JP4018645B2 - Printing apparatus, data processing method, storage medium, program - Google Patents

Description

  The present invention relates to data processing of a printing apparatus capable of receiving and processing a print job generated by a printer driver of an information processing apparatus.

  Conventionally, in this type of printing system, in order to prevent others from seeing the printing result of privacy information, the user gives a printing instruction from the host computer by giving a specific instruction when generating the print job. Even if the printing is performed, the printing apparatus does not immediately perform printing, but is in a hold state, and the user visits the printing apparatus and operates the operation panel of the printing apparatus to recognize, select, and cancel the print job (a numeric password). Many methods have been implemented in which the hold state is released by giving the command from the operation panel and the actual printing process is started.

  Such a printing method is generally called secure printing, security printing, confidential printing, or the like. Hereinafter, in this proposal, the terminology is unified as the printing method is secure printing. A print job to be securely printed is specifically called a secure job.

  As a use case in which secure printing is used, it is assumed that privacy data such as hospital diagnosis information, salary details, and resident information should be referred to only by the parties concerned.

  In secure printing, it is desired that the print control of other jobs not be hindered even when the hold (waiting for release) state is entered. Therefore, the secure print is temporarily stored in a secondary storage device such as an HDD. The The special instruction for the print job at the time of secure printing is a secure print instruction attribute and a PIN code attribute for canceling.

  Further, generally, a secure printing function and a normal job printing function for starting printing immediately after sending a normal print job coexist.

  In conventional secure printing, a print job created by a host computer is generated in plain text (meaning that it is not encrypted), and a PIN code used for cancellation is similarly attached to the print job in plain text.

  When sending a print job from a host computer to a printing device via a network such as a LAN, it is relatively easy to eavesdrop and tamper with the route by dedicated equipment or software, and a malicious attack that poses a threat on the network Assuming that there is a person, it can be said that the system for printing confidential information is vulnerable. Alternatively, when a wireless LAN represented by IEEE802.11b is used as a network infrastructure, it is technically easier to eavesdrop outdoors even if sufficient security measures are not taken.

  Furthermore, secure jobs are stored in the printing device and stored in a secondary storage device such as an HDD until the hold is released, but it is assumed that a malicious attacker can physically act on the printing device. If the printer is turned off, the secondary storage device is taken out and taken out and the inside is analyzed, the confidential information contained in the print job can be technically acquired, and the printing system is vulnerable. It can be said.

In order to cope with these problems, even if the print job is encrypted and the path is eavesdropped or the print job stored by extracting the secondary storage device is analyzed, it does not have a decryption key. It may be possible to prevent confidential information from leaking. As a system for encrypting data between a peripheral device and a client PC, a system disclosed in Patent Document 1 is disclosed.
JP 2003-169053 A

  Then, when encrypting the secure job, there are problems that arise from two viewpoints: the problem of where to decrypt and the key to decrypt.

  For example, a first method is assumed in which a key used for decryption is provided by a key stored as electrical information included in a physical medium such as a smart card individually owned by a user who issued a secure job.

  In this case, the secure job that has entered the printing apparatus is encrypted, and if the key is not provided, the contents cannot be interpreted at all.

  On the other hand, in order to release a secure job to be released, a hint is required for selecting a secure job to be released based on additional information such as the owner name and job name of the print job.

  However, if all the data of the secure job is encrypted, the additional information cannot be read out until the above smart card is inserted and the decryption process is performed, and the secure job cannot be selected. There was one problem.

  Alternatively, the key used for encryption is not a physical key such as a smart card owned by the user, but a key that the printing device statically holds as its electrical information on its secondary storage device or nonvolatile memory, for example, Assuming a public key key pair, this method is the second method.

  In this case, it is conceivable that the public key that is one of the key pairs is provided to the host computer in advance, and the secure job is encrypted based on the public key and sent to the printing apparatus. The secure job sent to the printing device is based on the other private key of the public key type key pair included in the printing device immediately inside the printing device (this is managed by the printing device so as not to leak outside). The decryption result is stored in a secondary storage device such as an HDD. In this case, when the host computer generates a secure job in advance, a release PIN code is assigned as additional information as an attribute, and printing processing is performed when the PIN code input through the operation panel matches. Operation is expected.

  In this method, the secure job is decrypted as soon as it is input to the printing apparatus, and the secure job data is stored in the secondary storage device in plain text, so that an attacker can physically act on the printing apparatus. As a result, there is a second problem that the printing apparatus is turned off, the secondary storage device is removed, the inside is analyzed, and the threat of exposing confidential information cannot be countered.

  The present invention has been made to solve the above-described problems, and an object of the present invention is to decrypt an attribute part of a print job received from an information processing apparatus with a decryption key and encrypt PDL data. A mechanism for storing a print job and storing PDL data in an encrypted state until a print instruction is issued is provided.

The printing apparatus according to the present invention has the following characteristic configuration.
A printing apparatus capable of receiving and processing a print job generated by a printer driver of an information processing apparatus, and managing attribute database means for managing individual attribute information of the received print job, and temporarily storing a PDL data portion of the print job Receiving the PDL storage means and the print job, decrypting the attribute part included in the print job based on the first decryption key information, and registering the attribute part extracted by the decryption in the attribute database means Furthermore, the print job interpretation unit that stores the PDL data portion included in the print job in an encrypted state in the PDL storage unit, and the print selected from the print job stored in the PDL storage unit by a user operation Print instruction means for instructing printing of a job, and a print job instructed to print by the print instruction means And having a PDL data decoding means for decoding on the basis of the PDL data that has been encrypted second decryption key information.

