JP2002507802A - Tamper proof postal security with long life battery - Google Patents

Abstract

In accordance with the invention, a postal security device (PSD) (10) contains a non-volatile memory (13) which does not depend on battery power such as an EEPROM (13), and contains a nonvolatile memory (14, 16) which does depend on battery power, such as a static RAM. The PSD (10) also contains an encryption engine (12, 14, 22). An encryption key is developed and is stored in the static RAM (14), which is sized to be only large enough to contain the encryption key. A large body of data, too large to fit in the static RAM, is encrypted by means of the encryption engine (12, 14, 22) and with reference to the encryption key, and is stored in the EEPROM (13). This body of data typically includes cryptographic keys and sensitive bit-images. When the PSD is powered, a large RAM (typically a dynamic RAM) (16) is available to receive the large body of data, decrypted using the encryption key. A tamper switch (17) cuts power to both RAMs (14, 16) in the event of tampering.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

TECHNICAL FIELD OF THE INVENTION

The present invention relates to postage meters, and in particular, to protect against undetected tampering, the postage value is determined by a postal security device.
, PSD). This application was filed on March 1, 1998.
Claim priority of US Patent Application No. 60 / 078,487, filed on the 8th, which is incorporated by reference to the extent permitted in the designated and elected countries.

[0002]

[Prior art]

2. Description of the Related Art In recent years, it has been proposed to print postal delivery indicia by a conventional printer whose security is not guaranteed, such as a laser printer, an ink jet printer, or a thermal transfer printer. This type of printer is called "not secure" because they are not in a secure housing and the communication channel that links the printer to other devices is not secured.

[0006] Such a problem naturally arises as to what can prevent the user from repeatedly printing the postage-based indicia that has not paid the postage to the post office. As a means of preventing fraud, it has been proposed to store information within the range of postage-based indicia to enable fraud detection. Postage-specific indicia includes not only visually readable text such as date and postage, but also machine readable information via two-dimensional barcodes. The machine readable information is cryptographically signed and includes within its scope certain information that makes fraud more difficult. The information will generally include a postage meter permit certificate (whether approved by the meter maker or postal authority depending on the country), the number of mail items indicated, the postage paid, postage, and more detailed below. It includes a postal security device identifier, a zip code for the destination of the mail, and an indication of the postal code.

[0004] Typical devices for printing the postage of this type of "encrypted postage stamp" include so-called postal security devices, or PSDs. The PSD has a security housing that includes an accounting register and a cryptographic engine. The engine performs cryptographic authentication and signatures and communicates with external devices, such as meter makers and post office computers. The engine also authorizes the creation of postal invoices containing specific information and signed cryptographically. PSDs can be physically smaller when compared to conventional postage meters. PSD is PCM
It can be as large as a CIA card or a smart card.

[0005] The memory inside the PSD must be protected from accidental damage due to a malfunction of the PSD processor. An example is shown, for example, in US Pat. No. 5,668,973 “Protection System for Critical Memory Information” owned by the same assignee of the present application. PSDs must handle power outages in a sophisticated manner. Such an example is shown, for example, in US Pat. No. 5,571,542 entitled "Postage Meter Power Abnormality Handling Device" owned by the same assignee of the present application.

In order to reduce smearing, the printer may preferably be one described in Patent Cooperation Treaty Publication No. 97-46389 “Printing Apparatus” owned by the same assignee of the present application. It is. Although it has been proposed that the PSD include a real-time clock that keeps time continuously, it is desirable that this request be made by the Patent Cooperation Treaty Publication No. 98-083257 "Cryptographic Time Security" owned by the same assignee of the present application. It can be avoided by the invention shown in "Postage printing with tag". The PSD forms part of a network with multiple printers as set forth in Patent Cooperation Treaty Publication No. 98-13790, "Certification of Digital Shipping Charges", owned by the same assignee of the present application. be able to.

