Cisco Blogs


Cisco Blog > Security

Taking Encryption to the Next Level: Enrollment Over Secure Transport Strengthens Adoption of Elliptic Curve Cryptography

Enrollment over Secure Transport (EST) is a new standard (RFC7030) designed to improve the lifecycle management of digital certificates, a key element for secure communications. Cisco Engineer Max Pritikin coauthored the EST standard.

We’re very excited about the potential use cases of EST, which are, as we’ll discuss in a moment, pretty versatile.

To understand EST and how it works, let’s look at a basic use case: A controller, such as a Wi-Fi access point, manages an endpoint. To secure the management communication, both the controller and the endpoint authenticate each other using certificates. EST is a new way to obtain those certificates that is more secure and comprehensive than previous approaches, such as Secure Certificate Enrollment Protocol (SCEP). One area EST is superior to previous approaches is that it enables the use of Cisco’s Next Generation Encryption (NGE), which uses Elliptic Curve Cryptography (ECC) to get the job done as opposed to RSA encryption. That’s a lot of acronyms, so let’s take a step back to explore what this all means.

The next level of encryption

Today’s modern threats demand a new standard of encryption. Cisco’s move to NGE is paving the way for the next decade of cryptographic security. NGE provides a complete algorithm suite that is comprised of authenticated encryption, elliptic-curve based digital signatures and key establishment, and cryptographic hashing. These components provide high levels of security and scalability, aimed at protecting critical data and setting the standard for encrypting sensitive data in networks all over the world.

These cryptographic technologies meet the evolving needs of governments and enterprises by using innovative, battle-tested cryptographic algorithms and protocols, and are beginning to be used in place of legacy cryptographic approaches. EST drives the adoption of ECC, strengthening Cisco’s products and in turn strengthening the security posture of our customers.

EST can be used for a variety of purposes. Enterprises with a number of network endpoints require the “re-enrollment” (re-issuance) of certificates every period, potentially every year. This helps prevent servers going offline due to expired certificates, and the ensuing scramble to obtain and install updates. EST enables automatic re-enrollment to obtain a new certificate, making this a faster and less labor-intensive process. Additionally, EST supports automatic redistribution of CA certificates when they are updated. These improvements are immediately valuable and will be very important for future Internet of Everything (IoE) environments where the large numbers of endpoints will make certificate management highly complex.

Protecting against modern threats

For another example of how EST can help protect the modern network, look no further than your home page and the daily news. The recently discovered Heartbleed bug has thrown the industry into a panic, with enterprises, consumers, and organizations scrambling to assess the fallout and determine an appropriate remediation strategy. Many sites are recommending the replacement of certificates. If EST were in wide deployment, its re-enrollment capabilities would significantly reduce the impact of refreshing the server certificate, supporting much more rapid resolution of the security vulnerability.

Looking ahead

As an open standard, EST will increase interoperability with other company’s offerings, including our CA partners. Cisco has taken steps to accelerate adoption and interoperability by providing EST software in the open source community, through Github. Even at this early stage, we’re seeing some positive feedback. Phil Gibson, chairman of the PSNGB, the Industry Trade Association for Public Services Networks (PSN) suppliers, said: “The Public Services Network is now the primary infrastructure for the majority of government communications in the UK and the encryption solutions it uses must continue to evolve. Due to the large and varied number of encryption devices in use, a scalable certificate provisioning protocol is critical to the migration to next generation encryption (CESG PRIME). Cisco’s release of its EST code into the open source community will facilitate rapid adoption by the PSN community. With the release of this code, other vendors will be able to accelerate their adoption of EST and this in turn expands the choice of encryption solutions available to public sector organizations.”

This is an overview of what we can do with EST, and we’re just getting started. We have started to build libraries to incorporate EST into Cisco products, which will likely begin later this year or early next. Stay tuned for additional updates over the coming months.

Tags: , , , , ,

David McGrew Discusses Legacy Encryption Solutions with Mike Danseglio of 1105 Media at RSA 2013

Today, many encrypted networks use insecure cryptography. Attackers exploiting weak cryptography are nearly undetectable, and the data you think is secure is less safe every day. Legacy encryption technology can’t keep up with current advances in hacking and brute force computing power. Additionally, legacy solutions are increasingly inefficient as security levels rise, and perform poorly at high data rates. In order to stay ahead of this challenge, encryption needs to evolve.

Read More »

Tags: , , , , , , ,

Who really broke Enigma?

October 16, 2012 at 8:28 am PST

Some of the best conversations happen in private exchanges and I often wish we could all benefit more broadly.  This most recent conversation was instructive in and of itself but it also pointed out a level of transparency both Jimmy Ray and I prefer.  So hopefully it goes to say -- we welcome your input! We certainly don’t get it right all the time!

Episode 119 featured Next Generation encryption and we mistakenly attributed Great Britain with breaking Enigma. One of our Cisco fans from Warsaw, Bartlomiej (Bartek) Michalowski, sent us a note.

Read More »

Tags: , , , ,

Next Generation Encryption Meets Tomorrow’s Security Challenges

Cisco’s early adoption and implementation of Next Generation Encryption (NGE) is paving the way for the next decade of cryptographic security. NGE provides a complete algorithm suite, comprised of authenticated encryption, digital signatures, key establishment and cryptographic hashing. These components provide high levels of security and scalability, aimed at setting the standard for the next 10 years of encryption.

The next generation of encryption technologies meets the evolving needs of agencies and enterprises by utilizing modern, but well reviewed and tested cryptographic algorithms and protocols.  As an example, Elliptic Curve Cryptography (ECC) is used in place of the more traditional Rivest-Shamir-Adleman (RSA) algorithms. By upgrading these algorithms, NGE cryptography prevents hackers from having a single low-point in the system to exploit and efficiently scales to high data rates, while providing all of the security of the Advanced Encryption Standard (AES) cipher

As computing power exponentially increases over time, according to Moore’s Law, attackers have access to more powerful tools to crack encryption keys. However, NGE is capable of staying ahead of this curve by improving security and robustness of Cisco’s already market leading trusted solutions to meet emerging global standards into the future.

Check out the video below to learn more about NGE:

TechWiseTV 119: Next Generation Encryption:

Tags: , , , , , , ,