EP0996097A2 - Verfahren zur Verbesserung der Sicherheit von Frankiermaschinen bei der Guthabenübertragung - Google Patents
Verfahren zur Verbesserung der Sicherheit von Frankiermaschinen bei der Guthabenübertragung Download PDFInfo
- Publication number
- EP0996097A2 EP0996097A2 EP00250033A EP00250033A EP0996097A2 EP 0996097 A2 EP0996097 A2 EP 0996097A2 EP 00250033 A EP00250033 A EP 00250033A EP 00250033 A EP00250033 A EP 00250033A EP 0996097 A2 EP0996097 A2 EP 0996097A2
- Authority
- EP
- European Patent Office
- Prior art keywords
- franking machine
- data center
- transaction
- franking
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07B—TICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
- G07B17/00—Franking apparatus
- G07B17/00185—Details internally of apparatus in a franking system, e.g. franking machine at customer or apparatus at post office
- G07B17/00362—Calculation or computing within apparatus, e.g. calculation of postage value
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07B—TICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
- G07B17/00—Franking apparatus
- G07B17/00016—Relations between apparatus, e.g. franking machine at customer or apparatus at post office, in a franking system
- G07B17/0008—Communication details outside or between apparatus
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07B—TICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
- G07B17/00—Franking apparatus
- G07B17/00016—Relations between apparatus, e.g. franking machine at customer or apparatus at post office, in a franking system
- G07B17/0008—Communication details outside or between apparatus
- G07B2017/00153—Communication details outside or between apparatus for sending information
- G07B2017/00161—Communication details outside or between apparatus for sending information from a central, non-user location, e.g. for updating rates or software, or for refilling funds
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07B—TICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
- G07B17/00—Franking apparatus
- G07B17/00185—Details internally of apparatus in a franking system, e.g. franking machine at customer or apparatus at post office
- G07B17/00193—Constructional details of apparatus in a franking system
- G07B2017/00241—Modular design
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07B—TICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
- G07B17/00—Franking apparatus
- G07B17/00185—Details internally of apparatus in a franking system, e.g. franking machine at customer or apparatus at post office
- G07B17/00193—Constructional details of apparatus in a franking system
- G07B2017/00258—Electronic hardware aspects, e.g. type of circuits used
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07B—TICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
- G07B17/00—Franking apparatus
- G07B17/00185—Details internally of apparatus in a franking system, e.g. franking machine at customer or apparatus at post office
- G07B17/00362—Calculation or computing within apparatus, e.g. calculation of postage value
- G07B2017/00419—Software organization, e.g. separation into objects
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07B—TICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
- G07B17/00—Franking apparatus
- G07B17/00733—Cryptography or similar special procedures in a franking system
- G07B2017/0079—Time-dependency
Definitions
- the invention relates to a method for improvement the security of franking machines when transferring credit, especially for fund retransfer to Data center, according to the in the preamble of claim 1 or 3 specified Art.
- a franking machine usually creates an imprint right-justified in a form agreed with Swiss Post, starting parallel to the upper edge of the mail with the content of postage in the postmark, date in Daily stamps and stamp impressions for advertising slogan and if necessary, type of shipment in the election stamp.
- the post value that The date and the type of shipment form the corresponding ones variable information to be entered into the item of mail.
- the post value is usually that of the sender prepaid transportation fee (franking), the one taken from the refillable credit register and at Postage is used.
- a register is opened in the current account procedure Dependence on those made with the post value Frankings only counted up and in regular Intervals, read by a postal inspector.
- a known franking machine has at least one Input means, an output means, an input / output control module, a program, data and in particular the storage device carrying the accounting register, a control device and a printer module.
- a printer module with print mechanics Measures are also taken so that when switched off Condition the print mechanics not for unpaid Imprints can be misused.
- the invention relates to a method for franking machines, which produces a fully electronic impression for franking mail, including printing a Deliver advertising clichés. The result is that only a non-billed valid one when switched on Franking must be prevented.
- a method of controlling the printing a postage stamp image in columns proposed a franking machine EP 578 042 A2, which is separated from each other in graphical Pixel image data converted fixed and variable data during column printing. It would therefore be difficult without great and expensive effort to manipulate the pressure control signal, when printing at a high speed he follows.
- the storage device comprises at least a non-volatile memory device that currently contains remaining credit, which results from that from earlier into the franking machine loaded credit of the respective postage value to be printed is subtracted. The franking machine is blocked, if the remaining balance is zero.
- Known franking machines contain at least one Store three relevant postal registers for total value used (increasing register), still available balance (falling register) and Register for a checksum.
- the checksum is with the sum of the total value used and available credit compared. That is one Verification of correct billing possible.
- a security housing for franking machines which has internal sensors, is from DE 41 29 302 A1 known.
- the sensors are especially with a battery connected switches, which when opening the safety housing to be active to the remaining credit storing memory (falling postal register) by interrupting the energy supply Clear.
- memory falling postal register
- the residual value balance at least partially discharged. But that would be one Inspection disadvantageous, because the residual value which had been paid by the franking machine user, too the amount of this remaining credit must be reloaded however by the above Influences are falsified can. Finally, the description cannot be seen how to prevent a manipulator restores an unpaid remaining balance.
- the password can be obtained through a personal computer MODEM, through a chip card or manually in the Postage meter can be entered. After positive Comparison with one in the franking machine The franking machine will save the saved password Approved.
- a safety module EPROM
- an encryption module separate microprocessor or program for FM CPU based on DES or RSA code provided the one the postage value, the subscriber number, a transaction number and similar comprehensive identification number generated in the franking stamp. With enough criminal energy could also be a password researched and owned together with franking machine of a manipulator.
- a manipulation is found, the franking machine during remote inspection via modem a signal emanating from the data center is blocked. Skillful manipulation could on the other hand consist of producing after billing Franking imprints, the flag and the registers to restore it to its original state. A such manipulation would be via remote inspection by the Data center not recognizable if this reverses manipulation before the remote inspection. Also the receipt of the postcard from the data center which is a franking to be made for inspection purposes the manipulator is allowed to Franking machine in sufficient time in the original Reset state. So that's still no higher security can be achieved.
- a security imprint in accordance with FP's own European patent application EP 576 113 A2 provides symbols in a marking field in the franking stamp which contain cryptified information. This allows the postal authority, which interacts with the data center, to identify manipulation of the franking machine at any point in time from the respective security imprint.
- a current control n is such provided with a security imprint of mail ting via appropriate security markings in the stamp image technically possible, but this means an extra effort in the post office. In the case of a control based on random samples, however, manipulation is usually only detected late.
- a franking machine is known from US Pat. No. 4,785,417 a program sequence monitoring known. The correct one The course of a larger program is carried out using a Special codes assigned to each program section checked that when the program part was called in a specific memory cell is stored in RAM. It is now checked whether the in the aforementioned Memory cell stored code in the currently running Program part is still available. Would at one Manipulation of the run of a program part interrupted and another part of the program is running such control question an error can be found. The comparison can only be carried out in the main process become. Secondary processes, for example security-relevant Calculations made by several main processes can be used by such monitoring but not checked for the execution of the program part because the program control is independent of the The program runs.
- Another type of expected manipulation is that Reloading the franking machine register with a not billed credit value. This results in the requirement secure reloading.
- An additional Safety measure is the comparison according to US 4,549,281 an internal one in a non-volatile register stored fixed combination with an entered external combination, after a number of failed attempts, i.e. Non-identity of the combinations that Franking machine using escapement electronics is blocked. According to US 4,835,697 can prevent unauthorized access to the franking machine the combination can always be changed.
- From US 5,077,660 is also a method for Change in the configuration of the franking machine is known, the franking machine by means of suitable input Using a keyboard from the operating mode to a configuration mode switched and a new meter type number can be entered, which of the desired number corresponds to characteristics.
- the franking machine generates a code for communicating with the computer Data center and the entry of the identification data and the new meter type number in the aforementioned computer, which also has a corresponding code for transmission and input generated in the franking machine, in the two code are compared. If they match with both codes the franking machine is configured and switched to the operating mode.
- the data center has thereby of the respectively set meter type for the corresponding franking machine always accurate records.
- security is solely from encryption the transmitted code depends.
- EP 388 840 A2 is a comparable one Safety technology for setting one Postage meter is known to get this from data clean without the franking machine going to the manufacturer must be transported.
- the Security solely from the encryption of the transmitted Code dependent.
- the transactions are known from US 4,811,234 encrypted and the registers of To query the franking machine and the register data of the Data center to transmit a temporal reference the reduction in the right of disposal stored in the register Amount.
- the franking machine at the data center when a preset threshold is reached is by means of its encrypted register content.
- the data center is modified by appropriate ones
- Authorization signals the desired franking amount, up to which postage can be paid.
- the encryption is the only security against a manipulation of the register status. So if a manipulator properly the same amount loads at the same time intervals, but in the meantime with the manipulated franking machine franked much higher amount than he paid the data center found no manipulation.
- the franking machine communicates according to GB 22 33 937 A and US 5 181 245 the franking machine periodically with the data center.
- the franking machine permits a blocking means Expiration of a predetermined time or after a predetermined time Number of operation cycles, block and provides a warning to the user.
- To unlock an encrypted code must be entered from the outside which is encrypted with an internally generated Code is compared.
- the warning coincides with the blocking of the Franking machine takes place without the user Possibility to act accordingly in time to change.
- a franking machine is known from US Pat. No. 5,243,654. where the current delivered by clock / date block Time data compared with stored decommissioning time data become. Is the saved shutdown time reached by the current time, the Franking machine deactivated, i.e. printing prevented.
- the franking machine When connecting to a Data center, which the accounting data from the reading the rising register, the franking machine an encrypted combination value is transmitted and set a new deadline, causing the franking machine is made operational again.
