-
This application is a continuation-in-part of U.S. Serial No. 08/091,098, filed with the United States Patent and Trademark Office on July 13, 1993.
-
This invention relates generally to electronic postage meters, and more particularly the invention relates to a postage meter having electronic access control for enhanced security.
-
A postage meter normally includes a postage selection mechanism, a postage printing mechanism, and a plurality of internal registers for maintaining accounting information. The internal registers most commonly contain numerical values representative of the total postage paid for (control total), the total postage printed (ascending balance or ascending register), and the total postage remaining (descending balance or descending register). The information contained in the internal registers is redundant, since the ascending balance and descending balance normally sum to the control total.
-
Prior to using the meter, a user must buy from a postal service employee a fixed amount of postage. The postal service employee accesses the internal registers through a mechanical key lock/switch and alters the contents of the internal registers to reflect the amount of postage paid by increasing the control total and the descending balance by this amount. To use the meter, the user first selects the value of postage to be printed, and then activates the printing mechanism. The meter may be used until the descending balance reaches a predetermined minimum (e.g., until the postage paid for has been exhausted or has reached a minimum threshold value).
-
It can be seen that postage meters are subject to stringent security requirements to insure that all postage actually printed has been paid for, and that the meter is not in the possession of an unauthorized user or a licensee in default on his license. Thus, the level of security can be measured by the difficulty of activating the meter printing mechanism without correspondingly updating the counting registers within the meter, and also by the difficulty of altering or losing the meter register values, whether intentionally, inadvertently, or accidentally. To this end, the print mechanism and the counting registers are located within a secure housing, and access thereto is restricted to the manufacture of the meter under postal service supervision, with partial access also allowed to postal service employees when they reset the meter.
-
The present invention provides enhanced security by replacing the mechanical key lock/switch with an electronic access control system requiring the participation of the meter manufacturer prior to resetting of the meter.
-
The present invention provides improved security, facilitates the administration and control of postage meters, and enhances the collection of data on the meter population. Briefly, and in accordance with the invention, a postage meter is reset by a postal service employee only after an encrypted security code is issued to the postal employee by the meter manufacturer or other authorized entity.
-
After the meter is delivered to the postal employee, the employee activates a Security Access mode in the meter by activating a dedicated switch in the meter or alternatively by depressing a specific combination of keys, which keys may be located on the main keyboard used for all functions in all modes or, alternatively, may be located on an auxiliary keyboard dedicated to resetting functions only. The switch and/or the auxiliary keyboard, if either or both are used, will normally be located in a chamber in the meter which is sealed by a wire and crimped lead removable by the postal employee.
-
Thereafter, the postal employee sends a coded two-part password to the meter manufacturer, the first part of which identifies the postal employee or the post office station and, if validated by the meter manufacturer, enables the transmittal of the second part which identifies the meter and can provide other information as prescribed by the postal authorities and the meter manufacturer. The manufacturer, through a central computer for example, verifies the password and issues an encrypted security code which is required to enable the postage reset operation. Alternatively, the password might not be correct or might identify an unauthorized meter, in which case the security code is withheld and possibly the meter is confiscated.
-
The security code can be a changing code which is operable only once, or a fixed code which can be used repeatedly. The security code is entered into the meter by the main or auxiliary keyboard, and when the meter verifies the code, the meter is placed in a post office reset (PO) mode which enables the reset of revenue registers. After reset of the registers, the meter is returned to a standard operating mode by the postal employee using keyboard entries.
-
The invention and objects and features thereof will be more readily apparent from the following detailed description and dependent claims when taken with the drawing.
- Fig. 1 is a functional block diagram of an electronic postage meter in which the present invention is employed; and
- Figs. 2a and 2b are a flow diagram of the process in resetting a postage meter in accordance with the invention.
- Figs. 3a and 3b are a flow diagram of a modified process in resetting a postage meter in accordance with the invention.
-
Referring now to the drawing, Fig. 1 is a block diagram of a postage meter 10 in which the present invention is employed. Meter 10 includes a print mechanism 12, accounting registers, and control electronics, all enclosed within a secure meter housing 13. A keyboard 14 and a display 16 provide the user interface. A connector 17 provides an electrical connection with a mailing machine for control of the printing process. The control electronics includes a digital microprocessor 18 which controls the operation of the meter, including the basic functions of printing and accounting for postage, and optional features such as department accounting. The microprocessor is connected to a clock 20, a read only memory (ROM) 22, a random access memory (RAM) 24, and a battery-augmented memory (BAM) 26.
-
ROM 22 is primarily used for storing nonvolatile information such as software and data/function tables necessary to run the microprocessor. The ROM can only be changed at the factory. RAM 24 is used for intermediate storage of variables and other data during meter operation. BAM 26 is primarily used to store accounting information that must be kept when the meter is powered down. The BAM is also used for storing certain flags and certain information that is necessary to the functioning of the microprocessor. Such information includes meter identifying data such as the meter serial number and the BAM initialization date, a control total (CT) register, a descending register (DR), an ascending register (AR), and an encrypted security code. A sealed switch or an auxiliary keyboard 28, if either or both are provided, will be located within the secure meter housing 13.
-
The postage meter is delivered to a post office employee for resetting the descending register. The postal employee must place the meter into a Security Access mode as a prerequisite to setting the registers; in this operating mode, the meter can receive an encrypted security code which will be provided by the meter manufacturer's central office computer. In one implementation, neither the sealed switch 28 nor the auxiliary keyboard 28 is provided: Security Access and PO modes are both set through the main keyboard 14 alone. In a second implementation, auxiliary keyboard 28 is not provided; Security Access mode is set using the sealed switch 28, and PO mode is set using main keyboard 14. In a third implementation, Security Access mode is set by sealed switch 28, and PO mode is set using auxiliary keyboard 28 within the secure meter housing. In a fourth implementation, sealed switch 28 is not provided, and Security Access and PO modes are set by means of auxiliary keyboard 28 alone within the secure meter housing.
-
A postal identification password is then transmitted to the meter manufacturer's central office computer by the postal employee at 33, which identifies either the employee or the post office. If this identification is recognized, the employee then transmits the meter identification password, and the computer sends back an encrypted security code which will enable the employee to place the meter into PO mode for accessing the descending register. The postal employee then enters the encrypted security code through the keyboard on the meter or through the auxiliary keyboard to put the meter into a reset mode. The meter can be made resistant to trial-and-error experimentation or hacking by requiring that the code must be entered correctly within a specified number of attempts. Exceeding the retry limit puts the meter into a lockout mode where the meter can be neither reset nor operated to print postage. The meter manufacturer must then be contacted for additional specific procedures for clearing the lockout.
-
The encryption algorithm can produce a changing code which is unique to an individual meter and valid for a single postage value reset transaction. In this version, each change from the PO mode to reset mode requires a complete new cycle of communication with the manufacturer's central computer. In another software version, the encrypted security code issued by the central office computer is unique to the individual meter, but may be used as many times as desired to switch the meter from Security Access mode to PO mode with no further access to the manufacturer's central computer.
-
The dedicated switch or auxiliary keyboard may be located inside a door in the meter cover which can be secured by sealing with a wire and crimped lead as required by postal regulations for physical security of the key lock/switch. Once the encrypted security code has been entered, the meter can be designed to allow the remainder of the transaction to be done through the auxiliary keyboard or the main keyboard.
-
Figs. 2a and 2b are a flow diagram of the resetting process. The meter as delivered to the post office by the user or meter manufacturer's representative at 30 for reset is in a standard operating mode. The postal employee puts the meter in the Security Access mode at 32 using the sealed switch or auxiliary keyboard 28 in Fig. 1. The postal employee then sends a coded password to the meter manufacturer's central computer by telephone line from a computer terminal with modem in the post office or by voice communication using the telephone either via an audio response unit or through an intermediary operator. The postal identification password contains identifying information as prescribed by the postal authorities, which may include any or all of the following:
- Post office station identity code
- Postal employee identity code
If the postal identification password is not recognized by the meter manufacturer's computer at 35, the computer aborts the procedure and defaults to a live operator at 38, who can then take action appropriate to the circumstances. If the postal identification password is recognized by the computer, the computer then accepts the entry of the meter identification password at 34; content of the meter identification password is determined by the meter manufacturer and may include any or all of the following:
- Post office station identity
- Postal employee identity
- Meter serial number
- User's meter license number (unique to user)
- Meter status: "In Service," "New Installation," or "Withdrawal"
- Revenue register contents (DR, AR and CT)
-
The manufacturer's computer then validates the password at 36. If the password is not recognized or if the meter license number has been flagged in the computer as being invalid, the computer aborts the procedure and defaults to a live computer operator at 38 who can then take action appropriate to the circumstances.
-
If the password is recognized but the user has a delinquent account as noted at 40, the live operator again takes over at 38. If the account is not delinquent, then the central computer issues an encrypted security code to the postal employee at 42. The encrypted security code can be used to enable the postage reset operation if correctly entered in a specified number of tries. The encrypted security code will appear on the post office video display terminal, VDT, screen, if used, or else will be heard by the postal employee over the telephone, either synthesized through the audio response unit, ARU, or spoken by the meter manufacturer's operator.
-
The security code in accordance with one embodiment is encrypted as a changing code which works only once in enabling the meter. Alternatively, the security code can be encrypted as a fixed code which works repeatedly with the meter without further communication with the central processor. The encrypted security code can also contain other identifying information as prescribed by postal authorities including any or all of the following:
- Meter serial number
- User's meter license number
- Meter status: "In Service," "New Installation," or "Withdrawal"
-
The postal employee then enters the encrypted security data into the meter by means of the main keyboard or by the auxiliary keyboard as shown at 44. If the meter verifies the encrypted security code at 46, then the meter moves from the Security Access mode to the PO mode at 48 which enables the reset of the descending registers. However, if the password verification at 46 is unsuccessful and the maximum number of retries has not been reached as determined at 48, then an error message instructing the employee to try again is noted at 50. If the password verification is unsuccessful within a predetermined number of attempts, the meter goes into a lockout mode at 52 and the manufacturer must be contacted for specific additional procedures to clear the lockout and allow the resetting process to continue.
-
If the code is validated by the meter at 46, the meter then goes to the reset mode at 54 which enables the reset of the descending register. The postal employee then resets the meter registers using either the main or auxiliary keyboards at 56. Thereafter, the meter is returned to the standard operating mode by the postal employee through use of keyboard entries at 58, and the meter is returned to the user or to the meter manufacturer's representative at 60.
-
The invention provides a number of advantages as compared to the existing system of a mechanically locked key switch located behind a sealed door, including greatly improved security, better protection of postal service revenues, easier and more effective administration and control of postage meters, real time control of meters, and enhanced collection of data on the meter population. The electronic key aspect of the system provides access via encrypted security codes that are unique to a single meter as opposed to the present key lock system in which many meters are keyed alike with a single key. Thus, in the fixed code software version, a stolen code would allow ongoing illegal access but only to one particular meter. Further, in the changing code software version, a stolen code cannot provide any illegal access since each encrypted security code can be used only once.
-
Better administration and control of meters is provided since a meter manufacturer can request the post office to cancel a meter license for nonpayment of rental fees. If the company is not successful in retrieving a meter after the license has been cancelled for nonpayment, the meter's serial number and use status in the password can be flagged so that the meter is identified when the password is transmitted. The meter manufacturer can then prevent the reset by programming its computer to refuse an encrypted security code to specified passwords, and if desired, may also telephone the postal employee to request confiscation of the meter thus realizing real time control of meters. Further, the password can be used for data collection which is useful to the meter manufacturer and the postal service in maintaining real time control of the meters and for determining revenue usage patterns and meter inspection data. By including this data as part of the password, automatic and accurate reporting of the information in a standardized format to the central computer system is provided.
-
The resetting process described hereinbefore provides security in permitting access to the postage meter for resetting the value of credit only to an authorized postal employee. In a modification of the process, increased security in respect of the variable amount of credit entered into the meter is provided such that only a variable amount of credit authorized by the manufacturer's central computer can be entered into the postage meter and hence the central computer can maintain a record of the amount of credit with which a postage meter is reset in each resetting transaction. Accordingly, even if a resetting transaction is carried out in an unauthorized and possibly fraudulent manner, the post office can be provided with a copy of the record of resetting transactions from the central computer to enable verification of each resetting transaction and hence of proper accounting for the credit values entered into the meter.
-
Figs. 3a and 3b are a flow diagram of the modified resetting process. Steps in the flow chart of Figs. 3a and 3b which correspond to and are the same as those of the flow chart of Figs. 2a and 2b are referenced with the same reference numerals. After the meter is delivered to the post office by the user or meter manufacturer's representative at 30, the postal employee puts the meter into the Security Access mode at 32 by opening a post office seal on the meter and using the sealed switch or auxiliary keyboard 29 in Fig. 1, and the postal employee sends a post office identification code at 33 to the meter manufacturer's central computer by telephone line from a computer terminal in the post office or by voice communication using the telephone either via an audio response unit or through an intermediary operator at the location of the central computer.
If the post office identification code is recognized by the central computer the post office employee then sends a meter password at 61 relating to the specific postage meter to be reset and to a variable credit amount (ΔC) by which the amount in the descending register of that meter is to be incremented in the resetting process to the meter manufacturer's computer. Accordingly the meter identification password includes any or all of the information items set out hereinbefore in relation to Fig. 2a and 34 and also includes the selected variable credit amount (ΔC). Also values stored in other registers of the meter may be required to be sent. The central computer carries out a validation routine at 61 in respect of the information sent by the postal employee. If the received information is valid and if the user does not have a delinquent account as determined at 40, the central computer generates an encrypted security code and this security code is transmitted at 62 to the postal employee. If the computer does not recognize the post office identification at 35, the information sent to the computer is not validated at 61 or the account is delinquent at 40, the procedures as shown in Fig. 2a and described hereinbefore are carried out.
-
The encrypted security code generated by the central computer and transmitted to the postal employee is generated using the variable amount of credit (ΔC). In addition it is preferred that apart from being based on the amount of credit (ΔC), the security code changes for each resetting transaction and works only once for permitting resetting of the postage meter. Accordingly in addition to being based on the variable credit amount (ΔC), the code is preferably based on a pseudo-random number generated by a pseudo-random number generator in the central computer which is incremented for each resetting transaction. The pseudo-random number generator may be implemented by a microprocessor of the central computer and an algorithm.
-
Upon receipt of the encrypted security code transmitted from the central computer, the postal employee enters into the meter at 63 by means of the main keyboard or the auxiliary keyboard the received encrypted security code together with the variable amount of credit (ΔC). The microprocessor 18 of the postage meter operates in conjunction with an algorithm to generate an internal code based on the entered variable amount of credit (ΔC) in the same manner as the central computer and compares the encrypted security code input by the postal employee with the internal code generated in the meter to validate at 64 the entered encrypted security code. If the comparison is successful the microprocessor 18 of the meter resets the credit in the meter by incrementing the descending register of the meter by the amount of credit (ΔC). If the comparison is unsuccessful, the meter carries out the procedure as shown at 48, 50 and 52 as described hereinbefore in relation to Fig. 2b. The postal employee verifies at 65 the setting of the registers to verify that the resetting procedure has been carried out satisfactorily and restores the meter to standard operating mode by entry on the keyboard, either main or auxiliary. If the post office seal has been opened for the resetting procedure, the meter is resealed and the meter is released by the post office at 60 and returned to the user or manufacturer's representative.
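The modified process above, as an added sketch that is not taken from the patent (which does not specify its encryption algorithm): HMAC-SHA256 with HOTP-style truncation stands in for the unspecified algorithm, a per-meter transaction counter stands in for the incremented pseudo-random number, and the class names, 8-digit code length, three-try limit, integer ΔC units and sample key are all assumptions. It shows the code being bound to ΔC, working only once, and the retry lockout; the PO mode and the keyboard return to standard mode are collapsed into one step.

```python
import hashlib
import hmac
import struct

MAX_TRIES = 3  # assumed; the page only says "a specified number" of attempts

def security_code(key, serial, counter, delta_c, digits=8):
    """One-time code bound to meter serial, transaction counter and credit."""
    msg = serial.encode() + b"|" + struct.pack(">QQ", counter, delta_c)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    off = mac[-1] & 0x0F  # HOTP-style truncation to keypad-friendly digits
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

class CentralComputer:
    def __init__(self):
        self.meters, self.ledger = {}, []

    def enroll(self, serial, key):
        self.meters[serial] = {"key": key, "counter": 0, "flagged": False}

    def issue(self, serial, delta_c):
        rec = self.meters.get(serial)
        if rec is None or rec["flagged"]:
            return None  # code withheld; the page hands this to a live operator
        code = security_code(rec["key"], serial, rec["counter"], delta_c)
        self.ledger.append((serial, rec["counter"], delta_c))  # audit record
        rec["counter"] += 1
        return code

class Meter:
    def __init__(self, serial, key, dr=0, ar=0):
        self.serial, self._key = serial, key
        self.dr, self.ar, self.ct = dr, ar, dr + ar
        self.counter, self.failures, self.mode = 0, 0, "STANDARD"

    def security_access(self):
        if self.mode == "STANDARD":
            self.mode = "SECURITY_ACCESS"

    def reset(self, code, delta_c):
        if self.mode != "SECURITY_ACCESS":
            return "REFUSED"
        # Recompute the code "in the same manner as the central computer".
        want = security_code(self._key, self.serial, self.counter, delta_c)
        if not hmac.compare_digest(want.encode(), code.encode()):
            self.failures += 1
            if self.failures >= MAX_TRIES:
                self.mode = "LOCKOUT"  # neither reset nor printing until cleared
                return "LOCKOUT"
            return "TRY_AGAIN"
        self.dr += delta_c  # credit the descending register ...
        self.ct += delta_c  # ... and keep CT == AR + DR
        self.counter += 1   # the accepted code can never validate again
        self.failures, self.mode = 0, "STANDARD"
        return "OK"

def demo():
    key = b"constructed-demo-key-not-a-real-secret"  # constructed sample value
    hq, meter = CentralComputer(), Meter("SN-0001", key, dr=120, ar=880)
    hq.enroll("SN-0001", key)
    code = hq.issue("SN-0001", 50000)     # manufacturer authorises 50000
    meter.security_access()
    out = [meter.reset(code, 90000)]      # valid code, inflated credit
    out.append(meter.reset(code, 50000))  # authorised amount
    meter.security_access()
    out += [meter.reset(code, 50000) for _ in range(3)]  # replay of used code
    return out, meter, hq
```

A code that is issued but never entered leaves the two counters out of step; this sketch does not implement resynchronisation.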
-
It is envisaged that the central computer is located at a meter manufacturer's premises and is operated by the meter manufacturer. However, if desired the central computer may be located in post office premises and be operated by the post office. The computer may be a central installation or may be a distributed system located in the post office.
-
While the invention has been described with reference to a specific embodiment, the description is illustrative of the invention and is not to be construed as limiting the invention. Various modifications and applications may occur to those skilled in the art without departing from the true spirit and scope of the invention as defined by the appended claims.