Practical considerations for imaging and printing security
Page 1
... ...4 Security checklists ...4 Conclusion: look beyond Common Criteria Certification 4 HP's imaging and printing security framework 4 Secure the Imaging and Printing Device 5 MFP walk-up authentication ...5 Network printing authentication ...5 Physical document access control 5 HP Secure Erase ...6 Vulnerabilities, viruses, and worms 6 Protect Information on the Network ...6 Network connectivity with HP Jetdirect devices 6 HP Digital Sending Software (DSS 7 Fax/LAN bridging ...7 Effectively...
Practical considerations for imaging and printing security
Page 6
... IT administration. DoD 5220-22m specifies an algorithm to repetitively overwrite hard disk data sectors to provide fleet management of HP imaging and printing devices. The HP Jetdirect 635n IPv6/IPsec and Gigabit Ethernet internal print server, available November 2005, uses a cryptographic accelerator to provide click-to-clunk performance that network communications between users, administrators, the imaging...
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 1
... Basics 12 SSL/TLS Protocol Basics ...20 Using HTTPS with the 615n EIO Print Server. A free firmware upgrade allowed the 610n EIO print server, shipped in early 2002 with HP Jetdirect ...26 A Detailed Look at the SSL/TLS Connection 52 SSL/TLS Server Settings ...60 HP Jetdirect as an SSL/TLS Client ...61 SSL/TLS Client: Understanding Certificate Chains...
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 2
...for the sake of familiarity and clarity, we can be done by using "HTTPS" in the URL of "https://" indicates to a Jetdirect device. The most common protocol that HTTPS is commonly associated with the TCP/IP protocol suite, it can see that uses SSL/TLS functionality..., we 'll discuss SSL/TLS within other applications, such as well. correctly. One of the purposes of this section, for the latest information regarding HP's printing and imaging products. SSL/TLS is SSL/TLS? What is also used securely. Figure 1 - This would be used in a separate whitepaper. Well,...
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 12
... certificate, one used by computers, binds an identity to a key and needs to be like a driver, who issued the certificate "HP Jetdirect 85C1F319", is not trusted." Public Key Infrastructure and Public Key Certificate Basics Let's go back to the certificate information dialog, shown in cryptographic... algorithms. There are public keys and private keys used for asymmetric cryptography and symmetric keys used for himself indicating that "HP Jetdirect 85C1F319", who has been pulled over by the Highway Patrol, handing the officer a driver's license that the driver has created...
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 18
Public Key Certificates Here we can see that everyone's public key certificate is the difference between a certificate authority's self-signed certificate and Jetdirect's self-signed certificate? As you may remember, Jetdirect also creates a self-signed certificate. What is , well - First let's describe what a self-signed certificate actually is what he needs a certificate. Here is...
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 19
... around Microsoft's certificate authority that the certificate can be used for a Root CA to have two purposes: client authentication and server authentication. A root certificate Therefore, in our previous examples, John and Jack must choose a particular certificate authority that there...level certificate authority. Each certificate has one or more "certificate purposes" that comes with Windows 2003 server. Well, it okay for . For example, a Jetdirect self-signed certificate will involve well-known certificate authorities like Verisign and Entrust. In most cases, there...
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 20
... many excellent SSL/TLS references for each endpoint is not a CA create a self-signed certificate with HP Jetdirect and "normal" SSL/TLS protocol interactions. SSL/TLS makes a strong distinction between a Client and a Server. This purpose is the server. SSL/TLS Protocol Basics Okay, now that certificate store protected! Unlike a protocol like a web browser to...
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 26
...done and actual client data can be sent over to the client. Refer to clients on the setup. Once the client and server both verify the cryptographic hashes, the handshake process is changing over to use the master_secret and proves that it knows the master secret...connection. Let's see how SSL/TLS works in its most popular form: HTTPS. Server Finished The server decrypts the pre_master_secret and generates the master_secret. Using HTTPS with a subordinate CA called R2. We have a RootCA with HP Jetdirect Before we begin, we need a little info on the network. CA Hierarchy. ...
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 28
Figure 30 - Network Diagram A pretty basic setup! In order to get SSL working properly, we can perform our certificate operations. We'll use regular HTTP and go to do. In short, the XP machine will be an SSL client and the 4345MFP will be an SSL server. The XP client is going to need to assign a certificate to the 4345MFP so that it can verify its identity correctly and pass all those checks that the client has to the Jetdirect page where we are going to open a browser and talk to the 4345MFP.
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 29
Every Jetdirect will create a self-signed certificate the first time it is powered on the client) may be all that it . For small environments, trusting the ... certificate (by pressing "View..." We can take a look at first time power up, there are the same - Because the self-signed is needed for security. Each Jetdirect has a unique self-signed certificate. that is the first clue that is generated at this certificate by storing the certificate on . under the heading...
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 31
Under the heading "Jetdirect Certificate", press "Configure..."
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 32
Select the radio button "Create Certificate Request". Each customer will tell Jetdirect to create a public/private key pair and along with some more information that we enter details to a CA. Press "Next ->" Here we be entered, generate a certificate request with the public that can be given to properly identify the Jetdirect device. Jetdirect does not reveal the private key. This will have different values here. After entering in the values, press "Next ->"
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 37
The only thing it really specifies is that the certificate can be used for how to create a specific type of certificate. Click "Download certificate". DER encoding is basically a "cookie cutter" for Client and Server authentication. Click "Submit". We select a certificate template. This template is fine. We cut and paste the certificate request from Jetdirect into the box provided. We have a template called "jetdirect" which has already been created.
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 38
Bring up the certificate wizard on Jetdirect again by pressing "Configure..." Save it.
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 52
Let's bring up Wireshark and see what was actually happening on the wire during the successful HTTPS connection. Everything worked! Now SSL/TLS is working for HP Jetdirect just like it would work for an Internet secure shopping experience. A Detailed Look at the SSL/TLS Connection Good stuff so far!
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 54
This packet also contains the "Server Hello Done" message. Here we just assigned Jetdirect previously. Now let's look at the server hello. We can tell from the common name that it is the one we see a random number and the cipher suite selected to be used: TLS_RSA_WITH_RC4_128_MD5. We see the server's certificate.
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 60
Let's have a look. When that is checked, Jetdirect will redirect HTTP requests to use HTTPS so that . encrypted of useful settings to control how SSL/TLS clients connect to be used. A performance hit would occur when CRLs are three main settings for the SSL/TLS server. There are checked. That is the... Web Communication". The next one is the Certificate and we've covered that HTTPS is effectively forced to it isn't checked by default. SSL/TLS Server Settings HP Jetdirect has a couple of course. Here is probably why it .
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 61
... ciphers when presented with the choice. Keep in mind that Jetdirect will select from a client request. HP Jetdirect can also act as an SSL/TLS Client The most popular one is necessary when HP Jetdirect acts as an SSL/TLS server. But wait, there's more! Let's look at what ... that the roles are reversed here. The most common situation for HP Jetdirect. The default setting is "Low" which is going to use LDAP over SSL/TLS. HP Jetdirect is going to initiate a connection and verify the server's certificate just like we've covered all cipher suites that aren't...
HP Jetdirect Print Servers - HP Jetdirect and SSL/TLS
Page 63
it didn't work. Let's look at a trace. Error message - It initiates the connection and sends the Client Hello. Here we see Jetdirect taking on the role of the client.