EP0717379A2 - Procédé pour l'amélioration de la sécurité des machines à timbrer pendant le transfert du crédit - Google Patents

Procédé pour l'amélioration de la sécurité des machines à timbrer pendant le transfert du crédit Download PDF

Info

Publication number
EP0717379A2
EP0717379A2 EP95250286A EP95250286A EP0717379A2 EP 0717379 A2 EP0717379 A2 EP 0717379A2 EP 95250286 A EP95250286 A EP 95250286A EP 95250286 A EP95250286 A EP 95250286A EP 0717379 A2 EP0717379 A2 EP 0717379A2
Authority
EP
European Patent Office
Prior art keywords
franking machine
data center
transaction
franking
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
EP95250286A
Other languages
German (de)
English (en)
Other versions
EP0717379A3 (fr
EP0717379B1 (fr
Inventor
Enno Bischoff
George G. Gelfer
Wolfgang Dr. Thiel
Andreas Wagner
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Francotyp Postalia GmbH
Original Assignee
Francotyp Postalia GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Francotyp Postalia GmbH filed Critical Francotyp Postalia GmbH
Priority to EP00250033A priority Critical patent/EP0996097B1/fr
Priority to EP00250032A priority patent/EP0996096B1/fr
Publication of EP0717379A2 publication Critical patent/EP0717379A2/fr
Publication of EP0717379A3 publication Critical patent/EP0717379A3/fr
Application granted granted Critical
Publication of EP0717379B1 publication Critical patent/EP0717379B1/fr
Anticipated expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07BTICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B17/00Franking apparatus
    • G07B17/00185Details internally of apparatus in a franking system, e.g. franking machine at customer or apparatus at post office
    • G07B17/00362Calculation or computing within apparatus, e.g. calculation of postage value
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07BTICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B17/00Franking apparatus
    • G07B17/00016Relations between apparatus, e.g. franking machine at customer or apparatus at post office, in a franking system
    • G07B17/0008Communication details outside or between apparatus
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07BTICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B17/00Franking apparatus
    • G07B17/00016Relations between apparatus, e.g. franking machine at customer or apparatus at post office, in a franking system
    • G07B17/0008Communication details outside or between apparatus
    • G07B2017/00153Communication details outside or between apparatus for sending information
    • G07B2017/00161Communication details outside or between apparatus for sending information from a central, non-user location, e.g. for updating rates or software, or for refilling funds
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07BTICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B17/00Franking apparatus
    • G07B17/00185Details internally of apparatus in a franking system, e.g. franking machine at customer or apparatus at post office
    • G07B17/00193Constructional details of apparatus in a franking system
    • G07B2017/00241Modular design
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07BTICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B17/00Franking apparatus
    • G07B17/00185Details internally of apparatus in a franking system, e.g. franking machine at customer or apparatus at post office
    • G07B17/00193Constructional details of apparatus in a franking system
    • G07B2017/00258Electronic hardware aspects, e.g. type of circuits used
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07BTICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B17/00Franking apparatus
    • G07B17/00185Details internally of apparatus in a franking system, e.g. franking machine at customer or apparatus at post office
    • G07B17/00362Calculation or computing within apparatus, e.g. calculation of postage value
    • G07B2017/00419Software organization, e.g. separation into objects
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07BTICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B17/00Franking apparatus
    • G07B17/00733Cryptography or similar special procedures in a franking system
    • G07B2017/0079Time-dependency

