1. Field of the Invention
The present invention is directed to an arrangement and to a method for data exchange between a postage meter machine and chip cards in a postage meter machine of the type equipped with a chip card write/read unit and an appertaining controller that requires a specific insertion sequence of cards into the chip card write/read unit for valid chip cards in order to reload data.
2. Description of the Prior Art
It is known to keep track of accounting-specific data about cost centers in postage meter machines. The purpose of the cost center concept is to introduce transparency into the accounting of devices that are used by different users. The term xe2x80x9ccost centerxe2x80x9d means a non-volatile memory area provided for department-by-department accounting or booking of usage activity. Each cost center has a number and/or name allocated to it via which the aforementioned memory area is selected. The business entity associated with a cost center is ultimately responsible for the cost (charge) for postage or shipping fees incurred by personnel who use the postage meter machine who are employed by the business entity.
Modern postage meter machines such as, for example, the thermal transfer postage meter machine disclosed by U.S. Pat. No. 4,746,234 utilize fully electronic digital printer devices. It is thus fundamentally possible to print arbitrary texts and special characters in the postage stamp printing area and to print an arbitrary advertising slogan or one allocated to a cost center. For example, the postage meter machine T1000 of Francotyp-Postalia AG and Co. (Postalia, Inc. in the United States) has a microprocessor that is surrounded by a secured housing having an opening for the delivery of a letter. Given delivery of a letter, a mechanical letter sensor (microswitch) communicates a print request signal to the microprocessor. The franking imprint contains a previously entered and stored postal information for dispatching the letter.
It is also known to store data specific to cost centers on chip cards in order to make the user-specific information mobile (portable) and to avoid an intentional misuse of other cost centers. U.S. Pat. No. 5,490,077 discloses a data entry with chip cards for the aforementioned thermal transfer postage meter machine. One of the chip cards loads new data into the postage meter machine, and a set of further chip cards allows a setting of correspondingly stored data to be undertaken by plugging in a chip card. Loading data and setting the postage meter machine are thus possible in an easier and faster manner than via a keyboard input. The keyboard of the postage meter machine remains small and surveyable because no additional keys are required in order to load or set additional functions. A plug-in slot of a chip card write/read unit, in which the respective chip card is to be plugged by the customer within a time window, is located on the back side of the postage meter machine. Due to the lack of direct visual contact, an unpracticed user often does not always succeed in inserting the required chip cards in immediate succession, which then leads to unwanted delays. The postage meter machine only works with relatively expensive chip cards that are themselves equipped with a microprocessor (smart card) and are thus able to check whether the postage meter machine communicates a valid data word to the chip card before an answer is sent to the postage meter machine. When, however, no answer or user identification ensues, this is registered as an error in the postage meter machine and is displayed before a request to remove the chip card is displayed in the display.
A single slot is provided for a number of chip cards that are sequentially inserted.
A table of passwords is stored in the postage meter machine in order to automatically enter passwords into the chip card. The inserted chip card checks whether the postage meter machine belongs to the group of authorized users by comparing the passwords to an internally stored password. Auxiliary functions, special functions and information from the chip card can be used with temporarily valid passwords that are communicated on demand to the user when the payment is assured. After processing the command sequence according to the transfer protocol, which includes further commands for switching into a security mode of the chip card and for manual password entry into the chip card, the protected chip card data can be fetched. A disadvantage is that the user must pay attention to the proper sequence when inserting a number of chip cards. The fee schedule reloading card must be inserted first. Even with the successor cards, the selection of the chip card to be inserted is up to the user. As is known, a PIN or password input is demanded for assuring the authenticity in different security levels. A disadvantage, however, is that such a number of passwords, may have a time limit on their validity. The alternative of manual PIN or password entry for a number of cards could lead to undesirable confusion.
