One example of a value dispensing system is a postage metering system including an electronic postage meter and a printer for printing a postal indicia on an envelope or other mailpiece. Recent efforts have concentrated on removing the printer from being an integral part of the postage meter. Also, the postage meter is generally detachable from the printer so that any number of postage meters may be operatively coupled with the printer.
Electronic postage meters for dispensing postage and accounting for the amount of postage used are well known in the art. The postage metering system supplies proof of the postage dispensed by printing a postal indicia which indicates the value of the postage on an envelope or the like. The typical postage meter stores accounting information concerning its usage in a variety of registers. In a pre-payment type of postage meter, such as those employed in the United States, an ascending register tracks the total amount of postage dispensed by the meter over its lifetime. That is, the ascending register is incremented by the amount of postage dispensed after each transaction. A descending register tracks the amount of postage available for use. Thus, the descending register is decremented by the amount of postage dispensed after each transaction. When the descending register has been decremented to some value insufficient for dispensing postage, then the postage meter inhibits further printing of indicia until the descending register is resupplied with funds. In a post-payment type of postage meter such as those employed in France, the ascending register may be retained as described above while the descending register is eliminated or set to an extremely high value.
Generally, the postage meter communicates data necessary for printing a postal indicia to the printer over suitable communication lines, such as a bus, data link, or the like. During this transfer, the data may be susceptible to interception, capture and analysis. If this occurs, then the data may be retransmitted at a later time back to the printer in an attempt to fool the printer into believing that it is communicating with a valid postage meter. If successful, the result would be a fraudulent postage indicia printed on a mailpiece without the postage meter accounting for the value of the postage indicia.
It is known to employ secret cryptographic keys in postage metering systems to prevent such fraudulent practices. This is accomplished by having the postage meter and the printer authenticate each other prior to any transfer of print data or printing taking place. One such system is described in U.S. patent application Ser. No. 08/579,507, filed on Dec. 27, 1995, and entitled METHOD AND APPARATUS FOR SECURELY AUTHORIZING PERFORMANCE OF A FUNCTION IN A DISTRIBUTED SYSTEM SUCH AS A POSTAGE METER (E-476) and now issued as U.S. Pat. No. 5,799,290. Another such system is described in U.S. patent application Ser. No. 08/864,929, filed on May 29, 1997, and entitled SYNCHRONIZATION OF CRYPTOGRAPHIC KEYS BETWEEN TWO MODULES OF A DISTRIBUTED SYSTEM (E-612). These types of mutual authentication systems help to ensure that the printer is being contacted by a valid postage meter and that the postage meter is in communication with a valid printer.
Once the postage meter and the printer have mutually authenticated each other, the exchange of print data may begin. A portion of the print data requires generation of a secure token in the postage meter. This token is printed within the postal indicia and is used by a postal authority to verify the integrity of the postal indicia. Generally, the token is an encrypted representation of the postal information contained within the postal indicia printed on the mailpiece. In this manner, the postal authority can read the postal information printed on the mailpiece and independently calculate a token for comparison purposes with the token printed on the mailpiece. In the alternative, the token on the mailpiece may be decrypted to derive the postal information that is anticipated to be printed on the mailpiece. Examples of such techniques are described in U.S. Pat. Nos. 4,831,555 and 4,757,537.
To expedite print data transfer from the postage meter to the printer, the postal indicia may be partitioned into fixed data (graphics) and variable data (date, postage amount, piece count, serial number, etc.). Generally, the fixed data does not change from postal indicia to postal indicia while the variable data may change from postal indicia to postal indicia. To save data transmission time, the fixed data may be previously stored at the printer while the variable data is generated by the postage meter. To print a complete postal indicia, the variable data is transmitted to the printer and then merged with the fixed data at the printer to produce the print data signals necessary to drive the printer.
Additionally, to remain competitive in a global marketplace, it is important to design and build postage metering systems that may be efficiently deployed where consumer demand exists. This means that postage metering systems must be adapted for use depending upon the local currency (US $, CAN $, UK £, F-Franc, D-mark, S-Franc, Lira, Yen, Euro, etc.). Therefore, it is desirable to have the flexibility of moving postage metering systems from country to country as needed. Generally, the design of the postal indicia is subject to approval and/or specification by the postal authority. As a result, although the fixed data may change from country to country, the fixed data typically remains uniform in a given country for each postage metering system once a format has been established in the given country.
Although mutual authentication and token verification contribute significantly to the security of the postage metering system, potential attack points still exist. For example, it may be possible to manipulate the fixed data portion of a postal indicia so that postage is accounted for in a first currency and printed in a configuration that reflects a second currency. Depending upon the exchange rate between the two currencies, significant advantages could be gained by the successful attacker.
For example, if the attacker were successful in obtaining a postage metering system from Japan having accounting registers indicative of values in Yen and replacing the fixed print data corresponding to Japan with fixed print data corresponding to the United States, then the attacker could produce fraudulent postage in the United States using an authentic postage metering system that may survive scrutiny by the United States Postal Service (USPS). With an exchange rate of one United States dollar (1 US $) approximately equal to one hundred twenty Yen (120 ¥), the attacker would realize a substantial return on investment because a resulting postal indicia appearing on its face to indicate a value of one United States dollar (1 US $) would be accounted for as one Yen (1 ¥).
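The gap described in the two preceding paragraphs can be modeled as follows. This is an added illustration, not code from the referenced patents or from any postage metering product; the HMAC token, the key, the class and field names, and the printer-side currency comparison are all assumptions made for the sketch.

```python
import hmac, hashlib
from dataclasses import dataclass

KEY = b"constructed-demo-key"  # constructed; stands in for the token secret

def token(variable: dict) -> str:
    # Assumption: HMAC replaces the "encrypted representation" of the postal information.
    msg = "|".join(f"{k}={variable[k]}" for k in sorted(variable)).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()[:16]

@dataclass
class Meter:
    currency: str        # currency the accounting registers are kept in
    descending: int      # funds available (pre-payment meter)
    ascending: int = 0   # lifetime postage dispensed
    piece_count: int = 0

    def dispense(self, amount: int, date: str) -> dict:
        if amount > self.descending:
            raise RuntimeError("insufficient funds: printing inhibited")
        self.descending -= amount
        self.ascending += amount
        self.piece_count += 1
        variable = {"amount": amount, "date": date, "piece": self.piece_count}
        return {**variable, "token": token(variable)}

@dataclass
class Printer:
    fixed_currency: str  # currency implied by the fixed data stored at the printer

    def print_indicia(self, variable: dict, meter_currency=None) -> str:
        # meter_currency=None models a printer that never learns the accounting currency.
        if meter_currency is not None and meter_currency != self.fixed_currency:
            raise ValueError("accounting currency does not match print data currency")
        return f"{self.fixed_currency} {variable['amount']} [{variable['token']}]"

def authority_verifies(variable: dict) -> bool:
    # The postal authority recomputes the token from the printed variable data only.
    claimed = {k: v for k, v in variable.items() if k != "token"}
    return hmac.compare_digest(token(claimed), variable["token"])

def demo():
    meter = Meter(currency="JPY", descending=1000)
    data = meter.dispense(1, "1998-01-05")        # constructed date; accounted as 1 Yen
    weak = Printer("USD").print_indicia(data)     # merged with US fixed data
    passes = authority_verifies(data)             # token covers variable data only
    try:
        Printer("USD").print_indicia(data, meter.currency)
        blocked = False
    except ValueError:
        blocked = True
    return weak, passes, meter.descending, blocked
```

Because the token is computed over the variable data alone, it verifies whichever fixed data the amount is merged with; only the comparison of the two currencies at the printer rejects the mismatched pairing.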
As a secondary consideration, interchangeability of components, such as using the same postage meter with a plurality of different printers or using a plurality of different postage meters with the same printer, is desirable. For example, a mailer located near the border of two countries may have need to post mail in both countries. So as to avoid redundancy and expense, the mailer would not want to operate two metering systems.
Therefore, there is a need for a postage metering system including a postage meter and a printer in communication with but physically separate from the postage meter that provides for efficiency of operation and synchronization of the accounting currency and the print data currency.