Definitions

  • the invention relates to a method for improving the security of franking machines in credit transfer, especially in fund transfer back to the data center, according to the type specified in the preamble of claim 1.
  • a franking machine generally creates an imprint in a form agreed with the post right-aligned, parallel to the upper edge of the mail item, starting with the content of the postage in the postmark, the date in the day stamp and stamp imprints for the advertising slogan and, if applicable, the type of shipment in the election print stamp.
  • the post value, the date and the type of shipment form the variable information to be entered according to the item.
  • the postage value is usually the transport fee paid in advance by the sender, which is taken from a refillable credit register and used to clear the mail item.
  • a register is only counted up depending on the frankings made with the postage value and is read at regular intervals by a postal inspector.
  • a known franking machine is equipped with at least one input means, an output means, an input / output control module, a program, data and in particular storage device carrying the accounting register, a control device and a printer module.
  • measures must also be taken so that the printing mechanism cannot be misused for unpredictable impressions when it is switched off.
  • the invention relates in particular to franking machines which provide a fully electronic impression for franking mail, including an advertisement cliché. The result of this is that a valid franking that has not been invoiced must only be prevented when it is switched on.
  • EP 578 042 A2 A method for controlling the column-by-column printing of a postage stamp image in a franking machine has also already been proposed EP 578 042 A2, which separately and separately composes fixed and variable data converted into graphic pixel image data during column-by-column printing. It would therefore be difficult to manipulate the print control signal without high and expensive effort when printing at a high speed.
  • the memory device comprises at least one non-volatile memory module which contains the currently remaining remaining credit, which results from the fact that the respective postage value to be printed is subtracted from a credit previously loaded into the franking machine.
  • the franking machine blocks when the remaining credit is zero.
  • Known franking machines contain in at least one memory three relevant post registers for the total value used (increasing register), remaining credit remaining (falling register) and registers for a checksum. The checksum is compared with the sum of the total value used and the available credit. A check for correct billing is already possible with this.
  • the data center for receiving register data and for checking whether the franking machine is still connected to a specific telephone number - establishes a connection with the franking machine after a defined period of time and the franking machine responds only at predetermined times.
  • the communication of the data center with the franking machine need not be limited to mere transfer of credit into the franking machine. Rather, if the franking machine is deregistered, the communication between the data center and the franking machine is used to transfer the remaining credit of the franking machine to the data center. The value in the falling post register of the franking machine is then zero, which effectively puts the franking machine out of operation.
  • a security housing for franking machines which has internal sensors, is known from DE 41 29 302 A1.
  • the sensors are especially with a battery connected switches, which become active when the security housing is opened, in order to erase a memory storing the residual value credit (falling postal register) by interrupting the energy supply.
  • the residual value credit fallsing postal register
  • unauthorized access to use of the franking machine is also to be prevented by blocking the franking machine if a predetermined password is entered incorrectly.
  • the franking machine can be set by means of a password and corresponding input on the keyboard so that franking is only possible during a predetermined time interval or times of day.
  • the password can be entered by a personal computer via MODEM, by a chip card or manually in the franking machine. After positive The franking machine is released for comparison with a password stored in the franking machine.
  • a security module (EPROM) is integrated in the control module of the accounting unit.
  • an encryption module (separate microprocessor or program for FM-CPU based on DES or RSA code) is provided, which generates an identification number in the franking stamp that includes the postage value, the subscriber number, a transaction number and the like. If there is enough criminal energy, a password could also be researched and, together with the franking machine, brought into the possession of a manipulator.
  • a remote inspection system for franking machines has already been proposed in US Pat. No. 4,812,965, which is based on special messages in the printing of mail pieces that have to be sent to the central office, or on a remote query via MODEM. Sensors within the postage meter machine are to detect any counterfeiting act that has been carried out, so that a flag can be set in associated memories if the postage meter machine has been tampered with for manipulation purposes. Such an intervention could take place in order to load an unpaid credit into the register.
  • the franking machine is blocked by a signal from the data center during remote inspection via modem.
  • a clever manipulation could consist in returning the flag and the registers to the original state after franking imprints have not been billed. Such manipulation would not be recognizable via remote inspection by the data center if this reversed manipulation was prior to the remote inspection.
  • the manipulator allows the franking machine to be returned to its original state in sufficient time. This means that no higher security can be achieved.
  • a security imprint in accordance with FP's own European patent application EP 576 113 A2 provides symbols in a marking field in the franking stamp which contain cryptified information. This allows the postal authority, which interacts with the data center, to identify manipulation of the franking machine at any point in time from the respective security imprint. It is technically possible to continuously check such pieces of mail provided with a security imprint by means of appropriate security markings in the stamp image, but this means additional effort in the post office. In the case of a control based on random samples, however, manipulation is usually only detected late.
  • a franking machine with program sequence monitoring is known from US Pat. No. 4,785,417.
  • the correct execution of a larger program section is checked by means of a special code assigned to each program section, which code is stored in a specific memory cell in RAM when the program section is called up. It is now checked whether the code stored in the aforementioned memory cell is still present in the program section currently running. If, during manipulation, one part of the program was interrupted and another part of the program was running, an error can be determined by such a control question. The comparison can only be carried out in the main process. Secondary processes, for example safety-relevant calculations, which are used by several main processes, can be carried out by such monitoring However, the execution of the program section cannot be checked because the program control takes place independently of the program sequence.
  • a method for changing the configuration of the franking machine is also known from US Pat. No. 5,077,660, wherein the franking machine can be switched from the operating mode to a configuration mode by means of a suitable input via a keyboard and a new meter type number can be entered which corresponds to the desired number of features.
  • the franking machine generates a code for communication with the computer of the data center and the input of the identification data and the new meter type number in the aforementioned computer, which also generates a corresponding code for transmission and input into the franking machine, in which the two codes are compared. If they match Both codes are used to configure the franking machine and switch to the operating mode.
  • the data center always has precise records of the meter type set for the corresponding franking machine.
  • security depends solely on the encryption of the transmitted code.
  • EP 388 840 A2 discloses a comparable security technique for setting a franking machine in order to clean it of data without the franking machine having to be transported to the manufacturer.
  • security depends solely on the encryption of the transmitted code.
  • the franking machine periodically communicates with the data center.
  • a blocking means allows the franking machine to block after a predetermined time or after a predetermined number of operation cycles and provides a warning to the user.
  • To unlock an encrypted code must be entered from the outside, which is compared with an internally generated encrypted code.
  • the billing data are included in the encryption of the aforementioned code. It is disadvantageous that the warning occurs at the same time as the franking machine is blocked, without the user being able to change his behavior accordingly in good time.
  • a franking machine is known from US Pat. No. 5,243,654, where the current time data supplied by the clock / date module are compared with stored decommissioning time data. If the stored shutdown time is reached by the current time, the franking machine is deactivated, that is to say printing is prevented.
  • the franking machine is transmitted an encrypted combination value and a new period is set, which makes the franking machine operational again.
  • the total amount of consumption which contains the total postage used and is read by the data center, is also part of the encrypted combination value. After decoding the combination value, the amount of consumption sum is separated and compared with the amount of consumption amount stored in the franking machine.
  • the franking machine is automatically blocked. This solution ensures that the franking machine periodically reports to the data center in order to transmit accounting data.
  • use cases are quite conceivable where the amount of mail to be franked fluctuates (seasonal operation). In these cases, the franking machine would disadvantageously be blocked unnecessarily often.
  • a second step the aforementioned central station is supplied with information relating to a desired change in order to reduce the total amount of postal values available in the aforementioned postal device and with a clear identification regarding the aforementioned postal device.
  • a third step includes receiving from the central station and inputting a first unique code into the aforementioned postal device, the input being operated to reduce the total amount of postal values stored in the postal device in accordance with the aforementioned request.
  • a generation of a second unique code is provided in the postal device when the first unique code has been entered into the postal device, the second unique code providing an indication such that the aforementioned postage value is available for printing on the mail , has been reduced in the aforementioned postal device.
  • the task was to solve the disadvantages of the prior art and to ensure a significant increase in security when transferring credit.
  • the solution according to the invention is based on the one hand on the knowledge that only data stored centrally in a data center can be adequately protected against manipulation.
  • a significant increase in security and synchronicity in the stored data is achieved by reporting data on the franking machine before each predetermined action. Also increases the reporting in more or less large intervals, especially for reloading a credit in connection with the above logging, the security against any manipulation.
  • the data to be stored centrally include at least the date, time, identification number of the franking machine (ID number or PIN) and the type of data (for example register values, parameters) when the franking machine starts communication with the data center.
  • ID number or PIN identification number
  • type of data for example register values, parameters
  • the control unit of the postage meter machine checks whether a defined sequence for entering the side into the special mode for negative remote value specification has been carried out with predetermined actuating means and whether a predetermined period of time has been observed during the negative remote value specification and whether further steps for the automatic implementation of the communication have to be carried out if necessary, to complete the retransmission if the previous steps for executing a negative remote value specification were interrupted or incorrect encrypted data were transmitted to the franking machine.
  • communication between the franking machine and the data center takes place at least with encrypted messages, the DES algorithm preferably being used.
  • the franking machine thus has at least two special modes for solving the task.
  • a first mode is provided in order to prevent the franking machine from franking with postage values in the case of fraudulent actions or in the event of manipulation (kill mode). This inhibition can be removed by an authorized person on the next inspection on site.
  • the franking machine has a further mode in order, if selected criteria are met, to cause the franking machine to automatically communicate with the data center, if necessary.
  • a further mode is the special mode of negative remote value transmission or a second (sleeping) mode. After completion of the special mode, only a limited number of ZERO frankings is possible for the purpose of checking the franking machine.
  • security is achieved by a predetermined operating sequence while switching on the franking machine for a side entry into the special mode, negative remote value specification and later, when the franking machine has started the communication connection, by encrypted transmission Messages during two transactions.
  • a predetermined default request is stored in the data center and in the franking machine. It is therefore no longer necessary to retransmit the preset request already saved during a second transaction.
  • a corresponding default value is subtracted from the content of the DescendingRegister or a negative value is added, so that a zero credit is stored in the franking machine.
  • the franking machine switches to the aforementioned first mode in order to lock the franking machine for franking with a postage value ( Kill mode).
  • the authorized operator (service technician) from the data center changes a previously entered side entry into the special mode negative remote value specification.
  • the operating sequence that will be valid in the future can at least partially be transmitted in connection with at least one transaction during a positive or negative remote value specification.
  • An authorized operator of the franking machine preferably the service technician, carries out a predetermined operating action for entering the special remote negative value setting mode, which apart from the service technician is only known to the data center.
  • a special flag is set, which is evaluated as a special transaction request.
  • the data center also monitors the time when a transaction in the special mode negative remote value specification is carried out.
  • the register data of the franking machine can be checked centrally when a connection is established again to carry out a remote value specification, for example to top up a credit. Either if the transaction remains incomplete, the franking machine automatically reconnects to complete the transaction or the authorized service technician provides the data center with a message about the current state of the franking machine by the end of the day in order to cancel the data transmitted in the special mode, negative remote mode. Otherwise, the time monitoring on the part of the data center after the end of the predetermined period of time results in an acknowledgment of the data transmitted in the special mode, negative remote value specification.
