The present invention relates generally to a method for verifying indicia and, more particularly, to such method for verifying information-based indicia.
The Information-Based Indicia Program (IBIP) is a distributed trusted system proposed by the United States Postal Service (USPS). The IBIP requires printing large, high density, two dimensional (2-D) bar codes on mailpieces. The Postal Service expects the IBIP to provide cost-effective assurance of postage payment for each mailpiece processed. However, such assurance will only be as good as the verification process within the IBIP.
The vast majority of the Posts around the world demand prepayment for postal services. This allows the Posts to avoid the substantial costs associated with collecting, processing and distributing billing data, as well as costs of remittance processing and collection for billions of mailers. Prepayment, however, necessitates that individual mailpieces carry verifiable evidence of paid postage. The familiar postage stamp is a prime example of such evidence. Although postage stamps are good for many applications they suffer from shortcomings. They are costly to produce and distribute and are subject to theft. For moderate to larger volume mailings postage stamps are difficult to apply and slow the process. Further, stamps do not provide information such as date and place of mailing and provide limited postal revenue security.
Arthur Pitney invented the first postage meter in 1902 to alleviate some shortcomings of postage stamps. The postage meter was a mechanical device with securely coupled printing and accounting functions. The mechanical meter, perfected over the years, became a widespread basic business machine; many are still in service. The accounting and machine control functions were computerized in the late seventies, after the invention of the microprocessor. This enabled new features, including departmental accounting and computerized meter resetting. The fundamental security of postage evidencing remained the same.
Postal revenue security in the analog postage meter depends on two features: (a) physical security of the printing process, i.e., printing of postage evidence can not occur without appropriate accounting, and (b) forensic detectability, i.e., fraudulent postal indicia can be distinguished from legitimate indicia.
Coupling the printing and accounting mechanism within a secure tamper evident device provides physical security of printing. Inspection of the device normally reveals tampering. The effectiveness of forensic detectability of fraudulent postal indicia depends on non-availability of alternative mechanisms suitable for forging indicia. Before the proliferation of inexpensive, high print quality computer-driven digital printers, serious attempts to generate fraudulent indicia using an alternate printing mechanism were detectable.
Recent availability of inexpensive computer-driven printers provides opportunities for customer convenience and cost advantages for printing postage evidence. This requires a new way of securing postage, such as disclosed in U.S. Pat. Nos. 4,641,347, 4,641,346, 4,757,537, and 4,775,246, which provide that the security of postage evidencing depends on the security of the information printed in the indicium, including message authentication and integrity. This idea is extended to unsecured printing of postage as disclosed in U.S. Pat. Nos. 4,831,555 and 4,725,718, which provide that at least some of the information in the indicium must appear random to a party not in possession of some secret. This random looking information is referred to as a digital token.
The basis of postal revenue security in the digital printing world is two new requirements: (a) security of the digital token generating process, i.e., digital tokens can not be generated without appropriate accounting, and (b) automatic detectability, i.e., fraudulent digital tokens can be detected by automatic means.
A cryptographic transformation applied to data appearing in the indicium produces the digital token. The data elements, referred to as input postal data or simply postal data, may include postage value, date, register values, postal code of the geographical deposit area, recipient address information and piece count. The secret used to generate the token is generally a cryptographic key held within the device. The digital token is validated, i.e., verification that accounting for the postage value printed in the indicium has been properly done, by a verifier with access to a key matching the accounting device secret. Several cryptographic algorithms and protocols have been considered for this purpose. U.S. Pat. No. 4,853,961 describes critical aspects of using public key cryptography for mailing applications.
Verification of Information-Based Indicia (IBI) is the process of proving that the postage evidenced on each IBI mailpiece has been paid. The digital signature scheme proposed for the IBI system provides a secure method of proving the validity, specifically the integrity and authenticity, of the data within the indicium. However, this capability alone does not rule out all potential fraud attempts. A thorough verification system must account for cases where the indicium bar code is unreadable and must be able to detect duplicate mailpieces.
The generation of unreadable indicia bar codes is an attractive method of fraud. This attack circumvents the cryptographic security and tracking features of the IBI system. However, due to the difficulties inherent in printing large, high density, 2-D bar codes on mail it is likely that many honest mailers will also print a significant number of unreadable, but legitimate mailpieces. Thus, since there will probably be a large volume of such pieces, unreadable mail cannot arbitrarily be returned to the sender, nor can it automatically be suspected of fraud. Therefore, every effort must be made to correctly read as many mailpieces as possible.
Duplicate mailpieces pose another serious threat. For cases where the indicium does not involve destination address information, there is no relationship between the indicium data and a particular mailpiece, so a simple copy of an indicium will produce multiple mailpieces with cryptographically valid indicia. The only defense against this attack is to maintain a database of mailpieces at each mail processing facility. For computer-based systems, the destination address is cryptographically tied to the indicium data; thus, the potential benefit of a simple copy attack is limited. However, enforcement of this cryptographic link requires that the destination postal code specified in the indicium is the same as the address to which the mailpiece is actually delivered. This requires that the machine readable and human readable address information be checked to ensure that they agree with the destination address specified in each indicium.
Another complication with duplicate indicia is the determination of which mailpiece is legitimate and which is the fraud. While in some cases a mailer may naively copy indicia from his or her own postal security device (PSD), it is more likely that a sophisticated attacker will copy indicia data from other mailpieces. In these cases the verification system cannot necessarily determine which mailpiece is fraudulent, but it must make an effort to record sufficient mailpiece information for investigators to pursue the culprit.
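The following is an added example, not part of the patent text, that models the digital token of the preceding paragraphs and the facility database used against copy attacks. It assumes a shared symmetric key and uses HMAC-SHA256 as the keyed transformation (the text names no algorithm), a fixed serialization of the postal data fields listed above, a truncated token, and constructed sample values; the PSD_KEY, FacilityDatabase and status strings are this example's own inventions.

```python
import hashlib
import hmac

# Constructed sample secret: in a real PSD the key never leaves the tamper-evident device
# and the verifier holds a matching key (assumed here to be the same symmetric key).
PSD_KEY = b"constructed-psd-secret-0001"

# Input postal data fields named in the text, serialized in a fixed order so the PSD and
# the verifier transform exactly the same bytes.
POSTAL_FIELDS = ("psd_id", "postage_cents", "date", "ascending_register",
                 "descending_register", "dest_postal_code", "piece_count")

# Constructed sample indicium data.
SAMPLE_POSTAL_DATA = {"psd_id": "1203456", "postage_cents": 32, "date": "2024-01-15",
                      "ascending_register": 1234567, "descending_register": 98765,
                      "dest_postal_code": "90210", "piece_count": 42}


def canonical(postal_data: dict) -> bytes:
    return "|".join(f"{k}={postal_data[k]}" for k in POSTAL_FIELDS).encode()


def generate_token(postal_data: dict, key: bytes) -> str:
    """Digital token: a keyed transformation of the postal data, truncated so it fits in
    the indicium. HMAC-SHA256 stands in for whatever algorithm a real PSD uses."""
    return hmac.new(key, canonical(postal_data), hashlib.sha256).hexdigest()[:16]


def verify_token(postal_data: dict, token: str, key: bytes) -> bool:
    return hmac.compare_digest(generate_token(postal_data, key), token)


class FacilityDatabase:
    """Per-facility record of indicia already processed: the only defence against a
    plain copy of a valid indicium."""

    def __init__(self):
        self.seen = {}        # token -> every mailpiece record carrying it
        self.suspects = []    # records kept for investigators

    def process(self, postal_data: dict, token: str, delivered_postal_code: str,
                key: bytes) -> str:
        record = {"postal_data": dict(postal_data), "token": token,
                  "delivered_to": delivered_postal_code}
        if not verify_token(postal_data, token, key):
            self.suspects.append({**record, "reason": "invalid token"})
            return "invalid"
        # Enforce the cryptographic link between the indicium and the delivery address.
        if postal_data["dest_postal_code"] != delivered_postal_code:
            self.suspects.append({**record, "reason": "destination mismatch"})
            return "destination_mismatch"
        if token in self.seen:
            # The verifier cannot tell which copy is the fraud, so every copy is recorded.
            self.seen[token].append(record)
            self.suspects.append({**record, "reason": "duplicate",
                                  "copies": len(self.seen[token])})
            return "duplicate"
        self.seen[token] = [record]
        return "accepted"
```

Processing the same token twice yields "duplicate" with both records retained; altering any postal data field invalidates the token, and a valid indicium delivered to a postal code other than the one it names is flagged rather than accepted.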
If the data in an indicium is unreadable, the validity of the indicium cannot be verified, and any special services requested and paid for by the mailer cannot be performed. This situation also presents the potential for either fraud or the effective loss of postal customer funds. In an attempt to minimize these effects, every attempt must be made to ensure accurate reading of the indicium data. It has been found that the information in an IBI indicium that is unreadable in a normal verification process may be determined in accordance with the present invention. Such "reading" of unreadable indicia is aided by the significant redundancy naturally occurring within the indicium.
The present invention provides a method for verifying an unreadable information-based indicium generated by a postal security device (PSD) for an information-based indicium comprising a 2-D bar code, certain human-readable information, a digital signature and a certificate. The method comprises the steps of attempting to read the 2-D bar code using sophisticated digital image processing when the 2-D bar code is not readable during normal processing; and continuing normal processing when the 2-D bar code is readable with the sophisticated digital image processing. When the 2-D bar code is still not readable, two independent processes are used to determine the indicium certificate. A first process includes reading human readable information by optical character recognition using context, syntax, and redundancy in the human readable information to obtain an identification number of the PSD (PSD-ID); and using the PSD-ID to look up in a certificate database a certificate corresponding to the information-based indicium. A second process includes interpreting partial bar code data and extracting a "best guess" of the certificate. Computing a hash of the best guess provides a preferred method of searching the certificate database for the closest matching certificate. The method further comprises merging data obtained from the two processes and attempting to reconstruct bar code data from the merged data. Error correction code can handle more errors in the variable bar code data if the errors in the fixed data are corrected by reference to an external source. If the merged data is sufficient, an attempt is made to verify the digital signature obtained from the merged data. If the signature is verified, normal processing is resumed. If the merged data is insufficient or if the signature is not verified, a suspect mailpiece record is created.
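The following is an added example, not part of the patent text, that walks the recovery method of the preceding paragraph on a simulated partially read bar code: PSD-ID from noisy OCR with syntax and redundancy, a hashed best guess of the certificate against the certificate database, merging, error correction that has more budget once the fixed data is filled in from the database, signature verification, and a suspect record otherwise. Everything about the layout is assumed: the bar code is modelled as fixed certificate bytes, 12 variable bytes, one XOR parity byte (an erasure-correcting code that stands in for the unspecified error correction code) and an 8-byte HMAC-SHA256 tag standing in for the digital signature; the certificate database, the OCR confusion table, the "ID printed twice" redundancy and all sample values are constructed for this example.

```python
import functools
import hashlib
import hmac
import re
from operator import xor
from typing import Optional

# Constructed certificate database standing in for the Postal Service certificate store. A
# certificate is modelled as PSD-ID plus verification key (HMAC stands in for a signature).
CERT_DB = {pid: {"psd_id": pid, "key": f"constructed-key-{pid}".encode()}
           for pid in ("1203456", "1203457", "9900001")}
CERT_LEN, VAR_LEN, SIG_LEN = 15, 12, 8   # assumed layout: fixed | variable | parity | signature
SAMPLE_VARIABLE = b"003220240115"        # constructed: postage 0032, date 20240115
SAMPLE_OCR = ["US POSTAGE $00.32", "PSD-ID: 12O3456", "Jan 15 2024  PSD 1203456"]
OCR_FIXES = str.maketrans("OolISB", "001158")   # constructed OCR confusion table


def cert_bytes(cert) -> bytes:
    """Fixed portion of the bar code: PSD-ID plus a key fingerprint (assumed encoding)."""
    return cert["psd_id"].encode() + hashlib.sha256(cert["key"]).digest()[:8]


CERT_BY_HASH = {hashlib.sha256(cert_bytes(c)).hexdigest(): c for c in CERT_DB.values()}


def sign(cert, variable: bytes) -> bytes:
    return hmac.new(cert["key"], cert_bytes(cert) + variable, hashlib.sha256).digest()[:SIG_LEN]


def encode_indicium(cert, variable: bytes) -> bytes:
    parity = functools.reduce(xor, variable, 0)   # XOR parity corrects exactly one erasure
    return cert_bytes(cert) + variable + bytes([parity]) + sign(cert, variable)


def damage(payload: bytes, erased) -> list:
    """Model a partially read bar code: None where the reader could not recover a byte."""
    return [None if i in erased else b for i, b in enumerate(payload)]


def psd_id_from_ocr(lines) -> Optional[str]:
    """Process 1: PSD-ID from OCR text using syntax (7 digits after 'PSD'), character-class
    correction, the redundancy of the ID appearing twice, and the certificate database."""
    reads = []
    for line in lines:
        m = re.search(r"PSD\D*([0-9OolISB]{7})", line)
        if m and m.group(1).translate(OCR_FIXES) in CERT_DB:
            reads.append(m.group(1).translate(OCR_FIXES))
    return reads[0] if reads and len(set(reads)) == 1 else None


def cert_from_partial(partial) -> Optional[dict]:
    """Process 2: best guess of the certificate from the partially read fixed region."""
    fixed = partial[:CERT_LEN]
    best_guess = bytes(0 if b is None else b for b in fixed)
    hit = CERT_BY_HASH.get(hashlib.sha256(best_guess).hexdigest())   # hash lookup first
    if hit:
        return hit
    # Closest match: every readable byte must agree, and the match must be unique.
    def conflicts(c):
        return sum(1 for got, want in zip(fixed, cert_bytes(c)) if got is not None and got != want)
    matches = [c for c in CERT_DB.values() if conflicts(c) == 0]
    return matches[0] if len(matches) == 1 else None


def merge_and_correct(partial, cert):
    """Fill fixed data from the external source, then spend the parity on variable data."""
    data = list(partial)
    data[:CERT_LEN] = list(cert_bytes(cert))
    var, parity, sig = data[CERT_LEN:CERT_LEN + VAR_LEN], data[CERT_LEN + VAR_LEN], data[CERT_LEN + VAR_LEN + 1:]
    missing = [i for i, b in enumerate(var) if b is None]
    if len(missing) == 1 and parity is not None:
        var[missing[0]] = functools.reduce(xor, (b for b in var if b is not None), parity)
        missing = []
    if missing or None in sig:
        return None
    return bytes(var), bytes(sig)


def verify_unreadable(partial, ocr_lines) -> dict:
    cert_a = CERT_DB.get(psd_id_from_ocr(ocr_lines) or "")
    cert_b = cert_from_partial(partial)
    cert = None if (cert_a and cert_b and cert_a is not cert_b) else (cert_a or cert_b)
    if cert is None:
        return {"status": "suspect", "reason": "certificate undetermined"}
    merged = merge_and_correct(partial, cert)
    if merged is None:
        return {"status": "suspect", "reason": "insufficient data", "psd_id": cert["psd_id"]}
    var, sig = merged
    if hmac.compare_digest(sign(cert, var), sig):
        return {"status": "verified", "psd_id": cert["psd_id"], "variable": var}
    return {"status": "suspect", "reason": "signature failed", "psd_id": cert["psd_id"]}
```

With nine of the fifteen fixed bytes and one variable byte erased, the partial bar code alone is ambiguous between two certificates, the OCR process settles it, the fixed bytes are restored from the database, and the single parity byte is then enough to recover the erased variable byte and verify the signature; two variable erasures exceed the parity's budget and produce a suspect record, as does a tampered variable byte.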