- the Amount of consumption representing the postage used contains summed and read from the data center is also part of the encrypted transmitted Combination value. After decryption of the combination value becomes the total consumption amount separated and with that stored in the franking machine Amount of consumption compared.
- a postal treatment system is included Postage transfer and billing capability known.
- Information is sent to the data center via Telephone using the touch tone common in the USA Procedure transmitted. By pressing one The operator can press the corresponding key on the telephone transfer a digit.
- Information from the data center are sent to the operator using a computer voice which transfers the transferred values into the Franking machine must enter.
- For fund transfer is the transfer of a negative postal Funds to a postal device in a first step Establishing communication with a central station intended. The central station monitors the Total amount of mail (residual value credit) that is in the Postal device is stored.
- a second step the central station is supplied with information related to a desired change, to reduce the total amount of postage, which is available in the aforementioned postal device, and with a clear identification regarding the aforementioned Postal device.
- a third step involves Receive from the central station and input one first unique codes in the aforementioned postal device, where the input is operated to the total on postage values stored in the postal device, to reduce in accordance with the aforementioned desire.
- the fourth step is generating one provided second unique codes in the postal device, when the first unique code is entered into the postal device , the second unique code is a Indication so that the aforementioned postage value, which is available for printing on the post, has been reduced in the aforementioned postal device.
- the task was to solve a process for Improve the security of franking machines too create and a significant increase in security to ensure when transferring credit.
- the solution according to the invention is based on the one hand on the Realization that only centrally in a data center stored data sufficient before manipulation can be protected.
- a significant increase in Security and synchronicity in the stored data is predetermined by reporting data before each Action on the franking machine reached. Likewise increases that in more or less large intervals reports, especially for reloading a Credit in connection with the above Logging the security against possible manipulation.
- the data to be stored centrally include at least Date, time, identification number of the franking machine (ID number or PIN) and the type of data (e.g. Register values, parameters) if the franking machine starts communication with the data center.
- ID number or PIN identification number
- the type of data e.g. Register values, parameters
- the control unit of the franking machine checked whether with predetermined actuating means defined procedure for entering the site Special mode for negative remote value specification made and a predetermined timing during the negative Remote value specification was complied with, and if so further steps for automatic execution of communication must be carried out in order to Retransmission to complete if the previous ones Steps to execute a negative remote value specification interrupted or faulty to the franking machine encrypted data was transmitted.
- communication takes place between Franking machine and data center with at least encrypted Messages, preferably the DES algorithm is used.
- the franking machine thus points to the task at least two special modes.
- a first fashion is provided to deal with fraudulent acts or Intention to manipulate the franking machine at franking with postage values to prevent (kill mode). This inhibition can be carried out at the next inspection on site by of an authorized person.
- the Postage meter has another fashion to The franking machine fulfills selected criteria for automatic communication with the To initiate data center. With such a Another fashion is according to the invention Special mode negative remote value transmission or by one second (sleeping) mode. After completing the special mode is only for checking the franking machine a limited number of ZERO frankings possible. If the intended number of pieces is used up, automatic communication with the Data center triggered, which is thus informed and learns relevant register data. The franking machine is inhibited in sleeping mode. By the interaction of at least two aforementioned modes security in the handling of credit, which are loaded into or out of the franking machine Data center are to be retransmitted fraudulent manipulation.
- An authorized operator of the franking machine preferably the service technician leads to the side entrance a negative remote value specification in the special mode predetermined operating action, which in addition to Service technicians only known to the data center is.
- a special flag is set, which as special transaction request is evaluated.
- the time is also monitored by the Data center when a transaction in special mode negative remote value specification is made.
- the Register data of the franking machine are central can be checked if a connection to the A remote value specification is carried out, for example to top up a credit. Either takes if the transaction has not been completed, the franking machine automatically reconnects to the To complete the transaction or the authorized Service technician hands over to the data center by End of day a message about the current status the franking machine for the purpose of canceling the im Special mode negative remote value mode transmitted data. Otherwise the time monitoring on the part of Data center after the predetermined time period has expired, a recognition of the negative in special mode Remote value specification transmitted data.
- security is achieved by a check of the operating sequence for compliance with a predetermined operating sequence in the franking machine and by checking the default request in the data center in accordance with one stored there Code for a predetermined default request elevated. It is possible to change the operating sequence depending on the time to change, being in the data center and in the Franking machine the same calculation algorithm is used to create a current operating sequence determine. A transfer of a valid operating sequence from the data center to the franking machine it becomes superfluous.
- the security is through a combination of a number of measures increases.
- a first transaction is distinguishable Log in to the data center. This is transmitted in
- a new security flag X and / or a predetermined operating procedure for a side entry in the special mode negative remote value specification for Postage meter if the postage meter machine is switched on normally was and the communication link records in a first transaction a predetermined Default request in the data center and in the franking machine has been saved.
- the transmitted default request corresponds to a predetermined default request.
- the registered transaction is carried out and a default value according to the default request in the corresponding memory of the franking machine and also to check the transaction in one corresponding memory of the data center added.
- the service technician For a side entry into the special mode negative The service technician must specify the remote value for the operating sequence while the franking machine is switched on as it was transmitted from the data center, be carried out, i.e. at the same time as switching on a certain key combination has to be pressed.
- the solution according to the invention also assumes that the funds stored in the franking machine protected against unauthorized access have to. Adulteration in the franking machine stored data is so difficult that the effort for a manipulator is no longer worth it.
- MAC message authentication code
- MAC message authentication code
- DES Data Encryption Standard
- the procedure to improve the security of a Franking machine, which is used for communication with a remote data center is capable and a microprocessor in a control device of the franking machine also includes forming one Checksum in the OTP processor about the content of the external Program memory and comparison of the result with a predetermined value stored in the OTP processor before and / or after the franking mode or operating mode has expired, especially during initialization (i.e. when the franking machine is started), or at times when there is no printing (i.e. when the franking machine is operated in standby mode). In the event of an error, logging and subsequent blocking of the franking machine.
- a decremental Counter or an incremental counter is used to an exceeding of the time t1 in the special mode as on sure indication of a failed transmission too detect and that a special subroutine is called, which means that the Special mode negative remote value specification prepared and automatically triggers so the first and second Transaction will be repeated automatically.
- security is ensured an additional input security means increased, which brought into contact with the franking machine is to get a remaining balance from an authorized Transfer person back to the data center.
- Figure 1 shows a block diagram of each Franking machine according to the invention with a printer module 1 for a fully electronically generated franking image, with at least one of several actuators having input means 2, a display unit 3, and communication with a data center manufacturing MODEM 23, which has an input / output control module 4 coupled to a control device 6 and with a non-volatile memory 5 or 11 for the variable or the constant parts of the Franking image.
- a character memory 9 supplies the necessary print data for a volatile working memory 7.
- the control device 6 has a microprocessor ⁇ P which with the input / output control module 4, with the character memory 9, with the volatile memory 7 and with the non-volatile memory 5, with a Cost center memory 10, with a program memory 11, with the motor of a transport or feed device if necessary with stripe release 12, an encoder (Coding disk) 13 and with a clock / date module 8 communicates.
- the individual stores can be in several physically separate or in summarized in a few modules, not shown be realized by at least one additional measure, for example sticking on the PCB, sealing or potting with epoxy resin, are secured against removal.
- FIG. 2 shows a flow chart for a franking machine with a security system according to a preferred one Variant of the solution according to the invention shown.
- Start 100 is then within a start routine 101 a functional test with subsequent Initialization done.
- This step also includes several - in FIG. 7 illustrated in more detail - sub-steps 102 to 105 for Storage of a security flag or code word.
- a step 103 if according to step 102 new security flag X'in another predetermined one Storage location E of the non-volatile memory 5 exists, this new security flag X 'in the Memory location of old security flag X copied, if there is no longer a valid safety flag X there saved.
- the security flag X be deleted (kill mode). If not a valid one Security flag X is stored more can in Franking mode 400 no more postage value can be printed. If no action is taken, no new code word is transmitted been. In this case it is not copied and after Step 104 remains the old security flag X in Get memory.
- Step 104 remains the old security flag X in Get memory.
- the system routine 200 comprises several steps 201 to 220 of the security system.
- step 201 the Calling up current data, which is linked below with the invention for a second fashion, namely for the sleeping mode is executed.
- step 202 it is shown in step 202 whether the Criteria for entering sleeping mode met are. If this is the case, the process branches to step 203, by at least one warning by means of the display unit 3 display. According to the above In any case, steps will the point t reached.
- Step 217 the aforementioned security flag X deleted.
- the safety flag X also act as a MAC-secured security flag, as well as an encrypted code.
- the verification the security flag X is valid, for example in step 409 of a franking mode 400 using a selected checksum procedure within a OTP processor (ONE TIME PROGRAMMABLE) carried out, the internally the corresponding program parts and also the code for forming a MAC (MESSAGE AUTHENTIFICATION CODE), which is why the The manipulator does not manipulate the type of checksum procedure can understand.
- step 217 where a relevant deficiency identified and the safety flag X was deleted in step 209, the point e, i.e. the start of a communication mode 300 is reached and in a - shown in Figures 2 and 3a - Step 301 queries whether a transaction request is present. If this is not the case, the Leave communication mode 300 and point f, i.e. operating mode 290 reached. Have relevant data transmitted in communication mode, then is to To branch data evaluation to step 213. Or otherwise if in step 211 the non-transmission step 212 is determined branch. Now it is checked whether appropriate Inputs have been made to test request 212 in test mode 216, otherwise at intended registry check 214 into one Display mode 215 to enter. Is not that the case, the point d, i.e. the franking mode 400 reached.
