1. Field of the Invention
The present invention is directed to a method for statistics mode reloading and for statistical acquisition according to statistics classes in the storing of a dataset in an electronic postage meter machine of the type wherein the postage meter machine can communicate with a remote data center. The term "statistics mode reloading" as used herein means a data communication of statistics instruction data that are arbitrarily flexible, freely selectable and compilable.
2. Description of the Prior Art
Known postage meter machines are equipped at least with an input means, an output means, an input/output control module, a program, data memory means that, in particular, carries the accounting registers, with a control means and with a printer module. Postage meter machines are also known that produce a fully electronically generated imprint for franking postal matter or for comparable purposes.
In a postage meter machine disclosed in U.S. Pat. No. 4,746,234 fixed and variable data are stored in a memory arrangement (ROM, RAM) in order to then read these data out with a microprocessor when a letter on the transport path actuates a microswitch preceding the print position and in order to form a print control signal. Both of the aforementioned types of data are electronically combined to form a print image and can be printed out, for example with a thermal transfer printing means, onto an envelope to be franked. As a rule, a postage meter machine generates an imprint in a standardized form which is flush right, parallel to the upper edge of the postal matter beginning with the content of postage value in the postage stamp, the date in the postmark and stamp imprints for an advertising slogan and, possibly, the type of mailing in the selective print stamp. The postage value, the date and the type of mailing are generated by the variable data which are entered specifically for each piece of mail. Every completed franking must be accounted for and any tampering that leads to a non-debited franking must be prevented.
A large variety of accounting and payment possibilities already exist. The postage value is usually the expediting fee (franking) prepaid by the consignor that is taken from a replenishable credit register and is employed to prepay the mailing.
Known postage meter machines contain three relevant postal registers in at least one memory, namely for used aggregate value (ascending register), remaining credit available (descending register) and a register for a check sum. The check sum is compared to the sum of used aggregate value and remaining credit available. A review for correct accounting is thus already possible. Given the known accounting with a prepaid credit, the memory arrangement includes at least one non-volatile memory module that contains the currently remaining available credit, which results from the postage values of the successively printed frankings being subtracted from a credit loaded into the postage meter machine earlier. The postage meter machine is automatically placed in a blocked (non-functioning) state when the remaining credit is zero. This remaining amount can be replenished by a recredited amount by conducting an authorized recrediting procedure.
A protected reloading procedure for a postage meter machine with a credit is described in U.S. Pat. No. 3,255,439 generates an automatic signal transmission from the postage meter machine to the data center whenever a predetermined amount of money that was franked or whenever an item number of processed mail or a predetermined time period was reached. Alternatively, a signal corresponding to the sum of money, the item number or time period can be communicated. The communication ensues with binary signals via converters connected to one another over a telephone line. The machine receives a reloading that is likewise protected and corresponds to the credit balance and blocked state if no credit is re-supplied.
U.S. Pat. No. 4,864,506 discloses a procedure wherein, preceding a credit reloading into the postage meter machine, the data center interrogates the identity number of the postage meter machine and the values in the descending and ascending registers for authorization. Further, this patent discloses that the communication of the data center with the postage meter machine need not remain limited to a mere credit transfer into the postage meter machine. On the contrary, the communication of the data center with the postage meter machine is used for transferring the remaining credit of the postage meter machine into the data center when the postage meter machine logs off at the mail carrier. The value in the descending postal register of the postage meter machine is then zero, which effectively takes the postage meter machine out of operation. It is self-evident that suitable security measures must be undertaken so that the credit stored in the postage meter machine is not increased in an unauthorized way and then transferred back into a bank account.
German OS 44 46 667 (corresponding to co-pending U.S. application Ser. No. 08/955,072 filed Oct. 21, 1997) discloses specific security measures. The security measures relate to a protected data transmission in all transactions as well as to the monitoring for complete implementation of a second transaction. After the postage meter machine sets up communication with a remote data center, which checks the communicated PIN and acknowledges receipt, a first encrypted message is sent to the data center by the part of the postage meter machine. The value crediting request, identification data, postal register data and CRC data (cyclic redundancy check) are encrypted in the encrypted message with DES algorithm (data encryption standard), for which a first key is employed. Subsequently, the postage meter machine is to receive and decipher a second encrypted message. The first key is again applied for deciphering. The second encrypted message contains a second key, identification data and transaction data. The verification ensues on the basis of the communicated identification data. The second key required for deciphering subsequent transaction data and the transaction data (requested credit value) are stored. The implementation of a second transaction, which sequences comparably, ensues after this first transaction with the communication of the aforementioned request, however, the requested credit value is stored as credited value and the implementation is monitored for completeness.
