1. Field of the Invention
The present invention is directed to an arrangement for a security module of the type containing at least one functional unit, such as a processor, which is normally supplied with a system voltage and which has a battery back-up. Such a postal security module is particularly suitable for use in a postage meter machine or mail-processing machine or computer with mail-processing capability.
2. Description of the Prior Art
Modern postage meter machines, such as the thermal transfer postage meter machine disclosed in U.S. Pat. No. 4,746,234, utilize a fully electronic, digital printer. It is thus fundamentally possible to print arbitrary texts and special characters in the franking imprint printing field, together with an advertising slogan that is arbitrary or allocated to a cost center. For example, the postage meter machine T1000 of Francotyp-Postalia AG and Co. has a microprocessor that is surrounded by a secured housing with an opening for the delivery of a letter. When a letter is supplied, a mechanical letter sensor (microswitch) communicates a print request signal to the microprocessor. The franking imprint contains previously entered and stored postal information for conveying the letter. The control unit of the postage meter machine undertakes software-controlled accounting, exercises a monitoring function, including monitoring of the conditions for a data update, and controls the reloading of a postage credit.
U.S. Pat. No. 5,606,508 (corresponding to German OS 42 13 278) and U.S. Pat. No. 5,490,077 disclose data input by means of chip cards for the aforementioned thermal transfer postage meter machine. One of the chip cards loads new data into the postage meter machine, and a set of further chip cards allows correspondingly stored settings to be applied by plugging in a chip card. Data loading and setting of the postage meter machine can thus ensue more comfortably and faster than by keyboard input. A postage meter machine for franking postal matter is equipped with a printer for printing the postage value stamp on the postal matter, with a controller for controlling the printing and the peripheral components of the postage meter machine, with a debiting unit for debiting postal fees, with at least one non-volatile memory for storing postage fee data, with at least one non-volatile memory for storing security-relevant data, and with a calendar/clock. The non-volatile memory for the security-relevant data and/or the calendar/clock is usually supplied by a battery. In known postage meter machines, security-relevant data (cryptographic keys and the like) are secured in non-volatile memories. These memories are EEPROM, FRAM or battery-protected SRAM. Known postage meter machines also often have an internal real time clock (RTC) that is supplied by a battery. For example, potted modules are known that contain integrated circuits and a lithium battery. After the expiration of the service life of the battery, these modules must be replaced as a whole and disposed of. For economical and ecological reasons, it is more beneficial if only the battery needs to be replaced. To that end, however, the security housing must be opened and subsequently re-closed and sealed, since security against attempted fraud is based essentially on the secured housing that surrounds the entire machine.
European Application 660 269 (U.S. Pat. No. 5,671,146) discloses a suitable method for improving the security of postage meter machines wherein a distinction is made between authorized and unauthorized opening of the security housing.
Repair of a postage meter machine is possible only with difficulty on site, where access to the components is made more difficult or limited. In larger mail-processing machines or devices known as PC frankers, the protected housing will in future be reduced to the postal security module alone. This improves accessibility to the other components. For economical replacement of the battery, it would be extremely desirable for the battery to be replaceable in a relatively simple way. The battery, however, would then be located outside the security area of the postage meter machine, and when the battery posts are accessible from the outside a tamperer is able to manipulate the battery voltage. Known battery-supplied SRAMs and RTCs have different demands with respect to their required operating voltage: the voltage necessary for an SRAM to hold its data is below the voltage required for the operation of an RTC. A reduction of the voltage below a specific limit value therefore leads to undesired behavior of the components: the RTC stands still, while the time of day (stored in SRAM cells) and the memory contents of the SRAM are preserved. At least one of the security measures, for example the long-time watchdog, would then be ineffective at the postage meter machine. For a long-time watchdog, the remote data center prescribes a time credit or a time duration, particularly a plurality of days or a specific day, by which the franking device must report via a communication connection. After the time credit is exhausted or the term expires, franking is prevented. European Application 660 270 (U.S. Pat. No. 5,680,463) discloses a method for determining the presumed time duration up to the next credit reloading, and a data center considers any postage meter machine suspicious that does not report in time.
Suspicious postage meter machines are reported to the postal authority, which monitors the mail stream of letters franked by suspicious postage meter machines. An expiration of the time credit or of the deadline is also already determined by the franking device and the user is requested to implement the overdue communication.
Security modules are already known from electronic data processing systems. For protection against break-in into an electronic system, European Patent 417 447 discloses a barrier that contains a power supply and a signal acquisition circuit as well as shielding in the housing. The shielding is composed of an encapsulation and electrical lines to which the power supply and signal acquisition circuits are connected. The latter reacts to a modification of the line resistance of the lines. Moreover, the security module contains an internal battery, a voltage switch-over from system voltage to battery voltage and further functional units (such as power gate, short-circuit transistor, memories and sensors). The power gate reacts when the voltage falls below a specific limit. When the line resistance, the temperature or the emission are modified, the logic reacts. The output of the short-circuit transistor is switched to a low logic level with the power gate or with the logic, resulting in a cryptographic key stored in the memory being erased. However, the service life of the non-replaceable battery, and thus of the security module, is too short for use in franking devices or mail-processing machines.
For example, JetMail(copyright), which is commercially available from Francotyp-Postalia AG and Co. is a larger mail-processing machine. Here, a franking imprint is produced with a stationarily arranged ink jet print head with a non-horizontal, approximately vertical, letter transport. A suitable embodiment for a printer device is disclosed in German PS 196 05 015. The mail-processing machine has a meter and a base. If the meter is to be equipped with a housing which allows components to be more easily accessible, then it must be protected against attempted fraud by a postal security module that implements at least the accounting of the postage fees. In order to preclude influence on the program run, European Application 789 333 discloses equipping a security module with an application circuit (ASIC) that contains a hardware accounting unit. The application circuit (ASIC) also controls the print data transmission to the print head.
This approach would not be required if unique imprints were produced for each piece of mail. A method and arrangement for fast generation of a security imprint is disclosed, for example, by U.S. Pat. Nos. 5,680,463, 5,712,916 and 5,734,723. A specific security marking is thereby electronically generated and embedded into the print format.
Further measures for protecting a security module against tampering with the data stored therein are disclosed in German applications 198 16 572.2 and 198 16 571.4. The power consumption increases due to the use of a number of sensors, and a security module not constantly supplied by a system voltage then draws the current required for the sensors from its internal battery, which likewise prematurely drains the battery. The capacity of the battery and the power consumption thus limit the service life of a security module. If, however, the battery terminal posts were to be made accessible from the outside in order to increase the service life of the battery, this would afford the possibility of tampering with the security of the postal data by a defrauder.
Such a security module, not being supplied by a system voltage, could then be manipulated via the externally accessible battery contacts by reducing the voltage below the limit voltage specified for the processor. When the processor is equipped with an internal clock (RTC), the clock initially stands still; when the voltage rises again, the internal clock resumes. Given application of a pulse voltage with pulse width modulation, it must be assured that the battery voltage cannot drop below the specified limit, which is the minimum necessary to preserve (avoid erasure of) the memory contents. Once a voltage reduction below the limit has occurred, this condition must be documentably maintained until another, admissible condition is valid. A prognosis of the potential for tampering or of the source of tampering is fundamentally required in order to achieve the desired security level with suitable measures that are appropriate in terms of the outlay. The maxim "as much as necessary, as little as possible" applies. The possibility of manipulation must be at least limited with a suitable circuit.
An object of the present invention is to provide a franking device which assures security against unauthorized manipulation of a security module with a battery that is replaceable.
This object is inventively achieved in a postal device, particularly a postage meter machine, equipped with a pluggable security module that is connected to the system bus of the meter, or to some other suitable control means. With a plug-in security module, which is supplied by a system voltage during service, the battery of the security module can be replaced by a service technician. The security module is potted with a hard compound. The battery, however, is arranged outside the casting compound for replacing the battery or for disposal thereof.
Inventively, the security module has a voltage monitoring unit with resettable self-holding that can be interrogated and reset by the processor. The monitoring of the battery voltage, which is required for the battery-backed RAM memories and for the functioning of an internal clock, has the objective of triggering actions when the voltage falls below a specific level, these actions leading to the erasure of security-relevant data and of the current time of day. The self-holding allows the condition of the voltage having fallen below the level to be conserved until dependable documentation is possible. The latter occurs only later, when the module is again supplied with the system voltage. An inspector or some other authorized person implementing suitable inputs at the keyboard of the franking device can restore the original condition.
The advantages, in addition to lengthening the service life of the security module due to the possibility of replacing the battery, include a low power consumption of the circuit despite a fast reaction to voltage changes, and the prevention of averaging when square-wave pulses are applied at the battery terminals for manipulation.
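A behavioural model of the situation described above (the SRAM-versus-RTC voltage window, the pulse-width-modulated manipulation at the battery posts, and the latching monitor that can only be cleared on system voltage by an authorized input) is given here as an added example in Python. It is not code from the patent or from Francotyp-Postalia. The voltage thresholds, the ten-sample averaging window of the weak comparison design, the names `SecurityModule`, `pwm_attack`, `run_scenario` and `authorized_reset`, and the scenario timings are all assumptions for illustration; the patent specifies none of them.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Illustrative thresholds (assumed values, not figures from the patent). Their
# ordering is the point the text makes: battery-backed SRAM keeps its contents
# at a lower voltage than the RTC needs to run, so an attacker at the battery
# posts has a window in which the clock stands still while the keys survive.
V_SRAM_RETAIN = 1.5   # below this the SRAM contents are lost
V_RTC_MIN = 2.5       # below this the real-time clock stands still
V_TRIP = 2.5          # monitor trip level, set at the RTC minimum so that a
                      # stalled clock never goes unnoticed (assumed choice)


@dataclass
class SecurityModule:
    """Battery-backed SRAM + RTC + undervoltage monitor, stepped one sample at a time."""
    secrets: Dict[str, bytes] = field(default_factory=lambda: {"k_mac": b"\x11" * 16})
    rtc: int = 0                       # seconds counted by the internal clock
    latched: bool = False              # self-holding undervoltage flag
    system_voltage_present: bool = False
    averaging: bool = False            # hypothetical weak design: RC-style averaging
    log: List[str] = field(default_factory=list)
    _window: List[float] = field(default_factory=list)

    def step(self, v_bat: float, dt: int = 1) -> None:
        """Advance the module by dt seconds with v_bat volts at the battery posts."""
        # Physical behaviour of the parts, independent of any monitor.
        if v_bat < V_SRAM_RETAIN:
            self.secrets.clear()       # SRAM has lost its contents by itself
        if v_bat >= V_RTC_MIN:
            self.rtc += dt             # clock runs
        # else: the clock stands still; the SRAM-held time of day is preserved.

        # The monitor. The patent's circuit reacts to each voltage excursion;
        # the averaging variant is the kind of design it warns against.
        if self.averaging:
            self._window = (self._window + [v_bat])[-10:]
            measured = sum(self._window) / len(self._window)
        else:
            measured = v_bat           # comparator sees the instantaneous value
        if measured < V_TRIP and not self.latched:
            self.latched = True        # self-holding: stays set until reset
            self.secrets.clear()       # erase security-relevant data ...
            self.rtc = 0               # ... and the current time of day
            self.log.append("undervoltage latched: keys and time erased")

    def status(self) -> dict:
        """What the processor reads back once it runs on system voltage again."""
        return {"latched": self.latched, "keys_present": bool(self.secrets), "rtc": self.rtc}

    def authorized_reset(self, operator_ok: bool) -> bool:
        """Clear the latch; only possible on system voltage after an authorized input."""
        if not (self.system_voltage_present and operator_ok and self.latched):
            return False
        self.latched = False
        self.log.append("latch cleared by authorized reset")
        return True


def pwm_attack(m: SecurityModule, high: float, low: float, duty: float,
               periods: int, period_s: int = 10) -> None:
    """Square-wave manipulation at the battery posts: `duty` of each period at `high`."""
    n_high = int(round(period_s * duty))
    for _ in range(periods):
        for _ in range(n_high):
            m.step(high)
        for _ in range(period_s - n_high):
            m.step(low)


def run_scenario(averaging: bool) -> dict:
    """Healthy operation, then the PWM attack, then the module back in service."""
    m = SecurityModule(averaging=averaging)
    for _ in range(100):                       # 100 s on a healthy 3.0 V cell
        m.step(3.0)
    wall = 100                                 # true elapsed seconds
    # Attacker: 70 % of each 10 s period at 3.0 V, 30 % at 1.8 V. The mean
    # (2.64 V) stays above V_TRIP, but every low phase is below V_RTC_MIN and
    # above V_SRAM_RETAIN: the clock stalls, the keys survive.
    pwm_attack(m, high=3.0, low=1.8, duty=0.7, periods=20)
    wall += 200
    for _ in range(50):                        # voltage restored to hide the attack
        m.step(3.0)
    wall += 50
    latched_after_attack = m.latched           # must survive the voltage recovery
    m.system_voltage_present = True            # module plugged into the meter
    reset_ok = m.authorized_reset(operator_ok=True)
    return {"latched_after_attack": latched_after_attack, "reset_ok": reset_ok,
            "wall": wall, **m.status()}


if __name__ == "__main__":
    for mode in (False, True):
        print("averaging" if mode else "latching", run_scenario(mode))
```

With the averaging design the attack goes unnoticed: the keys stay in place and the RTC ends 60 s behind true time, which is exactly the effect a long-time watchdog cannot tolerate. With the latching comparator the first low phase sets the flag and erases keys and time of day; the flag is still set after the attacker restores 3.0 V, and only `authorized_reset` on system voltage clears it.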