Embedded Files
Pull printing is the set of technologies and processes that allow print jobs to be released according to specific conditions; typically user authentication and proximity to a printer. We developed an open-source pull printing infrastructure based on Google CloudPrint that leverages the OpenID Connect protocol and the electronic IDentity (eID) card to protect users prints with a second-factor authentication. Our goal is to prevent print-related data breaches and tackle the challenges that hinder the widespread adoption of more secure printing solutions: costs and user experience.
Our prototype implementation based on the Italian eID is available under license Apache-2.0 on GitHub.
Architecture
Architecture
In order to provide an open, flexible and secure pull printing service for enterprises, we decided to extend Google CloudPrint capabilities with a multi-platform, printer-agnostic system that authenticates employees on a mobile application via OpenID Connect; in case of sensitive documents, a second-factor authentication is performed with an eID card.
Figure 1 provides a high-level view of the architecture. The enterprise is represented as a set of employees with their eID cards and workstations, an IT administrator in charge of the pull printing service, the enterprise printers and all the components that orchestrate our solution:
- Mobile Devices: phone or tablet that will be used by employees to authenticate with their enterprise credentials, select and release print jobs on specific printers. All the functionalities are provided by the Print Releaser mobile application; if printing sensitive data, the ID Authenticator mobile app will also be used to support the second-factor authentication leveraging OIDC and the use of eID cards.
- Print Endpoint: a virtual appliance with a NodeJS Print Server (the backend of the service) and a Virtual Printer that queues employees print jobs.
- Enterprise and Google Authentication Servers: both supporting the OIDC protocol. The enterprise server has an additional module to support the second-factor authentication via the eID card.
- Google CloudPrint: configured with the enterprise physical printers and the Virtual Printer.
Workflow
Workflow
Once the pull printing service is deployed and operating in the enterprise, enrolled employees can use the service to print sensitive data as reported in Figure 2; a lock is shown in the figure when the employee needs to be authenticated to perform the corresponding operation.
Initially (Step 1), the employee needs to authenticate with his enterprise credentials on a Google Suite service (e.g., Docs) or, if not already, in his CloudPrint installation; then, select one or more document to print and the Virtual Printer as printing device. Google CloudPrint will send the print job(s) and the employee enterprise account email to the print endpoint (Step 2); there, documents are queued.
When the employee moves to the selected printer in the enterprise, he needs to (Step 3):
- Open Print Releaser and authenticate (if not already);
- Select one or more print jobs to release and thick the box indicating sensitive data;
- Point the QR code attached to the printer with the device camera and confirm the printer via the popup notification of its image (see Figure 3).
- Perform the second-factor authentication with the ID Authenticator application and the eID card: insert the security PIN and hold the card near the device NFC sensor when requested by ID Authenticator.
Finally, the enterprise printer will receive and print the documents (Step 4). The Print Releaser will notify the status to the employee.
Deployment
Deployment
- To operate the pull printing service, the enterprise needs to employ the Google Suite platform to handle employees accounts. This is a typical choice in enterprises that do not have the expertise or the means to host an email server and, in addition, it will automatically grant employees the access to the Google CloudPrint service.
- The enterprise needs also to operate an OIDC server with a module that supports the second-factor authentication via eID cards.
- Finally, an IT administrator needs to deploy the Print Server on a host reachable from the enterprise network and configure the mobile applications in the Google developers console at https://console.developers.google.com.
- We created a tutorial to guide the administrator in the creation of a Virtual Printer with CUPS (an open- source printing system developed by Apple Inc.) and its configuration in Google CloudPrint.
Who we are
Who we are
Matteo Leonelli
JuniorResearcher@Security&Trust - Fondazione Bruno Kessler, Trento, Italy leonelli@fbk.eu
Umberto Morelli
Collaborator@Security&Trust - Fondazione Bruno Kessler, Trento, Italy umorelli@fbk.eu
Giada Sciarretta
Researcher@Security&Trust - Fondazione Bruno Kessler, Trento, Italy giada.sciarretta@fbk.eu
Silvio Ranise
Head of Security&Trust @ Fondazione Bruno Kessler, Trento, Italy ranise@fbk.euPage updated
Report abuse