The present invention relates to a printer device for performing at least one printer function, comprising a control system for controlling the at least one printer function and access means for selectively providing a user with access to the printer function, wherein the access means are coupled with the control system and comprise communication means capable of and configured to receive a printer command from the user and transmit said printer command to the control system.

To prevent unauthorised use of the printer device and consumption of printer supplies, the printer device is equipped with access means for authothentication a the user, which first authenticate an access right before releasing a printer function of the printer device. Authentication is the technique by which a system can identify who a user is and whether the user is authorised. The most well-known example of authentication is logging in with a username and password. This allows a user to access data and work on a system. However, storing such user data and passwords in the printer device is cumbersome and, moreover, this form of authentication is prone to misuse.

Known means of access for user authentication at a printer device include a card reader linked to the printer's control system that is mounted on, at or near the printer. This uses a personalised access device in the form of a smart card or magnetic card that can be read by the card reader, either with or without contact. The card stores a card ID, which is transmitted to the card reader in cryptographically encrypted form and is exchanged by the card reader with the control system. Only if the card is accepted by the control system will one or more printer functions be released by the system. The card may possibly have an administration attached to it that records a level of usage that can then be charged to the user, if necessary.

An objection to this well-known form of securing a printer device against unauthorised use is that although the card identification is issued to the card reader in encrypted form, the same card reader then exchanges the access request unsecured and note over a standard wire-bound USB connection to the control system. This connection can be relatively easily eavesdropped on by readily available ICT tools, making it relatively easy to intercept and duplicate the now unsecured access request. In the wrong hands, there is thus a danger of unauthorised reuse of the access request and therewith the released printer function(s). An object of the present invention is to provide a printer device that is more secure against unauthorised use in a practical manner.

To that end, a printer device of the type described in the preamble is characterized according to the invention in that the access means comprise identification means that generate a unique command identifier at the printer command, in that the access means include encryption means that cryptographically encrypt the printer command together with said unique command identifier with an encryption key into a cryptographically encrypted printer command, and transmit the printer command in cryptographically encrypted form, in that the control system is coupled with decryption means that are capable and configured to decrypt the cryptographically encrypted printer command and derive the printer command together with the unique command identifier from the cryptographically encrypted printer command using a decryption key associated with the encryption key, and in that validation means are provided that validate the command identifier as being valid only once.

The unique command identifier generated by the access means and attached to the printer command before forwarding the printer command in the form of an encrypted printer command ensures that the printer command is usable only once. To that end, a particular embodiment of the printer device according to the invention is characterized in that the validation means are coupled with an electronic memory in which the unique command identifier(s) of completed printer commands were stored and an offered command identifier is tested for their presence in the memory. Should the printer command be unlawfully intercepted or intercepted and duplicated, unauthorised reuse of the printer command by the decryption means can thus be easily established from a repetition of a command identification already stored in memory. The printer command will then not be accepted again.

Moreover, because the unique command identification, together with the printer command itself, is encrypted in the encrypted printer command, it is practically impossible to modify the command identification wrongfully. In this way, an exceptionally high degree of security is created even though communication between the access means and the control system and/or the decryption means may be over an inherently unsecured (USB) uni-directional connection. A special implementation form of the printer device thereby has the characteristic in that the identification means comprise a counter capable and configured to generate an incrementing rank at the printer command, in particular an arithmetic counter which generates an incrementing sequence number at the printer command, in that the access means comprise an access device comprising a unique device identifier, and in that the unique command identifier comprises a combination of the rank and the device identifier of an input device. Thereby, a higher ranking means a ranking that comes sequentially after a previous ranking, so that in particular only the absolute value of, for example, a counter is important and also a lower value in a descending sequence may have a higher ranking. Here, the command identifier always includes a fixed device identifier in combination with a varying sequentially following rank assigned to the request.

Such precedence may, for example, be a sequential code in a set of codes stored for that purpose in or near the access means or an incremental alpha-numeric value. In particular, it may be based on an arithmetic counter that generates a numeric value that has been incremented, with or without a fixed fraction, from a previous generated value.

