1. Field of the Invention
The present invention is directed to a mail processing system with a printing machine base controlled via a personal computer of the type having a number of personal computer components in communication with each other via a personal computer system bus, and the printing machine base including a printing station for purely electronic printing in which a printhead is connected to printhead control electronics.
2. Description of the Prior Art
A system of the above type is suitable for processing filled letters of different formats given medium through high shipping quantities. The basic structure composed of the two components, personal computer and machine base station, enables economical adaptation to different customer demands. The system can be operated as a franking system, a shipping system or a postal matter valuation system for a number of carriers.
Letter production ensues at the personal computer in modern offices. The letters that are printed out are manually put in envelopes in the office or are automatically placed in envelopes with an envelope stuffing system. Beginning with a medium through higher number of letters to be sent, or other postal matter, postage meter machines are used in a standard way for franking the postal matter. For example, U.S. Pat. No. 4,746,234 is directed to a thermal transfer postage meter machine that is surrounded by a secured housing.
It is known to construct a franking system composed of individual components. U.S. Pat. No. 5,510,992 (Post N Mail) discloses a system that is composed of two components, namely a personal computer and an office printer. The postage is stored in hardware modules that are connected to the personal computer PC via a standard interface. A specific program that is stored on the PC-contained storage media (for example, hard disk) implements the postage calculation, reduces the stored amount of postage and generates the data for the franking imprint that are transmitted to the office printer. Except for the specific postage memory modules, this PC system manages without additional hardware components, however, it is affected by two deficiencies:
a) The use of an ordinary office printer only enables unfilled envelopes to be printed. Filled envelopes, with their varying letter thicknesses, cannot be drawn into an office printer. This disadvantage limits the application of such a system to the smallest quantities of letter pages. This solution cannot be utilized in a mail expediting office that is to prepare mail arriving centrally from various departments of a concern in a form ready for shipping.
b) The postage accounting program that is processed by the processor of the personal computer can be tampered with. The program can be modified such that it works like the original except for the reduction of the postage amount that is stored in the specific postage memory module. The customer would thus have no necessity of reloading the postage memory module in return for payment at the postal authority, whereas he can continue to provide his expedited mail with franking imprints in an unlimited fashion. Access to the postage accounting program is easily possible, for example by removing the hard disk. This could not even be documented since the programxe2x80x94in contrast to a conventional, electronic postage meter machinexe2x80x94is not in a tampered housing. The manipulated program can be stored in addition to the original program and would be normally run, except in the case of an inspection, when reversion to the original program is made. If the tampered program is also protected by a pass word, the tampering can hardly be detected at all.
A PC-supported franking device is disclosed in European Patent 459 159 that is protected better against manipulation. This solution is based on a specific franking module that is insertable into a slot of a personal computer and is connected to the internal information and power supply network of the personal computer. This franking module contains an independent processor system with postage memories as well as an integrated printing device for the franking of envelopes. By integrating the printing device, one succeeds in overcoming the general deficiency of a lack of security of the aforementioned PC franking system. The user prompting advantageously utilizes the resources of a personal computer, particularly the monitor, keyboard and operating system. Although this solution allows the processing of filled letters to a limited extent, it only allows small letter formats. The slot of the personal computer must also have a correspondingly suitable size (5xc2xcxe2x80x3) in order to accept the franking module, but this is assured with decreasing frequency due to the increasing miniaturization of modern personal computers. The manual supply of the envelope or of a postage tape is only suitable for mail processing on a small scope, i.e. for a low volume of mail. An automatic processing of stacked mail is already precluded due to the lack of a possibility of combination with an automatic letter separation unit. This solution is thus also only suitable for low letter volume.
According to U.S. Pat. No. Re. 31,875, a protected electronic meter is located between a computer and a protected printer, with the protected printer being connected to the meter via protective lines and protected connector parts. The user is not allowed to change the meter nor to open the protected line in order to expand the system. Such a system is not service-friendly.
U.S. Pat. No. 5,200,903 discloses a similar solution. A personal computer or a work station is connected via a multi-path cable to a peripheral postage meter machine that contains an accounting and control module (meter) and a printer both for printing the postage imprint as well as for printing the recipient address. A modem is connected to the personal computer. The personal computer functions as communication equipment and assumes the calculation of the respective postage fees for the individual shipped items on the basis of stored postage fee tables. The peripheral accounting module is relieved of this calculation-intensive and memory-intensive function. No additional scale has to be connected to the postage meter machine when the weight of the letter can be calculated by the personal computer on the basis of the letter contents. The accounting module of the postage meter machine includes a processor system with postage memories and undertakes the accounting. The directly connected control module controls the printing of address and postage imprint. Due to the protective housing, protected lines and protected connector parts between accounting module and printer can be foregone in this solution. Adequately good access to an individual components for a service, however, is still not established.
