user3345390

Reputation: 431

challenge password in SCEP

What is the purpose of challenge password in simple certificate enrollment protocol (SCEP)?

My understanding is that it is used to authenticate devices.

My question is: how is it different from authentication done using public and private key pairs?

Upvotes: 1

Views: 7542

Answers (3)

Niranjan R

Reputation: 31

SCEP is used to issue certificates to devices (mostly in an untrusted network). The admin will generate a challenge password and send it to the user via mail. The SCEP server knows about this challenge password. (We can ask the SCEP server to generate a challenge password and give it to the admin, who shares it with the respective person.) When a device requests a certificate from the SCEP server with this challenge password, the SCEP server can validate the challenge password and issue the certificate.

Actually, the device first makes a request to get the CA cert of the server. It validates the CA cert. Then the device generates a private and public key locally, which is what, for instance, the iOS MDM agent does. Then a CSR (Certificate Signing Request) is sent to the SCEP server with the challenge password. The SCEP server validates the challenge password and now signs the device's public key with its private key. The result is the certificate.

Reference:

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116167-technote-scep-00.html

Upvotes: 0

pepo

Reputation: 8877

The challenge password is (or may be) used in the enrollment process. As stated in the SCEP specification (section 2.3):

PKCS#10 [RFC2986] specifies a PKCS#9 [RFC2985] challengePassword attribute to be sent as part of the enrollment request. Inclusion of the challengePassword by the SCEP client is OPTIONAL and allows for unauthenticated authorization of enrollment requests. The PKCS#7 [RFC2315] envelope protects the privacy of the challenge password.

When utilizing the challengePassword, the server distributes a shared secret to the requester which will uniquely associate the enrollment request with the requester. The distribution of the secret must be private: only the end entity should know this secret. The actual binding mechanism between the requester and the secret is subject to the server policy and implementation.

In section 2.5 the draft states:

The challengePassword MAY be used to automatically authorize the request.

SCEP draft states in section 2.8:

SCEP does not specify a method to request certificate revocation.

but when the challenge password was used in the enrollment process, then:

In order to revoke a certificate, the requester must contact the CA server operator using a non-SCEP defined mechanism. Although the PKCS#10 [RFC2986] challengePassword is used by SCEP for enrollment authorization (see Enrollment authorization (Section 2.3)) this does not inhibit the CA server from maintaining a record of the challengePassword to use during subsequent revocation operations as implied by [RFC2985].

Upvotes: 4

kayle

Reputation: 1156

If a certificate is compromised (the private key is stolen, etc.) the certificate needs to be revoked, as it will remain valid till the end of its term.

Any administrator with access to a cert can revoke the cert. If a challenge password was specified during the certificate signing request that password will be required before the cert can be revoked.

So, it seems the sole purpose of the challenge password is to prevent revocation by someone without the password.

Upvotes: 2
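The three answers describe one mechanism from different angles: the client puts the shared secret into the CSR as the PKCS#9 challengePassword attribute (pepo's quote of section 2.3), the CA uses it to authorize the enrollment (Niranjan R's flow, section 2.5), and the CA may keep a record of it to authorize a later revocation (the RFC 2985 remark pepo quotes, and kayle's answer). The following is an added example, not code from any of the answers and not from any real SCEP implementation, that models all three steps in plain Python: it DER-encodes and decodes the challengePassword attribute (OID 1.2.840.113549.1.9.7) by hand, and a hypothetical `ScepCaPolicy` class with the assumed methods `issue_challenge`, `enroll` and `revoke` shows a server-side policy in which the secret is single-use, time-limited, bound to a named requester, compared in constant time, and stored only as a hash for the later revocation check. The "signing" step is a stand-in that returns a serial number; real key handling and the PKCS#7 envelope that protects the password in transit are out of scope.

```python
"""Model of SCEP challengePassword handling: CSR attribute encoding, enrollment
authorization and challenge-gated revocation. Added example; every class and
method name here is an assumption, not a real SCEP server API."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# DER contents of OID 1.2.840.113549.1.9.7 (pkcs-9 challengePassword)
CHALLENGE_PASSWORD_OID = bytes.fromhex("2a864886f70d010907")


def _der_len(n: int) -> bytes:
    """DER length field: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after the element) for a DER TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_challenge_password_attribute(password: str) -> bytes:
    """Attribute ::= SEQUENCE { type OID, values SET OF PrintableString }.
    This is what a PKCS#10 CSR carries in its attributes field; note that it is
    cleartext inside the CSR, which is why SCEP wraps the CSR in a PKCS#7 envelope."""
    raw = password.encode("ascii")
    value = b"\x13" + _der_len(len(raw)) + raw            # PrintableString
    values = b"\x31" + _der_len(len(value)) + value        # SET
    body = b"\x06" + _der_len(len(CHALLENGE_PASSWORD_OID)) + CHALLENGE_PASSWORD_OID + values
    return b"\x30" + _der_len(len(body)) + body            # SEQUENCE


def decode_challenge_password_attribute(der: bytes) -> str:
    """Parse the attribute back; raises ValueError if it is not a challengePassword."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("attribute must be a SEQUENCE")
    oid_tag, oid, pos = _read_tlv(body, 0)
    if oid_tag != 0x06 or oid != CHALLENGE_PASSWORD_OID:
        raise ValueError("not a challengePassword attribute")
    set_tag, values, _ = _read_tlv(body, pos)
    if set_tag != 0x31:
        raise ValueError("attribute values must be a SET")
    str_tag, pw, _ = _read_tlv(values, 0)
    if str_tag not in (0x13, 0x0C):                        # PrintableString / UTF8String
        raise ValueError("unexpected string type")
    return pw.decode("utf-8")


def _digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()


@dataclass
class Challenge:
    digest: bytes        # only the hash of the secret is stored server-side
    expires_at: float
    used: bool = False


class ScepCaPolicy:
    """Hypothetical server-side policy: one challenge per requester, single use,
    expiring, and remembered (as a hash) to authorize revocation later."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.ttl = ttl_seconds
        self._challenges: Dict[str, Challenge] = {}
        self._issued: Dict[str, bytes] = {}   # serial -> challenge digest

    def issue_challenge(self, requester: str) -> str:
        """Admin/CA side: mint a secret bound to one requester (hex keeps it PrintableString)."""
        password = secrets.token_hex(16)
        self._challenges[requester] = Challenge(_digest(password), time.time() + self.ttl)
        return password

    def enroll(self, requester: str, attribute_der: bytes, now: Optional[float] = None) -> Optional[str]:
        """CA side: authorize the CSR; any attempt consumes the challenge, so a wrong
        guess cannot be followed by further online guessing. Returns a serial or None."""
        now = time.time() if now is None else now
        challenge = self._challenges.get(requester)
        if challenge is None or challenge.used or now > challenge.expires_at:
            return None
        challenge.used = True
        try:
            presented = decode_challenge_password_attribute(attribute_der)
        except ValueError:
            return None
        if not hmac.compare_digest(challenge.digest, _digest(presented)):
            return None
        serial = secrets.token_hex(8)                       # stand-in for signing the CSR
        self._issued[serial] = challenge.digest
        return serial

    def revoke(self, serial: str, password: str) -> bool:
        """Non-SCEP revocation path: require the enrollment-time challenge password."""
        recorded = self._issued.get(serial)
        if recorded is None or not hmac.compare_digest(recorded, _digest(password)):
            return False
        del self._issued[serial]
        return True


if __name__ == "__main__":
    ca = ScepCaPolicy()
    pw = ca.issue_challenge("device-42")                     # constructed requester id
    serial = ca.enroll("device-42", encode_challenge_password_attribute(pw))
    print("enrolled serial:", serial)
    print("revoke without password:", ca.revoke(serial, "guess"))
    print("revoke with password:", ca.revoke(serial, pw))
```

Two design choices worth noting: the server keeps only a hash of the challenge, so a database leak does not hand out reusable secrets, and a failed enrollment attempt burns the challenge instead of leaving it open for retries; both go beyond what the spec text above requires and are this example's policy, which the spec explicitly leaves to "server policy and implementation".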