  • security is checked by checking the operating sequence for agreement with a predetermined operating sequence in the franking machine and by checking the desired request in the data center for agreement with one stored there Code for a predetermined default request increased. It is possible to change the operating sequence as a function of time, the same calculation algorithm being used in the data center and in the franking machine in order to determine a current operating sequence. This makes it unnecessary to transfer a valid operating sequence from the data center to the franking machine.
  • security is increased by a combination of a number of measures.
  • a distinguishable logon to the data center takes place.
  • this transmits a new security flag X and / or a predetermined operating sequence for a page entry into the special mode negative remote value specification to the franking machine if the franking machine was switched on normally and establishes the communication connection, a predetermined transaction request being made in a first transaction the data center and in the franking machine.
  • a check is carried out in the data center as to whether the transmitted default request corresponds to a predetermined default request.
  • a new code word or security flag and / or operating sequence is transmitted to the franking machine, and in a second transaction the registered transaction is carried out and, in accordance with the desired request, a default value in the corresponding memory of the franking machine and also for checking the transaction added in a corresponding memory of the data center.
  • the service technician For a page entry into the special mode negative remote value specification, the service technician must carry out the operating sequence while switching on the franking machine as it was transmitted by the data center, that is to say pressing a certain key combination at the same time as switching on.
  • the franking machine is reloaded with a negative credit, in accordance with the corresponding default value, so that the result is a residual value credit of NULL.
  • the solution according to the invention also assumes that the funds stored in the franking machine must be protected against unauthorized access.
  • the falsification of data stored in the franking machine is made so difficult that the effort for a manipulator is no longer worthwhile.
  • ONE TIME PROGRAMMABLE can contain all security-relevant program parts inside the processor housing, as well as the code for forming the message authentication code (MAC).
  • the latter is an encrypted checksum that is attached to information.
  • Data encryption standard (DES), for example, is suitable as the crypto-algorithm. This means that MAC information can be attached to the relevant security and special flags or to the register data, thus increasing the difficulty of manipulating the aforementioned flags or postal registers to a maximum.
  • the method for improving the security of a postage meter machine which is capable of communicating with a remote data center and has a microprocessor in a control device of the postage meter machine also comprises forming a checksum in the OTP processor about the content of the external program memory and comparing the result with one Predetermined value stored in the OTP processor before and / or after expiry of the franking mode or operating mode, in particular during initialization (ie when the franking machine is started) or at times in which printing is not carried out (ie when the franking machine is in standby mode is operated).
  • the franking machine In the event of an error, the franking machine is then logged and subsequently blocked.
  • the time period from the sending of a third encrypted message on the part of the franking machine to the receipt of the fourth encrypted message sent from the data center to the franking machine, which triggers a zeroing of the credit value upon verification, is monitored. It is envisaged that a decremental counter or an incremental counter is used to detect that the time tl has been exceeded in the special mode as a sure indication of a failed transmission and that a special subroutine is called which prepares the special mode to carry out the negative remote value specification again and automatically triggers so that the first and second transactions are automatically repeated.
  • security is increased by an additional input security means, which is brought into contact with the franking machine, in order to return a remaining credit from an authorized person to transfer to the data center.
  • FIG. 1 each shows a block diagram of the franking machine according to the invention with a printer module 1 for a fully electronically generated franking image, with at least one input means 2 having several actuating elements, a display unit 3, and one for communicating with a data center Manufacturing MODEM 23, which are coupled via an input / output control module 4 with a control device 6 and with a non-volatile memory 5 or 11 for the variable or the constant parts of the franking image.
  • a character memory 9 supplies the necessary print data for a volatile working memory 7.
  • the control device 6 has a microprocessor ⁇ P, which with the input / output control module 4, with the character memory 9, with the volatile working memory 7 and with the non-volatile working memory 5 a cost center memory 10, with a program memory 11, with the motor of a transport or feed device, possibly with a strip release 12, an encoder (coding disk) 13 and with a clock / date module 8.
  • the individual memories can be implemented in several physically separate or combined, in a manner not shown, in a few building blocks, which are secured against removal by at least one additional measure, for example gluing on the circuit board, sealing or potting with epoxy resin.
  • FIG. 2 shows a flow chart for a franking machine with a security system according to a preferred variant of the solution according to the invention.
  • a function test with subsequent initialization is then carried out within a start routine 101.
  • This step also includes several sub-steps 102 to 105 - shown in more detail in FIG. 7 - for storing a security flag or code word.
  • step 103 if, according to step 102, a new security flag X ′ is predetermined in another Memory location E of the non-volatile memory 5 exists, this new security flag X 'is copied into the memory location of the old security flag X if there is no longer a valid security flag X stored there.
  • the security flag X can also be deleted (kill mode).
  • postage value 400 can no longer be printed in franking mode 400. If no action is taken, no new code word has been transmitted. In this case, no copying takes place and after step 104 the old security flag X is retained in the memory. Finally, the system routine 200 is reached with point s.
  • the system routine 200 comprises several steps 201 to 220 of the security system.
  • Current data is called in step 201, which is carried out further below in connection with the invention for a second mode, namely for the sleeping mode.
  • step 202 it is checked in step 202 whether the criteria for entering the sleeping mode are met. If this is the case, a branch is made to step 203 in order to display at least one warning by means of the display unit 3. According to the above In every case point t is reached.
  • the security flag X can be a MAC-secured security flag as well as an encrypted code.
  • the validity of the security flag X is checked, for example, in step 409 of a franking mode 400 by means of a selected checksum method within one OTP processor (ONE TIME PROGRAMMABLE) carried out, which internally contains the corresponding program parts and also the code for forming a MAC (MESSAGE AUTHENTIFICATION CODE), which is why the manipulator cannot understand the type of checksum procedure.
  • Other security-relevant key data and processes are also stored exclusively in the interior of the OTP processor, for example to supplement key data with the new key transmitted from the data center to the franking machine, so that the key data thus supplemented can be used to encrypt messages that are transmitted to the data center become.
  • the same security-relevant key data or processes allow security to be placed in the postal register.
  • a further security variant which does not require an OTP processor consists in making it difficult to find the key by coding it and partially storing it in different memory areas.
  • MACs are appended to every piece of information in the security-related registers. Manipulation of the register data can be detected by checking the MAC. This routine takes place in step 406 in the franking mode, which is shown in FIG. This increases the difficulty of manipulating the postal registers as much as possible.
  • step 217 When the check in step 217 has been carried out, a relevant defect having been found and the security flag X having been deleted in step 209, the point e, ie the start of a communication mode 300, is reached and in a step 301 - shown in FIGS. 2 and 3a asked whether there was a transaction request. If this is not the case, communication mode 300 is exited and point f, ie operating mode 290, is reached. Have relevant data transmitted in communication mode, then branching to step 213 for data evaluation. Or otherwise, if the non-transmission is determined in step 211, branch to step 212.
  • step 213 for statistical and error evaluation is reached.
  • the display mode 215 is reached via step 213 and then branched back to the system routine.
  • the blocking can therefore advantageously take place in that the branching to the franking mode 400 is no longer carried out.
  • a statistical and error evaluation is carried out in step 213 in order to obtain further current data which, after branching to the system routine 200, can also be called up in step 201, for example for a aforementioned second mode or another special mode.
  • the presence of the security flag X is not queried between the points s and t but only in step 409 in the franking mode.
  • the service technician can still restore the full functionality of the franking machine by loading the new security flag X 'even after deleting the aforementioned flag. This now allows, for example, a check to be carried out to determine whether an unauthorized action actually leads to the deletion of the security flag or code word, or whether deletion has been prevented by manipulation.
  • step 217 - shown in FIG. 2 - recognizes that no prohibited side entry has been carried out.
  • An allowed side entry, which was carried out for another input, has not been shown in FIG. 2.
  • a query criterion is also provided, for example in order to recognize in step 212 whether an operating action has been carried out in order to enter a test mode.
  • the system routine 200 branches to point e. Otherwise, branching to step 220 takes place at the correct side entry in order to set a special flag for entering the special mode.
  • a further query step 219 is provided before step 220 in order to further increase the security against unauthorized calling of the special mode with a further criterion, with branching to point e of the system routine 200 if the criterion is not met.
  • query step 219 shown in FIG. 2 can query such a further criterion as to whether the identification number (ID number or PIN) has been entered. Security is already sufficiently high as a result of the side entry so that, in the interest of simpler operation, such additional additional criteria queries can also be dispensed with.
  • the special flag N set in step 220 for the special mode is also a MAC-secured flag N.
  • Security is additionally increased by a check in the data center as to whether a predetermined specification has been transmitted by the franking machine. It is provided that the transmitted request for specification is evaluated in the data center as a code to carry out a very specific transaction. The transmitted default request can be evaluated as a code in the data center to allow a fund retransfer. Otherwise, the transmitted The default request in the data center can be evaluated as a code to allow transmission for a security flag X or for an X code word.
  • FIGS. 3a and 3b show the security processes of the franking machine in communication mode on the one hand and the security processes of the data center in communication mode on the other hand.
  • step 301 - shown in FIGS. 2 and 3a - whether there is a transaction request. This can be used, for example, to top up your credit, change your phone number, etc. be put.
  • the user selects the communication or remote value default mode of the franking machine by entering the identification number (eight-digit postage request number). It is now assumed, for example, that the fund is to be transferred back in the amount of the residual value remaining in the franking machine.
  • a register query of the descending register R1, which contains the residual value, is first carried out. After the franking machine is switched off, a side entry into the special mode is carried out when the franking machine is switched on again. After entering the identification number, the entry is confirmed with the Teleset button and the default request is entered in the amount of the previously requested residual value. By entering the page, the default request is automatically evaluated as the default value to be subtracted. The default request is confirmed by pressing the Teleset button (T button).
  • FIG. 3a shows that part of the communication of a transaction that is carried out with unencrypted messages. Nevertheless, these messages can contain data that are MAC-secured, for example the identification number of the franking machine.
  • the identification number (ID number) and the intended input parameters can be entered in the following manner.
  • ID no. it can be the serial number of the franking machine, a PIN or PAN (postage call-off number), which is acknowledged by actuation by means of a predetermined T key on the input means 2.
  • PIN or PAN postage call-off number
  • the input parameter (default value) used in the last remote value specification (reloading) appears in the display unit 3 and is now overwritten or maintained by the input of the desired input parameter.
  • the input parameter is a combination of numbers which is understood as a request in the data center, for example a new security flag or code word X 'to be transmitted if an authorization to intervene has previously been obtained. If the aforementioned input parameter is entered incorrectly, the display can be deleted by pressing a C key.
  • a change is entered to load a zero-value credit in a transaction, but no authorization is obtained beforehand.
  • the input parameter therefore only serves as a new default value.
  • the value for franking is not increased in value if the input parameter has the value zero, nor is a new security flag loaded.
  • a number of items S ' can be transmitted for each communication, as can also be seen from German application P 43 44 476.8, method for improving the security of franking machines.
  • the result is only a reload in the amount of the selected new default amount, where, in contrast to the other transaction data, the default amount does not need to be transmitted to the franking machine. Rather, the fact that a valid transaction has been verified is sufficient for the franking machine to increase or decrease the content of the descending register by the amount specified in accordance with the stored request.
  • the change of the input parameter is started via the MODEM connection.
  • the input is checked (step 303) and the further process runs automatically, the process being accompanied by a corresponding display.
  • the franking machine checks whether a MODEM is connected and ready for operation. If this is not the case, the process branches to step 310 to indicate that the transaction request must be repeated. Otherwise, the franking machine reads the dialing parameters, consisting of the dialing-out parameters (main / extension, etc.) and the telephone number from the NVRAM memory area F and sends them to the modem 23 with a dial request command. The connection required for communication is then established via the MODEM 23 with the data center in a step 304.
  • Step 501 continuously checks whether a call has been made to the data center. If this is the case and the MODEM 23 has dialed the opposite side, the connection is established in parallel in the data center in step 502. And in step 503, it is constantly monitored whether the connection to the data center has been released. If this is the case, an error message in step 513 branches back to step 501.
