Cisco Blogs

Taking Encryption to the Next Level: Enrollment Over Secure Transport Strengthens Adoption of Elliptic Curve Cryptography

Enrollment over Secure Transport (EST) is a new standard (RFC7030) designed to improve the lifecycle management of digital certificates, a key element for secure communications. Cisco Engineer Max Pritikin coauthored the EST standard.

We’re very excited about the potential use cases of EST, which are, as we’ll discuss in a moment, pretty versatile.

To understand EST and how it works, let’s look at a basic use case: a controller, such as a Wi-Fi access point, manages an endpoint. To secure the management communication, the controller and the endpoint authenticate each other using certificates. EST is a new way to obtain those certificates that is more secure and comprehensive than previous approaches, such as the Simple Certificate Enrollment Protocol (SCEP). One area where EST improves on previous approaches is that it enables the use of Cisco’s Next Generation Encryption (NGE), which uses Elliptic Curve Cryptography (ECC) rather than RSA to get the job done. That’s a lot of acronyms, so let’s take a step back to explore what this all means.

The next level of encryption

Today’s modern threats demand a new standard of encryption. Cisco’s move to NGE is paving the way for the next decade of cryptographic security. NGE provides a complete algorithm suite that is comprised of authenticated encryption, elliptic-curve based digital signatures and key establishment, and cryptographic hashing. These components provide high levels of security and scalability, aimed at protecting critical data and setting the standard for encrypting sensitive data in networks all over the world.

These cryptographic technologies meet the evolving needs of governments and enterprises by using innovative, battle-tested cryptographic algorithms and protocols, and are beginning to be used in place of legacy cryptographic approaches. EST drives the adoption of ECC, strengthening Cisco’s products and in turn strengthening the security posture of our customers.

EST can be used for a variety of purposes. Enterprises with many network endpoints must “re-enroll” (re-issue) certificates at regular intervals, potentially every year. This helps prevent servers going offline due to expired certificates, and the ensuing scramble to obtain and install replacements. EST enables automatic re-enrollment to obtain a new certificate, making this a faster and less labor-intensive process. Additionally, EST supports automatic redistribution of CA certificates when they are updated. These improvements are immediately valuable and will be very important for future Internet of Everything (IoE) environments, where the large number of endpoints will make certificate management highly complex.
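As an added example (not Cisco’s libest code or anything from this post), the stdlib-only Python below sketches the client side of the EST flow described above: framing the RFC 7030 cacerts and (re)enrollment requests, a simple policy for when automatic re-enrollment should fire, and handling the server’s issued/pending/error replies. The CSR bytes and the “wifi” label are constructed placeholders; a real client sends these over a mutually authenticated TLS connection and validates the returned chain.

```python
"""EST (RFC 7030) client-side helpers: request framing, re-enrollment timing
and response handling. Added example, not Cisco's libest. Stdlib only."""
import base64

EST_BASE = "/.well-known/est"  # well-known prefix defined by RFC 7030
# Constructed placeholder DER bytes standing in for a real PKCS#10 CSR
# (a real client generates an ECC key and signs the CSR with it).
FAKE_CSR_DER = b"\x30\x82\x01\x00" + b"\x00" * 16


def build_request(operation, csr_der=None, label=None):
    """Frame an EST request. operation is 'cacerts', 'simpleenroll' or
    'simplereenroll'. Enrollment bodies carry the PKCS#10 DER as base64,
    announced via Content-Transfer-Encoding as RFC 7030 specifies."""
    path = EST_BASE + (f"/{label}" if label else "") + f"/{operation}"
    if operation == "cacerts":
        return {"method": "GET", "path": path, "headers": {}, "body": None}
    if operation not in ("simpleenroll", "simplereenroll") or csr_der is None:
        raise ValueError("enrollment operations need a CSR")
    return {
        "method": "POST",
        "path": path,
        "headers": {"Content-Type": "application/pkcs10",
                    "Content-Transfer-Encoding": "base64"},
        "body": base64.b64encode(csr_der).decode("ascii"),
    }


def should_reenroll(not_before, not_after, now, lifetime_fraction=2 / 3):
    """Automatic re-enrollment policy: renew once the given fraction of the
    certificate's lifetime has elapsed (so an expired cert always renews).
    Works with datetime objects or plain epoch seconds."""
    lifetime = not_after - not_before
    return now >= not_before + lifetime * lifetime_fraction


def handle_enroll_response(status, headers, body):
    """Interpret the reply to simpleenroll/simplereenroll. 200 carries the
    issued cert(s) as a base64 certs-only CMS (application/pkcs7-mime);
    202 means the CA has not decided yet and the client retries later."""
    if status == 200:
        ctype = headers.get("Content-Type", "")
        if not ctype.startswith("application/pkcs7-mime"):
            return ("error", "unexpected content type: " + ctype)
        return ("issued", base64.b64decode(body))
    if status == 202:
        return ("pending", int(headers.get("Retry-After", "60")))
    return ("error", f"HTTP {status}")
```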

Protecting against modern threats

For another example of how EST can help protect the modern network, look no further than your home page and the daily news. The recently discovered Heartbleed bug has thrown the industry into a panic, with enterprises, consumers, and organizations scrambling to assess the fallout and determine an appropriate remediation strategy. Many sites are recommending the replacement of certificates. If EST were in wide deployment, its re-enrollment capabilities would significantly reduce the impact of refreshing the server certificate, supporting much more rapid resolution of the security vulnerability.

Looking ahead

As an open standard, EST will increase interoperability with other companies’ offerings, including those of our CA partners. Cisco has taken steps to accelerate adoption and interoperability by providing EST software to the open source community through GitHub. Even at this early stage, we’re seeing some positive feedback. Phil Gibson, chairman of the PSNGB, the Industry Trade Association for Public Services Networks (PSN) suppliers, said: “The Public Services Network is now the primary infrastructure for the majority of government communications in the UK and the encryption solutions it uses must continue to evolve. Due to the large and varied number of encryption devices in use, a scalable certificate provisioning protocol is critical to the migration to next generation encryption (CESG PRIME). Cisco’s release of its EST code into the open source community will facilitate rapid adoption by the PSN community. With the release of this code, other vendors will be able to accelerate their adoption of EST and this in turn expands the choice of encryption solutions available to public sector organizations.”

This is an overview of what we can do with EST, and we’re just getting started. We have started to build libraries to incorporate EST into Cisco products, which will likely begin later this year or early next. Stay tuned for additional updates over the coming months.


eStore, A Winning Digital Strategy

Earlier this month, we received some great news. Cisco ranked 25th on the InformationWeek Elite top 100 leading-edge IT organizations. Our ranking is a clear result of how we are embracing mobility, analytics, and cloud technologies to cut costs, boost productivity, and essentially, provide the best possible user experience. A prime example of how we are taking great strides in adopting the consumerization of IT is eStore.


IWAN Wed: The Case for Direct Internet Breakout at Branch and IWAN

Cloud services and SaaS applications are enabling customers to accelerate their business processes and improve employee productivity while lowering their total IT spending. The Cisco IWAN solution is helping organizations adopt cloud applications with an improved user experience by enabling local internet breakout from the branch environment, thus helping eliminate the need to backhaul internet-bound traffic across the WAN link. This gives users an improved experience through lower latency for internet applications, and also frees up bandwidth on the WAN link for other applications. The reduced WAN link usage also means lower IT spending on those links.

However, a study commissioned by Cisco in January 2014 of 641 customers in the US and Europe on their MPLS usage and adoption of local internet breakout found that 68% of the customers responded that enabling direct internet access was an organizational focus for them. However, 54% of the total respondents reported that a lack of sufficient security in the branch environment hindered them from enabling local internet breakout at the branch. This was ranked as the #1 reason not to enable Direct Internet Access at branch sites.


Providing the Right Platform is Sometimes All it Takes

Change is the only constant. Except that it isn’t; constant that is. We are seeing changes to IT services, infrastructure, eco-systems, and business models, with consequent demands and expectations that we have not witnessed before. Cisco is responding to all of this with new technologies for the DevOps community, including APIs, development tools, training and more, all of which I discuss below.

The Economist likens this to the Cambrian era that saw the multiplication of life forms that populate our world today: “… this time is … different, in an important way. Today’s entrepreneurial boom is based on more solid foundations than the 1990s internet bubble, which makes it more likely to continue for the foreseeable future.”

What has made this possible, which The Economist illustrates with a variety of examples, is the ubiquity of communications and open source platforms in a “cloud” environment. The Economist lists these elements:

  • …snippets of code that can be copied free from the internet, along with easy-to-learn programming frameworks (such as Ruby on Rails).
  • … services for … sharing code (GitHub) …
  • … “application programming interfaces” (APIs), digital plugs that are multiplying rapidly …
  • … “platforms”—services that can host startups’ offerings (Amazon’s cloud computing), distribute them (Apple’s App Store) and market them (Facebook, Twitter).
  • … the internet, the mother of all platforms, which is now fast, universal and wireless.

What has also changed is that the IT stack is, in effect, collapsing. The “separation of concerns” that kept the network infrastructure distinct from the applications running over it is being whittled away. In October 2013 we teamed up

#CiscoChampion Radio S1|Ep10 Cyber Security

#CiscoChampion Radio is a podcast series by Cisco Champions as technologists, hosted by Cisco’s Amy Lewis (@CommsNinja). This week Chris Young, SVP Security Business Group Cisco, and Bill Carter, Senior Network Engineer and Cisco Champion, talk about Intelligent Cyber Security for the real world.

Listen to the Podcast

Cisco Subject Matter Expert: Chris Young, SVP Security Business Group Cisco (@YoungDChris)
Cisco Champion: Bill Carter, Senior Network Engineer (@billyc5022)

Highlights:
  • How Cisco deals with fragmentation in the security market
  • Attack-driven model for security: before, during and after
  • How the Sourcefire acquisition fits in with Cisco Security
  • Open source security around the Snort community