  According to the present invention, the attribute part of the print job received from the information processing apparatus is decrypted with the decryption key, the print job is stored in a state where the PDL data is encrypted, and the PDL data is encrypted until a print instruction is given. It can be memorized.

  Next, the best mode for carrying out the present invention will be described with reference to the drawings.

[First Embodiment]
FIG. 1 is a block diagram showing a configuration of a printing system including a data processing apparatus (host computer) and a printing apparatus according to the first embodiment of the present invention.

  In FIG. 1, the printing system generates a print job, receives a print job from a host computer 100 that comes to the printing apparatus, and prints on an actual sheet by a known printing technique such as electrophotography or inkjet. (Printer) 150 and interface means 170 using a known interface technology for connecting the host computer 100 and the printing apparatus 150.

  The interface unit 170 is a USB (Universal Serial Bus) or IEEE1284 compliant local interface, a wired LAN interface such as Ethernet (registered trademark) or Token-Ring, or a wireless LAN such as IEEE802.11b or Bluetooth (registered trademark). It may be an interface, and may be routed via a router, a switching hub, or the Internet.

  The host computer 100 generates image data desired by the user via the GUI by the application unit 101. The driver unit 102 converts the image format unique to the host computer into a print job that can be interpreted by the printing apparatus 150.

  The secure job generation unit 103 receives the print job generated by the driver unit 102, and performs a conversion operation into a secure job (a print job corresponding to security) that can be analyzed only by the owner. At this time, the print job is divided into an attribute part and a PDL data part, and the attribute part is encrypted based on the public key of the printing apparatus, and the PDL data part is encrypted based on the public key of the user.

  The secure job generated by the secure job generation unit 103 is stored in the existing spool unit 104 and sent to the printing apparatus 150 via the I / F 105.

  The public key possessed by the user that is required when generating the secure job is electrically held in a public key such as a smart card in the previous stage of the printing process and held in the provided medium. It is read, stored by the user public key storage unit 109, and provided to the secure job generation unit 103.

  On the other hand, the public key possessed by the printing apparatus required when generating the secure job is supplied from the printing apparatus 150 via the interface unit 170, stored in the device public key storage unit 107 via the device public key receiving unit 106, and secured by the secure job. Provided to the generation unit 103.

  The secure job is input to the printing apparatus 150 via the I / F 151. The packet determination unit 153 monitors each packet of the secure job, and transfers it to the attribute decryption unit 155 if it is an attribute part and to the PDL spool unit 154 if it is a PDL data part.

  Prior to the transmission of the secure job, when the device public key receiving unit 106 of the host computer 100 requests the printing device 150 for the public key of the printing device, the device public key reception unit 106 is in the printing device 150 in response to the request. A public key unique to the printing apparatus 150 is provided from the device public key management unit 161 to the host computer 100 via the device public key transmission unit 162 and the interface unit 170.

  When the attribute part of the secure job is sent from the device public key management unit 161 in the attribute decryption unit 155, the public key scheme is performed using the secret key that is the other of the public key pairs held by the device public key management unit 161. The attribute part is decrypted by and the attribute data is written in the attribute DB 156.

  The attribute DB 156 is composed of, for example, a RAM which is a volatile memory, and temporarily stores the number of copies related to the drawing process, printing information such as color information, and monitoring information such as a job name and an owner name, and provides the drawing unit 159 with it. On the other hand, attribute information necessary for secure job monitoring is provided to the UI unit 163 in accordance with a display request from an operation panel (not shown).

  When the secure job enters the printing apparatus 150, the secure job enters a hold (waiting for release) state, and data processing stops. When a medium providing a public key such as the same smart card as that used for PDL data encryption is inserted into the card reader unit 158, the user is provided with a decryption key for decrypting the PDL data part according to the procedure described later. Then, the PDL data portion decrypted using the decryption key is transferred to the drawing unit 159, and the drawing processing of the print data is performed. The drawn image data is subjected to a known printing technology such as electrophotography or an inkjet technology. Printing is performed on actual paper in the printer engine unit 160 to be used.

  In order to explain in more detail, internal information of the secure job will be described.

  One secure job is composed of a plurality of job packets. A series of job packets constituting a secure job is called a job script.

  The job packet corresponds to an application layer protocol in the OSI 7 hierarchy, and has a packet structure including a header part and a parameter part.

  FIG. 2 is an explanatory diagram showing the structure of a job packet transferred from the host computer 100 shown in FIG. 1 to the printing apparatus 150.

  In FIG. 2, the vertical axis represents bytes, and the horizontal axis represents bits of each byte. In the figure, the operation code of 0th to 1st bytes is a 2-byte ID indicating the function of the packet. The job packet can take the following values: 0x0201 indicates a job start command, 0x0202 indicates a job attribute setting command (attribute portion), 0x0204 indicates a PDL data transmission command (PDL data portion), and 0x0205 indicates a job end command.

