Certificate Enrollment for the Atlas Platform

Certificate Distribution Challenges

Digital certificates can provide a secure second factor for authenticating connections from MAP-wrapped enterprise apps, provided they are enrolled and stored securely. Unfortunately, the existing mobile management options for distributing digital certificates to end users are cumbersome and insecure:

01 Manual distribution of PKCS#12 files transmits private keys over the network and requires end users to type complex passphrases on mobile devices.
02 Mobile Device Management (MDM) solutions are expensive and can only install system certificates, which cannot be used by apps.
03 Using the Simple Certificate Enrollment Protocol (SCEP) directly from a mobile device risks exposing critical enterprise Certificate Authority (CA) servers on the corporate edge.

Simplified Distribution Using Atlas

The Atlas Platform makes certificate distribution transparent, seamless and secure by introducing the concept of a one-time enrollment for each administrator-defined group of apps on a device. When an Atlas-enabled enterprise app initiates a connection, the Atlas Platform can detect that it has not been enrolled with a certificate and begin onboarding the app. Using dynamic prompts that Atlas provides to the app, the user is guided through the process in two simple steps.
2 Simple Steps

01 First, the user is prompted for their standard enterprise login credentials, which are checked against the corporate identity management infrastructure. Once validated, the user's identity is verified out of band by entering a PIN that is sent to their corporate email account.

02 Once the user is fully verified, the Atlas Platform selects the appropriate certificate template and instructs the app to generate the key pair and a certificate signing request, which the app sends to Atlas. Atlas interacts with the corporate certification authority (CA) to obtain the resulting certificate and returns it to the enrolling app.

All transactions between the client and the gateway are protected with the Internet Key Exchange (IKE) protocol, and the private key is never transmitted over the network. In addition, the issuing CA remains fully protected inside the corporate network. Finally, the Atlas-enabled app encrypts the certificate material and locks it to the app, or group of apps, so that it cannot be read or removed by anything outside that group. All subsequent connections from the app, or from other federated apps in the group, automatically use the issued certificate when authenticating with the gateway. To the end user this enhanced security is completely transparent: there are no settings to change and no confusing terminology is presented.
Architecture Overview

Atlas is designed to integrate into existing corporate infrastructure. For certificate enrollment, Atlas interoperates with the following enterprise servers:

- Active Directory
- Corporate email
- Certificate Authority / SCEP or EST server (Entrust, Microsoft Network Device Enrollment Services, Symantec Cloud)

Active Directory is used by Atlas for user authentication and email lookups. Atlas is tested with Active Directory on Windows Server 2003 R2, Windows Server 2008 and Windows Server 2012.

An existing email server is used to send an enrollment invitation email containing a 4-digit PIN to the email address associated with the user's Active Directory account. Any mail server that supports the Simple Mail Transfer Protocol (SMTP) can be used. Because a four-digit PIN has only 10,000 possible values, its validity window and the number of attempts accepted for it must be tightly limited.

The Atlas Platform communicates with the Simple Certificate Enrollment Protocol (SCEP) or Enrollment over Secure Transport (EST) server to obtain a certificate on behalf of the end user. SCEP / EST are used only between Atlas and the enrollment server. The mobile app and device do not participate in any of the SCEP / EST transactions and never have direct access to internal resources in the process. The initial release of Atlas supports Microsoft Network Device Enrollment Services (NDES) with Microsoft Certification Authority, and Entrust Authority Enrollment Server for VPN version 7.0.165547 with Entrust Security Manager version 8.1.

The end-to-end architecture is designed to reduce the exposure of internal servers and limit changes to existing network infrastructure. All communications from Atlas-enabled apps are terminated by Atlas and secured by IKE. No internal servers are exposed on the perimeter of the corporate network. Certificate Signing Requests (CSRs) received from apps are validated on the Atlas Platform for compliance with the configured acceptable parameters before being sent to the Certificate Authority (CA) through the SCEP / EST server.
FIGURE 1: Network Diagram of Certificate Enrollment Solution. Flows shown: Blue Cedar Secure Browser (MAP wrapped) on the Internet, IKE connect to Atlas (udp/4500); Atlas to AD (tcp/389, 445); Atlas SCEP to Entrust Certificate Authority (tcp/80); Atlas SMTP to mail server (tcp/25).

Technical Details

Between the app and Atlas, an IKE-protected channel carries the Blue Cedar proprietary policy protocol, called PERP. IKE was chosen for its flexibility: it allows extensions and enhancements while staying within the authentication frameworks defined in the IKE standard. PERP enables Atlas to be aware of and control the app's run state, authentication state and security posture. PERP and IKE together form the secure management channel used to control the enrollment flow, and after enrollment PERP is used to control and track the app's behavior.

Prior to enrollment, the app's connection to the Atlas Platform is authenticated using hybrid RSA for IKE phase 1: Atlas authenticates itself to the app with its certificate, while the app, which has no certificate yet, is authenticated by the user credentials exchanged afterwards. Once the phase 1 channel is set up, the PERP protocol is used to prompt for and exchange the user's credentials, first the AD username and password and second the enrollment PIN. Communication over this channel continues until the app has received and securely stored the user certificate.
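The emailed enrollment PIN is the factor with the least entropy in the flow above, so how it is issued and checked matters. The following is an added example, not Blue Cedar's code: a minimal Go issuer/verifier showing the controls a 4-digit PIN needs (random generation, short lifetime, attempt limit, single use, constant-time comparison). The ten-minute window, three-attempt limit and the PINStore type are assumptions for the example; the page does not state the values Atlas uses.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// Assumed policy values (not from the page): with only 10,000 possible PINs,
// a short lifetime and a small attempt budget are what make the PIN usable
// as an out-of-band factor at all.
const (
	pinDigits   = 4
	pinTTL      = 10 * time.Minute
	maxAttempts = 3
)

var (
	ErrNoPIN     = errors.New("no pending PIN for user")
	ErrExpired   = errors.New("PIN expired")
	ErrLockedOut = errors.New("too many failed attempts; restart enrollment")
	ErrMismatch  = errors.New("PIN mismatch")
)

type pendingPIN struct {
	pin      string
	issuedAt time.Time
	failures int
}

// PINStore keeps at most one outstanding PIN per user. The now func is
// injectable so expiry can be exercised without sleeping.
type PINStore struct {
	mu      sync.Mutex
	pending map[string]*pendingPIN
	now     func() time.Time
}

func NewPINStore() *PINStore {
	return &PINStore{pending: map[string]*pendingPIN{}, now: time.Now}
}

// Issue draws a fresh PIN from crypto/rand, replacing any pending one.
// The caller emails the returned string to the user's AD-registered address.
func (s *PINStore) Issue(user string) (string, error) {
	space := new(big.Int).Exp(big.NewInt(10), big.NewInt(pinDigits), nil)
	n, err := rand.Int(rand.Reader, space)
	if err != nil {
		return "", err
	}
	pin := fmt.Sprintf("%0*d", pinDigits, n.Int64())
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[user] = &pendingPIN{pin: pin, issuedAt: s.now()}
	return pin, nil
}

// Verify checks a submitted PIN. A correct PIN is consumed (single use); a
// wrong one counts against the attempt budget, and the PIN is discarded once
// the budget is spent so the value space cannot be enumerated.
func (s *PINStore) Verify(user, submitted string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.pending[user]
	if !ok {
		return ErrNoPIN
	}
	if s.now().Sub(p.issuedAt) > pinTTL {
		delete(s.pending, user)
		return ErrExpired
	}
	if subtle.ConstantTimeCompare([]byte(p.pin), []byte(submitted)) == 1 {
		delete(s.pending, user)
		return nil
	}
	p.failures++
	if p.failures >= maxAttempts {
		delete(s.pending, user)
		return ErrLockedOut
	}
	return ErrMismatch
}

func main() {
	s := NewPINStore()
	pin, err := s.Issue("alice")
	if err != nil {
		panic(err)
	}
	fmt.Println("emailed PIN:", pin, "verify:", s.Verify("alice", pin))
}
```

Issuing a new PIN replaces the old one, so a user who mistypes three times simply restarts enrollment rather than being locked out permanently; an attacker, however, must also trigger a fresh email each time, which is the event an administrator should be alerting on.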
The certificate request itself starts with the key pair being created on the device. By default an RSA 2048-bit key pair is used. The app generates a certificate signing request and passes it through the IKE-secured channel to Atlas. At this point Atlas has identified the user with multiple factors. It has also collected information about the app, the app version, the device, its operating system, its jailbreak/root posture and a host of other attributes; this information is collected every time the app is used. The Atlas Platform checks the request format and begins its interaction with the CA to retrieve the certificate.

The interaction between the Atlas Platform and the SCEP server (MS NDES or Entrust Authority) is transported over HTTP. SCEP does not rely on transport security, however: each PKIOperation payload is PKCS#7 signed data wrapping PKCS#7 enveloped data, which authenticates the endpoints, protects the integrity of the request and encrypts it for the CA (see Figure 2). All of this communication is network-isolated from the mobile device until the SCEP session completes, at which point Atlas sends the resulting certificate response to the app.

After enrollment completes, the entire communication channel is restarted and the user certificate is used to establish mutual authentication between the app and the Atlas Platform. The username and password are provided to Atlas to complete the two-factor authentication and IKE phase 2, allowing the app to obtain a VPN IP address. From this point on all of the app's communication is tunneled through the Atlas Platform and has all the network benefits associated with a VPN. The enrolled app is permitted to pass network traffic through Atlas only to the configured resources it requires. The VPN-tunneled nature of the resulting communication simplifies the app and the controls needed on internal services.
Sequence of messages between the mobile device and Atlas (udp/4500):

1 IKE Handshake (Hybrid RSA Phase 1)
2 Auth Request
3 Send PERP Auth
4 Request Enroll PIN
5 Send PIN from corporate email
6 Request Cert Enroll
7 Send PKCS#10 Cert Request w/ Challenge PW
8 PERP w/ PEM certificate {Base64{DER{x509}}}
9 IKE Handshake (Certificate Phase 1)
10 Auth Request
11 Send Resumed PERP
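Step 7 above is where the app's PKCS#10 request reaches Atlas, and the architecture section states that Atlas validates it against configured parameters before anything is sent to the CA. The following is an added example, not Blue Cedar's code, of what that gate looks like in Go: one side builds a CSR the way the app would (key generated locally, private key never leaving the caller), the other side parses it, checks proof of possession, key type and size, and that the subject names the user who actually authenticated. The CSRPolicy type, the "Mobile" OU, the rule that the app may request no extensions, and the function names are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// CSRPolicy stands in for the "configured acceptable parameters" the page
// mentions. Field names and values are assumptions, not Atlas configuration.
type CSRPolicy struct {
	MinRSABits int    // page: RSA 2048 by default
	AllowedOU  string // OU the user template expects
}

// MakeCSR plays the enrolling app: generate the key pair on the device and
// sign a PKCS#10 request for the given subject. Only the DER request leaves.
func MakeCSR(bits int, cn, ou string, sans []string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}},
		DNSNames: sans, // an honest app passes nil; see ValidateCSR
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// ValidateCSR is the gateway-side check run before the request is forwarded
// to the CA over SCEP/EST. verifiedUser is the identity Atlas already
// established over PERP (AD credentials plus emailed PIN).
func ValidateCSR(der []byte, pol CSRPolicy, verifiedUser string) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("malformed CSR: %w", err)
	}
	// Proof of possession: the request must verify under the key it carries.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("only RSA keys are accepted by this template")
	}
	if pub.N.BitLen() < pol.MinRSABits {
		return nil, fmt.Errorf("RSA key too small: %d < %d bits", pub.N.BitLen(), pol.MinRSABits)
	}
	// The subject must be the user who authenticated; an app must never be
	// able to obtain a certificate naming someone else.
	if csr.Subject.CommonName != verifiedUser {
		return nil, fmt.Errorf("subject CN %q does not match authenticated user %q",
			csr.Subject.CommonName, verifiedUser)
	}
	if len(csr.Subject.OrganizationalUnit) != 1 || csr.Subject.OrganizationalUnit[0] != pol.AllowedOU {
		return nil, fmt.Errorf("unexpected OU %v", csr.Subject.OrganizationalUnit)
	}
	// Assumed rule: the CA template supplies extensions, so the app may not
	// request any (no SANs, no basicConstraints, no key usage of its choosing).
	if len(csr.Extensions) != 0 || len(csr.DNSNames) != 0 || len(csr.IPAddresses) != 0 {
		return nil, errors.New("CSR requests extensions outside the user template")
	}
	return csr, nil
}

func main() {
	pol := CSRPolicy{MinRSABits: 2048, AllowedOU: "Mobile"}
	der, err := MakeCSR(2048, "alice", "Mobile", nil)
	if err != nil {
		panic(err)
	}
	if _, err := ValidateCSR(der, pol, "alice"); err != nil {
		panic(err)
	}
	fmt.Println("CSR accepted; would now be forwarded to the CA via SCEP/EST")
}
```

The SCEP challenge password from step 7 is deliberately left out of the Go check: Go's standard library does not expose PKCS#10 attributes other than extensionRequest, so a real gateway would read it with its own ASN.1 walk and verify it against the value NDES or Entrust issued for this enrollment.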
FIGURE 2: SCEP PKIOperation payload, showing signature / encryption of enveloped data. Structure shown: SCEP PKI Message containing Content Info, Signer Info (with Authenticated Attributes and Signature) and Enveloped Data with Recipient Info.

Mobile certificate enrollment using the Atlas Platform is simple and secure. Users see just two simple screens to enroll a user certificate from the corporate certificate authority, and this happens only once in the lifetime of the corporate apps on their device. Because it is user initiated and leverages existing corporate infrastructure, such as AD and the corporate certificate authority, it is simple to administer, maintain and scale. The result is seamless multi-factor authentication for mobile apps accessing sensitive corporate information.
About Blue Cedar Networks

Blue Cedar Networks was founded on the principle that the app is the optimal control endpoint for the modern organization. The Atlas platform provides our customers with the most secure, scalable and user-friendly capabilities to safely and seamlessly connect and protect their enterprise apps across the extended enterprise: the user population, comprising employees and non-employees, that can drive or derive value from those apps and data. Blue Cedar Networks has over 150 customers spanning every major industry vertical, including some of the largest banking, wireless and telco, insurance, healthcare and government organizations in the world. Contact us today if you're interested in seeing a live demo of certificate enrollment.