Encrypting Network Communication
To protect communicated information, it is necessary to encrypt communication between computers and external equipment.
Data sent from and received by the machine can be intercepted, cracked, or tampered with during transmission. For example, the following data can be transmitted between the machine and external devices or the computer:
Documents printed in the company using the printer driver
Login user name and login password
See the table below for the methods of encrypting data.
Data to encrypt | Encryption method | Process/Reference |
|---|---|---|
Web Image Monitor IPP print Windows authentication LDAP authentication | SSL/TLS | Install a device certificate.
|
Machine management data | SNMPv3 | Specify an encryption password.
|
Authentication information of print jobs | Driver encryption key IPP authentication | Specifying a Driver Encryption Key Specify IPP authentication.
|
Kerberos authentication data | Varies depending on the KDC server | Select an encryption method.
|
The administrator is required to manage the expiration of certificates and renew the certificates before they expire.
The administrator is required to check that the issuer of the certificate is valid.
Installing a Self-signed Certificate/Certificate Issued by a Certificate Authority
To encrypt communication with the machine, install a device certificate.
Two types of device certificates can be used: a self-signed certificate created by the machine and a certificate issued by a certificate authority. When you need higher reliability, use a certificate issued by a certificate authority.
Install a device certificate from Web Image Monitor.
Installing a self-signed certificate/certificate issued by a certificate authority
Log in to the machine as the network administrator from Web Image Monitor.
Click [Configuration] from the [Device Management] menu.
Click [Device Certificate] in the "Security" category.
On the "Device Certificate" screen, install a self-signed certificate or certificate issued by a certificate authority by following the instructions below:
To install a self-signed certificate
Create and install a self-signed certificate.
Select the number from the list to create a self-signed certificate.
Click [Create] to specify the necessary settings.
Common Name: Enter the name of the device certificate to create. You must enter a name.
Enter "Organization", "Organizational Unit", and other items as necessary.
Click [OK].
"Installed" is displayed in "Certificate Status".
To install a certificate issued by a certificate authority
Request a device certificate from a certificate authority and install it. Follow the same steps to install an intermediate certificate.
Select the number from the list to create a device certificate.
Click [Request] to specify the necessary settings.
Click [OK].
"Requesting" is displayed in "Certificate Status".
Apply to the certificate authority for the device certificate.
You cannot apply to the certificate authority from Web Image Monitor. The application procedure varies depending on the certificate authority. For details, contact the certificate authority.
For the application, click the Details icon
and use the information that appears in "Certificate Details".The issuing location may not be displayed if you request multiple certificates at the same time. When you install a certificate, be sure to check the certificate destination and installation procedure.
After the device certificate has been issued by the certificate authority, select the number of the issued certificate from the list on the "Device Certificate" screen, and then click [Install].
Enter the contents of the device certificate in the entry fields.
To install the intermediate certificate at the same time, enter also the contents of the intermediate certificate.
If an intermediate certificate issued by a certificate authority is not installed, an alert message is displayed during network communication. When an intermediate certificate has been issued by a certificate authority, you must install the intermediate certificate.
Click [OK].
"Installed" is displayed in "Certificate Status".
After completing the installation, select the certificate for each application on "Certification".
Click [OK].
After completing the configuration, click [OK] and exit the Web browser.
To print data in the machine using IPP-SSL, the user must install a certificate in the computer. Select "Trusted Root Certification Authorities" for the certificate store location when accessing the machine by IPP.
To change "Common Name" of the device certificate when using the Windows standard IPP port, delete any previously configured PC printer beforehand and install the printer driver again. Also, to change the user authentication settings (login user name and password), delete any previously configured PC printer beforehand, change the user authentication settings, and then install the printer driver again.
Encrypting Transmission Using SSL/TLS
SSL (Secure Sockets Layer) /TLS (Transport Layer Security) is a method to encrypt network communications. SSL/TLS prevents data from being intercepted, cracked, or tampered.
To check whether SSL/TLS configuration is enabled, enter "https://(the machine's IP address or host name)/" in your Web browser's address bar to access this machine. If the "The page cannot be displayed" message appears, check the configuration because the current SSL/TLS configuration is invalid.
If you enable SSL/TLS for IPP (printer functions), sent data is encrypted, preventing it from being intercepted, analyzed, or tampered with.
Flow of SSL/TLS encrypted communications
The user's computer requests the SSL/TLS device certificate and public key when accessing the machine.
The device certificate and public key are sent from the machine to the user's computer.
The shared key created on the computer is encrypted using the public key, sent to the machine, and then decrypted using the private key in the machine.
The shared key is used for data encryption and decryption, thus achieving secure transmission.
To enable encrypted communication, install a device certificate in the machine in advance.
To encrypt communication using SSL/TLS, enable SSL/TLS as follows:
Enabling SSL/TLS
Log in to the machine as the network administrator from Web Image Monitor.
Click [Configuration] from the [Device Management] menu.
Click [SSL/TLS] in the "Security" category.
Select the protocol to enable encrypted communication on "SSL/TLS" to specify the details about the communication method.