  The block number in the 2nd to 3rd bytes is used to take a response to the response request from the receiving side to which the response from the receiving side corresponds when the side sending the job packet requests a response. Number.

  For example, when an error packet of block number = 2 is returned when job packets of block numbers = 1, 2, and 3 are transmitted in succession, when a reply is returned, the transmitting side sends the second job packet sent It is possible to specify that an error has occurred.

  The parameter length of the 4th to 5th bytes is an area indicating the byte length of the data portion, and can indicate 0 to 64K bytes.

  The 6th to 7th bytes are areas indicating various flags of the job packet, and indicate the following values, respectively.

  When the value of the error flag is “1”, it indicates that some error has occurred in the printing apparatus. This flag is added to a reply packet sent from the printing apparatus to the host computer.

  Further, when the value of the notification flag is “1”, it indicates that the printing apparatus notifies the host computer that there is some notification matter, not a response to the request packet from the host computer.

  Further, when the value of the continuation flag is “1”, it means that not all data has been entered in the data portion, and therefore the remaining data is sent in the next job packet. The next job packet must have the same operation code and block number as the previous packet.

  The response request is set to 1 when a response packet is required from the host computer to the printing apparatus. When 0, the request packet is not returned when it is processed normally. When an error occurs in the printing apparatus, a reply packet with the error flag set to 1 is always sent, regardless of the reply request 0/1.

  The user IDs in the 8th to 9th bytes and the password in the 10th to 11th bytes are areas used for authentication when setting a security restriction on operations that can be performed with the request packet. This embodiment is not affected.

  From the 12th byte onward, additional data corresponding to the operation code is stored.

  In the case of a job start operation, the job execution mode is described as additional data. The execution modes that can be specified are listed below.

  0x01 is a normal execution mode of a job, and the job is added as a normal job at the end of the queue of the printing apparatus, and print processing is performed when scheduling has arrived.

  0x04 is a secure print execution mode of the job. The job is handled as a secure job, and is handled as a hold (waiting for release) state until a key is given without printing.

  The driver unit 102 inside the host computer 100 generates a job script in the same format as that before encryption. This is to prevent the driver unit 102 from being burdened by separating the processing of the driver unit 102 and the secure job generation unit 103.

  FIG. 3 is a schematic diagram for explaining a mechanism for encrypting the first job script in the printing system according to the present invention.

  FIG. 3A shows a job script generated by the driver unit 102. Job packets are generated in order from the top to the bottom. One square box in the middle is a job packet. According to FIG. 3A, the job script is composed of a job start command for informing the start of a print job, a plurality of attribute setting commands, a plurality of PDL data transmission commands, and a job end command. The secure job generation unit 103 analyzes the job script shown in FIG. 3A and generates a secure job shown in FIG. At this time, the operation code of the job packet is determined, and in the case of the attribute setting command, the data part of the job packet is encrypted using the device public key provided from the printing apparatus 150 (the dark shaded portion in FIG. 3). In the case of a PDL data transmission command, encryption is performed using a user's public key provided from a medium that provides a public key such as a smart card (the thin shaded portion in FIG. 3). The encryption here is performed by a method combining a common key method and a public key method.

  FIG. 4 is a data structure diagram showing the structure of the encryption attribute of the attribute setting portion of the print job generated by the secure job generation unit 103 shown in FIG.

  The data structure shown in FIG. 4 shows the data part from the 12th byte in the job packet shown in FIG. 2, and the description of the operation code and the like is omitted.

  First, the secure job generation unit 103 generates two random numbers (random number A and random number B) that have a long generation cycle and are sufficiently large to be trusted. This random number is used as an encryption key by the common key encryption method of the attribute part and the PDL data part, respectively. Further, the random number A that is the encryption key of the attribute part is encrypted by the public key encryption method with the public key of the printer 150 owned by the printer 150 in the device public key storage unit 107, and the device public key shown in FIG. It is attached as an encrypted attribute decryption key 401.

  Further, the random number A is attached as a hash value 402 of the attribute decryption key, which is a hash value hashed to confirm the validity of the encryption key later.

  The hash process is used later to compare the key identities, and it is assumed that a public technique such as SHA-1 (Secure Hash Algorithm 1) is used.

  Further, the random number B, which is the encryption key of the PDL data portion, is based on the public key method by the user's public key held in the smart card and temporarily held in the user public key storage unit 109 via the card reader 108. Encrypted and attached as a PDL data decryption key 403 encrypted with the device public key shown in FIG.

  Further, the random number B is attached as a hash value 404 of a PDL data decryption key, which is a hash value hashed to confirm the validity of the encryption key later.

  Similarly, hash processing is used later to compare key identities, and it is assumed that a public technique such as SHA-1 (Secure Hash Algorithm 1) is used.

  The PDL data transmission instruction is an instruction to divide the PDL data part into job packets and transmit it. In the case of a normal print job, the PDL data part is stored in plain text, but in the case of a secure job, the PDL data part is The result of encryption by the common key cryptosystem with the random number B is attached. In this case, when the hold is later released, the random number B is extracted by decrypting the PDL data decryption key 403 encrypted with the user public key, and the PDL data can be decrypted.

