How PKI enhances network security

Posted by Mike Hathaway on Apr 19, 2023 11:55:52 AM

Faced with the persistent threat of data breaches, most global organisations seek the highest level of security when it comes to network connectivity.

PKI Network

Ensuring that any connection to a network resource, such as a corporate VPN or wireless networking infrastructure, is made by an authorised individual on an authorised device has become imperative.

The corporate workforce of today, globally distributed and mobile, complicates this challenge further. The use of multiple corporate offices, hotdesk office arrangements, airport departure lounges and shared working spaces all come with their specific threat landscapes.

This network diversity introduces huge challenges for network security teams.

Problems for organisations looking at device enrolment

Historically, organisations have delivered Rivest–Shamir–Adleman cryptosystems (RSA) to corporate assets such as network routers, switches, firewalls, applications and servers.

The technology landscape evolves rapidly though and, whilst there is no immediate threat, organisations are increasingly looking to Elliptic Curve Digital Signature Algorithm (ECDSA) instead.

An ECDSA cryptographic scheme provides higher levels of security due to faster speed and superior performance especially for constrained devices.

As such, we are seeing organisations across the world planning PKI refresh programs to service requests for ECDSA certificates. And, further into the future, this will all need to adapt once quantum-resistant algorithms are commercially available.

Technology solutions to solve enrolment challenges

Managing all these certificates is hard work.

SCEP, EST, CMPv2, and ACME technologies offer automated enrolment for digital certificates when establishing VPN, wireless, and TLS connections.

Digital Certificates are far superior to shared secrets as they offer the ability to use varying strengths of security, as well as the ability to renew the certificate on the device over time automatically instead of manual intervention to change the shared secret. Digital Certificates also offer the ability to revoke a certificate if a device is no longer to be trusted – due to a device compromise, for example.

What is Secure Certificate Enrolment Protocol (SCEP)?

SCEP has been the standard for network device enrolment for two decades. It is the evolution of a network enrolment protocol sponsored by Cisco Systems that enables devices to request certificates from a Certification Authority.

The protocol is increasingly being leveraged by applications and mobile devices for certificate enrolment and is commonly used by Mobile Device Management Systems to provision certificates across a broad set of devices.

What is Enrolment over Secure Transport (EST)?

EST (RFC 7030) is a new standard from Cisco Systems, authored in 2013, designed to improve the issuance and lifecycle management of Digital Certificates for secure communications. The protocol offers increased security and is far more comprehensive than previous approaches, such as Secure Certificate Enrolment Protocol (SCEP). EST offers broader cryptographic support for algorithms such as ECDSA and is far more efficient than its counterpart, RSA.

What is Certificate Management Protocol version 2 (CMPv2)?

CMPv2 RFC 4210 was created in 2005 and, historically, has been used by mobile telecommunications providers to deliver automated certificate enrolment and lifecycle management for 4G and 5G networks.

Devices such as eNodeB’s (4G/5G Cell Phone Towers) and Security Gateways provide the backbone for a mobile telecommunications provider to offer 4G and 5G networks to its users. These are based on regular IP networks and so, to offer any form of network security, either shared secret or Digital Certificates are the available options open to operators if they want to establish a secure connection from eNodeB back to a Security Gateway.

More recently, networking vendors have looked towards CMPv2 to replace the ageing SCEP protocol to enable networking devices to request certificates from a PKI. The protocol supports both RSA and ECDSA for network device enrolment and, with the varying organisations recommending a migration from RSA to ECDSA, organisations require a flexible technology to support this migration.

What is Automatic Certificate Management Environment (ACME)?

ACME RFC 8555, created in 2016 and updated in 2018, was designed by the Internet Security Research Group (ISRG) for their Lets Encrypt service. It is a protocol for automating certificate lifecycle management between certification authorities (CA’s) and ACME clients that are typically installed on web servers.

ACME has a wide range of open-source clients that are available for a multitude of operating systems, web servers and application servers that enable automated lifecycle management for digital certificates.

How does Ascertia's solution enhance network security?

Ascertia provides a comprehensive solution to enable businesses, governments and trust service providers to deliver Digital Certificates to people's devices and applications.

Our offering comprises of Ascertia ADSS PKI Server and ADSS Web RA Server, with both products delivering a modular high-trust solution including:

  • Secure Certificate Enrollment Protocol Server: Capable of supporting both RSA and ECDSA.
  • Enrollment over Secure Transport Server: Capable of supporting RSA and ECDSA for enterprise networking enrolment.
  • Certificate Management Protocol version 2 Server: Capable of supporting RSA and ECDSA for both enterprise networking enrolment and LTE/4G device enrolment.
  • ACME Server: Providing automated certificate lifecycle management for TLS certificates.

 

These servers offer network vendors the ultimate flexibility when selecting the correct enrolment protocol to support their needs.

Contact our team to discuss how to embed digital trust at the heart of your network.