1. Field of the Invention
The present invention is directed to a method and to a postal apparatus, particularly a postage meter machine, of the type having a chip card write/read unit for reloading change data by chip card into the postage meter machine or into a postal scale.
2. Description of the Prior Art
The reloading of postage fee tables into a postage meter machine by chip card via a chip card write/read unit is already disclosed in U.S. Pat. No. 5,606,508 for postage meter machines and in U.S. Pat. No. 5,710,706 for scales. The control unit of the postage meter machine performs a monitoring function with respect to the conditions for data updating and controls the reloading.
Modern postage meter machines such as, for example, the thermal transfer postage meter machine disclosed by U.S. Pat. No. 4,746,234 utilize fully electronic digital printer devices. It is thus fundamentally possible to print arbitrary texts and special characters in the postage stamp printing area and to print an arbitrary advertising slogan or one allocated to a cost center. For example, the postage meter machine T1000 of Francotyp-Postalia AG and Co. (Postalia, Inc. in the U.S.) has a microprocessor that is surrounded by a secured housing having an opening for the delivery of a letter. Upon delivery of a letter, a mechanical letter sensor (microswitch) communicates a print request signal to the microprocessor. The franking imprint contains previously entered and stored postal information for dispatching the letter.
It is also known to store data specific to cost centers on chip cards in order to make the user-specific information mobile (portable) and to avoid an intentional misuse of other cost centers. U.S. Pat. Nos. 5,606,508 (corresponding to German OS 42 13 278) and 5,490,077 disclose a data entry with chip cards for the aforementioned thermal transfer postage meter machine. One of the chip cards loads new data into the postage meter machine, and a set of further chip cards allows a setting of correspondingly stored data to be undertaken by plugging in a chip card. Loading data and setting the postage meter machine are thus possible in an easier and faster manner than via a keyboard input. The keyboard of the postage meter machine remains small and uncluttered because no additional keys are required in order to load or set additional functions. A plug-in slot of a chip card write/read unit, into which the respective chip card is to be plugged by the customer within a time window, is located on the back side of the postage meter machine. Due to the lack of direct visual contact, an unpracticed user does not always succeed in inserting the required chip cards in immediate succession, which then leads to unwanted delays. The plug-in slot of a chip card write/read unit is only easily accessible when the user bends over the machine. The problems in producing visual contact increase with larger machines. The user often has a number of other chip cards that can be plugged in. Chip cards of the same type (size format), for example telephone cards, credit cards and the like, can be physically inserted into the postage meter machine but will not be accepted. Without visual contact, however, the error is not always immediately obvious.
The postage meter machine only works with relatively expensive chip cards that are themselves equipped with a microprocessor (smart cards) and are thus able to check whether the postage meter machine communicates a valid data word to the chip card before an answer is sent to the postage meter machine. When, however, no answer or user identification ensues, this is registered as an error in the postage meter machine and is indicated before a request to remove the chip card appears in the display. To register an erroneously inserted telephone card as attempted fraud, however, would not be reasonable given the not unlikely occurrence of an "innocent" mistake.
A modified technique for scales is disclosed in the aforementioned U.S. Pat. No. 5,710,706. The chip card write/read unit of this postage meter machine is employed for the additional purpose of loading new postage fee tables into the corresponding non-volatile memories of the scale. The different fee schedule structures and fee schedules of further mail carriers also can be loaded. Since the available memory capacity on a chip card is limited, all required data are sequentially loaded into the scale via the postage meter machine with a series of chip cards that are successively inserted.
As an alternative way of solving the further problem that there is only limited memory capacity available on a chip card, U.S. Pat. No. 4,802,218 discloses that a number of chip cards be simultaneously employed, these being plugged into a number of write/read units. In addition to a user chip card for the recrediting and debiting, whereby the postage fee value is subtracted from the credit, a master card and a further rate chip card with a stored postage fee table are simultaneously plugged in. By accessing a postage fee table, a postage fee value can be determined according to the input weight and shipping destination without loading an entire table into the machine. Since, however, a respective write/read unit is required for every chip card, the apparatus becomes too large and expensive. Moreover, a separate reloading terminal is required in order to replenish the credit in the user chip card, with the master card providing the authorization for this reloading function. A supervisor card has access to all master cards. Various security levels are accessible by appertaining key codes. Such a system with a number of slots for chip cards is very complex overall.
German OS 196 05 015 discloses an embodiment for a printer device (JetMail (copyright)) that, given a non-horizontal, approximately vertical letter transport, implements a franking imprint with an ink jet print head stationarily arranged in a recess behind a guide plate. For recognizing the start (leading edge) of a letter, a print sensor is arranged shortly upstream of the recess for the ink jet print head and collaborates with an incremental sensor. The letter transport is free of slippage due to pressure elements arranged on the conveyor belt, and the incremental sensor signal derived during the transport has a positive influence on the quality of the print image. Given such a postage meter machine having larger dimensions, however, a chip card write/read unit would have to be arranged and operated such that sequentially pluggable chip cards can be used without problems.
The chip cards are usually initialized by the chip card manufacturer and the postage meter machine manufacturer; however, it is complicated for the postage meter machine manufacturer to take specific customer wishes into consideration. Although information with respect to the postage fees matched to the current fee schedules must be communicated to the individual user of a postage meter machine, it affects all users of postage meter machines. A non-personalized chip card would have the advantage of being able to be produced on a mass production basis, which could be implemented on short notice immediately before a fee schedule change. Given a freely purchasable non-personalized reloading card, however, there is the possibility that users of postage meter machines may receive the reloading information from other users without adequately compensating the actual service vendor. A universal requirement to purchase reloading cards cannot be implemented because some users would then be required to purchase unneeded information. This would be the case, for example, when only details of the reloading information that are not relevant to all users are modified. Finally, it is also technically unnecessary to replace an entire table only because of a few modified details. Moreover, commercially available programming devices exist with which a new chip for a chip card can be burned in. A final consideration is that a data bank with expensive data bank security would only be required to prevent a misuse, and thus may not be needed when the risk of misuse or the incentive to tamper is low.
For some specific chip card applications, there is far less of a security risk for the protection or devaluation (theft) of the monetary data present on the chip card. Thus, an estimate of the tampering potential or of the tamperer categories is fundamentally required for every application in order to achieve the desired security level with measures that are reasonable in terms of outlay. The axiom "as much as necessary, as little as possible" thereby applies. A registered postage meter machine use number would too obviously divulge the user identifier to an attacker. A certain deterrence threshold for theft by copying must therefore be present.
Often, chip cards have only a highly limited memory capacity. This is especially true of inexpensive chip cards. Thus, memory cards are usually implemented with a few hundred bits of memory capacity. This memory capacity is insufficient for accepting the full scope of fee-specific data. There are numerous security methods based partly on access-protected physical areas of the chip cards and partly on different cryptographic protection algorithms. A disadvantage of these methods is that a high initialization outlay must be expended, for example for the individualization of the cards by assigning PINs or for key administration given cryptographic methods. Known security methods are unsuitable insofar as they require a great deal of additional memory capacity on the chip card. Deleting the data on the chip card after their one-time use in fact requires no additional memory capacity on the chip card but must nonetheless be ruled out because the method would preclude a repeated use of the reloading card at the same postage meter machine. A repeated use of the reloading card at the same postage meter machine is required for recovery in case of error if the appertaining data have been lost in the postage meter machine and must be restored. A repeated use of the reloading card at the same postage meter machine also can be required as needed for the purpose of pre-dating mail, particularly when a change in fee schedule takes effect in the time span between normally dated mail and pre-dated mail. When mail to be carried by a selected mail carrier is pre-dated to a future date, the mail is already franked in bulk several weeks or days before the shipment and is warehoused until the shipment date. A corresponding carrier-related chip card loads carrier-related reloading data into the postage meter machine. After the end of this franking job, a new franking job is to be processed.
To this end, another carrier-related chip card can load carrier-related reloading data into the postage meter machine. Since the postage meter machine cannot load and store all data for all carriers, a repeated use of the reloading card is required in order to implement pre-dated mail processing in alternation.
An object of the present invention is to provide a fraud-proof method and postage meter machine with a chip card write/read unit for reloading fee schedule change data into a postage meter machine or into a scale by chip card. The method and machine should allow an easily accessible chip card write/read unit and an appertaining controller to be utilized and a set of unpersonalized chip cards should be made available to the user, these allowing a reloading of information for the implementation of postage meter machine functions, or their combined application, as often as necessary. On the other hand, a protection against multiple use of one and the same chip card in other postage meter machines when the used chip card is handed over should be created.
The above object is achieved in accordance with the invention in a method and machine wherein, before the utilization of the data stored on a first chip card, a postal apparatus, particularly a postage meter machine, modifies this data with the assistance of a specific crypto-algorithm and a suitable, device-specific, first key, such that the data can only be decrypted with the assistance of this key. The use data are stored in a first memory area of the aforementioned chip card and include the remaining use data and variable data, or a crypto code after the initial use. A repeatedly used chip card only supplies usable data for the same device that implemented the personalization of the unpersonalized chip card when it was inserted for the first time.
In the case of a renewed data loading from the first chip card into the postal apparatus, an additional inscription into the chip card of data modified in a predetermined way in the postal apparatus is implemented as a result of the reloading.
Additionally, given a repeated use of the first chip card, the modified data differ depending on the number of uses, so that a renewed data loading into the postal apparatus and an additional inscription into the chip card of data modified in another predetermined way in the postal apparatus ensue. The modification only affects the form of the data and their storage in memory locations; it has no effect on the content of the information, which can be reloaded at any time. The postal apparatus can reconstruct the original information independently of the encrypted or unencrypted form. The nature of the modification is predetermined by the stored program. A reversible encryption algorithm such as, for example, DES (Data Encryption Standard) is preferably employed.
Alternatively, data segments or at least functions derived from the data or data segments, can be modified in a predetermined way in order to then rewrite these segments or functions in a memory area as code.
The writing of a code based on initial data into the chip card, given repeated insertion thereof, can be additionally employed for the purpose of verifying the authenticity of the chip cards before the chip card data are used again internally in the postage meter machine. A code is stored in a second memory area of the chip card for the authorization of the use data, or a different code is stored after the initial use. A second key is stored in the chip card in hidden form. An identical second key is likewise stored in a manner so as to be protected against unauthorized reading in all postage meter machines. For example, the second key can be scrambled or functionally operated with the data checksum in a predetermined way, so that the key is also given a different appearance with every new fee schedule table. A third key that has a predetermined relationship to the second key exists in every postage meter machine.
This second key, similar to a recursive method, is inventively co-encoded by the third key, resulting in the execution of a check routine for authenticity in a protected (postage meter machine) device environment without having the second key leave the postage meter machine during the procedure or having its secrecy compromised. After the decoding of the data or data parts or data functions, the verification of the data authenticity now ensues internally in the device at least on the basis of the check of a predetermined relationship between the secret second key of the chip card and the third key of the postage meter machine. Additionally, the checksum formed over the unencoded chip card data can be utilized for the authenticity check in a form modified in a predetermined way with the second key. This requires an interleaved check of mutually dependent data that have a predetermined relationship to one another. After use of the chip card, the data inventively remain in a form modified by the first, postage-meter-machine-specific key, which precludes a meaningful use of the data given an attempt to use the chip card at a different postage meter machine, as well as leading to blocking of the chip card, or of the postage meter machine, when the attempt is made.
In particular, the invention creates a chip card/postage meter machine system, so that an automatic reloading of a postage meter machine can be achieved after the insertion of a reload chip card, recognizable with respect to its type, into a chip card write/read unit without having the same chip card likewise produce a reloading after being inserted into a chip card write/read unit of another postage meter machine. The crypto code is calculated in the postage meter machine and written into the chip card, so that the chip card supplies usable data only for the same postage meter machine. Also, a MAC protection technique is utilized that requires little memory capacity on the chip card and nonetheless allows a machine check of the authenticity of the chip card data.
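As an added illustration (not code from the patent or from Francotyp-Postalia), the following Python model shows the personalization scheme described above: an unpersonalized card carries the fee data in a first memory area and an authorization code under the shared second key K2 in a second area; the first meter that reads it rewrites the data under its device-specific first key K1, so any other meter recovers only garbage, fails the authenticity check and blocks. The HMAC-derived keystream stands in for DES, the use counter kept on the card, the K1 derivation and the sample fee table are assumptions of this example, and the third-key recursive check is not modeled.

```python
import hashlib
import hmac

# Constructed sample fee data for the demonstration; not a real postal rate table.
FEE_TABLE = b"rate-table:v7;letter<=20g:0.55;letter<=50g:1.10"
# Assumed "second key" K2: hidden on every card and held by every meter.
SHARED_KEY_K2 = b"constructed-shared-manufacturer-key"
MAC_LEN = 8  # truncated code, to suit the few hundred bits a memory card offers


def xor_crypt(key: bytes, use_count: int, data: bytes) -> bytes:
    """Reversible stand-in for DES: XOR with an HMAC-derived keystream.
    The use counter enters the nonce, so the rewritten data differ per use."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        nonce = use_count.to_bytes(4, "big") + block.to_bytes(4, "big")
        stream += hmac.new(key, nonce, hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def card_mac(data: bytes) -> bytes:
    """Authorization code over the unencoded card data, keyed with K2."""
    return hmac.new(SHARED_KEY_K2, data, hashlib.sha256).digest()[:MAC_LEN]


class ChipCard:
    """Memory card: area1 = use data, area2 = authorization code,
    uses = reload counter (assumed to be stored on the card in the clear)."""

    def __init__(self, data: bytes):
        self.area1 = data  # plaintext until the first meter personalizes it
        self.area2 = card_mac(data)
        self.uses = 0


class PostageMeter:
    def __init__(self, serial: bytes):
        # Device-specific first key K1; this derivation is a constructed example.
        self.k1 = hashlib.sha256(b"K1:" + serial).digest()
        self.blocked = False

    def reload(self, card: ChipCard):
        """Return the fee table, or None (and block) for a foreign or altered card."""
        if self.blocked:
            return None
        if card.uses == 0:
            data = card.area1  # first insertion: card still unpersonalized
        else:
            data = xor_crypt(self.k1, card.uses - 1, card.area1)  # undo own rewrite
        if not hmac.compare_digest(card_mac(data), card.area2):
            self.blocked = True  # decrypted with a foreign K1, or data tampered
            return None
        card.area1 = xor_crypt(self.k1, card.uses, data)  # rewrite under K1
        card.uses += 1
        return data
```

A card personalized by one meter keeps reloading that meter (including after a failed attempt elsewhere), while a second meter gets nothing usable from it and blocks.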
The chip card/postage meter machine system can be arbitrarily expanded or modified. A different inserted chip card type can be recognized by the postage meter machine and correspondingly interpreted. The postage meter machine thus can be operated with an optimally inexpensive chip card type dependent on the nature of a particular application.
Arranging the chip card write/read unit behind the guide plate of the postage meter machine allows easy access thereto. The chip card can be seen well during the insertion, and the type of chip card being inserted at the moment thus also can be easily determined on the basis of a corresponding identification.
For a data update among all the postage meter machine users, a delivery of unpersonalized chip cards with identical content to the respective users can ensue as a mass-produced product, it being incumbent upon the supplier to undertake measures for the protection of the original chip cards against unallowed copying until the first reloading. A certain deterrence threshold for theft by copying is also achieved by using a specific, particularly rarer card type that is thus more difficult to acquire. Moreover, it is assured that, following the initial use of the card by a postage meter machine, this card can only be used at this specific apparatus and that a data use at other postage meter machines is no longer possible. A necessity to surrender the data content of a chip card already used once for reloading for multiple use at other postage meter machines thus is avoided.