Image forming apparatus and communication control method
The image forming apparatus enables user-controlled authorization of weakly encrypted connections, addressing convenience issues by allowing printing from devices with weak encryption while ensuring secure, limited use.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Patents
- Current Assignee / Owner
- OKI ELECTRIC INDUSTRY CO LTD
- Filing Date
- 2022-09-29
- Publication Date
- 2026-06-23
AI Technical Summary
Image forming apparatuses that restrict the use of communication protocols with low security can impair user convenience by preventing printing from devices that only support such protocols.
An image forming apparatus that allows users to selectively enable or disable communication protocols with weak encryption, providing a user interface to authorize temporary use of weakly encrypted connections, and limits printing to one job or a predetermined time frame.
Enhances user convenience while maintaining security by allowing printing from devices with weak encryption upon user authorization and ensuring secure, limited use of such connections.
Smart Images

Figure 0007877994000001 
Figure 0007877994000002 
Figure 0007877994000003
Abstract
Description
Technical Field
[0006] , ,
[0001] The present invention relates to an image forming apparatus and a communication control method.
Background Art
[0002] An image forming apparatus such as a printer receives print data from an information processing apparatus such as a PC and performs printing. Here, the image forming apparatus supports a plurality of communication protocols and communicates with the information processing apparatus using the communication protocol requested by the information processing apparatus (see, for example, Patent Document 1).
[0003] In addition, among the plurality of supported communication protocols, there is an image forming apparatus that has a function of restricting the use of some communication protocols with weak encryption strength and low security (that is, it does not accept print requests transmitted using some communication protocols with low security).
Prior Art Documents
Patent Documents
[0004]
Patent Document 1
Summary of the Invention
Problems to be Solved by the Invention
[0005] However, in an image forming apparatus having a function of restricting the use of some communication protocols with low security, for example, printing from an information processing apparatus that can communicate only with those some communication protocols becomes difficult, and there is a problem that the convenience of the user may be impaired. <00000
[0007] The image forming apparatus of the present invention comprises: a communication unit capable of communicating with an external device using either a first encrypted communication or a second encrypted communication having stronger encryption strength than the first encrypted communication; a printing unit that performs printing in response to a print request from the external device received by the communication unit; a storage unit that stores setting information indicating whether or not the communication unit accepts the first encrypted communication; a display unit; an operation unit; and, when the setting information indicates that the first encrypted communication is not accepted, the communication unit receives a print request from the external device using the first encrypted communication, which displays a screen on the display unit for the user to select whether or not to allow the print request from the external device using the first encrypted communication; and when the user selects to allow the print request using the first encrypted communication via the operation unit, the control unit controls the communication unit to accept the first encrypted communication from the external device.
[0008] Furthermore, the present invention relates to a communication control method for an image forming apparatus having a communication unit capable of communicating with an external device using either a first encrypted communication or a second encrypted communication having stronger encryption strength than the first encrypted communication; a printing unit that performs printing in response to a print request from the external device received by the communication unit; and a storage unit that stores setting information indicating whether or not to accept the first encrypted communication by the communication unit. When the setting information indicates that the first encrypted communication will not be accepted, and the communication unit receives a print request from the external device using the first encrypted communication, the control unit displays a screen on the display unit for the user to select whether or not to allow the print request from the external device using the first encrypted communication. When the user selects to allow the print request using the first encrypted communication via the operation unit, the control unit controls the communication unit to accept the first encrypted communication from the external device.
[0009] Thus, even if the system is configured not to accept the first encrypted communication from an external device, it is now possible to accept the first encrypted communication from the external device and print, but only if the user permits the print request when the first encrypted communication is received from the external device. [Effects of the Invention]
[0010] According to the present invention, it is possible to realize an image forming apparatus and a communication control method that improve user convenience while ensuring security. [Brief explanation of the drawing]
[0011] [Figure 1] This is a diagram showing an example configuration of a printing system. [Figure 2] This is a block diagram showing the configuration of an MFP. [Figure 3] This diagram shows the structure of TLS version 1 authorization information. [Figure 4] This flowchart shows the behavior of the MFP when TLS version 1 is disabled on the MFP. [Figure 5] This flowchart follows the flowchart shown in Figure 4. [Figure 6] This is a sequence chart showing the operation of the MFP and the PC when TLS version 1 is disabled on the MFP. [Figure 7] This diagram shows the screen layout displayed on the MFP. [Figure 8] This flowchart shows the behavior of the MFP when TLS version 1 is enabled on the MFP. [Modes for carrying out the invention]
[0012] Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
[0013] [1. Overall configuration of the printing system] FIG. 1 is a diagram showing a configuration example of a printing system 10 according to an embodiment of the present invention. As shown in this FIG. 1, the printing system 10 is composed of an MFP 100, a PC 200, a PC 300, and a NET 400 connecting these.
