In recent years it has been proposed to print postal indicia by means of conventional nonsecure printers such as laser printers, ink-jet printers, and thermal transfer printers. Such printers are termed “nonsecure” because the printer itself is not in a secure housing and because the communications channel linking the printer to other apparatus is nonsecure. Under such a proposal, the question naturally arises what would prevent a user from printing the same postal indicium repeatedly, thereby printing postal indicia for which no money has been paid to the post office. The proposed anti-fraud measure is to store information within the indicia which would permit detecting fraud. The indicium would include not only human-readable text such as a date and a postage amount, but would also include machine-readable information, for example by means of a two-dimensional bar code. The machine-readable information would be cryptographically signed, and would include within it some information intended to make fraud more difficult. The information would typically include an identification of the postage meter license (granted by the meter manufacturer or by the postal authorities, depending on the country), an indication of the number of mail pieces franked, the postage amount, a postal security device identifier about which more will be said later, the date and time, and a zip code or post code of the mail piece addressee.
The typical apparatus for printing such “encrypted indicia” postage includes what is called a postal security device or PSD. The PSD has a secure housing, and within the secure housing are the accounting registers as well as a cryptographic engine. The engine permits cryptographic authentication and signing for communication with an external device such as the computer of the meter manufacturer or of the post of ice. The engine also permits creation of postal indicia which contain specified information and which are cryptographically signed. The PSD may well be physically small as compared to traditional postage meters. The PSD may be the size of a PCMCIA card or the size of a smart card.
Within the PSD the memory must be protected against inadvertent damage due to malfunction of the processor of the PSD, for example as set forth in U.S. Pat. No. 5,668,973, Protection system for critical memory information owned by the same assignee as the assignee of the present application. The PSD must handle power failure in a graceful fashion, for example as set forth in U.S. Pat. No. 5,712,542, Postage meter with improved handling of power failure, also owned by the same assignee as the assignee of the present application.
To reduce smudging, the printer may preferably be that described in PCT publication no. 97-46389, Printing apparatus, also owned by the same assignee as the assignee of the present application. While it has been proposed that the PSD contain a real-time clock which is keeping time continuously, desirably this requirement may be avoided as described in PCT publication no. 98-08325, Printing postage with cryptographic clocking security, also owned by the same assignee as the assignee of the present application. PSDs can form part of a network with multiple printers as described in PCT publication no. 98-13790, Proof of postage digital franking, also owned by the same assignee as the assignee of the present application.
The postal authorities face the question how the PSD can be protected from tampering. For example, the entire system of PSDs depends on the use of cryptographic keys. The keys are used for authenticating communications between the PSD and the manufacturer's system or the postal authority's system. Such communications are used to set up and maintain the PSDs, and are used to refill or “reset” the PSDs to reflect the ability to print more postage. The keys are also used to cryptographically “sign” information printed in the postal indicia. If the cryptographic keys were compromised, a user might be able to defraud the post office or the PSD manufacturer or both.
Many approaches have been proposed for protection of such cryptographic keys from compromise. The usual approach is to place the cryptographic keys in a RAM (random access memory) of a type which keeps its contents only so long as the RAM receives power from a battery. The secure housing of the PSD is designed to include a tamper switch, so that if the secure housing is tampered with, the switch opens. The switch interrupts power to the RAM (and, in particular, interrupts battery power to the RAM) and its contents are lost. In this way the information in the RAM (for example, the cryptographic keys) is protected from tampering. Another proposed approach is to employ commercial memory chips (such as the Dallas Semiconductor DS1283 and Benchmarq bq3283) offer a pin on the package which will clear the memory based on a predetermined input voltage level. The tamper switch is set up to apply the predetermined voltage upon detection of tampering.
Many approaches have also been proposed for detection of the tampering. In EP 820 041, for example, it is suggested that the secure housing of an old-style mechanical or electromechanical postage meter be set up to contain an air pressure that is distinctively higher than or lower than normal atmospheric pressure. If the secure housing is violated, the pressure within the secure housing changes to match the ambient pressure. A sensor within the housing detects the pressure change and thus the violation. The sensor disables further function of the postage meter.
The approach of cutting power to a volatile memory such as the RAM discussed above has a drawback in that during periods of power-down, the RAM depends on an internal battery to avoid loss of the information in the RAM. Depending on the requirements of the postal authority, and on design decisions made by the PSD manufacturer, the quantity of data requiring protection may be quite large. The data to be protected may include cryptographic keys used for PSD configuration, keys used for remote resetting (refilling), keys used for signing postal indicia, and keys used for the management of the other keys. In addition it may be desired to protect the bit-images used to generate the human-readable portion of the printed indicia. A RAM big enough to hold all of these important items of data will also draw a non-negligible current from the internal battery. This may lead to a limited and commercially unacceptable battery life.
It would thus be desirable to have a PSD design which protects the many important items of data stored within, and yet which does not draw very much battery power and so permits a commercially acceptable battery life.