SCEP Security & Cipher Support

john.walsh
Level 1

Does anyone know what ciphers SCEP supports from Cisco ISR routers? I know it uses PKCS#7 for securing the PKCS#10 messages, but I am not sure whether, when used from a Cisco ISR router, you can stipulate which cipher and key length to use for encryption of the PKCS#7 envelope. Ideally we want to be able to use Triple-DES. Can anyone shed any light on this?

Thanks,

John

2 Replies

ebreniz
Level 6

You can only extract the certs out of pkcs7 signed data:

# openssl pkcs7 -inform DER -in <file> -print_certs -text

Thanks for the response, ebreniz. It is the security of the initial enrolment request and any revocation requests that I am concerned with, rather than the issuing of the certificate itself. If a party could capture an initial request and prevent it reaching the destination CA, then they could attack the symmetric encryption and, if weak enough, discover the shared secret. This could potentially allow them to then generate their own request (with their own locally generated public/private keys) and then impersonate the genuine router. This could result in access being gained to an IPSEC network by the malicious party. I realise there are other mitigating factors, such as setting a lifetime/expiration period on the shared secret, but ideally want to ensure a strong cipher is used to protect the shared secret in the first place. Do you know if it is possible to use Triple-DES or AES for the encryption used by PKCS#7 in the SCEP certificate enrolment request?

Thanks,

John
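Added example, not part of the thread and not Cisco code: one way to check which cipher actually protects a captured enrolment envelope is to read the contentEncryptionAlgorithm OID out of the PKCS#7 EnvelopedData. The function names, the DER-only parsing and the constructed sample input are assumptions of this sketch; it expects the EnvelopedData ContentInfo already extracted from the SCEP message.

```python
# Added example: name the cipher protecting a PKCS#7 EnvelopedData (DER, definite lengths assumed).
ENVELOPED = "1.2.840.113549.1.7.3"
NAMES = {"1.3.14.3.2.7": "DES-CBC", "1.2.840.113549.3.7": "DES-EDE3-CBC",
         "2.16.840.1.101.3.4.1.2": "AES-128-CBC",
         "2.16.840.1.101.3.4.1.42": "AES-256-CBC"}

def tlv(buf, pos):  # -> (tag, value_start, value_end) of the element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def children(buf, start, end):
    while start < end:
        tag, s, start = tlv(buf, start)
        yield tag, s, start

def oid(buf, start, end):
    first = min(buf[start] // 40, 2)
    arcs, val = [first, buf[start] - 40 * first], 0
    for b in buf[start + 1:end]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                                # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def envelope_cipher(der):  # -> (cipher name, True if Triple-DES or AES)
    _, s, e = tlv(der, 0)                               # ContentInfo
    ctype, wrapper = list(children(der, s, e))[:2]
    if oid(der, ctype[1], ctype[2]) != ENVELOPED:
        raise ValueError("not EnvelopedData")
    _, s, e = tlv(der, wrapper[1])                      # EnvelopedData inside [0]
    eci = next(c for c in children(der, s, e) if c[0] == 0x30)  # EncryptedContentInfo
    alg = list(children(der, eci[1], eci[2]))[1]        # contentEncryptionAlgorithm
    alg_oid = next(children(der, alg[1], alg[2]))
    dotted = oid(der, alg_oid[1], alg_oid[2])
    return NAMES.get(dotted, dotted), dotted in NAMES and dotted != "1.3.14.3.2.7"

def enc(tag, body):                                     # DER encoder for short bodies
    return bytes([tag, len(body)]) + body

def sample(alg_oid_hex):  # constructed skeleton: no recipients, zeroed IV and ciphertext
    alg = enc(0x30, enc(0x06, bytes.fromhex(alg_oid_hex)) + enc(0x04, bytes(8)))
    eci = enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d010701")) + alg + enc(0x80, bytes(16)))
    env = enc(0x30, enc(0x02, b"\x00") + enc(0x31, b"") + eci)
    return enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d010703")) + enc(0xA0, env))
```

For example, `envelope_cipher(sample("2b0e030207"))` reports single DES for the constructed input, which would not meet the Triple-DES or AES requirement stated in the thread.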
