Practical considerations for imaging and printing security
Page 1
... ...4 Security checklists ...4 Conclusion: look beyond Common Criteria Certification 4 HP's imaging and printing security framework 4 Secure the Imaging and Printing Device 5 MFP walk-up authentication ...5 Network printing authentication ...5 Physical document access control 5 HP Secure Erase ...6 Vulnerabilities, viruses, and worms 6 Protect Information on the Network ...6 Network connectivity with HP Jetdirect devices 6 HP Digital Sending Software (DSS) 7 Fax/LAN bridging ...7 Effectively...
Practical considerations for imaging and printing security
Page 6
... information. Protect Information on the Network Protecting Information on page 12. The HP Jetdirect 635n IPv6/IPsec and Gigabit Ethernet internal print server, available November 2005, uses a cryptographic accelerator to provide click-to the Ethernet network. For more information on HP Secure Erase, see Appendix B, "HP Secure Erase," on the Network ensures that afflict enterprise networks. Vulnerabilities...
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 1
...and Public Key Certificate Basics 12 SSL/TLS Protocol Basics ...20 Using HTTPS with HP Jetdirect ...26 A Detailed Look at the SSL/TLS Connection 52 SSL/TLS Server Settings ...60 HP Jetdirect as an SSL/TLS Client ...61 SSL/TLS Client: Understanding Certificate Chains 77 ...SSL/TLS ...89 HP Jetdirect Certificate Guidelines...94 Embedded Devices and Digital Certificates 94 Which HP Jetdirect Products Support SSL/TLS 95 Summary ...95 Introduction HP Jetdirect introduced SSL/TLS support in 2000, the same capability. A free firmware upgrade allowed the 610n EIO print server, shipped in ...
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 2
...Figure 1: HTTP Application. SSL/TLS is covered extensively in other frameworks as well. This whitepaper will discuss how SSL/TLS works when Jetdirect is operating as LDAPS and 802.1X. It has a purpose: To provide authentication, integrity, and confidentiality to Figure 3 - One... of the purposes of this section, for the latest information regarding HP's printing and imaging products. What is really just running HTTP over SSL/TLS which runs over TCP. Figure 1 - HTTPS Application, we'll ...
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 12
In essence, a digital certificate, one used for symmetric cryptography. What the message is trying to say is that "HP Jetdirect 85C1F319", who has been pulled over by :" name is the same as the "Issued to:" name, this certificate in Figure 14: Figure 14 ...unfortunately may not consider it would be issued by computers, binds an identity to a key and needs to be like a driver, who issued the certificate "HP Jetdirect 85C1F319", is a self-signed certificate. Let's look at symmetric cryptography first. 12 What is indicative of our analogy, it a laughing matter. To enable...
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 18
Public Key Certificates Here we can see that everyone's public key certificate is the difference between a certificate authority's self-signed certificate and Jetdirect's self-signed certificate? What is, well - Good Question! um, public. First let's describe what he needs a certificate. This certificate is signed with its own private ...'s assume Jack realizes that identifies itself. The important thing to note is what a self-signed certificate actually is a "self-signed" certificate. As you may remember, Jetdirect also creates a self-signed certificate.
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 19
... both trust. Each company establishes their own Public Key Infrastructure (PKI) that there is going to have two purposes: client authentication and server authentication. Jack Create Key Pair Jack's Public Key Jack's Private Key Jack Identity Info + Jack's Public Key Identity Info + Jack's...okay for . In most cases, there is a top level CA or Root CA where the ultimate trust resides. For example, a Jetdirect self-signed certificate will involve well-known certificate authorities like Verisign and Entrust. Self-Signed Certificate Basically, Jack's private key does the ...
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 20
... request is a peer, SSL/TLS has specific roles for entities? A driver's license purpose is not a CA create a self-signed certificate with HP Jetdirect and "normal" SSL/TLS protocol interactions. Keep that we know something about SSL/TLS basics and a PKI, we are now "trusted" and the... lot of birth, it is often used to talk about its business. Probably not. SSL/TLS makes a strong distinction between a Client and a Server. Because a driver's license also lists the date of problems. They will now have age limitations. SSL/TLS Protocol Basics Okay, now that certificate ...
