Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Encryption of printer files

0 views
Skip to first unread message

moncho

unread,
May 24, 2003, 6:31:20 AM5/24/03
to
OS 5.0.5 and OS 5.0.6

With people moving from Telnet to SSH and ftp to Sftp along with other
security measures, I was wondering what people are due to secure their print
jobs from the server to the network attached printers?

I cannot remember the name of the company or website, but someone is
currently developing an encryption printer driver but only for MS products.

Anyone out there investigated this and found something reliable?

Thanks,

moncho


Jean-Pierre Radley

unread,
May 24, 2003, 12:09:25 PM5/24/03
to
moncho typed (on Sat, May 24, 2003 at 06:31:20AM -0400):

If you're printing to a device on a network, it seems to me ipso facto
that you have no idea who is standing next to that device's output tray.
If it's a person that shouldn't be seeing the sensitive information,
then encrypting the bytes while in transit is not your main problem.

--
JP

Bob Rasmussen

unread,
May 24, 2003, 3:09:04 PM5/24/03
to

You have hit on one of the under-mentioned aspects of security. I've been
watching and looking for solutions. So far:

1. Some of the HP JetDirect devices appear to have SSL support. I have not
determined what kind of host level support there is.

2. CUPS seems to have some encryption capability.

There are many links in the chain of security, as has been pointed out.
One of the links that we are addressing is the Internet link to a remote
printer. Suppose, for instance, you're running a medical billing service,
and clients are accessing your system over the Internet. Now you need to
print reports in their office. According to HIPAA, this needs to be
encrypted when it travels over the Internet, at least.

One solution, for character-based applications, is passthrough print,
through an SSH session. If I run AnzioWin (our SSH client) to a host
system, then do passthrough print through that session, the print data is
travelling on the same authenticated, encrypted channel as the screen
data. And regardless of what you may have heard in the past, passthrough
print can be made to work very well. The data is encrypted to the point of
the user's PC, where it can be sent to a directly-wired desktop printer,
or to a networked printer, in which case security analysis would be needed
on that link.

We are also working on a feature called "back channel printing", again in
an SSH connection. With this feature, the multiplexing nature of SSH is
used to create a back channel, using a different pty on the host system.
Printout can be routed to that pty (which can be soft-linked to a knowable
name), and it again travels over the authenticated, encrypted session. In
this approach, the print data positively can not mix with the screen data,
and the Unix spooler can be used if desired.

Finally, there is web-server based printing. Our Web Print Object (WePO)
allows precise printing in this environment. The WePO object actually
fetches the data to be printed from the server, and can use HTTPS to do
so, so data is encrypted. I believe that external means could be used to
authenticate (is this person authorized to view this data?), but we are
still experimenting with that.

More info on web site below.

Regards,
....Bob Rasmussen, President, Rasmussen Software, Inc.

personal e-mail: r...@anzio.com
company e-mail: r...@anzio.com
voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
fax: (US) 503-624-0760
web: http://www.anzio.com

Robert Carnegie

unread,
May 26, 2003, 6:03:08 PM5/26/03
to
Jean-Pierre Radley <j...@jpr.com> wrote in message news:<20030524160...@jpradley.jpr.com>...

Agreed; if the location of the printer is not physically secure,
then you probably want at least a printer that requires a PIN or
other identification before delivering the document. If copiers
with printer capability still come with usage accounting and/or
access key systems built in as well, that should do /that/ job.
I don't know how much of that ours has got, if it requires a PIN
then no one would tell me what the PIN is...

Alternatively, you can install the printer inside a cabinet with a lock.
If the cabinet is transparent, ensure that documents always come out
single-sided print and face down...

Jeff Liebermann

unread,
May 26, 2003, 6:42:58 PM5/26/03
to
On 26 May 2003 15:03:08 -0700, rja.ca...@excite.com (Robert
Carnegie) wrote:

>Agreed; if the location of the printer is not physically secure,
>then you probably want at least a printer that requires a PIN or
>other identification before delivering the document.

Almost all of the high end (i.e. overpriced) network production
printers offer "lockable mailbox bins" or similar ways of securing the
print jobs. Various government contracts require this feature.