  Here, the common key encryption method uses a common key encryption method represented by DES (Data Encryption Standard), 3DES (Triple-DES)), or AES (Advanced Encryption Standard) encryption method. The common key given here is a key used in common for encryption and decryption and must be kept secret.

  The host computer 100 generates a different random number every time a secure job is generated, uses this as a common key, and is discarded after transmission. Therefore, the common key is not held in the host computer.

  Although the common key is attached to the secure job, since the common key is encrypted by a public key cryptosystem described later, the security strength of the common key depends on the public key cryptosystem.

  Furthermore, the public key encryption here uses a public key system represented by RSA (Rivest, Shamir, Adelman) encryption system, and the public key given here can be widely disclosed.

  In the public key method, decryption without a secret key, which is a contrast, is mathematically difficult at the factorization level, and if a sufficient key length is used, it can be decrypted in real time even in a high-speed computer environment. Proven to be difficult. Since neither the device private key nor the user private key is attached to the secure job, a malicious attacker must decrypt the RSA public key encryption to interpret the secure job attributes and the contents of the PDL data. It must be very motivated.

  Although the encryption attribute is a part of the attribute part, it is an attribute related to the encryption itself, so the attribute itself is attached in plain text (meaning that it is not encrypted).

  Next, processing when a secure job is input to the printer 150 will be described.

  FIG. 5 is a flowchart showing an example of a first data processing procedure in the printing apparatus according to the present invention, and corresponds to the data processing procedure of the packet determining unit 153 shown in FIG. In addition, (501)-(512) shows each step.

  The packet determination unit 153 starts the operation when the printer 150 is activated, and continues the process until the printer 150 is turned off.

  First, in step (501), SecureFlag is initialized to No as an initial process. In step (502), a job packet is received. When a job packet is received, an operation code of the job packet is acquired, and processing is divided according to the operation.

  Next, in step (503), it is determined whether or not the operation code is a job start instruction. If it is determined that the operation code is a job start instruction, the execution mode of the job start instruction is checked in step (504). If it is determined whether the job is a normal job or a secure job, and it is determined that the job is a secure job, in step (505), the Secure Flag is set to Yes.

  In step (506), a new print job is entered in the attribute DB, and the process returns to step (502).

  On the other hand, if it is determined in step (503) that the operation code is not a job start instruction, it is determined in step (507) whether or not the operation code is an attribute setting instruction. If so, the process is passed to the attribute decryption unit 155 in step (508), and the process returns to step (502).

  On the other hand, if it is determined in step (507) that the operation code is not an attribute setting command, it is determined in step (509) whether or not the operation code is a PDL data transmission command. If it is determined that the PDL data portion is written in the PDL spool unit 154 in step (510), the process returns to step (502). The PDL data portion in this case is a common key encrypted with the user's private key, that is, a PDL data portion that is commonly encrypted with the random number B, and has not been decrypted at this stage.

  On the other hand, if it is determined in step (509) that it is not a PDL data transmission command, it is determined in step (511) whether or not the operation code is a job end command, and is not a job end command. If YES in step (502), the flow returns to step (502). If it is determined that the instruction is a job end command, the secure flag is initialized to No in step (512), and the flow returns to step (502).

  Next, data processing of the attribute decoding unit 155 shown in FIG. 1 will be described.

  The attribute decoding unit 155 is called at step (508) shown in FIG. 5 for the packet determining unit 153, and performs attribute interpretation processing.

  FIG. 6 is a flowchart showing an example of a second data processing procedure in the printing apparatus according to the present invention, and corresponds to the data processing procedure of the attribute decryption unit 155 shown in FIG. In addition, (601)-(610) shows each step.

  First, in Step (609), it is checked whether or not SecureFlag is set to Yes. When it is determined that SecureFlag is set to Yes, it indicates that the job is a secure job.

  If it is determined that the job is not a secure job, the attribute value is recorded in the attribute DB in step (610), and the process is terminated.

  On the other hand, if it is determined in step (609) that SecureFlag is set to Yes, the attribute ID is checked in step (601) to determine whether it matches the attribute ID of the encrypted attribute. If the attribute ID is determined to be the attribute ID of the generalized attribute, the attribute is transmitted in plain text, so a special path is entered, and the attribute public key stored in the device public key management unit 161 in step (602) Decrypt with public key cryptography.

  Further, since correct decryption processing cannot be performed if the device public keys do not match, hash processing is performed for the check in step (603). This is performed by the same algorithm as the hash processing performed by the host computer 100.

  Next, in step (604), it is determined whether or not the hash result matches the hash value 402 of the attribute decryption key (random number A) attached to the encrypted attribute. In step (605), the attribute decryption key is registered in the attribute DB, and this process ends. Thereby, it can be used as a key for attribute decryption.

  On the other hand, if it is determined in step (604) that the hashes do not match, in step (606), the secure job is not receivable by the apparatus, and the process is terminated.

  For this reason, the secure job cannot be printed unless the target printing apparatuses match.

  On the other hand, if it is determined in step (601) that the attribute is not an encryption attribute, in step (607), the attribute data is decrypted by the common key method using the attribute decryption key. Since the attribute decryption key is set in step (605), the attribute setting order is first determined to be the encrypted attribute. When the decryption process is completed, in step (608), the attribute value decrypted by the common key method is recorded in the attribute DB. This information will later be used for secure job monitoring and translation processing.