  • the franking machine monitors in step 305 whether communication errors have occurred and, if necessary, branches back to step 304 in order to be re-established by the franking machine. After a predetermined number n of unsuccessful redials for the purpose of establishing a connection, a branch is made back to point e via a display step 310. If there was no error that could be determined in step 305, the franking machine determines in step 306 that the connection has been established and that a transaction is still to take place, branching to step 307 in order to receive an opening message or identification, pretensioning or To send register data. In the following step 308, the same check as in step 305 is carried out, i.e.
  • step 304 if a communication error has occurred, the method branches back to step 304. Otherwise, an opening message was sent from the franking machine to the data center.
  • the postage call number to announce the caller, i.e. the franking machine included in the data center.
  • This opening message is in the data center in Step 504 is checked for plausibility and further evaluated by subsequently checking in step 505 whether the data has been transmitted without errors. If this is not the case, the error message is branched back to step 513. On the other hand, if the data are error-free and it is recognized in the data center that the franking machine has made a request for reloading, then in step 506 a reply message is sent to the franking machine as the header. In step 507 it is checked whether in step 506 the leader message including the end of the leader has been sent. If this is not the case, the process branches back to step 513.
  • step 309 it is checked in step 309 whether a header has now been sent or received as a reply message by the data center. If this is not the case, the method branches back to step 310 and a transaction request is then queried again in step 301. If a header has been received and the franking machine has received an OK message, the header parameters are checked in step 311 with regard to a telephone number change. If an encrypted parameter has been transmitted, there is no change in the telephone number and a branch is made to step 313 in FIG. 3b.
  • FIG. 3b shows the security processes of the franking machine in communication mode and, in parallel, that of the data center.
  • step 313 the franking machine sends an encrypted start message to the data center.
  • step 314 the communication error message checked. If there is a communication error, the method branches back to step 304 and an attempt is made again to establish the connection to the data center in order to send the start message encrypted.
  • step 508 it is checked in the data center whether it has received the start message and whether the data is OK. If this is not the case, step 509 checks whether the error can be remedied. If the error cannot be remedied, a branch is made to step 513 after an error message has been transmitted from the data center DZ to the franking machine FM in step 511. Otherwise, error handling is carried out in step 510 and branching to step 507. If the receipt of correct data is determined in step 508, the data center begins a transaction in step 511. In the aforementioned example, at least the identification number is transmitted to the franking machine by means of an encrypted message, which receives the transaction data in step 315.
  • step 316 the data is checked. If there is an error, the method branches back to step 310. Otherwise, the same data mentioned above is stored in the data center in step 512 as in the franking machine. In step 318, the transaction with the data storage is thus completed in the franking machine. The method then branches back to step 305. If no further transaction is to take place, step 310 and then step 301 are reached for display.
  • step 211 in FIG. 2 checks whether data have been transmitted. If data has been transmitted, step 213 is reached. In accordance with the input request, the franking machine places the current default request or the new code word Y ′ or other transaction data, for example in the memory area E of the non-volatile memory 5.
  • step 304 If, however, a number combination other than zero is entered as input parameter in step 302 and the input was OK (step 303), a connection is established (step 304). And if a connection is established (step 305) without an error (step 306), an identification and header message is sent to the data center. In this opening message, also contain the postage call-off number PAN for identifying the franking machine at the data center. If the data is correct (step 505), the data center recognizes from the combination of numbers entered that, for example, a credit with a default value is to be added to the franking machine.
  • step 506 the data center then sends a reply message with the elements change of the telephone number and current telephone number in unencrypted form.
  • the franking machine that receives this message recognizes in step 311 that the telephone number should be changed.
  • the process now branches to step 312 in order to save the current telephone number.
  • the method then branches back to step 304. If the connection is still established and there is no communication error (305), a check is then made in step 306 to determine whether there is another Transaction should take place. If this is not the case, step 310 branches to step 301.
  • the transmission of the telephone number can also be MAC-secured.
  • the franking machine After the current telephone number has been saved, the franking machine automatically establishes a new connection to the data center with the aid of the new telephone number.
  • the actual transaction intended by the user, a remote value specification of the new security flag X 'or a transmission of an encrypted message suitable for verification for reloading the residual value credit in accordance with a specification request is thus automatic, i.e. carried out without further intervention by the user of the franking machine.
  • a corresponding message appears in the display that the connection is automatically re-established due to the change in the telephone number.
  • the franking machine is controlled in communication mode 300.
  • the authorized person can then also inform the data center of the completed check.
  • a communication can include a telephone number storage as well as a credit reload or fund retransfer. This means that several transactions can be carried out without interrupting communication.
  • the franking machine sends its ID number and a default value for the amount of the reload credit desired, possibly together with a MAC, to the data center.
  • the latter checks such a transmitted message against the MAC in order to then send an OK message, likewise MAC-secured, to the franking machine.
  • the OK message no longer contains the default value.
  • the transmission of a new security flag X 'or of relevant data for a change in the credit balance in the franking machine is in encrypted form, but the transmission of telephone number is in unencrypted form.
  • MAC protection is also possible. If it is determined in the data center that the connection to the postage meter machine has been terminated (step 503) or that there are faulty data (505) or unrecoverable errors (509) or that no leader has been sent (507), communication is ended. After an error message, the communication connection is released, the transmitted data is saved and evaluated in step 513 by the data center.
  • At least one encrypted message is transmitted to the data center and to the franking machine during a first transaction.
  • the default request is only contained in the encrypted message of the first transaction.
  • Every transmitted message, which contains security-relevant transaction data, is encrypted.
  • the DES algorithm for example, is provided as the encryption algorithm for the encrypted messages.
  • a transaction request results in a specially secured credit reload in the franking machine.
  • the outside of the processor is preferably protected in the cost center memory 10 postal register also during the credit reloading by means of a time control. If the franking machine is observed with an emulator / debugger, for example, then it is likely that the communication and accounting routines will not run within a predetermined time. If this is the case, ie the routines take considerably more time, part of the DES key is changed.
  • the data center can determine this modified key during a communication routine with a register query and then report the franking machine as suspect as soon as a start message is encrypted in accordance with step 313.
  • the data center determines in step 509 that the error cannot be remedied.
  • the data center cannot then carry out a transaction (step 511) because the process branches back to step 513. Since no data was received in the franking machine in step 315, the transaction was not carried out without errors (step 316).
  • the system then branches back to step 301 via step 310 in order to check again after a display whether a transaction request is still being made.
  • security requires the reliability of the authorized person (Service, inspector) and the possibility to check their presence.
  • the inspection of the seal and the inspection of the register status during an inspection of the franking machine and regardless of the data in the data center then results in the security of the inspection.
  • the control of the franked mail, including a security imprint provides additional security for verification.
  • the franking machine performs the register check regularly and / or when it is switched on and can thus recognize the missing information if the machine has been tampered with or if it has been operated without authorization. The franking machine is then blocked. Without the invention in connection with a security flag X, the manipulator would easily overcome the blockage. However, the security flag X is lost and it would take too much time and effort for the manipulator to try to determine the valid MAC-secured security flag X or code word. In the meantime, the franking machine would have long been registered as suspect in the data center.
  • a suitable processor type is, for example, the TMS 370 C010 from Texas Instruments, which has a 256 bytes E 2 PROM. This allows security-relevant data (keys, flags, etc.) to be stored in the processor in a tamper-proof manner.
  • the franking machine is effectively prevented from franking with a postage value by switching to the first mode.
  • the potential manipulator of a franking machine has to overcome several thresholds, which of course takes a certain amount of time. If there is no connection from the franking machine to the data center at certain time intervals, the franking machine becomes suspect. It can be assumed that anyone who tampering with the franking machine will hardly report back to the data center.
  • the seal of the franking machine is first checked for integrity and then the register status. If necessary, a test impression with the value 0 can be made.
  • the franking machine may have to be accessed.
  • the error registers can be read out, for example, with the help of a special service EPROM, which is inserted in the place of the advert EPROM. If the processor does not access this EPROM slot, access to the data lines is usually prevented by special driver circuits (not shown in FIG. 1). The data lines, which can be reached through a sealed housing door cannot be contacted without authorization.
  • Another variant is the reading out of error register data by a service computer connected via an interface.
  • the registers of the franking machine are queried in order to determine the type of intervention required. Before intervening in the franking machine and opening the housing, a separate call is made to the data center. If the default value is then changed to zero within a predetermined period of time and transmitted to the data center as part of a transaction, i.e. the type of intervention and the register data have been communicated to the data center, data is transmitted from a data center to the franking machine in accordance with an authorized intervention requested in the Franking machine, which is logged as an allowed intervention.
  • the franking machine is able to distinguish between requested and unauthorized intervention in the franking machine by means of the control unit of the franking machine in connection with the data transmitted by the data center, this intervention being logged as an error in the case of unauthorized intervention in the franking machine, but after the authorized intervention has taken place the original operating state is restored into the franking machine by means of the aforementioned transmitted data.
  • the processes according to the franking mode shown in FIG. 4 are explained in connection with the flow chart shown in FIG. It is also provided at times when there is no printing (standby mode) that a query regarding manipulation attempts is made and / or the checksum of the register statuses and / or the content of the program memory PSP 11 is formed.
  • the aforementioned checksum is stored by the franking machine manufacturer in a MAC-secured manner in the non-volatile memory 5 (memory area E of the NV-RAM).
  • the checksum is determined again and a MAC is formed using a stored key that has remained unchanged.
  • the aforementioned key is a tamper-proof (non-readable) partial key.
  • the old MAC-secured from NV-RAM 5 is loaded and compared with the newly determined MAC-secured checksum in the OTP.
  • the checksum is formed in the processor via the content of the external program memory PSP 11 and the result is compared with a predetermined value stored in the processor. This is preferably done in step 101 when the postage meter machine is started, or in step 213 when the postage meter machine is operated in standby mode.
  • the standby mode is reached when there is no input or print request for a predetermined time. The latter is the case if a letter sensor known per se - not shown in detail - does not determine the next envelope to be franked.
  • the step 405 in the franking mode 400, shown in FIG. 4, therefore includes a further query for a time lapse or for the number of passes through the program loop, which ultimately corresponds to the input routine Step 401 leads. If the query criterion is met, a standby flag is set in step 408 and a branch is made back directly to the point s to the system routine 200, without the billing and printing routine being executed in step 406. The standby flag is queried later in step 211 and reset after the checksum check in step 213 if no attempted manipulation is detected.
  • step 211 is expanded to include the question of whether the standby flag is set, i.e. whether the standby mode is reached.
  • step 213 is also branched to.
  • a preferred variant is to delete the security flag X in the manner already described if a manipulation attempt in standby mode has been determined in step 213 in the aforementioned manner.
  • the specially secured special flag N can also be checked in step 213, in particular if it is MAC-secured by comparing the flag content with the MAC content.
  • the absence of the security flag X is recognized in query step 409 and then branched to step 213.
  • the advantage of this method in connection with the first mode is that the manipulation attempt is statistically recorded in step 213.
  • FIG. 4 shows the flow chart for the franking mode according to a preferred variant.
  • the invention is based on the fact that after switching on, the postage value in the value print corresponding to the last entry before switching off the franking machine and the date in the day stamp corresponding to the current date are automatically specified that the variable data in the fixed data for the frame for the print and be electronically embedded for all associated data that remain unchanged.
  • the number strings (sTrings), which are entered for the generation of the input data with a keyboard 2 or via an electronic balance 22 connected to the input / output device 4 and calculating the postage value, are automatically stored in the memory area D of the non-volatile working memory 5.
  • data records of the sub memory areas, for example Bj, C etc. are also retained. This ensures that the last input values are retained even when the franking machine is switched off, so that after switching on the postage value in the value print is automatically specified in accordance with the last entry before the franking machine was switched off and the date in the day stamp is specified in accordance with the current date. If a scale 22 is connected, the postage value is taken from the storage area D.
