EP1063619A1 - Module de sécurité et procédé pour protection du registre postal contre la manipulation - Google Patents

Info

Publication number: EP1063619A1
Authority: EP (European Patent Office)
Application number: EP00250185A
Legal status: Granted; Expired - Lifetime (granted as EP1063619B1)
Other languages: German (de), English (en)
Other versions: EP1063619B1 (fr)
Inventor: Dirk Rosenau
Assignee (original and current): Francotyp Postalia GmbH
Prior art keywords: mac, new, data, processing unit, postal

Classifications

    • G PHYSICS > G07 CHECKING-DEVICES > G07B TICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS > G07B17/00 Franking apparatus
    • G07B17/00733 Cryptography or similar special procedures in a franking system
    • G07B17/00185 Details internally of apparatus in a franking system, e.g. franking machine at customer or apparatus at post office
    • G07B17/00193 Constructional details of apparatus in a franking system
    • G07B2017/00233 Housing, e.g. lock or hardened casing
    • G07B2017/00266 Man-machine interface on the apparatus
    • G07B2017/00298 Visual, e.g. screens and their layouts
    • G07B2017/00306 Acoustic, e.g. voice control or speech prompting
    • G07B17/00314 Communication within apparatus, personal computer [PC] system, or server, e.g. between printhead and central unit in a franking machine
    • G07B2017/00346 Power handling, e.g. power-down routine
    • G07B17/00362 Calculation or computing within apparatus, e.g. calculation of postage value
    • G07B2017/00395 Memory organization
    • G07B2017/00403 Memory zones protected from unauthorized reading or writing
    • G07B2017/00959 Cryptographic modules, e.g. a PC encryption board
    • G07B2017/00967 PSD [Postal Security Device] as defined by the USPS [US Postal Service]

Description

  • The invention relates to a security module for protecting the postal registers against manipulation, of the type specified in the preamble of claim 1, and to a method for protecting the postal registers against manipulation, of the type specified in the preamble of claim 8.
  • A postal security module is suitable in particular for use in a franking machine, in a mail-processing machine, or in a computer with mail-processing functions.
  • Modern franking machines, and other devices for franking mail, are equipped with a printer for printing the postage stamp onto the mail item, a controller for the printing and for the peripheral components of the franking machine, an accounting unit for accounting the postal charges stored in non-volatile memories, and a unit for cryptographically securing the postage data.
  • A security module (EP 789 333 A2) can contain a hardware accounting unit and/or a security unit for the printing of the postage data.
  • The former can be realized as an application-specific integrated circuit (ASIC) and the latter as an OTP (one-time programmable) processor.
  • The internal OTP-ROM stores data that must be protected against read-out (cryptographic keys), for example those needed to reload a credit.
  • Encapsulation in a security housing offers further protection.
  • MAC: message authentication code.
  • The microprocessor of the security module can also check the validity (freedom from manipulation) of the postal registers before an accounting operation.
  • To do so, the microprocessor calculates a MAC over the data in the registers and compares it with a comparison MAC previously stored for these postal registers. An accounting operation then takes place. Afterwards the microprocessor must calculate a new comparison MAC over the postal registers modified by the ASIC in order to update it. In the interval from the start of the accounting operation until the new comparison MAC is written, however, a fraudster with memory access can manipulate the postal registers without the microprocessor detecting it: the new MAC is computed over whatever the memory then contains, so it seals the manipulated values as genuine.
  • The invention is based on the object of increasing the accounting security of a security module.
  • A method is to be found which, with minimal effort, gives maximum security against manipulation of the stored data.
  • The method is to be used, for example, in franking machines, which place special security requirements on the postal register data; in particular the monetary values and accounting data must not be manipulable.
  • The object is achieved with the features of claim 1 for an arrangement and with the features of claim 8 for a method.
  • A hash function is first applied to the postal register data, and the value thus generated is transformed with a private key into a digital signature.
  • The advantage of the signature lies in the public key, which can be used without secrecy to verify the signature and thereby the postal register data. This allows recovery in the event of a defective security module, from which the register data are read out via an interface: unlike a MAC, whose verification requires the module's secret key, a signature can be checked by a party that never held the secret.
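The asymmetry the preceding paragraph relies on, as an added Python sketch that is not part of the patent or of Francotyp Postalia's implementation: the module hashes the register record and signs the hash with a private key it never exports; a recovery tool holding only the public key can then verify records read out of a defective module and reject altered ones. Textbook RSA on two Mersenne primes, a SHA-256 hash reduced modulo n, the register layout and all values are assumptions chosen for illustration; a real PSD would use a standardized, padded signature scheme.

```python
"""Added example: hash-then-sign a postal register record so that it can be
verified with a public key during recovery. Textbook RSA (no padding) on
constructed data; illustration only, not a production signature scheme."""
import hashlib
import struct

# Fixed textbook-RSA key: two Mersenne primes give a ~196-bit modulus that
# Python's built-in pow() handles directly. Constructed for this example.
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent; stays inside the module


def encode_registers(ascending: int, descending: int, pieces: int) -> bytes:
    """Fixed-width encoding of the postal register record (constructed layout)."""
    return struct.pack(">QQQ", ascending, descending, pieces)


def register_hash(record: bytes) -> int:
    """SHA-256 of the record, reduced into the RSA group (toy step; real schemes pad)."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big") % N


def sign_record(record: bytes, d: int = D, n: int = N) -> int:
    """Inside the module: signature = hash^d mod n, using the private key."""
    return pow(register_hash(record), d, n)


def verify_record(record: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Anywhere, with the public key only: signature^e mod n must equal the hash."""
    return pow(signature, e, n) == register_hash(record)


def recover_from_defective_module(dump: list) -> list:
    """Recovery: keep only register records whose signature verifies under the public key.
    `dump` is a list of (record, signature) pairs read out via the module interface."""
    return [record for record, sig in dump if verify_record(record, sig)]


def demo() -> dict:
    """Constructed read-out: one genuine record and one whose credit was inflated afterwards."""
    genuine = encode_registers(12_345, 87_655, 210)
    sig = sign_record(genuine)
    forged = encode_registers(12_345, 9_987_655, 210)
    dump = [(genuine, sig), (forged, sig)]
    return {
        "genuine_ok": verify_record(genuine, sig),
        "forged_ok": verify_record(forged, sig),
        "recovered": recover_from_defective_module(dump),
        "genuine": genuine,
    }
```

Nothing in `verify_record` or `recover_from_defective_module` touches `D`; that is the property the patent is after, since the recovery side only needs `(E, N)`. With a MAC in place of the signature, the same recovery would require handing the module's secret key to whoever performs it.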
  • A security module, for example for a franking machine, takes over the functions of accounting, in particular of postage, and/or the cryptographic securing of that accounting, as well as additional security functions.
  • The security module is distinguished by its own signaling means, which are driven directly by the module processor of the security module and indicate the current state of the security module.
  • The module processor monitors and signals the module state; it is activated only when the security module is supplied with system voltage, in order to conserve the battery.
  • The module processor monitors the hardware accounting unit, the memories and the assemblies for further functions. The priority is not system availability but the reliable detection of malfunctions or failures and an appropriate response to them, as is typical for security-sensitive processes that are not time-critical.
  • The franking machine consists of a meter 1 and a base 2.
  • The latter is equipped with a chip-card read/write unit 70, which is arranged behind the guide plate 20 and is accessible from the upper edge 22 of the housing.
  • A chip card 49 is inserted into the insertion slot 72 from top to bottom.
  • A fed letter 3, standing on its edge with its surface to be printed lying against the guide plate, is then printed with a franking stamp 31 in accordance with the input data.
  • The letter feed opening is laterally delimited by a transparent plate 21 and the guide plate 20.
  • The security module is plugged onto the motherboard of the meter of the franking machine or of another suitable device.
  • The security module is preferably housed within the meter housing, which is designed as a security housing.
  • The meter housing is advantageously constructed so that the user can still see the status display of the security module from the outside through an opening 109, the opening 109 extending to the user interface 88, 89 of the meter 1.
  • The display is driven directly by the internal module processor and therefore cannot easily be manipulated from the outside.
  • The display is constantly active in the operating state, so that applying the system voltage Us+ to the module processor of the security module is sufficient to activate the display and read off the module state.
  • FIG. 2 shows a block diagram of the postal security module PSM 100 in a preferred variant.
  • The negative pole of the battery 134 is connected to ground and to a pin P23 of the contact group 102.
  • The positive pole of the battery 134 is connected via line 193 to one input of the voltage changeover switch 180; line 191, which carries the system voltage, is connected to the other input of the voltage changeover switch 180.
  • Suitable batteries 134 are, for example, the SL-389/P for a lifetime of up to 3.5 years or the SL-386/P for a lifetime of up to 6 years at the maximum power consumption of the PSM 100. The commercially available circuit type ADM 8693ARN can be used, for example, for the voltage changeover.
  • The output of the voltage changeover switch 180 is connected via line 136 to a voltage monitoring unit 12 and to a detection unit 13.
  • The voltage monitoring unit 12 and the detection unit 13 communicate with pins 1, 2, 4 and 5 of the module processor 120 via lines 135, 164 and 137, 139.
  • The output of the voltage changeover switch 180 is also connected via line 136 to the supply input of a first memory 116, for example a static RAM, which by virtue of the battery 134 becomes a non-volatile memory NVRAM 116 of a first technology.
  • The security module is connected to the franking machine via the system bus 115, 117, 118.
  • The module processor 120 can communicate with a remote data center via the system bus and a modem 83.
  • The accounting is carried out by the application-specific circuit ASIC 150.
  • The first and a second non-volatile memory are designed to store the postal accounting data in non-volatile memories of different technologies.
  • System voltage is present at the supply input of the second non-volatile memory NVRAM 114.
  • This is a non-volatile memory of a second technology (shadow RAM).
  • This second technology preferably comprises a RAM and an EEPROM, the latter automatically taking over the data content in the event of a system power failure.
  • The NVRAM 114 of the second technology is connected to the corresponding address and data inputs of the ASIC 150 via an internal address and data bus 112, 113.
  • The ASIC 150 contains at least one hardware accounting unit for calculating the postal data to be stored.
  • An access logic for the ASIC 150 is housed in the PAL 160.
  • The ASIC 150 is controlled by the PAL 160 logic.
  • An address and control bus 117, 115 from the motherboard of the meter 1 is connected to corresponding pins of the logic PAL 160, and the PAL 160 generates at least one control signal for the ASIC 150 and one control signal 119 for the program memory FLASH 128.
  • The module processor 120 executes a program stored in the FLASH 128.
  • The module processor 120 and the other assemblies, such as FLASH 128, ASIC 150 and PAL 160, are interconnected by an internal module system bus comprising the lines 110, 111, 126 and 119 for data, address and control signals.
  • The RESET unit 130 is connected via line 131 to pin 3 of the module processor 120 and to a pin of the ASIC 150.
  • The module processor 120 and the ASIC 150 are reset when the supply voltage is applied, by a reset generated in the RESET unit 130.
  • The module processor 120 internally has a processing unit CPU 121, a real-time clock RTC 122, a RAM unit 124 and an input/output unit 125.
  • The module processor 120 of the security module 100 is connected via a module-internal data bus 126 to a FLASH 128 and to the ASIC 150.
  • The FLASH 128 serves as program memory and is supplied with the system voltage Us+. It is, for example, a 128 Kbyte FLASH memory of type AM29F010-45EC.
  • The ASIC 150 of the postal security module 100 delivers addresses 0 to 7 via the internal module address bus 110 to the corresponding address inputs of the FLASH 128.
  • The module processor 120 of the security module 100 delivers addresses 8 to 15 via an internal address bus 111 to the corresponding address inputs of the FLASH 128.
  • The ASIC 150 of the security module 100 communicates via the contact group 101 of the interface with the data bus 118, the address bus 117 and the control bus 115 of the motherboard of the meter 1.
  • The voltage changeover switch 180 passes on to line 136, for the voltage monitoring unit 12 and the memory 116, whichever of its two input voltages is the greater. Because the circuit described thus automatically feeds from the larger of the two voltages Us+ and Ub+, the battery 134 can be replaced during normal operation without data loss.
  • The real-time clock RTC 122 and the static RAM SRAM 124 are supplied with an operating voltage via line 138. This voltage is output by the voltage monitoring unit 12 and makes the SRAM 124 a non-volatile memory.
  • The module processor 120 has an internal non-volatile memory 124 in which at least one key for calculating an authorization code MAC is stored, protected against access, so that the associated authorization code MAC can be formed over a postal register set. The latter is required for checking the postal register set.
  • Outside normal operation, during idle times, the battery of the franking machine feeds in the aforementioned manner the date/time registers of the real-time clock 122 and/or the static RAM SRAM 124, which holds security-relevant data.
  • If the battery voltage falls below a certain limit during battery operation, the supply point for the real-time clock RTC and the SRAM is connected to ground. The voltage at the real-time clock RTC and the SRAM is then 0 V. As a result the SRAM 124, and with it for example important cryptographic keys, is erased very quickly.
  • The registers of the real-time clock RTC 122 are also erased, and the current time and date are lost.
  • The circuit of the voltage monitoring unit 12 is dimensioned, for example, so that any drop of the battery voltage on line 136 below the specified threshold of 2.6 V trips the circuit 12. Together with indicating the battery undervoltage, the circuit 12 enters a self-holding (latched) state, in which it remains even if the voltage subsequently rises again. It also delivers a status signal 164. The next time the module is switched on, the module processor 120 can query the state of the circuit (status signal) and/or infer from the content of the erased memory that the battery voltage has in the meantime fallen below a certain value. The module processor 120 can reset the monitoring circuit 12, i.e. re-arm it; the latter responds to a control signal on line 135.
  • Line 136 at the input of the battery monitor 12 also supplies a detection unit 13 with operating or battery voltage.
  • The state of the detection unit 13 is queried by the processor 120 via line 139, and the detection unit 13 is triggered or set by the module processor 120 via line 137.
  • A static check of the connection is carried out.
  • For this purpose, ground potential present at connection P4 of the interface of the postal security module PSM 100 is queried via a line 192; it can only be queried if the security module 100 is properly inserted.
  • The ground potential of the negative pole 104 of the battery 134 of the postal security module PSM 100 lies on connection P23 of the interface and is thus present at connection P4 of the interface, where it can be queried via line 192 by the detection unit 13.
  • Lines are connected to pins 6 and 7 of the module processor 120 which form a conductor loop 18 only when the security module 100 is inserted, for example into the motherboard of the meter 1.
  • The module processor 120 changes the signal levels on pins 6, 7 at irregular intervals and reads them back over the loop.
  • The module processor 120 is equipped with the input/output unit 125, whose connections pins 8, 9 serve to output at least one signal for signaling the state of the security module 100.
  • Pins 8 and 9 are I/O ports of the input/output unit 125, to which internal signaling means are connected, for example colored light-emitting diodes LEDs 107, 108. With the security module 100 plugged onto the motherboard of the meter 1, these signal the module state through an opening 109 in the meter housing.
  • The security module can assume various states during its life cycle. For example, it can be detected whether the security module contains valid cryptographic keys. It is also important to distinguish whether the security module is working or defective. The exact type and number of module states depends on the functions realized in the security module and on the implementation.
  • FIG. 3 shows the mechanical structure of the security module in side view.
  • The security module is designed as a multi-chip module, i.e. several functional units are interconnected on a printed circuit board 106.
  • The security module 100 is potted with a hard potting compound 105; the battery 134 of the security module 100 is arranged replaceably on the printed circuit board 106, outside the potting compound 105.
  • It is potted with the potting compound 105 in such a way that the signaling means 107, 108 protrude from the potting compound at a first location and the printed circuit board 106 with the inserted battery 134 protrudes laterally at a second location.
  • The printed circuit board 106 also has battery contact terminals 103 and 104 for connecting the poles of the battery 134, preferably on the component side above the printed circuit board 106. To connect the postal security module PSM 100 to the motherboard of the meter 1, the contact groups 101 and 102 are provided below the printed circuit board 106 (conductor track side) of the security module 100.
  • The ASIC 150 communicates via the first contact group 101, in a manner not shown, with the system bus of a control device 1, and the second contact group 102 serves to supply the security module 100 with the system voltage.
  • When the security module is plugged onto the motherboard, it is preferably arranged within the meter housing so that the signaling means 107, 108 are close to an opening 109 or protrude into it.
  • The meter housing is thus advantageously constructed so that the user can still see the status of the security module from the outside.
  • The two LEDs 107 and 108 of the signaling means are driven via two output signals of the I/O ports on pins 8, 9 of the module processor 120. Both LEDs are housed in a common component housing (bicolor LED), which is why the dimensions or diameter of the opening can remain relatively small, of the order of magnitude of the signaling means. In principle three different colors can be displayed (red, green, orange), depending on whether the LEDs are driven individually or simultaneously. To differentiate between states, the LEDs can also be driven to blink individually or together, or alternately, so that nine different states can be distinguished in which at least one of the two LEDs is active.
  • FIG. 4 is a top view of the postal security module.
  • The potting compound 105 surrounds a first part of the printed circuit board 106 in a cuboid shape, while a second part of the printed circuit board 106, for the replaceable battery 134, remains free of potting compound.
  • The battery contact terminals 103 and 104 are here covered by the battery.
  • The first data processing unit is preferably a module processor 120, and the second data processing unit 150 is an application-specific circuit (ASIC) with a hardware processing unit.
  • The module processor is programmed to check the validity of the postal register data and to carry out a static or dynamic self-test. During the validity check, an associated authorization code (MAC) is formed over the postal register data stored in the previous accounting and is compared with the authorization code stored in the non-volatile memory 114, 116. If they match, the validity of the previous accounting is signaled and the second data processing unit 150 is authorized to carry out a further accounting. If they do not match, this is signaled.
  • The term authorization code, as used here, denotes the MAC over a postal register set.
  • The module processor 120 of the security module 100 is programmed to monitor and signal the module state of the security module 100, an optical or acoustic signaling means 107, 108 being connected to the module processor 120 to signal the module state.
  • The signaling means are preferably light-emitting diodes (LEDs), which are driven differently in order to differentiate between the states. According to a self-explanatory table for state signaling shown in FIG. 5, a large number of possible state displays is available. A green light-emitting diode LED 107 signals an OK state 220, whereas a red light-emitting diode LED 108 signals an error state 230 as the result of an at least static self-test.
  • A further state 250 indicates that the long-time watchdog timer has expired because the data center has not been contacted for a long time, for example to reload a credit. State 250 is also reached when the security module has been disconnected from the meter. Further state displays for the states 270, 280, 290 are optionally provided for various other tests.
  • FIG. 6 shows a representation of the tests in the system for static and dynamically changeable states.
  • From a switched-off system in state 200, the transition Start 201 leads, after switching on, to state 210, in which the security module carries out a static self-test as soon as the operating voltage is present.
  • If the self-test result is OK, state 220 is entered and the LED lights up green. Starting from this state, a repeated static self-test and a dynamic self-test can be carried out as required.
  • Such a transition 203 or 206 leads either back to state 220 (LED green, OK) or to state 240 (LED orange, error).
  • The security module 100 shown in FIG. 2 is equipped with a program memory 128, which holds a program for protecting the postal registers against manipulation, and with a first and a second data processing unit 120, 150, which are connected to non-volatile memories 114, 116 and to further interconnected functional units 12, 13, 130, 160 and 180; all the aforementioned functional units are covered with a potting compound 105, except for the battery 134 (FIGS. 3 and 4).
  • The first data processing unit 120 is the module processor.
  • The latter is programmed to carry out at least one authorization routine for the postal register data, in which authorization in connection with the associated authorization code MAC in the non-volatile memory 114, 116 signals a module state that permits a further accounting to be carried out, and an optical or acoustic signaling means 107, 108 is connected to the module processor.
  • The first data processing unit 120 can be programmed to carry out additional security routines in conjunction with the further interconnected functional units 12, 13.
  • The signaling means 107, 108 is driven so as to differentiate the states. A separate security housing arranged closely around the potting compound 105 can be dispensed with if the meter already has a security housing, i.e. the surrounding security housing is part of a meter 1.
  • The signaling means 107, 108 protrudes through the potting compound 105 in that region of the security module 100 where the surrounding meter housing has an opening 109 for signaling the module state, which extends to the user interface 88, 89 of the meter 1.
  • The dimensions or the diameter of the opening are of the order of magnitude of the signaling means, which is implemented, for example, as a display unit.
  • A display unit can comprise one or more single- or multi-colored light-emitting diodes (LEDs). To differentiate between states, the latter can also be driven to blink. If the LEDs 107, 108 are activated simultaneously to differentiate between states, the emitted visible light has a combined color (for example orange), which signals an error as the result of the authorization routine or of the dynamic self-test.
  • The memories NVRAM 114 and SRAM 116 shown in FIG. 2 are referred to below, for simplicity, as NVRAM_A.
  • In NVRAM_A, for example, the ascending register, the descending register, the piece count and other data are available at time t_i, to be used for future accounting.
  • P'_ti denotes a postal register set.
  • The prime after the letter P means that this postal register set was calculated by the ASIC 150.
  • Each postal register set is additionally secured with a code MAC, which was calculated by the module processor 120 and is also stored in NVRAM_A.
  • The battery-backed static RAM 124 of the OTP processor (module processor 120) shown in FIG. 2 is referred to below as NVRAM_P, because data stored non-volatilely inside the OTP cannot be read out from outside.
  • A voltage Ub+, supplied by the battery 134 via the changeover switch 180 and via the voltage monitoring unit 12, is constantly available on line 138 and supplies the OTP-internal RAM 124, which can thereby hold data non-volatilely.
  • A postage value that has already been entered thus remains stored until it is overwritten. Therefore a postage value p_ti is available at time t_i in NVRAM_A or NVRAM_P for future accounting.
  • FIG. 7 shows a representation of the processes during accounting on the basis of a time line.
  • The entry of a new postage value, or the placing of a letter against the guide plate, forms the starting point t_0 for a number of processes.
  • Alternatively, an already entered postage value continues to be used as the new postage value.
  • The old MAC is fetched by the module processor 120 from NVRAM_A and stored in NVRAM_P as MAC(P_t0), defined at time t_0.
  • The register data P'_t0 are processed into a MAC; the result is available at the latest at time t_1 and is likewise buffered in NVRAM_P.
  • The MAC(P'_t0) present at time t_1 is compared with MAC(P_t0). If they match, there is no error, and the module processor 120 waits for the end of the input at time t_2.
  • The module processor 120 then triggers a pre-calculation of a new postal register set P_t2 and the formation of a new MAC over it, whose value is stored. This process is completed at time t_3, and only now does the ASIC 150 carry out the known accounting and the formation of a new postal register record. Because the MAC over the expected new register set is already fixed before the ASIC writes, the window of the prior art, in which the MAC would be taken from the register content after it has been modified, no longer exists.
  • The microprocessor CPU 121 is programmed by a corresponding program stored in the FLASH 128 to carry out the aforementioned self-tests. After the start 299, a power-on self-test is carried out in a first step 300, and in step 301 it is queried whether the power-on self-test returned OK. If so, in step 302 the green LED 107 is driven to light by the microprocessor CPU 121 via an I/O port 125. Otherwise, in step 303 the red LED 108 is driven to light by the microprocessor CPU 121 via an I/O port 125.
  • Step 302 branches to query 304, in which it is checked whether a further static check is required. If so, the method branches back to step 300. Otherwise, a branch is made to query 305, in which it is checked whether the placing of a letter is detected by a letter sensor or whether the entry of a new postage value is recognized by the module processor 120. If neither is the case, a branch is made back to step 302, so that a waiting loop is run through until a letter placement or a new entry has been detected. In the latter case, a branch is made to step 306 in order to complete the data entry.
  • A step 307 for MAC calculation is started on the basis of the postal register data P'_t0 available at time t_0.
  • A MAC(P_t0) formed earlier by the OTP is valid at time t_0.
  • The MAC calculation is completed at time t_1.
  • In step 308 the calculated MAC(P'_t0) is compared at time t_1 with the old MAC(P_t0) valid at time t_0 (already formed earlier by the OTP). If they do not match, a branch is made to step 315 in order to drive the LEDs 107, 108 with an orange light. Otherwise, a branch is made to steps 309, 310.
  • The new postal register set P_t2 is calculated in advance and a MAC is then formed over it, optionally with storage of MAC(P_t2) in NVRAM_P.
  • The other data processing unit, namely a hardware processing unit (not shown) in the ASIC 150, calculates the new postal register record in step 312.
  • The results P'_t3 and MAC(P_t2) are then stored in NVRAM_A.
  • Step 314, providing print data for franking, can optionally include a sub-step (not shown) for transmitting a generated security code.
  • A formation procedure basically comparable to the MAC formation is used for this, but the data authorization code DAC is formed over other data and is generated at a different time t_(i+1), counted from the end of data input: DAC(P_t(i+1), other data).
  • The module processor 120 cooperates with a control processor (not shown) of the meter, which receives the security code, compiles the print data and transmits them to the print head.
  • In step 309 both the green LED 107 and the red LED 108 are driven to light by the microprocessor CPU 121 via an I/O port 125. This gives the overall impression that the LEDs glow orange.
  • A new postal register set P_ti can equally be calculated in advance by the module processor 120, taking into account a stored postage value p_t that has already been entered.
  • A new postage value p_t(i+2) is entered by the time t_(i+2).
  • The freedom from manipulation of P'_t(i+1) can be checked again by calculating MAC(P'_t(i+1)) and comparing it with the old value MAC(P_ti) stored in NVRAM_A.
  • Generation of an additional security code MAC(P_t(i+1), other data) can optionally also be started.
  • The module processor again calculates the MAC.
  • The module processor calculates a new authorization code at time t_(i+3):
  • The associated authorization code MAC_new, formed over the pre-calculated new postal register set, is stored after its generation in a region of the non-volatile memory 114, 116 (NVRAM_A, for the postal register data).
  • The associated authorization code MAC_new, formed over the pre-calculated new postal register set, can also be stored after its generation in a region of the internal non-volatile memory 124 (NVRAM_P) of the first data processing unit 120.
  • the security module is for use in postal Devices determined, especially for use in a franking machine.
  • the security module can also have a different design, which allows it to be, for example, on the motherboard of a Personal computer can be plugged in as a PC franking machine controls conventional printer.
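The check-and-precompute cycle described in the list above, as an added example that is not code from the patent or from Francotyp Postalia: a Python model of a security module that keeps the postal register set and its MAC in the external NVRAM_A and a second copy of the MAC in the internal NVRAM_P, so that a record altered or replayed in NVRAM_A no longer verifies. HMAC-SHA256, the register encoding, the field names and the tamper scenarios are assumptions; the page does not name the MAC algorithm.

```python
import hmac
import hashlib
import struct

# Assumption: HMAC-SHA256 stands in for the MAC; the page does not name the algorithm.
def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

# Assumed encoding of a postal register set P_t: descending register (credit left),
# ascending register (postage spent) and piece counter, each as a big-endian uint64.
def encode_register(descending: int, ascending: int, pieces: int) -> bytes:
    return struct.pack(">QQQ", descending, ascending, pieces)

class SecurityModule:
    def __init__(self, key: bytes, initial: tuple):
        self.key = key
        p = encode_register(*initial)
        m = mac(key, p)
        self.nvram_a = {"P": p, "MAC": m}   # external NVRAM_A: register set + MAC
        self.nvram_p = {"MAC": m}           # internal NVRAM_P: module-private MAC copy
        self.leds = "green"

    def registers(self) -> tuple:
        return struct.unpack(">QQQ", self.nvram_a["P"])

    def check(self) -> bool:
        # Recompute MAC(P'_t) over the record read back from NVRAM_A and compare it with
        # the MAC kept in NVRAM_P; a mismatch is signalled by lighting both LEDs (orange).
        ok = hmac.compare_digest(mac(self.key, self.nvram_a["P"]), self.nvram_p["MAC"])
        self.leds = "green" if ok else "orange"
        return ok

    def frank(self, postage: int):
        """One franking cycle: check, then precompute the next register set and its MAC.
        Returns the security code for the imprint, or None if the check fails."""
        if not self.check():
            return None
        d, a, n = self.registers()
        if postage > d:
            return None                      # not enough credit in the descending register
        new_p = encode_register(d - postage, a + postage, n + 1)   # precomputed P_t(i+1)
        new_mac = mac(self.key, new_p)                            # MAC_new
        self.nvram_p["MAC"] = new_mac                             # stored first in NVRAM_P
        self.nvram_a["P"], self.nvram_a["MAC"] = new_p, new_mac   # then in NVRAM_A
        # Security code DAC over the new register set plus other data (here: the postage).
        return mac(self.key, new_p + struct.pack(">Q", postage))[:8]
```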

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Devices For Checking Fares Or Tickets At Control Points (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE19928057A DE19928057B4 (de) 1999-06-15 1999-06-15 Sicherheitsmodul und Verfahren zur Sicherung der Postregister vor Manipulation
DE19928057 1999-06-15

Publications (2)

Publication Number Publication Date
EP1063619A1 true EP1063619A1 (fr) 2000-12-27
EP1063619B1 EP1063619B1 (fr) 2007-02-07

Family

ID=7911798

Family Applications (1)

Application Number Title Priority Date Filing Date
EP00250185A Expired - Lifetime EP1063619B1 (fr) 1999-06-15 2000-06-09 Module de sécurité et procédé pour protection du registre postal contre la manipulation

Country Status (3)

Country Link
US (1) US6362724B1 (fr)
EP (1) EP1063619B1 (fr)
DE (2) DE19928057B4 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE10136608B4 (de) * 2001-07-16 2005-12-08 Francotyp-Postalia Ag & Co. Kg Verfahren und System zur Echtzeitaufzeichnung mit Sicherheitsmodul

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE10142537A1 (de) * 2001-08-30 2003-03-20 Adp Gauselmann Gmbh Verfahren zur Aktivierung einer in einem Gehäuse angeordneten Steuereinheit, die gegen ein Ausspähen von Daten geschützt ist
US6823321B2 (en) * 2001-09-14 2004-11-23 Pitney Bowes Inc. Method and system for optimizing refill amount for automatic refill of a shared virtual postage meter
US20030097337A1 (en) * 2001-11-16 2003-05-22 George Brookner Secure data capture apparatus and method
AU2002359279A1 (en) * 2001-11-16 2003-06-10 Neopost Group Secure data capture apparatus and method
DE102006022315A1 (de) * 2006-05-11 2007-11-15 Francotyp-Postalia Gmbh Anordnung und Verfahren zum Erstellen eines Frankierabdrucks
US8308819B2 (en) * 2006-12-19 2012-11-13 Pitney Bowes Inc. Method for detecting the removal of a processing unit from a printed circuit board
DE102007011309B4 (de) * 2007-03-06 2008-11-20 Francotyp-Postalia Gmbh Verfahren zur authentisierten Übermittlung eines personalisierten Datensatzes oder Programms an ein Hardware-Sicherheitsmodul, insbesondere einer Frankiermaschine
KR101692417B1 (ko) 2011-12-29 2017-01-05 인텔 코포레이션 다이렉트 액세스를 갖는 다중-레벨 메모리
GB2499985A (en) 2012-02-29 2013-09-11 Nds Ltd Current state of OTP memory used with new received information to define new OTP state for computation of new digital signature in preventing playback attacks
US9311508B2 (en) * 2013-12-27 2016-04-12 Intel Corporation Processors, methods, systems, and instructions to change addresses of pages of secure enclaves
US20160085695A1 (en) 2014-09-24 2016-03-24 Intel Corporation Memory initialization in a protected region

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0762338A2 (fr) 1995-09-08 1997-03-12 Francotyp-Postalia Aktiengesellschaft & Co. Procédé pour sécuriser les données et le code de programme d'une machine d'affranchissement
EP0780808A2 (fr) * 1995-12-19 1997-06-25 Pitney Bowes Inc. Système et procédé de reprise en cas de sinistre dans un système ouvert de dosage
EP0789333A2 (fr) 1996-01-31 1997-08-13 Francotyp-Postalia Aktiengesellschaft & Co. Machine d'affranchissement
EP0417447B1 (fr) 1989-09-12 1997-10-29 International Business Machines Corporation Protection de données par détection d'intrusions dans des ensembles électroniques
EP0805421A2 (fr) * 1996-05-02 1997-11-05 Francotyp-Postalia AG & Co. Procédé et arrangement pour le traitement de l'information dans un système de traitement de courrier avec une machine d'affranchissement
US5734571A (en) * 1995-09-08 1998-03-31 Francotyp-Postalia Ag & Co. Method for modifying data loaded into memory cells of an electronic postage meter machine
US5805711A (en) 1993-12-21 1998-09-08 Francotyp-Postalia Ag & Co. Method of improving the security of postage meter machines
DE29905219U1 (de) 1999-03-12 1999-06-17 Francotyp-Postalia AG & Co., 16547 Birkenwerder Sicherheitsmodul mit Statussignalisierung
DE19816572A1 (de) 1998-04-07 1999-10-14 Francotyp Postalia Gmbh Anordnung für einen Sicherheitsmodul
DE19816571A1 (de) 1998-04-07 1999-10-14 Francotyp Postalia Gmbh Anordnung für den Zugriffsschutz für Sicherheitsmodule
DE19912780A1 (de) 1999-03-12 2000-09-14 Francotyp Postalia Gmbh Anordnung für ein Sicherheitsmodul
DE19912781A1 (de) 1999-03-12 2000-11-23 Francotyp Postalia Gmbh Verfahren zum Schutz eines Sicherheitsmoduls und Anordnung zur Durchführung des Verfahrens

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE4217830C2 (de) * 1992-05-29 1996-01-18 Francotyp Postalia Gmbh Verfahren zum Betreiben einer Datenverarbeitungsanlage
GB9425953D0 (en) * 1994-12-22 1995-02-22 Neopost Ltd Franking machine
DE69735672T2 (de) * 1996-09-24 2007-03-29 Ascom Hasler Mailing Systems, Inc., Shelton Frankierung mit digitalem postgebührennachweis

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
USPS, UNITED POSTAL SERVICE: "Information Based Indicia Program, Postal Security Device Specification", USPS IBIP, XP002137734 *

Also Published As

Publication number Publication date
DE19928057B4 (de) 2005-11-10
US6362724B1 (en) 2002-03-26
DE19928057A1 (de) 2000-12-28
EP1063619B1 (fr) 2007-02-07
DE50014030D1 (de) 2007-03-22

Similar Documents

Publication Publication Date Title
EP0660269B1 (fr) Procédé pour améliorer la sécurité de machines à affrauchir
EP0762337A2 (fr) Procédé et dispositif pour augmenter la protection contre la manipulation de données critiques
EP1278164B1 (fr) Système et méthode pour changer la fonctionnalité d'un module de sécurité
EP0762335B1 (fr) Procédé pour changer les données chargées dans des cellules de stockage d'une machine d'affranchissement
CH675496A5 (fr)
DE19928057B4 (de) Sicherheitsmodul und Verfahren zur Sicherung der Postregister vor Manipulation
EP1035516B1 (fr) Système pour un module de sécurité
DE3729342A1 (de) Sicherheitsdrucker fuer ein wertdrucksystem
EP1035517B1 (fr) Procédé de protection d'un module de sécurité et ensemble pour mettre en oeuvre ledit procédé
DE3729345A1 (de) Sicherheitsgehaeuse mit elektronischer anzeige fuer ein wertdrucksystem
EP1035518B1 (fr) Ensemble de protection d'un module de sécurité
EP1035513B1 (fr) Module de sécurité avec signalisation de l'état
DE19534530A1 (de) Verfahren zur Absicherung von Daten und Programmcode einer elektronischen Frankiermaschine
DE3884485T2 (de) Frankiermaschinensystem.
EP0927971A2 (fr) Procédé et dispositif postal avec une unité de lecture/écriture de cartes à puce pour le rechargement de données de changement dans une carte à puce
DE19928061C2 (de) Sicherheitsmodul zur Überwachung der Systemsicherheit und Verfahren
DE19534529C2 (de) Verfahren zur Erhöhung der Manipulationssicherheit von kritischen Daten
EP1061479A2 (fr) Dispositif et procédé pour générer un motif destiné à la sécurité
DE19534527C2 (de) Verfahren zur Erhöhung der Manipulationssicherheit von kritischen Daten
EP1857981A2 (fr) Agencement et procédé destinés à la fabrication d'un affranchissement
EP1855252B1 (fr) Agencement et procédé destinés à la fabrication d'un affranchissement
DE29522056U1 (de) Anordnung zur Erhöhung der Manipulationssicherheit von kritischen Daten
DE202008018098U1 (de) Sicherheitsmodul eines Benutzergeräts
DE102008047308A1 (de) Sicherheitsmodul eines Benutzergeräts

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): CH DE FR GB IT LI

AX Request for extension of the european patent

Free format text: AL;LT;LV;MK;RO;SI

17P Request for examination filed

Effective date: 20010417

AKX Designation fees paid

Free format text: CH DE FR GB IT LI

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: FRANCOTYP-POSTALIA AG & CO. KG

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: FRANCOTYP-POSTALIA GMBH

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAC Information related to communication of intention to grant a patent modified

Free format text: ORIGINAL CODE: EPIDOSCIGR1

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): CH DE FR GB IT LI

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

Free format text: NOT ENGLISH

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REF Corresponds to:

Ref document number: 50014030

Country of ref document: DE

Date of ref document: 20070322

Kind code of ref document: P

GBT Gb: translation of ep patent filed (gb section 77(6)(a)/1977)

Effective date: 20070416

ET Fr: translation filed
PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

26N No opposition filed

Effective date: 20071108

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20090421

Year of fee payment: 10

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FR

Payment date: 20100706

Year of fee payment: 11

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: IT

Payment date: 20100623

Year of fee payment: 11

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: CH

Payment date: 20100623

Year of fee payment: 11

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20100618

Year of fee payment: 11

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: DE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20110101

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

GBPC Gb: european patent ceased through non-payment of renewal fee

Effective date: 20110609

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IT

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20110609

REG Reference to a national code

Ref country code: FR

Ref legal event code: ST

Effective date: 20120229

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20110630

Ref country code: FR

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20110630

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20110630

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: GB

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20110609