  Next, the hold release process will be described.

  In the printer 150, when the secure job is stored in the PDL spool unit 154, the printer 150 waits for a hold release from the user.

  FIG. 7 is a flowchart showing an example of a third data processing procedure in the printing apparatus according to the present invention, and corresponds to the data decoding processing procedure of the PDL data decoding unit 157 shown in FIG. In addition, (701)-(708) show each step.

  In this process, the PDL data decoding unit is activated when the printing apparatus 150 is activated, and continues thereafter until the power is turned off.

  First, in step (701), the user selects a secure job to be printed via the UI displayed on the operation panel. Here, when any job is selected, in step (702), for example, the user is prompted to insert a smart card into the card reader unit 158 by displaying on the operation panel.

  Next, when the printer CPU determines in step (703) that the smart card has been inserted into the printer 150, in step (704), the smart card is requested to decrypt the decryption key using the public key method. When a decryption key, that is, a candidate for random number B is acquired from the smart card, hash processing is performed in step (705). This is performed by the same algorithm as the hash processing performed by the host computer 100.

  Next, in step (706), the hash result is compared with the hash value 404 of the PDL data decryption key (random number B) in the encryption attribute, and it is determined whether or not both values match. And the random number B corresponding to the PDL data decryption key in the encryption attribute, in step (707), the decryption key (= random number B) is used to decrypt the PDL data portion, The result is passed to the rendering unit 159 for rendering, the rendering result is handed to the printer engine 160, and printing is performed on an actual sheet by a known electrophotographic technique or inkjet technique, and the process returns to step (701).

  On the other hand, if it is determined in step (706) that they do not match, in step (708), a display indicating that decoding is impossible is performed on the operation panel unit, and the process returns to step (701).

  Thus, the secure job is a print job that is stored until the hold is released from the user. Alternatively, the destruction is performed by a discarding process, which is a conventional technique (not shown) after a predetermined time has elapsed.

  According to the present embodiment, since the secure job is encrypted with the attribute information other than the encrypted attribute and the PDL data part using two types of keys in the delivery route, the confidential information included in the PDL data part is also included in the secure job. Since the added attribute is also encrypted, the secure job information can be transmitted without eavesdropping on eavesdropping on the communication path.

  Also, in the stored state, the attribute information is held in the attribute DB, so that the attribute information is stored in plain text after entering the printing apparatus, and secure job monitoring and tracking can be performed by disclosing necessary attribute values. Is possible. On the other hand, the PDL data portion is encrypted by a common key method using a random number B, a public key private key for decrypting the common key is held in a smart card distributed to each user, and is decrypted by the printing apparatus. There is no clue. Even if the secondary storage device is extracted from the metaphor printing device, the attribute information is stored in the attribute DB composed of the volatile RAM and is not stored in the secondary storage device. Have difficulty.

  Furthermore, since the PDL data part is encrypted by the common key method, and the key for decrypting the common key by the public key method is not held in the printing apparatus, it is very difficult to analyze the secure job. It is possible to protect confidential information included in secure jobs even against advanced attacks.

[Second Embodiment]
According to the first embodiment, the PDL data part and the attribute part of the job script are each encrypted, but the structure of the job packet is not concealed by the encryption process in order to interpret the operation code.

  In other words, there are several job packets, and the packets are transferred on the network in a state where it is possible to specify how many attribute setting commands and PDL data transmission commands are present.

  In this case, it is possible to analogize the encrypted information by assuming the plain text of the job packet to some extent, and there is a risk that the function strength is relatively weak.

  Therefore, as a second embodiment, a method of encrypting a plaintext attribute portion and an encrypted PDL data portion together with a common encryption method key of the printing apparatus will be described. The description follows the configuration of the first embodiment described above, and only the differences are described in detail.

  FIG. 8 is a schematic diagram for explaining a mechanism in which the second job script is encrypted in the printing system according to the present invention. The secure print job script improved in the structure of the job script shown in FIG. Corresponds to the structure.

  FIG. 8A shows a job script of a normal print job generated by the driver unit 102, which is equivalent to FIG. FIG. 8B is an intermediate image of a job script in which the secure job generation unit 103 encrypts only the PDL data portion and is attached with the encryption attribute of the user.

  The PDL data part here is equivalent to the first embodiment, and the result of encryption by the common key cryptosystem using the random number B is attached (shaded part). On the other hand, the attribute part is attached in plain text.

  FIG. 8C shows a job script generated by the secure job generation unit 103, and the shaded portion, that is, the device encryption data, is obtained by encrypting the job script shown in FIG. Is. Here, not only the data portion of the job packet but also the entire packet header is encrypted.

  In other words, it can be said that the job script shown in FIG. 8B is regarded as one data stream, and all of them are encrypted. The PDL data portion has already been encrypted once with the encryption key B, and here it is encrypted twice. In addition, in order to identify the encryption method, two job packets of a device encryption command and a device key encryption attribute setting indicating encryption information are added to the job script. The two are attached in clear text.

  FIG. 9 is a diagram illustrating the description of the data part in which the header part of the job packet is omitted from the user key encryption attribute shown in FIG.