Permit SSL/TLS Communication: Select one of the encryption communication modes below:
Ciphertext Priority: Performs encrypted communication when a device certificate has been created. If encryption is not possible, the machine communicates data in clear text.
Ciphertext/Cleartext: Performs encrypted communication when connecting to the machine using an "https" address from a Web browser. Communicates in clear text when connecting to the machine using an "http" address.
Ciphertext Only: Allows encrypted communication only. If encryption is not possible, the machine does not communicate. If encryption is not possible for some reason, the machine cannot communicate. If this is the case, select [Host Interface]
[Network][Permit SSL/TLS Comm.] on the control panel, change the communication mode to [Ciphertext/Cleartext] temporarily, and then check the settings.
SSL/TLS Version: Specify TLS 1.2, TLS 1.1, TLS 1.0, and SSL 3.0 to enable or disable. At least one of these protocols must be enabled.
Encryption Strength Setting: Specify the encryption algorithm to apply to AES, 3DES, and RC4. You must select at least one check box.
KEY EXCHANGE: Specify whether to enable or disable exchanging of the RSA key.
DIGEST: Specify whether to enable or disable SHA-1 DIGEST.
Click [OK].
After completing the configuration, click [OK] and exit the Web browser.
To encrypt communications with the SMTP server, use the following procedure to change "SSL" to [On].
Depending on the states you specify for TLS 1.2, TLS 1.1, TLS 1.0, and SSL 3.0, the machine might not be able to connect to an external LDAP server.
Enabling SSL for SMTP connection
Log in to the machine as the network administrator from Web Image Monitor.
Click [Configuration] from the [Device Management] menu.
Click [Email] in the "Device Settings" category.
In "SMTP", click [On] of "Use Secure Connection (SSL)".
After completing the configuration, the port number changes to 465 (SMTP over SSL). When using SMTP over TLS (STARTTLS) for encryption, change the port number to 587.
When you specify the port number to a number other than 465 and 587, the communication is encrypted according to the setting in the SMTP server.
Click [OK] and exit the Web browser.
Encrypting Data Communicated with Machine Management Software Via SNMPv3
When monitoring devices using Device Manager NX via a network, you can encrypt the transmitted data by using the SNMPv3 protocol.
Log in to the machine as the network administrator from Web Image Monitor.
Click [Configuration] from the [Device Management] menu.
Click [Network Security] in the "Security" category.
In "Permit SNMPv3 Communication" of "SNMP", click [Encryption Only].
Click [OK] and exit the Web browser.
To change the settings specified in the machine from Device Manager NX, specify an encryption password to the network administrator in [Program/Change Administrator], and then register the encryption password in the SNMP account of Device Manager NX.
Encrypting the Login Password of Print Jobs
You can encrypt the login password for the printer driver and the password for IPP printing to increase security against password cracking.
To perform printing from a LAN inside the office, specify the driver encryption key.
To perform IPP printing from an external network, encrypt the password of IPP printing.
Specifying a Driver Encryption Key to Encrypt Passwords
Specify the driver encryption key specified in the machine also to the printer driver to encrypt and decrypt passwords.
Press the [Menu] key.
Log in to the machine as the network administrator on the control panel.
Select [Security Options], and then press the [OK] key.
Select [Extended Security], and then press the [OK] key.
Select [Driver Encryption Key], and then press the [OK] key.
Press the [
] or [
] key to select a character for the driver encryption key, and then press the [OK] key to enter the character. Repeat this to complete the driver encryption key, and then press the selection key beneath [Accept].
To enter upper-case letters, numerals, or symbols, press the selection key beneath [ABC/123].
To delete a character that has been entered, press the selection key beneath [Delete].
Enter the driver encryption key using up to 32 alphanumeric characters.
Repeat Steps 6 and 7 to re-enter the driver encryption key.
Press the selection key beneath [Logout].
The network administrator must give users the driver encryption key specified on the machine so they can register it on their computers.
Make sure to enter the same driver encryption key as that specified on the machine.
If the desired menu item is not on the screen, press the [
] or [
] key on the control panel until it appears.
Encrypting the password of IPP printing
When printing using the IPP protocol, specify the authentication method to [DIGEST] to encrypt the IPP authentication password. Register the user name and password for IPP authentication separately from the user information in the address book.
Log in to the machine as the network administrator from Web Image Monitor.
Click [Configuration] from the [Device Management] menu.
Click [IPP Authentication] in the "Security" category.
Select "DIGEST" in "Authentication".
Enter User Name and Password.
Click [OK].
After completing the configuration, exit the Web browser.
Encrypting Communication Between KDC and the Machine
You can encrypt communications between the machine and the Key Distribution Center (KDC) server when using Kerberos authentication with Windows or LDAP authentication to secure communication.
The supported encryption algorithm differs depending on the type of KDC server.
Log in to the machine as the machine administrator from Web Image Monitor.
Click [Configuration] from the [Device Management] menu.
Click [Kerberos Authentication] of the "Device Settings" category.
Select the encryption algorithm to enable.
Only Heimdal supports DES3-CBC-SHA1.
To use DES-CBC-MD5 in Windows Server 2008 R2 or later, enable it in the operating system settings.
Click [OK] and exit the Web browser.