EP0388840A2 - Security extension procedure for electronic remote setting meter - Google Patents


Publication number
EP0388840A2
EP0388840A2 EP90105118A EP90105118A EP0388840A2 EP 0388840 A2 EP0388840 A2 EP 0388840A2 EP 90105118 A EP90105118 A EP 90105118A EP 90105118 A EP90105118 A EP 90105118A EP 0388840 A2 EP0388840 A2 EP 0388840A2
Authority
EP
European Patent Office
Prior art keywords
meter
code
entry
security
remote setting
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
EP90105118A
Other languages
German (de)
French (fr)
Other versions
EP0388840A3 (en)
EP0388840B1 (en)
Inventor
John Gregory Haines
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Quadient Technologies France SA
Original Assignee
Neopost Technologies SA
Alcatel Satman SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Current legal status: Revoked

Classifications

    • G07F7/1016: Devices or methods for securing the PIN and other transaction-data, e.g. by encryption
    • G07B17/0008: Communication details outside or between apparatus
    • G07B17/00733: Cryptography or similar special procedures in a franking system
    • G07C9/33: Individual registration on entry or exit not involving the use of a pass in combination with an identity check by means of a password
    • G07B2017/00161: Communication details outside or between apparatus for sending information from a central, non-user location, e.g. for updating rates or software, or for refilling funds
    • G07B2017/00169: Communication details outside or between apparatus for sending information from a franking apparatus, e.g. for verifying accounting
    • G07B2017/00419: Software organization, e.g. separation into objects
    • G07B2017/0083: Postal data, e.g. postage, address, sender, machine ID, vendor
    • G07B2017/00935: Passwords

Definitions

  • The security lock code and the security clear code are generated by an encryption routine, stored both in the meter ROM and in the data center computer.
  • The encryption routine is a nonlinear algorithm that generates a number that is apparently random to an outside person.
  • The encryption routine is performed by an encryption program in combination with a permanent encryption table. In the first and second embodiments, the encryption routine uses a 16 digit (or 64 bit) key and a 16 digit input number.
  • The security lock code is generated by the encryption routine performed on the CTID as the key and a combination of the STID and Control Register amount as the input number.
  • The key is composed of the serial number and the BAM initialization and the input number is composed of the STID and the Control Register.
  • The security clear flag is generated by the encryption routine performed on the CTID as the key and a combination of the meter serial number and the STID as the input number.
  • The CTID is a 16 digit number that is stored in BAM.
  • The initial value of the CTID is obtained by performing an algorithm upon the BAM initialization date in combination with the meter serial number.
  • The BAM initialization date is used to prevent starting with the same CTID every time the meter is initialized.
  • The algorithm is not stored in the meter for security reasons.
  • The initial CTID is stored in BAM during the initialization process at the factory.
  • The CTID is incremented by a non-linear algorithm within the meter after the security lock flag is cleared.
  • The codes generated by the encryption routine are 16 digits long.
  • The lower digits of the codes are then communicated to the customer by the meter or the data center computer.
  • The number of lower digits that are communicated is determined by the HSL value (see Appendix A for details).
  • The present invention provides a secure and efficient technique for allowing the meter to be cleared in the field.
  • The electronics of the resettable meter may be structured differently.
  • The security lock flag or another flag can be used to prevent other forms of memory modification when an improper code is entered a predetermined number of times.
  • The encryption key used to generate the request codes could be composed of a meter cycle counter instead of the meter serial number.
  • Other security measures may be implemented such as requiring periodic inspection of the meter.
  • An algorithm is used to generate an apparently random code with multiple digits. However, only a selected number of digits (usually the lower digits) of this code needs to be used in most applications. The number of digits needed depends upon the level of security needed. It is preferred to use as few digits as possible to decrease the number of keystrokes that must be entered, thereby increasing convenience and decreasing the potential for error.
  • HSL: high security length
  • Each code generated by the meter or data center computer has a variable length of digits used depending upon the HSL value. That is, if the HSL value is 1, then the security lock code should have 6 digits. If the HSL value is higher, then the security lock code should be longer. Other codes may have different lengths for a given HSL value, but each code will increase or decrease in length if the HSL value is increased or decreased.
  • This predetermined relationship between code length and the HSL value allows the meter manufacturer to increase or decrease security for the meter without having to recover and initialize each meter. Changes in the HSL value are communicated to the meter when performing a remote meter configuration.
  • Multiple security variables may be used to vary the lengths of individual or groups of codes without affecting the length of the remaining codes.

Abstract

A technique for securely clearing the meter after it has been disabled by a security detection scheme without returning the meter to the factory. During this technique, the meter generates a security lock code which is transmitted to a data center computer. The data center computer compares the security lock code with an internally generated security lock code. If the codes agree, the data center computer then generates a security clear code which is transmitted to the meter. The meter then compares this code with an internally generated security clear code. If these codes agree, then the meter clears the security lock flag thereby enabling the meter. As a result, the customer can subsequently remotely set the meter.

Description

    FIELD OF THE INVENTION
  • This invention relates generally to postage meters, and more particularly, to electronic postage meters capable of being remotely set.
    BACKGROUND OF THE INVENTION
  • With the advent of electronic postage meters, it has become possible to offer meter customers the feature of remotely adding postage credit (remote setting) to the postage meter. This feature enables the customer to more readily and conveniently remotely set the amount of postage in the meter. Extensive procedures and controls are used to ensure that the postage meter amount is remotely set only when authorized. For example, the customer is usually required to enter a long code that varies each time the meter is remotely set. However, such procedures are not infallible, particularly when the postage meter has been stolen and is in the possession of a persistent person.
  • As a result of these security concerns, some meters have been designed to detect the entry of an invalid code for remote setting a predetermined consecutive number of times. Once detected, the meter is disabled and must be returned to the factory to be enabled. Although effective for preventing unauthorized remote setting of the meter, this approach also causes problems for authorized users who accidentally enter an incorrect remote setting code for the predetermined number of times.
    SUMMARY OF THE INVENTION
  • The present invention provides a technique for securely clearing the meter after it has been disabled without returning the meter to the factory. During this technique, the meter generates a security lock code which is transmitted to a data center computer. The data center computer compares the security lock code with an internally generated security lock code. If the codes agree, the data center computer then generates a security clear code which is transmitted to the meter. The meter then compares this code with an internally generated security clear code. If these codes agree, then the meter clears a security lock flag thereby enabling the meter. As a result, the customer can subsequently remotely set the meter.
  • A further understanding of the nature and advantages of the present invention can be realized by reference to the remaining portions of the specification and the attached drawings.
    BRIEF DESCRIPTION OF THE DRAWINGS
    • Fig. 1 is a block diagram of a preferred postage meter capable of being remotely set in the field by the customer;
    • Fig. 2 is a detailed flowchart of the manner in which the security lock flag is set;
    • Fig. 3 is a high level flowchart of the process for clearing the security lock flag;
    • Fig. 4 is a detailed flowchart of the procedure for the customer to obtain a security lock code generated by the meter;
    • Figs. 5a and 5b are detailed flowcharts of the procedure for the customer to confirm the security lock code with the data center computer; and
    • Fig. 6 is a detailed flowchart of the procedure for the customer to clear the security lock flag.
    DESCRIPTION OF THE SPECIFIC EMBODIMENTS
    Meter Overview: Structure
  • Fig. 1 is a block diagram of a preferred postage meter 10 that can be remotely set in the field by the customer. Meter 10 includes a print mechanism 12, accounting registers, and control electronics, all enclosed within a secure meter housing 13. A keyboard 14 and a display 16 provide the user interface. A connector 17 provides an electrical connection with a mailing machine for control of the printing process. The control electronics includes a digital microprocessor 18 which controls the operation of the meter, including the basic functions of printing and accounting for postage, and optional features such as department accounting and remote setting. The microprocessor is connected to a clock 20, a read only memory (ROM) 22, a random access memory (RAM) 24, and a battery augmented memory (BAM) 26.
  • ROM 22 is primarily used for storing non-volatile information such as software and data/function tables necessary to run the microprocessor. The ROM can only be changed at the factory. RAM 24 is used for intermediate storage of variables and other data during meter operation. BAM 26 is primarily used to store accounting information that must be kept when the meter is powered down. The BAM is also used for storing certain flags and other information that is necessary to the functioning of the microprocessor. Such information includes meter identifying data such as the meter serial number and BAM initialization date, and a number of parameters relevant to the remote setting of the meter.
    How the Security Lock Flag is Set
  • Fig. 2 is a detailed flowchart of the manner in which the security lock flag is set. Once the customer has a remote setting code for remotely setting the meter (or is attempting to remotely set the meter without the remote setting code), the customer puts the meter in a remote setting mode (step 40) by pressing a certain key sequence. The meter enters the remote setting mode by setting a mode register located in BAM (step 42). This prevents the meter from being used for printing purposes while being remotely set. The meter then determines whether the security lock flag has already been set (step 44). If so, the meter then displays a message and other needed information such as the security lock code and prompts for the security clear code (step 46). The customer is then unable to continue the remote setting process until the security lock flag has been cleared by the procedure shown in Figs. 3-6.
  • If the security lock flag has not already been set, the customer may then continue the remote setting procedure. The customer enters the remote setting code (step 48). The meter then checks whether the security lock flag has already been set (step 50). If so, then the customer is returned to step 48 as if the remote setting code were incorrect. If the security lock flag has not been set, then the meter determines whether the remote setting code is correct (step 52). If the code is correct, then the meter resets the counter to zero (step 53) and the customer may continue the remote setting procedure (which is not shown as it does not directly relate to the present procedure). If the code is not correct, then the meter checks whether the customer has already attempted more than a predetermined number of allowed attempts (step 56). If the customer has attempted fewer than the predetermined number of allowed attempts, then the meter returns the customer to the step of entering the remote setting code. If the customer has attempted more than the predetermined number of allowed attempts, then the security lock flag in BAM is set and the meter returns the customer to the step of entering the remote setting code.
    Method for Clearing the Meter Security Lock Flag
  • Fig. 3 is a high level flow chart of the process necessary for clearing the security lock flag in the meter. In a first stage 60, the customer obtains a security lock code generated by the meter. This security lock code is essentially a password to the data center computer, and is based upon a combination of factors, the combination of which only the data center computer would know. In a second stage 61, the customer confirms the security lock code with the data center computer. Upon confirmation from the computer, the computer provides a security clear code back to the customer. The security clear code is essentially a password from the data center computer to the meter stating that it is permissible to clear the security lock flag. In a third stage 62, the customer enters the security clear code to the meter. The meter confirms the security clear code and clears the security lock flag.
  • Fig. 4 is a detailed flowchart of stage 60 as shown in Fig. 3. In a first step 40′ (corresponding to step 40 of Figure 2), the customer presses a certain key sequence, causing the meter to enter a remote setting mode. The meter enters the remote setting mode by setting a mode register located in BAM (step 42′).
  • The meter then determines whether the security lock flag has been set (step 44′). If so, the meter then displays a message and other needed information and prompts for the security clear code (step 46′). In a first embodiment, the meter displays the meter serial number, the meter BAM initialization date, and the encrypted security lock code. The BAM initialization date is preferably a four digit number wherein the four digits YDDD express the date in which the meter was last initialized. The DDD stands for the number of days since December 31, and Y is the least significant digit of the year in which the meter was initialized. In a second embodiment, the meter displays the above numbers and the Control Register amount or some other meter specific identifying information. The Control Register contains the amount of postage the meter has printed since the meter has been initialized plus the amount the meter is currently authorized to print. The customer should write these numbers down on a separate piece of paper for later use in the method.
  • Two input numbers used by the meter and the computer to generate encrypted codes are the configuration transaction identifier ("CTID") and the setting transaction identifier ("STID"). They are both specific to the meter and dependent upon the meter serial number. They may also be incremented after each use. The CTID is normally used for reconfiguring the meter functions and clearing the security lock flag and the STID is normally used for resetting the meter postage. Separate numbers are used for the separate procedures in order to maximize security and minimize complexity caused by interdependence. The encryption routine is described in greater detail.
  • Figs. 5a and 5b are detailed flowcharts of stage 61 as shown in Fig. 3. The customer establishes communication with the data center computer over a standard telephone. In the first and second embodiments, the customer may communicate to the data center computer on a touch tone telephone by pressing the keys. Alternative embodiments may utilize a telephone communications device that includes a user or meter interface and a modem, or voice recognition over the telephone.
  • The customer first enters a request code for clearing the security extension flag (step 70). The customer then enters the customer account number (step 72) and the meter serial number, which was given above and can be found on the exterior of the meter (step 74).
  • The data center computer then determines whether the serial number is valid given the customer account number (step 76). If the serial number is valid then the customer may continue, otherwise the customer is notified (step 78) and is given the opportunity to decide whether to try again (step 80). If the customer does not decide to try again, the customer should then contact his agent in order to determine how to clear up this problem.
  • If the serial number is valid, then the customer enters the amount of the Control Register (step 84) obtained earlier in the procedure. The customer then enters the security lock code which was also obtained from the meter in the procedure above (step 86). The computer then generates a security lock code in a like manner (step 88) and compares that code to that entered by the customer (step 90). If the codes are not equal, then the customer is notified (step 92) and is given the opportunity to try again.
  • If the codes are equal, then the computer determines whether the Control Register amount is valid (step 96). The Control Register amount is valid if the amount is equal to any prior Control Register amounts stored on the computer. The Control Register amount is not valid if it is greater than or equal to the present computer Control Register amount. If the Control Register amount is not valid, then the customer is notified and the occurrence of the invalid Control Register amount is logged in the computer (step 98).
  • If the Control Register amount is valid, then the customer enters the current remote setting code (step 100). The computer then determines whether it is a valid code (step 102). If the remote setting code is not valid, then the computer passes the customer to a live operator for assistance (step 104). If the remote setting code is valid, then the computer generates a security extension code (step 106), increments the CTID (step 108), flags that this event has occurred (step 110), and displays or returns the security extension code to the customer for use further in this method (step 112).
  • Fig. 6 is a detailed flowchart of stage 62 shown above in Fig. 3. The customer enters the security clear code obtained from the computer into the meter (step 120). The meter then generates its own security clear code (step 122) and compares the computer generated code with the meter generated code (step 124). If the codes are not equal, then the customer is notified (step 126) and the customer is given an opportunity to try again or contact an agent (step 130). If the codes are equal, then the meter increments the CTID such that it is equal to the CTID stored in the computer (step 132), the meter clears the security lock flag (step 134) and the meter enters the remote setting mode by changing the mode register in BAM (step 136).
  • Encryption Technique
  • In order to perform the above procedure in a secure manner and to confirm certain data, the security lock code and the security clear code are generated by an encryption routine stored both in the meter ROM and in the data center computer. The encryption routine is a nonlinear algorithm that generates a number that is apparently random to an outside person. The encryption routine is performed by an encryption program in combination with a permanent encryption table. In the first and second embodiments, the encryption routine uses a 16-digit (or 64-bit) key and a 16-digit input number.
  • In the first embodiment, the security lock code is generated by the encryption routine performed on the CTID as the key and a combination of the STID and Control Register amount as the input number. In the second embodiment, the key is composed of the serial number and the BAM initialization date, and the input number is composed of the STID and the Control Register.
  • In the preferred and second embodiments, the security clear flag is generated by the encryption routine performed on the CTID as the key and a combination of the meter serial number and the STID as the input number.
  • The CTID is a 16-digit number that is stored in BAM. The initial value of the CTID is obtained by performing an algorithm upon the BAM initialization date in combination with the meter serial number. The BAM initialization date is used to prevent starting with the same CTID every time the meter is initialized. The algorithm is not stored in the meter for security reasons. The initial CTID is stored in BAM during the initialization process at the factory. The CTID is incremented by a non-linear algorithm within the meter after the security lock flag is cleared.
  • The codes generated by the encryption routine are 16-digits long. The lower digits of the codes are then communicated to the customer by the meter or the data center computer. The number of lower digits that are communicated is determined by the HSL value (see Appendix A for details).
  • Conclusion
  • It can be seen that the present invention provides a secure and efficient technique for allowing the meter to be cleared in the field.
  • While the above is a complete description of the specific embodiments of the invention, various modifications, alternative constructions, and equivalents may be used. For example, the electronics of the resettable meter may be structured differently. In addition, the security lock flag or another flag can be used to prevent other forms of memory modification when an improper code is entered a predetermined number of times. Furthermore, the encryption key used to generate the request codes could be composed of a meter cycle counter instead of the meter serial number. Other security measures may be implemented such as requiring periodic inspection of the meter.
  • Therefore, the above description and illustration should not be taken as limiting the scope of the present invention, which is defined by the appended claims.
  • APPENDIX A VARIABLE LENGTH SECURITY CODES
  • An algorithm is used to generate an apparently random code with multiple digits. However, only a selected number of digits (usually the lower digits) of this code needs to be used in most applications. The number of digits needed depends upon the level of security needed. It is preferred to use as few digits as possible to decrease the number of keystrokes that must be entered, thereby increasing convenience and decreasing the potential for error.
  • As a result, a variable has been created which defines the overall level of security required by the meter or data center computer. This variable is called the high security length (HSL) value.
  • Each code generated by the meter or data center computer has a variable length of digits used depending upon the HSL value. That is, if the HSL value is 1, then the security lock code should have 6 digits. If the HSL value is higher, then the security lock code should be longer. Other codes may have different lengths for a given HSL value, but each code will increase or decrease in length if the HSL value is increased or decreased.
  • This predetermined relationship between code length and the HSL value allows the meter manufacturer to increase or decrease security for the meter without having to recover and initialize each meter. Changes in the HSL value are communicated to the meter when performing a remote meter configuration.
  • In an alternative embodiment, multiple security variables may be used to vary the lengths of individual or groups of codes without affecting the length of the remaining codes.
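The lock-code and clear-code exchange of Figs. 5 and 6, with the HSL truncation of Appendix A, as an added Python example that is not code from the patent. HMAC-SHA256 stands in for the undisclosed table-driven encryption routine; the 8+8 digit input packing, the CTID update step, the HSL lengths other than 1 → 6, and all sample values are assumptions.

```python
import hashlib
import hmac

# Digits shown per HSL value; only "HSL 1 -> 6 digits" is from the text.
CODE_LEN = {1: 6, 2: 8, 3: 10}


def encrypt16(key, data):
    """Stand-in (HMAC-SHA256) for the undisclosed routine; 16 digits out."""
    if not (len(key) == len(data) == 16 and (key + data).isdigit()):
        raise ValueError("key and input must each be 16 decimal digits")
    mac = hmac.new(key.encode(), data.encode(), hashlib.sha256).digest()
    value = int.from_bytes(mac[:8], "big") % 10**16
    return f"{value:016d}"


def lock_code(ctid, stid, control_register, hsl):
    # First embodiment: CTID is the key, STID + Control Register the input.
    # The 8+8 digit packing is an assumption; the text says "a combination".
    full = encrypt16(ctid, f"{stid % 10**8:08d}{control_register % 10**8:08d}")
    return full[-CODE_LEN[hsl]:]  # only the lower digits are communicated


def clear_code(ctid, serial, stid, hsl):
    # CTID is the key, meter serial number + STID the input (same packing).
    full = encrypt16(ctid, f"{serial % 10**8:08d}{stid % 10**8:08d}")
    return full[-CODE_LEN[hsl]:]


def next_ctid(ctid):
    # Assumed non-linear step; the real increment algorithm is not given.
    return encrypt16(ctid, "0" * 16)


class Party:
    def __init__(self, serial, ctid, stid, control_register, hsl=1):
        self.serial, self.ctid, self.stid = serial, ctid, stid
        self.control_register, self.hsl = control_register, hsl
        self.locked = False


class Meter(Party):
    def displayed_lock_code(self):  # step 46'
        return lock_code(self.ctid, self.stid, self.control_register, self.hsl)

    def enter_clear_code(self, entered):  # steps 120-136
        expected = clear_code(self.ctid, self.serial, self.stid, self.hsl)
        if not hmac.compare_digest(expected, entered):
            return False
        self.ctid = next_ctid(self.ctid)  # step 132
        self.locked = False  # step 134
        return True


class DataCenter(Party):
    def issue_clear_code(self, entered_register, entered_lock_code):
        # Steps 88-90: regenerate the lock code in a like manner and compare.
        expected = lock_code(self.ctid, self.stid, entered_register, self.hsl)
        if not hmac.compare_digest(expected, entered_lock_code):
            return None
        code = clear_code(self.ctid, self.serial, self.stid, self.hsl)  # step 106
        self.ctid = next_ctid(self.ctid)  # step 108
        return code


def demo():
    # Constructed sample values: serial, CTID, STID, Control Register, HSL.
    args = (1234567, "4815162342000001", 42, 150000, 3)
    meter, center = Meter(*args), DataCenter(*args)
    meter.locked = True
    code = center.issue_clear_code(150000, meter.displayed_lock_code())
    accepted = meter.enter_clear_code(code)
    replayed = meter.enter_clear_code(code)  # same code against the new CTID
    return accepted, meter.ctid == center.ctid, replayed
```

Because both sides advance the CTID only after a successful comparison, a clear code is single-use: the second entry in `demo()` is checked against the new CTID and rejected.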

Claims (8)

1. An electronic postage meter having memory capable of being modified by entry of a remote setting code, the meter comprising:
(a) detection means for detecting the entry of an invalid remote setting code a predetermined number of times;
(b) prevention means, responsive to the detection means, for selectively preventing the modification of memory upon the entry of an invalid code the predetermined number of times;
(c) generating means for generating a meter code;
(d) entry means for entering a non-meter code;
(e) comparison means, coupled to the generating means and the entry means, for comparing the meter and non-meter codes; and
(f) enabling means, responsive to the comparison means, for disabling the prevention means upon the meter and non-meter codes being equal.
2. The electronic postage meter of claim 1 further comprising:
(a) second generating means for generating a second meter code; and
(b) display means, coupled to the second generating means, for displaying the second meter code.
3. An electronic postage meter having a postage amount that can be remotely set by entry of a remote setting code, the meter comprising:
(a) detection means for detecting the entry of an invalid remote setting code a predetermined number of times;
(b) prevention means, responsive to the detection means for selectively preventing the postage amount from being remotely set upon the entry of an invalid code the predetermined number of times;
(c) generating means for generating a meter code;
(d) entry means for entering a non-meter code;
(e) comparison means coupled to the generating means and the entry means for comparing the meter and non-meter codes; and
(f) enabling means responsive to the comparison means, for disabling the prevention means upon the meter and non-meter codes being equal.
4. The electronic postage meter of claim 3 further comprising:
(a) second generating means for generating a second meter code; and
(b) display means, coupled to the second generating means, for displaying the second meter code.
5. The electronic postage meter of claim 3 further comprising a print means for printing postage not greater than the postage amount.
6. The electronic postage meter of claim 5 wherein the prevention means further prevents the print means from printing postage upon the entry of an invalid remote setting code the predetermined number of times.
7. The electronic postage meter of claim 3 further comprising enabling means for enabling the postage amount to be remotely set upon the entry of a second non-meter code.
8. An electronic postage meter having a postage amount that can be remotely set by the entry of a remote setting code, the meter comprising:
(a) detection means for detecting the entry of an invalid remote setting code a predetermined consecutive number of times;
(b) prevention means, responsive to the detection means, for selectively preventing the postage amount from being remotely set upon the entry of an invalid remote setting code the predetermined consecutive number of times;
(c) generating means for generating a first meter code and a second meter code;
(d) display means, coupled to the generating means, for displaying the first meter code;
(e) entry means for entering a non-meter code;
(f) comparison means, coupled to the generating means and the entry means, for comparing the second meter and non-meter codes; and
(g) enabling means, responsive to the comparison means, for disabling the prevention means upon the second meter and non-meter codes being equal.
EP90105118A 1989-03-23 1990-03-19 Security extension procedure for electronic remote setting meter Revoked EP0388840B1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US32809989A 1989-03-23 1989-03-23
US328099 1989-03-23

Publications (3)

Publication Number Publication Date
EP0388840A2 true EP0388840A2 (en) 1990-09-26
EP0388840A3 EP0388840A3 (en) 1991-07-24
EP0388840B1 EP0388840B1 (en) 1994-11-30

Family

ID=23279508

Family Applications (1)

Application Number Title Priority Date Filing Date
EP90105118A Revoked EP0388840B1 (en) 1989-03-23 1990-03-19 Security extension procedure for electronic remote setting meter

Country Status (2)

Country Link
EP (1) EP0388840B1 (en)
DE (1) DE69014361T2 (en)


Also Published As

Publication number Publication date
EP0388840A3 (en) 1991-07-24
EP0388840B1 (en) 1994-11-30
DE69014361T2 (en) 1995-04-27
DE69014361D1 (en) 1995-01-12


Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): DE FR GB

PUAL Search report despatched

Free format text: ORIGINAL CODE: 0009013

AK Designated contracting states

Kind code of ref document: A3

Designated state(s): DE FR GB

17P Request for examination filed

Effective date: 19920113

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: NEOPOST INDUSTRIE

17Q First examination report despatched

Effective date: 19930621

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): DE FR GB

REF Corresponds to:

Ref document number: 69014361

Country of ref document: DE

Date of ref document: 19950112

ET Fr: translation filed
PLBI Opposition filed

Free format text: ORIGINAL CODE: 0009260

26 Opposition filed

Opponent name: PITNEY BOWES, INC.

Effective date: 19950830

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FR

Payment date: 19951228

Year of fee payment: 7

PLBF Reply of patent proprietor to notice(s) of opposition

Free format text: ORIGINAL CODE: EPIDOS OBSO

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 19960312

Year of fee payment: 7

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 19960318

Year of fee payment: 7

RDAH Patent revoked

Free format text: ORIGINAL CODE: EPIDOS REVO

RDAG Patent revoked

Free format text: ORIGINAL CODE: 0009271

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: PATENT REVOKED

GBPR Gb: patent revoked under art. 102 of the ep convention designating the uk as contracting state

Free format text: 960722

27W Patent revoked

Effective date: 19960722