[0014] The MFP 100 is a multifunction device equipped with an image reading function in addition to a printing function. This MFP 100 is network-connected to a NET 400 which is a network such as a wired LAN or a wireless LAN, and can communicate with the PC 200 and the PC 300 mutually by TCP / IP. Further, the MFP 100 has server functions of IPPS (IPP over SSL / TLS) and HTTPS (HTTP over SSL / TLS), and communicates with the PC 200 and the PC 300 which have client functions of IPPS and HTTPS using these communication protocols.
[0015] The PC 200 and the PC 300 are personal computers equipped with client functions of IPPS and HTTPS, and can instruct printing to the MFP 100 using the communication protocol of IPPS or HTTPS.
[0016] Here, the server functions and client functions of IPPS and HTTPS include an encrypted communication function called TLS (Transport Layer Security), and encrypted communication can be performed by this TLS.
[0017] That is, in the printing system 10, network printing using TLS (hereinafter referred to as encrypted PCPrint) can be performed on the MFP 100 from the PC 200 and the PC 300.
[0018] This TLS has a version with weak encryption strength (hereinafter referred to as TLS Version 1) and a version with strong encryption strength (hereinafter referred to as TLS Version 2). The server functions of IPPS and HTTPS provided by MFP100 support both TLS Version 1 and TLS Version 2. On the other hand, the client functions of IPPS and HTTPS provided by PC200 and PC300 only support TLS Version 1.
[0019] That is, in the printing system 10, for MFP100, network printing using TLS Version 1 (hereinafter referred to as encrypted PCPrint) can be performed from PC200 and PC300.
[0020] Incidentally, although it will be described in detail later, in MFP100, TLS Version 1 can be set to be enabled or disabled. When TLS Version 1 is set to be disabled, the use of TLS Version 1 is prohibited, and only the stronger encryption strength TLS Version 2 can be used. The overall configuration of the printing system 10 is as described above.
[0021] Incidentally, in the printing system 10 of the present embodiment, personal computers are used as PC200 and PC300, but it is not limited thereto, and mobile terminals such as smartphones may also be used.
[0022] [2. Configuration of MFP] Next, the configuration of MFP100 will be described with reference to FIG. 2. Regarding the configurations of PC200 and PC300, since they have a general computer configuration including a control unit, a storage unit, a display unit, an operation unit, a network communication unit, etc., detailed description thereof will be omitted.
[0023] MFP100 has an image reading unit 101, a printing unit 102, a network communication unit 103, a data storage unit 104, a display / operation unit 105, an encrypted communication control unit 106, a data generation unit 107, and a control unit 108.
[0024] The image reading unit 101 is the part that reads the document set on the document glass or feeder, for example, a scanner. The printing unit 102 is the part that performs printing based on print data written in a page description language such as PostScript, for example, printing on paper using toner. This print data is sent to the MFP100 from the PC200 or PC300 in units called print jobs.
[0025] The network communication unit 103 connects to NET400 and communicates with PC200 and PC300. Specifically, when performing encrypted PCPrint, the network communication unit 103 acts as an IPPS or HTTPS server and performs encrypted communication using TLS with PC200 and PC300, which are IPPS or HTTPS clients.
[0026] The data storage unit 104 manages the storage of various data handled by the MFP100. Among the data stored and managed by this data storage unit 104 is setting value data that indicates various settings of the MFP100. This setting value data includes a TLS version 1 enabled setting value that indicates whether TLS version 1 is enabled or disabled. This TLS version 1 enabled setting value is, for example, "1" or "0", where "1" indicates that TLS version 1 is enabled and "0" indicates that TLS version 1 is disabled.
[0027] In the MFP100, if TLS version 1 is enabled, either TLS version 1 or TLS version 2 can be used; if TLS version 1 is disabled, only TLS version 2 can be used. In the printing system 10, for example, the administrator of the MFP100 sets the TLS version 1 enabled setting of the MFP100 to either enable or disable it.
[0028] As will be explained in more detail later, the MFP100 is designed to temporarily allow TLS version 1 communication even when TLS version 1 is disabled. In this case, as shown in Figure 3, the data storage unit 104 stores and manages TLS version 1 permission information D0, which consists of identification information D1 of the PC (for example, the IP address of PC200) that is temporarily permitted to communicate using TLS version 1, and a timestamp D2 indicating the date and time when this identification information D1 was registered in the data storage unit 104 (i.e., the date and time when TLS version 1 communication was temporarily permitted).
[0029] The display and operation unit 105 is composed of, for example, a touch panel, and displays the status of the MFP100 to allow the user to check the status of the MFP100, and displays various menu screens to allow the user to check various functions and settings of the MFP100. The display and operation unit 105 also accepts operations to execute various functions and operations to change various settings. For example, the display and operation unit 105 displays the TLS version 1 enabled setting value mentioned above, and also accepts operations to change the TLS version 1 enabled setting value.