The low working speed of the overall system is disadvantageous in both of these aforementioned solutions. This speed is defined by the data transmission rate on the connection between the input/output port of the personal computer and that of the accounting module. For lack of a suitable base station for conveying postal matter, a fast, automatic processing of mixed mail, with changing postage fees from letter-to-letter, is practically impossible.
U.S. Pat. No. 5,309,393 discloses a remotely loaded postage meter machine that is connected to a personal computer that contains a modem and sets up a communication connection with a telephone network. A scale can be additionally connected to the postage meter machine or can be integrated in the postage meter machine housing. This is again a closed, and thus protected, system that, however, continues to exhibit the aforementioned disadvantages. Alternatively, an open system is proposed according to another embodiment of U.S. Pat. No. 5,309,393. An interface board is inserted into a slot of the personal computer, this interface board contains an interface to a scale cell and to a display unit as well as a non-volatile electronically erasable and programmable memory EEPROM for the mail registers (ascending register, descending register). A standard printer that produces the franking imprint is connected to the personal computer via a parallel I/O interface. The primary password, stored in a non-volatile memory of the personal computer, enables access to all franking operations. A secondary password for the user is stored in the EEPROM of the interface board. Whether the security of the system against manipulation is assured beyond this level is not disclosed. Most public mail carriers still have reservations with respect to the security of open systems. Moreover, such a printer also does not seem suitable for processing a high and differing mail volume.
In U.S. Pat. No. 5,590,198, a removable meter insert is likewise inserted into a slot of a personal computer, the insert corresponding to the standard of the Personal Computer Memory Card International Association (PCMCIA). The insert includes further, required modules for an open system in order to assure the necessary security against manipulation. A user password is required for operating the franking system, however, a re-initialization is possible with a super password generated by a data center, i.e. without having to send the meter insert back to the manufacturer. A standard printer that produces the franking imprint is in fact connected to the personal computer in unsecured fashion. The printed postage value in the postage stamp imprint, however, is secured with an additionally printed, digital signature. The authorization is checked at the mail carrier on the basis of the digital signature on the postal matter. The introduction of such a system will only become possible after the postal authorities and private carriers are equipped with an appropriate monitoring technology. The commercially available printers are in fact adapted for connection to a personal computer and are switchable in order to be able to print an unfilled enveloped. Such printers, however, are not designed for handling a medium through high mail volume and can only print unfilled envelopes.
None of the aforementioned solutions allows the processing of filled envelopes having different thickness and different formats. The aforementioned publications do not disclose whether various mail carriers can be selected by the customer of the mail carrier or how an allocation therefor ensues in the accounting. It is also a problem as to how up-to-date data can be maintained for a number of carriers.
An object of the present invention is to eliminate the aforementioned disadvantages associated with known PC-based systems and to provide a mail processing system that is composed of physically separate components that enable a maximum adaptation to the customer""s wishes, with the employment of security housing being reduced while still precluding a misuse for the purpose of a falsification of data of individual components as well as of the overall system.
In particular it is an object to develop, a more flexible mail expediting system having a mail processing machine that enables a utilization of services of various private and public mail carriers. The processing of filled postal matter having different thicknesses and different formats given, medium through high shipping quantities, should ensue with a machine base station.
The above objects are achieved in accordance with the principles of the present invention in a personal computer-based mail processing system having a machine base with a printing station adaptable to postal items of differing thicknesses, and having a specific interface unit, the printhead in the printing station being driven by printing control electronics. Components forming a service request arrangement for processing mail for at least one mail carrier are connected to the system bus of the personal computer. At least one security arrangement per mail carrier is provided, which includes an application-specific integrated circuit connected to the personal computer system bus via a parallel input/output interface, and which is connected to the printing machine base via at least one interface and a data cable. The interface and the application-specific integrated circuit of the security arrangement form a specific data transmission unit for fast data transmission between the security arrangement and a processing circuit in the specific interface unit of the base and/or the printing control electronics. The application-specific integrated circuit includes circuitry for implementing accounting and security functions for the (at least one) selected mail carrier. The hardware circuit is connected to non-volatile memory modules and to a security processor, which is programmed with at least one non-readable program portion in order to implement at least one of a number of security functions.
A printhead for purely electronic printing is driven by printhead electronics and, together with a transport unit, forms a printing station that is adaptable to varying thicknesses of postal items. In addition to enabling the processing of large quantities of mixed mail on the basis of filled envelopes, the invention enables PC-supported franking. Security against manipulation at the interface to the printing base is assured by specific measures in the personal computer and in the printing base, and may be enhanced by a security imprint corresponding to the demands made by the respective mail carriers. The data for the security imprint include a signature or marking that enables a verification of the printed postage value.