  • step 404 it is waited until there is one currently stored. If a new input request is made in step 404, the process branches back to step 401. Otherwise, the process branches to step 405 to wait for the print output request. The letter to be franked is detected by a letter sensor and thus a print request is triggered. It is thus possible to branch to the accounting and printing routine in step 406. If there is no print output request (step 405), the process branches back to step 301 (point e).
  • a communication request can be made at any time or another input can be made in accordance with the steps test request 212, register check 214, input routine 401.
  • a further query criterion can be queried in step 405 in order to set a standby flag in step 408 if none after a predetermined time Print request is pending.
  • the standby flag can be queried in step 211 following communication mode 300. This does not branch to franking mode 400 until the checksum check has shown that all or at least selected programs are complete.
  • step 409 the presence of a valid security flag X or a corresponding MAC-secured flag X
  • the achievement of a further quantity criterion and / or in step 406 the register data collected in known manner for billing are queried.
  • the system automatically branches to point e in order to enter communication mode 300 so that a new predetermined number of pieces S is again credited by the data center.
  • the process branches from step 410 to the billing and printing routine in step 406.
  • the number of printed letters and the current values in the mail registers are registered in a non-volatile memory 10 of the franking machine in a billing routine 406 in accordance with the entered cost center and are available for later evaluation.
  • a special sleeping mode counter is caused to continue counting during the accounting routine which takes place immediately before printing.
  • register values can be queried in display mode 215. It is also provided that Print out register values with the print head of the franking machine for billing purposes. This can be done, for example, in the same way as is already explained in more detail in German Offenlegungsschrift P 42 24 955 A1.
  • variable pixel image data to be embedded in the remaining pixel image data during printing.
  • the compressed data are read from the working memory 5 and converted with the help of the character memory 9 into a printed image having binary pixel data, which is also in such a decompressed form in the volatile memory 7 is stored. Further details can be found in European applications EP 576 113 A2 and EP 578 042 A2.
  • the pixel memory area in the pixel memory 7c is therefore provided for the selected decompressed data of the fixed parts of the franking image and for the selected decompressed data of the variable parts of the franking image.
  • the actual printing routine takes place (in step 406).
  • the main memory 7b and the pixel memory 7c are connected to the printer module 1 via a printer controller 14 having a print register (DR) 15 and an output logic.
  • the pixel memory 7c is connected on the output side to a first input of the printer controller 14, at whose further control inputs there are output signals from the microprocessor control device 6. If all columns of a print image have been printed, the system branches back to the system routine 200.
  • FIG. 5 shows the process with two transactions for reloading with a credit value, preferably with a zero credit value, in simplified form.
  • a NULL remote value specification always comprises two transactions.
  • the first transaction of communication with the data center DZ comprises the notification of a predetermined default request.
  • a ZERO default request is suitable.
  • the system routine 200 - shown in FIG. 2 - is queried in step 218 as to whether the user has correctly entered the page. If this is not the case, the system branches to point e in system routine 200. A message about the opening of the appears on the display Communication when the PIN is entered and the Teleset key (T key) is pressed. In addition, the previous default value is displayed, which can be overwritten by the new default request NULL. After entering zero, the T key is pressed again. Now there is a transaction request and the communication can be carried out.
  • the first step during a first transaction comprises a sub-step 301 for checking whether a transaction request has been made and further sub-steps 302 to 308 for entering the identification and other data relating to the communication connection and to communicate with unencrypted data in order to transmit at least identification and transaction type data to the data center.
  • a first step of the first transaction comprises sub-steps 301 to 308 of the postage meter machine in order to establish the connection, for communication with unencrypted data and to transmit at least identification, transaction type and other data to the data center.
  • the transaction type data (1 byte) includes the message to the data center DZ to subsequently carry out the teleset mode for a desired positive remote value specification with the franking machine identified.
  • a second step of the first transaction comprises sub-steps 501 to 506 in the data center, for receiving the data and for checking the identification of the postage meter machine and for transmitting an unencrypted OK message to the postage meter machine.
  • the second step of the first transaction also includes sub-steps to step through a sub-step 513 in the event of incorrect unencrypted messages 505 Error message to branch to an idle point q in sub-step 501 in the data center until communication is resumed by a franking machine.
  • a third step of the first transaction comprises sub-steps 309 to 314 of the franking machine, for forming a first encrypted message Crypto cv by means of a first key Kn stored in the franking machine and for transmitting encrypted data to the data center, comprising at least the default request, identification and postal register. Data.
  • this encrypted message also includes data in the form of CRC data (cyclic redundancy check data).
  • CRC data cyclic redundancy check data
  • the default request, the identification, postal register and other data such as a checksum (CRC data) are transmitted in a message encrypted with the DES algorithm.
  • a fourth step of the first transaction which comprises sub-steps 507 to 511 in the data center, is provided for receiving and decrypting the first encrypted message.
  • a check for decryptibility is carried out using a key stored in the data center. If successful, a calculation is made in the data center to form a second key Kn + 1, corresponding to the key used by the franking machine.
  • a second encrypted message crypto Cv + 1 is then formed, which contains at least the aforementioned second key Kn + 1, the identification and the transaction data, the DES algorithm again being used for the encryption. Finally, the second encrypted message crypto Cv + 1 is transmitted to the franking machine.
  • sub-steps serve to branch to an idle state 501 in the data center in the event of unrecoverable incorrectly encrypted messages in sub-step 509 via a sub-step 513 until communication is resumed by a franking machine.
  • Sub-steps are also provided in order to branch to sub-step 510 for canceling the previous transaction in the case of incorrectly encrypted messages found in sub-step 509 but with correctable errors, and then to branch to sub-step 511 in the data center.
  • This sub-step serves to form a second key Kn + 1, which is to be transmitted in encrypted form to the franking machine, to form a second encrypted message crypto Cv + 1 and to transmit the encrypted message to the franking machine.
  • the fourth step of the first transaction includes a sub-step 512 of the data center for storing the default request, from which a branch is made to the first sub-step 701 of the second step of the second transaction in order to have the first key Kn as the predecessor key and the second key Kn + 1 as Store successor key.
  • a fifth step of the first transaction which comprises sub-steps 315 to 318 of the postage meter machine, serves to receive and to decrypt the second encrypted message, to extract at least the identification data and the transmitted second key Kn + 1 Cv + 1 , and to verify the encrypted received Notification based on the extracted identification data. Upon verification, the transmitted second key Kn + 1 Cv + 1 and the default request are stored in the franking machine. Otherwise, if not verified, the process branches back to the first step of the first transaction.
  • a second transaction begins, which is preferably triggered by an additional manual entry in step 602.
  • the second transaction is triggered or the second transaction is left in communication mode if the entry time is exceeded.
  • the T key must preferably be pressed within 30 seconds or the entry time has been exceeded and the process branches back to the first step of the first transaction. Communication can now be omitted or repeated as required.
  • a first step of the second transaction comprises substeps 602 to 608 of the franking machine for communicating with unencrypted data, for establishing the connection and for at least transmitting identification and transaction type data to the data center.
  • a second step of the second transaction which includes sub-steps 701 to 706 of the data center, is provided for receiving the data and for checking the identification of the postage meter machine and for transmitting an unencrypted OK message to the postage meter machine. It is further provided that the second step of the second transaction comprises sub-steps in order to branch to an idle state 501 in the data center in the event of faulty unencrypted messages 705 via a sub-step 513 until the communication is resumed by a franking machine.
  • a third step of the second transaction comprises sub-steps 609 to 614 of the franking machine for forming a third encrypted message crypto cv + 2 by means of the aforementioned second key Kn + 1 and for Transmission of the third encrypted message crypto cv + 2 to the data center, comprising at least identification and postal register data, but without data for a default value.
  • a fourth step of the second transaction which contains sub-steps 707 to 711 of the data center for receiving and decrypting the third encrypted message crypto Cv + 2, carries out its check for decryptibility by means of a key stored in the data center. Then a third key Kn + 2 is formed, which is to be transmitted in encrypted form to the franking machine, a fourth encrypted message crypto Cv + 3 is formed, which contains at least the aforementioned third key Kn + 2, the identification and transaction data and the transmission the fourth encrypted message crypto Cv + 3 to the franking machine.
  • the fourth step of the second transaction includes sub-steps in order to branch to an idle state 501 in the data center in the event of an unrecoverable incorrectly encrypted messages (sub-step 709) via a sub-step 513 until the communication is resumed by a franking machine. If erroneous encrypted messages with correctable errors are found in step 709, a branch is made to step 710 for canceling the previous transaction.
  • a third key Kn + 2 is then formed in sub-step 711 in the data center, which is to be transmitted in encrypted form to the franking machine.
  • the DES algorithm is used again to form a fourth encrypted message crypto Cv + 3. The encrypted message is then transmitted to the franking machine.
  • the fourth step of the second transaction for storing the default value comprises a sub-step 712 of the data center, which branches to the first sub-step 501 of the second step of the first transaction by the second key Kn + 1 as the previous key Kn-1 and store the third key Kn + 2 as successor key Kn for further first and second transactions.
  • a fifth step of the second transaction which includes sub-steps 615 to 618 of the postage meter machine, serves to receive and decrypt the fourth encrypted message, to extract at least the identification data and the transmitted third key Kn + 2 Cv + 3 and the transaction data, and to verify the received encrypted message based on the extracted identification data.
  • the transmitted second key Kn + 2 Cv + 3 and the default value in the postage meter machine are correspondingly added to the descending register value R1 and the resulting credit is stored or, if not verified, the process branches back to the first step of the first transaction.
  • a negative remote value specification in special mode differs from this ZERO remote value specification in communication mode primarily by special tamper-proof flags and time monitoring.
  • Such tamper-proof flags are, in particular, a MAC-secured security flag X and a MAC-secured special flag N.
  • a negative remote value specification for fund retransfer to the data center is shown.
  • Such a negative remote value specification comprises at least two transactions.
  • the first transaction of communication with the data center DZ comprises the notification of a predetermined default request, preferably a ZERO default request, in order to establish the consistency of the register statuses between the data center DZ and the franking machine FM.
  • the first step during a first transaction after a defined page entry into the special mode negative remote value specification compared to a normal entry into the communication mode (teleset mode) after the start of the franking machine, comprises a sub-step 301 for checking for a transaction request and further sub-steps 302 to 308 Input of the identification and other data to establish the communication connection and for communication with an unencrypted message to transmit at least identification and transaction type data to the data center.
  • Individual data in the message can again be secured by a MAC or by means of CRC data in the aforementioned manner.
  • the defined side entry is achieved by pressing a secret predetermined key combination while switching on the franking machine.
  • the control unit of the franking machine can distinguish between authorized actions (service technician) and unauthorized actions (intention to manipulate) in connection with the data previously transmitted by the data center and an input process.
  • a special flag N is set in step 220, because if the franking machine FM is switched off, the continuation of the transactions must be ensured after the franking machine is switched on again. To protect against possible manipulation, the special flag N is also stored in a non-volatile MAC-protected manner.
  • a step 209 is initiated to prevent further franking. It is provided that a predetermined key combination for each franking machine is stored in the data center and only the authorized person (service technician) is informed in order to achieve a predetermined operating sequence on the franking machine. The correct side entry causes a message on the display about the opening of the communication.
  • a flag N secured against manipulation is set in step 220 if a specific criterion is met, the specific criterion for the negative remote value specification for the special mode being at least the use of the predetermined key combination for entering the special mode when switching on the Franking machine includes.
  • the PIN is entered and the Teleset key (T key) is pressed, then the zero is entered and the T key is pressed before the communication is carried out.
  • T key Teleset key
  • Communication with the data center comprises at least two transactions, which are repeated in the event of an error, the communication being automatically resumed after an interruption and / or being carried out for as long as the aforementioned special flag N is set for the special mode, by means of which an automatic transaction request is made for the retransmission to complete the credit.
  • a first step of the first transaction comprises sub-steps 301 to 308 of the postage meter machine in order to establish the connection, for communication with unencrypted data and to transmit at least identification, transaction type and other data to the data center.
  • the transaction type data (1 byte) includes the message to the data center DZ to subsequently carry out the special mode of a desired negative remote value specification with the franking machine identified.
  • a second step of the first transaction comprises sub-steps 501 to 506 in the data center, for receiving the data and for checking the identification of the franking machine and for transmitting an unencrypted OK message to the franking machine.
  • the second step of the first transaction also includes sub-steps in order to branch to an idle state 501 in the data center in the event of faulty unencrypted messages 505 via a sub-step 513 until the communication is resumed by a franking machine.