German OS 196 05 015 discloses an embodiment for a printer device (JetMail(copyright)) that, given a non-horizontal, approximately vertical letter transport, implements a franking imprint with an ink jet print head stationarily arranged in a recess behind a guide plate. For recognizing the start (leading edge) of a letter, a print sensor is arranged shortly before the recess for the ink jet print head and collaborates with an incremental sensor. The letter transport is free of slippage due to pressure elements arranged on the conveyor belt, and the incremental sensor signal derived during the transport has a positive influence on the quality of the print image. Given such a postage meter machine exhibiting larger dimensions, however, a chip card write/read unit would have to be arranged and operated such that sequentially pluggable chip cards can be unproblematically used. Since the memory capacity on a chip card is limited, the user must keep a number of chip cards on hand, and the postage meter machine must be configured to store all loaded data.
As an alternate way for solving the further problem that there is only limited memory capacity available on a chip card, U.S. Pat. No. 4,802,218 discloses that a number of chip cards be simultaneously employed, these being plugged into a number of write/read units. In addition to a user chip card for the recrediting and debiting whereby the postage fee value is subtracted from the credit, a master card and a further rate chip card with a stored postage fee table are simultaneously plugged in. By accessing a postage fee table, a postage fee value can be determined according to the input weight and shipping destination without loading an entire table into the machine. Since, however, a respective write/read unit is required for every chip card, the apparatus becomes too large and expensive. Moreover, a separate reloading terminal is required in order to replenish the credit in the user chip card, with the master card providing the authorization for this reloading function. A supervisor card has access to all master cards. Various security levels are accessible by appertaining key codes. Such a system with a number of slots for chip cards is very complex overall.
German OS 195 16 429 discloses a method for an access authorization to a secured machine or circuit with card-like master elements that make card-like authorization elements perceptible as valid. Such card-like authorization elements that have been validated later allow access to the secured machine or circuit without the user having the master element in his or her possession. Further authorization elements also can be confirmed as valid. The authorization procedure includes an information exchange between a higher-ranking master element and a lower-ranking authorization element or master element, and an electronic lock of the secured machine or circuit. Specific customer wishes, however, can not be taken into consideration because all cards generated in this way are technologically and functionally identical and merely serve the purpose of distributing access authorizations of a hierarchically ordered administration of the secured machine or circuit. The use of a chip card for access authorization in different hierarchy levels as well is known, but must be accompanied by a further data entry by keyboard by the user in order to call or set an application.
The chip cards are usually initialized by the chip card manufacturer and the postage meter machine manufacturer. It is somewhat complicated, however, for the postage meter machine manufacturer to take specific customer wishes into consideration. There is the necessity for the user of the postage meter machine to inform the manufacturer of his customer wishes that relate to a specific input function by chip card. Until the user has been sent an correspondingly initialized chip card, the postage meter machine can continue to be set for the specific input function only via the postage meter machine keyboard.
An object of the present invention is to provide an arrangement and a method for data exchange between a postage meter machine and chip cards, wherein the sequence of chip cards to be sequentially inserted is partly defined by the manufacturer and partly by the user. Given access to protected memory areas of the chip card, an adapted security should be achieved given the highest possible user friendliness and with low cost. The protection of the transmitted data against a manipulation should be assured.
This object is achieved in a method wherein a first processor chip card is utilized that, at the same time, represents a general access authorization to the postage meter machine and offers a reloading possibility into the postage meter machine. The first processor chip card contains a sequence number stored in a protected manner that has a relationship to a sequence number of a further chip card.
The further chip cards can either supplement information stored in the postage meter machine, or modify it in a suitable way, and/or offer an unlimited access to the functions of the postage meter machine.