  In FIG. 9, reference numeral 901 denotes an attribute ID indicating the role of the attribute, and indicates that the designated attribute is a user key encryption attribute. Reference numeral 902 denotes a PDL data decryption key (random number B) encrypted with a public key owned by a user in a key medium such as a smart card, which corresponds to the PDL data decryption key 403 shown in FIG.

  Reference numeral 903 denotes a hash value of the PDL data decryption key (random number B), which corresponds to the hash 404 of the PDL data decryption key shown in FIG. The PDL data portion is encrypted by a common key encryption method using a random number B and attached as a job packet (shaded portion in the figure). On the other hand, the attribute part remains plain at this stage.

  Note that the job script shown in FIG. 8B is a job script that is temporarily generated internally, and does not actually flow on the communication path.

  FIG. 10 is a diagram for explaining the description of the data part in which the header part of the job packet is omitted from the device key encryption attribute shown in FIG.

  In FIG. 10, reference numeral 1001 denotes an attribute ID indicating the role of the attribute, and indicates that the designated attribute is a device key encryption attribute. Reference numeral 1002 denotes a job script decryption key (random number A) encrypted with the device public key, which corresponds to the attribute decryption key 401 encrypted with the device public key shown in FIG. Reference numeral 1003 denotes a hash value of the job script decryption key (random number A), which corresponds to the hash value 404 of the PDL data decryption key shown in FIG.

  In this embodiment, the configuration of the printing system is changed to process the job script.

  FIG. 11 is a block diagram showing a configuration of a printing system including a data processing apparatus (host computer) and a printing apparatus according to the second embodiment of the present invention.

  In FIG. 11, the printing system generates a print job, receives the print job from a host computer 1100 that comes to the printing apparatus, and prints on an actual sheet by a known printing technique such as electrophotography or inkjet. And interface means 1170 using a known interface technology for connecting the host computer 1100 and the printing apparatus 1150. The interface unit 1170 is a USB (Universal Serial Bus) or IEEE1284 compliant local interface, a wired LAN interface such as Ether-Net (registered trademark) or Token-Ring, or a wireless device such as IEEE802.11b or Bluetooth (registered trademark). It may be a LAN interface, or may be routed via a router, a switching hub, or the Internet.

  The host computer 1100 uses the GUI by the application unit 1101 to generate image data desired by the user. The driver unit 1102 performs conversion work from an image format unique to the host computer into a print job that can be interpreted by the printing apparatus 1150. The secure job generation unit 1103 receives the print job generated by the driver unit 1102 and converts it into a secure job (a print job corresponding to security) that can be analyzed only by the owner. This operation is an operation for generating (a) to (c) of FIG.

  The generated secure job is stored in the existing spool unit 1104 and sent to the printing apparatus 1150 via the I / F 1105. The public key possessed by the user that is required when generating the secure job is electrically held in a public key such as a smart card in the previous stage of the printing process, held in the provided medium, read by the existing card reader unit 1108, It is stored by the user public key storage unit 1109 and provided to the secure job generation unit 1103.

  On the other hand, the public key possessed by the printing apparatus required when generating the secure job is supplied from the printing apparatus 1150 via the interface unit 1170 and is stored in the device public key storage unit 1107 via the device public key receiving unit 1106, so that the secure job Provided to the generation unit 1103. The secure job is input to the printing apparatus 1150 via the I / F 1151.

  A job script decrypting unit 1155 decrypts the secure job input to the I / F 1151 using the public key method using the secret key information of the printing apparatus. At this stage, the job script is converted from (c) of FIG. 8 to (b) of FIG. At this time, the attribute part becomes plain text.

  The packet determination unit 1153 examines each job packet of the received job script, and sends the attribute part included in the data part to the attribute DB 1156 with respect to the attribute setting command and the PDL spool unit 1154 with respect to the PDL data transmission command. At this time, the PDL data portion is encrypted with the random number B as shown in the state of FIG.

  Prior to the transmission of the secure job, when the device public key receiving unit 1106 requests the printing apparatus 1150 for the public key of the printing apparatus prior to transmission of the secure job, the host computer 1100 is in the printing apparatus 1150 in response to the request. A public key unique to the printing apparatus 1150 is provided from the device public key management unit to the host computer 1100 via the device public key transmission unit 1162 and the interface unit 1710.

  The attribute DB 1156 is composed of a RAM, which is a volatile memory, and temporarily stores information such as the number of copies related to drawing processing and color information, and provides the drawing unit 1159 with a display request from an operation panel (not shown). At the same time, the attribute information of the secure job is provided to the UI unit 1163.

  When the secure job enters the printing apparatus 1150, the secure job enters a hold (waiting for release) state, and the process stops. When a user provides a public key such as a smart card used for PDL data encryption (which functions as a predetermined device) to the card reader unit 1158, the user reads the PDL data portion by a procedure described later. Decryption key information to be decrypted is provided, and using the key information, the PDL data decryption unit 1157 decrypts the encrypted PDL data part by the public key method, and the PDL data part is passed to the drawing unit 1159, The print data drawing process is performed, and the drawn image data is printed on an actual sheet in the printer engine unit 160 using a known printing technique such as electrophotography or an inkjet technique.