- the point d i.e. the franking mode 400 reached.
- step 213 becomes Statistics and error evaluation achieved.
- step 213 enters display mode 215 and then branched back to the system routine. Locking can thus advantageously take place by the branching on the franking mode 400 no longer executed becomes.
- Step 213 carried out a statistical and error evaluation to get more current data, which after branching to system routine 200 in Step 201 can also be called, for example for a aforesaid second fashion or another Special fashion.
- Step 217 In the event of an authorized operation, the - in of FIG. 2 - step 217 recognized that none prohibited side entry was carried out. On allowed side entry for another entry was carried out, is not shown in Figure 2 been shown. However, such a removal criterion is also provided for example in Step 212 to determine whether an operator action was made to get into a test mode. With the allowed side entry, which is not the right one Side entry for the special mode of a negative Remote value specification for the purpose of transferring funds back from Postage meter to the data center becomes a point The system routine 200 branches. Otherwise when entering the correct side to step 220 branches to a special flag for entry into the To set special mode.
- Step 219 possibly a further query step 219 before the Step 220 provided to go with another criterion security against unauthorized access to the Special mode to increase further, if not of the criterion to point e of system routine 200 is branched.
- the one in FIG query step 219 shown such another Query criterion whether the identification number (ID no. or PIN) was entered. Through the side entrance the security is already high enough so that in the interest of easier operation such additional additional criteria queries too can be dispensed with.
- the special flag set in step 220 N also a MAC-secured for the special mode Flag N is.
- Security is additionally checked in the data center increased whether a predetermined Default request transmitted by the franking machine has been. It is envisaged that the transmitted Requirement specified in the data center as code to perform a very specific transaction.
- the transmitted default request can be in the data center be used as a code for a fund retransfer to allow. Otherwise, the transmitted Default request in the data center as code be evaluated, a transfer for a security flag To allow X or for an X code word.
- FIGS. 3a and 3b show the Security processes of those in communication mode Franking machine on the one hand and the security processes the data center in communication mode on the other hand.
- the user selects the communication or remote value default mode the franking machine by entering the Identification number (eight-digit postage call number) on. It is now assumed, for example, that the Fund transfer back to the amount in the franking machine remaining residual value. Here the descending register is queried first R1, which contains the residual value saved. After the franking machine is switched off, the Reactivate a side entry into the special mode performed. After entering the identification number the entry is made with the Teleset key confirmed and the default request in the amount of the previously queried residual value entered. Through the side entrance the default request is automatically closed subtracting default value. The default request is activated by pressing the Teleset key (T key) approved.
- T key Teleset key
- FIG. 3a That part of the communication is shown in FIG. 3a represented a transaction with unencrypted Messages is made. Still, these can Messages contain data which are secured by MAC, for example the identification number of the franking machine.
- step 302 an input of the identification number (ID no.) And the intended input parameters done in the following way.
- ID no. it can the serial number of the franking machine
- the input parameter is a combination of numbers which in the data center is understood as a request, for example a new security flag or code word X 'to be transmitted if previously an authorization has been caught up. If the above is entered incorrectly
- the display can be input parameters by pressing a C key.
- the data center Only through the previous notification, for example by means of a separate call to the data center or another form of communication, the data center notified that a new security flag X ' to be transmitted to the franking machine if then within a predetermined period of time on the part of the franking machine a transaction for the Value zero is started.
- the request for intervention only applies then as posed if after registering one authorized intervention in the franking machine in such a way agreed communication mode occurs.
- any other input parameter agreed with the data center takes place upon entry this input parameter except the transmission of a new security flags X 'according to the pre-agreed Codes of by the predetermined default request a reload of the credit is also formed according to the entered default value in the result a second transaction.
- the Modification of the input parameter via MODEM connection started.
- the input is checked (step 303) and the further process runs automatically, the process accompanied by a corresponding ad.
- the franking machine checks whether a MODEM is connected and is ready for use. Isn't that Case, a branch is made to step 310 to indicate that the transaction requests are repeated got to. Otherwise the franking machine reads the selection parameters, consisting of the selection parameters (Main / extension, etc.) and the telephone number the NVRAM memory area F and sends it with a Dial request command to the modem 23. Then the connection setup required for communication takes place via the MODEM 23 with the data center in a step 304.
- Step 501 is constantly checked whether there is a call in the Data center is done. If so, and that MODEM 23 has dialed the opposite side, takes place in Step 502 parallel the connection establishment also in the Data center. And in step 503 it is constantly monitored whether the connection to the data center was broken has been. If this is the case, an error message appears in step 513 a branch back to step 501.
- the step in the franking machine 305 monitors whether communication errors have occurred and optionally branched back to step 304 to on the part of the franking machine the connection again build up.
- a predetermined number n unsuccessful Redials to establish a connection via a display step 310 to point e branched back.
- the step 307 branches to an opening message or identification, leader or register data to send.
- the subsequent step 308 the same check as performed in step 305, i.e. in the event of a communication error branched back to step 304. Otherwise an opening message from the franking machine sent the data center.
- the Postage call number to announce the caller, i.e. the franking machine included in the data center.
- This opening message is in the data center in Step 504 checked for plausibility and on evaluated by then again in step 505 it is checked whether the data is transmitted without errors have been. If this is not the case, a Back to the error message in step 513.
- the data is error-free and in the data center it is recognized that the franking machine is a Has made requests for reloading, then in step 506 a reply message to the franking machine as a leader Posted.
- step 507 it is checked whether in Step 506 including the header message Leader end has been sent. But it is not if so, the process branches back to step 513.
- step 309 it is checked in step 309 whether from the data center now a leader as Reply message was sent or received. Is if not, will be displayed on the step 310 branched back and then on again Transaction requests queried in step 301.
- Has been received a leader and has the franking machine received an OK message a occurs in step 311 Checking the preload parameters with regard to a Change phone number. If an encrypted parameter no phone number change has been transmitted before and it goes to step 313 in the Figure 3b branches.
- the safety processes are shown in FIG. 3b the one in communication mode Franking machine and parallel to that in the Data center.
- step 313 the franking machine sends the Data center sent a start message encrypted.
- step 314 the communication error message checked. There is a communication error the process branches back to step 304 and it another attempt is made to connect to the data center build up to encrypt the start message to send.
- This encrypted start message is sent from the data center received if at step 506 the header message had been sent completely and in step 507 the leader end has been communicated.
- the Step 508 checks in the data center whether this has received the start message and the data in Are okay. If not, the crotch 509 checks whether the error can be remedied. Is the Error cannot be corrected, go to step 513 branches after an error message from the Data center DZ to the FM franking machine in step 511 was transmitted. Otherwise, in step 510 performed an error handling and on the step 507 branches.
- the data center begins to detect data perform a transaction in step 511. in the aforementioned example will be at least the identification number by means of an encrypted message to the Transfer franking machine, which in step 315 the Transaction data received.
- step 316 the data is checked. If there is an error, the method branches back to step 310. Otherwise it takes place in the data center in Step 512 storing the same above Data like in the franking machine. In step 318 the transaction with the in the franking machine Data storage completed. Then becomes Step 305 branches back. Shouldn't be another Transaction is performed, step 310 is displayed and then reached step 301.
- step 211 If no transaction request is made, will in step 211 according to FIG. 2 checks whether data have been transmitted. If data has been transmitted, step 213 is reached. According to the input request the franking machine places the current one Default request or the new code word Y 'or others Transaction data, for example in the memory area E the non-volatile memory 5.
- an input parameter in step 302 is a entered a combination of numbers other than zero and the Entry was OK (step 303)
- a connection is established (Step 304).
- Step 305 a connection is established (Step 306), an identification and leader message sent to the data center.
- the opening message is again also the postage call number PAN to identify the franking machine included in the data center.
- the data center recognizes from the entered number combination, if the data is error-free (step 505), that in the Franking machine, for example, a credit with a Default value should be increased.
- step 506 the data center a reply message with the elements change the phone number and current phone number are unencrypted Posted.
- the franking machine that this Receives message recognizes in step 311 that the phone number should be changed. Now it becomes a step 312 branches to the current phone number to save.
- step 304 branched back. Is the connection still established and a communication error does not exist (305), is Step 306 then checked to see if there was another Transaction should take place. If that is not the case, the method branches to step 301 via step 310.
- the transmission of the telephone number can also be MAC-secured respectively.
- the franking machine After saving the current phone number the franking machine automatically builds a new one Connection to the data center with the help of new phone number.
- the default request is thus automatic, i.e. without one further intervention by the user of the franking machine, carried out.
- a Communication can be a phone number storage, as also a credit reload or fund retransfer include. Without interrupting communication so multiple transactions are carried out.
- a successful transaction runs as follows: The franking machine sends your ID number and one Default value for the amount of the desired Reload credit together with a MAC to the Data center. This checks such a transmitted Message against the MAC, then also a MAC-secured OK message to the franking machine send. The OK message does not contain the default value more.
- At least one encrypted message to the data center as well Franking machine transmitted is only in the encrypted message of the first transaction contain. Every transmitted message, which security-relevant Transaction data is encrypted.
- an encryption algorithm for the encrypted messages is, for example, the DES algorithm intended.
- a transaction request results in the franking machine to a specially secured credit reload.
- the outside of the processor is secured in the cost center memory 10 postal register also during the credit reload using a time control.
- the communication and Billing routines not within a predetermined one Time is running out. If so, i.e. who need routines considerably more time, becomes part of the DES key changed.
- the data center can do this modified key during a communication routine determine with register query and then report the franking machine as suspect as soon as in accordance with Step 313 an encrypted start message is sent becomes.
- step 509 determines that the error cannot be remedied.
- the data center cannot then carry out a transaction (step 511), because branching back to step 513.
