Secure Sockets Layer (SSL); AES Encryption; Remote Console and Virtual Serial Port Data Encryption - HP AB500A - Integrated Lights-Out Advanced Technology Brief

HP Integrated Lights-Out security, 6th edition

The purpose of a cipher is to make data private, so that only parties to the cipher and keys can read
the data. The frameworks enable cipher negotiation as well as the secure exchange of keys used to
initiate encrypted communication within the cipher algorithm.
iLO supports RC4, 3DES and AES ciphers. Key exchange uses RSA/Diffie-Hellman, and keys are
rotated every 3 minutes. Certificates are generated using 1024-bit RSA keys signed with MD5RSA
and using a SHA1 fingerprint.

Secure Sockets Layer (SSL)

The iLO management processor encrypts all web pages using 128-bit SSL encryption. This ensures
that all information and commands issued through the web browser are private. See the section titled
"Authentication and authorization processes for browser access" for more information.
SSL allows a list of ciphers to be compared between the client (browser) and server (iLO). Generally,
they negotiate to use the strongest common cipher. A client may include a long and permissive list of
ciphers, but it is often desirable to restrict the list of ciphers. iLO 2 v1.30 has this capability.
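The effect of restricting the server's cipher list, as an added example that is not from the HP brief. The suite names are standard TLS identifiers, but the server and client lists are constructed samples rather than iLO's actual configuration, and the selection rule (first common suite in the server's or the client's order) is a simplified model of the handshake.

```python
# Added illustration (not from the HP brief): how an AES/3DES-only policy
# changes cipher-suite selection. All lists below are constructed samples.
AES256 = "TLS_RSA_WITH_AES_256_CBC_SHA"
AES128 = "TLS_RSA_WITH_AES_128_CBC_SHA"
TDES = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
RC4_SHA = "TLS_RSA_WITH_RC4_128_SHA"
RC4_MD5 = "TLS_RSA_WITH_RC4_128_MD5"

# Hypothetical unrestricted server list, strongest first.
PERMISSIVE_SERVER = [AES256, AES128, TDES, RC4_SHA, RC4_MD5]

# Hypothetical client offers, in each client's own preference order.
CLIENTS = {
    "aes_capable": [AES256, AES128, TDES, RC4_SHA],
    "rc4_first": [RC4_MD5, RC4_SHA, TDES],
    "rc4_only": [RC4_MD5, RC4_SHA],
}


def restrict(suites):
    """Keep only suites whose bulk cipher is AES or 3DES."""
    return [s for s in suites if "_AES_" in s or "_3DES_" in s]


def negotiate(client_offer, server_suites, server_order=True):
    """Pick the first common suite; None means the handshake fails."""
    if server_order:
        ordered, other = server_suites, client_offer
    else:
        ordered, other = client_offer, server_suites
    return next((s for s in ordered if s in other), None)


def compare(server_order):
    """Map client name -> (suite before restriction, suite after)."""
    restricted = restrict(PERMISSIVE_SERVER)
    return {
        name: (negotiate(offer, PERMISSIVE_SERVER, server_order),
               negotiate(offer, restricted, server_order))
        for name, offer in CLIENTS.items()
    }


if __name__ == "__main__":
    for server_order in (False, True):
        print("server order honored:", server_order)
        for name, (before, after) in compare(server_order).items():
            print(f"  {name:12} {before} -> {after or 'handshake fails'}")
```

With the restricted list, the RC4-only client has no common suite and cannot connect, so confirm that every management workstation's browser or SSH client supports AES or 3DES before enforcing the restriction.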

AES encryption

iLO 2 v1.30 can restrict ciphers to AES/3DES using browser settings (through the Global Settings
page), XML scripting, or SM CLP.
The following is a complete list of communication channels that can employ AES encryption:
• Web browser (UI) – The current Mozilla browser, Firefox 2, supports AES Encryption. Internet
Explorer 7 is the first Microsoft product to do so.
• LOCFG/XML – A command line switch will be implemented that allows the user to select AES
encryption and the cipher strength.
• SSH – Both OpenSSH in Linux and PuTTY are capable of initiating AES sessions.
• LDAP – This is an outbound method of communication where iLO provides client-side
communication, and the LDAP server provides server-side communication.
Popular AES cipher strengths are supported through the web browser, XML and SSH.

Remote console and virtual serial port data encryption

The iLO processor uses the RC4 streaming cipher algorithm, a variable key-size stream cipher with
byte-oriented operations, to encrypt the remote console and virtual serial port sessions. Unlike a block
cipher, which encrypts several bytes of data at a time, a streaming cipher encrypts individual bytes of
data, using a different key for each. For more information on RC4, visit the website at
www.rsasecurity.com.
When a user requests either a remote console or a virtual serial port web page, iLO responds by
using the MD5 hash algorithm to create a pair of random 128-bit keys (the "pre-master secrets") and
a time-stamped session ID, as shown in Figure 13. These are the same session ID and MD5 hash
values discussed in the section titled "Login process for remote console and virtual serial port." One
key is used for encrypting data from the client to the server; the other is used to encrypt data from the
server to the client. The time-stamped session ID is part of an array entry that identifies the Telnet
session. This ensures that when the client browser attempts to start an encrypted data session, it can
identify itself with this session ID. The browser passes the 128-bit keys and the session ID to the client
by means of JavaScript files included in the browser. This ensures that the security keys and IDs are
sent encrypted.
Next, the client generates the RC4 encryption data by combining the pre-master secrets with a set of
zero bytes to generate the new 128-bit keys that will be used to initiate the RC4 encryption cipher.
The new keys are stored with the pre-master secrets in the dynamic memory space of the client
machine. They are not written to disk. The RC4 cipher algorithm generates a random stream of bytes.

This manual is also suitable for: iLO 2 v1.60, iLO v1.91