In prior art, a postal security device (PSD) is used in a franking system for storing a fund therein for postage dispensation. When the stored fund runs out, a data center needs to be contacted to download more funds into the PSD such that it cah continue to issue postage. Because of the sensitive nature of the communications between the PSDs and the data center, which involves the transfer of funds, the critical funds-related communications are typically encrypted and/or cryptographically signed.
For example, each PSD contains a private/public key set in accordance with a well known cryptographic methodology. The private key of each PSD is used to encrypt and cryptographically sign a message to be sent to the data center, which has knowledge of each PSD's public key. The data center decrypts and verifies the authenticity of the message using the public key associated with the particular PSD. The resulting cleartext message may contain, among others, a request for additional funds to be downloaded into the PSD. The data center then sends a response message to the PSD authorizing the further issuance of postage (i.e. downloading funds to the PSD). It is also typical that such a response message is cryptographically signed by the data center. To that end, the data center has at least one private key therein to sign the response message. The public key corresponding to such a private key is known by the PSDs served by the data center, and is used by the PSDs to authenticate the response message.
To prevent fraud and to ensure a secure environment, it is desirable that the private key of the data center be kept secret. Specifically, the private key is securely maintained in a module known as a security device (SD), which may be a secured personal computer (PC), in the data center. However, in the event of a loss of the private key, such as through tampering or equipment failure, absent any way to recover the key, it would be necessary to recall each PSD served by the data center to reprogram the PSD with a public key corresponding to the data center's new private key.
It is therefore desirable to provide a methodology to back up and recover the data center's private key which is secret in a secure manner which does not require divulgence of all or part of the private key.