Manualshelf

HP Imaging and Printing Security Center 2.0 - Instant-On Security

ManualsBrandsHP ManualsSoftwareHP Imaging & Printing Security Center E-LTU - 1000 Device License
21222324252627282930
25
Mutual Authentication
Overview
Instant-On Security can be configured for mutual authentication; an announcement option
that relies upon device and IPSC identity assurance through a combined action of client-to-
server and server-to-client SSL/TLS (Secure Socket Layer/Transport Layer Security)
authentication. Mutual authentication can also be informally referred to as 2-way SSL/TLS
authentication.
Deploying trusted certificates for mutual authentication provides the most secure method of
Instant-On Security. Since certificates remain over a cold reset, this method of Instant-On
Security protects the device even if it is cold reset. Successful mutual authentication requires
the configuration and installation of a valid identity (ID) certificate on the device and in IPSC.
On the device, the unique identity certificate must be signed by a certificate authority (CA)
and installed as a replacement of the default self-signed device certificate. On the IPSC
server, a unique identity certificate signed by a CA and placed in the local computer
personal store is also required. The corresponding certificate must also be installed on the
device (See Figure 26) and in the IPSC server local computer trusted root certification
authorities store. Using a single (CA) to sign both identity certificates isn’t required, but can
simplify the process by reducing the number of necessary components. Certificates can be
configured manually, or a certificate manager can be used.
Handshake
When mutual authentication is configured for Instant-On communication, appropriate
handshaking occurs to establish an encrypted channel prior to any message exchanges. The
handshake includes dialogue to establish the identities of the device and IPSC via the
mutual presentation of signed digital certificates. The dialogue is similar to the example
below:
Client sends a message proposing the SSL/TLS options
Server responds with SSL/TLS option selection
Server presents its identity certificate
Server requests client’s certificate
Server negotiation is complete
Client presents its identity certificate
Client sends key (encrypted with server’s public key)
Client notifies server that it owns the sent certificate
Client sends message activating the negotiated options
Client sends finished message, asking server to check negotiated options
Server sends message activating the negotiated options
Server sends finished message, asking client to check negotiated options