Value dispensing systems such as postage meters, tax meters, insurance certificate meters, lottery machines, and ticket dispensing devices, are well known in the art. Each of the aforementioned value dispensing systems typically print an indication of value together with the time and date that the indication of value was printed. The printed time and date provides an indication as to the validity of the value dispensed. For example, if an insurance certificate is printed with a certain time and date, it prevents the certificate holder from filing an insurance claim for activities prior to the printed date. Moreover, in postage meters, it is known to print a postal indicia together with the time and date it was printed as well as with additional encrypted information. The encrypted information often utilizes the time and date information as data for the encryption algorithms which produce the encrypted information. The encrypted information can then be decrypted by an appropriate validating authority to determine if the printed postal indicia is a valid postal indicia.
In addition to the validation aspects discussed above, the use of an internal real time clock in a value dispensing mechanism is also often required to initiate and complete certain key maintenance activities in the value dispensing mechanism based on the actual time and date (i.e. day, month, year). For example, in a postage meter which uses an ink jet printer, the initiation and ending of maintenance functions associated with the purging, vacuuming and wiping of the printhead are often tied to a particular time of day or associated with a predetermined period of time that has elapsed since the last maintenance action. In the event that a secure real time clock is not utilized, improper maintenance of the printhead could occur resulting in a shortened printhead operational life.
Furthermore, in postage metering systems, it is often desirable to ensure that the postage meter user operatively connects the postage meter to a remote data center on a periodic basis of, for example, three months, so that the postal authority or the meter manufacturer can remotely inspect the meter. That is, by requiring a periodic remote inspection, the data center can query the individual meter to get certain information about its usage such as the data in appropriate accounting registers. This inspection data can then be analyzed by the postal authority to determine if any potential tampering of the meter has occurred.
In summary, the security of the internal clock of a value dispensing mechanism may be very important for a variety of reasons including indicia validation, detecting potential security breaches, and for ensuring timely maintenance. Thus, if the internal real time clock of the value dispensing mechanism can be changed by any user thereof with no use restrictions, either a potential misuse of the value dispensing mechanism can be achieved by the fraudulently changing the clock date and time (such as to get the benefit of a lower postal rate in the event there is a rate change occurring on a certain day) or, alternatively, failure of certain components of the value dispensing mechanism may occur if preprogrammed maintenance operations which are initiated and ended based on the internal real time clock are not accomplished or not timely accomplished because of an inappropriate resetting of the real time clock by the user.
One approach to solving the above mentioned problems would simply be to prevent the user from having any capability whatsoever of resetting the internal real time clock subsequent to its initial setting at the manufacturing facility of value dispensing mechanism. However, this would require the use of a physically secure clock chip which includes its own internal battery-backed power source which is guaranteed to last for example, ten years, or beyond the anticipated life of the value dispensing mechanism. However, in the case of a postage meter some adjustment of the real time clock mechanism may still be required to permit the changing of the clock to accommodate such things as daylight savings time, or the time zone changes associated with the movement of the meter from one time zone within a country or possibly even to another country in a different time zone. If the value dispensing mechanism is set up such that the user cannot adjust the clock mechanism when any of the above situations occur, it would require sending the meter back to the manufacturer for such changes. This obviously would be inconvenient for the user. Thus, a compromise must be struck between the security required for the internal real time clock relative to preventing unauthorized changing of its settings and the need for the user to be able to set the real time clock as required. Furthermore, in the field of postage meters, the United States Postal Service has recently issued new indicia based program specifications which will require that each meter have a secure clock mechanism incorporated therein. Therefore, those meters currently in the field which do not have a secure clock may need to be retrofitted to provide some form of clock security which is satisfactory to the United States Postal Service. However, the retrofit solution for such postage meter systems needs to be one that can be implemented quickly, easily, and at a low cost.
Another problem associated with postage metering systems that use a battery backup to keep the real time clock running when the primary source of power has been disconnected is that if the battery backup fails, the real time clock will have the wrong time. Accordingly, it is desirable to ensure that in the event the battery backup fails, the real time clock must be reset in a secure manner prior to permitting operation of the postage metering system.