[0030] The encryption communication control unit 106 controls the network communication unit 103 via the control unit 108 and controls TLS communication with IPPS and HTTPS clients (i.e., PC200 and PC300). Specifically, when the encryption communication control unit 106 receives a TLS connection request from an IPPS or HTTPS client, it determines the TLS version to be used for communication and, if necessary, allows or disconnects the TLS communication.
[0031] The data generation unit 107 generates various types of data. For example, the data generation unit 107 generates PostScript format print data that can be processed by the printing unit 102 based on the information or strings to be printed. The control unit 108 controls each of the above-mentioned units. Alternatively, the control unit 108 may be given the functionality of the encrypted communication control unit 106, so that the encrypted communication control unit 106 is included in the control unit 108. The configuration of the MFP 100 is as described above.
[0032] [3. Printing System Operation] Next, we will explain the operation of the printing system 10. Here, as an example, we will explain the operation when performing encrypted PCPrint from PC200 to MFP100.
[0033] This section describes, in order, the behavior when performing encrypted PCPrint from PC200 to MFP100 when the TLS version 1 setting on MFP100 is disabled, and the behavior when performing encrypted PCPrint from PC200 to MFP100 when the TLS version 1 setting is enabled.
[0034] First, using the flowcharts shown in Figures 4 and 5, and the sequence chart shown in Figure 6, we will explain the operation when the TLS version 1 enabled setting of the MFP100 is disabled, and an encrypted PC print is performed from the PC200 to the MFP100.
[0035] Here, the flowcharts shown in Figures 4 and 5 represent the operation of the MFP100 when performing encrypted PCPrint, and the flowchart in Figure 5 is a flowchart that follows the flowchart in Figure 4. The sequence chart shown in Figure 6 represents the operation of the MFP100 and PC200 when performing encrypted PCPrint. Note that the operation of the MFP100 shown in Figures 4 to 6 is performed by the control unit 108 of the MFP100 controlling each part. The operation of the MFP100 shown in Figure 6 is a summary of the operation of the MFP100 shown in Figures 4 and 5.
[0036] As shown in Figures 4 to 6, the user of PC200 performs, for example, printing to MFP100 (i.e., encrypted PCPrint) from an application on PC200 (step SP201 in Figure 6). In response, PC200 sends a TLS connection request via IPPS to MFP100 (step SP202 in Figure 6). Since PC200 only supports TLS version 1, this connection request will be a TLS version 1 connection request.
[0037] Here, the network communication unit 103 of the MFP100 receives a TLS connection request via IPPS from the PC200 (step SP101 in Figure 4 (Figure 6)). When the encryption communication control unit 106 of the MFP100 confirms that it has received a TLS connection request via IPPS from the PC200 via the network communication unit 103, it obtains TLS version information indicating the TLS version of the received connection request and source information indicating the source of the received connection request from the network communication unit 103 (step SP102). Note that the TLS version information and source information are included in the received connection request, for example. The source information is, for example, an IP address (i.e., the IP address of the PC200).
[0038] Here, the encrypted communication control unit 106 determines whether the received connection request is a TLS version 1 connection request based on the acquired TLS version information (step SP103). Specifically, the encrypted communication control unit 106 determines, for example, that if the TLS version is 1.1 or lower, it is TLS version 1, and if the TLS version is 1.2 or higher, it is TLS version 2. In this case, since the connection request was received from PC200 which only supports TLS version 1, the encrypted communication control unit 106 determines that the connection request is a TLS version 1 connection request (YES in step SP103).
[0039] Next, the data storage unit 104 of the MFP100 reads out the TLS version 1 authorization information D0 (i.e., identification information D1 and timestamp D2) under the control of the control unit 108 (step SP104). Furthermore, the data storage unit 104 obtains the source information of the received connection request (i.e., the IP address of PC200) from the encrypted communication control unit 106 and determines whether this source information is different from the identification information (i.e., the IP address of the PC that is temporarily authorized to communicate using TLS version 1) D1 contained in the read TLS version 1 authorization information D0 (step SP105).
[0040] At this point, if the MFP100 has not authorized any PC to communicate using TLS version 1, then the TLS version 1 authorization information D0 does not exist. In this case, the data storage unit 104 determines that the source information and the identification information D1 contained in the TLS version 1 authorization information D0 are different (YES in step SP105).
[0041] At this point, the encrypted communication control unit 106 rejects the connection request from PC200 using TLS version 1 (i.e., rejects encrypted PCPrint using TLS version 1) by disconnecting communication with PC200, the source of the connection request (step SP106).
[0042] Next, the display / operation unit 105 displays the screen Sc1 shown in Figure 7 under the control of the control unit 108 (step SP107). This screen Sc1 notifies the user who attempted to print from PC200 to MFP100 (encrypted PCPrint) that MFP100 has received a print request (specifically a connection request) from PC200 using TLS version 1 with weak encryption strength, and allows the user to choose whether or not to temporarily allow printing from PC200 using TLS version 1 (encrypted PCPrint).