  • a third step of the first transaction comprises sub-steps 309 to 314 of the franking machine, for forming a first encrypted message Crypto cv by means of a first key Kn stored in the franking machine and for transmitting encrypted data to the data center, comprising at least the default request, identification and postal register. Data.
  • this encrypted message in the form of CRC data includes the message to the data center DZ to subsequently carry out the special mode of a desired negative remote value specification.
  • the two-byte cyclic redundancy check is a checksum that reveals tampering with individual data processed for the checksum.
  • This checksum can include individual data or the components of all messages (transaction type) on the part of the franking machine.
  • the default request, the identification, postal register and CRC data are transmitted in a message encrypted with the DES algorithm. It is therefore not necessary to transmit MAC-encrypted or encrypted data to the data center in the first step.
  • a fourth step of the first transaction which comprises sub-steps 507 to 511 in the data center, is corresponding to receiving and decrypting the first encrypted message or checking its decryptibility by means of a key stored in the data center, to form a second key Kn + 1 the key used by the franking machine to form a second encrypted message crypto Cv + 1, which contains at least the aforementioned second key Kn + 1, the identification and transaction data, and to transmit the second encrypted message crypto Cv + 1 to the franking machine.
  • the fourth step of the first transaction also comprises sub-steps in order to branch to an idle state 501 in the data center in the event of unrecoverable incorrectly encrypted messages 509 via a sub-step 513 until the communication on the part of a postage meter machine again is recorded.
  • Sub-steps are also provided in order to branch to erroneous encrypted messages 509 with correctable errors, to a step 510 to cancel the previous transaction and then to branch to sub-step 511 in the data center.
  • This sub-step is used to form a second or third key Kn + 1, which is to be transmitted in encrypted form to the franking machine, to form a second encrypted message crypto Cv + 1 and to transmit the encrypted message to the franking machine.
  • the fourth step of the first transaction includes a sub-step 512 of the data center for storing the default request, from which the first sub-step 701 of the second step of the second transaction is branched, with the first key Kn as the preceding key and the second key Kn + 1 as the successor key save.
  • a fifth step of the first transaction which comprises sub-steps 315 to 318 of the postage meter machine, serves to receive and to decrypt the second encrypted message, to extract at least the identification data and the transmitted second key Kn + 1 Cv + 1 , and to verify the encrypted received Notification based on the extracted identification data. Upon verification, the transmitted second key Kn + 1 Cv + 1 and the default request are stored in the franking machine. Otherwise, if not verified, the process branches back to the first step of the first transaction.
  • a second transaction takes place.
  • a first step of the second transaction comprises sub-steps 602 to 608 of the franking machine for communication with unencrypted data in order to establish the connection and to at least identify and transfer transaction type data to the data center.
  • a second step of the second transaction which includes sub-steps 701 to 706 of the data center, is provided for receiving the data and for checking the identification of the postage meter machine and for transmitting an unencrypted OK message to the postage meter machine. It is further provided that the second step of the second transaction comprises sub-steps in order to branch to an idle state 501 in the data center in the event of faulty unencrypted messages 705 via a sub-step 513 until the communication is resumed by a franking machine.
  • a third step of the second transaction comprises sub-steps 609 to 614 of the franking machine for forming a third encrypted message crypto cv + 2 by means of the aforementioned second key Kn + 1 stored in the franking machine and for transmitting the third encrypted message crypto cv + 2 to the data center at least identification and postal register data, but without data for a default value.
  • a fourth step of the second transaction which contains sub-steps 707 to 711 of the data center for receiving and decrypting the third encrypted message crypto Cv + 2, carries out its check for decryptibility by means of a key stored in the data center. Then a third key Kn + 2 is formed, which is to be transmitted in encrypted form to the franking machine, a fourth encrypted message crypto Cv + 3 is formed, which contains at least the aforementioned third key Kn + 2, the identification and transaction data and the transmission the fourth encrypted Message crypto Cv + 3 to the franking machine.
  • the fourth step of the second transaction includes sub-steps in order to branch to an idle state 501 in the data center in the event of an unrecoverable incorrectly encrypted messages 709 via a sub-step 513 until the communication is resumed by a franking machine. If erroneous encrypted messages with correctable errors are found in step 709, a branch is made to step 710 for canceling the previous transaction.
  • a third key Kn + 2 is then formed in sub-step 711 in the data center, which is to be transmitted in encrypted form to the franking machine.
  • the DES algorithm is used again to form a fourth encrypted message crypto Cv + 3. The encrypted message is then transmitted to the franking machine.
  • the fourth step of the second transaction for storing the default value comprises a sub-step 712 of the data center, which branches to the first sub-step 501 of the second step of the first transaction by the second key Kn + 1 as the previous key Kn-1 and store the third key Kn + 2 as successor key Kn for further first and second transactions.
  • a fifth step of the second transaction which includes sub-steps 615 to 618 of the postage meter machine, serves to receive and decrypt the fourth encrypted message, to extract at least the identification data and the transmitted third key Kn + 2 Cv + 3 and the transaction data, and to verify the received encrypted message based on the extracted identification data.
  • the above step points to the identification of the completed implementation, in contrast to the positive remote value specification, a further query criterion.
  • the franking machine FM is to receive the fourth crypto message within a predetermined time from the sending of the third crypto message. If the connection was free of interruption, the reception would take place in the predetermined time t1.
  • the last and particularly critical section of the second transaction is monitored for the time t1 being exceeded.
  • the possible manipulation time is thus severely limited.
  • a time count is started in the processor (control unit 6) of the franking machine during the second to last message to be transmitted, after the third crypto message has been sent.
  • the corresponding program section activates a routine which sets a counter, which in turn is decremented by the system clock or its multiple.
  • several counters are cascaded. If the fourth crypto message from the data center reaches the franking machine within the critical time period, the counter is deactivated.
  • a further variant of the invention results if an incremental counter is used instead of a decremental counter. After each counting cycle, the comparison with the number that corresponds to the monitored period must be carried out.
  • Exceeding the time t1 is a sure sign of a failed transmission and causes a special subroutine to be called which prepares and automatically triggers a new execution of the negative remote value specification. In this case, the first and second transactions are repeated automatically with key Kn + 2.
  • the transmitted second key Kn + 2 Cv + 3 and the default value in the franking machine are added to the descending register value R1 and the resulting credit is saved or, if it is not verified or times out, becomes the first Branched back step of the first transaction.
  • the fifth step of the second transaction includes a sub-step (620) of the postage meter machine for resetting the aforementioned special flag N or for returning to the normal mode of the postage meter machine, whereby the aforementioned automatic transaction request is canceled again when the execution of the second transaction has been completed is.
  • the service technician present ensures the continued trouble-free process until the negative remote value specification is completed.
  • At least R1 can be queried and statistically evaluated.
  • the data center decides on the validity of the fund retransfer as a result of the special remote value setting. If no event is reported by the service technician, for example that the negative remote value specification could not be carried out, or if the same franking machine makes no request to reload a positive credit, the validity is assumed.
  • the special flag N set when entering the special mode negative remote value specification was reset when the transaction was successful.
  • the franking machine prevents all frankings with values greater than zero because no more credit is loaded.
  • the franking machine is still ready for frankings with values equal to zero and other operating modes as long as they do not require a credit or as long as no postage is franked and the quantity limit is not reached.
  • the predetermined side entry triggers the transactions in the special mode
  • at least one manual step 302 in the special mode is negative remote value specification after a side entry to enter an identification number (PIN) and to enter the predetermined default request as provided for the positive remote value specification, which is queried in step 303.
  • An additional manual step for temporary entry which is queried in step 603, triggers the second transaction and exits or repeats the first transaction in communication mode or in special mode if the entry time is exceeded.
  • the T key must preferably be pressed within 30 seconds or the entry time has been exceeded.
  • a number of variants with different security levels can also be implemented.
  • a check for transmission of a predetermined default request can be carried out in the data center.
  • the default request - analogous to the remaining amount R1 still available in the descending register in display mode 215 - must be entered and transmitted to the data center. Since the postal register content, but at least R1, is automatically transmitted to the data center for every transaction a negative remote value target for fund retransfer is achieved if the target amount corresponds to the remaining amount.
  • any desired request is agreed as a code with the data center.
  • a zero default request is preferably agreed. If the special mode negative remote value specification is called up within a certain time after the agreement and the ZERO specification request is entered or confirmed as the specification request, the remaining amount R1 is automatically reset to ZERO in the franking machine.
  • a corresponding query step 219 for such a further specific criterion for the franking machine was shown in dashed lines in FIG. This branches to step 220 for setting the special flag N.
  • Manipulation is limited in time by starting time monitoring from sub-step 613 of sending the third crypto message to the data center until the fourth crypto message is received by the franking machine. If the fourth crypto message could not be received within a predetermined time t1, a special subroutine is called which prepares a new execution of the special mode negative remote value specification and triggers it automatically.
  • a special subroutine is called which prepares a new execution of the special mode negative remote value specification and triggers it automatically.
  • the communication continues as long as the aforementioned special flag N is set.
  • the special flag N evaluated as a transaction request, is non-volatile and is stored in a MAC-secured manner against manipulation.
  • the special flag N is only reset in step 620 after the retransfer of the credit has been completed.
  • a third variant security is increased by a combination of different measures.
  • a first communication link is established between the authorized user and the data center for storing a code for registering an authorized action on the franking machine by means of a default request that is transmitted later.
  • the franking machine can now be switched on to carry out an authorized predetermined operating sequence in order to enter a negative remote value specification via a side entry into a special mode.
  • a second communication connection is established between the franking machine and the data center and the input of a default request.
  • a distinguishable logon to the data center takes place if the transmitted request matches a corresponding code.
  • a new code word or security flag and / or operating sequence is transmitted to the franking machine.
  • the security-relevant data is transmitted and its storage in the franking machine is completed.
  • the specification value is added to the remaining credit in the corresponding memory of the franking machine and, in order to check the transaction, in an appropriate memory of the data center.
  • step 209 for deleting a tamper-proof stored security flag X as a result of at least one unauthorized deviation from the predetermined operating sequence or because the franking machine has been tampered with is provided.
  • the franking machine is thus transferred to a first mode in order to effectively put it out of operation for franking (franking mode 400) (step 409), in contrast to the authorized action or intervention.
  • a transfer of a valid operating sequence from the data center to the franking machine becomes superfluous if the operating sequence is changed depending on the time.
  • the same calculation algorithm is used in the data center and in the franking machine to determine a current operating sequence.
  • Another variant is based on the storage of the current operating sequence in the franking machine by means of a special reset E 2 PROM by the service technician.
  • the security is increased by an authorized person by means of an additional input security means which is brought into contact with the franking machine in order to transfer a remaining credit back to the data center.
  • the data center ensures that it is up-to-date by reporting the register status using a zero remote value specification.
  • the service technician then uses a reset read-only memory module (refund EPROM) as input security means in a predetermined base of the at least partially opened franking machine. After switching on or entering the program of the franking machine, it is checked whether a refund EPROM has been used. This can advantageously be carried out in step 219 - shown in FIG. 2 - for checking a further criterion.
  • a correct side entry with a non-available refund EPROM leads to point e or, in a variant not shown, a step to abort the routine.
  • a step 209 can be branched to delete a flag X, which would be noticed in step 409 of the franking mode (FIG. 4) and leads to statistics and error evaluation or registration in step 213.
  • a special flag N is set, which automatically triggers the transfer of the remaining credit to the data center in communication mode.
  • steps 218 and 219 according to FIG. 2 can be reversed in their sequence, so that only after the plugged-in refund EPROM has been asked and only then has the correct side entry been asked for.
  • Such a sub-variant has the advantage that the information about the correct page entry can also be stored in the refund EPROM instead of in the franking machine. This further increases the security against tampering with the intention of forgery.
  • the status of the franking machine (out of service) is stored in the data center.
  • the authorized person removes the input security device from the base and closes the housing of the franking machine.
  • the customer's remaining balance is returned to the customer's corresponding account.
  • the input security means can of course also be implemented as a chip card.
  • the invention is not limited to the present embodiments. Rather, a number of variants are conceivable which make use of the solution shown, even in the case of fundamentally different types.

