How PKI enhances network security

Posted by Mike Hathaway on Apr 19, 2023 11:55:52 AM

Faced with the persistent threat of data breaches, most global organisations aim to implement the highest security measures regarding network connectivity.


Ensuring that only authorised individuals connect to a network resource, such as a corporate VPN or wireless networking infrastructure, on an authorised device has become imperative.

The globally distributed and mobile corporate workforce of today complicates this challenge further. Multiple corporate offices, hot desk office arrangements, airport departure lounges and shared working spaces come with their specific threat landscapes.

This network diversity introduces huge challenges for network security teams.

Problems for organisations looking at device enrolment

Historically, organisations have issued RSA (Rivest–Shamir–Adleman) keys and certificates to corporate assets such as network routers, switches, firewalls, applications and servers.

The technology landscape evolves rapidly, though. Whilst RSA faces no immediate threat, organisations are increasingly looking to the Elliptic Curve Digital Signature Algorithm (ECDSA) instead.

ECDSA provides strong security with much smaller keys and signatures than RSA, which translates into faster operations and better performance, especially on constrained devices.

As such, we are seeing organisations around the world planning PKI refresh programs to service requests for ECDSA certificates. Further into the future, this will all need to adapt once quantum-resistant algorithms are commercially available.

Technology solutions to solve enrolment challenges

Managing all these certificates is hard work.

SCEP, EST, CMPv2, and ACME technologies offer automated enrolment for digital certificates when establishing VPN, wireless, and TLS connections.

Digital Certificates are far superior to shared secrets. They allow the key strength to be chosen to suit each device and let the certificate on the device be renewed automatically over time, rather than requiring manual intervention to change a shared secret. Digital Certificates also make it possible to revoke a certificate when a device is no longer to be trusted.
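What the enrolment protocols named above automate is the exchange of a signed certificate request for a certificate, and what a VPN gateway or RADIUS server then checks on connection is the chain back to a trusted CA. The following Go program is added here as an illustration; it is not taken from the post and is not Ascertia product code. It runs that exchange in memory for an ECDSA P-256 key and an RSA-2048 key, which also shows the size difference behind the ECDSA performance point made earlier. All function names, the CA name "Example Device Issuing CA" and the device name laptop-0042.example are assumptions made for the example, and the CA key is generated in memory for illustration only.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed ECDSA P-256 issuing CA (a real deployment keeps this key in an HSM).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// deviceRequest runs on the device: generate its key ("ecdsa" = P-256, otherwise RSA-2048) and sign a PKCS#10 request; only the request leaves the device.
func deviceRequest(kind, cn string) ([]byte, error) {
	var key crypto.Signer
	var err error
	if kind == "ecdsa" {
		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	} else {
		key, err = rsa.GenerateKey(rand.Reader, 2048)
	}
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// issueFromCSR runs on the CA (or RA): verify proof of possession, then sign a short-lived client-auth certificate (renewal is automated, so 90 days is plenty).
func issueFromCSR(ca *x509.Certificate, caKey crypto.Signer, csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, 90),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyChain is what the VPN gateway or RADIUS server does when the device connects.
func verifyChain(leaf, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	ca, caKey, err := newCA("Example Device Issuing CA") // constructed name
	if err != nil {
		panic(err)
	}
	for _, kind := range []string{"ecdsa", "rsa"} {
		csr, err := deviceRequest(kind, "laptop-0042.example") // constructed device name
		if err != nil {
			panic(err)
		}
		cert, err := issueFromCSR(ca, caKey, csr)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-5s CSR %d bytes, certificate %d bytes, chain valid: %v\n", kind, len(csr), len(cert.Raw), verifyChain(cert, ca) == nil)
	}
}
```

Run it with `go run .`; the ECDSA certificate comes out noticeably smaller than the RSA one. The `CheckSignature` call on the CA side is the step every one of SCEP, EST, CMPv2 and ACME relies on: it proves the requester holds the private key, so a certificate is never issued for a key someone merely copied out of another device's request. The leaf is deliberately limited to client authentication, which is all a device needs for VPN or 802.1X and which stops the same certificate being presented as a server.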

What is Secure Certificate Enrolment Protocol (SCEP)?

SCEP has been the standard for network device enrolment for two decades. It is the evolution of a network enrolment protocol sponsored by Cisco Systems that enables devices to request certificates from a Certification Authority.

Applications and mobile devices are increasingly leveraging the protocol for certificate enrolment. Mobile Device Management Systems commonly use it to provision certificates across a broad set of devices.

What is Enrolment over Secure Transport (EST)?

Authored in 2013, EST (RFC 7030) is a newer standard from Cisco Systems. It aims to improve the issuance and lifecycle management of Digital Certificates for secure communications. The protocol offers increased security and is more comprehensive than earlier approaches such as SCEP, and it supports a broader set of algorithms, including ECDSA, which is far more efficient than RSA.

What is Certificate Management Protocol version 2 (CMPv2)?

CMPv2 (RFC 4210) was created in 2005, and mobile telecommunications providers have used it to deliver automated certificate enrolment and lifecycle management for 4G and 5G networks.

Devices such as eNodeBs (4G/5G cell towers) and Security Gateways form the backbone that lets a mobile telecommunications provider offer its users 4G and 5G networks. These run over ordinary IP networks, so to secure the connection from an eNodeB back to a Security Gateway, operators must choose between a shared secret and Digital Certificates.

More recently, networking vendors have looked towards CMPv2 to replace the ageing SCEP protocol and enable networking devices to request certificates from a PKI. The protocol supports both RSA and ECDSA for network device enrolment. With various organisations recommending a migration from RSA to ECDSA, organisations require flexible technology to support that migration.

What is Automatic Certificate Management Environment (ACME)?

The Internet Security Research Group (ISRG) created ACME (RFC 8555) in 2016 and updated it in 2018, having designed it for its Let's Encrypt service. It is a protocol for automating certificate lifecycle management between certification authorities (CAs) and ACME clients, which are typically installed on web servers.

ACME has a wide range of open-source clients available for many operating systems, web servers and application servers, which enable automated lifecycle management for digital certificates.

How does Ascertia's solution enhance network security?

Ascertia provides a comprehensive solution to enable businesses, governments and trust service providers to deliver Digital Certificates to people's devices and applications.

Our offering comprises Ascertia ADSS PKI Server and ADSS Web RA Server, with both products delivering a modular high-trust solution including:

  • Secure Certificate Enrolment Protocol Server: Capable of supporting both RSA and ECDSA.
  • Enrolment over Secure Transport Server: Capable of supporting RSA and ECDSA for enterprise networking enrolment.
  • Certificate Management Protocol Version 2 Server: Capable of supporting RSA and ECDSA for both enterprise networking enrolment and LTE/4G device enrolment.
  • ACME Server: Providing automated certificate lifecycle management for TLS certificates.

These servers offer network vendors the ultimate flexibility when selecting the correct enrolment protocol to support their needs.

Contact our team to discuss how to embed digital trust at the heart of your network.