  As a result, the secure job becomes a print job stored until the hold is released from the user. Note that the stored print job is subjected to a discard process by a discard process, which is a conventional technique (not shown) after a predetermined time has elapsed.

  According to the second embodiment, since the secure job is encrypted using the two types of key information in the delivery route, both the attribute information other than the encrypted attribute and the PDL data portion are confidential information included in the PDL data portion. Since the attribute added to the secure job is also encrypted, the secure job information can be transmitted without eavesdropping on wiretapping of the communication path.

  Furthermore, as compared with the first embodiment, since the job script itself of the secure job is completely encrypted, even the configuration of the job script cannot be determined on the communication path, so that the security strength is further improved.

  Also, in the stored state, the attribute information is held in the attribute DB, so that the attribute information is stored in plain text after entering the printing apparatus, and secure job monitoring and tracking can be performed by disclosing necessary attribute values. Is possible.

  On the other hand, the PDL data portion is encrypted by a common key method using a random number B, a public key private key for decrypting the common key is held in a smart card distributed to each user, and is decrypted by the printing apparatus. There is no clue. Even if the secondary storage device is extracted from the metaphor printing device, the attribute information is stored in the attribute DB composed of the RAM and is not stored in the secondary storage device, so it is very difficult to analyze and tamper. .

  Furthermore, since the PDL data part is encrypted by the common key method and the key for decrypting the common key is not held in the printing apparatus, it is very difficult to analyze a secure job, and an advanced attack from an attacker. The confidential information included in the secure job can be protected.

[Third Embodiment]
In the configuration shown in the first or second embodiment, it is possible to apply compression processing by a lossless compression method typified by the LZW method and decompression processing at the latter stage of the decryption process before encryption.

  As a result, there is a high possibility that the data size to be encrypted will be reduced by the compression process, so that there is an effect of reducing the load of the encryption process.

  Further, since the size of the secure job is reduced, the performance can be improved in a relatively slow communication path.

  Furthermore, since the redundancy of the data before encryption can be removed by the compression process, there is an effect that the decryption of the encryption becomes more difficult.

  The configuration of the data processing program that can be read by the printing system according to the present invention will be described below with reference to the memory map shown in FIG.

  FIG. 12 is a diagram illustrating a memory map of a storage medium that stores various data processing programs readable by the printing system according to the present invention.

  Although not particularly illustrated, information for managing a program group stored in the storage medium, for example, version information, creator, etc. is also stored, and information depending on the OS on the program reading side, for example, a program is identified and displayed. Icons may also be stored.

  Further, data depending on various programs is also managed in the directory. In addition, a program for installing various programs in a computer, and a program for decompressing when the program to be installed is compressed may be stored.

  The functions shown in FIGS. 5 to 7 in the present embodiment may be performed by a host computer by a program installed from the outside. In this case, the present invention is applied even when an information group including a program is supplied to the output device from a storage medium such as a CD-ROM, a flash memory, or an FD, or from an external storage medium via a network. Is.

  As described above, a storage medium storing software program codes for realizing the functions of the above-described embodiments is supplied to the system or apparatus, and the computer (or CPU or MPU) of the system or apparatus stores the storage medium in the storage medium. It goes without saying that the object of the present invention can also be achieved by reading and executing the programmed program code.

  In this case, the program code itself read from the storage medium realizes the novel function of the present invention, and the storage medium storing the program code constitutes the present invention.

  Therefore, as long as it has the function of the program, the form of the program such as an object code, a program executed by an interpreter, or script data supplied to the OS is not limited.

  As a storage medium for supplying the program, for example, a flexible disk, hard disk, optical disk, magneto-optical disk, MO, CD-ROM, CD-R, CD-RW, magnetic tape, nonvolatile memory card, ROM, DVD, etc. Can be used.

  In this case, the program code itself read from the storage medium realizes the functions of the above-described embodiments, and the storage medium storing the program code constitutes the present invention.

  As another program supply method, a client computer browser is used to connect to a homepage on the Internet, and the computer program itself of the present invention or a compressed file including an automatic installation function is stored on the recording medium such as a hard disk from the homepage. It can also be supplied by downloading. It can also be realized by dividing the program code constituting the program of the present invention into a plurality of files and downloading each file from a different homepage. That is, a WWW server, an ftp server, and the like that allow a plurality of users to download a program file for realizing the functional processing of the present invention on a computer are also included in the claims of the present invention.

  In addition, the program of the present invention is encrypted, stored in a storage medium such as a CD-ROM, distributed to users, and key information for decryption is downloaded from a homepage via the Internet to users who have cleared predetermined conditions. It is also possible to execute the encrypted program by using the key information and install the program on a computer.

  Further, by executing the program code read by the computer, not only the functions of the above-described embodiments are realized, but also an OS (operating system) or the like running on the computer based on the instruction of the program code. It goes without saying that a case where the function of the above-described embodiment is realized by performing part or all of the actual processing and the processing is included.

  Further, after the program code read from the storage medium is written to a memory provided in a function expansion board inserted into the computer or a function expansion unit connected to the computer, the function expansion is performed based on the instruction of the program code. It goes without saying that the case where the CPU or the like provided in the board or the function expansion unit performs part or all of the actual processing and the functions of the above-described embodiments are realized by the processing.

