HP 250m Information Sheet

Browse online or download the information sheet for HP 250m software. HP 250m white paper user manual

HP Jetdirect and SSL/TLS
June 2008
Table of Contents:
Introduction ..................................................................................................................................... 1
What is SSL/TLS? ............................................................................................................................ 2
HTTPS Decoded............................................................................................................................... 3
Digital Certificates ........................................................................................................................... 9
Public Key Infrastructure and Public Key Certificate Basics .................................................................. 12
SSL/TLS Protocol Basics .................................................................................................................. 20
Using HTTPS with HP Jetdirect ......................................................................................................... 26
A Detailed Look at the SSL/TLS Connection.......................................................................................52
SSL/TLS Server Settings .................................................................................................................. 60
HP Jetdirect as an SSL/TLS Client..................................................................................................... 61
SSL/TLS Client: Understanding Certificate Chains .............................................................................. 77
SSL/TLS Client: Certificates and Name Verification ............................................................................ 83
IPP over SSL/TLS ............................................................................................................................ 89
HP Jetdirect Certificate Guidelines.................................................................................................... 94
Embedded Devices and Digital Certificates .......................................................................................94
Which HP Jetdirect Products Support SSL/TLS? .................................................................................. 95
Summary ...................................................................................................................................... 95
Introduction
HP Jetdirect introduced SSL/TLS support in early 2002 with the 615n EIO Print Server. A free
firmware upgrade allowed the 610n EIO print server, shipped in 2000, the same capability.
Suddenly, a few million HP Jetdirect EIO cards had SSL/TLS capability. Why?
The answer was secure management. HP printing and imaging devices were becoming more
complex and more feature oriented. They were becoming valuable assets to a company’s
infrastructure. Having the ability to use a browser to manage a device over HTTP was one thing;
using the same browser with HTTPS to manage it securely was a great benefit. Unfortunately,
many users of HTTPS are under a false sense of security because they have not deployed SSL/TLS

Page excerpts (the viewer's per-page preview text, ordered by the whitepaper's own page numbers; each excerpt is cut off where the preview ended):

Page 1: HP Jetdirect and SSL/TLS June 2008 Table of Contents: Introduction ...
Page 2: correctly. One of the purposes of this whitepaper is to show administrators how to properly deploy SSL/TLS so that it can be used securely. SSL/
Page 3: see that SSL/TLS requires application changes in order to be utilized. These changes have to be made by every application that wishes to utilize SS
Page 4: Figure 4 - HTTP Session The URL starts with http:// and tells the browser that SSL/TLS is not required. Let’s change it to https:// and hit the
Page 5: Figure 6 - More Info Notice the sentence: “This Web site provides secure communication and has a valid certificate.” After reading this whitepap
Page 6: Well, we’ve got one green checkmark and two yellow warnings. Good enough for us! Let’s click “Yes” and establish the HTTPS session with the MFP.
Page 7: Figure 9 - Lock Icon The mouse pointer was placed on the lock icon. Notice the “SSL Secured (128 bit)” shown in the bottom right. If we double-c
Page 8: Figure 10 - Certificate Details Something is very wrong here. We went from yellow warning symbols and green checkmark to a big red X symbol. We
Page 9: Digital Certificates Much like a fake ATM machine, an unethical hacker could use technology to direct a user to a false web site when they are thin
Page 10: Figure 12 - IE7 Certificate Error 1 This screen is a lot different from IE6 – notice the red X symbols and explanatory text. The way the inform
Page 11: Figure 13 – IE7 Certificate Error 2 Notice the red URL and the “Certificate Error” message. Essentially, to go back to our story, Internet Expl
Page 12: Public Key Infrastructure and Public Key Certificate Basics Let’s go back to the certificate information dialog, shown in Figure 14: Figure 14
Page 13: (Figure 15 diagram labels: Message Delivery; User; Encryption Performed; User; Decryption Performed; Unencrypted Message; Unencrypted Message) Figure 15 - Symmetric Cryptography In Figu
Page 14: Figure 16 - Asymmetric Cryptography Here we can see the difference between asymmetric and symmetric cryptography. One key can be used for encryp
Page 15: • A hash – also known as a message digest. A hash is the output of a one way function that attempts to ensure the integrity of the message (i.e.,