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Theoretical Computer Science (AREA)
  • Devices For Checking Fares Or Tickets At Control Points (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Detection And Prevention Of Errors In Transmission (AREA)
EP95250286A 1994-12-15 1995-11-21 Procédé pour l'amélioration de la sécurité des machines à timbrer pendant le transfert du crédit Expired - Lifetime EP0717379B1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP00250033A EP0996097B1 (fr) 1994-12-15 1995-11-21 Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit
EP00250032A EP0996096B1 (fr) 1994-12-15 1995-11-21 Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit et dispositif pour la mise en oeuvre du procédé

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE4446667A DE4446667C2 (de) 1994-12-15 1994-12-15 Verfahren zur Verbesserung der Sicherheit von Frankiermaschinen bei der Guthabenübertragung
DE4446667 1994-12-15

Related Child Applications (2)

Application Number Title Priority Date Filing Date
EP00250032A Division EP0996096B1 (fr) 1994-12-15 1995-11-21 Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit et dispositif pour la mise en oeuvre du procédé
EP00250033A Division EP0996097B1 (fr) 1994-12-15 1995-11-21 Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit

Publications (3)

Publication Number Publication Date
EP0717379A2 true EP0717379A2 (fr) 1996-06-19
EP0717379A3 EP0717379A3 (fr) 1998-04-15
EP0717379B1 EP0717379B1 (fr) 2000-10-25

Family

ID=6537174

Family Applications (3)

Application Number Title Priority Date Filing Date
EP95250286A Expired - Lifetime EP0717379B1 (fr) 1994-12-15 1995-11-21 Procédé pour l'amélioration de la sécurité des machines à timbrer pendant le transfert du crédit
EP00250032A Expired - Lifetime EP0996096B1 (fr) 1994-12-15 1995-11-21 Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit et dispositif pour la mise en oeuvre du procédé
EP00250033A Expired - Lifetime EP0996097B1 (fr) 1994-12-15 1995-11-21 Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit

Family Applications After (2)

Application Number Title Priority Date Filing Date
EP00250032A Expired - Lifetime EP0996096B1 (fr) 1994-12-15 1995-11-21 Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit et dispositif pour la mise en oeuvre du procédé
EP00250033A Expired - Lifetime EP0996097B1 (fr) 1994-12-15 1995-11-21 Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit

Country Status (2)

Country Link
EP (3) EP0717379B1 (fr)
DE (4) DE4446667C2 (fr)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19731304B4 (de) 1997-07-14 2005-02-24 Francotyp-Postalia Ag & Co. Kg Verfahren zur Statistikmodusnachladung und zur statistischen Erfassung nach Statistikklassen bei der Speicherung eines Datensatzes
US6058384A (en) * 1997-12-23 2000-05-02 Pitney Bowes Inc. Method for removing funds from a postal security device
DE19818708A1 (de) * 1998-04-21 1999-11-04 Francotyp Postalia Gmbh Verfahren zum Nachladen eines Portoguthabens in eine elektronische Frankiereinrichtung

Citations (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3255439A (en) 1961-07-13 1966-06-07 Gen Res Inc Postage metering system
US4251874A (en) 1978-10-16 1981-02-17 Pitney Bowes Inc. Electronic postal meter system
US4549281A (en) 1985-02-21 1985-10-22 Pitney Bowes, Inc. Electronic postage meter having keyboard entered combination for recharging
US4746234A (en) 1983-07-23 1988-05-24 Francotyp-Postalia Gmbh Relating to postal franking machines
US4760532A (en) 1985-12-26 1988-07-26 Pitney Bowes Inc. Mailing system with postage value transfer and accounting capability
US4785417A (en) 1986-04-28 1988-11-15 Pitney Bowes Inc. Electronic postage meter having an out of sequence checking arrangement
US4811234A (en) 1986-04-10 1989-03-07 Pitney Bowes Inc. Postage meter recharging system
US4812994A (en) 1985-08-06 1989-03-14 Pitney Bowes Inc. Postage meter locking system
US4812965A (en) 1985-08-06 1989-03-14 Pitney Bowes Inc. Remote postage meter insepction system
US4835697A (en) 1984-04-02 1989-05-30 Pitney Bowes Inc. Combination generator for an electronic postage meter
US4864506A (en) 1986-04-10 1989-09-05 Pitney Bowes Inc. Postage meter recharging system
EP0388840A2 (fr) 1989-03-23 1990-09-26 Neopost Industrie Procédé d'augmentation de la sécurité d'une machine à affranchir avec revalorisation à distance
GB2233937A (en) 1989-07-13 1991-01-23 Pitney Bowes Plc Machine incorporating an accounts verification system
US5077660A (en) 1989-03-23 1991-12-31 F.M.E. Corporation Remote meter configuration
EP0516403A2 (fr) 1991-05-29 1992-12-02 Neopost Limited Procédé de télédiagnostique pour machine à affranchir
DE4129302A1 (de) 1991-09-03 1993-03-04 Helmut Lembens Frankiermaschine
US5243654A (en) 1991-03-18 1993-09-07 Pitney Bowes Inc. Metering system with remotely resettable time lockout
EP0576113A2 (fr) 1992-06-26 1993-12-29 Francotyp-Postalia GmbH Procédé et dispositif pour la génération d'une impression de sécurité
DE4224955A1 (de) 1992-07-24 1994-01-27 Francotyp Postalia Gmbh Verfahren und Anordnung für einen internen Kostenstellendruck

