This application relates generally to a security system for electronic devices and more specifically to a security system for an electronic calculating device such as an electronic postage meter.
Electronic postage meters are well known devices for imprinting postage impressions of desired value directly on an article to be mailed or on an adherent tape to be affixed to the article. Such meters commonly include a keyboard for the entry of postage information to be printed, a display for displaying postage information to be printed, one or more microprocessors and peripheral circuits for controlling various meter functions and operations including the entry of data to the registers and activation of a printing mechanism, an electronic accounting device including internal memory registers for maintaining accounting information and a printing mechanism for imprinting the postage information. The accounting information maintained in the memory registers may include a control total representing the total amount of postage paid for, an ascending balance representing the total amount of postage printed and expended and a descending balance representing the total balance of postage remaining.
Prior to using a meter, a user must purchase a fixed amount of postage from the postal service. The term "postal service" as used herein means either the United States Postal Service or an authorized private mail carrier. A postal service agent or employee alters the contents of the internal memory register to reflect the amount of postage paid for and sets or increases the control total and descending balance so as to reflect the total amount of postage purchased. In order to use the meter, the user selects a postage value to be imprinted and activates the postage printing mechanism. The postage meter may be used continuously until the descending balance reaches a pre-determined minimum (i.e. until the postage paid for has been exhausted or has reached a pre-determined minimum threshold value required for operation).
Since the accounting information represents the equivalent of money, it is apparent that stringent security safeguards are necessary to protect this information. In particular, the security safeguards must insure that all postage printed must be paid for. For this reason the printing actuating mechanism and the accounting registers are located within a secured housing and access thereto is restricted, in general, to postal service employees. Additional security in electronic postage meters is provided by programmed safeguards employed in the operation of the system. Such safeguards are shown and described in U.S. Pat. No. 3,938,095 issued Feb. 10, 1976 and U.S. Pat. No. 3,978,457 issued Aug. 31, 1976, both of which patents are assigned to the assignee of the present invention. European patent publication No. 0019515 published Nov. 26, 1980 also describes such safeguards. Such programmed safeguards do not form part of this invention and are not further described.
Electronic postage meters inherently rely for their operation on continuous electric power and interruption in such power including either a loss of electric power, a decrease in the electric power below a required minimum line voltage or a fluctuation in the power can threaten the security of electronic postage meters in at least two ways. First, the electronic memory registers which retain the accounting information usually require continuous power for their operation and thus a power interruption can result in a loss of accounting information. Second, a power interruption can affect the operation of the logic and control circuit elements within the meter such that their operation is erratic thus resulting in entry of erroneous data to the memory registers. Accordingly, as a further security safeguard, a separate and redundant set of memory registers in the form of a nonvolatile memory is provided, which nonvolatile memory does not rely on continuous power and thus retains the accounting information even though a power interruption occurs. Such nonvolatile memories may be inherently nonvolatile such as a semiconductor bubble memory or may rely on an auxiliary power source such as a battery. In this manner accounting data is maintained even in the event of a power interruption. As noted, the accounting information has a value similar to that of money and thus the accounting data maintained in the nonvolatile memory is maintained in a secured housing and may be accessed only by postal employees during normal operation.
When the descending balance reaches a pre-determined minimum, the postage meter must be recharged, that is control data and descending register data must be reset to reflect an increase in the amount of postage paid for. This is done at the postal service facility by postal service agents or employees or by a remote resetting mechanism such as that shown and described in U.S. Pat. No. 4,097,923 issued June 27, 1978 and assigned to the assignee of the present invention.
Access to the accounting information is provided through the keyboard or display circuit and through an auxiliary communication channel accessible by an electronic probe connector. However, in view of the security safeguards required as noted above, the access to the accounting information contained in the registers must be made at a postal service facility. As a result, a problem occurs where a malfunction in a meter occurs in circuits peripheral to the nonvolatile memory such as the microprocessor control circuits, power supply or isolation circuits. In such a case immediate access to the memory registers is not possible at the postal service location and the meter must be returned to a repair facility for repair prior to subsequent read out of the postage funds balance from the register at a postal service facility. As a result a substantial period of time elapses during which the customer does not have access to the postage funds he has paid for and which remain on his control total and descending balance in the registers contained in his inoperative meter. It would be desirable to access the accounting information in the event of such a malfunction and transfer it immediately into a replacement meter thus providing the customer with substantially immediate access to his postage funds balance.
Accordingly, an auxiliary communication channel is provided containing read access lines to the nonvolatile memory. Access to this communication channel is provided through a sealed access aperture or door, which provides tampering and electromagnetic interference protection, but is designed for operation on a single occasion only. Access through the door precludes further normal meter operation by deactivating the meter in such a manner that reactivation is not possible without destruction of the meter housing. Thus, the customer has immediate access to his postage funds while protection of the data and prevention of unauthorized alteration of the postage funds balance as well as unauthorized use of the meter and in particular its printing mechanism is achieved.
It will be understood that, although the present invention is described in conjunction with a preferred electronic postage meter embodiment, the invention is applicable to other electronic calculating devices employing a secured housing enclosing and preventing access to an electronic control circuit and nonvolatile memory containing accounting data such as voting machines, parimutual machines, and electronic franking machines.