One of my security conscious customers decided to lock their dot
matrix production printer in a closet, as they suspected employees
were printing out customer lists and selling them to competitors. It
was a big Printronix printer and a small closet. I was called in to
do damage control when a print job went insane, and jammed the inward
opening door shut by wrinkling a box of wide green bar paper.

I once played with a laser printer that generated scrambled output.
Each dot would be re-positioned somewhere near the proper location.
To read the output, the user had a fiber optic plate, that
repositioned the dots back to their proper location. You could fish a
printed page out of the trash and still not be able to read the page
without the fiber optic decoder plate. A similar system was used for
reading authentication codes on bank drafts. It kinda worked but was
a real pain to align. It was also suppose to eliminate the need for
paper shredders, which didn't happen. The customer blundered onward
to the "paperless office" which also didn't happen. There are many
such ideas on the road to security.

One of my aquaintances makes a business out of selling "invisible ink"
for ink jet printers through the various "spy supply" online stores.
The print only shows up when the paper is heated.
http://www.masino.com/ideas/LemonInkjet.php
Try not to start a fire while reading the page.

None of these will do any good against a camera mounted inside the
copier or printer. Our spooks did exactly that to the Russian embassy
in Washington DC during the cold war. The film cartridge was replaced
whenever the copier repairman came to do scheduled maintenance. It
didn't catch anything useful or even interesting.

Ummm... Where's my black hat?


--
Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
(831)421-6491 pgr (831)336-2558 home
http://www.LearnByDestroying.com AE6KS
je...@comix.santa-cruz.ca.us je...@cruzio.com

moncho

unread,
May 27, 2003, 6:14:42 AM5/27/03
to

"Bob Rasmussen" <r...@anzio.com> wrote in message
news:Pine.LNX.4.55.03...@nimbus.anzio.com...

> On Sat, 24 May 2003, moncho wrote:
>
> > OS 5.0.5 and OS 5.0.6
> >
> > With people moving from Telnet to SSH and ftp to Sftp along with other
> > security measures, I was wondering what people are due to secure their
print
> > jobs from the server to the network attached printers?
> >
> > I cannot remember the name of the company or website, but someone is
> > currently developing an encryption printer driver but only for MS
products.
> >
> > Anyone out there investigated this and found something reliable?
>
> You have hit on one of the under-mentioned aspects of security. I've been
> watching and looking for solutions. So far:
>
> 1. Some of the HP JetDirect devices appear to have SSL support. I have not
> determined what kind of host level support there is.

I believe this is thru their SD Express printing.

http://h20015.www2.hp.com/en/document.jhtml?lc=en&docName=bpj07078

>
> 2. CUPS seems to have some encryption capability.

Will investigate this.

>
> There are many links in the chain of security, as has been pointed out.
> One of the links that we are addressing is the Internet link to a remote
> printer. Suppose, for instance, you're running a medical billing service,
> and clients are accessing your system over the Internet. Now you need to
> print reports in their office. According to HIPAA, this needs to be
> encrypted when it travels over the Internet, at least.
>
> One solution, for character-based applications, is passthrough print,
> through an SSH session. If I run AnzioWin (our SSH client) to a host
> system, then do passthrough print through that session, the print data is
> travelling on the same authenticated, encrypted channel as the screen
> data. And regardless of what you may have heard in the past, passthrough
> print can be made to work very well. The data is encrypted to the point of
> the user's PC, where it can be sent to a directly-wired desktop printer,
> or to a networked printer, in which case security analysis would be needed
> on that link.

Now this intrigues me. I am doing more investigation on this but I will
ask a question anyways.

If a person connects via a VPN connection with SSH how does
pass-thru printing work?

How are you able to send the print job back thru the tty?

If you have any links that explains this, it would really help.


>
> We are also working on a feature called "back channel printing", again in
> an SSH connection. With this feature, the multiplexing nature of SSH is
> used to create a back channel, using a different pty on the host system.
> Printout can be routed to that pty (which can be soft-linked to a knowable
> name), and it again travels over the authenticated, encrypted session. In
> this approach, the print data positively can not mix with the screen data,
> and the Unix spooler can be used if desired.

What do you mean by "soft-linked to a knowable name"?

>
> Finally, there is web-server based printing. Our Web Print Object (WePO)
> allows precise printing in this environment. The WePO object actually
> fetches the data to be printed from the server, and can use HTTPS to do
> so, so data is encrypted. I believe that external means could be used to
> authenticate (is this person authorized to view this data?), but we are
> still experimenting with that.