- step 310 opens up branched back to step 301 for a display to recheck whether a transaction request continues is provided.
- Safety sets in the event of an authorized intervention ahead, the reliability of the authorized person (Service, inspector) and the possibility of their presence to check. Control of the seal and checking the register status during an inspection the franking machine and regardless of the data in the data center then provides verification security. The control of the franked postal items under Inclusion of a security imprint provides one additional security of verification.
- the franking machine performs regularly and / or at Switch on the register check and can thus Detect missing information if in the machine intervened unauthorized or if this is unauthorized had been served. The franking machine will then blocked. Without the invention in connection with a security flag X the manipulator would Clear blockage easily. But that's how it works Security flag X lost and it would Manipulator cost too much time and effort, the valid one MAC-secured security flag X or code word Attempts to determine. In the meantime, that would be Franking machine long ago in the data center as suspect registered.
- a suitable processor type is, for example, the TMS 370 C010 from Texas Instruments, which has a 256 bytes E 2 PROM. This allows security-relevant data (keys, flags, etc.) to be stored in the processor in a tamper-proof manner.
- the franking machine is converted into the first mode is effective with franking with a Postage value prevented.
- the potential manipulator of a franking machine must overcome multiple thresholds, which of course a certain Time required. Takes place at certain intervals no connection from the franking machine the franking machine becomes the data center already suspect. It can be assumed that the one who tampered with the franking machine commits himself hardly at the data center again will report.
- the error register are, for example, with the help of a special Service EPROM can be read out, which replaces the Advert EPROM is inserted. If on this EPROM slot is not accessed by the processor usually access to the data lines special - not shown in FIG. 1 - Driver circuits prevented. The data lines, which can be reached here through a sealed housing door can not be contacted without authorization become. Another variant is the reading out of Error register data through an interface connected service computer.
- the registers of the franking machine become intervening queried to determine the type of intervention required determine. Before intervening in the franking machine and the housing is opened, there is a separate one Call the data center. Then inside a predetermined period of time the default value to zero changed and become the data center in the context of a transaction transmitted, i.e. the type of intervention and the Register data was communicated to the data center, was done a transmission of data from a data center to the franking machine according to one requested Authorized intervention in the franking machine, which is logged as an allowed intervention.
- the franking machine is able to differentiate between requested authorized and unauthorized Intervention in the franking machine by means of the control unit the franking machine in connection with the of the data center transmitted data, with unauthorized Intervention in the franking machine this intervention is logged as an error, but after authorized intervention in the franking machine the original operating state by means of the aforementioned transmitted data is restored.
- the old MAC is secured loaded from the NV-RAM 5 and with the newly determined MAC-secured checksum compared in the OTP.
- the security against manipulation is in a another variant for a kill mode 2 the checksum in the processor about the content of the external program memory PSP 11 formed and the result with an im Processor stored predetermined value compared. This is preferably done in step 101 if the Franking machine is started, or in step 213, when the franking machine is operating in standby mode becomes. Standby mode is reached when a predetermined time no input or print request he follows. The latter is the case if one is in itself known - not shown - letter sensor no next envelope determines which one to be franked.
- the - shown in Figure 4 - Step 405 in franking mode 400 therefore includes another further query after a time lapse or after the Number of passes through the program loop, which ultimately corresponds to the input routine Step 401 leads. If the query criterion is met, a standby flag is set in step 408 and directly branched back to system routine 200 at point s, without the billing and printing routine in step 406 is run through. The standby flag will appear later in the Step 211 queried and after the checksum check reset in step 213 if no manipulation attempt is recognized.
- the query criterion in step 211 is increased by the Question extended whether the standby flag is set, i.e. whether the standby mode is reached.
- the standby flag is set, i.e. whether the standby mode is reached.
- a preferred variant is in those already described Way to clear the security flag X if a Manipulation attempt in standby mode on the aforementioned Has been determined in step 213.
- the specially secured special flag N can also be in the Step 213 should be checked, especially if it is MAC secured is by the flag content with the MAC content is compared.
- the absence of the security flag X will recognized in query step 409 and then on the step 213 branches.
- the advantage of this procedure in Connection with the first mode is that the Manipulation attempt statistically recorded in step 213 becomes.
- FIG. 4 shows the flow chart for the franking mode according to a preferred variant.
- the invention goes assume that the Postage value in the imprint according to the last one Entry before switching off the franking machine and the date in the day stamp according to the current one Date specified that the variable data in the fixed data for the frame and for all associated data that remain unchanged be electronically embedded.
- the number strings (sTrings) that are used to generate the Input data with a keyboard 2 or via one connected to the input / output device 4, the Postage calculated electronic scale 22 entered are automatically stored in memory area D of the non-volatile memory 5 stored. Moreover there are also records of the sub-storage areas, for example Bj, C etc. This ensures that the last input values even when the Franking machine remain intact so that after switching on automatically the postage value in the value print accordingly the last entry before switching off the Franking machine and the date in the day stamp accordingly the current date. If a scale 22 is connected, the postage will be off taken from memory area D. In step 404 waited until one is currently saved. If a new input request is made in step 404 the method branches back to step 401.
- step 405 is branched to Wait for print output request.
- a letter sensor the letter to be franked is detected and thus triggering a print request.
- step 406 the billing and printing routine in step 406 be branched.
- Step 405 goes to step 301 (point e) branched back.
- a communication request can be made at any time or another entry according to the Steps test request 212, register check 214, Input routine 401 are made.
- a further query criterion can be made in step 405 are queried in order to obtain a standby flag in step 408 set if none after a predetermined time Print request is pending.
- the standby flag can be in the communication mode 300 following step 211 are queried. This does not branch to franking mode 400, before the checksum check is complete result in all or at least selected programs Has.
- Step 409 Presence of a valid security flag X or a corresponding MAC-secured flag X, the Reaching a further quantity criterion and / or in Step 406 for billing in the known manner queried register data.
- the predetermined number of pieces at the previous one Franking used i.e. Number of pieces equal Zero is automatically branched to point e in order to Communication mode 300 to enter so that from the Data center a new predetermined number of pieces S again is credited.
- the predetermined number of pieces is not yet consumed, is from step 410 to Billing and printing routine branches in step 406.
- the number of letters printed, and the current one Values in the postal registers are made according to the entered cost center in the non-volatile memory 10 of the franking machine in a billing routine 406 registered and are available for later evaluation to disposal.
- a special sleeping mode counter is used during those immediately before printing Billing routine causes a counting step to continue.
- the register values can be displayed 215 if necessary be queried. It is also provided that Register values with the print head of the franking machine Print out billing purposes. For example as well as in the German one Laid-open specification P 42 24 955 A1 becomes.
- Another variant also provides that also variable pixel image data during printing be embedded in the remaining pixel image data. Corresponding the position report provided by encoder 13 about the feed of the postal items or Strips of paper in relation to the printer module 1 the compressed data from the working memory 5 read and using the character memory 9 in one converted binary image printed image, which is also in such decompressed form in volatile memory 7 is stored. Closer Executions are the European applications EP 576 113 A2 and EP 578 042 A2 can be removed.
- the pixel memory area in the pixel memory 7c is thus for the selected decompressed data of the fixed Parts of the franking image and for the selected decompressed ones Data of the variable parts of the franking image intended.
- the actual Print routine (at step 406).
- the Pixel memory 7c is on the output side to a first one Input of the printer controller 14 switched to the further control inputs, output signals of the microprocessor control device 6 concerns. Are all columns of a printed image is printed again System routine 200 branches back.
- FIG. 5 shows the process with two transactions for reloading with a credit value, preferably shown in simplified form with a zero credit value.
- a zero remote value specification always comprises two Transactions.
- the first transaction of communication with the Data center DZ includes the notification of a predetermined default request.
- a ZERO default request suitable.
- Such leads during a second transaction at a NULL default value at Descending register value can be added without the Change the value of the remaining credit.
- the first step in a first transaction includes after entering the communication mode (positive remote value specification or teleset mode) one Sub-step 301 to check for a set Transaction requests and further sub-steps 302 to 308 for entering the identification and others Data to establish the communication link and to communicate with unencrypted data in order at least identification and transaction type data to transfer to the data center.
- the communication mode positive remote value specification or teleset mode
- a first step of the first Transaction sub-steps 301 to 308 of the franking machine includes to establish the connection, for communication with unencrypted data and at least Identification, transaction type and other data to transfer to the data center.
- the transaction type data (1 byte), includes the message to the data center DZ below the teleset mode for one Desired positive remote value specification with the identified Franking machine.
- a second step of the first transaction involves Sub-steps 501 to 506 in the data center to Receive the data and check the identification the franking machine and for transmitting one unencrypted ok -Message to the franking machine.
- the second step of the first transaction also includes Sub-steps to deal with incorrect unencrypted messages 505 via a sub-step 513 for Error message on a sleep point q in the sub-step To branch 501 in the data center until the Communication from a franking machine again is recorded.
- a third step involves the first transaction Sub-steps 309 to 314 of the franking machine, for Formation of a first encrypted message Crypto cv by means of a stored in the franking machine first key Kn and for the transmission of encrypted Data on the data center, including at least the default request, identification and postal register data.
- the security measures includes this encrypted message too Data in the form of CRC data (cyclic redundancy check data).
- CRC data cyclic redundancy check data
- the default request, the identification, Postal register and other data, such as a Checksum (CRC data) are in one with the DES algorithm encrypted message transmitted;
- a fourth step of the first transaction the sub-steps 507 to 511 in the data center to receive and decrypt the first encrypted Notification provided.