Page 16: Figure 18 - Digital Signature Verification Here we see how John uses Jack’s public key to verify the message. Jack’s public key is the only key
Page 17: (Figure diagram labels: Jack; Certificate Authority (Also performs Identity Verification on Jack); Jack’s Public Key; Jack’s Private Key; CA’s Public Key; CA’s Private Key; Certificate
Page 18: Figure 20 - Public Key Certificates Here we can see that everyone’s public key certificate is, well – um, public. The important thing to note i
Page 19: (Figure diagram labels: Jack; Jack’s Public Key; Jack’s Private Key; Identity Info + Jack’s Public Key; Jack; Jack’s Private Key (Stays Private); Jack’s Public Key; Jack’s self-signed Cer
Page 20: authority’s self-signed certificate will have a purpose to create certificates for other entities, usually subordinate certificate authorities. It
Page 21: (Figure 23 diagram labels: Client; Server; TCP; SSL Record; Handshake; TCP Connection Established; Client Hello; Supported Ciphers; Random #) Figure 23 - Client Hello Here we already have a
Page 22: Figure 24 - Server Hello The server responds with a Server Hello message which includes another random number and the server selected cipher. It
Page 23: Figure 25 - Server Certificate Verification Here the client needs to verify the server is really who they say they are. There are a lot of check
Page 24: (Figure 26 diagram labels: Client; Server Random #; Client Random #; Server Public Key; Cryptographic Key Generation: PreMasterSecret; Encryption; E(PreMasterSecret)) Figure 26 - Keying Ma
Page 25: Figure 27 – Client Finished The client goes ahead and sends over the encrypted pre_master_secret and lets the server know that it is changing o
Page 26: (Figure 28 diagram labels: Client; Server; TCP; SSL Record; Handshake; TCP Connection Established; Change Cipher Spec; Finished) Figure 28 - Server Finished The server decrypts the pre
Page 27: Figure 29 - CA Hierarchy The network is really simple and is composed of these CAs, a DNS server, a client, and an HP LaserJet MFP. Refer to F
Page 28: Figure 30 - Network Diagram A pretty basic setup! The XP client is going to open a browser and talk to the 4345MFP. In short, the XP machine w
Page 29: Every Jetdirect will create a self-signed certificate the first time it is powered on. Each Jetdirect has a unique self-signed certificate. For s
Page 30: We see the RSA public key is 1024 bits for the self-signed certificate and that the certificate can be used for client and server authentication
Page 31: Under the heading “Jetdirect Certificate”, press “Configure…”
Page 32: Select the radio button “Create Certificate Request”. This will tell Jetdirect to create a public/private key pair and along with some more inform
Page 33: Here is the certificate request. We are going to want to store it. We can cut/paste it or click “Save”. Click “Save As”
Page 34: Store it in a directory on the client. Now we are going to bring up R2’s CA web server.
Page 35: Enter the credentials that will allow a certificate to be issued. And here is the R2’s CA web server. Let’s click the link “Request a Certific
Page 36: Click “advanced certificate request” Select the second link “Submit a certificate request….”
Page 37: We cut and paste the certificate request from Jetdirect into the box provided. We select a certificate template. This template is basically a “coo
Page 38: Save it. Bring up the certificate wizard on Jetdirect again by pressing “Configure…”
Page 39: Now we select “Install Certificate” and click “Next” Point it to the file obtained from the R2 CA. Click “Finish”
Page 40: Cool – it worked. Click “OK” Now – let’s view the contents of this certificate. We can see that the issuer is R2. We also see the Subject CN.
Page 41: We see we have some CRL distribution points in the certificate as well – remember that. Also see that we can do Web Server and Web Client authenti
Page 42: Click “Download a CA certificate, certificate chain, or CRL”. Select “Download CA Certificate Chain”. This file will have both R2 and RootCA’s
Page 43: Save it. Go to “Tools” and click “Internet Options”.
Page 44: Click “Certificates”
Page 45: Click “Import…” Click “Next”
Page 46: Select the file Click “Next”
Page 47: Select “Automatically select the certificate store….” Click “Next” Click “Finish”
Page 48: Press “Yes”. Note the Security Warning message. Installing a CA public key certificate as a trusted Root CA is a big deal. You need to be very s
Page 49: Select the tab “Intermediate Certification Authorities” and we can see that R2’s public key certificate has been installed. Yea! Click the tab “
Page 50: Now we go back to the web page and still get an error!! No!! The problem is that we have a name mismatch. We are using the IP address in the URL
Page 51: We ping it just to be sure. Looks good. We go back to the web browser and enter the name instead of the IP address.
Page 52: Everything worked! Now SSL/TLS is working for HP Jetdirect just like it would work for an Internet secure shopping experience. A Detailed Lo
Page 53: We see the TCP connection is established to “https” or TCP port 443. The client is 192.168.0.25 and the web server is 192.168.0.20. We see the S
Page 54: Now let’s look at the server hello. Here we see a random number and the cipher suite selected to be used: TLS RSA WITH RC4 128 MD5 We see the se
Page 55: Here the client is sending over the pre_master_secret encrypted with the server’s public key. It is also letting the server know it is changing key
Page 56: Now we have actual client data – this is probably the initial HTTP request encapsulated in SSL/TLS. There was one check that wasn’t done – the C
Page 57: Check for server certificate revocation is not selected.