According to British Specification 22 33 937 and U.S. Pat. No. 5,181,245, the postage meter machine periodically communicates with the data center. A blocking means allows the postage meter machine to be blocked after the expiration of a predetermined time, or after a predetermined number of operation cycles, and supplies a warning to the user. For enabling franking, an encrypted code must be entered from the outside, this being compared to an internally generated encrypted code. In order to prevent false accounting data from being supplied to the data center, the accounting data are also involved in the encryption of the aforementioned code. A disadvantage is that the warning ensues simultaneously with the blocking of the postage meter machine without the user having advance notice so as to avoid a franking interruption. U.S. Pat. No. 5,243,654 discloses a postage meter machine wherein the continuous time data supplied by the clock/date module are compared to stored disable time data in order to deactivate the postage meter machine given equality between these data. In this case, the operation of the machine is interrupted and the user must manually actuate new inputs in a complicated way. This procedure also prevents a printing and (intentionally) requires the user periodically to report his postage meter machine at the data center in order to communicate accounting data (aggregate used amount from the ascending register). The postage meter machine could be blocked for an unnecessarily long time because of the manual user inputs, particularly given an inexperienced user.
Francotyp-Postalia AG & Co. has developed a number of automatically acting security measures that are implemented unnoticed by the user and without the user's input. As described in European Application 660 269 (corresponding to U.S. Pat. No. 5,671,146), the protection of register values that are stored in a non-volatile NVRAM is implemented with a MAC (message authentification code). This solution protects against a manipulation with a microprocessor in a control unit of the postage meter machine. This is programmed with a possibility of entering into a communication mode with a remote data center for the implementation of steps for a start and initialization routine and subsequent system routine. After further steps for entering into a franking mode, a branch is made back into the system routine from the franking mode after execution of an accounting and printing routine. Checks are implemented with a selected checksum method within an OTP processor (one-time programmable) that contains the corresponding program parts stored internally and also the code for forming the MAC. A person attempting tampering therefore cannot replicate the type A of checksum method. Further security-relevant key data and executions are also stored exclusively in the inside of the OTP processor in order to place a MAC protection over the postal registers.
The apparatus and method of European Application 660 269 are based on a postage meter machine that has a closeable and lockable flap that allows access to the hardware lying therebehind (EPROM base) only to a limited, trustworthy group of persons. It must be assumed that no tampering of the postage meter machine would be carried out by these persons. The user has no access to the slogan EPROM base and cannot independently exchange this slogan EPROM. Other advertising slogan data or postage fee schedule data thus can be installed only by a service technician who is authorized to open the postal flap (opening authority). Security cannot be maintained for a postage meter machine that has a partially open postal flap. This disadvantage is eliminated in a method described in German Patent Application 19534530 (corresponding to U.S. Pat. No. 5,805,711). The machine described therein is capable of communication with a remote data center and contains an OTP processor in a control circuit of the postage meter machine. The program parts that are implemented in the internal OTP-ROM also enable a protection of externally stored program parts that, for example, are stored in an EPROM. The user now has access to the slogan EPROM base and can independently change a slogan EPROM. The user himself, who is authorized to open the flap over the EPROM base, can thus also instal other advertizing slogan data or postage fee schedule data. Thus, a limited servicing is carried out by the user himself, which, however, makes a machine-internal check necessary for A misuse of the limited access allowed by the user. A start security check occurring in the framework of the start and initialization routine sequences before a secure print data call routine and before the following system routine. This serves the purpose of determining the validity of a program code and/or the validity of data in the predetermined memory location on the basis of an appertaining MAC (message authentification code) that is stored in the same memory means. The check for valid program code and/or for valid data ensues with a selected checksum method within an OTP processor that internally contains the corresponding program parts. A transfer of the postage meter machine into the aforementioned system routine ensues given validity of the data. A check of the data in the postage meter machine likewise ensues in the aforementioned system routine. If data are invalid, or if a specific tampering criterion is met, the postage meter machine is switched into a first mode that contains steps for the prevention of franking, or for blocking the postage meter machine and/or steps for the prevention of a further program execution, or for causing a program branch leading to the outside from the OTP processor in the framework of the aforementioned system routine.
