This random stream of bytes is combined in a Boolean XOR operation with the data being sent to create the encrypted data.

The client then sends a “connect” message to the server. Part of the “connect” message is a “start encryption now” signal and the session ID, after which all bytes are sent encrypted. The server uses the session ID to find the correct Telnet session and then begins decrypting the data using the RC4 cipher. Another Boolean XOR operation is performed on the encrypted data to recover the original data.
Figure 13. Remote console and virtual serial port encryption process
Every three minutes, the server will combine the pre-master secrets with the generated 128-bit keys to generate new 128-bit keys. These new keys are used to create a new set of RC4 data. The server sends a signal to the client indicating that it has generated the new RC4 data and will begin communicating using the new cipher. The client will perform the same operation when it sees the signal. It then sends a signal to the server indicating that it is using the new RC4 data. The signal is implemented with a byte-insertion protocol.
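The XOR-based RC4 stream and the three-minute key rotation described above, as an added worked example that is not code from the brief or from the iLO firmware. The RC4 key schedule and keystream generator are standard; the `rekey` combine step, the HMAC-SHA256 construction inside it, the 16-byte initial key and the sample messages are assumptions and constructed inputs, since the brief does not specify how the pre-master secrets and the 128-bit keys are combined.

```python
import hashlib
import hmac


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling (KSA) then keystream generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # PRGA: emit pseudo-random bytes
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_with_keystream(key: bytes, data: bytes) -> bytes:
    """One Boolean XOR serves both directions: the same call encrypts
    plaintext and recovers it from ciphertext, because (d ^ k) ^ k == d."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def rekey(pre_master_secret: bytes, current_key: bytes) -> bytes:
    """ASSUMED combine step: the brief only says the pre-master secret is
    combined with the current 128-bit key to derive a new 128-bit key.
    Modelled here as HMAC-SHA256 truncated to 16 bytes (128 bits)."""
    return hmac.new(pre_master_secret, current_key, hashlib.sha256).digest()[:16]


def simulate_session(pre_master_secret: bytes, initial_key: bytes, messages):
    """Client encrypts each message, server decrypts it, and both sides
    derive the next key in lockstep (the periodic rotation in the text).
    Returns what the server recovered, so it can be compared with the input."""
    client_key = server_key = initial_key
    recovered = []
    for plaintext in messages:
        ciphertext = xor_with_keystream(client_key, plaintext)
        recovered.append(xor_with_keystream(server_key, ciphertext))
        # Both sides rotate after signalling; they stay in sync only because
        # they share the pre-master secret and the previous key.
        client_key = rekey(pre_master_secret, client_key)
        server_key = rekey(pre_master_secret, server_key)
    return recovered
```

A client that misses the rotation signal keeps the old keystream and from then on decrypts to garbage, which is why the byte-insertion signal has to be acknowledged before either side switches.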
Secure Shell encryption
As previously discussed, the CLI uses SSH to encrypt the data stream both to and from the host server. The iLO processor encrypts the SSH data using either the 3DES-CBC or AES128-CBC cipher (refer to “Appendix B: SSH-2 support”). The SSH client negotiates with iLO to use one of those two ciphers.
Disabling and changing ports
Administrators can use the flexibility of the iLO design to change the port numbers of services or to disable services and utilities that are not necessary.