Cisco Support Community
Community Member

SCEP Security & Cipher Support

Does anyone know what ciphers SCEP supports from Cisco ISR routers? I know it uses PKCS#7 for securing the PKCS#10 messages, but I am not sure whether, when used from a Cisco ISR router, you can stipulate which cipher and key length to use for encryption of the PKCS#7 envelope. Ideally we want to be able to use Triple-DES. Can anyone shed any light on this?

Thanks,

John

2 REPLIES
Silver

Re: SCEP Security & Cipher Support

You can only extract the certs out of pkcs7 signed data:

# openssl pkcs7 -inform DER -in <file> -print_certs -text

Community Member

Re: SCEP Security & Cipher Support

Thanks for the response ebreniz. It is the security of the initial enrolment request and any revocation requests that I am concerned with rather than the issuing of the certificate itself. If a party could capture an initial request and prevent it reaching the destination CA then they could attack the symmetric encryption and if weak enough discover the shared secret. This could potentially allow them to then generate their own request (with their own locally generated public/private keys) and then impersonate the genuine router. This could result in access being gained to an IPSEC network by the malicious party. I realise there are other mitigating factors such as setting a lifetime/expiration period on the shared secret but ideally want to ensure a strong cipher is used to protect the shared secret in the first place. Do you know if it is possible to use Triple-DES or AES for the encryption used by PKCS#7 in the SCEP certificate enrolment request?

Thanks,

John
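To check which cipher actually protects the envelope of a captured enrolment request, the sketch below walks the PKCS#7 structure and reports the content-encryption algorithm it names. It is an added example, not part of the original thread and not Cisco code. It assumes definite-length DER, a small table of common cipher OIDs, hypothetical helper names, and a constructed sample message.

```python
# Added example: helper names are hypothetical; SAMPLE is a constructed skeleton
# (signedData wrapping envelopedData with a 3DES content cipher), not a capture.
CIPHER_OIDS = {"1.3.14.3.2.7": "des-cbc", "1.2.840.113549.3.7": "des-ede3-cbc",
               "2.16.840.1.101.3.4.1.2": "aes-128-cbc",
               "2.16.840.1.101.3.4.1.42": "aes-256-cbc"}
SAMPLE = bytes.fromhex(
    "306a06092a864886f70d010702a05d305b0201013100305206092a864886f70d010701a0450443"
    "304106092a864886f70d010703a03430320201003100302b06092a864886f70d010701"
    "301406082a864886f70d030704080000000000000000" "8008deadbeefdeadbeef3100")

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the TLV at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x80:
        raise ValueError("indefinite-length BER is not handled")
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, pos, pos + length

def decode_oid(body):  # OID content bytes (base-128 sub-identifiers) -> dotted
    subids, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(val)
            val = 0
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def iter_oids(buf):  # every OID in the blob, in encoding order
    pos = 0
    while pos < len(buf):
        tag, start, end = read_tlv(buf, pos)
        if tag == 0x06:
            yield decode_oid(buf[start:end])
        elif tag & 0x20:  # constructed: SEQUENCE, SET, [0] EXPLICIT
            yield from iter_oids(buf[start:end])
        elif tag == 0x04:  # SCEP carries the envelopedData inside an OCTET STRING
            try:
                yield from list(iter_oids(buf[start:end]))
            except (ValueError, IndexError):
                pass  # opaque bytes such as an IV, not nested DER
        pos = end

def envelope_ciphers(der):
    """Names of known content-encryption ciphers referenced in the message."""
    return [CIPHER_OIDS[o] for o in iter_oids(der) if o in CIPHER_OIDS]
```

Calling envelope_ciphers() on the raw bytes of a request shows whether single DES, Triple-DES or AES was used; an empty list means the cipher is not in the table.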