The postage meter machine is equipped with a chip card write/read unit and an appertaining controller. The controller requires a specific insertion sequence for valid chip cards into the chip card write/read unit in order to reload data, but allows an authorized user to define a specific sequence for the insertion of further suitably initialized, lower ranking chip cards in order to simplify the function and data entry into the postage meter machine. The latter chip cards set the postage meter machine to an operation with limited function scope. For their initialization, a table with a specific hierarchic structure is produced using of the keyboard and display and with the assistance of a microprocessor and the appertaining non-volatile memories in memory areas within the postage meter machine, so that the pre-stored structure is correspondingly modified by the user. As used herein, xe2x80x9cinitializationxe2x80x9d means the completion of a chip card number, the writing in a part of an identifier string in a memory of the chip card, and the allocation and storing of the allocation of the chip card number to a number of one or more application functions in a non-volatile memory of the postage meter machine. As used below, xe2x80x9ctop down initializationxe2x80x9d means the derivation of chip card numbers and their allocation in the postage meter machine to a limited number of application functions or to at least one application function.
A tree structure thereby arises in the hierarchy for the second chip cards derived from the inventive first chip card and for further successor cards, particularly specific application cards that allow the access to the table with their chip card number stored internally in the chip card. The allocation of a chip card number to function applications with limit data can be arbitrarily selectably stored in the memory areas by the authorized user.
In an economical and customer-friendly way, the arrangement for data exchange between the postage meter machine and chip cards enables a large variety of data to be loaded into the postage meter machine or selected. When, thus, there is a need to modify data stored in the postage meter machine dependent on unforeseeable external events, i.e. to implement a data update, then the control system of the postage meter machine loads the dataxe2x80x94given validityxe2x80x94from unprotected memory areas and then from protected memory areas of the chip and operates then in a suitable way with data from other chip cards that were previously loaded.
The chip card write/read unit operates according to different communication protocols dependent on the respective card type of the inserted card and loads data from inserted, valid chip cards under the control of the control system of the postage meter machine. The control system is equipped with a program memory and a microprocessor in order, according to an application program, to store, the data currently received from the chip card write/read unit in corresponding non-volatile memory areas and to link this stored data in a suitable way with the memory areas that already contain previously loaded data from previously inserted, valid chip cards.
The chip card reader of the postage meter machine includes a contacting unit for the mechanical acceptance and electrical connection of the chip card as well as an appertaining microprocessor board that functions as a link element between the postage meter machine and an inserted chip card in order to enable the communication and/or the data transfer. The interface of the chip card reader is a serial interface according to the RS232 standard; the software protocol can vary so as to be manufacturer-specific. The chip card reader is integrated into the base housing of the postage meter machine.
A reload (update) possibility is thus created for at least the data of a function feature and/or the postage table data in that a dialog with the inserted chip card via a single chip card write/read unit, whereby a loading of data with respect to new features and/or with respect to a postage fee table ensues from a first chip card, coupled with a first code that modifies an allocation of features/data stored in the postage meter machine to a second code that is entered.
An access possibility to at least one defined cost center or to data of a function feature can also be automatically entered with a chip card. An automatic access authorization at least to the overall cost center is thereby checked. If not differently declared, all issued chip cards will access only this cost center, but the possibility is permitted of subsequently making a manual selection of a specific department-related cost center for the cost center memory of the postage meter machine via the keyboard. It can also be declared that a second or further successor chip cards of an arbitrary type access defined cost centers. This is achieved, given an inserted master chip card, by producing a table having a specific hierarchic structure in memory areas within the postage meter machine.
The invention is based on the concept of allowing different security measures in different security levels in order to achieve an adapted security. The authorized access to the chip card data can be checked within the chip card itself. The postage meter machine communicates its serial number to the chip card, which implements a comparison of the communicated serial number to a stored serial number and communicates the result of the comparison to the chip card write/read unit. Given a positive comparison result, the latter receives a dataset with numbers, prescribed data and reload data as well as an appertaining authorization code MAC. The controller of the postage meter machine checks the authorization of the loaded data on the basis of the communicated authorization code MAC. For the reloading of data, a manufacturer-defined sequence for the insertion of the reload chip cards is protected by a sequence number communicated in addition to the base number.
Moreover, the controller is equipped with a program, so that the user, particularly the postage meter machine user, can program a security protection into the postage meter machine which is individually adapted according to a hierarchic principle.