Alternatively, a time and date stamp generated by clock devices provided for this purpose in or near the acces means can be used for this purpose as a unique numeric value that, together with the device identification, forms a unique command identifier. What matters is that the decryption means will later be able to distinguish an illegally obtained duplicate from an original printer command in order to thus deter unauthorised (re)execution of the printer command; and that without necessary feedback with the user's personal access means.

In a preferred embodiment, the printer device according to the invention is characterised in that the decryption means comprises a decryption device that is linked, or at least connectable, to the control system through second means of communication, where the decryption key is available in the decryption device and the decryption device is able and arranged to decrypt the encrypted printer command. Thus, the decryption key need not be known in the control system of the printer device and/or stored in the printer device. Instead, an independent decryption device holds this sensitive information and the decryption and validation is left to it. The decryption and validation means may be provided in or near the control system itself but may also be located remotely from it. In a particular embodiment, the printer device is characterised for this purpose in that the second communication means comprises telecommunication means which are capable and configured to establish and at least temporarily maintain a telecommunication link for data exchange with the control system, wherein the decryption device is coupled to the control system via the telecommunication link, or is at least connectable, and wherein the telecommunication link is in particular at least in part via the Internet, preferably via an encrypted virtual network (VPN).

The result of the validation may be, for example, a Boolean flag or value (true or false) that is issued to the control system, whether encrypted or not, or the original printer command. But also, the decryption device may only conditionally, under the condition of a printer command validated as valid, establish communication with the control system, in which case no product will be released by the control system of the printer device in the absence of communication with the decryption device.

For cryptographic encryption, self known encryption techniques can be used. Encryption or encoding is based on the concept of encryption algorithms and "keys". When information is sent, it is encrypted based on an algorithm. After that, it can only be decoded with the right key. Such a key can be on the receiving system or sent with the encrypted data. The encrypted data can afterwards be decrypted (decrypted or decoded) again, so that the original information is obtained again. This process is called decryption. In particular, the decryption device is capable of performing such decryption.

There are roughly two forms of cryptography: symmetric and asymmetric. Symmetric cryptography, also called secret-key algorithm, decrypts the information with a key that must be provided to the receiving system before the information can be decrypted. Encryption and decryption are done with the same key. This method is particularly suitable for a closed system, where both encryption resources and decryption resources come from the same source. Translated to the printer device according to the invention, the relevant key is then, for example, stored securely in or near the access means as well as in or near the decryption device. The advantage is that this method is much faster than the asymmetric method. Asymmetric cryptography uses two different keys: a public key and a private key, which are mathematically linked. The keys are essentially just large numbers linked together but not identical, hence the name asymmetric. The public key is shared with everyone, but the private key remains secret. Both are needed to encrypt a message. A message is decrypted with the private key linked to the public key that was used in part for encryption. Preferably, this technique is implemented in the printer device according to the invention.

Preferably, not only communication to the decryption device is encrypted, but communication from the decryption device to the control system is also encrypted. To this end, a further particular embodiment of the printer device according to the invention has the feature that the decryption device comprises second encryption means capable and configured to cryptographically encrypt the printer command with a second encryption key and therefore exchange said printer command in cryptographically encrypted form with the control system, the control system comprising second decryption means capable of decrypting the encrypted printer command with a second decryption key, which second decryption key is associated with the second encryption key. Thus, an additional layer of security is incorporated that aims to further deter misuse.

A further particular embodiment of the printer device according to the invention has the feature that the access device comprises a card reader for reading an electronic access card or electronic token of the user, in particular a smart card or smart token. The term "card" is to be understood broadly as any form of hand-held data carrier which can be read electronically with a reading device adapted thereto, such as, for example, in addition to magnetic and smart cards, so-called drops, pendants and other tokens. This type of implementation is in line with the many existing printer devices on the market that are based on access by means of an electrically readable card or other token. By simply replacing the reading device thereof with the card reader with access means according to the invention, these personal tokens remain usable and require minimal intervention in the existing infrastructure, particularly on the user's side.