- An exam for Decryptibility is determined by means of a Data center stored key performed. If successful, a calculation is made in the data center to form a second key Kn + 1, corresponding to that used by the franking machine Key. Then a second is encrypted Message crypto Cv + 1 formed which at least the aforementioned second key Kn + 1, the Contains identification and transaction data, again the DES algorithm for encryption is being used. In conclusion is a transfer of the second encrypted message crypto Cv + 1 Postage meter provided.
- Additional sub-steps are used to help you determine of irreversibly incorrect encrypted messages in sub-step 509 via a sub-step 513 Error message on a hibernation in the 501 Data center to branch out until communication is resumed by a franking machine.
- Sub-steps are also provided in order to Sub-step 509 detected incorrect encrypted Notices but with correctable errors a sub-step 510 for canceling the previous one Transaction and then to step 511 in the Branch data center.
- This sub-step serves to form a second key Kn + 1, which for Franking machine should be transmitted encrypted, to form a second encrypted message crypto Cv + 1 and to transfer the encrypted Message about the franking machine.
- the fourth step of the first transaction is a sub-step 512 of the data center for storing the default request from which to the first sub-step 701 of the second Step of the second transaction is branched to the first key Kn as the previous key and the second key Kn + 1 as successor key to save.
- a fifth step of the first transaction which comprises sub-steps 315 to 318 of the postage meter machine, serves to receive and to decrypt the second encrypted message, to extract at least the identification data and the transmitted second key Kn + 1 Cv + 1 , and to verify the encrypted received Notification based on the extracted identification data. Upon verification, the transmitted second key Kn + 1 Cv + 1 and the default request are stored in the franking machine. Otherwise, if not verified, the process branches back to the first step of the first transaction.
- a second transaction which is preferably through an additional manual Entry in step 602 is triggered.
- This temporary entry is triggered the second transaction or leaving the second transaction in communication mode if the Entry time is exceeded.
- the T key are actuated within 30 seconds or the Entry time is exceeded and it becomes the first Branched back step of the first transaction.
- the Communication can now be omitted as required be repeated.
- a first step of the second transaction comprises sub-steps 602 to 608 of the franking machine for communication with unencrypted data to connect to build up and at least identification and Transmit transaction type data to the data center.
- a second step of the second transaction the sub-steps 701 to 706 of the data center is for Receive the data and check the identification the franking machine and for transmitting one unencrypted ok -Message to the franking machine intended. It is also contemplated that the second Step of the second transaction includes sub-steps to in the case of incorrect unencrypted messages 705 via a sub-step 513 to the error message on one To branch to sleep state 501 in the data center until communication from a franking machine again is recorded.
- a third step of the second transaction comprises sub-steps 609 to 614 of the franking machine for education a third encrypted message crypto cv + 2 by means of the aforementioned in the franking machine stored second key Kn + 1 and for Transmission of the third encrypted message crypto cv + 2 to the data center, comprising at least Identification and postal register data, but without Data for a default value.
- a fourth step of the second transaction the sub-steps 707 to 711 of the data center for reception and to decrypt the third encrypted Message containing crypto Cv + 2 lists their check Decryptibility by means of a in the data center saved key. Then there is a Form a third key Kn + 2, which for Franking machine should be transmitted encrypted, forming a fourth encrypted message crypto Cv + 3, which is at least the aforementioned third Key Kn + 2, the identification and the Contains transaction data and the transfer of the fourth encrypted message crypto Cv + 3 Franking machine.
- the fourth step of the second transaction closes Sub steps to get rid of undetectable errors encrypted messages (substep 709) a sub-step 513 for the error message on one To branch to sleep state 501 in the data center until communication from a franking machine again is recorded. If determined in a step 709 incorrect encrypted messages with recoverable error goes to a step 710 Cancellation of the previous transaction branches. This is followed in the data center in sub-step 711 forming a third key Kn + 2, which is used for Franking machine should be transmitted encrypted. To form a fourth encrypted message crypto Cv + 3 uses the DES algorithm again. Then the encrypted is transmitted Message about the franking machine.
- the fourth step of the second transaction to save the default value comprises a data center sub-step 712 which is based on the first sub-step 501 of the second step of first transaction branches to the second key Kn + 1 as the previous key Kn-1 and the third Key Kn + 2 as successor key Kn for others save first and second transactions.
- a fifth step of the second transaction which includes sub-steps 615 to 618 of the postage meter machine, serves to receive and decrypt the fourth encrypted message, to extract at least the identification data and the transmitted third key Kn + 2 Cv + 3 and the transaction data, and to verify the received encrypted message based on the extracted identification data.
- the transmitted second key Kn + 2 Cv + 3 and the default value in the franking machine are correspondingly added to the descending register value R1 and the resulting credit is stored or, if not verified, the process branches back to the first step of the first transaction.
- a negative remote value specification differs in Special mode especially through special tamper-proof Flags and a time watch.
- Such tamper evident Flags are especially a MAC secured Security flag X and a MAC-secured Special flag N.
- the process is with two transactions for reloading with a negative credit value, i.e. a negative remote value requirement for fund retransfer presented to the data center.
- a negative Remote value specification comprises at least two transactions.
- the first transaction of communication with the Data center DZ includes the notification of a predetermined default request, preferably one Zero default request to the consistency of the Register statuses between the data center DZ and the Manufacture franking machine FM.
- a Securing individual data in the message can again by a MAC or by means of CRC data in the can be achieved.
- the defined side entry is achieved by pressing a secret predetermined key combination while switching on the franking machine.
- the control unit of the franking machine can distinguish between authorized actions (service technician) and unauthorized actions (intention to manipulate) in connection with the data previously transmitted by the data center and an input process.
- authorized action a special flag N is set in step 220, because if the franking machine FM is switched off, the continuation of the transactions must be ensured after the franking machine is switched on again.
- the special flag N is also stored in a non-volatile MAC-protected manner.
- a step 209 is initiated to prevent further franking. It is envisaged that a predetermined key combination for each franking machine is stored in the data center and only the authorized person (service technician) is informed in order to achieve a predetermined operating sequence on the franking machine. The correct side entry causes a message on the display about the opening of the communication.
- a flag N is protected against manipulation Step 220 set if a specific criteria fulfilled, with the specific criterion for the special mode negative remote value specification at least the Use the predetermined key combination for Side entry into special mode while switching on the franking machine comprises.
- T key Teleset key
- Communication with the data center comprises at least two transactions, which in the event of an error be run repeatedly, after interruption communication automatically resumes and / or is carried out as long as the aforementioned Special flag N for the special mode is set by which made an automatic transaction request is to complete the retransfer of the credit.
- a first step of the first Transaction sub-steps 301 to 308 of the franking machine includes to establish the connection, for communication with unencrypted data and at least Identification, transaction type and other data to transfer to the data center.
- the transaction type data (1 byte), includes the message to the data center DZ then the special mode of a desired one negative remote value specification with the identified Franking machine.
- a second step of the first transaction involves Sub-steps 501 to 506 in the data center to Receive the data and check the identification the franking machine and for transmitting one unencrypted OK notification to the franking machine.
- the second step of the first transaction also includes Sub-steps to deal with incorrect unencrypted messages 505 via a sub-step 513 for Error message on a hibernation in the 501 Data center to branch out until communication is resumed by a franking machine.
- a third step involves the first transaction Sub-steps 309 to 314 of the franking machine, for Formation of a first encrypted message Crypto cv by means of a stored in the franking machine first key Kn and for the transmission of encrypted Data on the data center, including at least the default request, identification and postal register data.
- the security measures includes this encrypted message in Form of CRC data (cyclic redundancy check data) Notification to the data center DZ below Special mode of a desired negative remote value specification perform.
- CRC data cyclic redundancy check data
- the two-byte Cyclic Redundancey Check is a checksum which is a manipulation of the individual to the checksum processed data can be recognized. This checksum can individual data or the components of all communications Include (transaction type) on the part of the franking machine.
- the default request, the identification, Postal register and CRC data are merged with the DES algorithm encrypted message transmitted. So it is not necessary to have data in the first Step MAC-secured or encrypted to the data center transferred to.
- a fourth step of the first transaction the sub-steps 507 to 511 in the data center to receive and decrypt the first encrypted Notification or its check for decryptibility by means of one in the data center stored key, to form a second Key Kn + 1 corresponding to that of the franking machine key used to form a second encrypted message crypto Cv + 1 which at least the aforementioned second key Kn + 1, the Contains identification and transaction data and to transmit the second encrypted message crypto Cv + 1 intended for franking machine.
- the fourth step of the first Transaction also includes sub-steps to get rid of incorrect encrypted messages over 509 a sub-step 513 for the error message on one To branch to sleep state 501 in the data center until communication from a franking machine again is recorded.
- This sub-step serves to form a second or third key Kn + 1, which is transmitted in encrypted form to the franking machine should be used to form a second encrypted Message crypto Cv + 1 and to transfer the encrypted message to the franking machine.
- the fourth step of the first transaction a sub-step 512 of the data center for storage of the default request, of which the first sub-step 701 of the second step of the second transaction is branched to the first key Kn as Previous key and the second key Kn + 1 as Store successor key.
- a fifth step of the first transaction which comprises sub-steps 315 to 318 of the postage meter machine, serves to receive and to decrypt the second encrypted message, to extract at least the identification data and the transmitted second key Kn + 1 Cv + 1 , and to verify the encrypted received Notification based on the extracted identification data. Upon verification, the transmitted second key Kn + 1 Cv + 1 and the default request are stored in the franking machine. Otherwise, if not verified, the process branches back to the first step of the first transaction.
- a first step of the second transaction includes Sub-steps 602 to 608 of the franking machine for Communication with unencrypted data to the Establish connection and at least identification and transaction type data to the data center transferred to.
