Ricoh smb scanning with end to end encyrption

[slimslob]

Sounds like SSL/TLS communication is set to default to cleartext.

Set network security to level 2.

You may also need to specify the SSL/TLS encrypted communication mode

1. Log in as the network administrator from the control panel.
2. Press [System Settings].
3. Press [Interface Settings].
4. Press [ Next].
5. Press [Permit SSL / TLS Communication].
6. Select the encrypted communication mode.
Select [Ciphertext Only], [Ciphertext Priority], or [Ciphertext / Cleartext] as the encrypted
communication mode.
7. Press [OK].
8. Log out.

The above is from the Cxx03 security guide. You may want to check the Security Guide for the IM350 for any differences.

[PrintWhisperer]

Most people don't enjoy reading Wiresharks but I'm just weird that way. I've spent so much time going over this with people I have these nice screenshots. I always find examples of someting succeeding help to compare to ones that go wrong.

The first one is the MFP's initial Negotiate Protocol Request packet (In Wireshark you double click on it and open the SMB portion). It shows a robust list of SMB versions presented to a server on connection.

The second is an example of a session which succeeds to negotiate to SMB3. Notice the several negotiate protocol requests as they settle on a version.
It shows the final Server Response packet where the version for the session is dictated.

The example shows the version is listed as a dialect code.You can look them up online.

This case fails on Active Directory authentication because of a config error. (incorrect username, pwd, etc) Shown in Wireshark as a 'Logon failure'

MFP_SMB_Dialects.jpgVersion_Negotiation.jpg

SMB 3.0 is the minimum version with 'end-to-end' encryption. It is built in to the protocol and you can see a reference to encryption in the second screenshot listed next to 'capabilities'

[tonerhead]

Thanks, it is similar to what we are seeing. The trouble is for some stupid reason you can see the username sent in cleartext, at that point security shuts the data stream down. The customer doesn't want even the username sent in cleartext. We can not figure out why it does it. We have cyphertext only checked, it still does it. Firmware is current. I think RIcoh is aware of problem but would rather sell their software streamline nx. They keep promising us a solution but are not delivering.

[slimslob]

Thanks, it is similar to what we are seeing. The trouble is for some stupid reason you can see the username sent in cleartext, at that point security shuts the data stream down. The customer doesn't want even the username sent in cleartext. We can not figure out why it does it. We have cyphertext only checked, it still does it. Firmware is current. I think RIcoh is aware of problem but would rather sell their software streamline nx. They keep promising us a solution but are not delivering.

Hope this helps.

Sounds like Cleartext/Ciphertext as the SSL/TLS encrypted communication mode. You may need to change it to either Ciphertext Only or Ciphertext Priority. The following is from the Security section of the online IM 350/350F/4230F/430Fb User Guide (Full Version).

Enabling SSL/TLS

After installing the device certificate in the machine, enable the SSL/TLS setting using a web browser from networked computers. (We use Web Image Monitor installed on this machine.)
This procedure is used for a self-signed certificate or a certificate issued by a certificate authority.
Open a web browser from a networked computer, and then log in to Web Image Monitor as the network administrator.
For details on how to log in, see Administrator Login Method.

Point to [Device Management], and then click [Configuration].

Click [SSL/TLS] under "Security".

For IPv4 and IPv6, select "Active" if you want to enable SSL/TLS.

Select the encryption communication mode for "Permit SSL/TLS Communication".

Select [Ciphertext Only], [Ciphertext Priority], or [Ciphertext / Cleartext] as the encrypted communication mode.

When you set "Permit SSL/TLS Communication" to [Ciphertext Only], communication will not be possible if you select a protocol that does not support a web browser, or specify an encryption strength setting only. If this is the case, enable communication by setting [Permit SSL / TLS Communication] to [Ciphertext / Cleartext] using the machine's control panel, and then specify the correct protocol and encryption strength.
To avoid the "The page cannot be displayed" message when you access Web Image Monitor without encryption, we recommend you select [Ciphertext / Cleartext].

