EP0388840A2 - Security extension procedure for electronic remote setting meter - Google Patents
- Publication number
- EP0388840A2 (EP90105118A)
- Authority
- EP
- European Patent Office
- Prior art keywords
- meter
- code
- entry
- security
- remote setting
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G07F7/1016—Devices or methods for securing the PIN and other transaction-data, e.g. by encryption
- G07B17/0008—Communication details outside or between apparatus
- G07B17/00733—Cryptography or similar special procedures in a franking system
- G07C9/33—Individual registration on entry or exit not involving the use of a pass in combination with an identity check by means of a password
- G07B2017/00161—Communication details outside or between apparatus for sending information from a central, non-user location, e.g. for updating rates or software, or for refilling funds
- G07B2017/00169—Communication details outside or between apparatus for sending information from a franking apparatus, e.g. for verifying accounting
- G07B2017/00419—Software organization, e.g. separation into objects
- G07B2017/0083—Postal data, e.g. postage, address, sender, machine ID, vendor
- G07B2017/00935—Passwords
Definitions
- An algorithm is used to generate an apparently random code with multiple digits. However, only a selected number of digits (usually the lower digits) of this code needs to be used in most applications. The number of digits needed depends upon the level of security needed. It is preferred to use as few digits as possible to decrease the number of keystrokes that must be entered, thereby increasing convenience and decreasing the potential for error.
- HSL high security length
- Each code generated by the meter or data center computer has a variable length of digits used depending upon the HSL value. That is, if the HSL value is 1, then the security lock code should have 6 digits. If the HSL value is higher, then the security lock code should be longer. Other codes may have different lengths for a given HSL value, but each code will increase or decrease in length if the HSL value is increased or decreased.
- This predetermined relationship between code length and the HSL value allows the meter manufacturer to increase or decrease security for the meter without having to recover and initialize each meter. Changes in the HSL value are communicated to the meter when performing a remote meter configuration.
- Multiple security variables may be used to vary the lengths of individual or groups of codes without affecting the length of the remaining codes.
Abstract
Description
- This invention relates generally to postage meters, and more particularly, to electronic postage meters capable of being remotely set.
- With the advent of electronic postage meters, it has become possible to offer meter customers the feature of remotely adding postage credit (remote setting) to the postage meter. This feature enables the customer to more readily and conveniently remotely set the amount of postage in the meter. Extensive procedures and controls are used to ensure that the postage meter amount is remotely set only when authorized. For example, the customer is usually required to enter a long code that varies each time the meter is remotely set. However, such procedures are not infallible, particularly when the postage meter has been stolen and is in the possession of a persistent person.
- As a result of these security concerns, some meters have been designed to detect the entry of an invalid code for remote setting a predetermined consecutive number of times. Once detected, the meter is disabled and must be returned to the factory to be enabled. Although effective for preventing unauthorized remote setting of the meter, this approach also causes problems for authorized users who accidentally enter an incorrect remote setting code for the predetermined number of times.
- The present invention provides a technique for securely clearing the meter after it has been disabled without returning the meter to the factory. During this technique, the meter generates a security lock code which is transmitted to a data center computer. The data center computer compares the security lock code with an internally generated security lock code. If the codes agree, the data center computer then generates a security clear code which is transmitted to the meter. The meter then compares this code with an internally generated security clear code. If these codes agree, then the meter clears a security lock flag thereby enabling the meter. As a result, the customer can subsequently remotely set the meter.
- A further understanding of the nature and advantages of the present invention can be realized by reference to the remaining portions of the specification and the attached drawings.
- Fig. 1 is a block diagram of a preferred postage meter capable of being remotely set in the field by the customer;
- Fig. 2 is a detailed flowchart of the manner in which the security lock flag is set;
- Fig. 3 is a high level flowchart of the process for clearing the security lock flag;
- Fig. 4 is a detailed flowchart of the procedure for the customer to obtain a security lock code generated by the meter;
- Figs. 5a and 5b are detailed flowcharts of the procedure for the customer to confirm the security lock code with the data center computer; and
- Fig. 6 is a detailed flowchart of the procedure for the customer to clear the security lock flag.
- Fig. 1 is a block diagram of a preferred postage meter 10 that can be remotely set in the field by the customer. Meter 10 includes a print mechanism 12, accounting registers, and control electronics, all enclosed within a secure meter housing 13. A keyboard 14 and a display 16 provide the user interface. A connector 17 provides an electrical connection with a mailing machine for control of the printing process. The control electronics includes a digital microprocessor 18 which controls the operation of the meter, including the basic functions of printing and accounting for postage, and optional features such as department accounting and remote setting. The microprocessor is connected to a clock 20, a read only memory (ROM) 22, a random access memory (RAM) 24, and a battery augmented memory (BAM) 26.
- ROM 22 is primarily used for storing non-volatile information such as software and data/function tables necessary to run the microprocessor. The ROM can only be changed at the factory. RAM 24 is used for intermediate storage of variables and other data during meter operation. BAM 26 is primarily used to store accounting information that must be kept when the meter is powered down. The BAM is also used for storing certain flags and other information that is necessary to the functioning of the microprocessor. Such information includes meter identifying data such as the meter serial number and BAM initialization date, and a number of parameters relevant to the remote setting of the meter.
- Fig. 2 is a detailed flowchart of the manner in which the security lock flag is set. Once the customer has a remote setting code for remotely setting the meter (or is attempting to remotely set the meter without the remote setting code), the customer puts the meter in a remote setting mode (step 40) by pressing a certain key sequence. The meter enters the remote setting mode by setting a mode register located in BAM (step 42). This prevents the meter from being used for printing purposes while being remotely set. The meter then determines whether the security lock flag has already been set (step 44). If so, the meter then displays a message and other needed information such as the security lock code and prompts for the security clear code (step 46). The customer is then unable to continue the remote setting process until the security lock flag has been cleared by the procedure shown in Figs. 3-6.
- If the security lock flag has not already been set, the customer may then continue the remote setting procedure. The customer enters the remote setting code (step 48). The meter then checks whether the security lock flag has already been set (step 50). If so, then the customer is returned to step 48 as if the remote setting code were incorrect. If the security lock flag has not been set, then the meter determines whether the remote setting code is correct (step 52). If the code is correct, then the meter resets the counter to zero (step 53) and the customer may continue the remote setting procedure (which is not shown as it does not directly relate to the present procedure). If the code is not correct, then the meter checks to see whether the customer has already attempted over a predetermined number of allowed attempts (step 56). If the customer has attempted less than the predetermined number of allowed attempts, then the meter returns the customer to the step of entering the remote setting code. If the customer has attempted over the predetermined number of allowed attempts, then the security lock flag in BAM is set and the meter returns the customer to the step of entering the remote setting code.
- Fig. 3 is a high level flowchart of the process necessary for clearing the security lock flag in the meter. In a first stage 60, the customer obtains a security lock code generated by the meter. This security lock code is essentially a password to the data center computer, and is based upon a combination of factors, the combination of which only the data center computer would know. In a second stage 61, the customer confirms the security lock code with the data center computer. Upon confirmation from the computer, the computer provides a security clear code back to the customer. The security clear code is essentially a password from the data center computer to the meter stating that it is permissible to clear the security lock flag. In a third stage 62, the customer enters the security clear code to the meter. The meter confirms the security clear code and clears the security lock flag.
- Fig. 4 is a detailed flowchart of stage 60 as shown in Fig. 3. In a first step 40′ (corresponding to step 40 of Figure 2), the customer presses a certain key sequence, causing the meter to enter a remote setting mode. The meter enters the remote setting mode by setting a mode register located in BAM (step 42′).
- The meter then determines whether the security lock flag has been set (step 44′). If so, the meter then displays a message and other needed information and prompts for the security clear code (step 46′). In a first embodiment, the meter displays the meter serial number, the meter BAM initialization date, and the encrypted security lock code. The BAM initialization date is preferably a four digit number wherein the four digits YDDD express the date in which the meter was last initialized. The DDD stands for the number of days since December 31, and Y is the least significant digit of the year in which the meter was initialized. In a second embodiment, the meter displays the above numbers and the Control Register amount or some other meter specific identifying information. The Control Register contains the amount of postage the meter has printed since the meter has been initialized plus the amount the meter is currently authorized to print. The customer should write these numbers down on a separate piece of paper for later use in the method.
- Two input numbers used by the meter and the computer to generate encrypted codes are the configuration transaction identifier ("CTID") and the setting transaction identifier ("STID"). They are both specific to the meter and dependent upon the meter serial number. They may also be incremented after each use. The CTID is normally used for reconfiguring the meter functions and clearing the security lock flag and the STID is normally used for resetting the meter postage. Separate numbers are used for the separate procedures in order to maximize security and minimize complexity caused by interdependence. The encryption routine is described in greater detail below.
- Figs. 5a and 5b are detailed flowcharts of stage 61 as shown in Fig. 3. The customer establishes communication with the data center computer over a standard telephone. In the first and second embodiments, the customer may communicate to the data center computer on a touch tone telephone by pressing the keys. Alternative embodiments may utilize a telephone communications device that includes a user or meter interface and a modem, or voice recognition over the telephone.
- The customer first enters a request code for clearing the security extension flag (step 70). The customer then enters the customer account number (step 72) and the meter serial number, which was given above and can be found on the exterior of the meter (step 74).
- The data center computer then determines whether the serial number is valid given the customer account number (step 76). If the serial number is valid then the customer may continue, otherwise the customer is notified (step 78) and is given the opportunity to decide whether to try again (step 80). If the customer does not decide to try again, the customer should then contact his agent in order to determine how to clear up this problem.
- If the serial number is valid, then the customer enters the amount of the Control Register (step 84) obtained earlier in the procedure. The customer then enters the security lock code which was also obtained from the meter in the procedure above (step 86). The computer then generates a security lock code in a like manner (step 88) and compares that code to that entered by the customer (step 90). If the codes are not equal, then the customer is notified (step 92) and is given the opportunity to try again.
- If the codes are equal, then the computer determines whether the Control Register amount is valid (step 96). The Control Register amount is valid if the amount is equal to any prior Control Register amounts stored on the computer. The Control Register amount is not valid if it is greater than or equal to the present computer Control Register amount. If the Control Register amount is not valid, then the customer is notified and the occurrence of the invalid Control Register amount is logged in the computer (step 98).
- If the Control Register amount is valid, then the customer enters the current remote setting code (step 100). The computer then determines whether it is a valid code (step 102). If the remote setting code is not valid, then the computer passes the customer to a live operator for assistance (step 104). If the remote setting code is valid, then the computer generates a security extension code (step 106), increments the CTID (step 108), flags that this event has occurred (step 110), and displays or returns the security extension code to the customer for use further in this method (step 112).
- Fig. 6 is a detailed flowchart of stage 62 shown above in Fig. 3. The customer enters the security clear code obtained from the computer into the meter (step 120). The meter then generates its own security clear code (step 122) and compares the computer generated code with the meter generated code (step 124). If the codes are not equal, then the customer is notified (step 126) and the customer is given an opportunity to try again or contact an agent (step 130). If the codes are equal, then the meter increments the CTID such that it is equal to the CTID stored in the computer (step 132), the meter clears the security lock flag (step 134) and the meter enters the remote setting mode by changing the mode register in BAM (step 136).
- In order to perform the above procedure in a secure manner and to confirm certain data, the security lock code and the security clear code are generated by an encryption routine, stored both in the meter ROM and in the data center computer. The encryption routine is a nonlinear algorithm that generates a number that is apparently random to an outside person. The encryption routine is performed by an encryption program in combination with a permanent encryption table. In the first and second embodiments, the encryption routine uses a 16 digit (or 64 bit) key and a 16 digit input number.
- In the first embodiment, the security lock code is generated by the encryption routine performed on the CTID as the key and a combination of the STID and Control Register amount as the input number. In the second embodiment, the key is composed of the serial number and the BAM initialization and the input number is composed of the STID and the Control Register.
- In the preferred and second embodiments, the security clear flag is generated by the encryption routine performed on the CTID as the key and a combination of the meter serial number and the STID as the input number.
- The CTID is a 16 digit number that is stored in BAM. The initial value of the CTID is obtained by performing an algorithm upon the BAM initialization date in combination with the meter serial number. The BAM initialization date is used to prevent starting with the same CTID every time the meter is initialized. The algorithm is not stored in the meter for security reasons. The initial CTID is stored in BAM during the initialization process at the factory. The CTID is incremented by a non-linear algorithm within the meter after the security lock flag is cleared.
- The codes generated by the encryption routine are 16-digits long. The lower digits of the codes are then communicated to the customer by the meter or the data center computer. The number of lower digits that are communicated is determined by the HSL value (see Appendix A for details).
- It can be seen that the present invention provides a secure and efficient technique for allowing the meter to be cleared in the field.
- While the above is a complete description of the specific embodiments of the invention, various modifications, alternative constructions, and equivalents may be used. For example, the electronics of the resettable meter may be structured differently. In addition, the security lock flag or another flag can be used to prevent other forms of memory modification when an improper code is entered a predetermined number of times. Furthermore, the encryption key used to generate the request codes could be composed of a meter cycle counter instead of the meter serial number. Other security measures may be implemented such as requiring periodic inspection of the meter.
- Therefore, the above description and illustration should not be taken as limiting the scope of the present invention, which is defined by the appended claims.
- An algorithm is used to generate an apparently random code with multiple digits. However, only a selected number of digits (usually the lower digits) of this code needs to be used in most applications. The number of digits needed depends upon the level of security needed. It is preferred to use as few digits as possible to decrease the number of keystrokes that must be entered, thereby increasing convenience and decreasing the potential for error.
- As a result, a variable has been created which defines the overall level of security required by the meter or data center computer. This variable is called the high security length (HSL) value.
- Each code generated by the meter or data center computer has a variable length of digits used depending upon the HSL value. That is, if the HSL value is 1, then the security lock code should have 6 digits. If the HSL value is higher, then the security lock code should be longer. Other codes may have different lengths for a given HSL value, but each code will increase or decrease in length if the HSL value is increased or decreased.
- This predetermined relationship between code length and the HSL value allows the meter manufacturer to increase or decrease security for the meter without having to recover and initialize each meter. Changes in the HSL value are communicated to the meter when performing a remote meter configuration.
- In an alternative embodiment, multiple security variables may be used to vary the lengths of individual or groups of codes without affecting the length of the remaining codes.
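The security clear code exchange of Fig. 6 and the HSL-dependent code length described above, as an added Python sketch that is not code from the patent. It assumes HMAC-SHA256 in place of the unspecified table-driven encryption routine and CTID increment, and one extra digit per HSL level above the stated HSL 1 = 6 digits; all names and sample values are hypothetical.

```python
import hashlib
import hmac

DIGITS = 16  # from the page: 16-digit key, 16-digit input number, 16-digit code

def routine(key: str, input_number: str) -> str:
    """ASSUMPTION: HMAC-SHA256 stands in for the patent's table-driven routine."""
    mac = hmac.new(key.encode(), input_number.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac, 'big') % 10**DIGITS:0{DIGITS}d}"

def code_length(hsl: int) -> int:
    """HSL 1 -> 6 digits is from the page; +1 digit per level is ASSUMED."""
    if not 1 <= hsl <= 11:
        raise ValueError("HSL outside the assumed 1..11 range")
    return 5 + hsl

def code_space(hsl: int) -> int:
    """Number of equally likely codes a blind guess must choose from."""
    return 10 ** code_length(hsl)

def security_clear_code(ctid: str, serial: str, stid: str, hsl: int) -> str:
    # Key = CTID, input = meter serial number combined with STID;
    # only the lower digits are communicated to the customer.
    return routine(ctid, serial + stid)[-code_length(hsl):]

def next_ctid(ctid: str) -> str:
    """ASSUMPTION: hypothetical non-linear CTID step, identical on both sides."""
    return routine(ctid, "ctid-increment")

class DataCenter:
    def __init__(self, ctid, serial, stid, hsl):
        self.ctid, self.serial, self.stid, self.hsl = ctid, serial, stid, hsl

    def issue_clear_code(self) -> str:
        code = security_clear_code(self.ctid, self.serial, self.stid, self.hsl)
        self.ctid = next_ctid(self.ctid)  # computer increments its CTID
        return code

class Meter:
    def __init__(self, ctid, serial, stid, hsl):
        self.ctid, self.serial, self.stid, self.hsl = ctid, serial, stid, hsl
        self.locked = True  # security lock flag

    def enter_clear_code(self, entered: str) -> bool:
        expected = security_clear_code(self.ctid, self.serial, self.stid, self.hsl)
        # Constant-time comparison so timing does not leak matching digits.
        if not hmac.compare_digest(entered.encode(), expected.encode()):
            return False  # flag stays set, CTID unchanged
        self.ctid = next_ctid(self.ctid)  # now equal to the data center's CTID
        self.locked = False
        return True
```

Because both sides step the CTID after a successful exchange, a clear code that was accepted once no longer matches if it is entered again after a later lock.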
Claims (8)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US32809989A | 1989-03-23 | 1989-03-23 | |
US328099 | 1989-03-23 |
Publications (3)
Publication Number | Publication Date |
---|---|
EP0388840A2 true EP0388840A2 (en) | 1990-09-26 |
EP0388840A3 EP0388840A3 (en) | 1991-07-24 |
EP0388840B1 EP0388840B1 (en) | 1994-11-30 |
Family
ID=23279508
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP90105118A Revoked EP0388840B1 (en) | 1989-03-23 | 1990-03-19 | Security extension procedure for electronic remote setting meter |
Country Status (2)
Country | Link |
---|---|
EP (1) | EP0388840B1 (en) |
DE (1) | DE69014361T2 (en) |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2251210A (en) * | 1990-12-31 | 1992-07-01 | Alcatel Business Systems | Unlocking operation of a "locked-out" post-payment postage meter |
GB2251213A (en) * | 1990-12-31 | 1992-07-01 | Alcatel Business Systems | Postage meter. |
WO1994002913A1 (en) * | 1992-07-21 | 1994-02-03 | Bacon, Brian | Equipment which includes electronics |
EP0647924A2 (en) * | 1993-10-08 | 1995-04-12 | Pitney Bowes Inc. | Encryption key control system for mail processing system having data center verification |
DE4344476A1 (en) * | 1993-12-21 | 1995-06-22 | Francotyp Postalia Gmbh | Process for improving the security of franking machines |
EP0717379A2 (en) | 1994-12-15 | 1996-06-19 | Francotyp-Postalia GmbH | Method for improving the security from franking machines at a credit transfer |
EP0735719A2 (en) * | 1995-03-31 | 1996-10-02 | Pitney Bowes Inc. | Method for providing secure boxes in a key management system |
EP0735721A2 (en) * | 1995-03-31 | 1996-10-02 | Pitney Bowes Inc. | Method for master key generation and registration |
EP0735722A2 (en) * | 1995-03-31 | 1996-10-02 | Pitney Bowes Inc. | Cryptographic key management and validation system |
US5585613A (en) * | 1995-11-24 | 1996-12-17 | Pitney Bowes Inc. | Postage metering apparatus including means for guarding against printing a postage value without accouting therefor |
US5805711A (en) * | 1993-12-21 | 1998-09-08 | Francotyp-Postalia Ag & Co. | Method of improving the security of postage meter machines |
EP0780805A3 (en) * | 1995-12-19 | 2000-01-12 | Pitney Bowes Inc. | Open metering system with super password vault access |
US6775656B1 (en) | 1999-03-17 | 2004-08-10 | Francotyp-Postalia Ag & Co. | Method for automatic installation of franking devices and arrangement for the implementation of the method |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US3792446A (en) * | 1972-12-04 | 1974-02-12 | Pitney Bowes Inc | Remote postage meter resetting method |
US4097923A (en) * | 1975-04-16 | 1978-06-27 | Pitney-Bowes, Inc. | Remote postage meter charging system using an advanced microcomputerized postage meter |
GB2080202A (en) * | 1980-07-14 | 1982-02-03 | Pitney Bowes Inc | Re-funding postage meters |
EP0096386A2 (en) * | 1982-06-04 | 1983-12-21 | Pitney Bowes Inc. | Hand held electronic postage meter having secure postage meter doors |
GB2178696A (en) * | 1985-08-06 | 1987-02-18 | Pitney Bowes Inc | Postage metering locking system |
GB2188874A (en) * | 1986-04-10 | 1987-10-14 | Pitney Bowes Inc | Postage meter recharging system |
GB2188878A (en) * | 1986-04-10 | 1987-10-14 | Pitney Bowes Inc | Postage meter message printing system |
Cited By (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2251210B (en) * | 1990-12-31 | 1995-01-18 | Alcatel Business Systems | Postage meter system |
GB2251213A (en) * | 1990-12-31 | 1992-07-01 | Alcatel Business Systems | Postage meter. |
EP0493949A2 (en) * | 1990-12-31 | 1992-07-08 | Neopost Limited | Postage meter |
EP0493949A3 (en) * | 1990-12-31 | 1992-08-05 | Alcatel Business Systems Limited | Postage meter |
FR2673305A1 (en) * | 1990-12-31 | 1992-08-28 | Alcatel Business Systems | POSTAL POSTAGE COUNTER SYSTEM. |
GB2251210A (en) * | 1990-12-31 | 1992-07-01 | Alcatel Business Systems | Unlocking operation of a "locked-out" post-payment postage meter |
US5495531A (en) * | 1992-07-21 | 1996-02-27 | Son Holdings Limited Of C/O Celtic Trust Company Limited | Equipment which included electronics |
WO1994002913A1 (en) * | 1992-07-21 | 1994-02-03 | Bacon, Brian | Equipment which includes electronics |
EP0647924A3 (en) * | 1993-10-08 | 1995-09-20 | Pitney Bowes Inc | Encryption key control system for mail processing system having data center verification. |
EP0647924A2 (en) * | 1993-10-08 | 1995-04-12 | Pitney Bowes Inc. | Encryption key control system for mail processing system having data center verification |
EP0942398A3 (en) * | 1993-10-08 | 2000-09-27 | Pitney Bowes Inc. | Encryption key control system for mail processing system having data center verification |
DE4344476A1 (en) * | 1993-12-21 | 1995-06-22 | Francotyp Postalia Gmbh | Process for improving the security of franking machines |
US5671146A (en) * | 1993-12-21 | 1997-09-23 | Francotyp-Postalia Gmbh | Method for improving the security of postage meter machines |
US5805711A (en) * | 1993-12-21 | 1998-09-08 | Francotyp-Postalia Ag & Co. | Method of improving the security of postage meter machines |
EP0717379A2 (en) | 1994-12-15 | 1996-06-19 | Francotyp-Postalia GmbH | Method for improving the security from franking machines at a credit transfer |
EP0735719A2 (en) * | 1995-03-31 | 1996-10-02 | Pitney Bowes Inc. | Method for providing secure boxes in a key management system |
EP0735722A2 (en) * | 1995-03-31 | 1996-10-02 | Pitney Bowes Inc. | Cryptographic key management and validation system |
EP0735721A3 (en) * | 1995-03-31 | 1999-10-06 | Pitney Bowes Inc. | Method for master key generation and registration |
EP0735719A3 (en) * | 1995-03-31 | 1999-10-06 | Pitney Bowes Inc. | Method for providing secure boxes in a key management system |
EP0735722A3 (en) * | 1995-03-31 | 1999-10-06 | Pitney Bowes Inc. | Cryptographic key management and validation system |
EP0735721A2 (en) * | 1995-03-31 | 1996-10-02 | Pitney Bowes Inc. | Method for master key generation and registration |
US5585613A (en) * | 1995-11-24 | 1996-12-17 | Pitney Bowes Inc. | Postage metering apparatus including means for guarding against printing a postage value without accouting therefor |
EP0780805A3 (en) * | 1995-12-19 | 2000-01-12 | Pitney Bowes Inc. | Open metering system with super password vault access |
US6775656B1 (en) | 1999-03-17 | 2004-08-10 | Francotyp-Postalia Ag & Co. | Method for automatic installation of franking devices and arrangement for the implementation of the method |
Also Published As
Publication number | Publication date |
---|---|
EP0388840A3 (en) | 1991-07-24 |
EP0388840B1 (en) | 1994-11-30 |
DE69014361T2 (en) | 1995-04-27 |
DE69014361D1 (en) | 1995-01-12 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
 | AK | Designated contracting states | Kind code of ref document: A2 Designated state(s): DE FR GB |
 | PUAL | Search report despatched | Free format text: ORIGINAL CODE: 0009013 |
 | AK | Designated contracting states | Kind code of ref document: A3 Designated state(s): DE FR GB |
 | 17P | Request for examination filed | Effective date: 19920113 |
 | RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: NEOPOST INDUSTRIE |
 | 17Q | First examination report despatched | Effective date: 19930621 |
 | GRAA | (expected) grant | Free format text: ORIGINAL CODE: 0009210 |
 | AK | Designated contracting states | Kind code of ref document: B1 Designated state(s): DE FR GB |
 | REF | Corresponds to: | Ref document number: 69014361 Country of ref document: DE Date of ref document: 19950112 |
 | ET | Fr: translation filed | |
 | PLBI | Opposition filed | Free format text: ORIGINAL CODE: 0009260 |
 | 26 | Opposition filed | Opponent name: PITNEY BOWES, INC. Effective date: 19950830 |
 | PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] | Ref country code: FR Payment date: 19951228 Year of fee payment: 7 |
 | PLBF | Reply of patent proprietor to notice(s) of opposition | Free format text: ORIGINAL CODE: EPIDOS OBSO |
 | PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] | Ref country code: GB Payment date: 19960312 Year of fee payment: 7 |
 | PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] | Ref country code: DE Payment date: 19960318 Year of fee payment: 7 |
 | RDAH | Patent revoked | Free format text: ORIGINAL CODE: EPIDOS REVO |
 | RDAH | Patent revoked | Free format text: ORIGINAL CODE: EPIDOS REVO |
 | RDAG | Patent revoked | Free format text: ORIGINAL CODE: 0009271 |
 | STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: PATENT REVOKED |
 | GBPR | Gb: patent revoked under art. 102 of the ep convention designating the uk as contracting state | Free format text: 960722 |
 | 27W | Patent revoked | Effective date: 19960722 |