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA1263752A (fr) * 1985-08-06 1989-12-05 Michael P. Taylor Dispositif de verrouillage pour compteur postal
US4846506A (en) 1987-09-04 1989-07-11 U.S. Plastics Corporation Quick connect coupling
CH678368A5 (fr) * 1989-03-29 1991-08-30 Frama Ag
US5237506A (en) * 1990-02-16 1993-08-17 Ascom Autelca Ag Remote resetting postage meter
GB2261748B (en) * 1991-11-22 1995-07-19 Pitney Bowes Inc Method of diagnosis in an electrically controlled mechanical device
US5309363A (en) * 1992-03-05 1994-05-03 Frank M. Graves Remotely rechargeable postage meter

Patent Citations (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3255439A (en) 1961-07-13 1966-06-07 Gen Res Inc Postage metering system
US4251874A (en) 1978-10-16 1981-02-17 Pitney Bowes Inc. Electronic postal meter system
US4746234A (en) 1983-07-23 1988-05-24 Francotyp-Postalia Gmbh Relating to postal franking machines
US4835697A (en) 1984-04-02 1989-05-30 Pitney Bowes Inc. Combination generator for an electronic postage meter
US4549281A (en) 1985-02-21 1985-10-22 Pitney Bowes, Inc. Electronic postage meter having keyboard entered combination for recharging
US4812994A (en) 1985-08-06 1989-03-14 Pitney Bowes Inc. Postage meter locking system
US4812965A (en) 1985-08-06 1989-03-14 Pitney Bowes Inc. Remote postage meter insepction system
US4760532A (en) 1985-12-26 1988-07-26 Pitney Bowes Inc. Mailing system with postage value transfer and accounting capability
US4864506A (en) 1986-04-10 1989-09-05 Pitney Bowes Inc. Postage meter recharging system
US4811234A (en) 1986-04-10 1989-03-07 Pitney Bowes Inc. Postage meter recharging system
US4785417A (en) 1986-04-28 1988-11-15 Pitney Bowes Inc. Electronic postage meter having an out of sequence checking arrangement
EP0388840A2 (fr) 1989-03-23 1990-09-26 Neopost Industrie Procédé d'augmentation de la sécurité d'une machine à affranchir avec revalorisation à distance
US5077660A (en) 1989-03-23 1991-12-31 F.M.E. Corporation Remote meter configuration
GB2233937A (en) 1989-07-13 1991-01-23 Pitney Bowes Plc Machine incorporating an accounts verification system
US5181245A (en) 1989-07-13 1993-01-19 Pitney Bowes Plc. Machine incorporating an accounts verification system
US5243654A (en) 1991-03-18 1993-09-07 Pitney Bowes Inc. Metering system with remotely resettable time lockout
EP0516403A2 (fr) 1991-05-29 1992-12-02 Neopost Limited Procédé de télédiagnostique pour machine à affranchir
DE4129302A1 (de) 1991-09-03 1993-03-04 Helmut Lembens Frankiermaschine
EP0576113A2 (fr) 1992-06-26 1993-12-29 Francotyp-Postalia GmbH Procédé et dispositif pour la génération d'une impression de sécurité
EP0578042A2 (fr) 1992-06-26 1994-01-12 Francotyp-Postalia GmbH Procédé pour commander l'impression colonne-par-colonne de l'image d'un timbre postal dans une machine d'affranchissement
DE4224955A1 (de) 1992-07-24 1994-01-27 Francotyp Postalia Gmbh Verfahren und Anordnung für einen internen Kostenstellendruck

Also Published As

Publication number Publication date
EP0996097A2 (fr) 2000-04-26
EP0717379A3 (fr) 1998-04-15
EP0996096A2 (fr) 2000-04-26
DE4446667C2 (de) 1998-09-17
EP0996096B1 (fr) 2006-05-10
EP0996096A3 (fr) 2004-06-16
DE59511048D1 (de) 2006-06-14
EP0996097B1 (fr) 2006-05-03
EP0996097A3 (fr) 2004-06-16
DE59508807D1 (de) 2000-11-30
EP0717379B1 (fr) 2000-10-25
DE4446667A1 (de) 1996-06-20
DE59511045D1 (de) 2006-06-08

Similar Documents

Publication Publication Date Title
EP0969421B1 (fr) Procédé pour l'amélioration de la sécurité des machines à affranchir
EP0762337A2 (fr) Procédé et dispositif pour augmenter la protection contre la manipulation de données critiques
DE3712138B4 (de) Verfahren zum Betrieb eines Frankiermaschinensystems
EP0944027B1 (fr) Machine à affranchir et un procédé pour générer des données valables pour affranchir
DE3040559C2 (fr)
EP0892368B1 (fr) Procédé pour le téléchargement de données statistiques et de recensement en ensembles statistiques lors du chargement des données
DE3712100A1 (de) Frankiermaschinen-botschaft-drucksystem
US6587843B1 (en) Method for improving the security of postage meter machines in the transfer of credit
DE3040549A1 (de) Elektronische frankiermaschine mit mehreren computersystemen
EP1035517B1 (fr) Procédé de protection d'un module de sécurité et ensemble pour mettre en oeuvre ledit procédé
EP1035516B1 (fr) Système pour un module de sécurité
EP1103924B1 (fr) Procédé de protection d'un dispositif contre son fonctionnement avec des articles de consommation non autorisés et dispositif pour la mise en oeuvre du procédé
EP1035518B1 (fr) Ensemble de protection d'un module de sécurité
DE69221538T2 (de) Ferndiagnoseverfahren für Frankiermaschine
DE19534530A1 (de) Verfahren zur Absicherung von Daten und Programmcode einer elektronischen Frankiermaschine
EP1063619B1 (fr) Module de sécurité et procédé pour protection du registre postal contre la manipulation
EP0969420B1 (fr) Procédé pour sécuriser la transmission de données de service à un terminal et dispositif pour la mise en oeuvre de ce procédé
EP1619630A2 (fr) Procédé et dispositif pour rembourser des frais d'affranchissement
EP0717379B1 (fr) Procédé pour l'amélioration de la sécurité des machines à timbrer pendant le transfert du crédit
DE60015907T2 (de) Verfahren und Vorrichtung zur Erzeugung von Nachrichten welche eine prüfbare Behauptung enthalten dass eine Veränderliche sich innerhalb bestimmter Grenzwerte befindet
EP1103923A2 (fr) Procédé pour commander automatiquement des articles de consommation et dispositif pour la mise en oeuvre du procédé
EP0996097A9 (fr) Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit
DE3040532C2 (de) Nachladbare elektronische Frankiermaschine
EP1061479A2 (fr) Dispositif et procédé pour générer un motif destiné à la sécurité
DE69534129T2 (de) Frankiermaschine und Frankiermaschinensystem

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): CH DE FR GB IT LI

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: FRANCOTYP-POSTALIA AKTIENGESELLSCHAFT & CO.

RAP3 Party data changed (applicant data changed or rights of an application transferred)

Owner name: FRANCOTYP-POSTALIA AKTIENGESELLSCHAFT & CO.

PUAL Search report despatched

Free format text: ORIGINAL CODE: 0009013

AK Designated contracting states

Kind code of ref document: A3

Designated state(s): CH DE FR GB IT LI

17P Request for examination filed

Effective date: 19980609

17Q First examination report despatched

Effective date: 19980908

GRAG Despatch of communication of intention to grant

Free format text: ORIGINAL CODE: EPIDOS AGRA

GRAG Despatch of communication of intention to grant

Free format text: ORIGINAL CODE: EPIDOS AGRA

GRAH Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOS IGRA

GRAG Despatch of communication of intention to grant

Free format text: ORIGINAL CODE: EPIDOS AGRA

GRAG Despatch of communication of intention to grant

Free format text: ORIGINAL CODE: EPIDOS AGRA

GRAH Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOS IGRA

GRAH Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOS IGRA

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): CH DE FR GB IT LI

REG Reference to a national code

Ref country code: CH

Ref legal event code: NV

Representative=s name: ROTTMANN, ZIMMERMANN + PARTNER AG

Ref country code: CH

Ref legal event code: EP

REF Corresponds to:

Ref document number: 59508807

Country of ref document: DE

Date of ref document: 20001130

ITF It: translation for a ep patent filed

Owner name: STUDIO JAUMANN P. & C. S.N.C.

ET Fr: translation filed
GBT Gb: translation of ep patent filed (gb section 77(6)(a)/1977)

Effective date: 20010118

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

26N No opposition filed
REG Reference to a national code

Ref country code: GB

Ref legal event code: IF02

REG Reference to a national code

Ref country code: CH

Ref legal event code: PFA

Owner name: FRANCOTYP-POSTALIA AKTIENGESELLSCHAFT & CO.

Free format text: FRANCOTYP-POSTALIA AKTIENGESELLSCHAFT & CO.#TRIFTWEG 21-26#16547 BIRKENWERDER (DE) -TRANSFER TO- FRANCOTYP-POSTALIA AKTIENGESELLSCHAFT & CO.#TRIFTWEG 21-26#16547 BIRKENWERDER (DE)

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20120908

Year of fee payment: 18

Ref country code: CH

Payment date: 20121122

Year of fee payment: 18

Ref country code: FR

Payment date: 20121130

Year of fee payment: 18

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20121120

Year of fee payment: 18

Ref country code: IT

Payment date: 20121123

Year of fee payment: 18

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

GBPC Gb: european patent ceased through non-payment of renewal fee

Effective date: 20131121

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20131130

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20131130

REG Reference to a national code

Ref country code: FR

Ref legal event code: ST

Effective date: 20140731

REG Reference to a national code

Ref country code: DE

Ref legal event code: R119

Ref document number: 59508807

Country of ref document: DE

Effective date: 20140603

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: DE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20140603

Ref country code: IT

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20131121

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FR

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20131202

Ref country code: GB

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20131121