[0043] In other words, screen Sc1 displays message Ms1 indicating that MFP100 has received a print request from PC200 using TLS version 1, which has weak encryption strength; message Ms2 asking the user whether to temporarily allow printing from PC200 using TLS version 1; identification information (specifically, the IP address) D10 of PC200, the source of the print request; a "Yes" button Bt1 to select to temporarily allow printing using TLS version 1; and a "No" button Bt2 to select not to allow printing using TLS version 1.
[0044] After the user prints from PC200 to MFP100, they move to MFP100 and check screen Sc1 displayed on MFP100. This allows the user to understand that printing from PC200 uses TLS version 1, which has weak encryption strength. At this point, the user, for example, if the content they want to print from PC200 is not highly confidential, presses the "Yes" button Bt1 on screen Sc1 to temporarily allow printing using TLS version 1.
[0045] The display and operation unit 105 of the MFP100 obtains the user's selection result based on the user's operation on screen Sc1 (step SP108). Specifically, if the "Yes" button Bt1 is pressed, the display and operation unit 105 obtains that the selection result is to temporarily allow printing using TLS version 1, and if the "No" button Bt2 is pressed, the selection result is to not allow printing using TLS version 1.
[0046] Next, the data storage unit 104 determines from the acquired selection result whether or not it has been selected to temporarily allow printing using TLS version 1 (step SP109).
[0047] Here, as described above, if the user presses the "Yes" button Bt1, the data storage unit 104 determines from the acquired selection result that it has been selected to temporarily allow printing using TLS version 1 (YES in step SP109). At this time, in order to temporarily allow printing using TLS version 1 from PC200, the data storage unit 104 generates and stores TLS version 1 permission information D0, as shown in Figure 3, with the IP address of PC200 acquired as source information as identification information D1 and the current date and time as timestamp D2.
[0048] Furthermore, the TLS version 1 permission information D0 has an expiration date (e.g., 5 minutes), and after a certain period of time (e.g., 5 minutes) has elapsed from the date and time indicated by the timestamp D2, it is considered expired and deleted by the data storage unit 104. In this way, the MFP100 allows TLS version 1 printing from PC200 for a certain period of time after the user has selected to temporarily permit TLS version 1 printing. At this point, the operation of the MFP100 ends. If the user presses the "No" button Bt2, the data storage unit 104 determines that the user has selected not to permit TLS version 1 printing (NO in step SP109). In this case, the operation of the MFP100 ends without the TLS version 1 permission information D0 being stored.
[0049] At this point, the user who has chosen to temporarily allow printing from PC200 using TLS version 1 by pressing the "Yes" button Bt1 returns to PC200 and performs printing to MFP100 again (i.e., encrypted PCPrint) (step SP203 in Figure 6). Then, as before, PC200 sends a connection request to MFP100 using TLS version 1 (step SP204 in Figure 6).
[0050] At this point, the network communication unit 103 of the MFP100 receives another TLS connection request via IPPS from the PC200 (step SP101 in Figure 4 (Figure 6)). When the encryption communication control unit 106 of the MFP100 confirms that it has received a TLS connection request via IPPS from the PC200 via the network communication unit 103, it obtains TLS version information and source information from the network communication unit 103 (step SP102).
[0051] Here, the encrypted communication control unit 106 determines whether the received connection request is a TLS version 1 connection request based on the acquired TLS version information (step SP103). In this case as well, since the connection request was received from PC200 which only supports TLS version 1, the encrypted communication control unit 106 determines that the connection request is a TLS version 1 connection request (YES in step SP103).
[0052] Next, the data storage unit 104 of the MFP100 reads out the TLS version 1 authorization information D0 (i.e., identification information D1 and timestamp D2) under the control of the control unit 108 (step SP104). Furthermore, the data storage unit 104 obtains the source information of the received connection request (i.e., the IP address of PC200) from the encrypted communication control unit 106 and determines whether this source information is different from the identification information (i.e., the IP address of the PC that is temporarily authorized to communicate using TLS version 1) D1 contained in the read TLS version 1 authorization information D0 (step SP105).
[0053] At this time, MFP100 temporarily allows TLS version 1 communication from PC200, so the source information (PC200's IP address) and the identification information (PC200's IP address) included in TLS version 1 permission information D0 match. Therefore, in this case, the data storage unit 104 determines that the source information and the identification information D1 included in TLS version 1 permission information D0 match (NO in step SP105). However, if, for example, a connection request is received from PC300 instead of PC200, the source information (PC300's IP address) and the identification information (PC200's IP address) included in TLS version 1 permission information D0 are different, so the data storage unit 104 determines that the source information and the identification information D1 included in TLS version 1 permission information D0 are different (YES in step SP105).
