The invention relates generally to a system for secure printing and, more particularly, to an encryption system for printer/printer client communications that deters the unauthorized printing of encrypted data.
A variety of encryption systems have been devised to secure data transmissions between computers. One type of encryption security system often used for private and public network data transmissions uses both public and secret key cryptography. Public key cryptography uses a pair of keysxe2x80x94one private and one publicxe2x80x94for encryption. Secret key cryptography, by contrast, uses only one key for encryption. Dual key systems typically use the public/private key pair to authenticate the transaction and then a single secret xe2x80x9csessionxe2x80x9d key to encrypt the main data transmission and any other subsequent communications. The Secure Sockets Layer (SSL) protocol popular with TCP/IP application developers to secure data transmissions over the Internet is one example of a dual key encryption system. The SSL protocol works as follows.
1. The client computer requests a secure connection with a server computer and sends the server its public key.
2. The server generates a random message and sends the message to the client.
3. The client uses its private key to encrypt the random message received from the server and sends it back to the server.
4. The server decrypts the message using the client""s public key. If the decrypted message matches the random message generated by the server, the server knows it is communicating with the owner of the public/private key pair (i.e., the client).
5. The server then creates a secret session key, encrypts the session key with the client""s public key and sends it to the client.
6. The client decrypts the session key with its private key. The client and the server then use the session key to send and receive further communications.
While encryption security systems are widely known for use with client/server and other computer to computer data transmissions, such systems have not yet been adapted for use to secure communications between a printer client and a printer. Printer client to printer communications present a unique security problem because the confidential data is printed, and often at a printer accessible to numerous users. The security of a confidential print job may be breached if the encrypted print data is copied and then resubmitted to the printer as an authorized print job. The unauthorized copying of encrypted print data for the purpose of simulating an authorized print job is referred to as a xe2x80x9creplay attack.xe2x80x9d
Accordingly, the present invention is directed to an encryption security system for printer client/printer communications that reduces or eliminates the risk of replay attacks. The validity of a secure print job is determined using a public/private key pair. The printer client encrypts print data using the public key of the public/private key pair or, preferably, a session key. If the print job is determined to be valid, the printer decrypts the print data and prints the data. In one preferred version of the invention, the validity of the print job is determined by (1) the printer generating and storing a print session identifier, (2) the printer sending the session identifier to the printer client, (3) the printer client sending the session identifier back to the printer along with the encrypted print data in a manner that ties the session identifier to the print data, and (4) the printer determining if the session identifier received from the printer client has changed from that originally sent to the printer client and if the session identifier received from the printer client is in storage. If the session identifier has not changed and it is in storage, then the printer deletes the session identifier from storage and prints the print data.
The xe2x80x9cvalidityxe2x80x9d of a print job may be manifested in different ways for different embodiments of the invention and the printer""s response to an invalid print job may vary. If the printer actually detects an error, it may refuse the print request and report the error to the user. If the printer does not detect the error but the print job is not valid, it will print garbage. For example, if a session identifier is used as described above, the print job is determined to be not valid if the session identifier is not in storage and the print request is, therefore, refused. If a session identifier is not used, and the bare public/private key encryption is relied on to determine validity, then a print job is deemed not valid if the print data cannot be decrypted with the printer""s private key. In that case, the printer will print an error message or garbage in response to the invalid print request.
It is expected that, in most operating environments, the printer client will generate the session key, encrypt the session key using the printer""s public key and send the encrypted session key to the printer. The printer decrypts the session key using the printer""s private key and then uses the session key to decrypt the print data.
For added security, the invention may also include detecting any change in the print data made after the printer client sends the encrypted print data to the printer. This may be accomplished, for example, by the printer client computing a hash value for the print data. A hash value is a unique identifier for data computed from that data. The printer client encrypts the hash value using the session key and sends the encrypted hash value to the printer. The printer computes a hash value for the decrypted print data it has received. The printer decrypts the hash value from the printer client and compares it to the hash value it has computed for the decrypted print data. If the print data is modified between the printer client and the printer, then the hash value computed by the printer client from the original data will not match the hash value computed by the printer from the modified data, and the printer will not print the data. If the hash values are the same, the printer knows that no changes were made to the print data after it was send by the printer client, and the printer can then print the data.