The present invention relates to a postal security device (PSD) for use in a postage meter. More specifically, it relates to a PSD with a display that can display the contents of certain registers within the PSD.
The United States Postal Service has proposed an Information Based Indicia Program (IBIP) to replace the indicia (postmarks) printed by traditional postage meters. IBIP will use a two-dimensional symbol printed on the envelope to provide evidence that postage was paid, as well as providing additional information fields. This information is encoded into the symbol together with security information. The two-dimensional symbols can be thought of as an advanced version of the bar codes that are commonly used to identify products in supermarkets.
In contrast to traditional postage meters, in which all the indicia with the same postage value printed on a given day are identical, the indicia printed on each piece of mail using an IBIP symbol will be different. This will create a unique and traceable identity for each piece of mail.
A PSD is a security device that is used in conjunction with a host system to create the IBIP indicia. According to Post Office specification, the host may either be "closed" (i.e., dedicated solely to printing indicia like current postage meters) or "open" (i.e., having other functions such as a personal computer with a connected printer). The PSD is implemented in hardware and provides a number of security functions, including cryptographic digital signature generation and verification. The PSD also maintains the descending register, which tracks the amount of postage available for postmark creation, and the ascending register, which tracks the total postage value used by a given PSD. These registers perform the same functions as the ascending and descending registers of traditional postage meters.
Postage is loaded into the PSD by a remote communications link. When this occurs, the descending register is updated by the amount loaded so as to keep track of the amount of postage available for printing indicia. As each indicium is printed, the descending register is decremented to reflect the amount of postage that remains. The amount shown in the descending register is equivalent to actual money and may be exchanged for money by surrendering the PSD.
Because the Postal Service's PSD specifications only provide for accounting and security functions, a PSD designed to meet those specifications would only provide those functions. All the other functions of the postage meter, including printing of the IBIP indicia and display of the ascending and descending registers, must be provided by the host system. While the host system could be either a dedicated postage meter or an ordinary PC with a printer, it is expected that the PSDs themselves will be the same for all host environments. As a result, the only ways to access these registers are through a host system monitor, by printed indicium, or by a device audit. To accomplish any of these, however, the PSD must first be connected to the host.
PSDs may be implemented as a cartridge that can be inserted into and removed from the host system. This implementation is advantageous because it allows the PSD to be removed and locked in a secure place when not in use and allows the PSD to be used with multiple hosts. In addition, in the event of a host failure, the PSD may be transferred to another host to enable repair of the failed host system without tying up the postage contained in the PSD. It also simplifies meeting some of the PSD requirements, such as rugged enclosures and the use of physically distinct connectors for the data port and the authentication port. Of particular note is a requirement for the PSD enclosure to detect any tampering at the time the tampering occurs and to immediately erase all memory contents that are cryptographically important (but not the descending and ascending registers). This almost certainly implies using long-lived battery-powered detection and erasing circuits, including a "self destruct" mode for when battery failure is near.
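The register accounting and tamper response described above, modeled as an added Python example that is not part of the patent text or any PSD specification. The class and method names, the per-piece counter, amounts in cents, and the use of an HMAC as a stand-in for the PSD's digital signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class TamperedError(Exception):
    """Raised when an indicium is requested after the key was erased."""


class PSDModel:
    """Illustrative model of PSD registers; amounts are in cents (assumption)."""

    def __init__(self):
        self.descending = 0   # postage still available for indicia
        self.ascending = 0    # total postage value used by this PSD
        self.piece_count = 0  # assumed counter that makes each indicium unique
        self._key = bytearray(secrets.token_bytes(32))  # stand-in secret key

    def load_postage(self, cents):
        """Remote postage load: credit the descending register."""
        if cents <= 0:
            raise ValueError("load amount must be positive")
        self.descending += cents

    def create_indicium(self, cents):
        """Debit the registers and return (payload, tag) for one mail piece."""
        if self._key is None:
            raise TamperedError("signing key erased after tamper event")
        if cents <= 0 or cents > self.descending:
            raise ValueError("insufficient postage in descending register")
        # Registers are updated before any signed data leaves the device.
        self.descending -= cents
        self.ascending += cents
        self.piece_count += 1
        payload = (f"{cents}|{self.ascending}|"
                   f"{self.descending}|{self.piece_count}").encode()
        # HMAC-SHA256 stands in for the digital signature here.
        tag = hmac.new(bytes(self._key), payload, hashlib.sha256).hexdigest()
        return payload.decode(), tag

    def on_tamper(self):
        """Erase cryptographic material; the registers are left intact."""
        if self._key is not None:
            for i in range(len(self._key)):
                self._key[i] = 0  # overwrite before dropping the reference
            self._key = None
```

After `on_tamper()`, the register values remain readable while `create_indicium()` refuses to produce further indicia.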
The PSD specifications do not require any display functions to be provided within the PSD itself. This causes a number of disadvantages. In particular, because the contents of the registers in the PSD can only be accessed when the PSD is connected to a host, a user cannot determine the contents of the PSD registers when the PSD is removed from the host. As a result, the only way to determine the contents of a register of an uninstalled PSD is to reinsert the PSD into a host, and use the host's facilities to display the desired information. This can be problematic because a host may not be available.
The inability to check PSD registers without installing the PSD into a host could also cause problems in environments where multiple PSDs are used (e.g., a contract mailing service company) and one of the PSDs is to be selected for insertion into a host. In this situation, it would be relatively easy to confuse a depleted PSD with a full one. This could cause significant inconvenience if a depleted PSD is inserted into a mailing machine with the expectation that it is full. Accordingly, the ability to read the PSD registers without inserting the PSD into a base would be a great convenience.
Until now, however, displays for PSDs have never been implemented. Moreover, rigorous cryptographic security requirements imposed by the Post Office make the connection of a display or other peripheral to the PSD a serious design challenge. Previous non-PSD-based postal meters have included display features that allow a user to determine the amount of postage remaining in the meters. U.S. Pat. No. 4,876,956 to Riley is an example of this type of postal meter. But because these postage meters are not PSD-based, they do not provide guidance on incorporating a display feature into a PSD.