This invention relates generally to the field of networked printer systems and, in particular, to the field of networked printer systems that provide for secure transmission of print data across a network from a client device to a printer. More particularly, the invention relates to a printer driver that encrypts print data to provide end-to-end, client-to-printer, encryption for print data.
Printers are typically connected to a client device either directly or via a server. Where a printer is directly connected to client device, prior art systems permit encryption of print data sent from the client to the directly-connected printer. The use of a server is often advantageous over a directly-connected printer because it provides the ability to connect multiple client devices to one or more printers. Some networked printer systems utilize encryption to prevent the unauthorized viewing of the contents of print jobs.
In a client/server printing network environment, prior art print job encryption systems transmit the unencrypted print job from the client device to the server. The server then encrypts the print job and forwards it to the printer. Thus, anyone eavesdropping on the communications between the client device and the printer or anyone with access to the unencrypted print queue on the server can view the contents of the print jobs. These vulnerabilities are particularly relevant where the print jobs must be transmitted over an insecure network and where the server administrator is not authorized to view the contents of the print jobs.
Embodiments of the present invention provide a system for transmitting encrypted print job data across a network. The printer driver on the client device encrypts the print job data using a random AES key and uses the printer's public key to encrypt the random AES key. The print job data remains encrypted during transmission from the client device to the printer via the server. As such, the contents of the print job cannot be viewed by anyone who eavesdrops on the communications between the client device and the printer or by anyone who obtains the print job data from the server's data storage medium. The printer's public certificate, including the printer's public key, is promulgated to the client device via the server which stores the printer's public certificate with other data pertinent to the client device's printer driver.
In a first aspect of the present invention, a system may include an output device (such as a printer) including an output device cryptographic module; a client (such as a computer terminal) including a client output device driver having a client device cryptographic module; and a server operatively interposed between the client device and the output device on a network; such that the output device cryptographic module generates a first key and transmits the first key to the server, the server transmits the first key to the client device cryptographic module, the client device cryptographic module generates a second key and encrypts data using the second key, the client device cryptographic module encrypts the second key using the first key, the client device transmits the encrypted data and the encrypted second key to the output device cryptographic module via the server, the output device cryptographic module decrypts the encrypted second key and the encrypted data, and the output device produces an output corresponding to the data. It is within the scope of the invention to omit the use of the second key and to utilize only the first key of the above-described system. In such an alternative embodiment, the client device encrypts the data using the first key and transmits the encrypted data to the output device cryptographic module via the server.
In a detailed embodiment of the first aspect, the first key may be a public key of a public-private key pair and the second key may be a symmetric key. The client device may receive the client output device driver from the server via the network. The client device may receive an updated client output device driver from the server via the network if the updated client output device driver is available on the server but has not yet been installed on the client device. The updated client output device driver may include an updated first key. The output device may be a printer, the server may be a print server, and the client output device driver may be a printer driver.
In a second aspect of the present invention, a client output device driver may include a rendering component; a client device cryptographic module operatively connected to receive data from the rendering component; and a user interface operatively connected to the cryptographic component.
In a detailed embodiment of the second aspect, the client device cryptographic module may include a key generator adapted to generate a symmetric key and a data encryption component adapted to encrypt data using the symmetric key and to encrypt the symmetric key using a public key. The client output device driver may be a printer driver. The client output device driver may be installed on a client device and the client device may be operatively connected to an output device via a network. The output device may include an output device cryptographic module adapted to decrypt data encrypted by the client device cryptographic module. The output device cryptographic module may provide the public key to the client device cryptographic module via the network.
In a third aspect of the present invention, a method for securely transmitting an output device job may include the steps of: providing an output device including an output device cryptographic module; providing a client device including a client output device driver having a client device cryptographic module; providing a server which may be operatively interposed between the client and the output device on a network; generating a first key using the output device cryptographic module; transmitting the first key from the output device to the server via the network; transmitting the first key from the server to the client device; generating a second key on the client device cryptographic module; encrypting output data using the second key on the client device cryptographic module; encrypting the second key using the first key on the client device cryptographic module; transmitting the encrypted data and the encrypted second key from the client device to the output device cryptographic module via the server; decrypting the encrypted second key and the encrypted output data on the output device cryptographic module; and producing an output corresponding to the decrypted output data using the output device. The first key may be a public key of a public-private key pair and the second key may be a symmetric key. The step of providing the client device may include transmitting the client output device driver including the client device cryptographic module from the server to the client device. The method may further include the step of transmitting, from the server to the client device via the network, an updated client output device driver if the updated client output device driver is available on the server but has not yet been installed on the client device. The updated client output device driver may include an updated public key. The output device may be a printer, the server may be a print server, and the client output device driver may be a printer driver.
In a fourth aspect of the present invention, a method for securely transmitting data to an output device may include the steps of: providing a client device, a server, and an output device operatively interconnected on a network; storing, on the server, a client output device driver; transmitting a public key of the output device to the server; storing the public key of the output device on the server; transmitting from the server to the client device, upon request by the client device, the client output device driver; transmitting from the server to the client device, upon request by the client device, the public key of the output device; encrypting an output device job on the client device using a symmetric key; encrypting the symmetric key on the client device using the public key; transmitting the encrypted output device job and the encrypted symmetric key from the client device to the output device via the server; decrypting, on the output device, the encrypted symmetric key using a private key corresponding to the public key; decrypting the encrypted output device job using the decrypted symmetric key; and producing an output by the output device corresponding to the decrypted output device job.
The method may further include the steps of transmitting an updated public key from the output device to the server; storing the updated public key on the server; and transmitting, upon request by the client device, the updated public key from the server to the client device. Additionally, the method may further include the step of generating the public key using the output device. Further, the method may include the step of generating the symmetric key using the client device. The output device may be a printer.
In a fifth aspect of the present invention, a system may include an output device having an output device cryptographic module; a client device including a client device output device driver having a client device cryptographic module; and a server operatively interposed between the client device and the output device on a network. The output device cryptographic module may include means for generating a first key and/or means for transmitting the first key to the server. The server may include means for transmitting the first key to the client device cryptographic module. The client device cryptographic module may include means for generating a second key, means for encrypting data using the second key, and/or means for encrypting the second key using the first key. The client device may include means for transmitting the encrypted data and the encrypted second key to the output device cryptographic module via the server. The output device cryptographic module may include means for decrypting the encrypted second key and the encrypted data. The output device may include means for producing an output corresponding to the data.
These and other aspects and advantages of the present invention will become apparent to those skilled in the art upon consideration of the following detailed description of exemplary embodiments of the invention as presently perceived.
The detailed description particularly refers to the accompanying Figures in which:
Turning to
Security at the client device 20 is addressed by customary client device security measures. These measures provide security for the client device 20 as well as its data storage medium 22. Security of the output device data storage medium 102 is typically provided by existing output device security measures. Accordingly, these security measures, in conjunction with the present invention, provide end-to-end protection against unauthorized viewing of the contents of the output device job. In short, because the system encrypts the output job before it is spooled to the server 60, an individual who merely gains access to the server 60 is not able to view unencrypted output job data.
As used herein, the term “network” refers to one or more connections between devices using wired, wireless, fiber optic, or other electronic communications technologies. The present invention merely requires data connections between the client device 20 and the server 60 as well as between the server 60 and the output device 100; no particular technology or network configuration is implied. In addition, the network may include multiple interconnections between a plurality of client devices, servers, and output devices. It is also within the scope of the invention that the server 60 include one or more server devices or systems of computerized devices; and it is even within the scope of certain aspects of the present invention that the server 60 reside either partially or wholly on the client device 20 and/or the output device 100. Also, as used herein, the terms “component” and “module” (such as “cryptographic module”) may refer to hardware, software, or any combination thereof.
In an exemplary embodiment, the client device 20 is a conventional desktop personal computer running a MICROSOFT WINDOWS® operating system (WINDOWS® 2000 or later). The server 60 is a server running MICROSOFT WINDOWS® 2000 Server or WINDOWS SERVER® 2003, including the Microsoft “Point and Print” feature. The output device 100 is a printer (mono-color, color, or multi-function device) including an installed LEXMARK PRINTCRYPTION™ card. These devices are interconnected on a TCP/IP network. Accordingly, the description of the exemplary embodiment includes details specific to these devices. It is within the scope of the invention, however, to utilize other hardware and software, including, but not limited to, different client devices, servers, operating systems, output devices (such as, but not limited to, display devices, audio devices, and any type of printer, including dot matrix, inkjet, laser, thermal, and LED), networks, and encryption algorithms (such as, but not limited to, DES, 3DES, SHA1, Serpent, Twofish, RC6, and MARS), and encryption devices. In addition, it is within the scope of the invention to utilize other encryption schemes, such as, but not limited to, purely asymmetric key exchange for all transactions or the transmission of symmetric keys. It is to be understood that the cryptographic keys discussed herein may be included in cryptographic certificates. For example, the printer's public key may be included in the printer's public certificate which may be transmitted to the client device 20 via the server 60.
The exemplary embodiment utilizes public key infrastructure (“PKI”) cryptography. The LEXMARK PRINTCRYPTION™ card installed in the printer includes a pseudorandom number generator (“PRNG”) that produces a 1024 bit RSA public key (in the form of a self-signed X.509 certificate) and a corresponding 1024 bit RSA private key. These keys do not change unless the cryptographic module is removed from the printer or the key is intentionally regenerated.
As described in greater detail below, the printer 100 transmits the public key to the server 60 and the server 60 forwards the public key to the client device 20. The client device 20 uses a PRNG to generate an ephemeral 128, 192, or 256 bit session key, which it uses to encrypt the print job using the Advanced Encryption Standard (“AES”) Rijndael algorithm in either the electronic code book (“ECB”) or the cipher block chaining (“CBC”) mode with a block length of 128 bits. The client device 20 encrypts the session key using the public key. The encrypted session key is prepended to the encrypted print job and is referred to as the session key header (“SKH”). The client device 20 then transmits the SKH and encrypted print job to the printer 100. The printer 100 decrypts the SKH using its previously-generated private key, then it decrypts the print job using the session key.
In addition to the SKH, each encrypted print job also contains a universal exit language (“UEL”) command prior to the beginning of the actual print job data. Because the UEL command is a particular 9 byte series, it is used by the printer 100 to verify proper decryption of the print job. Essentially, if the decrypted print data does not begin with the UEL command, the printer 100 deletes the job and nothing is printed. This situation could arise if an unencrypted print job was sent to the encrypted printer port, a print job was encrypted using the wrong public key, or another printer on the same network was illegally using the same IP address.
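The client-side and printer-side steps described in the two preceding paragraphs (ephemeral session key, session key header, and the UEL acceptance check), as an added Go example that is not part of the patent or of any LEXMARK product. It assumes AES-256 in CBC mode with PKCS#7 padding, RSA-OAEP for wrapping the session key, a 2048-bit RSA key, and an SKH layout of its own (two-byte length, wrapped key, IV); the page specifies none of these details, and the sample print data is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// UEL is the PJL universal exit language command ESC %-12345X, the nine-byte
// marker that correctly decrypted print data must begin with.
var UEL = []byte{0x1b, '%', '-', '1', '2', '3', '4', '5', 'X'}

// PKCS#7 padding for AES-CBC (an assumption; the page names no padding scheme).
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptJob is the client driver side: an ephemeral AES-256 session key encrypts
// UEL||rawJob in CBC mode, the printer's RSA public key wraps the session key (OAEP
// assumed), and the SKH (assumed layout: 2-byte length, wrapped key, IV) is prepended.
func EncryptJob(printerPub *rsa.PublicKey, rawJob []byte) ([]byte, error) {
	secrets := make([]byte, 32+aes.BlockSize) // session key followed by IV
	if _, err := io.ReadFull(rand.Reader, secrets); err != nil {
		return nil, err
	}
	sessionKey, iv := secrets[:32], secrets[32:]
	block, _ := aes.NewCipher(sessionKey) // 32-byte key: cannot fail
	plaintext := pad(append(append([]byte{}, UEL...), rawJob...))
	ciphertext := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ciphertext, plaintext)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, printerPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	skh := append(binary.BigEndian.AppendUint16(nil, uint16(len(wrapped))), wrapped...)
	return append(append(skh, iv...), ciphertext...), nil
}

// DecryptJob is the printer cryptographic module side: unwrap the session key with
// the private key, decrypt, and accept the job only if it begins with UEL.
func DecryptJob(printerPriv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 2 || len(blob) < 2+int(binary.BigEndian.Uint16(blob))+aes.BlockSize {
		return nil, errors.New("truncated SKH")
	}
	n := 2 + int(binary.BigEndian.Uint16(blob))
	wrapped, iv, ciphertext := blob[2:n], blob[n:n+aes.BlockSize], blob[n+aes.BlockSize:]
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, printerPriv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("session key unwrap failed: %w", err)
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	plaintext := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plaintext, ciphertext)
	if plaintext, err = unpad(plaintext); err != nil {
		return nil, err
	}
	return checkUEL(plaintext)
}

// checkUEL is the page's acceptance rule: data not starting with UEL is deleted.
func checkUEL(plaintext []byte) ([]byte, error) {
	if !bytes.HasPrefix(plaintext, UEL) {
		return nil, errors.New("decrypted data does not begin with UEL; job deleted")
	}
	return plaintext, nil
}

func main() {
	printerKey, _ := rsa.GenerateKey(rand.Reader, 2048) // the page uses 1024-bit RSA
	blob, _ := EncryptJob(&printerKey.PublicKey, []byte("constructed RAW print data"))
	_, err := DecryptJob(printerKey, blob)
	fmt.Println("printer accepted job:", err == nil)
}
```

With OAEP, a job encrypted for a different printer's public key already fails at the session key unwrap step, so the UEL check mainly catches the other two cases the page lists (an unencrypted job sent to the encrypted port, or data whose symmetric layer was corrupted in transit); the server in between only ever handles the SKH and ciphertext.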
The following sequence of events occurs when a client device 20 initiates a print job. First, the client device 20 establishes a connection to the printer 100 via the MICROSOFT WINDOWS® “Point and Print” feature. In essence, this feature provides for the automatic download and installation onto the client device 20 of all printer driver 30, data, and configuration files necessary to send jobs to the printer 100. The server 60 stores these files and makes them available to client devices 20. If, when a user desires to print to a particular printer 100, the appropriate printer driver 30 is not already installed on the client device 20, the client device 20 downloads the driver 30 from the server 60 and installs it. In the exemplary embodiment, this is accomplished using the MICROSOFT WINDOWS® “Add Printer Wizard” feature. Additionally, even if an appropriate printer driver 30 is already installed on the client device 20, the client device 20 automatically communicates with the server 60 to determine whether an updated printer driver 30 is available on the server 60. If an updated driver 30 is available, the client device 20 automatically downloads and installs the updated printer driver 30.
Once the printer driver 30 is installed on the client device 20, the printer driver 30 queries the server's “PrinterDriverData” registry area 70 in the installed options table to obtain the printer's public key. The rendering module 32 of the printer driver 30 performs all necessary rendering of the print job, producing a RAW print job stored in unencrypted buffer 36. The RAW print job is provided to the cryptographic component along with the printer's public key, which is supplied via the user interface 34. The cryptographic component 38 encrypts the data and delivers it to encrypted buffer 40. It is within the scope of the invention for the cryptographic component to receive the RAW print job either as it is rendered or all at once after the rendering is complete. The printer driver 30 sends the encrypted buffer 40 to the print server 60 via the spooler 42 as a RAW print job, thus indicating that no processing by the server 60 is required. The print server 60 spools the encrypted print job to the printer 100 using spooler 68. The cryptographic module 102 decrypts the print job data and the printer 100 prints the job using print device 104.
In
Application 24 transmits unencrypted print commands to the printer driver 30 over paths 26, 28. Data pertaining to the graphics to be printed are transmitted over path 26 to the rendering component 32. Whenever the printer driver 30 is invoked on the client device 20 via path 28, the printer driver 30 checks if an updated version of the printer driver 30 exists on the server 60, and if so, the updated printer driver 30 is pulled down from the server 60. The rendering component 32 transmits the RAW unencrypted print data to the cryptographic component 38 over paths 44, 46 via unencrypted buffer 36.
The encrypted print job travels over paths 52, 200, and 202 to the client spooler 42, server spooler 68, and to the cryptographic module 102 in the printer 100. Finally, the decrypted print job is transmitted to the print device 104.
Although print server systems typically permit either the client device 20 or the server 60 to render print jobs, the printer driver 30 of the exemplary embodiment performs all of the required rendering. As such, the printer driver 30 spools all print jobs as RAW print jobs. This is because the server 60 is not able to access the contents of the encrypted print jobs due to the encryption and, therefore, the server 60 cannot perform any data manipulation in this exemplary embodiment.
Unencrypted or encrypted metadata corresponding to the encrypted print data may be generated prior to the encryption of the print job. For example, metadata pertaining to various print job attributes may be used by a managed print services system for billing and services purposes. Such metadata may include job identification number, originating computer, job name, originating user, copies, pages, N-up (printing more than one logical page on a physical page), duplex, color, bytes printed, job time, queue, port name, host name, serial number, model, IP address, paper type, paper size, scan type, pages scanned, original media size, collated, destinations, MAC address, and data source. The metadata may be appended or prepended to the encrypted print job or the metadata may be transmitted separately from the encrypted print job.
In the exemplary embodiment, the server's printer driver 66 is initially installed using software contained on a portable memory device such as a compact disk or a flash drive. It is within the scope of the invention to utilize other means of installing the server printer driver 66 including, but not limited to, transmission via the network. Additionally, the server 60 obtains the public key from the printer 100 via path 150. The printer driver 66 places the public key into the appropriate location 70 in the registry 64. In the exemplary embodiment, the server printer driver 66 and the client printer driver 30 comprise the same software; the client printer driver 30 is merely a copy of the server printer driver 66.
While exemplary embodiments of the invention have been set forth above for the purpose of disclosure, modifications of the disclosed embodiments of the invention as well as other embodiments thereof may occur to those skilled in the art. Accordingly, it is to be understood that the inventions contained herein are not limited to the above precise embodiments and that changes may be made without departing from the scope of the invention as defined by the claims. Likewise, it is to be understood that the invention is defined by the claims and it is not necessary to meet any or all of the stated advantages or objects of the invention disclosed herein to fall within the scope of the claims, since inherent and/or unforeseen advantages of the present invention may exist even though they may not have been explicitly discussed herein.