The present invention is directed to a secured release system to transmit and image a print job, and more specifically to a system for securing the release of the transmission, rendering, and outputting of a print job at an imaging device, for print jobs that originate in traditional print spooling subsystems.
In today's business environments, it is often advantageous to provide one peripheral device to service multiple users. For example, as shown in FIG. 1, users (e.g. a group of secretaries, an accounting department, or all the employees in a small business) working at host devices 100 (e.g. computers) may be networked to a single imaging device 102. An imaging device 102 may be, for example, an MFP (Multi-Function Peripheral/Printer/Product), a printer, a facsimile machine, a copier, a scanner, a filing device, a document conversion device, or any imaging device known or yet to be discovered. In the simplest configuration, the users request the imaging device's services, and the imaging device 102 automatically provides the services (e.g. automatic printing). Because the imaging device 102 is generally located remote from at least some of the users, it is often desirable to provide some form of interactive printing. Interactive printing provides some form of security to ensure privacy, confidentiality, and/or simply that the correct user will be able to pick up his “print job” (which includes any type of imaging job including, but not limited to print, fax, copy, scan, and document manipulation) without it being picked up by another user, misplaced, or discarded.
A spooler 104 transmits print data to a printer by entering (“spooling”) the print data from client host devices 100 in a queue in order (e.g. the order of reception) and outputting (“de-spooling”) the print data in a predetermined or dynamically prioritized order to the printer. Exemplary traditional print spooling subsystems include those found in MS WINDOWS® and AS/400®. Any device or mechanism capable of entering the print data from client host devices 100 in a queue, for purposes of this description, will be referred to as a spooler 104. Any application, device, or mechanism capable of outputting the print data to the printer, for purposes of this description, will be referred to as a de-spooler 106.
Users often want to transmit print jobs securely. FIGS. 2-6 show prior art systems used to transmit and image print jobs. All the prior art methods, however, have significant problems.
FIG. 2 shows an apparatus used in an encryption method of automatic printing that prevents unauthorized access to a print job by encrypting the print job. In one such encryption method, an unsecured print job 114a is encrypted (encrypted print job 114b) at the host device 100 during the de-spooling process and decrypted (decrypted print job 114c) on the imaging device 102. It should be noted that the print job may be encrypted either at the transport layer or data layer, between the host device 100 and the imaging device 102. While this method provides security from unauthorized access during the transmission, it does not protect the print job from being accessed after the print job 114d has been output to an output bin 116.
FIG. 3 shows an apparatus used in a secured release output bin method of interactive printing. In this method, a confidential print job 118a is imaged and output/held in a secured release output bin 116a that is physically secured (e.g. using a lock and mechanical key) to prevent unauthorized retrieval or access to the print job 118a. Using a release mechanism (e.g. a key), the user is able to obtain access to an output bin 116b holding his print job 118b. It should be noted that the print job 118a in the output bin 116a is the physical document (print job 118b) that is in the output bin 116b, after the print job has been released. A variation of this system could include a mail-boxing system and sorter for feeding sheets from an imaging device 102 into multiple physically secured output bins where each output bin 116a is individually physically secured. When a user wants to keep his print job 118a confidential, he directs the output of the print job 118a to the respective secured output bin 116a to which he has physical access. One disadvantage of this method is that it requires a specially designed output bin. The multiple output bin 116a embodiment also requires a sufficient number of output bins 116a for distinct users with secured release rights (e.g. those having a key). Another disadvantage of this method is that it does not support any form of ad-hoc secured release.
FIG. 4 shows an apparatus used in a coded memory release method of interactive printing (“confidential print” or PIN printing). A confidential print job 122a (shown as Non-Output Imaged/Print Job 122a) is imaged and output/held in secured memory 120 that is secured using a coded virtual locking system (e.g. a code or personal identification number (PIN), hereinafter referred to as a secure release code 124) to prevent unauthorized retrieval or access to the confidential print job 122a. In this method, the secured memory 120 is memory or internal storage of the imaging device 102. The user may assign a secure release code 124 to a print job by entering the secure release code 124 during the generation of the print job. The secure release code 124 is generally hashed (one-way encryption) and the hash value is added to the confidential print job 122a. When the imaging device 102 receives the confidential print job 122a, it is fully rasterized (RIP) as a confidential print job 122a to be held in the secured memory 120. The owner of the confidential print job 122a can then release the confidential print job 122a by entering the respective secure release code 124 at the operations panel 126 of the imaging device 102. Generally, the device will hash (e.g. MD5) the entered secure release code 124, using the same hash algorithm as at the client side, and compare it to the hash value stored in the confidential print job 122a. The RIP pages of the confidential print job 122a are then developed and output as an output print job 122b. One disadvantage of this method is that the RIP confidential print jobs 122a consume considerable storage space in the secured memory 120 of the imaging device 102. The secured memory 120 would have to have sufficient storage capacity to allow other secured and non-secured release jobs to be processed on the imaging device 102 while the RIP confidential print jobs 122a are stored.
Thus, this may severely limit the number of confidential print jobs that can be processed at a time and, potentially, limit the number of non-confidential print jobs. Another disadvantage of this method is that if the imaging device 102 is physically compromised and the secured memory 120 is accessed while the RIP confidential print jobs 122a are stored, even if the confidential print jobs 122a are encrypted, they may contain visible “unencrypted” content. Yet another disadvantage of this method is that if confidential print jobs 122a are forgotten (i.e. not picked up by the issuer), the storage space used by the RIP confidential print jobs 122a is indefinitely consumed until an operator with the appropriate authorization is able to delete the confidential print jobs 122a from secured memory 120.
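The release-code check described for FIG. 4, as an added example that is not part of the original document or of any product's code: the client hashes the secure release code into the job and the device re-hashes the panel entry and compares. It sets the MD5 form the text mentions beside a salted, slow-KDF form with a panel attempt limit; the job record fields, `KDF_ROUNDS` and `MAX_ATTEMPTS` are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

KDF_ROUNDS = 100_000   # assumed work factor
MAX_ATTEMPTS = 3       # assumed panel lockout threshold

def make_job_md5(payload: bytes, code: str) -> dict:
    # Client side as described: hash the release code, attach the hash to the job.
    return {"payload": payload, "code_hash": hashlib.md5(code.encode()).digest()}

def check_md5(job: dict, entered: str) -> bool:
    # Device side: same algorithm on the entered code, then compare.
    return hmac.compare_digest(hashlib.md5(entered.encode()).digest(), job["code_hash"])

def make_job_kdf(payload: bytes, code: str) -> dict:
    # Hardened variant: per-job random salt and a slow KDF.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, KDF_ROUNDS)
    return {"payload": payload, "salt": salt, "code_hash": digest}

def check_kdf(job: dict, entered: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", entered.encode(), job["salt"], KDF_ROUNDS)
    return hmac.compare_digest(digest, job["code_hash"])

class HeldJob:
    """A job held in device memory until the operations panel releases it."""
    def __init__(self, job: dict, check):
        self.job, self.check, self.failures = job, check, 0

    def release(self, entered: str):
        # Returns the payload on success, None on a wrong code or after lockout.
        if self.failures >= MAX_ATTEMPTS:
            return None
        if self.check(self.job, entered):
            self.failures = 0
            return self.job["payload"]
        self.failures += 1
        return None

def demo() -> dict:
    doc = b"constructed sample page data"   # constructed input
    a, b = make_job_md5(doc, "4821"), make_job_md5(doc, "4821")
    c, d = make_job_kdf(doc, "4821"), make_job_kdf(doc, "4821")
    held = HeldJob(c, check_kdf)
    wrong = [held.release(g) for g in ("0000", "1111", "2222")]
    return {"md5_hashes_match": a["code_hash"] == b["code_hash"],
            "kdf_hashes_match": c["code_hash"] == d["code_hash"],
            "wrong_codes": wrong,
            "after_lockout": held.release("4821"),
            "fresh_release": HeldJob(d, check_kdf).release("4821")}
```

Two jobs carrying the same code have identical stored values under the unsalted hash and different ones under the salted KDF, and the held job stays locked after three wrong entries even when the correct code follows.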
FIG. 5 shows an apparatus used in a coded memory execution and release method of interactive printing. In this method, both the host device 100 and imaging device 102 have an ID reader 130 (e.g. an optical reader) for entering an ID card 132. When the user submits a print job 134a, he inserts his ID card 132 into the ID reader 130 at the host device 100. The host device 100 imaging system then adds an ID code, generally hashed, to the print job 134a and transmits the ID code and print job to the imaging device 102 as unexecuted print job 134b. The unexecuted print job 134b is then stored in the imaging device 102. The user can access and execute (e.g. RIP and output) the print job 134c, 134d by entering his ID card 132 at the ID reader 130 of the imaging device 102. One disadvantage of this method is that the unexecuted print jobs 134b, while not RIP, can still consume significant storage space in the imaging device 102 memory. Another disadvantage of this method is that if the imaging device 102 is physically compromised and the storage therein is accessed while the unexecuted print job 134b is stored, the unexecuted print job 134b can be retrieved. If the unexecuted print job 134b is unencrypted, it could be processed at a different location to reveal the content. If the unexecuted print job 134b is encrypted, its contents could still be accessed if the encrypted code is hacked. Yet another disadvantage of this method is that if secured unexecuted print jobs 134b are forgotten (i.e. not picked up by the issuer) the storage space used by the forgotten unexecuted print job 134b is indefinitely consumed.
FIG. 6 shows an apparatus used in a remotely stored method of interactive printing. In this method, the user sends the print job 140a from the host device 100 to a secure release print server 142 along with a secure release code 143. The print job 140b is then held on the print server 142. The user releases the print job 140b by entering the secure release code 143 at the operation panel 144 of the imaging device 102. The imaging device 102 then contacts the secure release print server 142, passing it the entered secure release code 143. The print server then de-spools to the imaging device 102 the print job 140c related to the secure release code 143. The print job is then developed 140d and output as an output print job 140e to the output bin 116. While the print job is not held in a secured release mode on the imaging device 102, this method still suffers in that the print job 140 is held (taking up memory) at an intermediate location (i.e. secure release print server 142) between the host device 100 and the imaging device 102, which could be compromised. For example, an operator with print administration rights on the secure release print server 142 could make a copy of the print job 140c and process the print job 140c at another location.