IPP Mail Archive: IPP>SEC

IPP>SEC

Roger K deBry (rdebry@juno.com)
Fri, 21 Feb 1997 14:21:25 EST

Following is a proposal for text on security to go into the requirements
document, as discussed in yesterday's (2/19) security phone call. Please
forward your comments to me as soon as possible. (for the time being copy
me at rdebry@juno.com). Thanks

IPP Security Requirements
Introduction

It is required that the Internet Printing Protocol provide the means to
print in secure environments. Wherever possible, IPP ought to make use of
existing security protocols and features as implemented on current
systems. IPP will not invent new security features when the requirements
described here can be met by existing protocols.

Since we cannot anticipate the levels of security or the specific threats
that any given IPP print administrator may be concerned with, IPP
implementations must provide a great deal of flexibility in associating
security mechanisms with IPP operations. One IPP installation might
require no security at all, while another similar installation might
require a very secure environment. IPP implementations must allow
different security mechanisms (e.g. SSL) as required by the installation.
This places a requirement on the IPP directory schema to describe the
security mechanisms required to perform IPP operations on a given
Printer.

Environments

The following unique operating environments have been identified as
targets for the Internet Printing Protocol. Each has differing security
requirements for the protocol.

* Client and IPP Printer are both within the same organizational
firewall. This would be the normal case for shared office printers in an
Intranet environment. It is assumed that outside attacks are minimized
by the firewall, or that the internal network is not connected to the
Internet. Depending upon company policies, security could range from none
to very secure. The printing of paychecks, for example, would have very
different security requirements from printing office documents.
* Client and IPP Printer are both outside firewalls. IPP Printers in
this environment are truly public and available to anyone on the
Internet. However, users would probably have to be authenticated and pay
for print services. This might be the case, for example, for a print
kiosk in an airport, for student printing in a University environment, or
for a commercial print shop on the Internet. Support for E-commerce,
mutual authentication, encryption and message integrity would be a
requirement of this environment.
* The client is inside the firewall and the IPP Printer is outside of a
firewall. This is a variation of the previous case, where the Printer is
public, but the user is inside of an organizational firewall. Unique
security considerations here would include controls on the print data
that is allowed to flow outside of the organizational firewall.
* The client is outside of the firewall and the IPP Printer is inside of
a firewall.
  * The first case is where the client is an employee of the organization
  that owns the Printer. This might be the case, for example, when an
  employee is working at home and submits a print job through the Internet
  to a Printer at work.
  * The second case is where the client is not an employee of the company.
  This case is not thought to be very likely.
* The client is inside of the firewall and the IPP Printer is inside of a
different firewall. This might occur in the case of an organization that
wants to print a document on a Printer on a business partner's network.

Levels of Security

Several levels of security should be considered.

1) No security: Anyone can submit jobs to the printer. No user ID or
password is required. All data transmissions are in the clear. This is
the cheapest solution and might well fit into environments not connected
to the external Internet where anyone within the environment can freely
access any printer. Data is most likely always sent in the clear.
2) Access controlled: The Printer object has an associated Access
Control List (ACL). Identification is required, but authentication (other
than perhaps a password) is not. Data is most likely always sent in the
clear. Again this is probably most suited for environments where
Printers are not accessible from outside of an organization's firewall.
However, certain printers may be usable only by certain groups within an
organization. This scheme also allows for accounting to be applied to
printing based on user or group identity.
3) Authenticated Access Control: The Printer object has an associated
ACL. Users identify themselves and are authenticated through the use of
public key certificates. Data may be sent in the clear or may be
encrypted.
4) Mutually Authenticated Access: Any communication with the printer is
done only after the end user and the Printer have been authenticated to
one another. Public key certificates are required for both users and
Printers. This method would be most likely where a Printer is made
visible outside of the organizational firewall. Data may be sent in the
clear or encrypted. Message integrity is checked for each transmission.
5) E-Commerce Printing: Two cases exist which affect security.
  * Pay-for-print: When printing is performed, the end user is required to
  pay for the printing services. A secure payment scheme must be provided,
  based on existing or planned e-commerce schemes, such as SET.
  * Pay-for-content: When printing content that has been purchased, an IPP
  Printer must be provided that understands and conforms to digital
  property rights management instructions. This is probably outside of the
  scope of IPP V1.0, but ought to be considered as a placeholder for the
  future.
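The five levels above can be read as a policy that a Printer advertises (the draft puts the required mechanisms in the directory schema) and that the Printer enforces on each job submission. The following is an added illustration, not text or code from the proposal or from any IPP implementation; it assumes the levels are cumulative (each adds to the previous one) and that the ACL is a flat set of user or group names, which the draft does not spell out.

```python
"""Policy check modelling the five IPP security levels of the draft.

Added example; not part of the proposal or of any IPP product. The
cumulative reading of the levels and the flat ACL are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Request:
    """What the client has established when it submits a job."""
    user: str | None = None        # identity claimed (level 2 and up)
    user_cert_ok: bool = False     # user authenticated by public key cert (level 3)
    printer_cert_ok: bool = False  # Printer authenticated to the user (level 4)
    integrity_ok: bool = False     # per-transmission integrity check passed (level 4)
    payment_ok: bool = False       # secure payment (e.g. SET) accepted (level 5)


@dataclass
class Printer:
    """Printer object with the security level it requires (1..5)."""
    name: str
    level: int
    acl: set[str] = field(default_factory=set)  # users/groups allowed (level 2 and up)


def check(printer: Printer, req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for a job submission against the Printer's level."""
    if printer.level == 1:            # no security: anyone may print
        return True, "no security required"
    if req.user is None:              # level 2: identification is required
        return False, "identification required"
    if req.user not in printer.acl:   # level 2: access control list applies
        return False, f"{req.user} not on ACL of {printer.name}"
    if printer.level >= 3 and not req.user_cert_ok:
        return False, "certificate authentication required"
    if printer.level >= 4 and not (req.printer_cert_ok and req.integrity_ok):
        return False, "mutual authentication and message integrity required"
    if printer.level >= 5 and not req.payment_ok:
        return False, "secure payment required"
    return True, f"level {printer.level} requirements satisfied"


if __name__ == "__main__":
    # Constructed sample: a pay-for-print kiosk (level 5) and a home worker
    # who authenticated both ways but has not paid yet.
    kiosk = Printer("airport-kiosk", 5, {"alice"})
    print(check(kiosk, Request("alice", True, True, True)))
    print(check(kiosk, Request("alice", True, True, True, payment_ok=True)))
```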

Threats

Several different kinds of threats have been identified.

* Unauthorized use or misuse of printer resources
  * supplies, printer use
  * junk printing
* Denial of service (spamming)
* Liability
  * for printed content
  * for services performed/not performed
* Provability of service
* Defeating payment or accounting system
* Incorrect destination
* Content integrity
  * correct rendering of data
  * guarantee security marks (watermarking, fingerprinting, security
  banners)
  * malicious content changes
* Confidentiality
  * on the wire
  * on the printer
  * corruption of required resources
* Passing organizational data outside a firewall
* Legal liability of user's employer for printed content