The entire cost center handling within the postage meter machine is inventively controlled with the assistance of a consecutive chip card number in every chip card that is employed in combination with the postage meter machine. A first application that allocates specific privileges (hierarchies), security measures and cost center numbers to specific chip card numbers is stored within the program memory of the postage meter machine. The first chip card, which is supplied together with the postage meter machine, is referred to as a master card. The authorization is not limited for this card. In addition to the consecutive number, however, the master card contains further data in its protected, non-volatile memory areas. The method for data exchange inventively provides that this further data is communicated in separate datasets. This further data include a sequence number for the continuation of the reloading with a further reload (update) chip card and, in particular, boundary data or limit data limiting the application authorization of successor cards that effect a limitation of any operation which is not set and triggered by the master card. These boundary or limit data achieve an application-adapted security protection for a second chip card or for the further successor cards. The hierarchically highest-ranking, first chip card causes a limit account to be stored in a protected memory area of the non-volatile memory of the postage meter machine. This principle is continued downward in the hierarchy for successor cards. The hierarchically higher-ranking, second chip card thus deposits a limit account in a protected memory area of a non-volatile memory of the postage meter machine for a lower-ranking successor card. The aforementioned table can be at least partially displayed according to the modified structure (for survey by the user) before storage ensues. A limit account prescribed by the master card can only be modified in one direction, i.e. can only be more restrictively limited. The aforementioned limit thus can not be cancelled by a chip card having a lower rank.
A set of chip cards that control the access to preselectable postage meter machine functions for the combined application thereof is made available to the user. Moreover, an easily accessible chip card write/read unit is created in the postage meter machine, that is arranged behind the guide plate, that avoids problems plug-in of cards. Mistakes in the selection of a chip card are also minimized by the easy access to the chip card write/read unit. The chip card/postage meter machine system can be arbitrarily expanded or user-modified. A different inserted chip card type can be recognized by the postage meter machine and correspondingly interpreted. The postage meter machine thus can be operated with an optimally inexpensive chip card type. The advantages of unambiguous, simple and fraud-resistant cost center selection by chip card are still achieved while avoiding the use of substantial memory capacity. In addition to enabling the cost center, an enabling of predetermined, further functions can be achieved merely by plugging a chip card into the chip card write/read unit. Functions and/or data allocated to this chip card number are stored in the table. The table is stored in corresponding memory areas of the non-volatile memory of the postage meter machine. The aforementioned table has a specific hierarchic and modifiable structure in which limit data are stored allocated. The aforementioned, modifiable structure is divided into a list of valid card numbers, linkage conditions and appertaining parameter sets. Every second and following chip card need contain only a chip card number. The postage meter machine reserves a memory location for a parameter value for at least one type of limit value. This allows an inexpensive set of chip cards to be used that are only partially pre-initialized at the manufacturer. The desired chip card number can be additionally stored or modified in a third part of an identifier string in the memory areas of the chip card by an authorized user with the chip card write/read unit of the postage meter machine. A control device of the postage meter machine connected to the chip card write/read unit has a non-volatile memory with memory areas for an allocation of listed application functions to limit data and to a chip card. The microprocessor of the control device of the postage meter machine is programmed to load the chip card number stored in the respective chip card, to call an allocation of the listed application functions to the respective chip card number in one of the memory areas of the non-volatile memory of the postage meter machine and to implement the corresponding application programs stored in the program memory while adhering to the limit value. The allocation in the aforementioned memory areas can be arbitrarily selected by the authorized user and stored in the aforementioned memory areas within the scope of the limit values.
The distributed, modifiable structure can be restored using electronic pointers in order to undertake a corresponding data entry into the main memory, to allow whereby the microprocessor of the postage meter machine to execute corresponding function or a stored sequence of functions according to the application program. One of the functions can be implemented in order to at least partially display the structure in a table or in order to allow the user to modify this structure or table.