Mark Diodati over at Gartner just blogged about a vulnerability in the Simple Certificate Enrollment Protocol (SCEP).
This vulnerability—when combined with two additional pieces of information—enables an attacker to impersonate another user when enrolling for an X.509 certificate.
This is pretty significant because many portals use SCEP to enroll mobile devices. A certificate is (usually) downloaded to the mobile device after the end user has authenticated to the corporate portal from that device for the first time. This enables the corporate portal, and sometimes Active Directory, to start managing the device. It is a big deal for Bring Your Own Device (BYOD), and a big deal for security generally even if you aren’t concerned about BYOD.
Many organizations rely upon certificates for mobile access to the internal network, email, SharePoint, virtual desktops, web applications—you name it. The attacker can impersonate an authorized user and gain unauthorized access to these applications.
This is just another reason why step-up or adaptive authentication is an important aspect of security. The same goes for adaptive authorization once you’re in.
We can no longer rely on a one-time challenge for entry through the castle walls. We must build in multiple layers of security that force different methods of authentication at different times while you are inside the castle. You want to access the treasure room? Who are you again?
It won’t be enough “to perform better user proofing prior to certificate issuance,” as Mark says. That will help, but we are all going to need to get used to more “Halt! Who goes there?” challenges even after we get through the castle door.
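To make the “Who are you again?” idea concrete, here is a small step-up authentication policy check. It is an added illustration written for this post, not code from Gartner, from Mark Diodati, or from any SCEP implementation. It assumes a session that records which authentication methods succeeded and when, resources that declare the assurance level they need and how fresh that level must be, and the (assumed) rule that a device certificate obtained through enrollment counts as a low-assurance factor on its own, so a certificate-only session is challenged again before it reaches sensitive resources. The method names, levels and time limits are constructed for the example.

```python
"""Step-up (adaptive) authentication policy check (constructed example).

A session carries the authentication events that succeeded so far. Each
resource states the assurance level it requires and the maximum age of the
event that reached that level. A certificate from device enrollment is treated
as a weak factor, since the certificate alone may have been obtained by
impersonating the user at enrollment time. All values are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assurance level contributed by each authentication method (assumed values).
# The session's level is the strongest single method used recently enough;
# two level-1 methods do not add up to level 2 in this simple model.
METHOD_LEVEL = {
    "device_certificate": 1,  # possession of an enrolled device certificate
    "password": 1,            # something you know
    "otp": 2,                 # one-time code from a registered authenticator
    "hardware_token": 3,      # dedicated hardware authenticator
}


@dataclass
class AuthEvent:
    method: str
    at: datetime


@dataclass
class Session:
    user: str
    events: list = field(default_factory=list)

    def level_within(self, max_age: timedelta, now: datetime) -> int:
        """Highest assurance level reached by an event no older than max_age."""
        level = 0
        for ev in self.events:
            if now - ev.at <= max_age:
                level = max(level, METHOD_LEVEL.get(ev.method, 0))
        return level


@dataclass
class Resource:
    name: str
    required_level: int   # assurance level needed to enter
    max_age: timedelta    # how recently that level must have been reached


def methods_meeting(level: int) -> list:
    """Methods the user could be challenged with to reach the given level."""
    return sorted(m for m, lv in METHOD_LEVEL.items() if lv >= level)


def decide(session: Session, resource: Resource, now: datetime) -> tuple:
    """Return ("allow", None) or ("step_up", <methods that would satisfy>).

    A step-up result means the portal should re-challenge the user before
    granting access, even though the session is otherwise valid.
    """
    have = session.level_within(resource.max_age, now)
    if have >= resource.required_level:
        return ("allow", None)
    return ("step_up", methods_meeting(resource.required_level))


if __name__ == "__main__":
    now = datetime(2012, 1, 1, 12, 0, tzinfo=timezone.utc)
    # Constructed session: the device enrolled (certificate) eight hours ago.
    alice = Session("alice", [AuthEvent("device_certificate", now - timedelta(hours=8))])
    email = Resource("email", required_level=1, max_age=timedelta(hours=24))
    vault = Resource("treasure_room", required_level=2, max_age=timedelta(minutes=15))
    print(email.name, decide(alice, email, now))   # certificate is enough here
    print(vault.name, decide(alice, vault, now))   # challenged again here
```

The certificate alone is accepted for ordinary email access, but the sensitive resource demands a level-2 factor used within the last fifteen minutes, so the portal issues another challenge. Once an OTP is recorded the same session passes, and it is challenged again when that OTP event ages past the resource's freshness window.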