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 26
...SSL/TLS works in its most popular form: HTTPS. Server Finished The server decrypts the pre_master_secret and generates the master_secret. Client TCP Connection Established Server TCP SSL Record Handshake Change Cipher Spec Finished Figure 28 - Once the client and server both verify the cryptographic hashes, the handshake process is ...the master secret by providing a cryptographic hash of all data sent over the SSL/TLS connection. We have a RootCA with HP Jetdirect Before we begin, we need a little info on the network. Using HTTPS with a subordinate CA called R2.
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 28
Network Diagram A pretty basic setup! In order to get SSL working properly, we are going to open a browser and talk to the Jetdirect page where we can verify its identity correctly and pass all those checks that it can perform our certificate operations. 28 Figure 30 - We'll use regular HTTP and go to the 4345MFP. In short, the XP machine will be an SSL client and the 4345MFP will be an SSL server. The XP client is going to need to assign a certificate to the 4345MFP so that the client has to do.
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 29
... create a self-signed certificate the first time it is needed for security. under the heading "Jetdirect Certificate" The subject and issuer names are no DNS names or IP addresses associated with it is generated at this certificate by storing the certificate ... certificate (by pressing "View..." Because the self-signed is a self-signed certificate. We can take a look at first time power up, there are the same - Each Jetdirect has a unique self-signed certificate. that is the first clue that is powered on.
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 31
Under the heading "Jetdirect Certificate", press "Configure..." 31
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 32
Press "Next ->" Here we be entered, generate a certificate request with some more information that we enter details to a CA. Jetdirect does not reveal the private key. This will have different values here. Select the radio button "Create Certificate Request". After entering in the values, press "Next->" 32 Each customer will tell Jetdirect to create a public/private key pair and along with the public that can be given to properly identify the Jetdirect device.
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 37
DER encoding is basically a "cookie cutter" for Client and Server authentication. Click "Download certificate". The only thing it really specifies is that the certificate can be used for how to create a specific type of certificate. We cut and paste the certificate request from Jetdirect into the box provided. We select a certificate template. We have a template called "jetdirect" which has already been created. This template is fine. 37 Click "Submit".
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 38
Bring up the certificate wizard on Jetdirect again by pressing "Configure..." 38 Save it.
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 52
Let's bring up Wireshark and see what was actually happening on the wire during the successful https connection. 52 A Detailed Look at the SSL/TLS Connection Good stuff so far! Everything worked! Now SSL/TLS is working for HP Jetdirect just like it would work for an Internet secure shopping experience.
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 54
This packet also contains the "Server Hello Done" message. 54 We can tell from the common name that it is the one we see a random number and the cipher suite selected to be used: TLS_RSA_WITH_RC4_128_MD5 We see the server's certificate. Here we just assigned Jetdirect previously. Now let's look at the server hello.
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 60
...are checked. encrypted of the CRL - SSL/TLS Server Settings HP Jetdirect has a couple of useful settings to control how SSL/TLS clients connect to it isn't checked by default. That is effectively forced to use HTTPS so that . When that is checked, Jetdirect will redirect HTTP requests to be used. 60 Let...'s have a look. A performance hit would occur when CRLs are three main settings for the SSL/TLS server. Here is the Certificate and we've covered that HTTPS is ...
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 61
... just like we've covered all cipher suites that is necessary when HP Jetdirect acts as an SSL/TLS server. Setting it really means that all that Jetdirect supports can be established. The most common situation for HP Jetdirect. Now, what happens here. HP Jetdirect is going to "Medium" means that aren't considered as an SSL/TLS client...
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 63
Let's look at a trace. It initiates the connection and sends the Client Hello. 63 it didn't work. Error message - Here we see Jetdirect taking on the role of the client.