  The present invention is not limited to the above embodiments, and various modifications (including organic combinations of the embodiments) are possible based on the spirit of the present invention, and these are excluded from the scope of the present invention. is not.

  Although various examples and embodiments of the present invention have been shown and described, the spirit and scope of the present invention are not limited to the specific descriptions in the present specification by those skilled in the art.

  Note that the present invention is not limited to the above-described embodiment, and it is needless to say that various modifications can be made without departing from the gist of the present invention.

1 is a block diagram illustrating a configuration of a printing system including a data processing apparatus (host computer) and a printing apparatus according to a first embodiment of the present invention. FIG. 2 is an explanatory diagram showing a structure of a job packet transferred from the host computer shown in FIG. 1 to a printer. It is a schematic diagram for demonstrating the mechanism in which the 1st job script is encrypted in the printing system which concerns on this invention. FIG. 3 is a data structure diagram illustrating a structure of an encryption attribute of an attribute part of a print job generated by a secure job generation unit illustrated in FIG. 1. 6 is a flowchart illustrating an example of a first data processing procedure in the printing apparatus according to the present invention. It is a flowchart which shows an example of the 2nd data processing procedure in the printing apparatus which concerns on this invention. 10 is a flowchart illustrating an example of a third data processing procedure in the printing apparatus according to the present invention. It is a schematic diagram for demonstrating the mechanism by which the 2nd job script in the printing system which concerns on this invention is encrypted. FIG. 9 is a diagram illustrating a description of a data part in which a header part of a job packet is omitted from the user key encryption attribute shown in FIG. 8. FIG. 9 is a diagram for describing the description of the data part in which the header part of the job packet is omitted from the device key encryption attribute shown in FIG. 8. It is a block diagram which shows the structure of the printing system containing the data processing apparatus (host computer) and printing apparatus which show 2nd Embodiment of this invention. It is a figure explaining the memory map of the storage medium which stores the various data processing program which can be read by the printing system which concerns on this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 Host computer 101 Application part 102 Driver part 103 Secure job generation part 104 Spool part 106 Device public key reception part 107 Device public key storage part 108 Card reader part 109 User public key storage part 150 Printer 153 Packet judgment part 154 PDL spool part 155 Attribute decryption unit 156 Attribute DB
157 PDL data decryption unit 161 device public key management unit 162 device public key transmission unit

Claims (10)

A printing apparatus capable of receiving and processing a print job generated by a printer driver of an information processing apparatus,
Attribute database means for managing individual attribute information of the received print job;
PDL storage means for temporarily storing the PDL data portion of the print job;
The print job is received, the attribute part included in the print job is decrypted based on the first decryption key information, the attribute part extracted by the decryption is registered in the attribute database means, and the print job A print job interpreting means for storing the PDL data part included in the PDL storage means in an encrypted state;
A print instruction means for giving a print instruction for a print job selected from print jobs stored in the PDL storage means by a user operation;
PDL data decrypting means for decrypting encrypted PDL data of a print job instructed to be printed by the print instructing means based on second decryption key information;
A printing apparatus comprising: Public key management means for managing private key information and public key information owned by the printing apparatus as key pair information;
The printing apparatus according to claim 1, further comprising: a public key notifying unit that notifies the information processing apparatus of the public key information out of the key pair information managed by the public key managing unit.   3. The print job interpreting means, when decrypting an attribute part, performs a decompression process by a lossless compression method on the data to be decrypted after the decryption. The printing apparatus as described.   2. The PDL data decoding unit according to claim 1, wherein the PDL data decoding unit performs a decompression process by a lossless compression method on the data to be decoded after the decoding, when decoding the PDL data portion. 4. The printing apparatus according to any one of items 3. A data processing method in a printing apparatus comprising attribute database means for managing individual attribute information of a print job to be received and capable of receiving and processing a print job generated by a printer driver of the information processing apparatus,
A PDL storage step of temporarily storing a PDL data portion of the print job in a PDL storage means;
The print job is received, the attribute part included in the print job is decrypted based on the first decryption key information, the attribute part extracted by the decryption is registered in the attribute database means, and the print job A print job interpretation step of storing the PDL data portion included in the PDL storage means in an encrypted state;
A print instruction step for giving a print instruction for a print job selected from print jobs stored in the PDL storage means by a user operation;
A PDL data decrypting step of decrypting the encrypted PDL data of the print job instructed by the print instructing step based on second decryption key information;
A data processing method characterized by comprising: A public key management step for managing private key information and public key information owned by the printing apparatus as key pair information;
6. The data processing method according to claim 5, further comprising: a public key notifying step of notifying the information processing apparatus of the public key information among the key pair information managed by the public key managing step.   7. The print job interpretation step according to claim 5 or 6, wherein when the attribute part is decrypted, decompression processing is performed on the data to be decrypted by a lossless compression method after the decryption. The data processing method described.   6. The PDL data decoding step according to claim 5, wherein when the PDL data portion is decoded, the data to be decoded is decompressed by a lossless compression method after the decoding. 8. The data processing method according to any one of 7 above.   A computer-readable storage medium storing a program for causing a computer to execute the data processing method according to any one of claims 5 to 8.   A program for causing a computer to execute the data processing method according to any one of claims 5 to 8.

Images