One example of a value printing system is a postage evidencing system including an electronic postage meter and a printer for printing a postal indicia on an envelope or other mailpiece. Electronic postage meters for dispensing postage and accounting for the amount of postage used are well known in the art. The meter supplies evidence of the postage dispensed by printing indicia which indicates the value of the postage on an envelope or the like. The typical postage meter stores accounting information concerning its usage in a variety of registers. An ascending register tracks the total amount of postage dispensed by the meter over its lifetime. That is, the ascending register is incremented by the amount of postage dispensed after each transaction. A descending register tracks the amount of postage available for use. Thus, the descending register is decremented by the amount of postage dispensed after each transaction. When the descending register has been decremented to some value insufficient for dispensing postage, then the postage meter inhibits further printing of indicia until the descending register is resupplied with funds.
Traditionally, the postage meter and the printer have been located within a single secure housing. Examples of this type of postage evidencing system are the PostPerfec.TM. and Personal Post Office.TM. available from Pitney Bowes, Inc. of Stamford, Connecticut, USA. In this environment, the communications between the postage meter and the printer may be either secure or nonsecure. However, recently efforts have been undertaken to provide a postage meter and a printer which are physically separated from each other. Thus, in this type of postage evidencing system, the postage meter and the printer are no longer contained within the same secure housing and the communication lines between the postage meter and the printer are generally nonsecure.
Using nonsecure communication lines between the postage meter and the printer creates a risk of loss of postal funds through fraud. For example, when data necessary to print a valid postal indicia is transferred over the nonsecure communication lines from the postage meter to the printer, it is susceptible to interception, capture and analysis. If this occurs, then the data may be retransmitted at a latter time back to the printer in an attempt to fool the printer into believing that it is communicating with a valid postage meter. If successful, the result would be a fraudulent postage indicia printed on a mailpiece without the postage meter accounting for the value of the postage indicia.
Generally, it is known to employ secret cryptographic keys in postage evidencing systems to prevent such fraudulent practices. This is accomplished by having the postage meter and the printer authenticate each other prior to any printing taking place. One such system is described in U.S. patent application Ser. No. 08/579,507, filed on Dec. 27, 1995, and entitled METHOD AND APPARATUS FOR SECURELY AUTHORIZING PERFORMANCE OF A FUNCTION IN A DISTRIBUTED SYSTEM SUCH AS A POSTAGE METER (E-476). In summary, this application provides a postage evidencing system including a meter and a printer each having an identical set of authentication keys stored in their respective memories. On a random basis, the printer and the meter in secret fashion coordinate the selection of which authentication key will be used to perform mutual authentication. Importantly, if a valid mutual authentication is to be obtained, it is necessary that the same key is selected for use by the meter and the printer.
Although this system generally works well, it suffers from certain disadvantages and drawbacks. For example, the set of authentication keys are the same for every postage evidencing system. That is, the set of authentication keys are universal in that they will operate with any postage evidencing system. Thus, if one postage evidencing system is compromised, then the other postage evidencing systems are also compromised.
To address this problem, other prior art postage evidencing systems have proposed a different system which provides a unique set of authentication keys for each postage meter and printer combination. In this arrangement, if one postage evidencing system is compromised, then the other postage evidencing systems are not compromised. However, the postage meter and the printer are dedicated to each other because each particular postage meter is tied to only one printer, and vice versa. Thus, interchangeability of components, such as using the same postage meter with a plurality of different printers or replacing a defective printer in the postage evidencing system, is difficult due to the necessity of reconfiguring the meter and the printer to each other. This would require updating of the authentication key sets which would increase costs and operating expenses.
Therefore, there is a need for a postage evidencing system that reduces the exposure of universal keys and allows for the interchangeability of postage meters with printers.