[0007]

[Problems to be solved by the invention]

Postal authorities are facing the issue of how PSDs are protected from tampering. For example, all PSD systems rely on the use of cryptographic keys. The key is used to authenticate communication between the PSD and the manufacturer's system or with the postal authority's system. This type of communication is used to fill or "reset" the PSD to reflect the ability to set and maintain the PSD and print more shipping costs. The key is also used to "sign" information that is cryptographically printed on the postage stamp of the post. If the encryption key fails, the user can be scammed from the post office and / or PSD manufacturer.

[0008] Many methods have been proposed to protect this type of encryption key from failure. A common method is to provide a RAM encryption key that retains its contents as long as the RAM (random access memory) is powered by a battery. The safety housing of the PSD includes a tamper-proof switch so that if the safety housing is modified, it is switched off. The switch shuts off the power because of the RAM (and especially the interruption of battery power to the RAM), and its contents are lost. In this way,
Information in the RAM (for example, an encryption key) is prevented from being altered. Other methods have been proposed, which include commercial memory chips (eg, Dallas Semiconductor).
DS1283 and Benchmark
arq) provides pins on the package that clear the memory based on a preset input voltage level. This switch is
It is set so that a predetermined voltage is applied when the alteration is detected.

[0009] A number of methods have also been proposed for detecting tampering. For example, EP 820041 proposes a setting in which the safety housing of a conventional mechanical or electromechanical postage meter includes a significantly higher or lower air pressure than normal air pressure. If the safety housing is compromised, the pressure inside the safety housing will be adjusted to the surrounding pressure. A sensor in the housing detects a change in pressure and thus a violation. The sensor inhibits further execution of the postage meter.

The method of powering off volatile memory, such as RAM, discussed above, has the disadvantage that during power down, the RAM relies on an internal battery to avoid loss of information in the RAM. According to postal authorities and design requirements made by PSD manufacturers, the amount of data that needs protection is very large. The data to be protected includes encryption keys used for PSD configuration, keys used for remote resets, keys for signing postage stamps and keys used for management of other keys. . In addition, it may be desirable to protect the bit image that creates the visually readable portion of the printed postage stamp. RAM large enough to hold all these important data items is also supplied with a non-negligible current from the internal battery. This may require a limited, commercially unacceptable battery life.

Therefore, it is desirable to have a PSD design that prevents many stored important data items, but one that does not consume a significant amount of battery power and that has a commercially acceptable battery life.

[0012]

[Means for Solving the Problems]

A mail security device according to the present invention includes a non-volatile memory that is independent of battery power (such as EEP ROM) and a non-volatile memory that is independent of battery power (such as static RAM). The PSD also includes an encryption engine. The encryption key is stored in static RAM, but it is set large enough to store the encryption key. Large amounts of data that do not fit in the static RAM are encrypted using an encryption engine and stored in the EEP ROM along with a reference to the encryption key. This data content typically includes an encryption key and a fine bit image. When power is supplied to the PSD, a large RAM (
Generally, a dynamic RAM is used and decrypted using an encryption key. The tampering prevention switch turns off both RAMs if tampered. In this manner, during the power down period, the minimum battery power required to maintain the PSD is ensured, while large amounts of data become inaccessible if it is to be altered.

[0013]

BEST MODE FOR CARRYING OUT THE INVENTION

The present invention is described with reference to the figures. FIG. 1 shows a mail security device according to the invention. The PSD includes a microprocessor 12 that communicates with an input / output (I / O) device 18 via a bus 22, a memory 13 that does not require battery backup, such as EEP ROM or flash memory, a relatively small RAM 14, ROM 22 and a larger RA
M16. The input / output device 18 communicates with external devices via a communication channel 19 such as a serial asynchronous data line. External power supply 21 and ground 2
0 is also defined. The larger RAM 16 and most other active elements receive external power. The smaller RAM 14 can be powered by a lithium cell backup battery 15, which preferably has a very long (eg, 10 years) life. A tampering prevention switch 17 is provided to turn off the small RAM 14 and the large RAM 16 when started.

