Certificate Authority for everyone? Or how to lock the NSA out

Most companies today operate at several sites and use public networks to stay interconnected. With the aim of securing communication over the Internet, encryption techniques have seen significant development and refinement in recent years. In the case of site connectivity via VPN tunnel, the IPSec protocol is considered to be highly robust and secure.  This is an extension to the Internet Protocol (IP), which adds encryption and authentication mechanisms to cryptographically secure the IP packets for transport across insecure public networks. IPSec was developed by the Internet Engineering Task Force (IETF) as an integral part of IPv6 and was later adapted for IPv4.

The outcry among experts and the business world was loud when, at the end of 2014, it was reported that the VPN protocol—previously believed to be impregnable and secure—had been cracked by the NSA. Relief set in, however, when it turned out that the claim was untrue. The lack of expertise on this complex topic, along with amateur reporting, resulted in disastrous misinformation. Nevertheless, according to an article on Spiegel Online about new Snowden documents on the attack methods used by the NSA, the NSA has for years been working on breaking into secure VPN connections, and has already had some success.

This much is clear: To date, the NSA has not succeeded in cracking IPSec encryption, despite their best efforts. They continue to attempt to break into tunneled connections using alternative attack methods, such as stolen keys and brute-force attacks (link to PDF).

The Achilles heel of VPN connections—as with so many areas of IT security—is the insecure distribution of passwords. Keys are used to encrypt data, and one method used to negotiate this key makes use of Pre-Shared Keys (PSK).  These are often used in small and medium-sized enterprises because they are easy to set up and the costs of management are low. The danger, however, lies in these passwords themselves: The simpler they are, the greater is the risk that they will be cracked.

So how can I protect myself? Long, complex passwords are a good start and provide a modicum of security. A secure password should be at least 12 characters long and contain uppercase and lowercase letters, special characters, and numbers. You should avoid words that can be found in a dictionary and common keyboard/repetitive patterns such as “1234abcd” or “asdfgh”.

An alternative to relying on pre-shared keys is to obtain trusted certificates from a (public) Certificate Authority (CA).  Certificates are far more secure than passwords and, by relying on the lock-and-key principle, certificates can be assigned uniquely to each individual device. Another advantage is that certificates can be revoked if need be.


For years already, larger companies with their own in-house security experts have been using digital certificates for VPN key negotiation as a way to protect themselves against potential brute-force attacks. However, the path to a certificate-based VPN is often long and involves additional cost, which makes it difficult for smaller organizations to manage. These are just a few reasons why the use of certificate-based VPNs is less widespread among SMEs.

This is why we have spent the past few months working intensively on a new development. The basis of this is a certificate authority (CA) integrated directly into the VPN router, which generates highly secure certificates in just a few steps. You are no longer dependent on external CAs, and there are no more complicated procedures.  It takes just a few steps for system administrators to create and manage their own digital certificates. With the help of the Simple Certificate Enrollment Protocol (SCEP) (link to video), certificates can be automatically assigned to routers, even before the VPN tunnel is established.


Smart Certificate – Simple Certificate Enrollment Protocol (SCEP)

By taking full control over their certificates, administrators have the basis for encrypted communication in their own hands. This avoids dependencies on third-party providers, and there is no need for in-depth expertise. This means: Security for everyone! At least in the case of multi-site communications; intelligence agencies, perpetrators of industrial espionage, and cyber criminals are locked out and left in the cold.

No Comments Yet

Leave a Reply

Your email address will not be published. Required fields are marked *

When you leave a comment, the system automatically stores the following data:

    • your name or your pseudonym (mandatory information / will be published)
    • your e-mail address (mandatory / will not be published)
    • your IP address (the IP address will be deleted automatically after 60 days)
    • date and time of the comment submitted
    • a website (optional)
    • your comment text and personal data contained therein
    • I also agree that all personal data entered together with my IP address will only be checked and stored by the Akismet spam filter in the USA for the purpose of spam prevention. Further information on Akismet and revocation options can be found here.