Postage metering systems have been developed which employ cryptographically secured information that is printed on a mailpiece as part of an indicium evidencing postage payment. The cryptographically secured information includes a postage value for the mailpiece combined with other postal data that relate to the mailpiece and the postage meter printing the indicium. The cryptographically secured information, typically referred to as a digital token or a digital signature, authenticates and protects the integrity of information, including the postage value, imprinted on the mailpiece for later verification of postage payment. Since the digital token incorporates cryptographically secured information relating to the evidencing of postage payment, altering the printed information in an indicium is detectable by standard verification procedures.
Presently, postage metering systems are recognized as either closed or open system devices. In a closed system device, the printer functionality is solely dedicated to metering activity. Examples of closed system metering devices include conventional digital and analog postage meters wherein a dedicated printer is securely coupled to a metering or accounting function device. In a closed system device, since the printer is securely coupled and dedicated to the meter, printing cannot take place without accounting. In an open system device, the printer is not dedicated to the metering activity. This frees the system and printer functionality for multiple and diverse uses in addition to the metering activity. Examples of open system metering devices include personal computer (PC) based devices with single/multi-tasking operating systems, multi-user applications and digital printers. An open system metering device includes a non-dedicated printer that is not securely coupled to a secure accounting module. An open system indicium printed by the non-dedicated printer is made secure by including addressee information in the encrypted evidence of postage printed on the mailpiece for subsequent verification.
The United States Postal Service (“USPS”) has approved personal computer (PC) postage metering systems as part of the USPS Information-Based Indicia Program (“IBIP”). The IBIP is a distributed trusted system, a PC-based metering system meant to augment existing postage meters with a new form of evidence of postage payment known as information-based indicia. The program relies on digital signature techniques to produce for each mailpiece an indicium whose origin can be authenticated and whose content cannot be modified. The IBIP requires printing a large, high density, two-dimensional (“2D”) bar code on a mailpiece. The 2D bar code, which encodes information, includes a digital signature. A published draft specification, entitled “IBIP PERFORMANCE CRITERIA FOR INFORMATION-BASED INDICIA AND SECURITY ARCHITECTURE FOR OPEN IBI POSTAGE METERING SYSTEMS (PCIBI-O),” dated Apr. 26, 1999, defines the proposed requirements for a new indicium that will be applied to mail being created using IBIP. This specification also defines the proposed requirements for a Postal Security Device (“PSD”) and a host system element (personal computer) of the IBIP. A PSD is a secure processor-based accounting device that is coupled to a personal computer to dispense and account for postage value stored therein to support the creation of a new “information-based” postage postmark or indicium that will be applied to mail being processed using IBIP.
In conventional closed system mechanical and electronic postage meters, a secure link is required between printing and accounting functions. For postage meters configured with printing and accounting functions performed in a single, secure box, the integrity of the secure box is monitored by periodic inspections of the meters. More recently, digital printing postage meters typically include a digital printer coupled to a PSD, and have removed the need for physical inspection by cryptographically securing the link between the accounting and printing mechanisms. In essence, new digital printing postage meters create a secure point-to-point communication link between the PSD and print head.
FIG. 1 illustrates in block diagram form a conventional closed system postage meter 10 comprising an accounting device 12 coupled to a printer 14 via a cable 16. Accounting device 12 includes a PSD 20 inside a secure enclosure 22. Printer 14 includes a printer driver 24 coupled to a printhead 26 inside a secure enclosure 28.
There are problems, however, with conventional closed system postage meters. The link between the accounting device 12 and printer 14, i.e., cable 16, is vulnerable to attack. This link must be protected to deter an attacker from fraudulently driving the printer 14 and printing indicia for which payment has not actually been accounted for by PSD 20. Typically, there are three main attacks that must be protected against: (i) an attacker disconnecting the PSD 20 and directly driving the printer 14, (ii) an attacker recording the data communicated to the printer 14 by the PSD 20 and replaying the data to the same or another printer at a later time, and (iii) an attacker recording data communicated to the printer 14 from the PSD 20 and replaying it to another printer at the same time as it is sent to printer 14, also known as parallel printing.
In conventional closed meter systems, the link between the accounting device 12 and printer 14 has been either physically or cryptographically secured. Physical protection of the link is difficult to achieve, especially for meters in which the printhead 26 moves. Full protection of the link requires cryptographically securing the data. This is typically accomplished by fully encrypting the data, utilizing digital signatures, and/or utilizing message authentication codes (MACs). However, this requires significant computations to be performed on both sides of the link, i.e., at the PSD 20 and printer driver 24. As a result, costly cryptographic hardware must be employed, performance of the system must be decreased, or both.
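The following is an added example, not part of the original text and not any particular meter's protocol: a Python sketch of a MAC-protected link between the PSD and the printer, checked against the three attacks listed above. The challenge-response nonce, the shared key, and the class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class PSD:
    """Accounting side: debits postage, then authenticates the print data."""
    def __init__(self, key, funds_cents):
        self.key, self.funds = key, funds_cents

    def authorize(self, nonce, postage_cents, print_data):
        if postage_cents > self.funds:
            raise ValueError("insufficient funds")
        self.funds -= postage_cents  # account before releasing anything
        tag = hmac.new(self.key, nonce + print_data, hashlib.sha256).digest()
        return print_data, tag

class Printer:
    """Printer driver side: prints only data bound to its own fresh nonce."""
    def __init__(self, key):
        self.key, self.pending = key, None

    def challenge(self):
        self.pending = secrets.token_bytes(16)  # fixed length, single use
        return self.pending

    def print_indicium(self, print_data, tag):
        nonce, self.pending = self.pending, None  # consume the nonce
        if nonce is None:
            return False
        expected = hmac.new(self.key, nonce + print_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

def demo():
    key = secrets.token_bytes(32)  # constructed key shared by PSD and printers
    psd, printer_a, printer_b = PSD(key, 1000), Printer(key), Printer(key)
    data = b"INDICIUM $0.55"       # constructed sample print data
    recorded = psd.authorize(printer_a.challenge(), 55, data)
    results = {"legitimate": printer_a.print_indicium(*recorded)}
    # (i) PSD disconnected: data arrives without a tag made with the key
    printer_a.challenge()
    results["direct_drive"] = printer_a.print_indicium(data, bytes(32))
    # (ii) recorded message replayed later: tag is bound to a spent nonce
    printer_a.challenge()
    results["replay"] = printer_a.print_indicium(*recorded)
    # (iii) parallel printing: second printer issued a different nonce
    printer_b.challenge()
    results["parallel"] = printer_b.print_indicium(*recorded)
    results["funds_left"] = psd.funds
    return results

if __name__ == "__main__":
    print(demo())
```

Each print costs one HMAC computation at the PSD and one at the printer driver, which is the per-message work on both sides of the link that the paragraph above identifies as the cost of this approach.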
Thus, there exists a need for a closed system postage meter that effectively secures the link between the PSD and printer and that is both cost efficient and easy to implement.