[0054] If the source information matches the identification information D1 contained in the TLS version 1 authorization information D0, the control unit 108 of the MFP100 calculates the elapsed time since the TLS version 1 authorization information D0 was registered (i.e., since communication via TLS version 1 from PC200 was permitted) by taking the difference between the timestamp D2 contained in the TLS version 1 authorization information D0 and the timestamp indicating the current time. The control unit 108 then determines whether the calculated elapsed time exceeds a predetermined fixed time (for example, 5 minutes) (step SP111).
[0055] If the calculated elapsed time exceeds a certain period (YES in step SP111), this means that the TLS version 1 permission information D0 has expired, i.e., the temporary permission for communication using TLS version 1 is invalid. In this case, the control unit 108 controls the data storage unit 104 to delete the TLS version 1 permission information D0 (step SP112). After that, the MFP 100 performs the operations from step SP106 onwards as described above. In this case, an additional message indicating that the temporary permission for encrypted PCPrint has timed out may be displayed on screen Sc1.
[0056] On the other hand, if the calculated elapsed time does not exceed a certain period (NO in step SP111), this means that the TLS version 1 permission information D0 has not expired, that is, the temporary permission for communication using TLS version 1 is still valid. In this case, the encrypted communication control unit 106 of the MFP100 accepts the TLS connection request received from the PC200 via the network communication unit 103 and continues communication with the PC200 using TLS version 1.
[0057] At this point, PC200 accepts the TLS connection request and communication continues using TLS version 1, thereby sending print data to MFP100 (step SP205 in Figure 6). Note that the print data referred to here is the data for one print job.
[0058] Here, the network communication unit 103 of the MFP100 receives print data from the PC200 using IPPS TLS version 1 (step SP113). The print unit 102 acquires the print data received by the network communication unit 103 of the MFP100 and prints it (step SP114). Once printing is complete, the data storage unit 104 deletes the TLS version 1 permission information D0 under the control of the control unit 108 (step SP115). At this point, the operation of the MFP100 ends.
[0059] Thus, in the MFP100, when encrypted PCPrint using TLS version 1 is temporarily permitted, the temporary permission for encrypted PCPrint using TLS version 1 is disabled by deleting the TLS version 1 permission information D0 after the printing of one print job is completed. In other words, in the MFP100, when encrypted PCPrint using TLS version 1 is temporarily permitted, only one print job can be printed. The above describes the behavior when performing encrypted PCPrint from PC200 to MFP100 when the TLS version 1 enabled setting of MFP100 is disabled.
[0060] In this example, we have described the case where PC200 sends a TLS version 1 connection request to MFP100. However, it is also possible that PC200 supports TLS version 2 and sends a TLS version 2 connection request to MFP100. In this case, the encryption communication control unit 106 of MFP100 determines that the connection request is a TLS version 2 connection request (NO in step SP103), accepts the request, and continues communication with PC200 using TLS version 2, thereby performing encrypted PCPrint. In this case, there is no limit to the number of printable print jobs, and the TLS version 1 permission information D0 is not deleted after printing is complete.
[0061] Next, using the flowchart shown in Figure 8, we will explain the operation when the TLS version 1 setting of the MFP100 is enabled and encrypted PCPrint is performed from the PC200 to the MFP100. Here, the flowchart shown in Figure 8 represents the operation on the MFP100 side when encrypted PCPrint is performed, and this is carried out by the control unit 108 of the MFP100 controlling each part.
[0062] A PC200 user, for example, performs a print operation to the MFP100 (i.e., encrypted PCPrint) from an application on the PC200. In response, the PC200 sends a TLS connection request via IPPS to the MFP100. This connection request uses TLS version 1.
[0063] At this point, the network communication unit 103 of the MFP100 receives a TLS connection request via IPPS from the PC200 (step SP301). When the encryption communication control unit 106 of the MFP100 confirms that it has received a TLS connection request via IPPS from the PC200 via the network communication unit 103, it obtains the TLS version information of the received connection request from the network communication unit 103 (step SP302).
[0064] At this time, since the TLS version 1 enabled setting is enabled in the MFP100 (i.e., TLS version 1 is usable), the encryption communication control unit 106 immediately accepts the TLS connection request received from the PC200 via the network communication unit 103 and continues communication with the PC200 using TLS version 1. As a result, print data is sent from the PC200 to the MFP100, and the network communication unit 103 of the MFP100 receives this print data from the PC200 using IPPS TLS version 1 (step SP303).
[0065] Here, the data generation unit 107 of the MFP100, under the control of the control unit 108, obtains TLS version information from the encrypted communication control unit 106 and determines whether or not the current encrypted PCPrint is using TLS version 1 (step SP304). If the data generation unit 107 determines that the current encrypted PCPrint is using TLS version 1 (YES in step SP304), it generates print data with content (text) that indicates that the print was made using encrypted communication with weak encryption strength, such as "Printed using TLS version 1 with weak encryption strength."