The invention proceeds a recognition that a secured housing is only required for specific components of the system. The system includes security circuits in the personal computer protected by a security housing that is connected to the system of the personal computer. Accounting and security functions are united in the inventive security arrangement. The accounting function of the security arrangement is based on a fast and manipulation-proof hardware accounting unit and non-volatile memory modules that do not require a supporting voltage for data preservation when the machine is turned off. Specific data transmission hardware and a specific, fast interface to the machine base station allow a specific control of at least the machine base station by the security arrangement, as a result of which a use of the machine base station without a connected security means is rendered impossible in the aforementioned way.
As a result of a software-based security module in the security arrangement, the system is equipped with high security against manipulation. A security processor, preferably an OTP (one-time programmable) processor is contained in the security arrangement and stores all security-relevant programs so as to be protected against readout. The security processor is programmed with at least one non-readable program part in order to execute at least one of a number of security functions. The security processor is connected to a modem via the parallel input/output interface of the security arrangement and via the PC system bus, or the security processor is connected to a modem via at least one serial interface of the security arrangement. The security processor is thus programmed with a non-readable program part that implements a manipulation-proof credit reloading into the mail registers that are formed in the non-volatile memory modules. Together with further programs stored in a program memory EPROM of the security arrangement, at least one security module is created that checks the authorization of the individual components and monitors the data transfer between personal computer and machine base station.
The personal computer with appertaining user programs and a beneficial user interface with keyboard and display unit comfortably allows more functions to be executed then could a meter of a postage meter machine. Thus, more and new services of the mail carriers can be requested for the mail processing. Advantageously, these user programs are utilized for operating the system under Windows(copyright) for a number of carriers as franking system, shipping system or postage valuation system. The program memory of the personal computer and/or of the security arrangement preferably contains a user program with a postage calculation routine on the basis of entered shipping data and on the basis of a weight entered manually or via a scale, or on the basis of input data for the indirect calculation of the weight. In a preferred embodiment, the postage calculation routine contains a sub-routine for determining the most beneficial mail carrier for the corresponding shipping or, respectively, conveying task. It has been proposed to utilize a computer-supported mail processing system with postage meter machines, and possibly with other mail handing devices, for the processing of a higher mail volume in a mail station for franking postal matter (German Patent Applications 196 17 586.0, 196 17 473.2, 196 17 476.7, 196 17 557.7, respectively corresponding to pending U.S. applications Ser. No. 08/850,805, Ser. No. 08/850,788, now U.S. Pat. No. 6,064,994 Ser. No. 08/850,413 and Ser. No. 08/850,051 now U.S. Pat. No. 6,035,291 and assigned to the same assignee as the present application). The mail carriers are selected in the office by the user via the user interface of the personal computer, and are printed on the letter as bar coded information. The bar code can be scanned in the remote mailing station via a scanner. The accounting ensues via software in the postage meter machine to which a modem is also connected for updating the postage fee schedules. The updating of the schedules ensues automatically in collaboration with a data center.
Differing therefrom, the invention undertakes an accounting via hardware in at least one security arrangement in the personal computer. The accounting is undertaken for a mail carrier selected from a number of mail carriers. To this end, a service request unit for mail processing for at least one mail carrier is connected to the PC system bus, and at least one security arrangement is equipped with a user-specific hardware circuit that implements the accounting related to a mail carrier in associated, non-volatile memory modules.
Alternatively, one or more separate security inserts (one insert per mail carrier or one insert for a group of mail carriers) can be inserted into a slot of a personal computer.
The security arrangement includes at least one software-based security module in the security processor or in the program memory and at least one fast interface. A software-based security module in the security processor is provided, for example, for generating data for a security imprint or for producing security during printing. Each of the software-based security modules is based on a non-readable program part in the security processor. A number of software-based security modules can likewise be utilized for different mail carriers and purposes. A software-based security module in the security arrangement can be entirely customized to the requirements and demands of a specific mail carrier. The security processor of the security arrangement enters into a communication connection with a modem and is programmed with a non-readable program part that implements a manipulation-proof credit reloading in to the mail registers that are fashioned in non-volatile memory modules.
The security arrangement is connected via a first data cable and via a processing circuit of the specific interface unit and/or of the printhead electronics in the machine base station for the control of a printing station adaptable to postal matter thickness. The security arrangement preferably includes a fast serial interface for the connection to the printhead electronics in the machine base.