Large amounts of data require protection from the user trying to modify it. E
The EProm is chosen to be large enough to keep the contents of the data encrypted. When power is applied and the system is in a stable state, the contents of the data (or the selected data portion) are decrypted and transferred to RAM 16. Microprocessor 1 executes a decryption routine stored in ROM 22.
2, decryption is performed in connection with the decryption key in RAM 14. Alternatively, decryption can be performed by any engine, although omitted for clarity in FIG. The decrypted data in RAM 16 is used as needed for normal PSD functionality, including communication with a user computer, manufacturer's system, or postal authority system via communication channel 19, and The generation of postage indicia printed by the company.

When the external power supply 21 is turned off, or when the PSD enters a normal power-off routine, the information in the RAM 16 is lost. On the other hand, since the battery 15 is provided, the information in the RAM 14 is stored even if the external power supply 21 is lost. During normal operation, data that needs protection from the user (or some portion thereof) that is about to be modified is located on RAM 16 in an "apparent" state, i.e., unencrypted. When this data changes, it is necessary to encrypt the data and store it again in the memory 13. This encryption can be performed by the processor 12 executing the encryption software in the ROM 22, or by the encryption engine omitted for clarity in FIG.

When the power of the PSD 10 is turned off, it is assumed that no power is present on the line 21. In that case, the only powered device is the RA
M14. The RAM 14 is intentionally selected to be large enough to hold the encryption key, but not very large, and in any event, has a large amount of capacity that is deemed to require protection from the user attempting to modify it. Smaller than the data.
Because the RAM 14 is of limited size, the larger the RAM used, such as the RAM 16, the less current is consumed from the battery 15. Therefore, battery life is optimized, especially when compared to the resulting short battery life, such that all large amounts of data are stored in battery-backed RAM.

Modifications can occur during the time that the external power supply 21 is present. At least, the tamper-proof switch must turn off the power to the RAM 14. (Alternatively, the tamper-proof switch applies a predetermined voltage to the RAM to clear the RAM.
It may be added to M14. Preferably, the tamper-proof switch may also power down (or clear) the RAM 16 because some sensitive data content exists "in the clear" in the RAM 16. And should not be in the hands of the user trying to modify it. Alternatively, the tamper-proof switch can interrupt processor 12 so that processor 12 clears the sensitive portion of RAM 16.

Alterations can also occur when the external power supply 21 is not present. In such a case, since the power is turned off, the RAM 16 is already cleared if it is set. The tampering prevention switch executes clearing of the RAM 14. Even if the user trying to modify extracts the contents of the memory 13, there is almost no effect. Because
The contents are useless unless decrypted by a key in RAM 14,
This is because the key no longer exists in the RAM 14. After being modified, PS
If D10 is powered on again, the decryption routine will not work because the keys in RAM 14 are gone. In addition, and preferably under program control, if the processor 12 detects that the RAM 14 is empty, it sends the message via the communication channel 19 directly to the manufacturer or to the postal authority.

Those skilled in the art will be able to conceive of the use of electronic components in addition to or instead of FIG. 1 given design considerations, all of which are within the scope of the present invention. For example, a cryptographic chip can be used to remove the computational load from a microprocessor. As other embodiments, there are many ways in which the tamper-proof switch can power down the RAM, and the particular type of tamper-proof switch can be selected from among several types, all of which are in the present invention. It does not depart from the invention. Those skilled in the art can readily make obvious modifications and improvements to the present invention, all of which are included in the claims set forth herein.

[Brief description of the drawings]

FIG. 1 is a schematic functional block diagram of the device of the present invention.