In terms of ease of use, a particular embodiment of the printer device according to the invention has the feature that the access device comprises the input device for contactless data transfer with a personal access device of the user. For this contactless data transfer, if desired, a connection that is not secure in itself can be used because the data exchange will be encrypted. In particular, standard wireless data transfer protocols such as Near Field Communication (NFC), Bluetooth and WiFi lend themselves to this. In a special embodiment, the access device for this purpose comprises a module for wireless data transfer based on Near Field Communication (NFC), WiFi or Bluetooth or a comparable standard protocol for wireless communication.

Additional security and authentication of the legitimate user may be provided by a further special embodiment of the printer device according to the invention characterised in that the personal access device comprises an intelligent personal telecommunication device of the user, in particular a smart phone, and that the access device is capable of and arranged to perform multi-factor authentication with the personal telecommunication device of the user. Thus, authentication is enforced by applying at least two forms of authentication simultaneously.

One example is the use of the personal access device (token) with a PIN code. An attacker must now not only crack the encryption key, but also possess the token. Another form is a one-time password or one-time code sent by the decryption device to the user's personal access device, in particular a smartphone, to be entered as part of the user's authorisation. The multi-factor authentication then involves, for example, the issuing of a temporary password or temporary access code by the decryption device or the access device to the user to be entered by the user in response to a printer command before the printer command is further processed.

Instead of a PIN code or password, biometric recognition of one or more biometric characteristics of the user may additionally be relied upon, especially when using a smart phone. Examples include a fingerprint, the user's voice, iris and/or retinal vasculature or facial recognition.

Because data can be exchanged securely in encrypted form between the personal access device and the decryption device, the security or otherwise of the communication channel is of secondary importance. The communication channel can therefore, while maintaining security, be a communication channel that third parties can also access, such as the Internet. Encryption ensures that such third parties cannot nevertheless read the content of the messages or data exchanged. By using the Internet to transmit the printer command to the decryption device, the latter can be provided as a Cloud solution and no special dedicated communication infrastructure is required.

In the described manner, the decryption device can perform authentication and authorisation of large numbers of users simultaneously or at least jointly. The printer device according to the invention is therefore ideally suited to larger organisations and institutions. In that case, a preferred embodiment of the printer device according to the invention has the feature that the printer device is part of a group of printer devices that are jointly associated, or at least connectable, with the decryption means. Such shared decryption means simplify the issuance, administration and management of issued access means and is seamlessly scalable to more users and to a larger group of printer devices.

The invention also relates to a decryption device that is capable of and configured to cooperate with any one or more printer devices according to one or more of the preceding claims in order to receive from a printer device a printer command cryptographically encrypted with an encryption key, comprising decryption means having a decryption key associated with the encryption key, which enables the decryption means to decrypt the encrypted printer command and derive a unique command identifier encrypted therein, and that validation means are provided which are capable of and configured to validate the unique command identifier as being valid only once and deliver this validation result to an control system associated with the printer device.

Further, the invention relates to an access device for a printer device, comprising communication means capable and arranged to receive a printer command from a user, identification means generating a unique command identifier with the printer command, encryption means cryptographically encoding the printer command together with the unique command identifier with an encryption key into a cryptographically encrypted printer command, and comprising a port for a connection over which the cryptographically encrypted printer command is transmittable.

Such an access device can be used as an add-on to an existing printer device, for example to replace a card reader used so far, or it can be used originally in a new printer device to be manufactured or supplied. For a seamless integration into an existing infra-structure, a special implementation form of the access device thereby has the feature that the communication means include a card reader for reading an electronic access card or electronic token of the user, in particular a smart card or smart token.

