The digital-signature-based postage metering systems proposed by various postal systems, e.g. those based on the Information-based Indicia (IBI) Program being developed by the United States Postal Service, have placed a premium on the protection of cryptographic keys. (See, e.g. draft PERFORMANCE CRITERIA FOR INFORMATION-BASED INDICIA AND SECURITY ARCHITECTURE FOR OPEN IBI POSTAGE EVIDENCING SYSTEMS, dated Feb. 23, 2000, by the United States Postal Service.) A compromise of these keys allows an attacker to produce indicia that verify cryptographically, but have not been paid for. A sophisticated attacker could perpetrate a significant amount of fraud before being detected. To guard against such fraud, the proposed digital-signature-based postage metering systems often include the requirement that meters be physically secure against sophisticated attacks, such as physical penetration or differential power analysis, leading to increased meter cost.
But despite such precautions, there is a basic flaw in digital-signature-based postage systems not addressed by the requirements now under consideration: a meter contains the secret information, including cryptographic keys, used to authenticate all transactions (including imprinting postage on a mailpiece), and a meter owner has no stake in protecting the secret information. More importantly, a dishonest owner of a meter has every incentive to determine the cryptographic keys stored in the meter. In other words, digital-signature-based postage metering systems place the information needed to guard against fraud in the least secure environment: the meter, located at the customer site. In recognition of the flaw, postal systems have considered various stringent meter security requirements, which increase the cost of using a meter.
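To make the flaw described above concrete, the following is an added illustration (not part of the patent text, and not the USPS IBI specification): a toy digital-signature indicium scheme in which the meter at the customer site holds the only signing key. The RSA parameters, meter serial, field names and register layout are all constructed for the example; the primes are deliberately tiny so it runs instantly and must not be read as a secure construction. The point it shows is that a verifier holding only the public key cannot tell an indicium that debited the meter's funds from one produced directly with the same key, so the only way to notice the loss is an out-of-band reconciliation of printed postage against funds actually purchased.

```python
import hashlib
import json

# Toy RSA parameters (constructed for this example; far too small for real use).
P, Q, E = 104729, 1299709, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
METER_PRIVATE_KEY = (N, D)   # stored inside the meter, i.e. at the customer site
METER_PUBLIC_KEY = (N, E)    # what the postal verifier holds


def _digest(fields: dict) -> int:
    """Canonical SHA-256 of the indicium fields, reduced into the toy RSA modulus."""
    data = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign_fields(private_key, fields: dict) -> int:
    n, d = private_key
    return pow(_digest(fields), d, n)


def verify_indicium(public_key, indicium: dict) -> bool:
    """Signature check only: this is all an offline verifier can do."""
    n, e = public_key
    fields = {k: v for k, v in indicium.items() if k != "signature"}
    return pow(indicium["signature"], e, n) == _digest(fields)


class Meter:
    """Holds the signing key plus a descending (prepaid) and ascending (printed) register."""

    def __init__(self, serial: str, private_key, prepaid_cents: int):
        self.serial = serial
        self._key = private_key
        self.descending = prepaid_cents
        self.ascending = 0
        self.piece_count = 0

    def imprint(self, postage_cents: int, destination_zip: str) -> dict:
        """Honest path: funds are debited before the indicium is signed."""
        if postage_cents > self.descending:
            raise ValueError("insufficient prepaid funds")
        self.descending -= postage_cents
        self.ascending += postage_cents
        self.piece_count += 1
        fields = {
            "serial": self.serial,
            "piece": self.piece_count,
            "postage_cents": postage_cents,
            "destination_zip": destination_zip,
        }
        return {**fields, "signature": sign_fields(self._key, fields)}


def indicium_from_compromised_key(private_key, serial, postage_cents, destination_zip, piece):
    """Threat model from the text: whoever holds the meter's key can sign
    an indicium without any register being debited. Nothing in the
    resulting indicium distinguishes it from Meter.imprint() output."""
    fields = {
        "serial": serial,
        "piece": piece,
        "postage_cents": postage_cents,
        "destination_zip": destination_zip,
    }
    return {**fields, "signature": sign_fields(private_key, fields)}


def reconcile(observed_indicia, funds_purchased_cents: int) -> int:
    """Defender-side check that does not rely on the meter's key: postage seen
    in the mail stream versus funds actually bought for that serial.
    Returns the shortfall in cents (0 when everything observed was paid for)."""
    printed = sum(i["postage_cents"] for i in observed_indicia)
    return max(0, printed - funds_purchased_cents)


if __name__ == "__main__":
    meter = Meter("TOY-0001", METER_PRIVATE_KEY, prepaid_cents=100)
    paid = meter.imprint(55, "10001")
    unpaid = indicium_from_compromised_key(METER_PRIVATE_KEY, "TOY-0001", 55, "10001", 2)
    print("paid verifies:  ", verify_indicium(METER_PUBLIC_KEY, paid))
    print("unpaid verifies:", verify_indicium(METER_PUBLIC_KEY, unpaid))
    print("shortfall (cents):", reconcile([paid, unpaid], 100))
```

Both indicia pass `verify_indicium`, which is exactly the situation the text describes; the fraud surfaces only in `reconcile`, a check that has to be run by the postal authority against its own funds ledger rather than by trusting anything the meter reports. That is the asymmetry a design should avoid: the secret that authenticates every transaction sits entirely in the one device its owner has an incentive to open.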
What is needed is a system that does not store in a meter all of the secret information used to authenticate transactions using the meter.