HP Inc.
HP LaserJet Enterprise MFP M527 Series,
Color LaserJet Enterprise MFP M577 Series, and
PageWide Enterprise Color MFP 586 Series
Firmware with Jetdirect Inside Security Target
Version: 2.0
Last update: 2016-06-07
Copyright © 2008-2016 by atsec information security corporation and HP Inc. or its wholly owned subsidiaries
Syslog server connections
Web Services connections (OXPd & WS*)
Table 35: Trusted channel connections
The TOE uses IPsec as a means to provide trusted channel communications. IPsec uses X.509v3
certificates, the ESP, ISAKMP, IKEv1, and IKEv2 protocols, and the cryptographic algorithms listed below
to protect communications.
The cryptographic functions used by IPsec are implemented in the QuickSec cryptographic library version
5.1 ([QuickSec51]) which is produced by INSIDE Secure. The QuickSec cryptographic library is part of
the Operational Environment, not the TOE. The TOE prepares the data and invokes the appropriate
cryptographic functions, but the code in the QuickSec cryptographic library performs the processing and
calculations required. INSIDE Secure performs regular and rigorous developer testing of the
implementation of the cryptographic algorithms in the QuickSec cryptographic library.
In the evaluated configuration, the supported IPsec cryptographic algorithms are:
RSA 1024-bit and 2048-bit (Operational Environment)
AES-128, AES-192, and AES-256 in CBC mode (Operational Environment)
HMAC-SHA1-96 (Operational Environment)
HMAC-SHA-256-128 (Operational Environment)
HMAC-SHA-384-196 (Operational Environment)
HMAC-SHA-512-256 (Operational Environment)
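The algorithm list above, turned into a peer-side check as an added example (not part of the Security Target or of HP's code): it audits ESP proposal strings configured on a peer against the evaluated set. The dash-separated keyword notation and the keyword-to-algorithm mapping are assumptions of this example.

```python
# Added example: audit peer ESP proposals against the evaluated algorithm list.
# Keyword spellings (aes128, sha256, ...) are an assumed peer-side notation.

# Keywords assumed to correspond to the evaluated algorithms listed above.
EVAL_ENC = {"aes128", "aes192", "aes256"}        # AES-128/192/256 in CBC mode
EVAL_INTEG = {"sha1", "sha256", "sha384", "sha512"}  # the four listed HMACs
# Keywords recognised only so they can be reported precisely (not evaluated).
OTHER_ENC = {"3des", "aes128gcm16", "aes256gcm16", "aes128ctr", "null"}
OTHER_INTEG = {"md5", "sha256_96", "aesxcbc"}


def audit_proposal(proposal):
    """Return a list of findings; an empty list means the proposal fits."""
    findings, enc, integ = [], [], []
    for tok in proposal.lower().split("-"):
        if tok in EVAL_ENC or tok in OTHER_ENC:
            enc.append(tok)
        elif tok in EVAL_INTEG or tok in OTHER_INTEG:
            integ.append(tok)
        else:
            # DH groups, ESN flags etc. are not covered by the list above.
            findings.append(f"{tok}: not covered by the evaluated list, review manually")
    for tok in enc:
        if tok not in EVAL_ENC:
            findings.append(f"{tok}: encryption not in evaluated configuration")
    for tok in integ:
        if tok not in EVAL_INTEG:
            findings.append(f"{tok}: integrity not in evaluated configuration")
    if not enc:
        findings.append("no encryption algorithm proposed")
    # CBC provides no integrity on its own, so a separate HMAC is required.
    if not integ:
        findings.append("no integrity algorithm proposed")
    return findings


# Constructed sample proposals, not taken from any real device.
SAMPLES = ["aes256-sha256", "aes128-sha1-modp2048", "3des-md5",
           "aes128gcm16", "aes192-sha256_96"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", audit_proposal(p) or "OK")
```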
IPsec is conformant to the MUST/MUST NOT requirements of the following IETF RFCs:
[RFC4301] and [RFC4894] for IPsec
[RFC4303] for ESP
[RFC4306] for ISAKMP
[RFC4109] and [RFC4894] for IKEv1
[RFC4306], [RFC4718], and [RFC4894] for IKEv2.
The TOE maintains X.509v3 certificates for IPsec in the certificate store:
One network identity certificate
One or more Certificate Authority (CA) certificates
The EWS (HTTP) and WS* Web Services allow administrators to manage these X.509v3 certificates used
by IPsec. Additionally, OXPd Web Services can be used to manage the CA certificates used by IPsec.
When the TOE is first powered on, it generates a self-signed identity certificate to use for network identity.
In the evaluated configuration, the use of a self-signed identity certificate generated by the TOE for
network identity is not permitted. The administrator must import a CA-signed identity certificate and
private key and designate this certificate for network identity usage. The TOE requires a network identity
certificate to always exist; therefore, it allows the administrator to replace the network identity certificate
used by IPsec.