A computer network within an enterprise, e.g. a company, is a communications network that allows the computers of the network to exchange data. The computers may be many kinds of devices, for example mainframe computers, servers, personal computers (PC), laptops, tablet PCs and private smart phones. Securing the computers in the computer network can therefore be a complex problem.
For computer networks within an enterprise, BYOD (Bring Your Own Device) solutions are known that use a method based on SCEP (Simple Certificate Enrollment Protocol), which also allows employees to connect their private devices, e.g. a laptop or a smart phone, to the network. BYOD links the company user database with the SCEP infrastructure. SCEP is a public key infrastructure (PKI) communication protocol whose current version is defined by the Internet Engineering Task Force (IETF) as an Internet Draft, version SCEP-23. SCEP defines a protocol for certificate management and for certificate and certificate revocation list queries in a closed environment. Entity types defined by SCEP are a requester, e.g. a client or a device, and a SCEP server, which may be either a Certificate Authority (CA) or a Registration Authority (RA). SCEP supports CA and RA public key distribution and certificate enrollment.
The SCEP server is the entity that signs device or client certificates, performs validation and authorisation checks of the SCEP requester, and forwards the certification requests to the CA. A requester starts a certificate enrollment transaction by creating a certificate request and sending it to the certificate authority. A certificate may be granted automatically, or may be granted manually by the administrator. A fingerprint is created by calculating a hash, e.g. a SHA-1 hash, over the whole CA certificate. SCEP is used in particular by network administrators of companies to enroll certificates on devices they manage; this is the original idea behind SCEP. Once the certificate is available, the device can set up connections with other devices and services of the company network.
A standard SCEP certificate enrollment is described in more detail with regard to FIG. 1: A requester, for example an administrator A of a company, logs in to a SCEP server B and activates an enrollment process for a device C by transmitting a certification request, step 1. The administrator may use for this process an administration computer or any other computer of the company network, administrator device D. The device C is for example a smart phone of an employee of the company. The SCEP server B then provides a CA certificate for the device C, and the SCEP server B also generates a password, a one-time code (OTC), and a fingerprint of the CA certificate and transmits the fingerprint and the OTC to the administrator A, step 2.
After having received the OTC, the administrator A logs in to the device C and starts an enrollment process for the device C by providing the OTC to the device C, step 3. The device C may be connected to the company network via Ethernet or via a Wi-Fi connection. The administrator then generates a certificate signing request (CSR) on the device C and sends it to the SCEP server B together with the OTC, step 4. The SCEP server B verifies the OTC of the device C and, if the OTC is correct, the SCEP server B sends the CA certificate signed by the fingerprint to the device C, step 5. The administrator accepts the received CA certificate if the fingerprint of the CA certificate is valid based on the fingerprint received from the SCEP server B in step 2. The device C is now ready for operation within the company network.
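The two checks that carry the security of the FIG. 1 procedure are the server's verification of the OTC (step 5) and the administrator's comparison of the CA certificate fingerprint against the value received out of band in step 2. The following Python model of steps 2 to 5 is an added example, not code from the page or from any SCEP implementation; the certificate bytes, the hash choice (SHA-256 here, where the page names SHA-1 as one option) and the `ScepServer` class are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the DER bytes of a CA certificate (not a real certificate).
CA_CERT = b"-----CONSTRUCTED CA CERTIFICATE BYTES-----"


def fingerprint(cert: bytes, algo: str = "sha256") -> str:
    """Fingerprint = hash over the whole CA certificate (page names SHA-1 as an example)."""
    return hashlib.new(algo, cert).hexdigest()


class ScepServer:
    """Models server B of FIG. 1: hands out one-time codes and checks them at enrollment."""

    def __init__(self, ca_cert: bytes):
        self.ca_cert = ca_cert
        self.pending = {}  # device_id -> OTC; an entry is removed on first use

    def activate_enrollment(self, device_id: str):
        # Step 2: fresh, unpredictable OTC plus the CA fingerprint for the administrator.
        otc = secrets.token_hex(8)
        self.pending[device_id] = otc
        return fingerprint(self.ca_cert), otc

    def enroll(self, device_id: str, csr: bytes, otc: str):
        # Steps 4/5: release the CA certificate only for a valid, not yet used OTC.
        expected = self.pending.get(device_id)
        if expected is None or not hmac.compare_digest(expected, otc):
            return None
        del self.pending[device_id]  # a one-time code is spent on first successful use
        return self.ca_cert


def device_enrollment(server, device_id: str, csr: bytes, otc: str, admin_fp: str) -> bool:
    """Steps 3-5 on device C: send CSR + OTC, accept the CA cert only if its fingerprint
    matches the one the administrator received in step 2."""
    cert = server.enroll(device_id, csr, otc)
    if cert is None:
        return False  # OTC rejected by the server
    return hmac.compare_digest(fingerprint(cert), admin_fp)
```

A replayed OTC and a certificate whose fingerprint differs from the step-2 value are both rejected, which is exactly what the manual comparison in step 5 is meant to catch.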
This solution introduces several weaknesses, and the procedure is cumbersome. Standard SCEP is also difficult to administer: if used correctly, the administrator needs to interact both with the SCEP server and with the device that needs the certificate.
U.S. Pat. No. 8,392,712 discloses a system and method for provisioning a unique device credential, comprising a first operation of determining one or more device characteristics of an electronic device seeking to join the network and generating one or more unique device credentials for the electronic device. The format of the unique device credentials is based on the one or more device characteristics of the electronic device.
US 2012/0166796 discloses a system and method of managing device certificates in a communication network, wherein a certificate manager transmits a certificate service advertisement to a plurality of certificate clients. In response to the transmission of the certificate service advertisement, the certificate manager receives a certificate service request from at least one of the certificate clients. The certificate manager verifies that the at least one certificate client is associated with a set of clients for which the certificate manager offers a service, and the certificate manager fulfils the certificate service request.
The Network Device Enrollment Service (NDES) in Active Directory Certificate Services (ADCS) is an implementation of SCEP by Microsoft for Microsoft servers.