- a second step of the second transaction the sub-steps 701 to 706 of the data center is for Receive the data and check the identification the franking machine and for transmitting one unencrypted OK notification to the franking machine intended. It is also contemplated that the second Step of the second transaction includes sub-steps to in the case of incorrect unencrypted messages 705 via a sub-step 513 to the error message on one To branch to sleep state 501 in the data center until communication from a franking machine again is recorded.
- a third step of the second transaction comprises sub-steps 609 to 614 of the franking machine for education a third encrypted message crypto cv + 2 by means of the aforementioned in the franking machine stored second key Kn + 1 and for Transmission of the third encrypted message crypto cv + 2 to the data center, comprising at least Identification and postal register data, but without Data for a default value.
- a fourth step of the second transaction the sub-steps 707 to 711 of the data center for reception and to decrypt the third encrypted Message containing crypto Cv + 2 lists their check Decryptibility by means of a in the data center saved key. Then there is a Form a third key Kn + 2, which is to the franking machine should be transmitted in encrypted form Form a fourth encrypted message crypto Cv + 3, at least the aforementioned third key Kn + 2, the identification and transaction data contains and transmitting the fourth encrypted Message crypto Cv + 3 to the franking machine.
- the fourth step of the second transaction closes Sub steps to get rid of undetectable errors encrypted messages 709 about a sub-step 513 for the error message on a sleep state 501 in the Data center to branch out until communication is resumed by a franking machine.
- Encrypts to the franking machine should be transmitted.
- To form a fourth encrypted Message crypto Cv + 3 will be the again DES algorithm used. Then there is a Transfer the encrypted message to Franking machine.
- the fourth step of the second transaction to save the default value comprises a data center sub-step 712 which is based on the first sub-step 501 of the second step of first transaction branches to the second key Kn + 1 as the previous key Kn-1 and the third Key Kn + 2 as successor key Kn for others save first and second transactions.
- a fifth step of the second transaction which includes sub-steps 615 to 618 of the postage meter machine, serves to receive and decrypt the fourth encrypted message, to extract at least the identification data and the transmitted third key Kn + 2 Cv + 3 and the transaction data, and to verify the received encrypted message based on the extracted identification data.
- the above step has a further query criterion for identifying the completion in contrast to the positive remote value specification.
- the franking machine FM is to receive the fourth crypto message within a predetermined time from the sending of the third crypto message. If the connection was free of interruption, the reception would take place in the predetermined time t1.
- the corresponding program section a Routine activated, which sets a counter that in turn by the system clock or its multiple is decremented. For a longer period of time, for example in the order of 10 seconds monitor several meters are cascaded. Reached now the fourth within the critical period Crypto message from the data center, the franking machine, the counter is deactivated. This remains the last crypto message, however, is set Counter decremented further.
- interrupt At the zero crossing of the A program interrupt signal (interrupt) triggered.
- This signal triggers the call a special subroutine, which is a new one Prepared and triggered transaction. Part of this Another transaction is the transmission of the Contents of the postal register.
- One that takes place in the data center Consistency check then leads to the result that an unfinished transaction in special mode negative Remote value specification preceded.
- the inconsistent records are corrected and the negative remote value specification is accomplished.
- Another variant of the invention results if an incremental counter instead of a decremental counter is used.
- the after each counting cycle Comparison can be made with the number that the monitored period corresponds.
- Exceeding time t1 is a sure indication for a failed transmission and causes the call a special subroutine, which is a new one Execution of the special mode negative remote value specification prepared and triggered automatically. The first and second transaction will be automatic in this case repeated with key Kn + 2.
- the transmitted second key Kn + 2 Cv + 3 and the default value in the franking machine are added to the descending register value R1 and the resulting credit is saved or, if not verified or the time is exceeded, the first step is the branched back in the first transaction.
- the fifth step of the second transaction closes a sub-step (620) of the franking machine for Resetting the aforementioned special flag N or Return to the normal mode of the franking machine, whereby the aforementioned automatic transaction request is canceled again when performing the second transaction has been completed.
- the service technician present secures the others trouble-free process until the completion of the negative Remote value specification.
- the negative remote value specification when entering the special mode set special flag N was successful Transaction rolled back.
- the franking machine prevents all frankings with values greater than zero because no more credit is loaded.
- the franking machine is still zero for frankings with values and other modes of operation as long as these No credit required or as long as no postage franked and the quantity limit is not reached.
- PIN identification number
- step 603 takes place triggering the second transaction and one Leave or repeat the first transaction in communication mode or in special mode if the Entry time is exceeded.
- the T key are actuated within 30 seconds or the Entry time has been exceeded.
- the data center any desired request agreed as a code.
- a zero default request is preferably agreed. Is now within a certain time after the Agreement of the special mode negative remote value specification called and the zero default request entered or confirmed as the default request is in the franking machine automatically the remaining amount R1 to zero reset.
- a corresponding query step 219 according to such another specific criterion for the franking machine was dashed in FIG. 2 shown. From this, step 220 proceeds to Setting the special flag N branches.
- a third variant security is increased by a combination of different measures.
- a first communication link is established between the authorized user and the data center for storing a code for registering an authorized action on the franking machine by means of a default request that is transmitted later.
- the franking machine can now be switched on to carry out an authorized predetermined operating sequence in order to enter a negative remote value specification via a side entry into a special mode.
- a second communication connection is established between the franking machine and the data center and the input of a default request.
- a distinguishable logon to the data center takes place if the transmitted request matches a corresponding code.
- a new code word or security flag and / or operating sequence is transmitted to the franking machine.
- the security-relevant data is transmitted and its storage in the franking machine is completed.
- the specification value is added to the remaining credit in the corresponding memory of the franking machine and, in order to check the transaction, in an appropriate memory of the data center. Otherwise, execution of a step 209 for deleting a tamper-proof stored security flag X as a result of at least one unauthorized deviation from the predetermined operating sequence or because the franking machine has been interfered with is provided.
- the franking machine is thus transferred to a first mode in order to effectively put it out of operation for franking (franking mode 400) (step 409), in contrast to the authorized action or intervention.
- a transfer of a valid operating sequence from the data center to the franking machine becomes superfluous if the operating sequence is changed depending on the time.
- the same calculation algorithm is used in the data center and in the franking machine to determine a current operating sequence.
- Another variant is based on the storage of the current operating sequence in the franking machine by means of a special reset E 2 PROM by the service technician.
- the security of an authorized person by means of an additional Input security means increased, which with the Franking machine is brought in contact to a Transfer remaining credit back to the data center.
- the topicality of the data center produced by the register stands by means of a Zero remote value specification can be reported.
- the service technician Reset read-only memory chip to a predetermined one Base of the at least partially opened franking machine used.
- a reset read-only memory chip Refunds EPROM
- step 209 for deletion of a flag X are branched, which in step 409 of the Franking mode ( Figure 4) would be noticed and for statistics and error evaluation or registration in step 213 leads. Otherwise, with the correct side entry and when the refund EPROM is inserted, a special flag N what is automatically set in communication mode Transfer the remaining credit back to the data center triggers.
- steps 218 and 219 run reversed in order according to FIG. 2, so that only with regard to the inserted refund EPROM and only after the correct side entry is asked.
- Such a sub-variant has the advantage that the information about the correct side entry can also be saved in the Refunds EPROM, instead of in the franking machine. With that the Protection against tampering further increased.
- the input security means can of course also be implemented as a chip card.
Landscapes
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Engineering & Computer Science (AREA)
- Mathematical Physics (AREA)
- Theoretical Computer Science (AREA)
- Devices For Checking Fares Or Tickets At Control Points (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
- Detection And Prevention Of Errors In Transmission (AREA)
Abstract
Description
- Figur 1,
- Blockschaltbild einer Frankiermaschine,
- Figur 2,
- Ablaufplan nach der erfindungsgemäßen Lösung,
- Figur 3a und 3b,
- Darstellung der Sicherheitsabläufe der im Kommunikationsmodus befindlichen Frankiermaschine und Datenzentrum,
- Figur 4,
- Ablaufplan für den Frankiermodus nach einer bevorzugten Variante,
- Figur 5,
- allgemene Blockdarstellung eines Ablaufes mit zwei Transaktionen für das Nachladen mit einem Null-Guthabenwert,
- Figur 6,
- Blockdarstellung eines Ablaufes mit zwei Transaktionen für das Nachladen mit einem negativen-Guthabenwert,
- Figur 7,
- Ablaufplan zur Einspeicherung eines Sicherheits-Flags bzw. Codewortes nach der erfindungsgemäßen Lösung
Beim autorisierten Handeln wird ein Sonder-Flag N im Schritt 220 gesetzt, denn falls die Frankiermaschine FM ausgeschaltet wird, muß die Weiterführung der Transaktionen nach dem Wiedereinschalten der Frankiermaschine gesichert sein. Als Schutz gegen eine eventuelle Manipulation wird das Sonder-Flag N ebenfalls MAC-gesichert nichtflüchtig gespeichert.
Es ist vorgesehen, daß eine vorbestimmte Tastenkombination für jede Frankiermaschine in der Datenzentrale gespeichert wird und nur der autorisierten Person (Service-Techniker) mitgeteilt wird, um einen yorbestimmten Bedienablauf bei der Frankiermaschine zu erzielen. Der richtige Seiteneinstieg bewirkt eine Meldung auf dem Display über eine Eröffnung der Kommunikation.
Anderenfalls ist eine Ausführung eines Schrittes 209 zur Löschung eines manipulationssicher gespeicherten Sicherheitsflags X im Ergebnis mindestens einer unerlaubten Abweichung vom vorbestimmten Bedienablauf bzw. weil in die Frankiermaschine eingegriffen wurde, vorgesehen. Damit wird die Frankiermaschine in einen ersten Modus überführt, um sie damit für ein Frankieren (Frankiermodus 400) wirksam außer Betrieb zu setzen (Schritt 409), im Gegensatz zur authorisierten Handlung bzw. Eingriff.