Authenticity checks are also provided in the result of the print data input in the print data call routine for frame and/or window data as well as during the start and initialization routine as well as during the system routine in the step for keyboard interrogation and display of security-relevant window data that were modified in the print data input. Given an absence of authenticity, steps are triggered for the prevention of a further program execution or a program branch is triggered leading to the outside from the OTP processor. This check has the advantage that program code and constant, security-relevant data cannot be modified, nor skipped nor surreptitiously identified. The program execution of program parts that are executed in the internal OTP-ROM thus can not be manipulated. There is a reliable protection against fraudulent manipulation as long as no program branch occurs. Even in a faulty or manipulated postage meter machine the program execution remains completely in the OTP-ROM and cannot be forced into other operating modes.
A method for securing data and program code of an electronic postage meter machine is described in German Application 19534530 and U.S. Pat. No. 5,805,711. The teachings of co-pending U.S. Pat. No. 5,805,711 are incorporated herein by reference. This method includes the transmission of an externally stored, predetermined MAC value into the internal OTP-RAM and formation of a checksum in the OTP processor over the content of that external memory to which the MAC is allocated, and a comparison of the result to the predetermined value of the MAC volatilely stored in the internal OTP-RAM before and/or after the end of the franking mode or operating mode, and thus also after the initialization (i.e. when the postage meter machine is being operated) or at times when printing is not being carried out (i.e. when the postage meter machine is operated in standby mode). In the event of a fault, a logging and subsequent blocking of the postage meter machine ensues. A number of keys and an encryption algorithm that is employed in the program execution of security-relevant transactions and in the external storing of security-relevant data are also stored in the OTP-ROM. The aforementioned solution also assumes that the funds stored in the postage meter machine must be protected against unauthorized access. The falsification of data stored in the postage meter machine thus is made so difficult that the outlay is no longer worthwhile for a tamperer. The only disadvantage of this solution is that the user is required to perform a limited servicing. For example, a current postage fee table must be loaded when the carrier fee schedules change. In general, however, it is desirable not to burden the user--insofar as possible--with further tasks or services if this is not absolutely required.
Some postal authorities/mail carriers now require, or employ price reductions to promote, preparation by the user of printouts of operating sequences stored in the postage meter machine, for documents/bills of lading accompanying bulk mail/freight or accountings performed in a time period, or printout of statistics or receipts about a reloading that has ensued for replenishing credit. According to European Application 285 956, a postage meter machine is equipped with a specific operating sequence memory and with a connection for an external printer, however, seeking and printing specific data from the stored, periodic acquisition of all data demands that the user make a high time outlay available for such purposes.
European Application 493 948 also discloses a postage meter machine that is equipped with a number of registers in a protected module for storing accounting data that relate to the use of the postage meter machine for franking items. A first set of registers relates to a specific, first service, and a second set of registers relates to a specific, second service, whereby the specific services are selectable via the input means and the accounting data of the respectively selected service are updated. One shipping mode to be separately accounted for is, for example, "first class", which is preferred in the expediting. Another shipping mode to be separately accounted for is, for example, "second class". The shipping mode can be printed as a selective print stamp separately from the franking stamp or integrated therewith. Only certain services, however, are covered, and it is difficult for the postage meter machine manufacturer to predict for future mail carriers what services will be offered by such future carriers that then have to be separately accounted for as well. As needed, postage meter machines would then have to be refitted for new mail carriers or new services either in the factory or by a service technician, which would be very complicated. The accounting reports would likewise have to be printed out by a separate, second printer. A validity check by the microprocessor is provided for securing register values. For every printout of accounting reports, the microprocessor generates a validity code for register values that is printed out together therewith.
European Application 717 376 discloses a postage meter machine and a communication procedure to a data center both for register interrogation and credit reloading as well as for other administrative purposes. The communication can ensue online via modem or offline via chip card. A DEC CBC mode (data encryption standard & cipher block chaining) is utilized for authentification of the data. The postage meter machine has definition means for at least one group of mail classes. The postage meter machine has an item counter for each mail class in order to count the number of franked postal items per mail class. The mail classes are defined by upper and lower limit values for postage values. The data center can define at least one group of mail classes, particularly the upper and lower limits therefor. The data center can change this definition at predetermined times and limit the use of the postage meter machine, for example in terms of time, number of items and with respect to a cumulative value. The underlying statistics structure, however, can only be used fully or limited but not fundamentally modified.