One example of a value printing system is a postage printing system including an electronic postage meter and a printer for printing a postal indicia on an envelope or other mailpiece. Recent efforts have concentrated on removing the printer from being an integral part of the postage meter. Electronic postage meters for dispensing postage and accounting for the amount of postage used are well known in the art. The postage printing system supplies proof of the postage dispensed by printing a postal indicia which indicates the value of the postage on an envelope or the like. The typical postage meter stores accounting information concerning its usage in a variety of registers. An ascending register tracks the total amount of postage dispensed by the meter over its lifetime. That is, the ascending register is incremented by the amount of postage dispensed after each transaction. A descending register tracks the amount of postage available for use. Thus, the descending register is decremented by the amount of postage dispensed after each transaction. When the descending register has been decremented to some value insufficient for dispensing postage, then the postage meter inhibits further printing of indicia until the descending register is resupplied with funds.
Generally, the postage meter communicates data necessary for printing a postal indicia to the printer over suitable communication lines, such as: a bus, data link, or the like. During this transfer, the data may be susceptible to interception, capture and analysis. If this occurs, then the data may be retransmitted at a later time back to the printer in an attempt to fool the printer into believing that it is communicating with a valid postage meter. If successful, the result would be a fraudulent postage indicia printed on a mailpiece without the postage meter accounting for the value of the postage indicia.
It is known to employ secret cryptographic keys in postage printing systems to prevent such fraudulent practices. This is accomplished by having the postage meter and the printer authenticate each other prior to any transfer of print data or printing taking place. One such system is described in U.S. Pat. No. 5,794,290 entitled METHOD AND APPARATUS FOR SECURELY AUTHORIZING PERFORMANCE OF A FUNCTION IN A DISTRIBUTED SYSTEM SUCH AS A POSTAGE METER (E-476), now issued as U.S. Pat. No. 5,799,290. Another such system is described in U.S. patent application Ser. No. 08/864,929, filed on May 29, 1997, and entitled SYNCHRONIZATION OF CRYPTOGRAPHIC KEYS BETWEEN TWO MODULES OF A DISTRIBUTED SYSTEM. These types of mutual authentication systems help to ensure that the printer is being contacted by a valid postage meter and that the postage meter is in communication with a valid printer.
Once the postage meter and the printer have mutually authenticated each other, the exchange of print data may begin. A portion of the print data requires generation of a secure token in the postage meter. This token is printed within the postal indicia and is used by a postal authority to verify the integrity of the postal indicia. Generally, the token is an encrypted representation of the postal information contained within the postal indicia printed on the mailpiece. In this manner, the postal authority can read the postal information printed on the mailpiece and independently calculate a token for comparison purposes with the token printed on the mailpiece. In the alternative, the token on the mailpiece may be decrypted to derive the postal information that is anticipated to be printed on the mailpiece. Examples of such techniques are described in U.S. Pat. Nos. 4,831,555 and 4,757,537.
Although mutual authentication and token verification contribute significantly to the security of the postage printing system, potential attack points still exist. For example, the print data may be susceptible to interrogation and tampering as it travels from the postage meter to the printer. Thus, a successful attacker would be able to manipulate the print data to produce an altered postal indicia that would pass verification by the postal authority. In this way, the successful attacker could print a postal indicia in excess of the postal value that was authorized and accounted for by the postage meter. To combat this potential attack, it is known from U.S. Pat. No. 5,583,779 to encrypt the print data itself at the postage meter before transmission and subsequently decrypt the print data at the printer.
Although this approach generally works well by adding another level of security, it may not be sufficient to defeat a sophisticated attacker. Several factors exist that assist the sophisticated attacker, such as: (i) the potential attacker has access to the encrypted print data as described above; (ii) the potential attacker has access to the decrypted print data as evidenced by the postal indicia printed on the mailpiece; (iii) the potential attacker has access to an unlimited number of print data streams and associated postal indicia; (iv) the print data does not vary much from postal indicia to postal indicia due to the high degree of fixed data (design graphics, meter serial number, zip code, etc.) and predictable variable data (date, postage amount); and (v) the potential attacker has control over some of the predictable variable data (postage amount). Thus, the potential attacker has a great deal of knowledge concerning the encrypted print data due to the inherent nature of the postage printing system. Using this readily available knowledge and knowing the regular structure (geographic layout) of the postal indicia, the degree of difficulty in defeating the encryption of the print data is reduced.
This problem is particularly acute if traditional electronic code book (ECB) encryption is used. In ECB encryption, the same input data will always encrypt to the same output data so long as the encryption key remains the same. Thus, the attacker may begin to compile a code book revealing the correspondence between the input data and the output data without having to break the encryption algorithm or the encryption key.
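The ECB property described above can be measured on print data that is mostly fixed. The following is an added example, not part of the original text: the field layout, key and toy Feistel cipher (a stand-in for a real block cipher) are constructed for illustration, and the chained mode with a random initialization vector is a general contrast that goes beyond what the text describes.

```python
import hashlib
import hmac
import os

BLOCK = 16  # bytes per cipher block
KEY = b"constructed-demo-key"  # constructed key, illustration only

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # Toy 4-round Feistel permutation standing in for a real block cipher.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def indicia(postage: str) -> bytes:
    # Constructed print data: four fixed 16-byte fields, one variable field.
    fields = ["GRAPHIC:EAGLE-01", "METER:0012345678", "ZIP:06484-000000",
              "DATE:1998-01-15 ", "POSTAGE:" + postage]
    return "".join(fields).encode()

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def ecb(key: bytes, data: bytes) -> list:
    # Every block is encrypted independently: equal input, equal output.
    data = pad(data)
    return [toy_encrypt_block(key, data[i:i + BLOCK])
            for i in range(0, len(data), BLOCK)]

def chained(key: bytes, data: bytes) -> list:
    # Each block is XORed with the previous ciphertext block; the first
    # block uses a fresh random IV, so repeated input does not repeat.
    data, prev, out = pad(data), os.urandom(BLOCK), []
    for i in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = toy_encrypt_block(key, mixed)
        out.append(prev)
    return out

def matching_blocks(a: list, b: list) -> int:
    # Ciphertext blocks that are identical at the same position.
    return sum(1 for x, y in zip(a, b) if x == y)

if __name__ == "__main__":
    first, second = indicia("00000.32"), indicia("00002.90")
    print("ECB matches:", matching_blocks(ecb(KEY, first), ecb(KEY, second)))
    print("chained matches:",
          matching_blocks(chained(KEY, first), chained(KEY, second)))
```

Under ECB, every block except the one carrying the postage amount is identical across the two streams, which is the regularity a code book is compiled from.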
Therefore, there is a need for a postage printing system including a postage meter and a printer in communication with but physically separate from the postage meter that provides for increased security of the print data that is transmitted from the postage meter to the printer.