Tampering with the machine base is already made more difficult by the specific interface. Additional, specific measures guarantee security against an unauthorized manipulation. The legitimacy numbers for the allowed security arrangement are stored in the user program of the personal computer, or an identification of what security component must be accessed in order to implement the accounting for a selected mail carrier are listed therein. The allowed printer devices or the printer devices suitable according to the respective user program are listed in the user program of the personal computer and in a program module of the security arrangement. Routines in order to be able to mutually check the authorization are stored in the user program of the personal computer and in a program module of the security arrangement. The personal computer thereby checks whether the security arrangement allocated to the respective user program or to the respective mail carrier is connected, and whether the machine base station allocated to the respective user program is connected. If not, the respective user program cannot be activated. Moreover, a check in the machine base can likewise ensue with respect to an authorization of the security arrangement. Tampering with the machine base can only be prevented in this way. It is thus not possible to operate the specific machine base with a different computer, i.e. without a connected, authorized security arrangement, in order, for example, to fraudulently produce franking imprints that have not been accounted for.
The security of the inventive mail processing system is based on two measures that, first, are directed to the operating mode of the security arrangement and, second, are directed to the operating mode of the franking printer. The security arrangement is thereby protected against manipulations of the postage fee accounting, whereas the franking imprint of the franking printer is protected against forgeries. The security of the security arrangement, by contrast to a pure PC solution, is based on specific hardware. This specific hardware in fact has an interface to the PC system bus.
Beyond this level of security, no access is possible to the postage accounting program or to some other, security-relevant program, or to security-relevant data or to the postage memories, in order to write data. The security-relevant data can only be read out orxe2x80x94for example, in the course of a credit reloadingxe2x80x94used or modified by the processor of the security module. The identity of the security module is given by a customer-specific or machine-specific key, which cannot be read out, and by means of the previously cited interrogatable legitimacy number. The accounting data can only be read out by the processor of the personal computer, for example, for the purpose of display of the accounting data. The security arrangement itself can be protected by various measures. The simplest form of protection is to encapsulate the security arrangement in a container having a lead seal. An equivalent measure to cast the security-relevant hardware component such as, for example, the postage memory in casting material. A higher level of security against manipulation is achieved by a specific version of the security arrangement in the form of a application-specific integrated circuit (ASIC). At the output side, at least the print data and appertaining control data are emitted from the security arrangement to the machine base. All lines are advantageously combined to form a first data cable that may be equipped with an adapter and that is connected by a plug/socket to the specific interface unit of the machine base.
Together with further, individually controllable stations, the machine base forms a mail processing machine, whereby the individual, controllable stations are respectively connected to one another by a second data cable.
One individually controllable station of the mail processing machine can be an automatic delivery station for postal matter, connected via an interface to the machine base via the second data cable. In addition to driving the machine base, the personal computer equipped with the security arrangement also drives the automatic delivery station that is connected at the postal matter input side and applies an envelope or some other postal matter to the mail input of the machine base.
Another individually controllable station of the mail processing machine can be a dynamic scale, connected via an interface to the machine base via the second data cable.
In another version the individually controllable station is a dynamic scale and is connected by an interface to the machine base via the second data cable and to the security arrangement via a separate data cable.
In an alternative version the automatic delivery station is connected by an interface to the dynamic scale via a second data cable and the dynamic scale is connected by an interface to the machine base via the second data cable, and the machine base is connected by an interface to the security arrangement in the personal computer and via a first and separate data cable.
In addition to the hardware accounting unit for the implementation of an accounting function, at least one serial interface with means for the implementation of a security function is included in the user-specific hardware circuit of the security arrangement. This serial interface is equipped with a monitoring circuit that collaborates with the printhead electronics of the specific interface unit or with a processing circuit of the specific interface unit. The monitoring circuit can be operated in combination with a software security module.
The user-specific hardware circuit of the security arrangement preferably is equipped with a medium-speed, second serial interface that includes a sensor/actuator control with couplers for voltaic separation in order to control the machine base station together with further, individually controllable stations of the mail processing machine via the processing circuit of the specific interface unit. Opto-couplers preferably are utilized as the couplers.
Alternatively the user-specific hardware circuit of the security arrangement can be equipped with a medium-speed, second serial interface and with a slow, third serial interface, the medium-speed second serial interface including a sensor/actuator control and opto-coupler in order to control the machine base via the processing circuit of the specific interface unit. The slow, third serial interface includes a UART circuit and opto-coupler in order to control the further, individually controllable stations of the mail processing machine via a transmission circuit of the specific interface unit.
Preferably, the aforementioned first data cable and separate data cable are combined to form a common, first data cable connected via a plug/socket to the specific interface unit in the machine base. The transmission circuit of the specific interface unit includes an appertaining plug/socket for the data plug of the first data cable of the common data cable, and a level converter that implements a conversion in the machine base station from TTL signals for a V24 interface. The V24 interface is connected to a V24 jack.