[0066] Here, the printing unit 102 first acquires the print data generated by the data generation unit 107 and prints it (step SP305). Then, the printing unit 102 acquires the print data received by the network communication unit 103 and prints it (step SP306). At this point, the operation of the MFP 100 ends. In other words, in this case, the first page (i.e., the first sheet) will be printed with content that indicates that it was printed using encrypted communication with weak encryption strength, and the subsequent pages (i.e., the second sheet and onward) will be printed with content based on the print data received from the PC 200.
[0067] In response, if the data generation unit 107 determines that the current encrypted PCPrint is not based on TLS version 1 (i.e., it is based on TLS version 2) (NO in step SP304), the printing unit 102 acquires the print data received by the network communication unit 103 and performs printing (step SP306). At this point, the operation of the MFP 100 ends.
[0068] As described above, when the TLS version 1 setting is enabled on the MFP100, and encrypted PCPrint is performed from the PC200 using TLS version 1, the first page will be printed with content indicating that the print was made using weakly encrypted communication, and then subsequent pages will be printed with content based on the print data received from the PC200. This is how encrypted PCPrint is performed from the PC200 to the MFP100 when the TLS version 1 setting on the MFP100 is enabled.
[0069] [4. Summary and Effects] As described above, in this embodiment, the MFP100 as an image forming apparatus is provided with a network communication unit 103 as a communication unit that can communicate with an external device PC200 (PC300) using TLS version 1 as a first encrypted communication or TLS version 2 as a second encrypted communication with stronger encryption strength than TLS version 1; a printing unit 102 that performs printing based on print jobs received by the network communication unit 103; a data storage unit 104 as a storage unit that stores a TLS version 1 enabled setting value as setting information indicating whether or not to accept communication using TLS version 1; and a display / operation unit 105 as a display unit and operation unit.
[0070] Furthermore, when the MFP100 is in a state where the TLS version 1 enabled setting indicates that it will not accept communication via TLS version 1 (i.e., it is disabled), and the network communication unit 103 receives a print request (specifically a connection request) via TLS version 1 from the PC200, a screen Sc1 is displayed on the display / operation unit 105 to allow the user to choose whether or not to allow the print request via TLS version 1 from the PC200. If the user selects to allow the print request via TLS version 1 on the screen Sc1 via the display / operation unit 105, a control unit 108 is provided to control the network communication unit 103 to accept communication via TLS version 1 from the PC200.
[0071] Specifically, when the control unit 108 receives a print request via TLS version 1 from PC200 while the TLS version 1 enabled setting value indicates that it will not accept communication via TLS version 1, the control unit 108 temporarily rejects the print request via TLS version 1 by disconnecting communication with PC200. Subsequently, when the user selects to allow the print request via TLS version 1 from PC200 on the screen Sc1 displayed on the display / operation unit 105, the control unit 108 stores TLS version 1 permission information D0, indicating that the print request via TLS version 1 from PC200 is permitted, in the data storage unit 104.
[0072] Then, when the network communication unit 103 receives a print request from PC200 using TLS version 1, the control unit 108 accepts (permits) the TLS version 1 print request sent from PC200 based on the TLS version 1 permission information D0 stored in the data storage unit 104. As a result, the network communication unit 103 receives the print data (print job) sent from PC200, and the printing unit 102 performs the printing.
[0073] Thus, in this embodiment, even if the MFP100 is configured not to accept TLS version 1 communication, when it receives a print request via TLS version 1 from the PC200 as an external device, it can accept the TLS version 1 communication from the PC200 and perform printing only if the user performs an operation to authorize the print request. In this embodiment, the MFP100 can improve user convenience while ensuring security.
[0074] Furthermore, the MFP100 now displays a message Ms1 on screen Sc1 indicating that the MFP100 has received a print request from PC200 using TLS version 1 with weak encryption. This allows the user to know through screen Sc1 that they are being asked to print using weak encryption, and then, based on their own judgment, allow printing using weak encryption, such as when the print job is of low confidentiality.
[0075] Furthermore, in the MFP100, the control unit 108 is configured to allow printing only one print job received within a certain period of time after the user has selected to allow print requests using TLS version 1. In this way, the MFP100 ensures security by limiting the printable time and the number of print jobs after the user has selected to allow print requests using TLS version 1.
[0076] Furthermore, in the MFP100, the control unit 108 prints a message on the first page (i.e., immediately before printing the print job) indicating that the print job was printed using weakly encrypted communication, each time it prints a print job received from the PC200 via TLS version 1 communication. This allows the user to easily confirm that the printed document output from the MFP100 was printed using weakly encrypted communication.
[0077] [5. Other Embodiments] [5-1. Other Embodiments 1] In the embodiment described above, the control unit 108 of the MFP100, after the user selects to allow a print request using TLS version 1, allows printing according to predetermined conditions (i.e., only one print job received within a certain period of time). However, it is not limited to this; for example, the time limit may be removed from the predetermined conditions, and after the user selects to allow a print request using TLS version 1, printing may be allowed for only a predetermined number of print jobs (e.g., one).
