The Information-Based Indicia Program ("IBIP") is a distributed trusted system proposed by the United States Postal Service ("USPS") to retrofit and augment existing postage meters using new technology known as information-based indicia. The program relies on digital signature techniques to produce for each envelope an indicium whose origin cannot be repudiated and content cannot be modified. IBIP is expected to support new methods of applying postage in addition to the current approach, which typically relies on a postage meter to mechanically print indicia on mailpieces. IBIP requires printing a large, high density, two-dimensional ("2-D") bar code on a mailpiece. The 2-D bar code encodes information and is signed with a digital signature.
The USPS has published draft specifications for IBIP. The INFORMATION BASED INDICIA PROGRAM (IBIP) INDICIUM SPECIFICATION, dated Jun. 13, 1996, and revised Jul. 23, 1997, ("IBIP Indicium Specification") defines the proposed requirements for a new indicium that will be applied to mail being processed using IBIP. The INFORMATION BASED INDICIA PROGRAM POSTAL SECURITY DEVICE SPECIFICATION, dated Jun. 13, 1996, and revised Jul. 23, 1997, ("IBIP PSD Specification") defines the proposed requirements for a Postal Security Device ("PSD") that will provide the security services needed to create the new "information based" postage postmark, or indicium, applied to mail being processed using IBIP. The INFORMATION BASED INDICIA PROGRAM HOST SYSTEM SPECIFICATION, dated Oct. 9, 1996, ("IBIP Host Specification") defines the proposed requirements for the host system element of IBIP. The INFORMATION BASED INDICIA PROGRAM KEY MANAGEMENT PLAN SPECIFICATION, dated Apr. 25, 1997, ("IBIP KMS Specification") defines the generation, distribution, use and replacement of the cryptographic keys used by the USPS, product/service providers and PSDs. These specifications are collectively referred to herein as the "IBIP Specifications". IBIP comprises three interfacing infrastructures, the user, postal and vendor infrastructures, which are the system elements of the program.
The user infrastructure, which resides at the user's site, comprises a PSD coupled to a host system ("Host") with printer. The PSD is a secure processor-based accounting device that dispenses and accounts for postal value stored therein.
The IBIP Indicium Specification sets out requirements for the indicium, which consists of both human-readable data and PDF417 bar code data. The human-readable information includes the originating address, including the 5-digit ZIP Code of the licensing post office, the PSD ID/Type number, the date of mailing and the amount of postage applied. The bar code region of the indicium includes the postage amount, PSD ID, user ID, date of mailing, originating address, destination delivery point identification, ascending and descending registers and a digital signature over these elements.
An integrated mailing system is subject to open system requirements if it includes a computer interfaced to the meter and it prepares mailpiece fronts or labels that include both the destination address and the indicium. The integrated system is an open system even if different printers apply the address and the indicium. If the mailing system satisfies such criteria, the USPS considers the "meter" to be an open system peripheral device that performs the dual functions of printing the indicia and interfacing the PSD to the Host. The integrated mailing system must be approved by the USPS according to open system criteria.
The IBIP Host Specification sets forth the requirements for a Host in an open system. The Host produces the mailpiece front including the return address (optional), the delivery address (required), the Facing Identification Mark ("FIM"), and the indicium as an integral unit. The Host may print this unit on the actual mailpiece stock or label(s) for later attachment to the mailpiece. The Host provides the user with an option to omit the FIM (e.g., when the FIM is preprinted on envelopes). The Host produces standardized addresses, including standard POSTNET delivery point bar code, for use on the mailpiece. The Host verifies each address at the time of mailpiece creation. The Host then creates the indicium and transmits it to the printer.
The IBIP Specifications define a stand-alone open metering system, referred to herein as a PC Meter or Stand-alone PC Meter. The Stand-alone PC meter has one personal computer ("PC") which operates as the Host ("Host PC"). The Host PC runs the metering application software and associated libraries (collectively referred to herein as "Host Applications" and "PC Meter Toolkit") and communicates with one or more attached PSDs. The Stand-alone PC Meter can only access PSDs coupled to the Host PC. There is no remote PSD access for the Stand-alone PC Meter.
The Stand-alone PC Meter processes transactions for dispensing postage, registration, and refill on the Host PC. Processing is performed locally between the Host and the PSD coupled to it. Connections to a Data Center, for example for registration and refill transactions, are made locally from the Host through a local or network modem/internet connection. Accounting for debits and credits to the PSD is also performed locally: the transactions are logged on the Host PC, which is both the PC on which the transactions are processed and the PC to which the PSD is attached. Thus, the accounting of funds and transaction processing are centralized on a single PC. The Host PC may accommodate more than one PSD, for example one PSD per serial port. Several application programs running on the Host PC, such as a word processor or an envelope designer, may access the Host metering software.
Other configurations of open and closed system meters are described in previously noted related applications U.S. Applications Ser. Nos. [Attorney Docket E-644, E-645, E-646, E-647, E-648, E-649, E-650, E-694 and E-696].
It is expected that once IBIP is launched, the number of meters in service will increase significantly when PC-based meters are introduced, particularly in the small office and home office (SOHO) market. The IBIP Specifications address issues of security and fraud and minimize, if not eliminate, the resulting risks to the USPS. However, as with any system implemented on a non-secure device such as a personal computer, an IBIP implementation may have inherent security weaknesses that could be exploited by sophisticated users intent on defrauding the USPS.
The IBIP Specifications do not specify any method for the removal of funds from the PSD, such as safely returning funds to the Data Center when a PSD is taken out of service. Moreover, the IBIP Host and PSD Specifications do not permit the zeroing of registers, which is common practice in current Pitney Bowes meters (except for the Personal Post Office.TM. digital meter, described below). It is anticipated that the removal of funds from a PSD would be accomplished using conventional methods.
Historically, a mechanical postage meter being taken out of service had to be physically returned to the Post Office, opened, and its registers zeroed. This method has drawbacks, the most significant being the possibility of theft of an active meter while it is still loaded with postage, and also the inconvenience of making the return.
Today, when a conventional electronic postage meter is taken out of service, a vendor service representative retrieves the postage meter from a customer, and contacts the Data Center's voice response unit or VRU. The service representative enters a special request code for zeroing the meter's registers and sends the request to the Data Center. The Data Center generates a combination code, for example, a 4 digit code as opposed to the standard 6 digit code. The service representative enters the combination code into the postage meter with an amount of "0.00" to indicate to the postage meter that a special register clear operation is to be performed. The postage meter then resets the registers of the meter to 0.
This is not a very secure method, since it relies on the service representative to read the registers accurately and to enter that information correctly into a computer or onto a piece of paper for manual processing. The postage meter does serve as a backup to this process by holding a history of past register values in memory. Nevertheless, the manual nature of the process can lead to improper or disputed refund amounts.
In the Personal Post Office digital meter, an improvement was made to the existing process. A customer who no longer wants the product, or is getting a new meter, places a call to the Data Center. The Data Center, knowing that the meter is in a pending-withdrawal status, sends a command to the meter requesting that a debit be made for an amount equal to the current descending register. The meter, upon receipt of the command, debits the appropriate amount and generates a digital signature, also referred to herein as a token, for the mailpiece that would have been printed had the deduction been applied to a mailpiece. The digital token and the other information that would have been printed on the mailpiece are sent to the Data Center for verification, to ensure that the meter properly deducted the appropriate funds. It should be noted, however, that the digital token is generated in exactly the same way as for a valid mailpiece. Therefore, by intercepting the communications with the Data Center, for example by eavesdropping on the link, an attacker could obtain valid digital tokens. These tokens and the associated postal information could be imprinted on a mailpiece, giving the attacker free postage. The amount of free postage could be significant, e.g., for a Priority Mail mailpiece. The attacker could also print an indicium and bring it to the Post Office for a refund.
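The replay weakness described above can be shown in a few lines. The following is an added example, not code from the patent or from any Pitney Bowes or USPS product: a toy PSD with ascending/descending registers whose withdrawal path produces a token through the same signing routine as a mailpiece, a post-office-side acceptance check, and an eavesdropper who simply reuses the captured withdrawal token. HMAC-SHA256 with a constructed key stands in for the PSD's digital signature (the real design uses a public-key signature, but the attack does not forge anything, it replays). The `purpose` field and the `purpose_tag` switch are an assumed mitigation, binding the token to its intended use, added to illustrate why binding matters; they are not part of the specifications described on this page.

```python
import hashlib
import hmac
import json

# Constructed demo key standing in for the PSD's private signing key.
PSD_KEY = b"constructed-demo-psd-key"


def sign_fields(fields: dict) -> str:
    """Canonicalise the token fields and sign them (HMAC stands in for a signature)."""
    canon = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(PSD_KEY, canon, hashlib.sha256).hexdigest()


class PSD:
    """Minimal postal security device: two registers plus a signer."""

    def __init__(self, psd_id: str, funds_cents: int, purpose_tag: bool = False):
        self.psd_id = psd_id
        self.ascending = 0              # total postage ever dispensed
        self.descending = funds_cents   # postage remaining
        self.purpose_tag = purpose_tag  # assumed hardening: sign the token's purpose

    def _debit(self, amount: int, date: str, dest_zip: str, purpose: str) -> dict:
        if amount > self.descending:
            raise ValueError("insufficient funds")
        self.descending -= amount
        self.ascending += amount
        token = {
            "psd_id": self.psd_id, "amount_cents": amount, "date": date,
            "dest_zip": dest_zip, "ascending": self.ascending,
            "descending": self.descending,
        }
        if self.purpose_tag:
            token["purpose"] = purpose
        token["signature"] = sign_fields(token)
        return token

    def print_indicium(self, amount: int, date: str, dest_zip: str) -> dict:
        return self._debit(amount, date, dest_zip, "mailpiece")

    def withdraw(self, date: str) -> dict:
        # Personal Post Office style: the whole descending register is debited
        # through the same path that produces a mailpiece token.
        return self._debit(self.descending, date, "00000", "withdrawal")


def accept_indicium(token: dict, tagged: bool = False) -> bool:
    """Post-office-side check: signature valid and, if tagged, purpose is mailpiece."""
    fields = {k: v for k, v in token.items() if k != "signature"}
    if not hmac.compare_digest(sign_fields(fields), token.get("signature", "")):
        return False
    if tagged:
        return fields.get("purpose") == "mailpiece"
    return True


def replay_attack(purpose_tag: bool) -> bool:
    """True if a withdrawal token captured off the wire is accepted as postage."""
    psd = PSD("PSD-0001", funds_cents=2_000, purpose_tag=purpose_tag)
    psd.print_indicium(32, "19971023", "06484")      # a normal mailpiece first
    # Data Center commands a withdrawal; an eavesdropper copies the reply.
    captured = dict(psd.withdraw("19971024"))
    assert psd.descending == 0                       # registers really were cleared
    return accept_indicium(captured, tagged=purpose_tag)


def genuine_indicium_accepted(purpose_tag: bool) -> bool:
    psd = PSD("PSD-0002", funds_cents=500, purpose_tag=purpose_tag)
    return accept_indicium(psd.print_indicium(55, "19971023", "06484"), tagged=purpose_tag)


if __name__ == "__main__":
    print("untagged design, replayed withdrawal accepted:", replay_attack(False))
    print("tagged design,   replayed withdrawal accepted:", replay_attack(True))
```

Under the untagged design the verifier has no way to tell the withdrawal token from a mailpiece token, so the captured token (worth the entire remaining descending register, 1,968 cents here) is accepted as postage even though the meter's registers were correctly cleared. Encrypting the link would hide the token from a passive listener but would not stop a customer from reading it off their own Host PC; binding the signed data to its purpose is what removes the value of the captured token.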