Claims (4)
- Verfahren zur Verbesserung der Sicherheit von Frankiermaschinen gegen Manipulation mit einem Mikroprozessor in einer Steuereinheit der Frankiermaschine zur Ausführung von Schritten für eine Start- und Initialisierungsroutine und nachfolgender Systemroutine mit einer Möglichkeit in einen Kommunikationsmodus mit einer entfernten Datenzentrale einzutreten, um einen Guthabenwert zu laden oder an die Datenzentrale zurück zu übertragen sowie weiteren Eingabeschritten, um in einen Frankiermodus einzutreten von dem nach Ausführung einer Abrechnungs-und Druckroutine in die Systemroutine zurückverzweigtwird, gekennzeichnet, durch Unterscheiden zwischen nichtmanipuliertem und manipuliertem Betrieb einer Frankiermaschine mittels der Steuereinrichtung (6), indem während eines Betriebsmodus (290) eine Überwachung der Zeitdauer des Ablaufes von Programmen, Programmteilen bzw. sicherheitsrelevanter Routinen vorgenommen wird und durch einen nach Ablauf von Programmen, Programmteilen bzw. sicherheitsrelevanten Routinen anschließenden Vergleich der gemessenen Laufzeit mit einer vorgegebenen Laufzeit.
- Verfahren, nach Anspruch 1, dadurch gekennzeichnet, daß ein decrementaler Zähler oder ein incrementaler Zähler verwendet wird, um ein Überschreiten der Zeit t1 im Sondermodus als ein sicheres Indiz für eine mißglückte Übertragung zu detektieren und daß ein spezielles Unterprogrammm aufgerufen wird, welches eine erneute Durchführung des Sondermodus negative Fernwertvorgabe vorbereitet und automatisch auslöst, so daß die erste und zweite Transaktion automatisch wiederholt werden.
- Verfahren zur Verbesserung der Sicherheit von Frankiermaschinen gegen Manipulation mit einem Mikroprozessor in einer Steuereinheit der Frankiermaschine zur Ausführung von Schritten für eine Start- und Initialisierungsroutine und nachfolgender Systemroutine mit einer Möglichkeit in einen Kommunikationsmodus mit einer entfernten Datenzentrale einzutreten, um einen Guthabenwert zu laden oder an die Datenzentrale zurück zu übertragen sowie weiteren Eingabeschritten, um in einen Frankiermodus einzutreten von dem nach Ausführung einer Abrechnungs-und Druckroutine in die Systemroutine zurückverzweigt wird, gekennzeichnet, durch während einer Kommunikation im Kommunikationsmodus (300) vorgenommene Überwachung der Einhaltung eines bestimmten Zeitablaufes im Sondermodus negative Fernwertvorgabe, insbesondere der Zeitdauer vom Senden einer dritten verschlüsselten Mitteilung seitens der Frankiermaschine bis zum Empfang der von der Datenzentrale an die Frankiermaschine gesendeten vierten verschlüsselten Mitteilung in der Frankiermaschine, welche bei Verifizierung ein Null-Setzen des Guthabenwerts auslöst.
- Verfahren, nach Anspruch 3, dadurch gekennzeichnet, daß ein decrementaler Zähler oder ein incrementaler Zähler verwendet wird, um ein Überschreiten der Zeit t1 im Sondermodus als ein sicheres Indiz für eine mißglückte Übertragung zu detektieren und daß ein spezielles Unterprogrammm aufgerufen wird, welches eine erneute Durchführung des Sondermodus negative Fernwertvorgabe vorbereitet und automatisch auslöst, so daß die erste und zweite Transaktion automatisch wiederholt werden.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE4446667A DE4446667C2 (de) | 1994-12-15 | 1994-12-15 | Verfahren zur Verbesserung der Sicherheit von Frankiermaschinen bei der Guthabenübertragung |
DE4446667 | 1994-12-15 | ||
EP95250286A EP0717379B1 (de) | 1994-12-15 | 1995-11-21 | Verfahren zur Verbesserung der Sicherheit von Frankiermachinen bei der Guthabenübertragung |
Related Parent Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP95250286.2 Division | 1995-11-21 | ||
EP95250286A Division EP0717379B1 (de) | 1994-12-15 | 1995-11-21 | Verfahren zur Verbesserung der Sicherheit von Frankiermachinen bei der Guthabenübertragung |
Publications (4)
Publication Number | Publication Date |
---|---|
EP0996097A2 true EP0996097A2 (de) | 2000-04-26 |
EP0996097A3 EP0996097A3 (de) | 2004-06-16 |
EP0996097A9 EP0996097A9 (de) | 2005-06-22 |
EP0996097B1 EP0996097B1 (de) | 2006-05-03 |
Family
ID=6537174
Family Applications (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP95250286A Expired - Lifetime EP0717379B1 (de) | 1994-12-15 | 1995-11-21 | Verfahren zur Verbesserung der Sicherheit von Frankiermachinen bei der Guthabenübertragung |
EP00250033A Expired - Lifetime EP0996097B1 (de) | 1994-12-15 | 1995-11-21 | Verfahren zur Verbesserung der Sicherheit von Frankiermaschinen bei der Guthabenübertragung |
EP00250032A Expired - Lifetime EP0996096B1 (de) | 1994-12-15 | 1995-11-21 | Verfahren zur Verbesserung der Sicherheit von Frankiermaschinen bei der Guthabenübertragung und Anordnung zur Durchführung des Verfahrens |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP95250286A Expired - Lifetime EP0717379B1 (de) | 1994-12-15 | 1995-11-21 | Verfahren zur Verbesserung der Sicherheit von Frankiermachinen bei der Guthabenübertragung |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP00250032A Expired - Lifetime EP0996096B1 (de) | 1994-12-15 | 1995-11-21 | Verfahren zur Verbesserung der Sicherheit von Frankiermaschinen bei der Guthabenübertragung und Anordnung zur Durchführung des Verfahrens |
Country Status (2)
Country | Link |
---|---|
EP (3) | EP0717379B1 (de) |
DE (4) | DE4446667C2 (de) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE19731304B4 (de) * | 1997-07-14 | 2005-02-24 | Francotyp-Postalia Ag & Co. Kg | Verfahren zur Statistikmodusnachladung und zur statistischen Erfassung nach Statistikklassen bei der Speicherung eines Datensatzes |
US6058384A (en) * | 1997-12-23 | 2000-05-02 | Pitney Bowes Inc. | Method for removing funds from a postal security device |
DE19818708A1 (de) * | 1998-04-21 | 1999-11-04 | Francotyp Postalia Gmbh | Verfahren zum Nachladen eines Portoguthabens in eine elektronische Frankiereinrichtung |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4251874A (en) | 1978-10-16 | 1981-02-17 | Pitney Bowes Inc. | Electronic postal meter system |
US4746234A (en) | 1983-07-23 | 1988-05-24 | Francotyp-Postalia Gmbh | Relating to postal franking machines |
US4785417A (en) | 1986-04-28 | 1988-11-15 | Pitney Bowes Inc. | Electronic postage meter having an out of sequence checking arrangement |
US4812994A (en) | 1985-08-06 | 1989-03-14 | Pitney Bowes Inc. | Postage meter locking system |
US4812965A (en) | 1985-08-06 | 1989-03-14 | Pitney Bowes Inc. | Remote postage meter insepction system |
US4835697A (en) | 1984-04-02 | 1989-05-30 | Pitney Bowes Inc. | Combination generator for an electronic postage meter |
US4846506A (en) | 1987-09-04 | 1989-07-11 | U.S. Plastics Corporation | Quick connect coupling |
EP0576113A2 (de) | 1992-06-26 | 1993-12-29 | Francotyp-Postalia GmbH | Verfahren und Anordnung zur schnellen Erzeugung eines Sicherheitsabdruckes |
Family Cites Families (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US3255439A (en) | 1961-07-13 | 1966-06-07 | Gen Res Inc | Postage metering system |
US4549281A (en) | 1985-02-21 | 1985-10-22 | Pitney Bowes, Inc. | Electronic postage meter having keyboard entered combination for recharging |
CH675497A5 (de) * | 1985-08-06 | 1990-09-28 | Pitney Bowes Inc | |
US4760532A (en) | 1985-12-26 | 1988-07-26 | Pitney Bowes Inc. | Mailing system with postage value transfer and accounting capability |
US4864506A (en) * | 1986-04-10 | 1989-09-05 | Pitney Bowes Inc. | Postage meter recharging system |
US4811234A (en) * | 1986-04-10 | 1989-03-07 | Pitney Bowes Inc. | Postage meter recharging system |
US5077660A (en) | 1989-03-23 | 1991-12-31 | F.M.E. Corporation | Remote meter configuration |
DE69014361T2 (de) | 1989-03-23 | 1995-04-27 | Neopost Ind | Verfahren zur Erhöhung der Sicherheit einer elektronischen Frankiermaschine mit Fernaufwertung. |
CH678368A5 (de) * | 1989-03-29 | 1991-08-30 | Frama Ag | |
GB2233937B (en) | 1989-07-13 | 1993-10-06 | Pitney Bowes Plc | A machine incorporating an accounts verification system |
US5237506A (en) * | 1990-02-16 | 1993-08-17 | Ascom Autelca Ag | Remote resetting postage meter |
US5243654A (en) * | 1991-03-18 | 1993-09-07 | Pitney Bowes Inc. | Metering system with remotely resettable time lockout |
GB2256396B (en) | 1991-05-29 | 1995-03-29 | Alcatel Business Systems | Method of remote diagnostics for franking machines |
DE4129302A1 (de) | 1991-09-03 | 1993-03-04 | Helmut Lembens | Frankiermaschine |
GB2261748B (en) * | 1991-11-22 | 1995-07-19 | Pitney Bowes Inc | Method of diagnosis in an electrically controlled mechanical device |
US5309363A (en) * | 1992-03-05 | 1994-05-03 | Frank M. Graves | Remotely rechargeable postage meter |
DE4224955C2 (de) | 1992-07-24 | 1998-11-26 | Francotyp Postalia Gmbh | Anordnung und Verfahren für einen internen Kostenstellendruck |
-
1994
- 1994-12-15 DE DE4446667A patent/DE4446667C2/de not_active Expired - Fee Related
-
1995
- 1995-11-21 EP EP95250286A patent/EP0717379B1/de not_active Expired - Lifetime
- 1995-11-21 DE DE59508807T patent/DE59508807D1/de not_active Expired - Lifetime
- 1995-11-21 EP EP00250033A patent/EP0996097B1/de not_active Expired - Lifetime
- 1995-11-21 DE DE59511048T patent/DE59511048D1/de not_active Expired - Lifetime
- 1995-11-21 DE DE59511045T patent/DE59511045D1/de not_active Expired - Lifetime
- 1995-11-21 EP EP00250032A patent/EP0996096B1/de not_active Expired - Lifetime
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4251874A (en) | 1978-10-16 | 1981-02-17 | Pitney Bowes Inc. | Electronic postal meter system |
US4746234A (en) | 1983-07-23 | 1988-05-24 | Francotyp-Postalia Gmbh | Relating to postal franking machines |
US4835697A (en) | 1984-04-02 | 1989-05-30 | Pitney Bowes Inc. | Combination generator for an electronic postage meter |
US4812994A (en) | 1985-08-06 | 1989-03-14 | Pitney Bowes Inc. | Postage meter locking system |
US4812965A (en) | 1985-08-06 | 1989-03-14 | Pitney Bowes Inc. | Remote postage meter insepction system |
US4785417A (en) | 1986-04-28 | 1988-11-15 | Pitney Bowes Inc. | Electronic postage meter having an out of sequence checking arrangement |
US4846506A (en) | 1987-09-04 | 1989-07-11 | U.S. Plastics Corporation | Quick connect coupling |
EP0576113A2 (de) | 1992-06-26 | 1993-12-29 | Francotyp-Postalia GmbH | Verfahren und Anordnung zur schnellen Erzeugung eines Sicherheitsabdruckes |
Also Published As
Publication number | Publication date |
---|---|
EP0996096A2 (de) | 2000-04-26 |
EP0996097A3 (de) | 2004-06-16 |
EP0717379A3 (de) | 1998-04-15 |
DE59511045D1 (de) | 2006-06-08 |
DE59508807D1 (de) | 2000-11-30 |
EP0717379B1 (de) | 2000-10-25 |
EP0996097B1 (de) | 2006-05-03 |
EP0996096B1 (de) | 2006-05-10 |
DE4446667A1 (de) | 1996-06-20 |
EP0996096A3 (de) | 2004-06-16 |
EP0717379A2 (de) | 1996-06-19 |
DE4446667C2 (de) | 1998-09-17 |
DE59511048D1 (de) | 2006-06-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP0969421B1 (de) | Verfahren zur Verbesserung der Sicherheit von Frankiermaschinen | |
EP0762337A2 (de) | Verfahren und Anordnung zur Erhöhung der Manipulationssicherheit von kritischen Daten | |
DE3712138B4 (de) | Verfahren zum Betrieb eines Frankiermaschinensystems | |
DE3040559C2 (de) | ||
EP0892368B1 (de) | Verfahren zur Statistikmodusnachladung und zur statistischen Erfassung nach Statistikklassen bei der Speicherung eines Datensatzes | |
DE3626580A1 (de) | Fernfrankiermaschinen-inspektionssystem | |
DE3712100A1 (de) | Frankiermaschinen-botschaft-drucksystem | |
DE19534528A1 (de) | Verfahren zur Veränderung der in Speicherzellen geladenen Daten einer elektronischen Frankiermaschine | |
EP1103924B1 (de) | Verfahren zum Schutz eines Gerätes vor einem Betreiben mit unzulässigem Verbrauchsmaterial und Anordnung zur Durchführung des Verfahrens | |
EP1035516B1 (de) | Anordnung für ein Sicherheitsmodul | |
DE69221538T2 (de) | Ferndiagnoseverfahren für Frankiermaschine | |
EP1035518B1 (de) | Anordnung zum Schutz eines Sicherheitsmoduls | |
EP1035517A2 (de) | Verfahren zum Schutz eines Sicherheitsmoduls und Anordnung zur Durchführung des Verfahrens | |
DE19534530A1 (de) | Verfahren zur Absicherung von Daten und Programmcode einer elektronischen Frankiermaschine | |
EP1063619B1 (de) | Sicherheitsmodul und Verfahren zur Sicherung der Postregister vor Manipulation | |
EP0717379B1 (de) | Verfahren zur Verbesserung der Sicherheit von Frankiermachinen bei der Guthabenübertragung | |
WO1989011134A1 (en) | Electronic computing and storage system for franking machines | |
DE10305730B4 (de) | Verfahren zum Überprüfen der Gültigkeit von digitalen Freimachungsvermerken | |
EP0969420B1 (de) | Verfahren zur sicheren Übertragung von Dienstdaten an ein Endgerät und Anordnung zur Durchführung des Verfahrens | |
EP1619630A2 (de) | Verfahren und Anordnung zum Erstatten von Porto | |
EP0996097A9 (de) | Verfahren zur Verbesserung der Sicherheit von Frankiermaschinen bei der Guthabenübertragung | |
DE60015907T2 (de) | Verfahren und Vorrichtung zur Erzeugung von Nachrichten welche eine prüfbare Behauptung enthalten dass eine Veränderliche sich innerhalb bestimmter Grenzwerte befindet | |
DE19534529C2 (de) | Verfahren zur Erhöhung der Manipulationssicherheit von kritischen Daten | |
EP1061479A2 (de) | Anordnung und Verfahren zur Generierung eines Sicherheitsabdruckes | |
DE19534527C2 (de) | Verfahren zur Erhöhung der Manipulationssicherheit von kritischen Daten |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
AC | Divisional application: reference to earlier application |
Ref document number: 717379 Country of ref document: EP |
|
AK | Designated contracting states |
Kind code of ref document: A2 Designated state(s): AT BE CH DE DK ES FR GB GR IE IT LI LU MC NL PT SE |
|
AX | Request for extension of the european patent |
Free format text: LT;LV;SI |
|
RAP1 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: FRANCOTYP-POSTALIA AG & CO. KG |
|
PUAL | Search report despatched |
Free format text: ORIGINAL CODE: 0009013 |
|
AK | Designated contracting states |
Kind code of ref document: A3 Designated state(s): AT BE CH DE DK ES FR GB GR IE IT LI LU MC NL PT SE |
|
AX | Request for extension of the european patent |
Extension state: LT LV SI |
|
17P | Request for examination filed |
Effective date: 20040630 |
|
AKX | Designation fees paid |
Designated state(s): CH DE FR GB IT LI |
|
17Q | First examination report despatched |
Effective date: 20050222 |
|
GRAP | Despatch of communication of intention to grant a patent |
Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
|
RAP1 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: FRANCOTYP-POSTALIA GMBH |
|
GRAS | Grant fee paid |
Free format text: ORIGINAL CODE: EPIDOSNIGR3 |
|
GRAA | (expected) grant |
Free format text: ORIGINAL CODE: 0009210 |
|
AC | Divisional application: reference to earlier application |
Ref document number: 0717379 Country of ref document: EP Kind code of ref document: P |
|
AK | Designated contracting states |
Kind code of ref document: B1 Designated state(s): CH DE FR GB IT LI |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: IT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT;WARNING: LAPSES OF ITALIAN PATENTS WITH EFFECTIVE DATE BEFORE 2007 MAY HAVE OCCURRED AT ANY TIME BEFORE 2007. THE CORRECT EFFECTIVE DATE MAY BE DIFFERENT FROM THE ONE RECORDED. Effective date: 20060503 |
|
REG | Reference to a national code |
Ref country code: GB Ref legal event code: FG4D Free format text: NOT ENGLISH |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: EP |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: NV Representative=s name: ROTTMANN, ZIMMERMANN + PARTNER AG |
|
REF | Corresponds to: |
Ref document number: 59511045 Country of ref document: DE Date of ref document: 20060608 Kind code of ref document: P |
|
GBT | Gb: translation of ep patent filed (gb section 77(6)(a)/1977) |
Effective date: 20060817 |
|
ET | Fr: translation filed | ||
PLBE | No opposition filed within time limit |
Free format text: ORIGINAL CODE: 0009261 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT |
|
26N | No opposition filed |
Effective date: 20070206 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: DE Payment date: 20090916 Year of fee payment: 15 Ref country code: CH Payment date: 20091124 Year of fee payment: 15 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: FR Payment date: 20091201 Year of fee payment: 15 Ref country code: GB Payment date: 20091119 Year of fee payment: 15 Ref country code: IT Payment date: 20091121 Year of fee payment: 15 |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: PL |
|
GBPC | Gb: european patent ceased through non-payment of renewal fee |
Effective date: 20101121 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: CH Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20101130 Ref country code: LI Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20101130 |
|
REG | Reference to a national code |
Ref country code: FR Ref legal event code: ST Effective date: 20110801 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R119 Ref document number: 59511045 Country of ref document: DE Effective date: 20110601 Ref country code: DE Ref legal event code: R119 Ref document number: 59511045 Country of ref document: DE Effective date: 20110531 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: DE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20110531 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: FR Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20101130 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: GB Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20101121 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: IT Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20101121 |