1. Field of the Invention
The present invention is directed to an arrangement and method for modifying the functionality of a security module.
2. Description of the Prior Art
Security modules operate in a potentially unfriendly environment in products representing different functionalities, such as automatic teller machines, automatic transport ticket machines, cash registers, electronic purses, computers for personal use (laptops, notebooks, organizers), cell phones and devices that combine several of these products. The assemblies are cast with a casting compound. A postal security module is used in a postage meter machine or mail processing machine or a computer with mail-processing function (PC frankers).
European Application 417 447 discloses the use of special modules in electronic data processing systems that are equipped with means for protecting against a break-in into their electronics. Such modules are included among security modules as that term is used herein.
Modern postage meter machines or other devices for franking postal matter are equipped with a printer for printing the postage stamp onto the postal matter, a controller for controlling the printing and the peripheral components of the postage meter machine, an accounting unit for debiting postage fees that are maintained in non-volatile memories, and a unit for cryptographically protecting the postage fee data. A security module (European Application 789 333) can have a hardware accounting unit and/or a unit for protecting the printing of the postage fee data. For example, the former can be realized as an ASIC (application specific integrated circuit) and the latter can be realized as an OTP (one-time programmable) processor. An internal OTP processor stores sensitive data (cryptographic keys) in a manner protected against readout. Such data, for example, are required for replenishing a credit. An encapsulation with a security housing offers further protection.
Further measures for the protection of a security module against intrusion are disclosed in German OS 198 16 572, German OS 198 16 571, European Application 1 035 516 (corresponding to co-pending U.S. application Ser. No. 09/522,621), European Application 1 035 517, European Application 1 035 518 (corresponding to co-pending U.S. application Ser. No. 09/522,619, filed Mar. 10, 2000), European Application 1 035 513 (corresponding to co-pending U.S. application Ser. No. 09/524,118, filed Mar. 13, 200), and German Utility Model 200 20 635 (corresponding to co-pending U.S. application Ser. No. 10/007,899, filed Nov. 5, 2001).
The various techniques that have been conventionally employed, such as encapsulation with a secure housing and the use of various event detectors that can cause the security module to erase security-relevant data (European Application 1 035 518 and German OS 200 20 635), can only offer dependable protection against manipulation for the one particular functionality for which the security module is designed.
U.S. Pat. No. 4,528,644 discloses a method for customer-specific setting of the firmware of an electronic postage meter machine after the assembly thereof, whereby an input configuration message is stored in a non-volatile memory that cooperates with the operating program in order to adapt the postage meter machine to the customer's wishes. Further access to the configuration data is prevented after the end of the configuration. Outside the secure environment at the manufacturer, however, it is difficult to provide dependable protection against manipulation. Therefore, no security-relevant program data for achieving a different application functionality are installed outside the secure environment at the manufacturer.
Memories referred to as flash-EEPROMs are utilized as program memories in modern postal devices. These allow sector-by-sector erasure and storage of data as well as byte-by-byte insertion of individual data into a memory area (sector). European Application 724 141 discloses a method for the input of data into a scale, whereby the appertaining memory areas in the flash-EEPROM of the scale are erased before a reprogramming is undertaken in order, for example, to at least partially modify a postage rate table. The data, which are preferably loaded via the modem of a postage meter machine, for example JetMail®, are stored in compressed form in the flash-EEPROM and are decompressed before use and stored in a separate application memory. A programmable security means is also provided in the scale that prevents an unauthorized erasure of data blocks in the flash-EEPROM memory areas. Sub-image datafiles and a control datafile are defined for the postage meter machine, which are downloaded into the memory of the postage meter machine from a data center together with the data intended for the scale. In addition to a dataset that, among other things, contains version information, the processing status is stored in order to preserve in non-volatile form the program status that was achieved prior to a program abort. However, no security-relevant program data are stored in the postage meter machine or in the scale.
An electronic device with flash memory and a method for reprogramming the flash program memory are disclosed in European Application 788 115. The programming of the flash program memory module ensues by processing a sub-program contained in a memory bank for this purpose, with the appertaining memory areas of the respectively other memory bank being erased before a reprogramming is undertaken. The program is usually longer or shorter than the free memory sector created by the erasure, so the memory space cannot be fully utilized. In addition to this limitation with respect to the complete utilization of the memory space, such a component is more expensive than a comparable component without multiple memory banks. Whether the reprogramming has been completed is determined by checking a checksum. It thus cannot be precluded that the device was reprogrammed with manipulated data.
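The checksum check described above confirms that a write completed, not that the written program is the genuine one. The following Python is an added illustration, not code from the cited application: it compares an unkeyed CRC check with a keyed MAC check over a constructed program image, using an assumed, placeholder module key.

```python
import hmac
import hashlib
import zlib

# Constructed sample "program image" as it would be written into a memory bank.
FIRMWARE = b"POSTAGE-METER-APP v1.0\x00" + bytes(range(64))

# Assumed key held inside the security module (placeholder, not a real value).
MODULE_KEY = b"example-module-key-not-real"


def image_checksum(image: bytes) -> int:
    """Unkeyed 32-bit CRC: detects accidental corruption or an aborted write only."""
    return zlib.crc32(image) & 0xFFFFFFFF


def image_mac(image: bytes, key: bytes) -> bytes:
    """Keyed HMAC-SHA256: a matching value cannot be produced without the key."""
    return hmac.new(key, image, hashlib.sha256).digest()


def checksum_accepts(image: bytes, expected_checksum: int) -> bool:
    return image_checksum(image) == expected_checksum


def mac_accepts(image: bytes, expected_mac: bytes, key: bytes) -> bool:
    return hmac.compare_digest(image_mac(image, key), expected_mac)


def modify(image: bytes) -> bytes:
    """Constructed substitution of program content (one byte in the data area)."""
    data = bytearray(image)
    data[30] ^= 0xFF
    return bytes(data)


def demo() -> dict:
    # Manufacturer side: values that accompany the genuine image.
    good_checksum = image_checksum(FIRMWARE)
    good_mac = image_mac(FIRMWARE, MODULE_KEY)

    modified = modify(FIRMWARE)
    # Whoever can write the bank can also supply a fresh unkeyed checksum,
    # so the device-side checksum check passes for the modified image too.
    modified_checksum_ok = checksum_accepts(modified, image_checksum(modified))
    # The MAC that was issued for the genuine image does not cover the
    # modified image, and a new one requires MODULE_KEY.
    modified_mac_ok = mac_accepts(modified, good_mac, MODULE_KEY)
    return {
        "genuine_checksum_ok": checksum_accepts(FIRMWARE, good_checksum),
        "genuine_mac_ok": mac_accepts(FIRMWARE, good_mac, MODULE_KEY),
        "modified_checksum_ok": modified_checksum_ok,
        "modified_mac_ok": modified_mac_ok,
    }
```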
Reprogrammable memory components (FLASH or EEPROM) can also be utilized for a function-specific program storage in postal security modules. The programming of these components can be undertaken by the manufacturer in a known way using various methods:
(a) programming of a program component with a programming adapter before the installation into the security module;
(b) programming of the program module by processing a sub-program contained in a memory bank of the program component for this purpose.
Compared to the second method, the first method has the disadvantage that a faulty program cannot be replaced. The second method disadvantageously requires a module that has at least two different memory banks, which makes it more expensive given the aforementioned limitations on the use of the memory space. Special demands are made of postal security modules with respect to the replacement and the expandability of functions. The programming of the aforementioned program modules must not be capable of being carried out at arbitrary times and, in particular, not by every operator.