The invention is directed to a method for improving the security of postage meter machines in the transfer of credit, specifically in the retransfer of funds to the data central.
A postage meter machine usually generates an imprint in a form agreed upon with the postal system: flush right, parallel to the upper edge of the postal matter beginning with the content of the postage in the postage stamp, date in the postmark and stamp imprints for advertising slogan and, possibly, type of mailing in the selective imprint. The postage value, the date and the type of mailing thereby form the variable information being input in conformity with the item to be mailed.
The postage value is usually the delivery fee (postage) prepaid by the sender that is subtracted from a refillable credit register and is employed for franking the postal mailing. In the current account method, by contrast, a register is merely incremented dependent on the frankings undertaken with the postage value and is read by a postal inspector at regular intervals.
In general, every franking that has been undertaken must be accounted for and every manipulation that leads to a non-debited franking must be prevented.
A known postage meter machine is equipped with at least one input unit, one output unit, an input/output control module, a memory containing the operating program, data and, in particular, the accounting registers, a control unit and a printer module. Given a printer module with print mechanism, measures must also be undertaken so that the print mechanism cannot be misused for undebited imprints in the deactivated condition.
In a postage meter machine disclosed in U.S. Pat. No. 4,746,234, fixed and variable data are stored in memories (ROM, RAM) in order to read out this data with a microprocessor when a letter on the conveying path actuates a micro-switch preceding the printing position in order to form a print control signal. The fixed and variable data are subsequently electronically combined to form a print format and can be printed on the envelope to be franked by thermo-transfer printing means.
A method for controlling the column-by-column printing of a postal value stamp in a postage meter machine is disclosed in European Application 578 042, wherein fixed and variable data are converted into graphic pixel image data separately from one another during the column-by-column printing. It therefore becomes difficult to undertake a manipulation at the print control signal without significant and expensive efforts when the printing ensues at high speed.
The memory arrangement in known postage meter machines also has at least one non-volatile memory module that contains the currently remaining credit, this resulting from the subtraction of the postage value to be printed from a credit loaded into the postage meter machine earlier. The postage meter machine becomes inhibited when the remaining credit is zero.
Known postage meter machines contain three relevant postal registers in at least one memory for total used value (ascending register), residual credit still available (descending register) and a check sum register. The check sum is compared to the sum of total value used and available credit. This already makes a check for proper accounting possible.
It is also possible to transmit reloading information to the postage meter machine from a data central by means of a remote crediting procedure in order to reload a credit into the register for the remaining credit (residual value). Suitable security measures must be undertaken for this purpose so that the credit stored in the postage meter machine cannot be replenished in an unauthorized fashion. The aforementioned solutions to protect against misuse and counterfeiting attempts require additional outlay in terms of material and time.
U.S. Pat. No. 4,864,506 discloses entering into a communication to the remote data central, initiated by the postage meter machine, when the value of the credit in the descending register lies below a threshold for a predetermined length of time.
The aforementioned patent also discloses establishing communication with the postage meter machine, initiated by the data central, after a defined time span, and the postage meter machine only replies at predetermined times for receiving register data and for checking whether the postage meter machine is still connected to a specific telephone number.
The aforementioned patent also teaches interrogating the identification number of the postage meter machine and the values in the descending and ascending registers for authorization by the data central before a reloading of credit into the postage meter machine.
The aforementioned patent also discloses that the communication of the data central with the postage meter machine need not remain limited to merely a transfer of credit into the postage meter machine. In the case of a log-off of the postage meter machine, the communication of the data central with the postage meter machine is utilized in the data central for transferring the remaining credit of the postage meter machine. The value in the descending postal register of the postage meter machine is then zero, effectively deactivating the postage meter machine.
A security housing for postage meter machines that has internal sensors is disclosed by German OS 41 29 302. In particular, the sensors are equipped with switches connected to a battery, these switches being activated when the security housing is opened and automatically causing erasure of a memory (descending postal register) that stores the residual credit, by interrupting the energy supply. As is known, however, it cannot be predicted what condition a voltage-high memory module will assume when the voltage is restored. Thus, an unpaid, higher residual credit could arise in the memory upon power restoration. Moreover, it cannot be precluded that the remaining value of the credit is at least partially discharged in the aforementioned way. This, however, would be disadvantageous in the case of an inspection since the remaining credit that has been paid by the postage meter machine user must be loaded again, but the amount of this remaining credit can be falsified by the aforementioned measures. This reference does not disclose how one can prevent a manipulator from restoring an unpaid residual credit.
Further security measures such as break-away screws and an encapsulated, shielded security housing are already used in known postage meter machines. Keys and a combination lock are also standard in order to make access to the postage meter machine more difficult.
U.S. Pat. No. 4,812,994 teaches prevention of an unauthorized access to a use of the postage meter machine by, in addition to standard measures, inhibiting the postage meter machine given the incorrect entry of a predetermined password. Moreover, the postage meter machine can be set, by means of a password and an appropriate input via a keyboard, such that a franking is only possible during a predetermined time interval, or at predetermined times of day.
The password can be entered into the postage meter machine by a personal computer via modem, by a chip card or manually. The postage meter machine is enabled after a positive comparison to a password stored in the postage meter machine. A security module (EPROM) is integrated in the control module of the accounting unit or debiting unit. As a further security measure, an encryption module (separate microprocessor or program for the franking machine CPU based on DES or RSA code) is provided, which generates a recognition number in the franking stamp that includes the postage value, the user number, a transaction number and the like. It is still possible, however, that a password could be discovered and could be put into the possession of a manipulator together with the postage meter machine.
U.S. Pat. No. 4,812,965 discloses a remote inspection system for postage meter machines that is based on specific messages in the imprint of postal mailings that must be sent to the data central, or is based on a remote interrogation via modem. Sensors inside the postage meter machine are intended to detect every counterfeiting action that is undertaken so that a flag can be set in appropriate memories in case an intervention was made in the postage meter machine for manipulative purposes. Such an intervention could ensue in order to load an unpaid credit into the registers.
When a manipulation is detected, the postage meter machine is inhibited during the remote inspection via modem by a signal transmitted from the data central. A skillful manipulation nonetheless could be made by resetting the flag and the registers into the original condition after producing franking imprints that have not been accounted for. Such a manipulation could not be recognized by the data central via remote inspection if the manipulation were reversed before the remote inspection. Receiving the postcard from the data central on which a franking for inspection purposes is to be made allows the manipulator to return the postage meter machine into the original condition in adequate time. Thus, higher security cannot be achieved in this way.
A disadvantage of such a system is that one cannot prevent a knowledgeable manipulator who breaks into the postage meter machine from subsequently eliminating evidence of the tampering by erasing the flags. Further, this system cannot prevent an imprint produced by a properly operated machine from being manipulated. This is because in known machines, there is the possibility of producing imprints with the postage value of zero. Such zero frankings are required for testing purposes and could also be subsequently falsified by simulating a postage value greater than zero.
A security imprint is disclosed in European Application 576 113 assigned to Francotyp-Postalia which provides symbols in a marking field in the franking stamp that contain encrypted information. This allows the postal authority that collaborates with the data central to recognize a manipulation at the postage meter machine at arbitrary points in time based on the visual analysis of the security imprint. Although an ongoing monitoring of such postal mailings provided with a security imprint is technically possible by means of corresponding security marks in the stamp format, this requires an additional outlay in the post office. A manipulation, however, is usually only found later given a monitoring based on random samples.
Knowledge that a postage meter machine was operated by the user beyond the inspection date can be obtained in the data center, however, this knowledge is not sufficient to allow a conclusion to be made regarding whether a manipulation was undertaken for counterfeiting purposes.
U.S. Pat. No. 4,251,874 has a mechanical printer that must be preset for printing and that must be employed with a detector in order to monitor the presetting. Further, means for identifying errors in the data and control signals are provided in the electronic accounting system. When this error number reaches a predetermined value, further operation of the postage machine is interrupted. The sudden outage of the postage meter machine, however, is disadvantageous for the user of the postage meter machine. Given a non-mechanical printing principle, by contrast, such internal errors are not normally anticipated and the postage meter machine is to be shut off immediately anyway given a serious fault. Moreover, the security against manipulation of the postage meter machine does not become significantly greater as a result of the fact that the postage meter machine is turned off after a predetermined number of errors.
U.S. Pat. No. 4,785,417 discloses a postage meter machine with program sequence monitoring. The correct execution of a relatively large program segment is monitored with a specific code allocated to each program part, this code being stored in a specific memory cell in the RAM when the program segment is called. A check is then made to determine whether the code stored in the aforementioned memory cell is still present in the program part which is sequencing at the moment. If the run of a program part were interrupted by a manipulation and a different program part were to sequence, an error can be determined by such a monitoring interrogation. The comparison, however, can only be implemented in the main sequence. Sub-sequences, for example security-associated calculations that are used by a number of main sequences, cannot be monitored by such a monitoring for execution of the program part because the program check ensues independently of the program sequence. If, on the basis of allowed program parts and sub-sequences, manipulation was carried out such that sub-sequences were additionally incorporated into the main sequences or were omitted therefrom, or if a branch is made to sub-sequences, then no error would be found since no determination about the length of the program part can be made nor can a determination be made as to what program branch was run nor how often a program branch was run.
Another type of anticipated manipulation is the reloading of the postage meter machine registers with a credit value that has not been accounted for. There is thus a requirement for protected reloading. An additional security measure according to U.S. Pat. No. 4,549,281 is the comparison of an internal, invariable combination, stored in a non-volatile memory, to an entered, external combination, whereby the postage meter machine is inhibited by means of inhibition electronics after a number of failed attempts, i.e. non-identity of the combinations. According to U.S. Pat. No. 4,835,697, the combination can be fundamentally changed in order to prevent an unauthorized access to the postage meter machine.
U.S. Pat. No. 5,077,660 also discloses a method for changing the configuration of the postage meter machine, whereby the postage meter machine is switched from the operating mode into a configuration mode with a suitable entry via a keyboard and a new meter type number can be entered, this corresponding to the desired number of features. The postage meter machine generates a code for the combination using the computer of the data central and the entry of the identification data and the new meter type number in the data center computer, that likewise generates a corresponding code for communication to and entry into the postage meter machine, in which the two codes are compared. Given coincidence of the two codes, the postage meter machine is configured and switched into the operating mode. The data center thus always has exact records regarding the current setting for the corresponding postage meter machine. The security reliability is dependent, however, only on the level of sophistication of the encoding technique used to encode the transmitted code.
European Application 388 840 discloses a comparable security technology for setting a postage meter machine in order to clear this machine of data without the postage meter machine having to be transported to the manufacturing company. Again, the security reliability is dependent only on the sophistication of the encoding of the transmitted code.
Secured reloading of a postage meter machine with a credit is achieved in a system described in U.S. Pat. No. 3,255,439 wherein an automatic signal transmission from the postage meter machine to the data central is initiated whenever a predetermined amount of money that was franked or a piece number of processed postal mailings or a predetermined time period was reached. Alternatively, a signal corresponding to the sum of money, the piece number or time period can be communicated. The communication thereby ensues with binary signals via converters connected to one another via a telephone line. The machine receives a likewise secured reloading corresponding to the credit balance and is inhibited when no credit is resupplied.
U.S. Pat. No. 4,811,234 discloses implementing transactions in encoded form and interrogating the registers of the postage meter machine, with the registered data being communicated to the data center in order to indicate a chronological reference for the reduction of the authorized amount stored in the register. The postage meter machine identifies itself at the data central when a preset threshold is reached, by means of its encoded register content. The data center modifies the requested franking amount up to which franking is allowed to be carried out with corresponding authorization signals. The encoding is thus the only protection against a manipulation of the register readings. Therefore, if a manipulator properly loads the same amount at the same time intervals but franks an amount with the manipulated postage meter machine in the meantime that is far higher than the amount he paid, the data center cannot find any manipulation.
European Application 516 403 discloses logging errors of the postage meter machine and storing them in a memory for regular transmittal to a remote error analysis computer for interpretation. Such a remote inspection allows an early warning before an error occurs and enables recourse to further measures (service). This, however, does not yet offer an adequate criterion for a manipulation.
According to British Specification 22 33 937 and U.S. Pat. No. 5,181,245, the postage meter machine periodically communicates with the data center. An inhibit means allows the postage meter machine to be inhibited and delivers an alarm to the user after the expiration of a predetermined time, or after a predetermined number of operation cycles. For enabling, an encrypted code must be entered from the outside, this being compared to an internally generated, encrypted code. In order to prevent incorrect accounting data from being supplied to the data center, the accounting data are involved in the encryption of the aforementioned code. A disadvantage of this known approach is that the warning ensues simultaneously with the inhibit of the postage meter machine without the user having any possibility to take corrective steps in time (i.e., before the machine is inhibited).
U.S. Pat. No. 5,243,654 discloses a postage meter machine wherein the continuous time data supplied by the clock/date module are compared to stored deactivation time data. When the time represented by the stored data is reached by the current time, the postage meter machine is deactivated, i.e. printing is prevented. Given communication with a data center that reads the accounting data from the ascending register, the postage meter machine has an encrypted combination value communicated to it and a new term is set, as a result of which the postage meter machine is again made operational. The total used amount that contains the sum of used postage and read by the data center, is likewise a component of the combination value communicated in encrypted form. After the encryption of the combination value, the total used amount is separated and compared to the total used amount stored in the postage meter machine. When the comparison is positive, the inhibit of the postage meter machine is automatically canceled. This solution thus requires the postage meter machine to report periodically to the data center in order to communicate accounting data. Instances are conceivable, however, wherein the volume of mail to be franked fluctuates (seasonal operation). In these instances, the postage meter machine would be disadvantageously inhibited unnecessarily often.
U.S. Pat. No. 4,760,532 discloses a mail handling system with the capability of transfer of postal values and accounting information. Data is thereby communicated to the data center via telephone with the touch-tone method widespread in the U.S.A. By pressing an appropriate key of the telephone, the user can transmit a number. Information from the data center is communicated to the operator with a computer voice, the operator having to enter the transmitted values into the postage meter machine. For retransferring funds, the transfer of a negative postal value to a postal device is provided in a first step for setting up a communication to the central station. The central station monitors the total amount of mail (remaining credit) that is stored in the postal device. In a second step, the central station is supplied with data related to a desired exchange in order to reduce the total amount of postal values that is available in the aforementioned postal device, and is also supplied with an unambiguous identification relating to the aforementioned postal device. In a third step, a first unambiguous code is received from the central station and entered into the aforementioned postal device. The entry is conducted in order to reduce the total sum of postal values that are stored in the postal device in agreement with the aforementioned request. In a fourth step, a second unambiguous code is generated in the postal device from the first unambiguous code that was entered into the postal device. The second unambiguous code supplies an indication that the aforementioned postal value, that is available for imprinting the mail, has been reduced in the postal device. If, however, the transmission is disturbed or interrupted, then the data center does not receive a first code and the amount of money in the postal meter machine would remain unmodified, whereas a reaccounting would already have been undertaken in the data center.
For checking, of course, the registered readings of the postal meter machine could be interrogated in order to compare these to those stored in the data center. It must be expected, however, that a manipulator would omit the latter. As a final step, U.S. Pat. No. 4,760,532 provides for the transmission of the aforementioned, second unambiguous code to the central station. Under the conditions of the touch-tone method, a re-actuation of numerical keys is required, this being complicated given a multi-place code and usually not sequencing free of input errors. It is also possible for the data center to generate a third, unambiguous code in order to transfer the returned credit to another postage meter machine. The responsible authority can thus be harmed by errors during the transmission. The same problem arises given negative as well as positive remote crediting, namely that of achieving a synchronism of the data in the center and the postage meter machine in a simple way.
The invention is particularly directed to postage meter machines that supply a fully electronically generated imprint for franking postal matter, including the printing of an advertising slogan, which avoids the aforementioned problems of known devices. Since there is no printing mechanism which can be manipulated, it is only a valid franking that has not been accounted for which must be prevented.
It is a further object to improve the security in a communication with the data center when data are communicated in both directions.
The inventive solution is based on the premise that only data centrally stored in a data center can be adequately protected against manipulation. A significant increase in security and synchronism in the stored data is achieved by generating a data report before every predetermined action at the postage meter machine. The reporting ensues at relatively long time intervals, particularly for reloading a credit, enhancing security against a potential manipulation in conjunction with the aforementioned logging. The data to be centrally stored include at least date, time of day, identification number of the postage meter machine (ID number or PIN) and the type of data (for example, register values, parameters) when the postage meter machine enters into communication with the data center. For the purpose of pre-synchronization of the data of the postage meter machine with the data of the data center, a specific prescribed request can be employed as a first transaction.
In order to further enhance the security, a distinction is made between authorized action (service technician) and unauthorized action (manipulative intent) with the control unit of the postage meter machine in conjunction with the steps for the implementation of a "negative" remote crediting for returning a credit value into the data center, whereby a setting from the postage meter machine is communicated to the data center and is stored there and in the postage meter machine.
The control unit of the postage meter machine thereby checks whether a defined procedure for lateral entry into the special mode for negative remote crediting was undertaken with predetermined actuation elements, whether a predetermined time sequence was followed during the negative remote crediting, and whether further steps must be implemented for the automatic implementation of the communication in order to complete the return transfer if the preceding steps for the implementation of a negative remote crediting were interrupted or if incorrectly encrypted data were communicated to the postage meter machine.
Inventively, a communication ensues between the postage meter machine and the data center at least with encrypted messages, the DES algorithm preferably being employed.
For achieving the object, the postage meter machine thus is operable in at least two special modes. A first mode (kill mode) is provided in order to prevent the postage meter machine from franking with postage values given fraudulent actions or given manipulative intent. This inhibit can be canceled on the occasion of the next on-site inspection by a person authorized to do so. The postage meter machine is also operable in a further mode in order to initiate, as warranted, entry of the postage meter machine into automatic communication with the data center when selected criteria are met. In such a further mode, the second special mode for negative credit transfer or a sleeping mode can be entered. After the completion of the special mode, only a limited number of zero frankings are possible for testing the postage meter machine. When this number of frankings has occurred, an automatic communication with the data center is necessarily triggered, the data center thus being informed that the limit for permissible zero frankings has been reached and also being informed of relevant register data of the postage meter machine. The postage meter machine is inhibited in the sleeping mode for this time. The interaction of at least these two aforementioned modes enhances the security against fraudulent manipulation in the handling of credits that are loaded into the postage meter machine or are to be transferred back therefrom to the data center.
In a first version of the invention, the security is achieved by a predetermined operating sequence during the turn-on of the postage meter machine for lateral entry into the special mode for negative remote crediting, as well as later, when the postage meter machine has entered into the communication connection, by encrypted messages communicated during two transactions. As the result of a first transaction, a predetermined crediting request is stored in the data center and in the postage meter machine. It is thus no longer necessary to again communicate the stored crediting request during a second transaction. As a result of the second transaction, a corresponding crediting value is subtracted from the content of the descending register, or a negative value is added thereto, so that a zero credit is stored in the postage meter machine.
If, however, an operating sequence other than the predetermined operating sequence occurs during the turn-on of the postage meter machine for lateral entry into the special mode negative remote crediting, this other operating sequence being prohibited, the postage meter machine switches into the aforementioned first mode in order to inhibit the postage meter machine from franking with a postage value (kill mode).
For the purpose of enhancing the security against manipulation, the data center may have previously modified the operating sequence for lateral entry into the special mode for negative remote crediting, which was already communicated earlier to the authorized operator (service technician). The operating sequence which will be valid in the future can be partially or completely communicated in conjunction with at least one transaction during a positive or negative remote crediting.
An authorized operator of the postage meter machine, preferably the service technician, implements a predetermined operating action for lateral entry into the special mode negative remote crediting, this being known only to the data center in addition to being known to the service technician. A special flag is thus set, and the subsequent transaction attempts are interpreted accordingly as special-mode transactions.
Monitoring by the control unit of the postage meter machine during the implementation of a transaction in the special mode assures that the transactions in the special mode negative remote crediting are completed even though a particular transaction has remained incomplete. Given a completed transaction in the special mode, the special flag is reset.
Additionally, time monitoring by the control unit of the postage meter machine is undertaken during the execution of a transaction in the special mode which takes effect if a predetermined execution time is exceeded or given a transaction that has remained incomplete in order to carry out the transaction to its end.
Time monitoring likewise ensues on the part of the data center when a transaction is undertaken in the special mode for negative remote crediting. The register data of the postage meter machine can be centrally checked when communication is again established, for conducting a remote crediting in order, for example, to reload a credit. Either the postage meter machine again automatically enters into the communication, if the transaction remains incomplete, in order to finish the transaction to its end, or an authorized service transmission provides the data center with a message before the end of the day regarding the current status of the postage meter machine, for the purpose of annulling the data transmitted in the special mode negative remote crediting. Otherwise, the time monitoring on the part of the data center results in recognition of the data transmitted in the special mode for negative remote crediting after the expiration of the predetermined time span.
In a second version, security is enhanced by checking the operating sequence for coincidence with a predetermined operating sequence in the postage meter machine and by a check of the crediting request in the data central for coincidence with a code stored therein for a predetermined crediting request. It is possible to time-dependently modify the operating sequence, with the same calculating algorithm being employed in the data center and in the postage meter machine in order to identify a current operating sequence. Transmission of a valid operating sequence from the data center to the postage meter machine is thus superfluous.
In a third version, security is enhanced by a combination of a number of measures. A distinguishable log-on at the data center ensues in a first transaction, and a predetermined crediting request is stored in the data center and in the postage meter machine in this first transaction. As a reaction thereto, the data center communicates a new security flag and/or a predetermined operating sequence for lateral entry into the special mode negative remote crediting to the postage meter machine if the postage meter machine was normally activated and has entered into the communication connection. A check is made in the data central to determine whether the communicated crediting request corresponds to a predetermined crediting request. In the first transaction, for example, a new code word or security flag and/or operating sequence is communicated to the postage meter machine and, in a second transaction, the logged-on transaction is implemented and, corresponding to the crediting request, a credit value is added in the corresponding memory of the postage meter machine as well as in a corresponding memory of the data center for the purpose of checking the transaction.
For entry into the special mode for negative remote crediting, the service technician must implement the operating sequence during turn-on of the postage meter machine in the way communicated to him by the data center, i.e. a specific key combination must be pressed simultaneously with turn-on of the machine.
In the second transaction, the reloading of the postage meter machine with the corresponding crediting value ensues as a negative credit, so that a remaining credit of zero arises as a result.
The inventive procedure also recognizes that the funds stored in the postage meter machine must be protected against unauthorized access. Falsification of data stored in the postage meter machine is made so much more difficult that the effort is no longer rewarding for a manipulator.
Commercially obtainable OTP (one-time programmable) processors can hold all security-related program parts inside the processor housing, including the code for forming the message authentication code (MAC). The MAC is an encrypted checksum that is attached to a data block (or blocks); the data encryption standard (DES), for example, is suitable as the crypto-algorithm. MAC information can thus be attached to the relevant security flags and to the special flags, or to the register data, and thereby increases the difficulty of manipulating the aforementioned flags or the postal registers. Because the MAC is formed inside the OTP processor, altered flag or register values written into external memory cannot be furnished with a valid MAC from outside.
The method for improving the security of a postage meter machine of the type capable of communicating with a remote data center and having a microprocessor as part of its control system also includes the steps of forming a checksum in the OTP processor over the content of the external program memory and comparing the result with a predetermined value stored in the OTP processor. This can occur in the execution of the franking mode or the operating mode, particularly during initialization (i.e., when the postage meter machine is started) or at times when printing is not carried out (i.e., when the postage meter machine is operated in standby mode). In case of an error, logging and subsequent blocking of the postage meter machine ensue.
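The following is an added example, not code from the patent, modelling the two roles the preceding two paragraphs assign to the OTP processor: a MAC formed inside the housing with a key that never leaves it, attached to the register data and flags, and a checksum of the external program memory compared with a predetermined value, with logging and blocking on mismatch. HMAC-SHA256 stands in for the DES-based MAC named in the text because Python's standard library has no DES; the keyed-checksum property that matters is the same. The register names (descending, ascending, piece count), the 4-byte field layout and the firmware image are assumptions.

```python
import hashlib
import hmac

# Constructed stand-in for the external program memory image.
PROGRAM_IMAGE = b"franking-firmware-v1" * 32


class OtpCore:
    """Code and constants assumed to be locked inside the OTP processor."""

    def __init__(self, mac_key: bytes, program_reference: bytes):
        self._mac_key = mac_key                      # never exported
        self._program_reference = program_reference  # predetermined checksum
        self.log = []
        self.blocked = False

    def mac(self, data: bytes) -> bytes:
        # HMAC-SHA256 used in place of the DES MAC named in the text.
        return hmac.new(self._mac_key, data, hashlib.sha256).digest()

    def verify(self, data: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.mac(data), tag)

    def check_program_memory(self, external_program: bytes) -> bool:
        """Run at initialization or in standby. On mismatch: log, then block."""
        digest = hashlib.sha256(external_program).digest()
        if hmac.compare_digest(digest, self._program_reference):
            return True
        self.log.append("program memory checksum mismatch: machine blocked")
        self.blocked = True
        return False


def encode_state(descending, ascending, pieces, security_flag, special_flag) -> bytes:
    """Fixed-layout serialization (assumed 4-byte big-endian fields) so the
    MAC covers every register and flag, with no field left out."""
    return b"".join(int(v).to_bytes(4, "big")
                    for v in (descending, ascending, pieces, security_flag, special_flag))


def seal_state(core: OtpCore, **regs) -> dict:
    """Write registers plus their MAC to (untrusted) external memory."""
    data = encode_state(**regs)
    return {"data": data, "mac": core.mac(data)}


def load_state(core: OtpCore, record: dict) -> bool:
    """Accept external register data only if its MAC verifies."""
    return core.verify(record["data"], record["mac"])


def demo() -> dict:
    core = OtpCore(b"constructed-otp-key", hashlib.sha256(PROGRAM_IMAGE).digest())
    results = {"program_ok": core.check_program_memory(PROGRAM_IMAGE)}

    record = seal_state(core, descending=50_000, ascending=12_000, pieces=300,
                        security_flag=1, special_flag=0)
    results["genuine_ok"] = load_state(core, record)

    # A manipulator raises the credit (descending register) in external
    # memory but cannot recompute the MAC without the key in the OTP core.
    tampered = dict(record, data=encode_state(999_999, 12_000, 300, 1, 0))
    results["tampered_ok"] = load_state(core, tampered)

    # A patched external program memory is caught at the next initialization.
    results["patched_program_ok"] = core.check_program_memory(PROGRAM_IMAGE[:-1] + b"X")
    results["blocked"] = core.blocked
    results["log"] = list(core.log)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point to notice is the split of trust: the external memory holds data and tags that anyone with a programmer can rewrite, while the only thing that can produce a tag that verifies is the key inside the OTP housing. Replay of an older, genuinely sealed record (an earlier, higher credit) is not prevented by a MAC alone and would need a counter or the transaction log on the data center side.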
In order to improve the security of postage meter machines against manipulation, a distinction is made between non-manipulated and manipulated operation of a postage meter machine by having its control system monitor the time duration of the execution of programs, program parts or security-associated routines during the operating mode, and compare the measured run time with a predetermined run time following execution of the monitored programs, program parts or security-associated routines. A manipulation with fraudulent intent should thus also be prevented during a communication, particularly by monitoring, in the communication mode, adherence to a specific time sequence in the special mode for negative remote crediting. The time duration is monitored from the sending of a third encrypted message by the postage meter machine until the reception of the fourth encrypted message sent from the data central to the postage meter machine, which, given successful verification, triggers a zeroizing of the credit value. A decrementing counter or an incrementing counter is employed in order to detect a transgression of the time limit in the special mode as a reliable indication of an aborted transmission; a specific sub-program is then called that prepares a renewed implementation of the special mode for negative remote crediting and automatically triggers it, so that the first and second transactions are automatically repeated.
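The following is an added example, not code from the patent, simulating both monitors from the preceding paragraph: the run-time comparison of a routine against its predetermined value, and the decrementing counter that spans the interval from the third encrypted message to the fourth and, on overrun, calls a sub-program that repeats the first and second transactions. The clock is simulated so the example runs deterministically offline; the tick limit, the routine durations and the contents of the fourth message are constructed assumptions, and verification of that message is handed in as a callable rather than modelled.

```python
class Clock:
    """Simulated time source (seconds) so the example is deterministic."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds: float):
        self.now += seconds


def run_monitored(clock: Clock, routine, expected_runtime: float, tolerance: float):
    """Execute a program part and compare its measured run time with the
    predetermined run time. Returns (within_limits, elapsed)."""
    start = clock.now
    routine(clock)
    elapsed = clock.now - start
    return abs(elapsed - expected_runtime) <= tolerance, elapsed


class NegativeRemoteCrediting:
    """Special-mode state machine with the time monitor between the third
    encrypted message (sent by the machine) and the fourth (from the data
    central). A decrementing counter, ticked by the clock, detects overrun."""

    def __init__(self, credit: int, limit_ticks: int, verify_fourth):
        self.credit = credit
        self.limit = limit_ticks
        self.verify_fourth = verify_fourth      # callable(message) -> bool
        self.counter = None
        self.state = "idle"
        self.attempts = 0
        self.events = []

    def run_first_and_second_transaction(self):
        """Log-on and crediting request; ends with the machine sending the
        third encrypted message, which starts the monitored interval."""
        self.attempts += 1
        self.counter = self.limit
        self.state = "awaiting_fourth"
        self.events.append(f"attempt {self.attempts}: third message sent")

    def tick(self):
        """Called once per time unit while the fourth message is outstanding."""
        if self.state != "awaiting_fourth":
            return
        self.counter -= 1
        if self.counter < 0:
            self.events.append(f"attempt {self.attempts}: time exceeded, transmission aborted")
            self._prepare_and_retry()

    def _prepare_and_retry(self):
        """Sub-program that prepares a renewed special-mode run and triggers it."""
        self.state = "idle"
        self.run_first_and_second_transaction()

    def receive_fourth_message(self, message: bytes) -> bool:
        if self.state != "awaiting_fourth":
            self.events.append("fourth message outside the monitored interval ignored")
            return False
        if not self.verify_fourth(message):
            self.events.append("fourth message failed verification")
            return False
        self.credit = 0                         # zeroizing of the credit value
        self.state = "done"
        self.counter = None
        self.events.append(f"attempt {self.attempts}: credit zeroized")
        return True


def demo() -> dict:
    clock = Clock()
    # Constructed routines: a genuine debit routine runs 20 ms; a patched
    # variant that skips the debit finishes in 4 ms and is caught.
    genuine = lambda c: c.advance(0.020)
    patched = lambda c: c.advance(0.004)
    ok_genuine, _ = run_monitored(clock, genuine, 0.020, 0.002)
    ok_patched, _ = run_monitored(clock, patched, 0.020, 0.002)

    # Constructed scenario: the data central stays silent on the first
    # attempt, the counter runs out, and the automatic repeat succeeds.
    limit = 5
    pm = NegativeRemoteCrediting(credit=1234, limit_ticks=limit,
                                 verify_fourth=lambda m: m == b"OK-4")
    pm.run_first_and_second_transaction()
    for _ in range(limit + 1):
        pm.tick()
    for _ in range(2):
        pm.tick()
    accepted = pm.receive_fourth_message(b"OK-4")
    return {"genuine_runtime_ok": ok_genuine, "patched_runtime_ok": ok_patched,
            "attempts": pm.attempts, "accepted": accepted,
            "credit": pm.credit, "events": pm.events}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The counter is only meaningful while the state is awaiting the fourth message; a fourth message arriving outside that interval is ignored rather than acted on, which is what makes the overrun a reliable abort indication instead of a race.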
In a fourth version, security is enhanced by an additional input security unit that is brought into contact with the postage meter machine in order to transfer a remaining credit from an authorized person back to the data center.