[Explanation of symbols]

 DESCRIPTION OF SYMBOLS 10 Mail security apparatus 12 Microprocessor 14 RAM 15 Battery 21 External power supply 22 ROM

[Procedural Amendment] Submission of translation of Article 34 Amendment of the Patent Cooperation Treaty

[Submission date] March 29, 2000 (2000.3.29)

[Procedure amendment 1]

[Document name to be amended] Statement

[Correction target item name] Claim 2

[Correction method] Change

[Correction contents]

[Procedure amendment 2]

[Document name to be amended] Statement

[Correction target item name] Claim 3

[Correction method] Change

[Correction contents]

[Procedure amendment 3]

[Document name to be amended] Statement

[Correction target item name] 0013

[Correction method] Change

[Correction contents]

[0013]

BRIEF DESCRIPTION OF THE DRAWINGS The invention will be described with reference to the figures. FIG. 1 shows a mail security device according to the invention. PSD is a secure housing 11, a microprocessor 12 which communicates with the input / output via the bus 2 3 (I / O) device 18, a memory 13 which does not require battery backup such as EEP ROM or flash memory, A relatively small RAM 14, a ROM 22,
And a larger RAM 16. The input / output device 18 communicates with external devices via a communication channel 19 such as a serial asynchronous data line. An external power supply 21 and a ground 20 are also defined. Larger RAM 16 and most other active elements receive external power. The smaller RAM 14 can be powered by a lithium cell backup battery 15, which preferably has a very long (eg, 10 years) life. A tampering prevention switch 17 is provided to turn off the small RAM 14 and the large RAM 16 when started.

────────────────────────────────────────────────── ─── Continued on the front page F term (reference) 2C087 AA13 AC05 AC07 AC08 BA04 BA05 BC02 BC04 BC07 BD55 DA13 5B017 AA03 BA08 BB00 CA11 5J104 AA08 AA16 EA09 NA02 NA27 PA00

Claims (3)

[Claims] 1. A mail security device including a security housing, comprising: a data content having a fixed size in the security housing; Means for generating print data for printing an indicium; a first memory of a type in the safety housing sized to capture the data content and requiring no power to retain the captured content; A second memory of a type that is not large enough to capture the data content in the secure housing and requires power to retain the captured content; and mechanically providing the second memory and the secure housing with Powering the connected tamper-proof switch and connecting from the second memory as soon as the safety housing is about to be tampered with Apparatus comprising a battery that is to disconnect, and the encrypted key stored in the second memory, and a cryptographic engine to encrypt the data contents associated with the encryption key. 2. A method of using a mail security device including a security housing, the device comprising: a data content having a fixed size in the security housing; and a partial data content in the security housing. Means for generating print data for printing a postage indicia depending on the type of the postage, a type having a size for taking in the data content in the safety housing and requiring no power for holding the content taken in A second memory of a type that is not large enough to capture the data content in the secure housing and requires power to retain the captured content; and a second memory; Powering a tamper-proof switch mechanically connected to the safety housing, and as soon as the safety housing is about to be modified, 2. An apparatus comprising: a battery adapted to be disconnected from the memory; an encryption key stored in the second memory; and an encryption engine, wherein the method of using the apparatus comprises: Storing the key in the second memory; encrypting the data content by the encryption engine in association with the encryption key; and storing the encrypted data content in the first memory. A method comprising: storing; and, when modified, removing power from said second memory. 3. A method of using a mail security device including a security housing, the device comprising: a data content having a fixed size in the security housing; Means for generating print data for printing a postage indicia depending on the type of the postage, a type having a size for taking in the data content in the safety housing and requiring no power for holding the content taken in And a first memory, which is not large enough to capture the data content in the safety housing, does not require power to retain the captured content, and erases the content in a predetermined electrical state A second memory of a kind, wherein said second memory is mechanically connected to said safety housing and said second An apparatus, comprising: a tamper-proof switch that allows Molly to assume the predetermined electrical state; an encryption key stored in the second memory; and an encryption engine, the method of using the apparatus. Storing the encryption key in the second memory; encrypting the data content by the encryption engine in association with the encryption key; and encrypting the data in the first memory. Storing the modified data content; and, when altered, causing the predetermined electrical state.