In a preferred embodiment, the access device according to the invention is thereby characterised in that the identification means comprises a counter capable and configured to generate an incremental rank at the printer command, in particular an arithmetic counter which generates an incremental sequence number at the printer command, and that the unique identifier comprises a combination of the rank and a unique device identifier of the access device. The unique device identifier includes, for example, a MAC address or other unique code of an electronic component used therein, and when combined with the rank to be generated each time by the access device, forms a unique combination that can be encoded as such in the printer command.

The access device may itself be variously equipped with communication means for reading out the personal access device, whether secured or unsecured and whether wired or contactless and/or wireless. A particularly practical form has as a feature that the communication means are capable of and arranged for contactless data transmission with a personal access means of the user. In particular, for this purpose, the access device may rely on a module for wireless data transfer based on Near Field Communication (NFC), WiFi or Bluetooth or a comparable standard protocol for wireless communication.

Thereby, the personal access device may further comprise an intelligent personal telecommunication device of the user, in particular a smart phone, where the decryption means and/or the access means may be able and arranged to perform multi-factor authentication with the personal telecommunication device of the user.

Below, the invention will be explained in more detail by means of an implementation example and a corresponding drawing. In the drawing shows:

Figure 1 a schematic representation of an implementation example of a printer device according to the invention. It should be noted, incidentally, that the figure is purely schematic and not always drawn to (the same) scale. In particular, for the sake of clarity, some dimensions may be more or less exaggerated. Corresponding parts are indicated in the figure with the same reference number.

Figure 1 shows a printer device as an example of a printer device according to the invention. In this example, it concerns a multi-function printer or copier 100 which is capable of and configured to perform a number of printer functions, such as a printing or on-demand printing function on various sizes of paper and a scanning function by means of a scanner provided for this purpose at the top of the device. The printer device 100 is provided with an access device 15 equipped with a communication module for wireless communication with a user's personalised access means 20.

For the access device 20, an intelligent device (smartphone) equipped with a Bluetooth and/or Near Field Communication (NFC) transmitter/receiver circuitry for contactless communication with the module of the access device 15, which is also provided with such a transmitter/receiver circuitry so that a wireless communication link can be established and maintained therebetween. Over this connection, the device 20 exchanges a printer command 25 with the communication module of the access device 15. Also, the access device 15 includes a card reader with which a smart card 22 or similar token may be read, either with or without contact. Alternatively, a card reader for a user's magnetic card or other token may also be used. Unlike the smartphone 20, these cards and tokens generally do not involve bi-directional communication but only uni-directional one-way traffic through which the printer command 25 is passed to the printer.

For security and data protection reasons, the printer command 25 is cryptographically encrypted. For example, the printer command 25 is already stored in encrypted form in the card 22, with the card reader in the module having the required decryption key and software to decrypt the printer command 25. Adequate encryption and decryption technology is also part of the aforementioned and other wireless data transmission protocols so that secure encryption of the printer command 25 is seamlessly implemented therein. Alternatively, the printer command may merely comprise a command to execute a (print) command already stored in or at the printer. The access device 15 is wired to a central control system 13 of the printer 100. In general, this involves a standard, often unsecured serial or TTL connection, such as here a USB connection 11 with a standard keyboard interface. After being decrypted by the access device 15 with the communication module, the printer command 25 could only be transmitted insecurely and susceptible to interception over this relatively insecure connection to the control system 13. Nevertheless, to provide secure transmission, the access device 15 includes encryption means 13 by which the printer command 25 is uniquely encrypted.

Moreover, the access device has tagging means 16 that also encrypt a proprietary identification ID of the access device 15 or access module in the printer command 25 as well as a unique rank 17. The latter is always a successive code or value as a higher rank in a defined sequence of codes or values. This example uses an arithmetic counter 17 for this purpose, which always outputs an incremental value in the form of an ever-increasing integer value. Alternatively, a code in a predefined and as such stored in the access device 15 sequence of codes, a time/date stamp or otherwise a predefined sequence that uniquely defines a ranking of the printer command 25 time-sequentially may be applied instead.

