Postage metering systems print and account for postage and other unit value printing such as parcel delivery service charges and tax stamps. These systems have been both electronic and mechanical. Some of the varied types of postage metering systems are disclosed, for example, in U.S. Pat. Nos. 3,978,457; 4,301,507; and 4,579,054. More recently, other types of metering systems have been developed which involve different printing systems such as those employing thermal printers, ink jet printers, mechanical printers and other types of printing technologies. Examples of these other types of electronic postage meter are described in U.S. Pat. Nos. 4,168,533; and, 4,493,252. These printing systems enable the postage metering system to print variable information, which may be alphanumeric and graphic type of information.
Card controlled metering systems have also been developed. These systems have employed both magnetic strip type cards and microprocessor-based cards. Examples of card controlled metering systems employing magnetic type cards include U.S. Pat. Nos. 4,222,518; 4,226,360; and, 4,629,871. A microprocessor (“smart card”) based card metering system providing an automated transaction system employing microprocessor bearing user cards issued to respective users is disclosed in U.S. Pat. No. 4,900,903. Moreover, systems have also been developed wherein a unit having a non-volatile read/write memory which may consist of an EEPROM is employed. One such system is disclosed in U.S. Pat. Nos. 4,757,532 and 4,907,271.
Postage metering systems have also been developed which employ cryptographically protected information printed on a mail piece. The postage value for a mail piece may be cryptographically protected together with other data to generate a Cryptographic Validation Code (CVC) that is usually included in a Digital Postage Mark (DPM). The Digital Postage Mark, also known as a postal revenue block, is a block of machine-readable (and sometimes also human-readable) information normally present on a mail item that provides evidence of paid postage (more precisely, evidence of appropriate accounting action by the mailer). A CVC is cryptographically protected information that authenticates and enables verification of the integrity of the information imprinted on a mail piece including postage value. Another term sometimes used for CVC is a digital token. Examples of such digital postage metering systems (also referred to herein as digital metering systems) which generate and employ CVC are described in U.S. Pat. Nos. 4,757,537; 4,831,555; 4,775,246; 4,873,645; and 4,725,718; and the system disclosed in the various United States Postal Service published specifications such as Information Based Indicium Program Key Management System Plan, dated Apr. 25, 1997; Information Based Indicia Program (IBIP) Open System Indicium Specification, dated Jul. 23, 1997; Information Based Indicia Program Host System Specification dated Oct. 9, 1996, and Information Based Indicia Program (IBIP) Open System Postal Security Device (PSD) Specification dated Jul. 23, 1997.
These systems, which may utilize a device termed a postage evidencing device (PED), employ a cryptographic algorithm to protect selected data elements using CVC. The information protected by CVC provides security to prevent altering of the printed information in a manner such that any change in the values printed in the postal revenue block is detectable by appropriate verification procedures.
Typical information which may be protected as part of the input to a CVC generating algorithm includes the value of the imprint, the origination zip code, the recipient addressee (destination) information (such as, for example, delivery point destination code), the date and a serial piece count number. These data elements, when protected by a CVC which is generated by applying a secret or private key and imprinted on a mail piece, provide a very high level of security which enables the detection of any attempted modification of the information in the Digital Postage Mark where this information may be imprinted. Digital metering systems can be utilized either with a dedicated printer, that is, a printer that is securely coupled to an accounting/cryptographic module such that printing cannot take place without accounting, or in systems employing non-dedicated printers and a secure accounting system. In the latter case, the digital metering system can be part of a personal computing system, or a wide area or local area network computing system, and the non-dedicated printer may print the CVC as well as other information.
CVCs must be computed and printed, for example, in the DPM for each mail piece. The CVC computation transformation requires a secret or private key that has to be protected and may be periodically updated. In digital metering systems, the CVCs are usually computed for every mail piece processed. This computation involves taking input data elements such as serial piece count, date, origination postal code and postage amount and encrypting this data with secret keys shared by a digital meter portion of the digital metering system (a.k.a. a postage evidencing device or PED) and postal or courier service and by the postage evidencing device and device manufacturer or vendor. This sharing requires coordination of key updates, key protection and other measures commonly referred to as a key management system. The computation of CVC, which is performed by the digital metering system, takes place upon request to generate a DPM by a mailer. Thus, the digital metering system needs to have all the information required for computation, and, most significantly, encryption keys. Moreover, refilling the metering system with additional postage funds also requires separate keys and a management process.
Various enhanced systems have been developed including systems disclosed in U.S. Pat. Nos. 5,454,038; 5,448,641; and 5,625,694, the entire disclosures of which are hereby incorporated by reference.
As noted above, it has been recognized that destination address information can be incorporated into the input to CVC computation. This enables protection of such information from alteration and thus provides enhanced security. The inclusion of destination address information in the digital token ensures that for an individual to perpetrate a copying attack by copying a valid DPM from one mail piece on another mail piece and entering it into the mail stream, the fraudulent mail piece must be addressed to the same addressee as the original valid mail piece. The inclusion of destination address information enables automatic detection of unauthorized copies. If this were not done, the fraudulent mail piece would not be detectable as having an invalid indicia upon verification at a mail processing facility.
It has also been recognized that a level of enhanced security can be obtained by generating the CVC using a subset of destination address information. This concept is disclosed in published European Patent Application Publication No. 0782108 for A METHOD FOR AUTHENTICATING POSTAGE EVIDENCING USING DIGITAL TOKENS GENERATED FROM A SUBSET OF ADDRESSEE INFORMATION, filed Dec. 19, 1996 and published Jul. 2, 1997. The published European application discloses, inter alia, the use of the hash code of a predetermined appropriate section of each address field as an input to CVC computation process. It is suggested that the first 15 characters of each line can be selected as such appropriate section of each address field for authentication. An error correction code is generated for the selected address data using, for example, Reed Solomon or BCH algorithms. A secure hash of this section of the address field data is generated, which is sent to a vault (a.k.a. postal security device) along with the postage required and other data. This information, the section of the address field, is part of a request for a DPM generation. The vault, which may be coupled to a personal computer (PC), generates the CVC using this data. The error correcting code is printed on the mail piece in alphanumeric characters or bar code format. Upon verification, an OCR/mail processing system reads the delivery address from the mail piece and the data from the DPM. Using an OCR or bar code reader, the error correcting code is also read. An error-correction algorithm is executed using the error correcting code. If errors are not correctable, then the recognition process is notified of a failure. If correctable, the appropriate section of each address field is selected for authentication. A secure hash of the selected data is generated during the verification process. 
A secure hash and the postal data are then sent to the verifier which then generates CVC that is compared to the CVC printed on the mail piece to complete the verification process. The use of error-correction algorithm is motivated by the requirement that all data that needs protection has to be hashed before it can be encrypted using a digital signature algorithm.
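The address-bound CVC scheme described above, as an added example that is not code from the cited applications or from any postal specification. HMAC-SHA256 truncated to 8 bytes stands in for the CVC algorithm, the field encoding, key and sample addresses are constructed, and the error-correction step is omitted. It shows that a copied DPM fails on a different address and that a single misread character inside the hashed section also fails.

```python
import hashlib
import hmac

SECTION_LEN = 15  # first 15 characters of each address line, as suggested above

def address_hash(address_lines):
    """Secure hash of the selected section of each address field."""
    h = hashlib.sha256()
    for line in address_lines:
        section = line.strip().upper()[:SECTION_LEN]
        # Length prefix keeps line boundaries unambiguous in the hash input.
        h.update(len(section).to_bytes(1, "big") + section.encode("utf-8"))
    return h.digest()

def compute_cvc(key, postage_cents, origin_zip, date, piece_count, addr_hash):
    """Keyed code over the DPM data elements plus the address hash.
    HMAC-SHA256 truncated to 8 bytes is an assumption standing in for
    whatever CVC algorithm a real vault uses."""
    fields = [str(postage_cents), origin_zip, date, str(piece_count)]
    msg = b"|".join(f.encode("ascii") for f in fields) + b"|" + addr_hash
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def verify(key, dpm, read_address_lines):
    """Verifier side: recompute the CVC from the DPM data and the address
    as read from the mail piece, then compare in constant time."""
    expected = compute_cvc(key, dpm["postage_cents"], dpm["origin_zip"],
                           dpm["date"], dpm["piece_count"],
                           address_hash(read_address_lines))
    return hmac.compare_digest(expected, dpm["cvc"])

# Constructed sample data (not from the page).
KEY = b"constructed-demo-key-not-a-real-one"
ADDRESS = ["JANE Q SAMPLE", "100 EXAMPLE STREET APT 4B", "SPRINGFIELD XX 00000"]
OTHER = ["JOHN R OTHER", "200 ELSEWHERE AVE", "SPRINGFIELD XX 00000"]
MISREAD = ["JANE Q SAMPLE", "1O0 EXAMPLE STREET APT 4B", "SPRINGFIELD XX 00000"]

def make_dpm(address_lines):
    """Vault side: build the DPM data elements and attach the CVC."""
    dpm = {"postage_cents": 37, "origin_zip": "00001",
           "date": "2002-06-01", "piece_count": 1042}
    dpm["cvc"] = compute_cvc(KEY, dpm["postage_cents"], dpm["origin_zip"],
                             dpm["date"], dpm["piece_count"],
                             address_hash(address_lines))
    return dpm

if __name__ == "__main__":
    dpm = make_dpm(ADDRESS)
    print("original piece:", verify(KEY, dpm, ADDRESS))
    print("DPM copied to another address:", verify(KEY, dpm, OTHER))
    print("one OCR misread (0 -> O):", verify(KEY, dpm, MISREAD))
```

A misread beyond the first 15 characters of a line does not affect the result, which is the point of hashing only a subset of the address.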
An important requirement for digital metering is user-friendliness and low cost. Traditional systems of copy attack detection incorporate destination address information into the CVC computation. Such is the IBIP system referenced above. The IBIP system requires the use of 11 digit postal ZIP code as the destination address-identifying element. This has two problems. First, up to 20% of all US postal addresses (for example, apartments in apartment buildings or office buildings) do not have an 11 digit ZIP code. Second, all foreign addresses do not have an 11 digit ZIP code. Third, a database containing 11 digit ZIP codes must be regularly updated since ZIP codes may change for postal addresses. The IBIP specification requires that in order to use digital metering in a PC-based system (a.k.a. open systems) mailers must use a certified postal database, which must be updated at least quarterly. These requirements represent a significant and in some cases fatal inconvenience to mailers. As a result, PC-based digital metering is grossly disadvantaged compared to other methods of postage evidencing. For example, if a mailer is using a full value first class postage and does not provide any postal ZIP code in the destination address, the mailer is still entitled to the full spectrum of delivery services from USPS. The important object of the present invention is to create a system that would make use of any address information (with or without postal codes) in order to provide protection against copying of DPMs.
Previously known solutions to the problem of DPM duplication fall into two categories. The first category involves printing in the DPM additional (sometimes hidden) information that would be difficult to reproduce using conventional printing means. A good example of this solution is the use of Digital Watermarks, such as disclosed in U.S. patent application Ser. No. 10/077,354 OBJECTS USING DIGITAL WATERMARKS ASSOCIATED WITH MULTIDIMENSIONAL QUALITY METRICS, filed Feb. 15, 2002, and assigned to the assignee of the present application. The disadvantages of Digital Watermarks are twofold. First, Digital Watermarks are still reproducible by dishonest mailers albeit with more difficulty because the cost of reproducing them is higher than simple copying of DPM using a conventional copier. Second, the verification of Digital Watermarks in large quantities requires high resolution specialized scanning equipment. Such equipment is normally not employed by a Post in its mail processing facilities.
The second category of copy protection techniques makes use of the destination address information as a piece of information uniquely indicative of the mail item. As was noted above, the use of a sufficiently deep postal code as an address identifier (such as, for example, the 11 digit ZIP code in the USA) is extremely inconvenient for mailers. On the other hand, from the verification viewpoint the use of full destination address information is very difficult because this information cannot be recreated during the DPM verification process without at least some errors. It has been discovered that many mail pieces have destination addresses that are difficult and sometimes impossible to fully read, such that the CVC imprinted on the mail piece cannot be verified. These conflicting requirements led to the Address Identifier (AI) system described in pending patent application E714. It makes use of certain additional information (such as the structure of the destination address block) and error correction codes to significantly improve the robustness of automatic address reading. This process works but it is not always economical because of the amount of additional information that must be generated and processed, including computation of error correction codes for a broad variety of addresses. Another disadvantage of the Address Identifier system is the fact that the known error correction codes are not designed to work with text processing systems and are therefore not optimal. Besides, such an Address Identifier still must be robust enough that it can be reproduced without errors even in relatively error-prone OCR address recognition systems. The Address Identifier is first computed from the address information and then hashed and encrypted (digitally signed) along with other data elements that require protection. The robustness of the Address Identifier cannot always be guaranteed, and the error recovery process becomes an essentially manual exercise, slow and costly.