This sounds pretty cool.

>
> More info on web site below.

Will be visiting soon....

>
> Regards,
> ....Bob Rasmussen, President, Rasmussen Software, Inc.
>

Thanks,

moncho


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.483 / Virus Database: 279 - Release Date: 5/19/2003


moncho

unread,
May 27, 2003, 6:14:42 AM5/27/03
to

"Jean-Pierre Radley" <j...@jpr.com> wrote in message
news:20030524160...@jpradley.jpr.com...

Actually if the printer is in an area for specfic employees and/or the
business rules state that the corporation as a whole is actually one person
with regards to identifiable information (every person signs a
confidentiallity agreement) then the printed docs are still within the
security specs.

The problem lies in the fact that if we are so worried about encrypting the
session from the pc to the server on an internal network then why the heck
do we not worry about standard print jobs to the printer. Although on an
internal network it could fall back to the above security specs.

The main thing I am worried about is that if a hacker, external or internal)
gets in (I know he could probably get at a ton of crap by then), and
installs a port scanner, risk can be limited with an encrypted session to
the printer.

Bob Rasmussen

unread,
May 27, 2003, 11:29:39 AM5/27/03
to
On Tue, 27 May 2003, moncho wrote:

> > 1. Some of the HP JetDirect devices appear to have SSL support. I have not
> > determined what kind of host level support there is.
>
> I believe this is thru their SD Express printing.
>
> http://h20015.www2.hp.com/en/document.jhtml?lc=en&docName=bpj07078

That's a start, but I find it difficult to get the big picture from HP
documents.

> ...


> If a person connects via a VPN connection with SSH how does
> pass-thru printing work?

I should have mentioned VPN as another solution. A VPN provides some
security for printing. Note that SSH and VPN are independent protocols.

>
> How are you able to send the print job back thru the tty?
>
> If you have any links that explains this, it would really help.

Passthru printing works with most terminal emulation products. A piece of
code on the server sends out a "printer on" escape sequence, then print
data, then a "printer off" sequence. See "A Guide to Passthrough Printing"
at http://www.anzio.com/support/whitepapers/printguide.htm

> >
> > We are also working on a feature called "back channel printing", again in
> > an SSH connection. With this feature, the multiplexing nature of SSH is
> > used to create a back channel, using a different pty on the host system.
> > Printout can be routed to that pty (which can be soft-linked to a knowable
> > name), and it again travels over the authenticated, encrypted session. In
> > this approach, the print data positively can not mix with the screen data,
> > and the Unix spooler can be used if desired.
>
> What do you mean by "soft-linked to a knowable name"?

The back channel is created on some pty, but that can change every time.
So how will the primary process know where to send the print data? The
solution is to soft-link the back channel's pty to a name based on the
username, primary pty, etc.

Regards,
....Bob Rasmussen, President, Rasmussen Software, Inc.

personal e-mail: r...@anzio.com

Jeff Liebermann

unread,
May 27, 2003, 12:26:07 PM5/27/03
to
On Tue, 27 May 2003 10:14:42 GMT, "moncho"
<mon...@NOspamameritech.net> wrote:

>If a person connects via a VPN connection with SSH how does
>pass-thru printing work?

Lacking any knowledge of the network topology, a few notes:
1. If your printer is plugged into a dedicated print server (i.e. HP
JetDirect box), which has no encryption capabilities, then the traffic
on the network to the print server must be un-encrypted and is
sniffable.
2. If your (parallel) printer is plugged directly into a server that
also terminates the VPN or SSH session, then the traffic on the
network is encrypted and not sniffable. It would be possible to
replace a dedicated HP Jetdirect print server, with a dedicated
Unix/Linux box acting as a print server using an SSH tunnel.
3. If your VPN is terminated by a VPN router, then all the traffic on
the inside LAN is unencrypted and sniffable.
4. If you are using an ethernet switch, the traffic between the
server and the network print server only travels between the two ports
involved thus limiting the opertunities for sniffing.

Adding an SSH tunnel inside an encrypted VPN tunnel is only useful if
terminated on different machines. For just printing, they perform the
same function.

0 new messages