The ranking 17 of the printer command 25 thus generated by the access device 15 is combined with the identification (ID) 16 of the access device 15 with which the personal access device 20,22 was communicated. Together, they form a unique command identifier which, as such, is cryptographically encrypted together with the printer command 25 into an encrypted printer command 35, using an initial algorithmic encryption key available to the access device 15 for this purpose.

The access device 15 transmits the encrypted printer command 35 to the control system 13 of the printer device 100. Although the standard and in itself unsecured USB communication port 11 of the printer 100 is used for this purpose, the cryptographic encryption of the printer command 25 in the printer command 35 hereby nevertheless provides adequate protection against tampering or tampering of the system or interception of the encrypted printer command 35. Without knowledge of the decryption key associated with the first encryption key, the encrypted printer command 35 is practically unreadable or tamperable. The control software (print management software) of the control system 13 has a facility that enables the control system 13 to pass the encrypted printer command 35 in encrypted form to decryption means 50. In this case, the decryption means include a remote decryption annex validation server 50 of the control system and the printer 100 acting in common for a group of such printer devices, whether or not in the same geographical location. Therein, specific decryption and validation software 55 is loaded based on which the decryption and validation server 50 is able to decrypt the encrypted printer command 35 and test it for authenticity. For this purpose, the server 50 processes decryption software with a cryptographic decryption key associated with the first encryption key.

Only when the authenticity of the printer command 35 is established, the server 50 transmits the decrypted printer command 25 to the control system 13 of the printer 100, which responds to it in the usual way by releasing one or more printer functions to the user, depending on its privileges. The authenticity of the printer command 35 is thereby established by the server 50 on the basis of the unique access identification accompanying the printer command 25. Only the first time the printer command 25 is presented with the corresponding rank 1 17, the printer command 35 is accepted as authentic and the printer command 25 embedded therein accepted. To this end, the server has access to an electronic memory in which the unique access identifiers of already completed printer command 35 were stored.

If a combination of device identifier ID and rank 1 already occurs as an offered access identifier in this stored set of access identifiers, the offered access identifier is recognised by server 50 as a repetition and is not accepted again. Re-use of the encrypted printer command 35, e.g. after it was unlawfully intercepted or duplicated, is thus precluded by the fact that this is immediately found out from the already used and therefore expired rank 1 at the device identification ID.

For communication between the server 50 and the control system 13 of the printer 100, a secure connection is used in this example. The server 50 provides connection with an authentication service, such as Microsoft Active Directory (LDAP) and Azure AD. Various protocols and platforms can be used by themselves for communication between the printer and the decryption device, such as HTTPS, TLS1.2 and TLS 1.3, for example. The decrypted printer command 25 may therefore be exchanged in readable, decrypted form nevertheless securely by the server 50 with the printer 100. Incidentally, if required, cryptographic encryption may also be applied again for this message exchange, using a second encryption/decryption key pair shared between the server 50 and the printer 100. In both cases, the server 50 is connected to the printer 100 with advantage via the Internet 60 for data exchange. The server 50 is hereby provided as a cloud solution to which additional printer 100 can easily be connected without having to intervene in the existing ICT infrastructure in any way. Incidentally, it should be noted that where this example is based on a server 50, this should not just be understood to mean an independent physical device, but also a virtual server environment running on shared hardware.

If desired, the smartphone 20 adds extra security by requesting an access code (password or PIN) itself and/or performing biometric recognition. Furthermore, the system can be augmented with a further form of multi-factor authentication in that the server 50 derives from the printer command 35 an SSID of the device 20 also encrypted therein and sends a temporary password to it.

Altogether, the invention thereby creates a particularly user-friendly security layer on the control system and hardware of a printer device by which the authentication and authorisation of a user can be established particularly reliably and securely autonomously, i.e. completely upstream without any necessary hand-shaking or other feedback, making the invention also applicable in a uni-directional connection for data throughput.

Although the invention was explained in more detail above by means of merely a few implementation examples, it should be clear that the invention is by no means limited to this. On the contrary, many variations and manifestations are still possible within the scope of the invention for an average person skilled in the art.