Page 58: Let’s select it and restart IE7. Here is another HTTPS connection to the same LJ4345MFP. Everything looks the same so far
Page 59: Here we go – looks like before any application data is sent, the CRL is checked using http. This one is going to the RootCA Another CRL request to
Page 60: Here is the content of the CRL – encrypted of course. A performance hit would occur when CRLs are checked. That is probably why it isn’t chec
Page 61: The setting “Encryption Strength” controls the cipher suites that Jetdirect will select from a client request. The default setting is “Low” which
Page 62: We are going to select Simple over SSL as the LDAP server bind method and use the IP address of 192.168.0.1, which is our LDAP server. We then scr
Page 63: Error message – it didn’t work. Let’s look at a trace. Here we see Jetdirect taking on the role of the client. It initiates the connection and
Page 64: The server responds. There is a new message here – one we haven’t talked about. The Certificate Request. The server is indicating to Jetdirect t
Page 65: Because we have already stored the CA certificates in our browser’s certificate store, we’ll just export one and put it on Jetdirect. Let’s take a
Page 66: Select R2 and hit “Export…” Click Next
Page 67: Select DER. Click Next. Save it.
Page 68: Save it. Click “Finish”
Page 69: Under the heading “CA Certificate”, click “Configure” Select Install and click “Next”
Page 70: Select the file. Click Finish Click OK.
Page 71: The status for the CA Certificate is now “Installed” We try again and it still fails!
Page 72: Same message. What did we do wrong?
Page 73: We need the ROOT CA. Jetdirect cannot use Intermediate CAs. Back to the certificate store and now let’s export RootCA’s public key certificate.
Page 74: Try again. Another failure! Let’s check the trace. Here we get a “Certificate Unknown” message. Well, it could be we are using the IP address
Page 75: We use the DNS name and try again. Success!!
Page 76: Now that we are successful, we see the server’s certificate has a SubjectAltName with a dnsName identifier. Remember that the server wanted Jet
Page 77: SSL/TLS Client: Understanding Certificate Chains In the previous section, we described a situation where the wrong CA certificate was configured
Page 78: Figure 32 - Notice that R2’s certificate is issued by RootCA. What does RootCA’s certificate look like? Let’s look at Figure 33.
Page 79: Figure 33 - RootCA Notice the RootCA is “self-signed”. All Root CAs will be self-signed – these CAs represent the single point of trust. A lo
Page 80: (Figure diagram labels: Root Certificate Authority: RootCA; Subordinate Certificate Authority: R2; RootCA.example.internal; R2.example.internal; RootCA’s Certificate; RootCA’s Publ
Page 81: (Figure diagram labels: Root Certificate Authority: RootCA; Subordinate Certificate Authority: R2; RootCA.example.internal; R2.example.internal; RootCA’s Certificate; RootCA’s Publ
Page 82: Figure 36 - Walking the Chain 1 Jetdirect has one certificate stored on it – the RootCA public key certificate. During the SSL/TLS handshake wit
Page 83: Jetdirect verifies that R2 has signed the server’s certificate. It also verifies R2’s certificate (e.g., it has not expired and so on) and makes s
Page 84: Figure 38 - Subject We can see there are several things in the Subject – but the most critical is the Common Name. Here we can see why the brows
Page 85: Figure 39 - SubjectAltName Notice how there isn’t even a Common Name in the LDAP server’s certificate. If you remember, we tried connecting to
Page 86: Effectively, the algorithm is going to be something like this: If (dNSName is present) { Match dNSName } Else { Match Common Name } For HTTPS
Page 87: Figure 40 - OU Here the Common Name is the FQDN of Jetdirect but there is additional information provided in the Organizational Units (OU). Th
Page 88: (“https://msimpson.example.com” or “https://bsimpson.example.com”), they get a Certificate Error indicating a name mismatch. Why? If we refer bac
Page 89: IPP over SSL/TLS SSL/TLS can also be used to protect printing. HP Jetdirect supports IPP over TLS (henceforth, IPPS), but does not support any cl
Page 90: Click “Next” Select “A network printer…”
Page 91: Specify a URL of HTTPS and be sure to end it with a “/ipp” so Jetdirect knows what it is for. Select the appropriate driver.
Page 92: Click “Finish” Now we have a printer. Right Click and select properties.
Page 93: Print a test page. Yep – we have our print data protected by SSL/TLS.
Page 94: That wasn’t too bad to get security for your print data. However, there is a problem. Notice that we used the IP address in the URL. After the b
Page 95: physical user interface) and is probably stored right next to the digital certificate. In short, an analysis of the non-volatile storage of your e
