Postage meters are devices for dispensing value in the form of postage printed on a mail piece such as an envelope. The term postage meter also includes other similar meters such as parcel post meters. Meters of this type print and account for postage stored within the meter. Since representations of postage available for printing are stored in the meter, the postage meter must be provided with safeguards against tampering.
Within the above requirement, systems have been developed to enable postage meters to be recharged or reset with additional postage for printing by the meter without the need to physically carry the postage meter back to the postal authorities for resetting. This avoids the inconvenience to the users of the postage metered mailing system by avoiding the necessity to bring the meters to the postal service for resetting or recharging. The remote recharging systems have met the requirement of security for the postage meters and have been developed for both fixed increment resetting for mechanical meters and variable increment resetting for electronic meters.
In the mechanical resetting meters, the system is equipped with a combination lock whose combination changes in a predetermined random sequence (often referred to as pseudo-random sequence) each time it is actuated. The combination lock operates on the resetting mechanism of the postage meter such that, when unlocked, the mechanism may be manipulated to recharge the meter with a postage increment. As the meter is recharged, the combination lock automatically locks itself to prevent subsequent recharging of the meter unless and until the correct new and different combination is entered. Combination locks of this type, suitable for use in postage meters are disclosed in U.S. Pat. Nos. 3,034,329 entitled Combination Lock Device and 3,664,231 entitled Locking Device.
The remote meter resetting system may also be incorporated in electronic postage meters such as described in U.S. Pat. No. 4,097,923 for REMOTE POSTAGE CHARGING SYSTEM USING AN ADVANCED MICROCOMPUTERIZED POSTAGE METER. This resetting system involves a data center which may be equipped with a voice answer back unit. The data center processes telephone calls from the postage meter users, requiring the transmission by the user of information unique to the particular meter being reset. The information is used to verify the authenticity of the call and to update the record of the user stored at the data center.
The postage meter user informs the data center of the postage which is desired to be funded into the meter. The postage amount requested for resetting may be varied according to the requirement of the user. The computer at the data center formulates a combination based on the identifying information and the amount of postage requested for resetting. This combination is then transmitted back to the user. The user enters both the amount and the combination into the postage meter. The postage meter contains circuitry for comparing the entered combination with an internally generated combination based upon the amount of postage requested for resetting and the identifying information. If the entered combination matches the internally generated combination, the funding registers of the meter are increased by the new postage amount.
A system disclosed in copending U.S. patent application Ser. No. 024,813, about to issue as U.S. Pat. No. 4,253,158, filed Mar. 28, 1979, for Robert B. McFiggans, entitled, SYSTEM FOR SECURING POSTAGE PRINTING TRANSACTIONS employs encryptors at both a printing station and an accounting station interconnected through an insecure communications link. Each time the meter is tripped, a number generator at the printing station is activated to generate a number signal which is encrypted to provide an unpredictable result. The number signal is also transmitted to the accounting station. At the accounting station, the postage to be printed is accounted for and the number signal is encrypted to provide a reply signal. The reply signal is transmitted to the printing station where a comparator compares it with the encryption results generated at the printing station. An equality of the encryption result and the reply signal indicates that the postage to be printed has been accounted for and the printer is activated.
Although the above systems operate quite satisfactorily for their intended purpose, it has been a constant desire to enhance the security of the postage meter remote recharging systems and to provide improved performance. This is particularly so with variable increment resetting which requires a more secure and more complex environment than fixed increment systems. The reasons for this are that the amounts which may be involved in a reset can be substantially larger than with fixed systems where the amount is established in advance.
Systems for enhancing the security of a remotely resettable postage meter are described in U.S. patent application Ser. No. 168,932, filed July 14, 1980, in the names of Edward C. Duwel and Howell A. Jones, Jr., entitled, IMPROVED POSTAGE METER RECHARGING SYSTEM, and U.S. patent application Ser. No. 168,931, filed July 14, 1980, for Ronald L. Rivest, entitled, DATA CENTER FOR REMOTE POSTAGE METER RECHARGING SYSTEM HAVING PHYSICALLY SECURE ENCRYPTING APPARATUS AND EMPLOYING ENCRYPTED SEED NUMBER SIGNALS, both assigned to the assignee of the present application. The disclosures of these patent applications are hereby incorporated by reference. In this connection, various security measures have been implemented at the data center to protect the information stored in the data center's records. To this end, physical security has been provided to limit the number of people who may enter the data center and to limit the access to the particular information within the data center. These systems provide a high level of security. It is desired, however, to further increase the level of security at the postage meter recharging system data centers.
In prior devices of the general category including electronic postage meters, it has been found desirable to employ one or more microprocessors to control various meter functions and operations. For security reasons, all data relating to the accounting operation is maintained separately from other data. Therefore it is possible to improve security while employing concepts of distributed processing by the use of multiple processors. In addition, the use of electronics in postage meters allows greater sophistication in automatic recharging of the accounting registers without the need for operating personnel as disclosed in the aforementioned patent applications. Further, improved methods of detecting tampering and performing self-diagnostic error checking can be provided.
An improved electronic postage meter employed multiple microprocessors is disclosed in U.S. patent application Ser. No. 89,413, filed Oct. 29, 1979, in the names of John H. Soderberg, Alton B. Eckert, Jr., and Robert B. McFiggins, entitled ELECTRONIC POSTAGE METER HAVING PLURAL COMPUTING SYSTEMS the disclosure of which is hereby incorporated by reference. In the aforementioned patent application, advantageously the postage meter is provided with accounting, printing and keyboard units, which although mechanically connected together, are each provided with a CPU and a crystal controlled clock, with a nonvolatile memory (NVM) in the accounting unit for data storage during power off. The frequencies of the clocks of the different units need not be identical, and communication between the units is by way of serial messages that are asynchronously transmitted and received.
During operation of the aforementioned electronic postage meter it is important in minimizing malfunction of the meter and possible inconvenience to the customer to detect when the memory retention capability of the NVM has weakened substantially, thereby increasing the likelihood of failure in the near term. One method of accomplishing this is disclosed in German Patent Application 29 16 840, filed Apr. 26, 1979, in which a register is incremented after each power supply recuperation until a predetermined value is reached at which time a service signal is displayed by the meter and a printing prohibition is triggered. Such a system is of necessity pre-programmed for a predetermined number of power supply recuperations and lacks flexibility in that it does not take into account differences in the life cycles of NVM's of different meters.