HP 250m Print Server - Fast Ethernet manual SSL/TLS Protocol Basics, SSL/TLS Protocol Structures

Page 20

authority’s self-signed certificate will have a purpose to create certificates for other entities, usually subordinate certificate authorities. It may be of help to go back to our driver’s license example to explain certificate purposes. A driver’s license purpose is to clearly identify the person it has been issued to and to show that that person has the right to drive in a given state. Because a driver’s license also lists the date of birth, it is often used to determine age and whether the holder is able to purchase various products that have age limitations. This purpose is actually above and beyond the original purpose of a driver’s license. In the digital certificate world, this additional purpose would more than likely not be allowed.

So, can’t someone who is not a CA create a self-signed certificate with the ability to create other certificates for entities? Sure they can! Will this be trusted? Probably not. However, if an unethical hacker can somehow install a CA certificate of their own choosing into your trusted certificate store, you will be in for a lot of problems. They will now have the ability to fool the browser and other applications into connecting to malicious sites that are now “trusted” and the browser or other application will not be able to detect it. Keep that certificate store protected!
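The two ideas above, reading a certificate's purpose from its basicConstraints extension and treating the trust store as the gate that decides whether a self-signed CA is believed, can be exercised in a few lines. This is an added example, not code from the HP whitepaper; it assumes the Python `cryptography` library, and every name and key in it is constructed for the demo.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject_cn, issuer_cert, issuer_key, is_ca):
    """Issue a certificate; issuer_cert=None means self-signed (demo helper)."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_cert.subject if issuer_cert else _name(subject_cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    signing_key = issuer_key if issuer_cert else key
    return builder.sign(signing_key, hashes.SHA256()), key

def purpose(cert):
    """The certificate's purpose as declared by basicConstraints: CA or end-entity."""
    bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    return "CA" if bc.ca else "end-entity"

def is_trusted(leaf, issuer, trust_store):
    """Relying-party check: the leaf is trusted only if its issuer is in the
    trust store, is marked as a CA, and really signed the leaf."""
    fps = {c.fingerprint(hashes.SHA256()) for c in trust_store}
    if issuer.fingerprint(hashes.SHA256()) not in fps:
        return False
    if purpose(issuer) != "CA":
        return False
    try:
        issuer.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                   ec.ECDSA(leaf.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return True

# Constructed scenario: a legitimate root, a rogue self-signed "CA", and a leaf from each.
root, root_key = make_cert("Demo Root CA", None, None, is_ca=True)
printer, _ = make_cert("printer.example.test", root, root_key, is_ca=False)
rogue, rogue_key = make_cert("Rogue CA", None, None, is_ca=True)
rogue_leaf, _ = make_cert("printer.example.test", rogue, rogue_key, is_ca=False)
```

The rogue CA's leaf is rejected while only the legitimate root is in the store, and becomes trusted the moment the rogue root is added, which is exactly why the store must be protected.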

SSL/TLS Protocol Basics

Okay, now that we know something about SSL/TLS basics and a PKI, we can talk about how the SSL/TLS protocol goes about its business. While there are many interesting protocol specifics, we are only going to talk about common situations with HP Jetdirect and “normal” SSL/TLS protocol interactions. A basic breakdown of SSL/TLS protocol structures is shown in Figure 22:

Figure 22 - SSL/TLS Protocol Structures

(Note: in order to enhance understanding, this diagram was simplified. Please refer to the many excellent SSL/TLS references for a more complete and more accurate protocol description.) SSL/TLS makes a strong distinction between a Client and a Server. Unlike a protocol such as IPsec, where each endpoint is a peer, SSL/TLS assigns a specific role to each endpoint. The endpoint initiating the SSL/TLS connection, such as a web browser connecting to a secure shopping site, is the client. The endpoint responding to the connection request is the server. There are two primary phases in an SSL/TLS connection: the handshake and then the data transfer. The handshake messages get everything started; we can see the start of them in Figure 23.
