1. Field of the Invention
The present invention is directed to a method for protecting a security module and to an arrangement for the implementation of the method, particularly a postal security module suitable for use in a postage meter machine or mail-processing machine or a computer with mail-processing capability.
2. Description of the Prior Art
Modern postage meter machines, such as the thermal transfer postage meter machine disclosed in U.S. Pat. No. 4,746,234, utilize a fully electronic, digital printer. It is thus fundamentally possible to print arbitrary texts and special characters in the franking imprint printing field and an advertising slogan that is arbitrary or allocated to a cost center. For example, the postage meter machine T1000 of the Francotyp-Postalia AG & Co. has a microprocessor that is surrounded by a secured housing that has an opening for the delivery of a letter. When a letter is supplied, a mechanical letter sensor (microswitch) communicates a print request signal to the microprocessor. The franking imprint contains previously entered and stored, postal information for conveying the letter. The control unit of the postage meter machine undertakes an accounting controlled by software, exercises a monitoring function, possibly with respect to the conditions for a data updating, and controls the reloading of a postage credit.
U.S. Pat. No. 5,606,508 (corresponding to German OS 42 13 278) and U.S. Pat. No. 5,490,077 disclose a data input, such as with chip cards, for the aforementioned thermal transfer postage meter machine. One of the chip cards loads new data into the postage meter machine, and a set of further chip cards allows a setting of correspondingly stored data to be undertaken by plugging in a chip card. The data loading and the setting of the postage meter machine can thus ensue more comfortably and faster than by keyboard input. A postage meter machine for franking postal matter is equipped with a printer for printing the postage value stamp on the postal matter, with a controller for controlling the printing and the peripheral components of the postage meter machine, with a debiting unit for debiting postal fees, with at least one non-volatile memory for storing postage fee data, with at least one non-volatile memory for storing security-relevant data and with a calendar/clock. The non-volatile memory of the security-relevant data and/or the calendar/clock is usually supplied by a battery. In known postage meter machines, security-relevant data (cryptographic keys and the like) are secured in non-volatile memories. These memories are EEPROM, FRAM or battery-protected SRAM. Known postage meter machines also often have an internal real time clock RTC that is supplied by a battery. For example, potted modules are known that contain integrated circuits and a lithium battery. After the expiration of the service life of the battery, these modules must be replaced as a whole and disposed of. For economical and ecological reasons, it is more beneficial If only the battery needs to be replaced. To that end, however, the security housing must be opened and subsequently re-closed and sealed since security against attempted fraud is based essentially on the secured housing that surrounds the entire machine.
European Application 660 269 (U.S. Pat. No. 5,671,146), disclose a suitable method for improving the security of postage meter machines wherein a distinction is made between authorized and unauthorized opening of the security housing.
Repair of a postage meter machine is possible only with difficulty on site where the access to the components is rendered more difficult or limited. Given larger mail-processing machines or devices known as PC frankers, the protected housing in the future will be reduced only to the postal security module. This can improve accessibility to the other components. It would be extremely desirable for economic replacement of the battery for this to be replaced in a relatively simple way. The battery, however, would then be located outside the security area of the postage meter machine. When the battery posts are made accessible from the outside, however, a possible tamperer is able to manipulate the battery voltage. Known battery-supply SRAMs and RTCs have different demands with respect to their required operating voltage. The necessary voltage for holding data of SRAMs is below the required voltage for the operation of RTCs. This means that a reduction of the voltage below a specific limit value leads to an undesired behavior of the component: the RTC stands still and the time of day—stored in SRAM cells—and the memory contents of the SRAM are preserved. At least one of the security measures, for example long time watchdogs, would then be ineffective at the side of the postage meter machine. For a long time watchdog, the remote data center prescribes a time credit or a time duration, particularly a plurality of days or a specific day, by which the franking device should report via a communication connection. After the time credit is exhausted or after the term expires, franking is prevented. European Application 660 270 (U.S. Pat. No. 5,680,463) disclose a method for determining the presumed time duration up to the next credit reloading, and a data center considers any postage meter machine suspicious that does not report in time. Suspicious postage meter machines are reported to the postal authority, which monitors the mail stream of letters franked by suspicious postage meter machines. An expiration of the time credit or of the deadline is also already determined by the franking device and the user is requested to implement the overdue communication.
Security modules are already known from electronic data processing systems. For protection against break-in into an electronic system, European Patent 417 447 discloses a barrier that contains a power supply and a signal acquisition circuit as well as shielding in the housing. The shielding is composed of an encapsulation and electrical lines to which the power supply and signal acquisition circuits are connected. The latter reacts to a modification of the line resistance of the lines. Moreover, the security module contains an internal battery, a voltage switch-over from system voltage to battery voltage and further functional units (such as power gate, short-circuit transistor, memories and sensors). The power gate reacts when the voltage falls below a specific limit. When the line resistance, the temperature or the emission are modified, the logic reacts. The output of the short-circuit transistor is switched to a low logic level with the power gate or with the logic, resulting in a cryptographic key stored in the memory being erased. However, the service life of the non-replaceable battery, and thus of the security module, is too short for use in franking devices or mail-processing machines.
For example, JetMail®, which is commercially available from Francotyp-Postalia AG & Co. is a larger mail-processing machine. Here, a franking imprint is produced with a stationarily arranged ink jet print head with a non-horizontal, approximately vertical, letter transport. A suitable embodiment for a printer device is disclosed in German PS 196 05 015. The mail-processing machine has a meter and a base. If the meter is to be equipped with a housing which allows components to be more easily accessible, then it must be protected against attempted fraud by a postal security module that implements at least the accounting of the postage fees. In order to preclude influence on the program run, European Application 789 333 discloses equipping a security module with an application circuit (ASIC) that contains a hardware accounting unit. The application circuit (ASIC) also controls the print data transmission to the print head.
This approach would not be required if unique imprints were produced for each piece of mail. A method and arrangement for fast generation of a security imprint is disclosed, for example, by U.S. Pat. Nos. 5,680,463, 5,712,916 and 5,734,723. A specific security marking is thereby electronically generated and embedded into the print format.
Further measures for protecting a security module against tampering with the data stored therein are disclosed in German applications 198 16 572.2 and 198 16 571.4. The power consumption increases due to the use of a number of sensors, and a security module not constantly supplied by a system voltage then draws the current required for the sensors from its internal battery, which likewise prematurely drains the battery. The capacity of the battery and the power consumption thus limit the service life of a security module.
Like many other products, postage meter machines are modularly constructed. This modular structure enables the replacement of modules and components for various reasons. Thus, for example, malfunctioning modules can be removed and replaced by checked, repaired or new modules. Since extreme care is required in the replacement of an assembly that contains security-relevant data, the replacement usually requires a service technician and measures that, given improper use or unauthorized replacement of a security module, suppress the functioning thereof. Such measures are extremely complicated.