[0078] Furthermore, the system is not limited to this; for example, it may remove the limit on the number of print jobs from the predetermined conditions and, after the user has chosen to allow print requests using TLS version 1, allow printing of all print jobs received within a certain period of time. Furthermore, the system is not limited to this; for example, it may remove both the time limit and the limit on the number of print jobs and, for example, after the user has chosen to allow print requests using TLS version 1 from PC200, allow printing of print jobs received from PC200 until a print request is received from another PC300.
[0079] Furthermore, the control unit 108 may, for example, receive a print job from PC200 and then receive another print job from PC200 within a predetermined time (for example, within 1 minute), assume that the user is attempting to print multiple print jobs consecutively. In this case, even if a certain amount of time has passed since the user selected to allow print requests using TLS version 1, the control unit 108 may allow printing of the next print job. This improves convenience, for example, when printing multiple print jobs consecutively, as the user does not need to allow print requests for each print job on screen Sc1.
[0080] Furthermore, in the embodiment described above, the control unit 108 of the MFP100 calculates the elapsed time since the user selected to allow the TLS version 1 print request by comparing the timestamp D2 when the TLS version 1 permission information D0 is stored in the data storage unit 104 when the user selects to allow the TLS version 1 print request with the timestamp when the PC200 receives the TLS version 1 print request again. If this elapsed time exceeds a certain period, the control unit rejects the print request and deletes the TLS version 1 permission information D0.
[0081] The control unit 108 of the MFP100 may, after the user selects to allow a print request using TLS version 1, measure the elapsed time using a timer and delete the TLS version 1 permission information D0 when the elapsed time reaches a certain period. In this case, the MFP100 will return to a state where it does not accept print requests using TLS version 1 when it deletes the TLS version 1 permission information D0.
[0082] [5-2. Other Embodiments 2] Furthermore, in the embodiments described above, IPPS TLS was used for the first and second encrypted communications, but the invention is not limited to these; HTTPS TLS may be used, or other types of encrypted communications may be used.
[0083] Furthermore, in the embodiment described above, the MFP100 disables TLS version 1, which has weaker encryption strength, thereby making it impossible to use TLS version 1 (i.e., only TLS version 2 is available). However, the MFP100 is not limited to this, and it is sufficient if it supports multiple encrypted communications and allows disabling of the one with weaker encryption strength. Here, multiple encrypted communications may be the same type of encrypted communication but with different versions, such as TLS version 1 and TLS version 2, or they may be different types of encrypted communications.
[0084] [5-3. Other Embodiments 3] Furthermore, in the embodiment described above, when TLS version 1 is enabled on the MFP100 and encrypted PCPrint is performed from the PC200 to the MFP100, the first page (i.e., immediately before printing the print job) is printed with content indicating that the print job was printed using encrypted communication with weak encryption strength. However, this is not the only option; for example, the same content could be printed on the last page (i.e., immediately after printing the print job), or the same content could be printed in the headers or footers of each page.
[0085] Furthermore, in the embodiment described above, each time a print job is printed, content indicating that the print job was printed using weakly encrypted communication is printed along with the print job. However, this is not the only option; for example, the content indicating that the print job was printed using weakly encrypted communication may be printed at intervals rather than every time, such as after printing a predetermined number of print jobs received from the same PC.
[0086] Similarly, when TLS version 1 is disabled on the MFP100, and the user selects to allow print requests using TLS version 1, encrypted PCPrint may also be configured to print content on the first page or elsewhere indicating that the print job was done using weakly encrypted communication.
[0087] [5-4. Other Embodiments 4] Furthermore, in the embodiment described above, when the control unit 108 of the MFP100 receives a print request via TLS version 1 from the PC200 while the TLS version 1 enabled setting value indicates that it will not accept communication via TLS version 1, it temporarily rejects the print request via TLS version 1 by disconnecting communication with the PC200. Subsequently, when the user selects to allow the print request via TLS version 1 from the PC200 on screen Sc1, and the MFP100 receives another print request via TLS version 1 from the PC200, it accepts it and receives the print data from the PC200.
[0088] In addition to this, if the control unit 108 of the MFP100 receives a print request via TLS version 1 from the PC200 while the TLS version 1 enabled setting indicates that it will not accept communication via TLS version 1, it will put the request on hold. At this time, the PC200 will continue to send print requests at regular intervals (retries). Subsequently, when the user selects to allow the TLS version 1 print request from the PC200 on screen Sc1, the control unit 108 of the MFP100 may accept the held print request and receive the print data from the PC200. This improves convenience because the user does not need to return to the PC200 and perform the print again after selecting to allow the TLS version 1 print request from the PC200 on the MFP100's screen Sc1.
[0089] [5-5. Other Embodiments 5] Furthermore, in the embodiment described above, the MFP100 notifies the user that it has received a print request (specifically a connection request) from the PC200 using TLS version 1 with weak encryption strength, and displays a screen Sc1 on the display / operation unit 105 of the MFP100 to allow the user to choose whether or not to temporarily permit printing from the PC200 using TLS version 1 (encrypted PCPrint).
