim 14 , wherein the Certificate Authority includes a SCEP Enforcement Module for communicating with the SCEP Validation Service.
16 . The system according to claim 15 , wherein the SCEP Enforcement Module is implemented as a Policy Module for the Certificate Authority,
17 . The system according to claim 16 , wherein the SCEP Enforcement Module passes all communications through unless a certificate request containing a SCEP challenge is received.
18 . The system according to claim 12 , wherein the SCEP Validation Service is implemented as a Service-Oriented Architecture component.
19 . The system according to claim 12 , wherein SCEP server sends the subsequent certificate request to the SCEP Validation Service for validation prior to sending the subsequent certificate request to a Certificate Authority.
20 . A System for validating simple certificate enrollment protocol (SCEP) certificate enrollment requests, said system comprising, in combination:
a SCEP Server for electronically receiving a request via a communications network from a trusted user to preregister for a SCEP challenge to be used in a subsequent certificate request; a SCEP Issuance System for electronically sending the SCEP challenge via the communications network to the trusted user; validation software configured to electronically store the SCEP challenge and associated expected certificate content for the SCEP challenge and to validate the subsequent certificate request; and wherein the validation software validates the subsequent certificate request and authorizes a certificate for the subsequent certificate request if the SCEP challenge of the subsequent certificate request was preregistered and the content of the subsequent certificate request matches the stored expected certificate content associated with the preregistered SCEP challenge.
21 . The system according to claim 20 , wherein the subsequent certificate request is a PKCS#10 certification request.
22 . The system according to claim 20 , further comprising a Certificate Authority which receives the subsequent certificate request from the SCEP Server.
23 . The system according to claim 22 , wherein the validation software resides in the Certificate Authority.
24 . The system according to claim 20 , wherein the validation software resides in the SCEP Server.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.