[tonerhead]

Thanks will check into it.

[PrintWhisperer]

Thanks will check into it.

Do not bother it will not affect your problem.

SMB does not use SSL/TLS. That’s for email/web.

SMB does not behave like SSL/TLS.

As you saw in the Wireshark, SMB uses the NTLM protocol for authentication.
NTLM sends Domain and Username as a Unicode or OEM hex string. Wireshark decodes it to text. There is no option within the protocol to change this.

NTLM NEVER transmits a password, it uses a key encoded with the password.

NTLM has a few vulnerabilities but they have more to do with hijacking the session than getting credentials as username/password.

This protocol is typically used internally and not over the internet so ‘listening’ on the network to capture this would have to be inside the business.

I don’t know what ‘stopped by security’ means about when Domain/Username is sent(normally unencrypted), is that a person or some software? Hard to imagine software shutting down every NTLM auth on the network.

Logged on Domain clients already know the username when making SMB connections so that may be the difference they are seeing but unless your running a Windows client joined to the domain with logged on user on the MFP I don’t think there is a way to change this.

It (MFP) will need to tell the server who it is authenticating and to what Domain and there is no encryption method for this by definition. There is a method to confirm password match on both ends with a sort of shared key, and encryption for the data sent, but this alarm over ‘clear’ text is because they are not used to seeing it, but it’s perfectly normal.

[tonerhead]

You know, the more I listen to this thread, I am thinking the IT at this business is full of crap. I really don't think they know what they want. I'm sure their IT knowledge and security are eons beyond myself or the company I work for. They will not really help us to get this to work.

1. They have told me the Ricoh sends username in cleartext. Their security software on this server cuts the communication at that point.

2. The crazy thing is I can browse from the copier to the server and the share folder. As I browse to the server, it asks for username and password. I enter these and it lets me continue to browse the server to the share folder just fine. At this point I scan a document and it cacks. So it is accepting username and password just fine in browsing.

3. We are not allowed to know what, why, how they are doing in security.

4. Kyoceras work flawlessly.

What is Kyocera doing right? All of the same settings are in the Ricoh.

[slimslob]

You know, the more I listen to this thread, I am thinking the IT at this business is full of crap. I really don't think they know what they want. I'm sure their IT knowledge and security are eons beyond myself or the company I work for. They will not really help us to get this to work.

1. They have told me the Ricoh sends username in cleartext. Their security software on this server cuts the communication at that point.

2. The crazy thing is I can browse from the copier to the server and the share folder. As I browse to the server, it asks for username and password. I enter these and it lets me continue to browse the server to the share folder just fine. At this point I scan a document and it cacks. So it is accepting username and password just fine in browsing.

3. We are not allowed to know what, why, how they are doing in security.

4. Kyoceras work flawlessly.

What is Kyocera doing right? All of the same settings are in the Ricoh.

Are they using a different type of authentication on the Kyoceras?

[tsbservice]

Is there a way on this Ricoh model to force SMB v3 client only?

[PrintWhisperer]

You know, the more I listen to this thread, I am thinking the IT at this business is full of crap. I really don't think they know what they want.

I tend to agree, most IT flunkies don’t really understand the technology.

Sadly it comes back to getting a Wireshark capture as the only way to see what’s going on.

It will show exactly where the conversation breaks due to the security.

As you have seen Kyocera transmits the Domain/username the same as Ricoh in Unicode probably rather than OEM code.

We can assume if they are forcing SMB 3 on the server that the Ricoh offers SMB 3 or it wouldn’t move on to the NTLMSSP_Auth stage, and perhaps there is a problem with Ricoh negotiation there…
…but it’s all guess work without a capture.

SharkTap 1G $189.00 on Amazon.

P.S. In case you didn’t know the Wireshark samples I provided are from a Kyocera.