GB2473283A - Accessing a Smart Card - Google Patents

Publication number
GB2473283A
Authority
GB
United Kingdom
Prior art keywords
card
access
application
smart card
printer
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
GB0915662A
Other versions
GB0915662D0 (en)
GB2473283B (en)
Inventor
Karsten Huster
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Canon Europa NV
Original Assignee
Canon Europa NV
Application filed by Canon Europa NV
Priority to GB0915662.1A
Publication of GB0915662D0
Publication of GB2473283A
Application granted
Publication of GB2473283B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G06F21/608 Secure printing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K7/00 Methods or arrangements for sensing record carriers, e.g. for reading patterns
    • G06K7/10 Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation
    • G06K7/10009 Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation sensing by radiation using wavelengths larger than 0.1 mm, e.g. radio-waves or microwaves
    • G06K7/10118 Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation sensing by radiation using wavelengths larger than 0.1 mm, e.g. radio-waves or microwaves the sensing being preceded by at least one preliminary step

Abstract

An image-processing apparatus is provided for accessing a smart card. The image-processing apparatus comprises a printer 62, a print server 61, and a card reader 621. The printer 62 comprises a card access application, and the print server comprises a card configuration application. The card access application receives first information relating to an identity of the smart card obtained from the smart card by the card reader 621. The access application obtains card access configuration details corresponding to the first information from the card configuration application and uses the obtained configuration details to access the smart card introduced to the smart card reader 621. The card configuration application is configured so that, in a case of receipt of the first information, the card configuration application sends to the card access configuration application said card configuration details for allowing the card access application to access the smart card.

Description

APPARATUS FOR ACCESSING A SMART CARD
BACKGROUND OF THE INVENTION
Field of the Invention
[0001] The present invention provides an apparatus for accessing a smart card. In particular, the present invention relates to an apparatus for accessing a smart card via a card reader connected to or built into a printer in order to allow enhanced security for print jobs being received by the printer.
Description of the Related Art
[0002] Smart cards are cards with microchips embedded in them. The level of sophistication of such cards varies, but some cards can act like small computers and are able to perform cryptographic operations, control file access on the card etc. Whilst there is some standardization in the physical form of smart cards and the communication protocols used to communicate with smart cards, the functionality and commands needed to access smart cards vary depending on the card's type and function.
[0003] An open source software application called "OpenCT" implements drivers for certain smart card readers. The drivers are accessible by an application (such as an email application) via an encryption module called "OpenSC". Figure 1 shows how these software applications are typically arranged.
[0004] At a bottom abstraction layer is hardware of the device on which the email application is running. This hardware will vary from installation to installation but is likely to be made up of typical computer hardware (CPU, ROM, RAM, bus etc). Above the hardware, a kernel controls access to the hardware. Above the kernel, OpenCT runs as an application. OpenCT functions as a device driver that is operable to send appropriate commands to the card reader via the kernel allowing communication with the smart card reader. OpenSC operates above OpenCT and provides a library that defines the functionality and commands accepted by various different types of smart card. It should be understood that OpenCT deals with commands acceptable to the card reader and has drivers for various different types of card reader, whereas OpenSC deals with commands acceptable to the smart card and has specifications for various different types of smart card. At the top level, the email application is the application that wishes to access information from the smart card, perhaps for the purpose of digitally signing an email.
[0005] At the driver level, OpenCT has a capability to provide remote access to a card reader on another computer using TCP/IP. In order to achieve such a configuration, the email application, OpenSC, and OpenCT are installed on the first machine and OpenCT and the card reader are provided on a second machine connected to the first machine via a network. This configuration is shown in Figure 2. As can be seen from Figure 2, communication across the network occurs at the driver level.
[0006] In a different technical field, print servers are used to distribute print jobs to printers. A typical configuration is shown in Figure 3. A client 31 is connected to a network 30 (depicted as a cloud in Figure 3). Also connected to the network are a print server 32 and two printers 33. In practice any number of printers or clients may be connected to the network. The client includes a printer driver which is configured to convert print jobs from an application (such as Word RTM) into a page description language and to send the converted print job to the print server for storage on a print queue.
[0007] The print server has one or more print queues which store print jobs for the client or clients before release to the printers.
[0008] Among the latest printers there are quite sophisticated multi-functional peripherals (MFP). For example, an MFP may be capable of printing, scanning, copying, emailing scanned documents, receiving and sending faxes, storing received documents, document preview functionality etc. The terms "MFP" and "printer" will be used interchangeably in this specification. It is to be understood that the term "printer" means any device that is capable of printing, whereas the term "MFP" means the particular class of printers that are capable of performing other operations such as scanning, and/or emailing etc. As the invention described hereafter does not rely on any of the other functions of an MFP, the skilled person will understand that where, in examples or embodiments, the term MFP is used some other type of printer may be used instead.
[0009] In order to support a wide range of functions and to allow provision of third party services, some MFPs are provided with a facility for installing and running applications provided in addition to the core software provided with the MFP. By way of example, some of Canon's MFPs are provided with a facility called MEAP (Multifunctional Embedded Application Platform), which will now be described.
[0010] Figure 4 shows the structure of MEAP installed on a Canon MFP. Above the operating system, a Java virtual machine allows the running of Java applets, servlets and esplets. Applets are applications that display a user interface on the MFP console, servlets are applications which have a user interface displayable on a remote browser, and esplets are applications that have no user interface.
[0011] Canon Class Libraries, shown in Figure 4, are libraries that enable various functionality on the MFP, including a library that allows use of native device functions, such as scanning or printing.
[0012] A service management system provides support for MEAP system services. Such system services allow MEAP applications to be installed and executed on the MFP. Examples of such services are a log-in management service, an applet viewer service that allows MEAP applets to display screens on the console of the MFP, and an HTTP service that allows a MEAP applet to display a remote web interface.
[0013] MEAP applications are applications that may be installed and run on MEAP. Such applications may be provided with the MFP or developed by third parties for the MFP.
[0014] Returning to the printing system shown in Figure 3, in a secure printing setup, print jobs are not released by the print server to the printer until the user who sent the print job identifies him or herself at the printer 2. A conventional identification mechanism is based on a user identifying himself at the printer using an RFID card with an identification number stored on it.
[0015] In a secure printing process, a user prints to a secure print queue on the print server 32 from the client PC 31. The user then goes to a printer 32 and identifies himself to the printer using the RFID card. A MEAP applet controls log-in to the printer 33. The MEAP applet retrieves the unique number from the RFID card and sends the unique number to a print server application on the printer server 32. The printer server application compares the received unique number with entries on an access control list. The access control list includes a list of users, identified by the unique numbers, who are allowed to access the printer/print server. If the received unique number is on the access control list, the print server application sends an accept message to the MEAP applet, which then logs the user into the MFP. If the received unique number is not on the access control list, the print server application sends a decline message to the MEAP applet and the MEAP applet displays an error message to the user without logging the user onto the MFP 33. This process is illustrated in Figure 5.
[0016] In the above example, access is controlled by reference to an access control list. However, in other examples, the print server may refer the query to an active directory server, which stores in association with user's details the number stored on the RFID card and permissions data for access to the print server. The active directory server replies to the query from the print server and the result of the query is reported to the printer as in the example described above.
[0017] The printer/server mechanism described above uses simple identification using RFID cards and it would be desirable to be able to use more sophisticated and secure technology to identify users at the printer. In particular, it would be desirable for a user to be able to use a smart card to access the MFP. However, implementation of such technology poses several challenges.
[0018] Smart cards are considerably more sophisticated than RFID cards. Further, while smart cards are subject to some standardization such as ISO/IEC 14443 as implemented by, for example, LEGIC or Mifare, smart cards still vary substantially with many different types of card and operating systems being used. Accordingly, for different offices or installations it is quite likely that different libraries will need to be used to access different types of smart card used. Further, it is possible that in a given installation more than one type of smart card may be in use.
[0019] Further, although modern MFPs are sophisticated in their design and capabilities, their resources are still somewhat limited. Levels of memory and processing power are at a premium and the capabilities are still substantially less than those available on a conventional PC. These limitations make implementing smart card technology on MFPs difficult.
SUMMARY OF THE INVENTION
[0020] The present invention aims to allow implementation of smart card login in a secure printing system taking into account some of the limitations mentioned above.
[0021] According to a first aspect of the invention there is provided an image-processing apparatus for accessing a smart card, comprising a printer and a print server, the printer and print server connected to each other via a network so that the printer can receive print jobs from the print server, and comprising a card reader associated with the printer and adapted to access a smart card that stores identity information relating to a user of the printer; wherein the printer comprises a card access application, and the print server comprises a card configuration application; and wherein the card access application is configured to: in a case of introduction of a smart card to the card reader, receive first information relating to an identity of the smart card obtained from the smart card by the card reader; to obtain card access configuration details corresponding to the first information from the card configuration application; and to use the obtained card access configuration details to access the smart card introduced to the smart card reader; and the card configuration application is configured so that, in a case of receipt of the first information, the card configuration application sends to the card access configuration application said card configuration details for allowing the card access application to access the smart card.
[0022] In some embodiments the card access application is configured to cause the printer to display a PIN entry screen to allow a user to enter a PIN to access the smart card. The card access application may be configured to use the entered PIN to access the smart card.
[0023] In some embodiments the card access application comprises class information, such as a JAVA class, which is configurable by the card access configuration details to allow access to the smart card. The class information may be configurable using data values known as primitives.
[0024] In some embodiments the card access application is configured by the card access configuration details to access the smart card to initiate a signature process within the smart card.
[0025] The apparatus may comprise permission checking means for identifying at least one permission associated with the user. The permission may be permission to access or log-in to the printer and/or print server. The permission checking means may be a permission checking server which stores permission information regarding a right to access or log-in to the printer and/or print server.
[0026] The image-processing apparatus may be configured so that the card access application is configured to obtain the card access configuration details corresponding to the first information from the card configuration application upon startup of the printer or initialization of the card access application. In this way, the need to obtain the card access configuration details while a user is trying to log-in may be obviated. Further, the card access configuration details may only be downloaded at the time that the printer is started up or the card access application is initialized, rather than every time a user logs-in.
[0027] The card access configuration details may comprise any one of: a primitive to configure a class, a script, a password, location details of information on the smart card, and details of how to access a function on the smart card. The class refers to a class in an object oriented programming language, such as a JAVA class.
[0028] According to a further aspect of the present invention there is provided a method for accessing a smart card performed by an image-processing apparatus, the image-processing apparatus comprising a printer connected to a print server via a network and capable of receiving print jobs from the print server, and a card reader associated with the printer and adapted to access a smart card that stores identity information relating to a user of the printer; wherein the printer comprises a card access application, and the server comprises a card configuration application; the method comprising: in a case of introduction of a smart card to the card reader, the card access application receiving first information relating to an identity of the smart card obtained from the smart card by the card reader; the card access application obtaining configuration details corresponding to the first information from the card configuration application; the card access application using the obtained card access configuration details to access the smart card introduced to the smart card reader; and the card configuration application, in a case of receipt of the first information, sending to the card access application said card access configuration details for allowing the card access application to access the smart card.
[0029] According to a further aspect of the present invention there is provided a card access application for a printer connected to a print server via a network and capable of receiving print jobs from a card configuration application on the print server, the printer having a card reader associated with it that is adapted to access a smart card that stores identity information relating to a user of the printer; wherein the card access application is configured to: in a case of introduction of a smart card to the card reader, receive first information relating to an identity of the smart card obtained from the smart card by the card reader, to obtain card access configuration details corresponding to the first information from the card configuration application; and to use the obtained card access configuration details to access the smart card introduced to the smart card reader.
[0030] According to a further aspect of the present invention there is provided a card configuration application for a print server connected to a printer via a network and capable of sending print jobs to a card access application on the printer, the printer having a card reader associated with it that is adapted to access a smart card that stores identity information relating to a user of the printer; and wherein the card configuration application is configured: to receive from the card access application first information from a smart card introduced to the card reader; and to send to the card access application configuration card access configuration details for allowing the card access application access to the smart card.
[0031] According to a further aspect of the present invention there is provided an image-processing apparatus for accessing a smart card, comprising a printer connected to a print server via a network and capable of receiving print jobs from the print server, and a card reader associated with the printer and adapted to access a smart card that stores identity information relating to a user of the printer; wherein the printer comprises a card access application and the print server comprises a card reading application; and wherein the card access application is configured to drive the card reader under remote control of the card reading application, and the card reading application is configured to cause the card access application to access the smart card.
[0032] In some embodiments the card reading application is configured to cause the printer to display a PIN entry screen to allow a user to enter a PIN to access the smart card. The card access application may be configured to use an entered PIN to access the smart card.
[0033] In some embodiments the card reading application is configured to receive identity information of the card in response to introduction of the card to the card reader. The card reading application may be configured so that in a case that identity information identifying the card is received by the card reading application, the card reading application looks-up configuration details relating to the card inserted in the card reader. The card reading application may further be configured to use the configuration details to access the smart card.
[0034] In some embodiments the card reading application is configured to access the smart card to initiate a signature process within the smart card.
[0035] Another aspect of the present invention can provide a method of an image-processing apparatus for accessing a smart card, the image-processing apparatus comprising a printer connected to a print server via a network and capable of receiving print jobs from the print server, and a card reader associated with the printer and adapted to access a smart card that stores identity information relating to a user of the printer; wherein the printer comprises a card access application, and the print server comprises a card reading application; the method comprising: the card access application driving the card reader under remote control of the card reading application, and the card reading application causing the card access application to access the smart card.
BRIEF DESCRIPTION OF THE DRAWINGS
[0036] Embodiments of the present invention will now be described, by way of example only, with reference to the accompanying figures in which:
[0037] Figure 1 shows a typical configuration of a device implementing openCT;
[0038] Figure 2 shows a configuration of openCT in which software accesses a card reader remotely using TCP/IP;
[0039] Figure 3 shows a typical setup of a printing system including a client PC, a print server, and two printers;
[0040] Figure 4 shows the structure of the MEAP platform;
[0041] Figure 5 shows exchange of information during log-in processing on the conventional printing system shown in figure 3;
[0042] Figure 6 shows an image-processing apparatus of a first embodiment of the present invention;
[0043] Figure 7a shows the structure of a MEAP SC application;
[0044] Figure 7b shows the structure of a print server application;
[0045] Figure 8 is a flow chart showing steps for accessing a smart card;
[0046] Figure 9 is a flow chart showing steps of an alternative method for accessing a smart card;
[0047] Figure 10 is a flow chart showing steps for performing log-in processing in the first embodiment of the present invention;
[0048] Figure 11 shows an image-forming apparatus of a second embodiment of the present invention;
[0049] Figure 12 is a flow chart showing steps to perform log-in processing in the second embodiment of the present invention.
DESCRIPTION OF THE EMBODIMENTS
First embodiment
General setup
[0050] Figure 6 shows an apparatus for accessing a smart card. The apparatus comprises a print server 61, a printer in the form of an MFP 62, and an active directory server 63. The print server has a print server application 7 (see Figure 7) installed on it that manages print jobs on a secure print queue. The print server is connected to one or more client computers (not shown) to receive print jobs in a conventional manner.
[0051] The MFP 62 is of the type described in the introductory portion of this patent application and has MEAP installed on it so that it can run MEAP applications. Attached to the MFP 62 via a USB port is a smart-card reader 621. In Figure 6 the smart-card reader is shown attached to the printer 62. However, in other embodiments, the smart-card reader may be built into the MFP 62.
[0052] One or more users of the apparatus are each provided with a personal Integrated Circuit Card (hereinafter referred to as a "smart card"). The smart card is readable by the smart-card reader and has stored on it an X.509 certificate including, unique to the respective user, details of the user's public key, other user details such as the user's name and/or email address. The smart card also stores the user's private key that corresponds to the user's public key. The smart card has a function to allow signature of data using the user's private key.
[0053] The smart-card reader 621 is capable of accessing the smart card. Some smart-card readers operate by inserting the smart card into the reader so that metal contacts on the card reader align with metal contacts on the smart card. Other smart card readers operate using contact-less technology so that the smart card does not need to be inserted into the card reader. These two options, and others, may be termed introduction of the smart card to the smart-card reader 621, which means arranging the smart card and smart-card reader to allow the smart-card reader to communicate with the smart card.
[0054] The Active directory server 63 is an LDAP (Lightweight Directory Access Protocol) server including Active directory software provided by Microsoft (RTM). The Active directory server includes a database of user details for the one or more users and their associated X.509 certificates. As above, the X.509 certificate for a user includes details of the user's public key and associated user identification details such as the user's name and/or email address. The Active directory server 63 also stores print access permissions for each user in association with the user's other details.
[0055] The client computer (not shown), print server 61, MFP 62, and Active Directory server 63 are all connected to a common network and can communicate with each other.
[0056] Installed on the MFP 62 is a card access application 622 (see Figure 7a) in the form of a MEAP application (referred to hereinafter as "MEAP SC application") for controlling access to a smart card on the card reader 621. The structure of the MEAP SC application 622 is shown in Figure 7a and comprises a CCID (Credit Card Identification) driver 6221, Java class 6222, APDU scripting 6223, and CCID over TCP driver 6224. The MEAP USB interface is a system service that allows the MEAP SC application to access the USB port to which the smart card reader is attached.
[0057] For easier understanding of the following, it is noted that an APDU is an "Application Protocol Data Unit" and is a basic command or instruction passed between a terminal and a smart card. APDUs are defined in ISO 7816-4 of the International Organization for Standardization.
[0058] The CCID driver 6221 is a hardware driver that drives the smart-card reader 621. In this embodiment both the driver and the smart card reader conform to the USB CCID specification for controlling the smart-card reader.
[0059] The JAVA class 6222 includes a configurable description of how to interact with a smart card inserted in the smart-card reader 621. The CCID over TCP driver allows commands to be sent and received from the smart-card reader by the print server application installed on the server 61. One type of APDU scripting referred to as ICARUS will be described below by way of example.
[0060] In addition to the above components, the MEAP SC application comprises a run-time system (not shown), which is a collection of libraries and services available to scripts running as part of the MEAP SC application. The MEAP SC run-time system is provided in addition to the systems and services described above in connection with MEAP.
[0061] Figure 7b shows the structure of the print server application 7. The print server application comprises a database 71 including a plurality of records. Each record comprises a smart-card identification (ATR ID) and associated parameters to be used to configure the MEAP SC application for the smart card concerned. Details of the data stored are provided later in the present specification. Although a database is shown here, it should be appreciated that in other embodiments the data could be stored in a file or other computer-readable structure.
[0062] The print server application 7 also comprises a Windows smart card library 72 and a virtual USB driver 73. The functions of these modules will be explained in connection with the second embodiment.
Communication between the print server application and the MEAP SC application
[0063] Communication between the print server application and the MEAP SC application takes place using a scripting language, referred to herein as ICARUS. The precise details of the ICARUS language, which is a proprietary language, are not necessary to understand or implement the present invention and so are not described in detail here. Suffice to say that ICARUS is an XML based scripting language that can carry parameters between the print server application and the MEAP SC application. Parameters may be sent by one application according to code on the sending side and received and processed by the other application on the receiving side.
[0064] The MEAP SC application can communicate with the card reader using APDUs. However, in order to be able to send appropriate APDUs to the card reader to perform any particular function, the appropriate APDUs for the particular smart card in the card reader 621 need to be identified. The run-time of the MEAP SC application provides the MEAP SC application with the ability to load and run smart card drivers/libraries in three ways. The first way is to load and run the ICARUS APDU script (a first type of driver/library), the second way is to load and run the JAVA class (a second type of driver/library) to allow access to the smart card in the card reader. The third way is for the run-time system to cause the CCID over TCP driver 6224 to download commands from the print server 61. The first two of these options will be described in connection with the first embodiment. The third of the options will be described in connection with the second embodiment, which is simply a different configuration of the same software as the first embodiment.
[0065] Figure 8 is a flow chart explaining access to a smart card inserted in the smart-card reader using ICARUS APDU scripting. In step S81, an Integrated Circuit card (ICC, also referred to as a smart card) is inserted into the smart-card reader 621. In response to the insertion of the smart card, the smart-card sends a signal to the smart-card reader 621. The signal sent is known as "answer to -20 -reset" and is specified in the Iso 7816-3 standard. The answer to reset signal includes an AIR identification (AIR ID) that identifies the particular card inserted into the smart-card reader 621 (step S82) . In other embodiments identity information about the smart card may be extracted by sending and receiving appropriate APDU5 between an ICARUS APDU script and the smart card.
[0066] In step S83, the ICARUS APDU scripting sends the extracted ATR ID to the print server application (shown as communication C1 in Figure 6). In response to receipt of the ATR ID, in step S84, the print server application refers to the database and returns parameters which are stored in the database 71 in association with the ATR ID (shown as communication C2 in Figure 6). The parameters define the properties of the smartcard sufficiently to allow access to the smart card. Such parameters could include such things as passwords required to access the card (other than the user's PIN), stored location of the X.509 certificate on the smart card, details of how to access the signature function of the smart card, etc. The parameters could include an APDU script to allow log-in processing to be initiated on the smart card.
[0067] In step S85, the ICARUS APDU scripting runs a script, which is configured by the received parameters, to allow access to the smart card. This step may include displaying a PIN identification screen on a user-interface of the MFP 62 to allow a user to enter a PIN (Personal Identification Number). When the PIN has been entered the PIN is passed to the smart card in order to allow access to the smart card function to send a log-in request.
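Steps S82 to S85 as an added sketch, not code from the patent or from the MEAP platform: the answer to reset is parsed and checksum-checked per ISO 7816-3, used as the key into a stand-in for database 71, and the returned parameters shape an ISO 7816-4 VERIFY (PIN) command. The database contents, field names, the use of the full ATR as the lookup key and the sample ATR are all constructed assumptions.

```python
"""ATR-keyed card parameters driving a PIN VERIFY APDU (added example)."""
from functools import reduce

# Constructed sample: TS=3B, T0=95 (TA1+TD1, 5 historical bytes), TA1=13,
# TD1=81, TD2=01 (T=1), historical bytes "DEMO1", TCK=34.
SAMPLE_ATR = bytes.fromhex("3B9513810144454D4F3134")


def parse_atr(atr: bytes) -> dict:
    """Split an ISO 7816-3 ATR into interface bytes, protocols and historical bytes."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte or ATR too short")
    y, k = atr[1] >> 4, atr[1] & 0x0F      # T0: Y1 bitmap and historical byte count
    pos, index, interface, protocols = 2, 1, {}, set()
    while y:
        next_y = 0
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if not y & bit:
                continue
            if pos >= len(atr):
                raise ValueError("ATR truncated in interface bytes")
            interface[f"{name}{index}"] = atr[pos]
            if name == "TD":               # TD names a protocol and the next group
                protocols.add(atr[pos] & 0x0F)
                next_y = atr[pos] >> 4
            pos += 1
        y, index = next_y, index + 1
    protocols = protocols or {0}           # no TD byte at all means T=0 by default
    historical = atr[pos:pos + k]
    if len(historical) != k:
        raise ValueError("ATR truncated in historical bytes")
    pos += k
    if protocols != {0}:                   # TCK is present unless only T=0 is offered
        if pos >= len(atr) or reduce(lambda a, b: a ^ b, atr[1:pos + 1]) != 0:
            raise ValueError("missing or wrong TCK checksum")
        pos += 1
    if pos != len(atr):
        raise ValueError("trailing bytes after ATR")
    return {"interface": interface, "protocols": sorted(protocols),
            "historical": historical}


# Stand-in for database 71 on the print server; every value is constructed.
CARD_DB = {
    SAMPLE_ATR.hex().upper(): {
        "pin_ref": 0x01,      # P2 of VERIFY: which PIN object on the card
        "pin_min": 4,         # shortest PIN accepted at the panel
        "pin_block": 8,       # PIN is padded to this many bytes
        "pad": 0xFF,          # padding byte
    },
}


def lookup_parameters(atr: bytes) -> dict:
    """Print-server side (S84): answer only for a well-formed, known ATR."""
    parse_atr(atr)                         # reject malformed input before the lookup
    params = CARD_DB.get(atr.hex().upper())
    if params is None:
        raise LookupError("unknown card type")
    return params


def build_verify_apdu(params: dict, pin: str) -> bytes:
    """MFP side (S85): ISO 7816-4 VERIFY command shaped by the received parameters."""
    if not (pin.isascii() and pin.isdigit()
            and params["pin_min"] <= len(pin) <= params["pin_block"]):
        raise ValueError("PIN format rejected")
    block = pin.encode("ascii").ljust(params["pin_block"], bytes([params["pad"]]))
    return bytes([0x00, 0x20, 0x00, params["pin_ref"], len(block)]) + block


def interpret_status(sw: int) -> tuple:
    """Map the card's status word to (verified, retries_left)."""
    if sw == 0x9000:
        return (True, None)
    if sw & 0xFFF0 == 0x63C0:              # 63Cx: wrong PIN, x tries remain
        return (False, sw & 0x0F)
    if sw == 0x6983:                       # authentication method blocked
        return (False, 0)
    raise RuntimeError(f"unexpected status word {sw:04X}")


if __name__ == "__main__":
    params = lookup_parameters(SAMPLE_ATR)
    print(parse_atr(SAMPLE_ATR))
    print(build_verify_apdu(params, "1234").hex())
```

The PIN is validated and placed only in the command bytes; nothing in the sketch logs or stores it.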
[0068] Figure 9 is a flowchart explaining how a smart card inserted in the smart-card reader is accessed using the ICARUS APDU scripting and the JAVA class. This process is similar to that described in connection with Figure 8. However, it is sometimes the case that accessing the smart card is quite complicated and it is not appropriate to try to send all the relevant parameters from the print server 61 to the MFP 62 using the ICARUS scripting language. In this situation, parameters known as "primitives" are sent by ICARUS to configure a JAVA class included in the MEAP SC application. In this way, some of the software needed to access the smart card can be "pre-coded" into the JAVA class, reducing the amount of data that needs to be sent from the print server application.
[0069] In step S91, a smart card is inserted into the smart-card reader 621. In response to the insertion of the card, the smart-card sends an ATR to the smart-card reader 621, which is passed to the MEAP SC application. In step S93, the ICARUS APDU scripting sends the ATR ID to the print server application (shown as communication C1 in Figure 6). In response to receipt of the ATR ID, in step S94, the print server application refers to the database and returns parameters, which are stored in the database in association with the ATR ID (shown as communication C2 in Figure 6). In this case, the parameters include the aforementioned "primitives" used to configure a JAVA class of the MEAP SC application and also a setting that indicates to the ICARUS APDU scripting that the JAVA class is to be used.
[0070] In step S95, the ICARUS APDU scripting receives the parameters and runs a JAVA program which configures the JAVA class using the received primitives and uses the JAVA class to access the inserted smartcard. This step may include displaying a PIN identification screen on a display of the MFP 62 to allow a user to enter a PIN (Personal Identification Number). When the PIN has been entered by the user, the PIN is passed by the MEAP SC application to the smart card in order to allow access to the smart card.
Method of first embodiment
[0071] Operation of the first embodiment will now be described with reference to Figures 6 and 10. In step S101, a user inserts his or her smart card into the smart-card reader 621 at the printer 62. In response to insertion of the smart card, a PIN identification screen is displayed on the user-interface of the MFP 62 (as described above) and, following entry of the correct PIN, log-in processing is initiated (step S102) by the MEAP SC application.
[0072] The smart card driver/library in the form of the APDU script or configured JAVA class then communicates with the smart card in order to cause the smart card to initiate log-in processing. These steps will vary from card to card. In the present embodiment, a request for log-in processing is sent to the smart card. In response to the request for log-in processing, the smart card signs credentials using the signature function of the smart card. The signature function uses the private key of the user to sign a hash of the credentials. The credentials are details of the user such as the user's name and/or email address, which might be extracted from the X.509 certificate stored on the smart card. The signature is performed on the smart card such that the private key does not leave the smart card. The signed credentials and a certificate identifier that identifies the user's X.509 certificate are then sent to the smart card driver/library in response to the request for log-in processing.
[0073] In step S103, the smart card driver/library communicates the signed credentials and certificate identifier to the Active directory server (shown as communication C3 in Figure 6) to authenticate the user's permission to log-on to the MFP and to access the print queue on the printer server. In particular, the active directory server identifies the appropriate X.509 certificate from its database 71 using the received certificate identifier. The active directory server then decrypts the signed credentials using the user's public key from the identified X.509 certificate and checks the decrypted credentials against those associated with the X.509 certificate. If the decrypted user's credentials match those of the X.509 certificate the active directory server obtains the stored permissions regarding access to the print server 61 associated with the user's X.509 certificate. If the user has permission to log-on to the print server 61, an accept message is returned to the MEAP SC application. If the user does not have permission to log-on to the print server 61, or the verification of the credentials fails, a decline message is returned to the MEAP SC application.
[0074] If the MEAP SC application receives a decline message from the active directory server, the printer 62 displays an error message indicating "log-on failure - invalid permissions" on the display of the MFP 62 and no further actions are taken. If the MEAP SC application receives an accept message, the MEAP SC application allows the user to access the print server and to access the print queues on the print server. At this stage authentication has been completed. Secure printing, in which a user accesses print jobs stored on the print server, can now continue in accordance with known prior art methods. Log-on processing according to the first embodiment of the present invention has now been completed.
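The check in step S103 as an added example using the Python `cryptography` package, not the patent's or any directory server's implementation: the "decrypt and compare" step is expressed as a signature verification over the credentials the directory already holds for the certificate identifier, and every failure path returns decline. RSA with PKCS#1 v1.5 and SHA-256, the directory layout, the identifiers and the permission name are assumptions; the keys are generated on the fly.

```python
"""Directory-side check of card-signed credentials (added example)."""
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

LOGON = "print-server-logon"   # hypothetical permission name


class DemoCard:
    """Stand-in for the smart card: signing happens inside, the key is never exported."""

    def __init__(self, cert_id: str, credentials: bytes):
        self._key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.cert_id = cert_id
        self.credentials = credentials

    def public_key(self):
        return self._key.public_key()

    def login(self) -> tuple:
        """Answer a log-in request with (signed credentials, certificate identifier)."""
        signature = self._key.sign(self.credentials, padding.PKCS1v15(), hashes.SHA256())
        return signature, self.cert_id


def enrol(directory: dict, card: DemoCard, permissions: set) -> None:
    """Record what the directory would hold for the user's X.509 certificate."""
    directory[card.cert_id] = {
        "public_key": card.public_key(),
        "credentials": card.credentials,
        "permissions": set(permissions),
    }


def check_login(directory: dict, signature: bytes, cert_id: str) -> str:
    """Return 'accept' only if certificate, signature and permission all check out."""
    entry = directory.get(cert_id)
    if entry is None:                       # unknown certificate identifier
        return "decline"
    try:
        # Verifying against the stored credentials covers both the signature
        # check and the comparison with the certificate's credentials.
        entry["public_key"].verify(signature, entry["credentials"],
                                   padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return "decline"
    return "accept" if LOGON in entry["permissions"] else "decline"


def demo() -> tuple:
    """Build a constructed directory with one permitted and one unpermitted user."""
    directory = {}
    alice = DemoCard("cert-0001", b"CN=Alice Example,mail=alice@example.test")
    bob = DemoCard("cert-0002", b"CN=Bob Example,mail=bob@example.test")
    enrol(directory, alice, {LOGON})
    enrol(directory, bob, set())
    return directory, alice, bob


if __name__ == "__main__":
    directory, alice, bob = demo()
    print("alice:", check_login(directory, *alice.login()))
    print("bob:  ", check_login(directory, *bob.login()))
```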
[0075] The above embodiment is advantageous in that the parameters for a large number of cards may be stored in the database 71 of the print server application rather than in the MEAP SC application. This avoids "bloating" of the MEAP SC application that would be caused when trying to support many different types of cards if the details for each card were stored on the MFP. By storing the details on the print server 61 unnecessary use of the limited resources of the MFP 62 can be avoided.
[0076] A further advantage of the above embodiment is that configuration of the embodiment to support new card types is relatively straightforward. The configuration can be provided by adding additional entries and details into the database on the print server application rather than adapting the MEAP SC application, which is typically a more difficult and time consuming operation.
Second embodiment
[0077] As mentioned above, the second embodiment is a different configuration of the same software as described in connection with the first embodiment. In particular, the second embodiment uses the CCID over TCP driver shown in Figure 6. Figure 11 shows the apparatus of the second embodiment. The hardware configuration is exactly the same as that described in the first embodiment in connection with Figure 6. Accordingly, description of the hardware will not be repeated. The structure of the MEAP SC application shown in Figure 7a and the structure of the print server application shown in Figure 7b is also the same in the first and second embodiments.
[0078] In the first embodiment, control of the smart card was performed locally at the MFP 62 by a smart card driver/library in the form of the ICARUS APDU scripting or the configured JAVA class. However, in the second embodiment the card reader attached to the MFP is treated as a USB device by the print server and the card reader 621 is controlled directly from the print server 61.
[0079] The print server 61 includes an operating system, which in the present embodiment is a Windows server operating system such as Windows server 2003 by Microsoft Corporation. The print server application has access to Windows smart card libraries installed on the print server 61, which exist for many different types of smart card and which have been implemented for use with Personal Computer devices (PCs).
[0080] Also installed on the print server 61 is a virtual USB driver 73, which is configured to communicate with the CCID over TCP driver on the MFP 62. The virtual USB driver 73 emulates a USB card reader so that the MFP 62 and card reader 621 appear to the Windows operating system as a smart card reader locally connected to the print server 61. The virtual USB driver interprets commands sent to it and passes the commands (APDUs) to the CCID over TCP driver 6224 over the network 30 via TCP.
[0081] User authentication will now be described with reference to Figure 12. In step S121, a user inserts a smart card into the smart-card reader 621. In response to insertion of the smart card, the smart-card sends an ATR signal to the smart-card reader 621. The CCID driver in turn passes the signal to the CCID over TCP driver which then sends the signal to the virtual USB driver 73 at the print server 61. This passage of commands between the printer 62 and the print server 61 at the driver level continues throughout the present embodiment. Commands are sent to and from the smart card at the APDU/driver level over the network using TCP between the CCID over TCP driver 6224 and the virtual USB driver 73. Higher level control including processing of information from the smart card and deciding which commands to send to the smart card are performed at the print server side. For the sake of brevity, this form of communication will be referred to below as communication via the CCID over TCP drivers.
[0082] The print server 62 receives the ATR signal from the smart card and identifies the ATR ID. Once the ATR ID has been identified, the print server application looks in the Windows smart card libraries to find parameters and/or JAVA class libraries for operating the smart card corresponding to the received ATR ID. The print server application then uses the identified Windows smart card library to initiate log-in processing by the smart card (Step S133). All the communications between the smart card and the print server 62 are performed at the APDU level via the CCID over TCP driver and virtual USB driver 73. The Windows smart card library generates and sends APDUs to the virtual USB driver 73 as if the smart card reader 621 were connected locally at the printer server 62.
[0083] Once log-in processing is initiated, at step S134, the print server application receives the signed credentials and certificate identifier from the smart card and passes them as a query to the Active directory server 63. The Active directory server checks the signed credentials and the user permissions associated with the user's X.509 certificate and returns an accept message or a decline message as described in the first embodiment. If the print server receives a decline message, the print server sends a command to the MFP 62 to cause the MFP to display an error message "log-on failure - invalid permissions". If the print server receives an accept message, the print server sends the MFP 62 a command to allow the user to log-on to the MFP 62. At this stage authentication has been completed. Secure printing, in which a user accesses print jobs stored on the print server, can now continue in accordance with known prior art methods. Log-on processing according to the second embodiment of the present invention has now been completed.
[0084] The above configuration is particularly convenient because Windows smart card libraries can be used to control smart card access on the MFP 62. The ability to use such pre-existing libraries removes the need to develop new parameters and scripts to access the smart card using the MEAP SC application on the MEAP platform. This reduces the amount of development required to support new types of smart card.
[0085] The above embodiment involves sending APDUs across the network. As this information may well be private, these communications can be encrypted or otherwise secured using SSL or other security technology.
Further embodiments
[0086] The embodiments above have described sending signed credentials from a smart card and using the X.509 certificate to perform a log-in check at an Active directory server. In other embodiments the smart card may store an email address, log-in name, unique number, or other identifying information associated with a user. This information may be stored instead of the X.509 certificate, extracted from the X.509 certificate, or stored in parallel with the X.509 certificate. The identifying information (email address, log-in name, etc.) may be used instead of, or as well as, the X.509 certificate to perform the log-in checks at the Active directory server. Further, the use of an Active directory server is optional. A check may be performed against some other form of directory server or may be performed locally at the print server using, for example, an access control list.
[0087] The first embodiment describes a case in which the parameters are looked up in the database 71 in response to receipt of the ATR ID. However, in other embodiments, the parameters may be pre-loaded onto the MFP 62 when the MFP is started up or when the MEAP SC application is initialized. In a typical office setup, the types of card that will be used to log-on to the MFP 62 are known in advance. For example, a company may have issued a particular type of smart card to its employees to log-on to the MFP 62. Accordingly, the MEAP SC application can be configured with the ATR IDs in advance so that the appropriate parameters are downloaded from the database 71 at start-up of the MFP 62 or MEAP SC application. The configuration of the MEAP SC application with the ATR IDs may occur via a user interface of the MFP 62 or by an interface of the print server application 7. Configuring the MEAP SC application to download the parameters at start up of the MFP can make operation of the MFP 62 quicker because there is no need to communicate the configuration parameters from the database 71 over the network 30 during the log-in processing. Delay due to communication across the network 30 is thereby reduced and the parameters are only downloaded once.
[0088] Aspects of the present invention can also be realized by a printer or print server (or devices such as a CPU or MPU inside the printer or print server) that reads out and executes a program recorded on a memory device to perform the functions of the above-described embodiment(s), and by a method, the steps of which are performed by, for example, reading out and executing a program recorded on a memory device to perform the functions of the above-described embodiment(s). For this purpose, the program may be provided to the printer or print server for example via a network or from a recording medium of various types serving as the memory device (e.g., computer-readable medium).

Claims (12)

  1. An image-processing apparatus for accessing a smart card, comprising a printer and a print server, the printer and print server connected to each other via a network so that the printer can receive print jobs from the print server, and comprising a card reader associated with the printer and adapted to access a smart card that stores identity information relating to a user of the printer; wherein the printer comprises a card access application, and the print server comprises a card configuration application; and wherein the card access application is configured to: in a case of introduction of a smart card to the card reader, receive first information relating to an identity of the smart card obtained from the smart card by the card reader; to obtain card access configuration details corresponding to the first information from the card configuration application; and to use the obtained card access configuration details to access the smart card introduced to the smart card reader; and the card configuration application is configured so that, in a case of receipt of the first information, the card configuration application sends to the card access configuration application said card configuration details for allowing the card access application to access the smart card.
  2. An image-processing apparatus according to claim 1, wherein the card access application is configured to cause the printer to display a PIN entry screen to allow a user to enter a PIN to access the smart card.
  3. An image-processing apparatus according to claim 1 or claim 2, wherein the card access application comprises class information which is configurable by the card access configuration details to allow access to the smart card.
  4. An image-processing apparatus according to any preceding claim wherein the card access application is configured by the card access configuration details to access the smart card to initiate a signature process within the smart card.
  5. An image-processing apparatus according to any preceding claim comprising permission checking means for identifying at least one permission associated with the user.
  6. An image-processing apparatus according to claim 5, wherein the permission checking means is a permission checking server which stores permission information regarding a right to access or log-in to the printer and/or print server.
  7. An image-processing apparatus according to any preceding claim wherein the card access application is configured to obtain the card access configuration details corresponding to the first information from the card configuration application upon startup of the printer or initialization of the card access application.
  8. An image-processing apparatus according to any preceding claim, wherein the card access configuration details comprise at least one of: a primitive to configure a class, a script, a password, location details of information on the smart card, and details of how to access a function on the smart card.
  9. A method for accessing a smart card performed by an image-processing apparatus, the image-processing apparatus comprising a printer connected to a print server via a network and capable of receiving print jobs from the print server, and a card reader associated with the printer and adapted to access a smart card that stores identity information relating to a user of the printer; wherein the printer comprises a card access application, and the server comprises a card configuration application; the method comprising: in a case of introduction of a smart card to the card reader, the card access application receiving first information relating to an identity of the smart card obtained from the smart card by the card reader; the card access application obtaining configuration details corresponding to the first information from the card configuration application; the card access application using the obtained card access configuration details to access the smart card introduced to the smart card reader; and the card configuration application, in a case of receipt of the first information, sending to the card access application said card access configuration details for allowing the card access application to access the smart card.
  10. A card access application for a printer connected to a print server via a network and capable of receiving print jobs from a card configuration application on the print server, the printer having a card reader associated with it that is adapted to access a smart card that stores identity information relating to a user of the printer; wherein the card access application is configured to: in a case of introduction of a smart card to the card reader, receive first information relating to an identity of the smart card obtained from the smart card by the card reader, to obtain card access configuration details corresponding to the first information from the card configuration application; and to use the obtained card access configuration details to access the smart card introduced to the smart card reader.
  11. A card configuration application for a print server connected to a printer via a network and capable of sending print jobs to a card access application on the printer, the printer having a card reader associated with it that is adapted to access a smart card that stores identity information relating to a user of the printer; and wherein the card configuration application is configured: to receive from the card access application first information from a smart card introduced to the card reader; and to send to the card access application configuration card access configuration details for allowing the card access application access to the smart card.
  12. A storage medium storing an application according to claim 10 or claim 11.
GB0915662.1A 2009-09-08 2009-09-08 Apparatus for accessing a smart card Active GB2473283B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0915662.1A GB2473283B (en) 2009-09-08 2009-09-08 Apparatus for accessing a smart card

Publications (3)

Publication Number Publication Date
GB0915662D0 GB0915662D0 (en) 2009-10-07
GB2473283A true GB2473283A (en) 2011-03-09
GB2473283B GB2473283B (en) 2016-02-17

Family

ID=41203358

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0915662.1A Active GB2473283B (en) 2009-09-08 2009-09-08 Apparatus for accessing a smart card

Country Status (1)

Country Link
GB (1) GB2473283B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0929023A1 (en) * 1998-01-09 1999-07-14 Hewlett-Packard Company Secure printing
US20070208889A1 (en) * 2006-03-02 2007-09-06 Tatsuya Irisawa Interface circuit, system device using the interface circuit, and data interface method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008244518A (en) * 2007-03-23 2008-10-09 Ricoh Co Ltd Image forming apparatus management system, image forming apparatus, management device, terminal device, image forming apparatus managing method, and image forming program

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9607189B2 (en) 2015-01-14 2017-03-28 Tactilis Sdn Bhd Smart card system comprising a card and a carrier
US10037528B2 (en) 2015-01-14 2018-07-31 Tactilis Sdn Bhd Biometric device utilizing finger sequence for authentication
US10147091B2 (en) 2015-01-14 2018-12-04 Tactilis Sdn Bhd Smart card systems and methods utilizing multiple ATR messages
US10223555B2 (en) 2015-01-14 2019-03-05 Tactilis Pte. Limited Smart card systems comprising a card and a carrier
US10229408B2 (en) 2015-01-14 2019-03-12 Tactilis Pte. Limited System and method for selectively initiating biometric authentication for enhanced security of access control transactions
US10275768B2 (en) 2015-01-14 2019-04-30 Tactilis Pte. Limited System and method for selectively initiating biometric authentication for enhanced security of financial transactions
US10395227B2 (en) 2015-01-14 2019-08-27 Tactilis Pte. Limited System and method for reconciling electronic transaction records for enhanced security