[0090] The control unit 108 of the MFP100 may, via the network communication unit 103, transmit the data of this screen Sc1 to an information processing terminal, such as a smartphone, connected to NET400, and display it on the information processing terminal. In this case, when the user selects whether or not to temporarily allow printing from PC200 using TLS version 1 (encrypted PCPrint) on screen Sc1 displayed on the information processing terminal, the selection result is transmitted from the information processing terminal to the MFP100.
[0091] In this case, the control unit 108 of the MFP100 transmits the data for screen Sc1 to the IP address of the information processing terminal that has been previously registered in the data storage unit 104. Alternatively, the data storage unit 104 may be configured to have the IP address of the PC200 and the IP address of the information processing terminal linked together, and when it receives a print request (specifically a connection request) from the PC200 using TLS version 1 with weak encryption strength, it may transmit the data for screen Sc1 to the IP address of the information processing terminal that is linked to the IP address of the PC200.
[0092] [5-6. Other Embodiments 6] Furthermore, although the present invention was applied to the MFP100, a multifunction device, in the above-described embodiment, it is not limited to this and can also be applied to other image forming devices (e.g., printers) that have printing capabilities.
[0093] [5-7. Other Embodiments 7] Furthermore, the present invention is not limited to the embodiments described above. That is, the scope of the present invention extends to embodiments that arbitrarily combine some or all of the embodiments described above, as well as embodiments that differ in some respects. [Industrial applicability]
[0094] This invention can be widely used in image forming devices such as printers and multifunction devices that support multiple encrypted communications. [Explanation of Symbols]
[0095] 10...Printing system, 100...MFP, 101...Image reading unit, 102...Printing unit, 103...Network communication unit, 104...Data storage unit, 105...Display / operation unit, 106...Encrypted communication control unit, 107...Data generation unit, 108...Control unit, D0...TLS version 1 permission information, D1...Identification information, D2...Timestamp, Sc1...Screen, Ms1, Ms2...Message, D10...Identification information of the print requester (IP address), Bt1..."Yes" button, Bt2..."No" button.
Claims
1. A communication unit capable of communicating with an external device using either a first encrypted communication or a second encrypted communication having stronger encryption than the first encrypted communication, A printing unit that performs printing based on a print job received by the communication unit, A storage unit that stores setting information indicating whether or not the communication unit accepts the first encrypted communication, Display unit and Control panel and When the setting information indicates that the first encrypted communication is not accepted, and the communication unit receives a print request via the first encrypted communication from the external device, the control unit displays a screen on the display unit for the user to choose whether or not to allow the print request via the first encrypted communication from the external device, and when the user selects to allow the print request via the first encrypted communication via the operation unit, the control unit controls the communication unit to accept the first encrypted communication from the external device. An image forming apparatus characterized by comprising:
2. The control unit, After the user selects to authorize the print request via the first encrypted communication through the operation unit, the communication unit is controlled to receive the print job transmitted from the external device via the first encrypted communication according to predetermined conditions. The image forming apparatus according to feature 1.
3. The aforementioned predetermined conditions are: This involves receiving print jobs that have been sent within a certain time period. The image forming apparatus according to feature 2.
4. The aforementioned predetermined conditions are: This means receiving only one print job. The image forming apparatus according to feature 2.
5. The aforementioned predetermined conditions are: This means receiving only one print job that has been sent within a certain time period. The image forming apparatus according to feature 2.
6. The aforementioned screen shows: A message is displayed indicating that a print request has been received from the external device using the first encrypted communication with weak encryption strength. The image forming apparatus according to feature 1.
7. The system further comprises a data generation unit that generates print data indicating that the print was made using the first encrypted communication with weak encryption strength, The control unit, When receiving and printing a print job transmitted from the external device via the first encrypted communication, the printing unit is controlled to print the print data generated by the data generation unit along with the print job. The image forming apparatus according to feature 1.
8. The control unit, When receiving and printing a print job transmitted from the external device via the first encrypted communication, the printing unit is controlled to print the print data generated by the data generation unit immediately before or after printing the print job. The image forming apparatus according to feature 7.
9. A communication control method for an image forming apparatus, comprising: a communication unit capable of communicating with an external device using either a first encrypted communication or a second encrypted communication having stronger encryption strength than the first encrypted communication; a printing unit that performs printing based on a print job received by the communication unit; and a storage unit that stores setting information indicating whether or not the communication unit accepts the first encrypted communication. When the setting information indicates that the first encrypted communication is not accepted, and the communication unit receives a print request via the first encrypted communication from the external device, the control unit displays a screen on the display unit for the user to choose whether or not to allow the print request via the first encrypted communication from the external device. If the user selects to allow the print request via the first encrypted communication via the operation unit, the control unit controls the communication unit to accept the first encrypted communication from the external device. A communication control method characterized by the following: