EP0996097A9 - Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit - Google Patents

Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit Download PDF

Info

Publication number
EP0996097A9
EP0996097A9 EP00250033.8A EP00250033A EP0996097A9 EP 0996097 A9 EP0996097 A9 EP 0996097A9 EP 00250033 A EP00250033 A EP 00250033A EP 0996097 A9 EP0996097 A9 EP 0996097A9
Authority
EP
European Patent Office
Prior art keywords
data center
franking machine
data
transaction
postage meter
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
EP00250033.8A
Other languages
German (de)
English (en)
Other versions
EP0996097A3 (fr
EP0996097B1 (fr
EP0996097A2 (fr
Inventor
Enno Bischoff
George G. Gelfer
Wolfgang Dr. Thiel
Andreas Wagner
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Francotyp Postalia GmbH
Original Assignee
Francotyp Postalia GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from DE4446667A external-priority patent/DE4446667C2/de
Application filed by Francotyp Postalia GmbH filed Critical Francotyp Postalia GmbH
Publication of EP0996097A2 publication Critical patent/EP0996097A2/fr
Publication of EP0996097A3 publication Critical patent/EP0996097A3/fr
Publication of EP0996097A9 publication Critical patent/EP0996097A9/fr
Application granted granted Critical
Publication of EP0996097B1 publication Critical patent/EP0996097B1/fr
Anticipated expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Definitions

  • the invention relates to a method for improvement the security of franking machines in the credit transfer, especially in the case of fund redemption to Data center, according to the preamble of claim 1 or 3 specified type.
  • a postage meter usually generates a print in a form agreed with the post office, right-justified, Starting parallel to the top edge of the mail with the content postal value in the postmark, date in Daily stamps and stamps for advertising clichés and if necessary, shipment type in the optional cancellation stamp.
  • the postal value, the The date and the type of shipment are the corresponding ones variable information to be entered in the mail piece.
  • the postage is usually the one from the sender prepaid transport fee (Franko), the one taken from the refillable credit register and the Freeing the mail item is used.
  • a register is created in the current account procedure Dependence on those made with the postage value Frankings only counted up and in regular Intervals, read by a postal inspector.
  • a known postage meter is with at least one Input means, an output means, an input / output control module, a program, data and in particular the billing register bearing storage device, a control device and a printer module equipped.
  • a printer module with print mechanics must also measures are taken so that in the off Condition the print mechanics not for unbilled Imprints can be misused.
  • the invention relates to a method for franking machines, which produced a fully electronic impression for franking mail including an imprint Deliver advertising clichés. This has the consequence that only in the switched on state a not billed valid Franking must be prevented.
  • the memory device comprises at least a non-volatile memory device that is the current contains remaining credit balance resulting from that from one earlier into the franking machine loaded credit the respective postage value to be printed is deducted.
  • the franking machine blocks, if the balance is zero.
  • Known franking machines contain at least one Store three relevant postal registers for consumed sum value (rising register), still available balance (falling register) and Register for a checksum.
  • the checksum is with the sum of the used sum value and off available credit. Already with that is one Check for correct billing possible.
  • Patent is also known that the data center to receive register data and to check, whether the postage meter still has a specific one Phone number is connected - the connection with the franking machine after a defined period of time picks up and the franking machine only to predetermined Times answers.
  • a security housing for franking machines which has internal sensors, is known from DE 41 29 302 A1 known.
  • the sensors are in particular with a battery connected switches, which when opening the security case become active to clear the balance storing memory (falling post register) by interrupting the energy supply too Clear. It is known, but not predictable, which state a voltage-free memory module when the voltage returns. Thus could also an unpaid higher remaining balance arise.
  • the residual value credit at least partially discharges. But that would be at one Inspection disadvantageous, since the residual value credit, which paid by the meter user, too must be reloaded, the amount of this remaining balance however by o.g. Influences be distorted can.
  • the description is not removable, how can a manipulator be prevented restores an unpaid balance.
  • the password can be transmitted through a personal computer MODEM, by a smart card or manually in the Postage meter be entered. After positive Comparison with one in the franking machine stored password is the postage meter Approved.
  • a safety module EPROM
  • an encryption module separate microprocessor or program for FM CPU based on DES or RSA code
  • the postage meter Upon detection of tampering, the postage meter will during remote inspection via modem a signal coming from the data center is blocked.
  • a clever manipulation could, however, on the other hand consist in the production of unbilled Franking imprints, the flag and the registers to return to the original state. A Such manipulation would be via remote inspection by the Data center not recognizable if this undo made manipulation before the remote inspection.
  • the receipt of the postcard from the data center, on which is a postage to be made for inspection purposes should allow the manipulator the Postage meter in sufficient time in the original Restore condition. So that is still no higher security achievable.
  • a security print according to the FP's own European patent application EP 576 113 A2 provides symbols in a marking field in the franking stamp, which contain a cryptified information. This allows the postal authority, which interacts with the data center, to detect a manipulation of the franking machine at any time from the respective security print. Although a running control of such item of mail provided with a security imprint n ting via appropriate security markings in the stamp image is technically possible, but this means an extra effort in the post office. In a sample-based control, however, a manipulation is usually detected late.
  • ancillary processes are additionally integrated into main processes or omitted from last or on ancillary processes is branched, then no error would be detected because neither the length of the program part found, nor can it be determined which Program branch how often was passed.
  • From US 5,077,660 is also a method for Changing the configuration of the franking machine known wherein the franking machine by means of a suitable input via a keyboard from the operating mode into a configuration mode switched and a new meter type number can be entered, which of the desired number corresponds to characteristics.
  • the franking machine generates a code for communicating with the computer the Data center and the input of identification data and the new meter type number in the aforementioned computer, which also has a corresponding code for transmission and input to the postage meter machine generated in the two codes are compared. With agreement both codes will configure the postage meter and switched to the operating mode.
  • the data center has from the set meter type for the corresponding franking machine always accurate records. However, security is just about encryption depending on the transmitted code.
  • US 4 811 234 discloses the transactions encrypted and doing the registers of To query franking machine and the register data of the Data center to submit to a temporal reference the reduction of the person entitled to vote in the register Amount display.
  • the franking machine at the data center when a presettable threshold is reached is, by means of their encrypted register content.
  • the data center is modified by appropriate ones
  • Authorization signals the desired franking amount, up to which may be franked.
  • the encryption is thus the only security against a manipulation of the register states. So if a manipulator Although always the same amount properly loads in equal time intervals, but in the meantime with the manipulated franking machine one franked much higher than he has paid can the data center does not detect any tampering.
  • a blocking agent allows the postage meter to Expiration of a predetermined time or after a predetermined Number of operation cycles to block and provides a warning to the user.
  • To unlock must be entered from the outside an encrypted code which is encrypted with an internally generated Code is compared.
  • To prevent wrong billing data delivered to the data center Become in the encryption of the above Codes include the billing data. adversely is that the warning coincides with the blocking of the Franking machine is done without the user a Possibility to adjust his behavior on time to change.
  • a second step the supply of the aforementioned central station takes place with information related to a desired change, to reduce the total amount of postage, which is available in the aforementioned postal device, and with a clear identification of the above Post device.
  • a third step involves one, Received from the central station and entering a first unique codes in the aforementioned postal device, wherein the inputting is operated to the total amount Postal values stored in the postal device to reduce in accordance with the aforementioned desire.
  • the fourth step is generating one second unique codes provided in the mailing device, when the first unique code is entered into the postal device where the second unique code is a Indication such that the aforementioned postal value, which is available for printing the mail, has been reduced in the aforementioned postal device.
  • the solution according to the invention is based on the one hand on the Realization that only centrally in a data center stored data before manipulation sufficient can be protected.
  • a significant increase Security and synchronicity in the stored data is determined by a data reporting before each predetermined Action on the franking machine achieved. Likewise increases this in more or less large intervals reporting, in particular for reloading a Balance in connection with the o.g. logging the security against a possible manipulation.
  • the data to be stored centrally include at least Date, time, identification number of the franking machine (ID number or PIN) and the type of data (e.g. Register values, parameters) when the postage meter establishes communication with the data center.
  • ID number or PIN identification number
  • the type of data e.g. Register values, parameters
  • a communication takes place between Postage meter machine and data center at least with encrypted Messages, preferably the DES algorithm is used.
  • a first fashion is provided for in fraudulent actions or in Intended to manipulate the franking machine at the franking with postage values to prevent (kill mode). This inhibition can on the occasion of the next on-site inspection of a person authorized to do so.
  • the Postage meter has another mode to at Fulfillment of selected criteria the franking machine if necessary for automatic communication with the To initiate data center.
  • Another fashion according to the invention is the Special mode negative remote value transmission or by one second (Sleeping) mode. After completing the special mode is for checking the postage meter only still a limited number of zero-frankings possible.
  • An authorized operator of the postage meter preferably the service technician, leads to the page entry in the special mode negative remote value default one predetermined operator action, which except the Service technician only known the data center is.
  • a special flag is set, which as special transaction request.
  • a monitoring by the control unit of the franking machine while executing a transaction in the Special mode ensures that when left unfinished Transaction the transactions in special mode negative Remote value specification to be carried out to the end. at completed transaction in special mode becomes the special flag reset.
  • a time monitoring is also carried out by the Data center when a transaction in special mode negative remote value default is made.
  • the Register data of the franking machine are central verifiable when reconnecting to the Carrying out a remote value specification takes place, for example to recharge a credit. Either takes if the transaction remained unfinished, the franking machine automatically reconnect to the Transaction completion or authorized Service technician hands over the data center by End of day a message about the current state the franking machine for the purpose of canceling the im Special mode negative remote mode transmitted data. Otherwise, the time monitoring results from the Data center after expiration of the predetermined period of time, a recognition of the negative mode in special mode Remote value specification transmitted data.
  • the security is through a check of the operation for conformity with a predetermined operation in the franking machine and by checking the default request in the data center to match with a stored there Code for a predetermined default elevated. It is possible to control the operation time-dependent to change, being in the data center and in the Postage meter the same calculation algorithm is used to a current operation determine. A transmission of a valid operating procedure from the data center to the franking machine becomes superfluous.
  • the security is through a combination of a number of measures increased.
  • a first transaction is a distinct one Log in to the data center. This transmits in Reaction to this a new security flag X and / or a predetermined operation for a page entry in the special mode negative remote value default to Postage meter, when the meter is turned on normally was and the communication link receives, wherein in a first transaction a predetermined Default request in the data center and in the postage meter was stored. In the data center a check is made as to whether the transmitted default request corresponds to a predetermined default request.
  • the registered transaction is performed and according to the default request a default value in the corresponding memory of the franking machine and in order to verify the transaction also in one corresponding memory of the data center added.
  • the second transaction reloads the Postage meter - according to the corresponding default value - with a negative balance, so that in the Result returns a residual value of zero.
  • the solution according to the invention furthermore assumes that the funds stored in the franking machine funds protected against unauthorized access have to.
  • the adulteration of in the franking machine stored data is so difficult that the effort for a manipulator is no longer worthwhile.
  • OTP processors ONE TIME PROGRAMMABLE
  • All security relevant program parts in the Inside the processor housing in addition to the Code for forming the message authentication code (MAC).
  • MAC message authentication code
  • the latter is an encrypted checksum, which is attached to an information.
  • a crypto-algorithm is for example Data Encryption Standard (DES) suitable. This allows for MAC information the relevant security and special flags or on attach the register data and thus the difficulty the manipulation of the aforementioned flags or Increase postregisters maximally.
  • DES Data Encryption Standard
  • the method for improving the safety of a Postage meter which is used for communication with a remote data center is capable and a microprocessor in a control device of the franking machine Also includes forming a Checksum in the OTP processor about the contents of the external Program memory and comparison of the result with a predetermined value stored in the OTP processor before and / or after expiry of the franking mode or operating mode, especially during initialization (i.e., when the postage meter machine is started), or in times not printed (i.e., when the postage meter is operated in standby mode). In the event of an error then a logging and subsequent blocking of the franking machine.
  • the security is through an additional input safety agent increases, which brought into contact with the franking machine is to have a remaining balance from an authorized one Transfer person back to the data center.
  • FIG. 1 shows a block diagram of each Postage meter according to the invention with a printer module 1 for a fully electronically generated franking picture, with at least one multiple actuators having input means 2, a display unit 3, and one communicating with a data center producing MODEM 23, which via an input / output control module 4 coupled to a control device 6 are and with a non-volatile memory 5 and 11, respectively for the variable or the constant parts of the Franking.
  • a character memory 9 provides the necessary print data for a volatile working memory 7.
  • the control device 6 has a microprocessor ⁇ P, the with the input / output control module 4, with the character memory 9, with the volatile memory 7 and with the non-volatile working memory 5, with a Cost center memory 10, with a program memory 11, with the engine of a transport or feed device if necessary with strip release 12, an encoder (Coding disc) 13 and with a clock / date module 8 communicates.
  • the individual memories can be in several physically separated or in not shown way summarized in a few blocks be realized, which by at least one additional measure, such as sticking on the Printed circuit board, sealing or casting with epoxy resin, secured against removal.
  • FIG. 2 shows a flowchart for a franking machine with a security system according to a preferred Variant of the solution according to the invention shown.
  • Start 100 After switching on the postage meter in step Start 100 will then be within a startup routine 101 a functional test followed by Initialization made.
  • This step also includes several - in the figure 7 shown in detail - sub-steps 102 to 105 for Storage of a security flag or codeword.
  • step 103 if in step 102, a new security flag X'in another predetermined Memory E of the nonvolatile memory 5 exists, this new security flag X 'in the Memory space of the old security flag X copied, if there is no valid security flag X anymore stored exists.
  • the latter applies equally the case of an authorized as well as unauthorized Intervention, because with each intervention the old Security flag X is deleted.
  • the security flag X be deleted (kill mode).
  • If not valid Security flag X is more present, can be stored in the Franking mode 400 no postage value can be printed anymore. In case of non-intervention, no new code word is transmitted Service. In this case will not be copied and after Step 104 remains the old security flag X in Memory received.
  • the System routine 200 reached.
  • the system routine 200 comprises a plurality of steps 201 to 220 of the security system.
  • step 201 the Calling up current data, what's below with the invention for a second mode, namely for the sleeping mode is executed.
  • step 202 checks whether the Criteria for entering the sleeping mode met are. If this is the case, a branch is made to step 203, by at least one warning by means of the display unit 3 display. After the o.g. Steps will definitely work the point t reached.
  • the aforementioned security flag X Upon detection of a prohibited page decline (Step 217), the aforementioned security flag X becomes deleted. It may be the security flag X also a MAC secured security flag, as well as an encrypted code.
  • the verification for example, validity of the security flag X becomes in step 409 of a franking mode 400 by means of a selected checksum method within a OTP processor (ONE TIME PROGRAMMABLE) performed, internally the corresponding program parts and also the code for forming a MAC (MESSAGE AUTHENTIFICATION CODE) contains, which is why the Manipulator the type of checksum method not can understand.
  • step 217 Upon examination in step 217, wherein a relevant defect detected and the safety flag X was deleted in step 209, the point e, i. the beginning of a communication mode 300 is reached and in a - shown in Figures 2 and 3a - Step 301 queried if a transaction request is present. If that is not the case, the Leave communication mode 300 and point f, i. the operating mode reaches 290. Were relevant data transmitted in communication mode, then is to Data branching to step 213 branch. Or otherwise, if in step 211 the non-transmission is determined, is the step 212 to branch. Now it is checked if appropriate Entries have been made to test request 212 in the test mode 216, otherwise at intended register check 214 in a Display mode 215 to arrive. Is not that the case, automatically the point d, i. the franking mode 400 reached.
  • Step 213 becomes Statistics and error evaluation achieved.
  • the display mode 215 is reached and then branched back to the system routine.
  • the lock can thus advantageously done by the branching no longer run on the franking mode 400 becomes.
  • Step 213 performed a statistics and error evaluation will be to gain more current data, which after branching to the system routine 200 in Step 201 are also invoked, for example for an aforementioned second mode or another Special fashion.
  • step 217 recognizes that no Prohibited page entry. On allowed page entry, that for another input has been performed is not closer in Figure 2 been presented. However, such a removal criterion is also provided, for example, in Step 212 to recognize if an operator action was made to enter a test mode. At the allowed side entry, which is not the right one Side entry for the special mode of a negative Defaults for the purpose of fund repatriation from the Franking machine to the data center is, becomes the point e system routine 200 branches. Otherwise it will at the correct page entry to step 220 branches to a special flag for entry into the To set special mode.
  • Step 219 possibly another query step 219 before Step 220 provided with a further criterion the security against unauthorized call of the Special mode continues to increase, failing to comply of the criterion to the point e of the system routine 200 is branched.
  • Query step 219 shown such another Check criterion whether the identification number (ID no. or PIN). Through the side entrance is the security already high enough, so for the sake of easier operation such additional additional queries queries also can be waived.
  • query step 219 such query another criterion, if at least n times the same predetermined default request made and a corresponding default value added to the credit balance was is also optional and therefore dashed lines drawn in the figure 2. It can do this are a NULL default request to the Transmission of a NULL default value leads to and Residual value can be added without affecting the height stored credit is changed.
  • step 220 special flag N for the special mode also a MAC-secured Flag N is.
  • the security is additionally checked by a review in the data center increases, whether a predetermined Default request transmitted from the franking machine has been. It is envisaged that the transmitted Default request in the data center evaluated as a code will do a very specific transaction. The transmitted default request can be in the data center be considered a code to fund redemption to allow. Otherwise, the transmitted Default request in the data center as code be evaluated, a transmission for a security flag X or for an X codeword to allow.
  • FIGS. 3 a and 3 b show a representation of FIG Safety procedures of the communication mode Franking machine on the one hand and the safety procedures the data center in communication mode on the other hand.
  • the user selects the communication or remote value default mode the franking machine via the input of Identification number (eight-digit postage code number) on. It is now assumed, for example, it should be the Fund reverse transfer equal to that in the franking machine Remaining residual value.
  • Identification number epi-digit postage code number
  • R1 the register query of the Descending-register takes place R1 which contains the residual value stored.
  • R1 contains the residual value stored.
  • After switching off the postage meter is at Restart a page entry into the special mode performed.
  • After entering the identification number will input with the teleset button confirmed and the default request in the amount of the previous entered residual value. Through the side entrance the default is automatically considered as too subtracting default value.
  • the default wish is activated by pressing the Teleset button (T button) approved.
  • step 302 an input of the identification number (ID No.) and the intended input parameter done in the following way.
  • ID no. it can about the serial number of the postage meter, about a PIN or PAN (postage code) act by pressing by means of a predetermined T-key of the input means 2 is acknowledged.
  • PIN or PAN postage code
  • the display unit 3 appears at the last remote value specification (recharge) used input parameter (default value), which now by overwrite the input of the desired input parameter or maintained.
  • the input parameter it is a combination of numbers, which in the data center is understood as an invitation, For example, a new security flag or code word X 'to transmit, if previously an intervention authority has been obtained. In case of incorrect entry of the aforementioned Input parameters can be displayed by pressing a C key.
  • the desired input parameter is displayed correctly, this is done by re-pressing the predetermined T-key the input means 2 confirmed. In the display unit 3 then a representation appears accordingly an input parameter change or according to the Non-change (old default value).
  • the postage meter checks to see if a MODEM is connected and is ready. Is not that the Case, branching is made to step 310 to indicate that the transaction request will be repeated got to. Otherwise, the franking machine reads the election parameters, consisting of the selection parameters (Main / extension, etc.) and the telephone number the NVRAM memory area F and sends them with a Dial request command to the modem 23. Then the connection establishment required for the communication takes place via the MODEM 23 with the data center in a step 304.
  • Step 501 is constantly checking to see if there is a call in the Data center is done. Is that the case, and that MODEM 23 has dialed the far side, takes place in Step 502 parallel the connection establishment also in the Data center. And in step 503 is constantly monitored whether the connection to the data center is solved has been. If this is the case, an error message occurs in step 513, branch back to the step Five hundred and first
  • step 305 monitors for communication errors and optionally branched back to step 304 to on the part of the franking machine the connection again build.
  • Step 307 branches to an opening message or to identification, preload or register data to send.
  • step 308 the same check as performed in step 305, i.e. when a communication error occurs branched back to step 304. Otherwise it was an opening message from the franking machine sent the data center.
  • the Postage code for the notice of the caller, i.e. the postage meter, at the data center included.
  • Step 504 This opening message will be in the data center in Step 504 checked for plausibility and continue evaluated by then in step 505 again It checks whether the data is transmitted without errors have been. If this is not the case, a Return branch to the error message at step 513.
  • the data is error-free and in the data center it is recognized that the franking machine a Has asked for reimbursement, then in step 506 a reply message to the franking machine as a header Posted.
  • step 507 it is checked whether in Step 506 includes the preamble message Header end has been sent. Is not that If so, then branch back to step 513.
  • step 309 it is checked in step 309 whether from the data center meanwhile a header as Reply message was sent or received. is If not, it will be displayed on the step 310 branches back and then again Transaction request queried in step 301.
  • Has been received a header and has the postage meter receive an OK message in step 311 a Verification of the preload parameters with regard to a Telephone number change. If an encrypted parameter has been transmitted, there is no telephone number change and it is on the step 313 in the Figure 3b branches.
  • step 313 from the postage meter to the Data center sent a start message encrypted.
  • step 314 the message becomes communication error checked. Is there a communication error , it is branched back to step 304 and it another attempt is made to connect to the data center build up to the beginning message encrypted to send.
  • step 508 From the data center is this encrypted start message received when in step 506 the preamble message had been completely sent and in step 507 the header end has been transmitted.
  • step 508 checks in the data center whether this has received the start message and the data in Order are. If this is not the case, in step 509 checks if the error is recoverable. Is the Error not recoverable, is moved to step 513 branches out after receiving an error message from the Data central DZ to the franking machine FM in step 511 was transmitted. Otherwise, in step 510 performed an error handling and on the step 507 branches.
  • step 508 the reception becomes more proper Data is detected, the data center begins to perform a transaction in step 511. in the above example, at least the identification number by means of an encrypted message to Postage meter, which in step 315 the Receives transaction data.
  • step 316 the data is checked. If there is an error, branch back to step 310. Otherwise, the data center is in the Step 512 is a storage of the same ones mentioned above Data, as in the franking machine. In step 318 So in the franking machine the transaction with the Data storage completed. Subsequently, the Step 305 branches back. Should no further Transaction will be displayed to step 310 and then reached step 301.
  • step 211 checks whether data have been transmitted. If data has been transmitted, it will reached step 213. According to the input request the franking machine places the current one Default request or the new codeword Y 'or other Transaction data, for example, in memory area E the nonvolatile memory 5.
  • Step 303 Is used as an input parameter in step 302 but a other number combination entered as zero and the Input was OK (step 303), a connection is established (Step 304). And if without mistakes (Step 305) a connection is established (Step 306), an identification and preamble message sent to the data center. In this Opening message is again u.a. also the postage code PAN for identification of the franking machine included in the data center. The data center recognizes from the entered number combination, if the data is error free (step 505) that in the Franking machine, for example, a credit with a Default value should be increased.
  • step 506 is then from the data center a reply message with the elements change the phone number and current phone number unencrypted Posted.
  • the franking machine this one Message receives, in step 311 that the phone number to be changed. Now it becomes a step 312 branches to the current phone number to save. Subsequently, the step 304 branches back. Is the connection still established and a communication error is not present (305), is in Step 306 then checked if another Transaction should take place. If that is not the case, is branched via step 310 to step 301.
  • the transmission of the telephone number can also be MAC-secured respectively.
  • the franking machine After saving the current telephone number the franking machine automatically builds a new one Connection to the data center with the help of the new phone number.
  • a remote value default of the new security flag X 'or a submission of a for verification suitable encrypted message for reloading the residual value credit corresponding to one Preset-request is thus automatically, i. without one further intervention by the user of the franking machine, carried out.
  • the display will show a appropriate communication that due to the Phone number change the connection automatically is built.
  • a Communication can be a phone number storage, as also a credit recharge or fund redemption include. Without interruption of communication can so several transactions are performed.
  • a successful transaction runs as follows: The franking machine sends its ID number and one Default value for the height of the desired Reload credit if applicable together with a MAC to the Data center. This checks such transmitted Message against the MAC, then a likewise MAC-secured OK message to the franking machine too send. The OK message does not contain the default value more.
  • At least one encrypted message to the data center as well as to Postage meter transmitted is transmitted.
  • the default is only in the encrypted message of the first transaction contain.
  • Each message sent, which is security relevant Transaction data is encrypted.
  • encryption algorithm for the encrypted messages is for example the DES algorithm intended.
  • a transaction request results in the postage meter machine for a specially secured credit recharge.
  • a fuse is taken out of the processor in the cost center memory 10 present postal register also during the credit recharge by means of a time control.
  • the postage meter For example, with an emulator / debugger observed, then it is likely that the communication and Billing routines not within a predetermined Time running out. If that is the case, i. need the routines Significantly more time will be part of the DES key changed.
  • the data center this can modified key during a communication routine determine with register query and then report the postage meter as suspect as soon as Step 313 sent a start message encrypted becomes.
  • step 509 it is determined in step 509, that the error can not be corrected.
  • the data center then can not perform a transaction (step 511) because branching back to step 513. Because in the Postage meter received in step 315 no data were, the transaction was not done correctly (Step 316). Then, then, via step 310 branched back to step 301 to look for an indication to re-examine whether a transaction request continues is provided.
  • Safety begins with an authorized intervention advance, the reliability of the authorized person (Service, inspector) and the possibility of their presence to check.
  • the control of the seal and the control of the register status during an inspection the franking machine and regardless of the data in the data center then gives the verification security.
  • the control of the franked mail under Inclusion of a security impression provides a additional verification security.
  • the franking machine performs regularly and / or at Turn on the register check and can thus the Detect missing information if in the machine unauthorized intervention or if unauthorized had been served. The franking machine will then blocked. Without the invention in connection with a security flag X would the manipulator the Overcome blocking easily. That's how it works Security flag X lost and it would Manipulator too much time and effort cost, the valid MAC-secured security flag X or codeword Attempts to determine. In the meantime, that would be Franking machine long ago in the data center as Suspicious registered.
  • a suitable processor type is, for example, the TMS 370 C010 from Texas Instruments, which has a 256 bytes E 2 PROM.
  • security-relevant data keys, flags, etc.
  • the franking machine is transformed by transferring into the first mode is effective at franking with a Postage value hindered.
  • the potential manipulator of a franking machine must overcome several thresholds, which of course a certain Time required. Occurs at certain intervals no connection from the franking machine to the data center, is the postage meter already suspect. It is assumed that the one who manipulates the postage meter commits to barely getting back to the data center will report.
  • the error registers are for example with the help of a special Service EPROM readable, which replaces the Advert EPROM is plugged. If on this EPROM slot will not be accessed by the processor usually accessing the data lines through special - not shown in the figure 1 - Driver circuits prevented. The data lines, which can be reached through a sealed door can not be contacted without authorization become. Another variant is the reading of Error register data through one via an interface connected service computer.
  • the franking machine is capable of distinguishing between requested authorized and unauthorized Engaging in the franking machine by means of the control unit the franking machine in conjunction with the the data center transmitted data, with unauthorized Engaging in the postage meter this intervention is logged as an error case, but after Authorized intervention in the franking machine the original operating state by means of the aforementioned transmitted data is restored.
  • Tampering security is in one another variant for a kill mode 2 the checksum in the processor about the contents of the external program memory PSP 11 formed and the result with an im Processor stored predetermined value compared. This is preferably done in step 101 when the Franking machine is started, or in step 213, when the postage meter is operating in standby mode becomes.
  • the standby mode is reached when a predetermined time no input or print request he follows. The latter is the case if a ansich known - not shown - letter sensor no next envelope determined, which to be franked.
  • the - shown in Figure 4 - Step 405 in franking mode 400 therefore still includes one further inquiry after a time expiration or after the Number of passes through the program loop, which finally back to the input routine according to Step 401 leads. If the query criterion is met, At step 408, a standby flag is set and directly branched back to system routine 200 at point s, without the billing and printing routine in step 406 is passed. The standby flag will appear later in the Step 211 queried and after the checksum check reset in step 213 if no manipulation attempt is recognized.
  • step 211 The query criterion in step 211 is added to the Question expands whether the standby flag is set, i. whether the standby mode is reached. In this case will also branched to step 213.
  • a preferred variant consists in already described Way to clear the security flag X when a Manipulation attempt in standby mode on the aforementioned Way has been determined in step 213.
  • the specially secured special flag N can also be found in the Step 213 will be checked, especially if it is MAC-secured is by changing the flag content with the MAC content is compared.
  • the absence of the security flag X will detected in query step 409 and then on the step 213 branches.
  • the advantage of this method in Connection with the first mode is that the Manipulation attempt statistically detected in step 213 becomes.
  • FIG. 4 shows the flow chart for the franking mode according to a preferred variant.
  • the invention works assume that after switching automatically the Postal value in the value impression corresponding to the last one Input before turning off the franking machine and the date in the day stamp according to the current one Date are given, that for the impression the variable data in the fixed data for the frame and for all unchanged data embedded electronically.
  • the number strings (sTrings) used to generate the Input data with a keyboard 2 or via a connected to the input / output device 4, the Postage value calculating electronic balance 22 entered are automatically stored in memory area D of the nonvolatile random access memory 5 stored. also remain also records of sub-storage areas, for example, Bj, C, etc., received. This is assured that the last input sizes even when you turn off the Postage meter will be preserved, so that after switching automatically the postage value in the value impression accordingly the last entry before switching off the Franking machine and the date in the day stamp accordingly the current date is given. If a scale 22 is connected, the postage value is canceled taken from the memory area D. In step 404 waited until one is currently stored.
  • step 404 Upon a renewed input request in step 404 is branched back to the step 401 again. Otherwise, branching is made to step 405 to obtain the To wait for print output request. Through a letter sensor the letter to be franked is detected and to trigger a print request. Thus, can up the billing and printing routine in step 406 be branched. There is no print output request (Step 405), it goes to Step 301 (Point e) branches back.
  • Steps test request 212 register check 214
  • Input routine 401 are made.
  • Another query criterion may be in step 405 to request a standby flag in step 408 set if no after a predetermined time Print output request is present.
  • the standby flag in the communication mode 300 following step 211 are queried. This is not branched to the franking mode 400, before not the checksum check the completeness all or at least selected programs Has.
  • Step 409 the Presence of a valid safety flag X resp. a corresponding MAC-secured flag X, the Achieving a further quantity criterion and / or im Step 406 in the known manner for billing retrieved registered register data.
  • the Presence of a valid safety flag X resp. a corresponding MAC-secured flag X the Achieving a further quantity criterion and / or im Step 406 in the known manner for billing retrieved registered register data.
  • Quantity equal Zero is automatically branched to the point e to enter the Communication mode 300 to enter from the Data Center a new predetermined number S again is credited.
  • the predetermined number of pieces not yet consumed from step 410 to the Billing and printing routine branches in step 406.
  • the number of printed letters, and the current ones Values in the postal registers are calculated according to the entered cost center in non-volatile memory 10 of the franking machine in a billing routine 406 registered and stand for a later evaluation to disposal.
  • a special Sleeping Mode counter will be during the immediately before printing Billing routine causes counting on a counting step.
  • the register values can be displayed in display mode 215 be queried. It is also envisaged that Register values with the print head of the franking machine too To print billing purposes. That can for example as well as that already in the German Laid-open patent P 42 24 955 A1 explained in more detail becomes.
  • variable pixel image data during printing embedded in the remaining pixel image data.
  • the compressed data from the main memory 5 read and with the help of the character memory 9 in a converted to binary pixel data containing print image, which also in such a decompressed form in volatile memory 7 is stored.
  • details Designs are the European applications EP 576 113 A2 and EP 578 042 A2 can be removed.
  • the pixel memory area in the pixel memory 7c is thus for the selected decompressed data of the fixed Parts of the franking image and for the selected decompressed ones Data of the variable parts of the franking picture intended.
  • the actual takes place Print routine (in step 406).
  • the memory 7b and the pixel memory 7c with the printer module 1 via a a print register (DR) 15 and an output logic having printer controller 14 in conjunction.
  • the Pixel memory 7c is the output side to a first Input of the printer controller 14 connected to the further control inputs output signals of the microprocessor control device 6 abut. Are all columns a printed image has been printed, is back to System routine 200 branches back.
  • a new predetermined number of pieces S ' is then transmitted and decremented as a quantity S while the franking is running.
  • the comparison piece number S ref is internally calculated from the new predetermined number of pieces S '(step 213).
  • a warning "CALL FP" can be issued before reaching the number zero. The user of the franking machine is thus requested to carry out communication with the data center in order to carry out at least one ZERO remote value specification for the subsequent accreditation of at least the number of pieces S.
  • the first transaction of communication with the Data Center DZ includes the message of a predetermined default wish.
  • To the consistency of Register statuses between the data center DZ and the Making a franking machine FM is a NULL default request suitable. Such leads during a second transaction to a NULL default value of the Descending register value can be added without the Value of the remaining balance to change.
  • the system routine 200 shown in FIG queried whether the user has a correct page entry was carried out. If that is not the case becomes Point e of the system routine 200 branches. On the The display will show a message about the opening of the Communication, if an input of the PIN and pressing the teleset key (T key) takes place. In addition will the previous default value indicated by the new default request NULL can be overridden. After the zero entry, the T key is pressed again. Now there is a transaction request and the Communication can be done.
  • the first step during a first transaction includes after entering the communication mode (positive remote value default or Teleset mode) one Sub-step 301 for checking for a posed Transaction request and further sub-steps 302 to 308 for entering the identification and other Data to establish the communication link and to communicate with unencrypted data to at least identification and transaction type data to transfer to the data center.
  • the communication mode positive remote value default or Teleset mode
  • a first step of the first Transaction sub-steps 301 to 308 of the franking machine includes to establish the connection for communication with unencrypted data and at least Identification, transaction type and other data to transfer to the data center.
  • the transaction type data (1 byte), includes the message to the data center DZ below the Teleset mode for a desired positive remote value specification with the identified To perform franking machine.
  • a second step of the first transaction comprises Sub-steps 501 to 506 in the data center, for Receiving the data and checking the identification the franking machine and for the transmission of a unencrypted o.K. Message to postage meter.
  • the second step of the first transaction also includes Sub-steps to erroneous unencrypted messages 505 via a sub-step 513 to Error message on a resting state point q in the sub-step Branch 501 in the data center until the Communication on the part of a franking machine again is recorded.
  • a third step of the first transaction involves Sub-steps 309 to 314 of the franking machine, for Formation of a first encrypted message crypto cv by means of a stored in the postage meter first key Kn and for transmission of encrypted Data center data, including at least the default, identification and postregister data.
  • this encrypted message too Data in the form of CRC data (cyclic redundancy check data).
  • CRC data cyclic redundancy check data
  • the default request, the identification, Postal register and other data, such as a Checksum (CRC data) will be in one with the DES algorithm encrypted message transmitted;
  • a fourth step of the first transaction the sub-steps 507 to 511 in the data center is to receive and decrypt the first encrypted Communication.
  • An examination on Decryptivity is by means of a in the Data center stored key performed. If successful, a calculation is made in the data center to make a second key Kn + 1, corresponding to that used by the postage meter Key. Subsequently, a second encrypted Message crypto Cv + 1 made which at least the aforementioned second key Kn + 1, the Contains identification and transaction data, where for encryption again the DES algorithm is being used. Finally, a transfer of the second encrypted message crypto Cv + 1 to Franking machine provided.
  • Sub-steps are used to determine irrecoverably incorrect encrypted messages in sub-step 509 via a sub-step 513 to Error message on a hibernation 501 in the Data center branch until the communication is resumed by a franking machine.
  • Substeps are still provided to be included in the Sub-step 509 detected erroneous encrypted Messages but with recoverable errors, up a sub-step 510 to cancel the previous one Transaction and then to the sub-step 511 in the Branch data center.
  • This sub-step is used for forming a second key Kn + 1 which belongs to Franking machine should be transmitted encrypted, for forming a second encrypted message crypto Cv + 1 and to transfer the encrypted Message about postage meter.
  • the closes fourth step of the first transaction a sub-step 512 of the data center for storing the default request from which the first sub-step 701 of the second Step of the second transaction is branched to the first key Kn as the predecessor key and the second key Kn + 1 as successor key too to save.
  • a fifth step of the first transaction is for receiving and decrypting the second encrypted message, extracting at least the identification data and the transmitted second key Kn + 1 Cv + 1 , and verifying the received encrypted ones Message based on the extracted identification data. Upon verification, the transmitted second key Kn + 1 Cv + 1 and the default request are stored in the postage meter machine. Otherwise, if not verified, the first step of the first transaction is branched back.
  • a second transaction which preferably by an additional manual Input in step 602 is triggered.
  • This time-limited entry is triggered the second transaction or leaving the second transaction in communication mode when the Input time is exceeded.
  • the T key must be pressed within 30 sec or the Entry time is exceeded and it becomes the first Step of the first transaction branched back. The Communication can now refrain as needed or be repeated.
  • a first step of the second transaction comprises sub-steps 602 to 608 of the franking machine for communication with unencrypted data to the connection build up and at least identify and Transmit transaction type data to the data center.
  • a second step of the second transaction, the sub-steps 701 to 706 of the data center is to Receiving the data and checking the identification the franking machine and for the transmission of a unencrypted o.K. Message to postage meter intended. It is further envisaged that the second Step of the second transaction sub-steps to for faulty unencrypted messages 705 via a sub-step 513 to the error message to a Hibernate state 501 in the data center until the communication from a franking machine again is recorded.
  • a third step of the second transaction comprises sub-steps 609-614 of the franking machine for formation a third encrypted message crypto cv + 2 by means of the aforementioned in the franking machine stored second key Kn + 1 and to Transmission of the third encrypted message crypto cv + 2 to the data center, comprising at least Identification and post register data, but without Data for a default value.
  • a fourth step of the second transaction the sub-steps 707 to 711 the data center for reception and for decryptification of the third encrypted Message contains crypto Cv + 2, performs their check on Decryptivity by means of one in the data center stored key through. Then there is a Forming a third key Kn + 2, which to Franking machine should be transmitted encrypted, forming a fourth encrypted message crypto Cv + 3, which at least the aforementioned third Key Kn + 2, the identification and the Contains transaction data and transferring the fourth encrypted message crypto Cv + 3 to Franking machine.
  • the fourth step of the second transaction closes Sub-steps to in case of irrecoverably faulty ones encrypted messages (sub-step 709) a sub-step 513 for the error message to a Hibernate state 501 in the data center until the communication from a franking machine again is recorded. Detected in step 709 with incorrect encrypted messages A recoverable error is made to a step 710 Cancellation of the previous transaction branches. This is then done in the data center in sub-step 711 forming a third key Kn + 2 which belongs to Postage meter machine should be transmitted encrypted. To make a fourth encrypted message crypto Cv + 3 again uses the DES algorithm. Subsequently, a transfer of the encrypted Message about postage meter.
  • the fourth step of the second transaction to store the default value a sub-step 712 of the data center, the on the first sub-step 501 of the second step of first transaction branches to the second key Kn + 1 as predecessor key Kn-1 and the third Key Kn + 2 as successor key Kn for more store first and second transactions.
  • a fifth step of the second transaction is for receiving and decrypting the fourth encrypted message, extracting at least the identification data and the transmitted third key Kn + 2 Cv + 3, and the transaction data, as well as for verification the received encrypted message based on the extracted identification data.
  • the transmitted second key Kn + 2 Cv + 3 and the default value in the meter are added in accordance with the descending register value R1 and the resulting balance stored or otherwise, if not verified, is branched back to the first step of the first transaction.
  • NULL distance preset in communication mode differs a negative distance value default in Special mode especially by special tamper-proof Flags and a time monitoring.
  • tamper-proof Flags are in particular a MAC-secured Security Flag X and a MAC-secured Special flag N.
  • the flow is two transactions for reloading with a negative credit value, i. a negative fair value default for fund redemption presented to the data center.
  • a negative Remote value specification comprises at least two transactions.
  • the first transaction of communication with the Data Center DZ includes the message of a predetermined default wish, preferably one Null-Vorgabe-Wunsches, to the consistency of the Register statuses between the data center DZ and the Franking machine FM produce.
  • the first step during a first transaction includes after a defined page entry into the Special mode negative remote value preset compared to one normal entry into the communication mode (Teleset mode) after the start of the franking machine a Sub-step 301 for checking for a posed Transaction request and further sub-steps 302 to 308 for entering the identification and other Data to establish the communication link and for communication with an unencrypted message, at least identification and transaction type data to transfer to the data center.
  • a Securing individual data in the message can again by a MAC or CRC data in the be achieved above.
  • the defined page entry is achieved by pressing a secret predetermined key combination while turning on the postage meter.
  • the control unit of the franking machine in conjunction with the data previously transmitted by the data center, and an input procedure between authorized action (service technician) and unauthorized action (intent to manipulate) may differ.
  • a special flag N is set in step 220, because if the franking machine FM is switched off, the continuation of the transactions must be ensured after the franking machine has been switched on again.
  • the special flag N is also stored non-volatile MAC-secured.
  • step 209 is initiated to prevent further franking. It is envisaged that a predetermined combination of keys for each franking machine will be stored in the data center and communicated only to the authorized person (service technician) in order to achieve a specific operation in the postage meter machine. The correct page entry causes a message on the display about opening the communication.
  • the specific criterion for the special mode negative remote value default at least the Use of the predetermined key combination for Side entry into special mode during power up the franking machine comprises.
  • Communication with the data center includes at least two transactions, which in case of error be repeated, and after interruption the communication automatically resumes and / or as long as the aforesaid Special flag N is set for the special mode, by that made an automatic transaction request is to complete the retransfer of the credit.
  • a first step of the first Transaction sub-steps 301 to 308 of the franking machine includes to establish the connection for communication with unencrypted data and at least Identification, transaction type and other data to transfer to the data center.
  • the transaction type data (1 byte), includes the message to the data center DZ below the special mode of a desired negative remote value specification with the identified To perform franking machine.
  • a second step of the first transaction comprises Sub-steps 501 to 506 in the data center, for Receiving the data and checking the identification the franking machine and for the transmission of a unencrypted o.K. message to the franking machine.
  • the second step of the first transaction also includes Sub-steps to erroneous unencrypted messages 505 via a sub-step 513 to Error message on a hibernation 501 in the Data center branch until the communication is resumed by a franking machine.
  • a third step of the first transaction involves Sub-steps 309 to 314 of the franking machine, for Formation of a first encrypted message crypto cv by means of a stored in the postage meter first key Kn and for transmission of encrypted Data center data, including at least the default, identification and postregister data.
  • this encrypted message in Form of CRC (Cyclic Redundancyy Check Data) data Communication to the data center DZ following the Special mode of a desired negative distance value specification perform.
  • Cyclic Redundancey Check is a checksum the one manipulation to the individual to the checksum processed data. This checksum can individual data or the components of all messages (Transaction type) on the part of the franking machine.
  • the default request, the identification, Postregister and the CRC data are in one with the DES algorithm encrypted message transfer. Thus, it is not necessary to data in the first Step MAC-secured or encrypted to the data center transferred to.
  • a fourth step of the first transaction, the sub-steps 507 to 511 in the data center is to receive and decrypt the first encrypted Notification or examination for decryptivity by means of one in the data center stored key, to form a second Key Kn + 1 corresponding to that of the franking machine used keys, to make a second one crypto Cv + 1 encrypted message which at least the aforementioned second key Kn + 1, the Identification and the transaction data contains and for transmitting the second encrypted message crypto Cv + 1 provided for franking machine.
  • the fourth step of the first Transaction also includes sub-steps to be irrecoverable erroneous encrypted messages 509 via a sub-step 513 for the error message to a Hibernate state 501 in the data center until the communication from a franking machine again is recorded. They are still sub-steps provided to encrypted in case of faulty Messages 509 with recoverable errors, to one Step 510 to cancel the previous transaction and then to the sub-step 511 in the Branch data center.
  • This sub-step is used for forming a second or third key Kn + 1, which transmits encrypted to the franking machine should be, to form a second encrypted Message crypto Cv + 1 and to transfer the encrypted message to postage meter.
  • a fifth step of the first transaction is for receiving and decrypting the second encrypted message, extracting at least the identification data and the transmitted second key Kn + 1 Cv + 1 , and verifying the received encrypted ones Message based on the extracted identification data. Upon verification, the transmitted second key Kn + 1 Cv + 1 and the default request are stored in the postage meter machine. Otherwise, if not verified, the first step of the first transaction is branched back.
  • a first step of the second transaction comprises Sub-steps 602 to 608 of the franking machine for Communication with unencrypted data to the Establish connection and at least identification and transaction type data to the data center transferred to.
  • a second step of the second transaction, the sub-steps 701 to 706 of the data center is to Receiving the data and checking the identification the franking machine and for the transmission of a unencrypted o.K. message to the franking machine intended. It is further envisaged that the second Step of the second transaction sub-steps to for faulty unencrypted messages 705 via a sub-step 513 to the error message to a Hibernate state 501 in the data center until the communication from a franking machine again is recorded.
  • a third step of the second transaction comprises sub-steps 609-614 of the franking machine for formation a third encrypted message crypto cv + 2 by means of the aforementioned in the franking machine stored second key Kn + 1 and to Transmission of the third encrypted message crypto cv + 2 to the data center, comprising at least Identification and post register data, but without Data for a default value.
  • a fourth step of the second transaction the sub-steps 707 to 711 the data center for reception and for decryptification of the third encrypted Message contains crypto Cv + 2, performs their check on Decryptivity by means of one in the data center stored key through. Then there is a Forming a third key Kn + 2, which to the franking machine encrypted is to be transmitted Making a fourth encrypted message crypto Cv + 3, the at least the aforementioned third key Kn + 2, the identification and the transaction data contains and transmitting the fourth encrypted Message crypto Cv + 3 to the postage meter.
  • the fourth step of the second transaction closes Sub-steps to in case of irrecoverably faulty ones encrypted messages 709 via a sub-step 513 to the error message on a sleep state 501 in the Data center branch until the communication is resumed by a franking machine.
  • Encrypted messages with recoverable errors to a step 710 to cancel the previous one Transaction branches.
  • forming a third one Key Kn + 2 which encrypts the postage meter should be transmitted.
  • a fourth encrypted Message crypto Cv + 3 will be back DES algorithm used. Subsequently, a Transferring the encrypted message to Franking machine.
  • the fourth step of the second transaction to store the default value a sub-step 712 of the data center, the on the first sub-step 501 of the second step of first transaction branches to the second key Kn + 1 as predecessor key Kn-1 and the third Key Kn + 2 as successor key Kn for more store first and second transactions.
  • a fifth step of the second transaction comprising sub-steps 615-618 of the postage meter, is for receiving and decrypting the fourth encrypted message, extracting at least the identification data and the transmitted third key Kn + 2 Cv + 3, and the transaction data, as well as for verification the received encrypted message based on the extracted identification data.
  • the aforementioned step has to identify the completed implementation in contrast to the positive remote value default on another query criterion.
  • the fourth crypto message is to be received by the franking machine FM. If the connection was uninterrupted, the reception would take place in the predetermined time t1.
  • This is to be transmitted during the penultimate Message, from the sending of the third crypto message in the processor (control unit 6) of the franking machine started a time counting.
  • the corresponding program section a Routine activated, which sets a counter, the in turn by the system clock or its multiple is decremented.
  • the fourth Crypto message from the data center the franking machine the counter is deactivated.
  • Another variant of the invention results when an incremental instead of a decremental counter is used. It must after each count clock the Comparison can be done with the number given to the monitored period corresponds.
  • Exceeding the time t1 is a sure indication for a failed transfer and causes the call a special subprogram, which is a renewed Execution of the special mode negative remote value default prepared and automatically triggered.
  • the first and second transaction will be automatic in this case repeated with key Kn + 2.
  • the transmitted second key Kn + 2 Cv + 3 and the default value in the postage meter are added according to Descendingregisterwert R1 and the resulting balance stored or otherwise in the case of non-verification or timeout is the first step of branched back to the first transaction.
  • the fifth step of the second transaction closes a sub-step (620) of the postage meter for Resetting the aforementioned special flag N or Return to the normal mode of the franking machine, whereby the aforementioned automatic transaction request is canceled again when carrying out the second transaction has been completed.
  • the present service technician secures the further one disturbance-free process until the completion of the negative Telesetting.
  • At each remote value default can be at least R1 query and statistically evaluate.
  • the data center is at the end of the day on the Validity of fund redemption as a result of Special mode negative remote value setting decided. If no incident is reported by the service technician that, for example, the negative Fernwertvorgabe not was feasible, or if by the same franking machine no request to reload a positive one Credit, the validity is assumed.
  • the negative remote value default when entering the special mode set special flag N was successful at Transaction reset.
  • the franking machine prevents all frankings with values greater than zero, because no more credit is loaded.
  • the franking machine is still zero for frankings with values and other modes are operational as long as they are do not require credit or as long as there is no postage franked and the quantity limit is not reached.
  • a trigger the Transactions in special mode causes or it is in another variant at least one manual step 302 in special mode negative remote value preset after one Page entry to enter an identification number (PIN) and to enter the predetermined default as provided for the positive distance value specification, which is queried in step 303.
  • PIN identification number
  • step 603 takes place a triggering of the second transaction and a Exit or repeat the first transaction in communication mode or in special mode, if the Input time is exceeded.
  • the T key must be pressed within 30 sec or the Entry time is exceeded.
  • a NULL default request is agreed.
  • a NULL default request is agreed.
  • a corresponding query step 219 according to such a further specific criterion for the franking machine has been dashed in FIG shown. From this is the step 220 for Setting the special flag N branched.
  • a third variant safety is increased by a combination of different measures.
  • a first communication connection between the authorized user and the data center for storing a code for registering an authorized action on the postage meter machine is established by a later-transmitted default request.
  • a turning on the postage meter for making an authorized predetermined operation can be done to enter via a page entry into a special mode negative Fernwertvorgabe.
  • a second communication connection between postage meter and the data center and input of a default request is made.
  • a distinctive log on to the data center occurs when the submitted default request matches a corresponding code.
  • the first transaction for example, a new code word or security flag and / or operating sequence is transmitted to the franking machine.
  • the security-relevant data are transmitted and their storage in the postage meter machine is completed.
  • the default value in the corresponding memory of the franking machine and for the purpose of checking the transaction is also added to the remaining balance in a corresponding memory of the data center.
  • the postage meter machine is placed in a first mode to effectively disable it for franking (franking mode 400) (step 409) as opposed to the authorized action.
  • a transmission of a valid operating procedure from the data center to the franking machine becomes superfluous if the operating sequence is changed over time.
  • the same calculation algorithm is used to determine a current operating procedure.
  • Another variant is based on the storage of the current operating procedure in the franking machine by means of a special reset E 2 PROM by the service technician.
  • the safety of an authorized person by means of an additional Input security increases, which with the Franking machine is brought into contact with a Transfer remaining credit back to the data center.
  • the data center becomes up to date produced by the register states by means of a Zero-distance value preset to be reported. Subsequently, will as input security by the service technician Reset read only memory device in a predetermined Base of the at least partially open franking machine used. After switching on or one Page entry into the program of the franking machine a check is made as to whether a read-only memory is reset (Refunds EPROM) was used. That can be beneficial in - shown in Figure 2 - step 219 to verification of another criterion.
  • step 209 may be for deletion of a flag X, which in step 409 of FIG Franking mode ( Figure 4) would be noticed and the statistics and error evaluation or registration in step 213 leads. Otherwise, the correct page entry and when Refunds EPROM is inserted, a special flag N set what happens automatically in communication mode Return the remaining balance to the data center triggers.
  • steps 218 and 219 according to Figure 2 run in their order reversed, so that only with regard to the inserted Refunds EPROM and only then after the right side entry is asked.
  • Such a sub-variant has the advantage that information about the correct page entry can also be stored in the Refunds EPROM, instead of in the franking machine. This will be the Security against tampering with manipulation further increased.
  • chip card read / write unit can the input security
  • chip card read / write unit can the input security
  • chip card can the input security
  • chip card also be realized as a chip card.
EP00250033A 1994-12-15 1995-11-21 Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit Expired - Lifetime EP0996097B1 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE4446667 1994-12-15
DE4446667A DE4446667C2 (de) 1994-12-15 1994-12-15 Verfahren zur Verbesserung der Sicherheit von Frankiermaschinen bei der Guthabenübertragung
EP95250286A EP0717379B1 (fr) 1994-12-15 1995-11-21 Procédé pour l'amélioration de la sécurité des machines à timbrer pendant le transfert du crédit

Related Parent Applications (2)

Application Number Title Priority Date Filing Date
EP95250286A Division EP0717379B1 (fr) 1994-12-15 1995-11-21 Procédé pour l'amélioration de la sécurité des machines à timbrer pendant le transfert du crédit
EP95250286.2 Division 1995-11-21

Publications (4)

Publication Number Publication Date
EP0996097A2 EP0996097A2 (fr) 2000-04-26
EP0996097A3 EP0996097A3 (fr) 2004-06-16
EP0996097A9 true EP0996097A9 (fr) 2005-06-22
EP0996097B1 EP0996097B1 (fr) 2006-05-03

Family

ID=6537174

Family Applications (3)

Application Number Title Priority Date Filing Date
EP95250286A Expired - Lifetime EP0717379B1 (fr) 1994-12-15 1995-11-21 Procédé pour l'amélioration de la sécurité des machines à timbrer pendant le transfert du crédit
EP00250032A Expired - Lifetime EP0996096B1 (fr) 1994-12-15 1995-11-21 Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit et dispositif pour la mise en oeuvre du procédé
EP00250033A Expired - Lifetime EP0996097B1 (fr) 1994-12-15 1995-11-21 Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit

Family Applications Before (2)

Application Number Title Priority Date Filing Date
EP95250286A Expired - Lifetime EP0717379B1 (fr) 1994-12-15 1995-11-21 Procédé pour l'amélioration de la sécurité des machines à timbrer pendant le transfert du crédit
EP00250032A Expired - Lifetime EP0996096B1 (fr) 1994-12-15 1995-11-21 Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit et dispositif pour la mise en oeuvre du procédé

Country Status (2)

Country Link
EP (3) EP0717379B1 (fr)
DE (4) DE4446667C2 (fr)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19731304B4 (de) 1997-07-14 2005-02-24 Francotyp-Postalia Ag & Co. Kg Verfahren zur Statistikmodusnachladung und zur statistischen Erfassung nach Statistikklassen bei der Speicherung eines Datensatzes
US6058384A (en) * 1997-12-23 2000-05-02 Pitney Bowes Inc. Method for removing funds from a postal security device
DE19818708A1 (de) * 1998-04-21 1999-11-04 Francotyp Postalia Gmbh Verfahren zum Nachladen eines Portoguthabens in eine elektronische Frankiereinrichtung

Family Cites Families (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3255439A (en) 1961-07-13 1966-06-07 Gen Res Inc Postage metering system
US4251874A (en) 1978-10-16 1981-02-17 Pitney Bowes Inc. Electronic postal meter system
GB2144081B (en) 1983-07-23 1987-10-28 Pa Consulting Services Postal franking machines
US4835697A (en) 1984-04-02 1989-05-30 Pitney Bowes Inc. Combination generator for an electronic postage meter
US4549281A (en) 1985-02-21 1985-10-22 Pitney Bowes, Inc. Electronic postage meter having keyboard entered combination for recharging
US4812965A (en) 1985-08-06 1989-03-14 Pitney Bowes Inc. Remote postage meter insepction system
CA1263752A (fr) * 1985-08-06 1989-12-05 Michael P. Taylor Dispositif de verrouillage pour compteur postal
US4812994A (en) 1985-08-06 1989-03-14 Pitney Bowes Inc. Postage meter locking system
US4760532A (en) 1985-12-26 1988-07-26 Pitney Bowes Inc. Mailing system with postage value transfer and accounting capability
US4864506A (en) * 1986-04-10 1989-09-05 Pitney Bowes Inc. Postage meter recharging system
US4811234A (en) 1986-04-10 1989-03-07 Pitney Bowes Inc. Postage meter recharging system
US4785417A (en) * 1986-04-28 1988-11-15 Pitney Bowes Inc. Electronic postage meter having an out of sequence checking arrangement
US4846506A (en) 1987-09-04 1989-07-11 U.S. Plastics Corporation Quick connect coupling
EP0388840B1 (fr) 1989-03-23 1994-11-30 Neopost Industrie Procédé d'augmentation de la sécurité d'une machine à affranchir avec revalorisation à distance
US5077660A (en) 1989-03-23 1991-12-31 F.M.E. Corporation Remote meter configuration
CH678368A5 (fr) * 1989-03-29 1991-08-30 Frama Ag
GB2233937B (en) 1989-07-13 1993-10-06 Pitney Bowes Plc A machine incorporating an accounts verification system
US5237506A (en) * 1990-02-16 1993-08-17 Ascom Autelca Ag Remote resetting postage meter
US5243654A (en) * 1991-03-18 1993-09-07 Pitney Bowes Inc. Metering system with remotely resettable time lockout
GB2256396B (en) 1991-05-29 1995-03-29 Alcatel Business Systems Method of remote diagnostics for franking machines
DE4129302A1 (de) 1991-09-03 1993-03-04 Helmut Lembens Frankiermaschine
GB2261748B (en) * 1991-11-22 1995-07-19 Pitney Bowes Inc Method of diagnosis in an electrically controlled mechanical device
US5309363A (en) * 1992-03-05 1994-05-03 Frank M. Graves Remotely rechargeable postage meter
DE4221270A1 (de) 1992-06-26 1994-01-05 Francotyp Postalia Gmbh Anordnung und Verfahren zur Klischeetextteiländerung für Frankiermaschinen
DE4224955C2 (de) 1992-07-24 1998-11-26 Francotyp Postalia Gmbh Anordnung und Verfahren für einen internen Kostenstellendruck

Similar Documents

Publication Publication Date Title
EP0969422B1 (fr) Procédé pour l'amélioration de la sécurité des machines à affranchir
EP0762337A2 (fr) Procédé et dispositif pour augmenter la protection contre la manipulation de données critiques
CH675496A5 (fr)
DE3626580A1 (de) Fernfrankiermaschinen-inspektionssystem
US6587843B1 (en) Method for improving the security of postage meter machines in the transfer of credit
EP1035517B1 (fr) Procédé de protection d'un module de sécurité et ensemble pour mettre en oeuvre ledit procédé
EP1035516B1 (fr) Système pour un module de sécurité
DE19534528A1 (de) Verfahren zur Veränderung der in Speicherzellen geladenen Daten einer elektronischen Frankiermaschine
EP1103924B1 (fr) Procédé de protection d'un dispositif contre son fonctionnement avec des articles de consommation non autorisés et dispositif pour la mise en oeuvre du procédé
EP0892368A2 (fr) Procédé pour le téléchargement de données statistiques et de recensement en ensembles statistiques lors du chargement des données
EP1035518B1 (fr) Ensemble de protection d'un module de sécurité
DE19534530A1 (de) Verfahren zur Absicherung von Daten und Programmcode einer elektronischen Frankiermaschine
EP1063619B1 (fr) Module de sécurité et procédé pour protection du registre postal contre la manipulation
DE10305730B4 (de) Verfahren zum Überprüfen der Gültigkeit von digitalen Freimachungsvermerken
EP0969420B1 (fr) Procédé pour sécuriser la transmission de données de service à un terminal et dispositif pour la mise en oeuvre de ce procédé
EP0717379B1 (fr) Procédé pour l'amélioration de la sécurité des machines à timbrer pendant le transfert du crédit
EP1619630A2 (fr) Procédé et dispositif pour rembourser des frais d'affranchissement
EP0996097A9 (fr) Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit
DE60015907T2 (de) Verfahren und Vorrichtung zur Erzeugung von Nachrichten welche eine prüfbare Behauptung enthalten dass eine Veränderliche sich innerhalb bestimmter Grenzwerte befindet
EP1061479A2 (fr) Dispositif et procédé pour générer un motif destiné à la sécurité
DE19534527C2 (de) Verfahren zur Erhöhung der Manipulationssicherheit von kritischen Daten
DE19534529C2 (de) Verfahren zur Erhöhung der Manipulationssicherheit von kritischen Daten
DE69534129T2 (de) Frankiermaschine und Frankiermaschinensystem
DE69926222T2 (de) Betrugssichere frankiermaschinenvorrichtung mit langer nutzungsdauer der batterie

Legal Events

Date Code Title Description
AC Divisional application (art. 76) of:

Ref document number: 717379

Country of ref document: EP

Format of ref document f/p: P

AK Designated contracting states:

Kind code of ref document: A2

Designated state(s): AT BE CH DE DK ES FR GB GR IE IT LI LU MC NL PT SE

AX Extension of the european patent to

Free format text: LT;LV;SI

RAP1 Transfer of rights of an ep application

Owner name: FRANCOTYP-POSTALIA AG & CO. KG

AK Designated contracting states:

Kind code of ref document: A3

Designated state(s): AT BE CH DE DK ES FR GB GR IE IT LI LU MC NL PT SE

AX Extension of the european patent to

Countries concerned: LTLVSI

17P Request for examination filed

Effective date: 20040630

AKX Payment of designation fees

Designated state(s): CH DE FR GB IT LI

17Q First examination report

Effective date: 20050222

RAP1 Transfer of rights of an ep application

Owner name: FRANCOTYP-POSTALIA GMBH

AC Divisional application (art. 76) of:

Ref document number: 0717379

Country of ref document: EP

Kind code of ref document: P

AK Designated contracting states:

Kind code of ref document: B1

Designated state(s): CH DE FR GB IT LI

PG25 Lapsed in a contracting state announced via postgrant inform. from nat. office to epo

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20060503

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

Free format text: NOT ENGLISH

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: CH

Ref legal event code: NV

Representative=s name: ROTTMANN, ZIMMERMANN + PARTNER AG

REF Corresponds to:

Ref document number: 59511045

Country of ref document: DE

Date of ref document: 20060608

Kind code of ref document: P

PGFP Postgrant: annual fees paid to national office

Ref country code: DE

Payment date: 20060912

Year of fee payment: 12

GBT Gb: translation of ep patent filed (gb section 77(6)(a)/1977)

Effective date: 20060817

PGFP Postgrant: annual fees paid to national office

Ref country code: FR

Payment date: 20060913

Year of fee payment: 12

PGFP Postgrant: annual fees paid to national office

Ref country code: CH

Payment date: 20061031

Year of fee payment: 12

PGFP Postgrant: annual fees paid to national office

Ref country code: GB

Payment date: 20061109

Year of fee payment: 12

ET Fr: translation filed
PGFP Postgrant: annual fees paid to national office

Ref country code: IT

Payment date: 20061130

Year of fee payment: 12

26N No opposition filed

Effective date: 20070206

PGFP Postgrant: annual fees paid to national office

Ref country code: DE

Payment date: 20070920

Year of fee payment: 13

PGFP Postgrant: annual fees paid to national office

Ref country code: CH

Payment date: 20071115

Year of fee payment: 13

Ref country code: IT

Payment date: 20071126

Year of fee payment: 13

PGFP Postgrant: annual fees paid to national office

Ref country code: FR

Payment date: 20071122

Year of fee payment: 13

Ref country code: GB

Payment date: 20071120

Year of fee payment: 13

PGFP Postgrant: annual fees paid to national office

Ref country code: CH

Payment date: 20081114

Year of fee payment: 14

Ref country code: DE

Payment date: 20081007

Year of fee payment: 14

PGFP Postgrant: annual fees paid to national office

Ref country code: IT

Payment date: 20081125

Year of fee payment: 14

PGFP Postgrant: annual fees paid to national office

Ref country code: FR

Payment date: 20081113

Year of fee payment: 14

PGFP Postgrant: annual fees paid to national office

Ref country code: GB

Payment date: 20081117

Year of fee payment: 14

PGFP Postgrant: annual fees paid to national office

Ref country code: CH

Payment date: 20091124

Year of fee payment: 15

Ref country code: DE

Payment date: 20090916

Year of fee payment: 15

PGFP Postgrant: annual fees paid to national office

Ref country code: FR

Payment date: 20091201

Year of fee payment: 15

Ref country code: GB

Payment date: 20091119

Year of fee payment: 15

Ref country code: IT

Payment date: 20091121

Year of fee payment: 15

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

GBPC Gb: european patent ceased through non-payment of renewal fee

Effective date: 20101121

PG25 Lapsed in a contracting state announced via postgrant inform. from nat. office to epo

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20101130

Ref country code: LI

Effective date: 20101130

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

REG Reference to a national code

Effective date: 20110801

Ref country code: FR

Ref legal event code: ST

PG25 Lapsed in a contracting state announced via postgrant inform. from nat. office to epo

Effective date: 20110531

Ref country code: DE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

PG25 Lapsed in a contracting state announced via postgrant inform. from nat. office to epo

Effective date: 20101130

Ref country code: FR

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

PG25 Lapsed in a contracting state announced via postgrant inform. from nat. office to epo

Ref country code: GB

Effective date: 20101121

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

PG25 Lapsed in a contracting state announced via postgrant inform. from nat. office to epo

Effective date: 20101121

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Ref country code: IT