In recent years, some postal authorities have proposed that systems for printing postage (franking systems) should use so-called “postal security devices.” Each postal security device typically consists of a printed circuit board, a power supply, an anti-tampering shield, and a housing or enclosure. A cryptographic boundary is defined, within which is located a real-time clock. These parts when assembled are permanently sealed, for example in epoxy resin. The postal security device or PSD is configured and placed into service.
Designers of postage meters (franking machines) and would-be designers of PSDs have typically chosen configuration steps which include embedding a unique serial number into the device which will never change again, and which is used for a number of purposes including tracking of units and management of cryptographic keys.
A variety of prior-art approaches have been attempted. In U.S. Pat. No. 4,506,329 to Duwel et al. (“Duwel”) there is described a device in which a bit in memory is used to indicate whether a one-time-only serial number has already been stored in memory. Software in the device is designed to check the contents of the bit. If the bit is set, the software will not permit further changes of the memory. This approach has a drawback in that it is necessary to know what serial number is desired at the time the bit is to be set. The device does not permit changing a serial number at a later time, for example if a device is to be reused. Even if such a device were modified to permit changing a serial number at a later time, a consequence would be that the previous serial number would be lost, which is disadvantageous.
U.S. Pat. No. 4,525,786 to Crowley et al. describes a device in which the setting of a serial number is linked to setting predetermined values in other memory locations, specifically ascending and descending registers in a postage meter. This, too, has some of the same drawbacks as Duwel, for example the problem that the serial number cannot later be changed even if a device is to be reused.
U.S. Pat. No. 4,424,573 to Eckert, Jr. et al. discloses a device having a “chip number” and a distinct “serial number.” The serial number is stored in nonvolatile memory in the device in a way that replaces the chip number. This again has the potential drawback that the chip number is lost when the serial number overwrites it.
U.S. Pat. No. 5,742,682 to Baker et al. shows a system in which a “unique secure box identification” is stored in a box. In U.S. Pat. No. 5,680,456 to Baker et al. there is described a “unique device identifier” that is programmed into a device.
All of these past approaches have potential drawbacks. These approaches typically assume that a device is purpose-built for a particular specific application. They typically assume that a unique identifier, once programmed into a device, will not subsequently change. They further typically assume that a device would not be a generic nondescript unit capable of being configured one way and at a later time being configured in a different way.
Purpose-built devices have an additional potential drawback that they must be inventoried according to their purpose. Such inventorying is costly and takes up space.
It would be extremely desirable to devise a system permitting the manufacture of generic nondescript units, which could then be configured for particular applications. Such a system would require unique identification of the generic units, but would also require a versatile way of identifying units according to the applications for which they are configured. Finally, such a system would ideally have not only identifiers stored within the units (which are not readily human-readable) but would also have identifiers perceptible from outside the unit, by characters or bar coding or the like, all integrated with the rest of the system.
Computer-based products such as postal security devices are manufactured as generic, nondescript units. Each has a unique identifier or embedded hardware serial number readable by data communications such as serial electrical communications. At customization time, a human-readable marking is placed on the device, along with a bar code indicative of the human-readable marking. A bar-code reader reads the bar code. The embedded hardware serial number is read. A record is made in a database indicative of the embedded hardware serial number and the bar code information. Software may then be selected based on the bar code information, and loaded into the device, typically within a cryptographically secure area within the device. At a later time the device may be retired from service and reprogrammed, in which case a new human-readable marking and bar code are affixed to the device. The embedded hardware serial number and new bar code information are read and appropriate new data records are created. The data records may further contain information regarding cryptographic keys loaded into the device and version levels of software within the device. In this way a generic device may be customized and efficiently managed.
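The record keeping described above can be sketched as follows. This is an added example, not code from the patent: the table layout, the function names, the rule that a two-character bar-code prefix selects the software image, and all sample values are assumptions made for illustration.

```python
import sqlite3

# Assumption: the first two characters of the bar code select the software image.
SOFTWARE_BY_PREFIX = {"US": "psd-us-image", "DE": "psd-de-image"}

def open_registry():
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE config (
        hw_serial  TEXT NOT NULL,         -- embedded serial, never rewritten
        barcode    TEXT NOT NULL UNIQUE,  -- external marking for one configuration
        software   TEXT NOT NULL,
        sw_version TEXT NOT NULL,
        key_id     TEXT NOT NULL,         -- identifier of the loaded key, not the key
        retired    INTEGER NOT NULL DEFAULT 0)""")
    return db

def customize(db, hw_serial, barcode, sw_version, key_id):
    """Record a configuration and return the software image to load."""
    active = db.execute(
        "SELECT barcode FROM config WHERE hw_serial=? AND retired=0",
        (hw_serial,)).fetchone()
    if active:
        raise ValueError(f"{hw_serial} is in service as {active[0]}; retire it first")
    software = SOFTWARE_BY_PREFIX.get(barcode[:2])
    if software is None:
        raise ValueError(f"no software defined for bar code {barcode}")
    db.execute("INSERT INTO config (hw_serial, barcode, software, sw_version, key_id)"
               " VALUES (?, ?, ?, ?, ?)",
               (hw_serial, barcode, software, sw_version, key_id))
    return software

def retire(db, hw_serial):
    """Mark the active configuration retired; the old record is kept."""
    cur = db.execute("UPDATE config SET retired=1 WHERE hw_serial=? AND retired=0",
                     (hw_serial,))
    return cur.rowcount

def history(db, hw_serial):
    """Every configuration the unit has had, oldest first."""
    return db.execute("SELECT barcode, software, sw_version, key_id, retired"
                      " FROM config WHERE hw_serial=? ORDER BY rowid",
                      (hw_serial,)).fetchall()

if __name__ == "__main__":
    db = open_registry()                      # constructed sample values below
    customize(db, "HW-0001", "US-1000", "1.0", "key-a")
    retire(db, "HW-0001")
    customize(db, "HW-0001", "DE-2000", "2.1", "key-b")
    print(history(db, "HW-0001"))
```

Because reprogramming adds a row instead of overwriting one, the earlier marking, software version and key identifier remain queryable by the unchanged hardware serial number.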