Method for the secure distribution of security modules

US 20020046175A1
Filed: 04/24/2001
Published: 04/18/2002
Est. Priority Date: 04/28/2000
Status: Active Grant

First Claim

Patent Images

1. A method for the distributing security modules in a secure manner from a manufacturing location via a distribution location to a user location, comprising the steps:

a) generating and storing an electronic key in a security module at the manufacturing location;

b) transmitting the electronic key together with the security module to the distribution location, with the electronic key being visible in externally readable form at said security module;

c) generating an identification code allocated to the electronic key at the distribution location and transmitting the identification code from the distribution location to a central data bank and storing the identification code at the central data bank, and after generating the identification code, making the electronic key in externally readable form unreadable at the distribution location and shipping the security module from the distribution location with the identification code in externally readable form;

d) using the security module at the user location, and generating a verification code from the identification code and the electronic key stored in the security module;

e) at a service center, verifying that the verification code, and the identification code and the electronic key obtained from the central data bank, belong together; and

f) upon verification by the service center, registering said security module for use at said user location.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a method and a distribution system for the secure distribution of security modules, particularly for postage meter machines, for protecting against manipulation of security modules, only devices with security modules whose keys have not been comprised can be placed in operation by the customer under all circumstances, i.e. even when the cryptographic initialization at the production location has been comprehensively undermined. The generation and checking of markings, potentially in combination with certificates proceeds with a first marking of the shipping packaging of the security module ensuing at the manufacturing location after a first cryptographic initialization. The first marking is preferably a public key printed on a first label. A second marking ensues at the entry point remote from the manufacturing location upon registration of the packaging and enables an identification upon later registration of the device, triggered by the user located at the use location, before the loading of requested data into the postage meter machine.

Citations

36 Claims

1. A method for the distributing security modules in a secure manner from a manufacturing location via a distribution location to a user location, comprising the steps:
- a) generating and storing an electronic key in a security module at the manufacturing location;
  
  b) transmitting the electronic key together with the security module to the distribution location, with the electronic key being visible in externally readable form at said security module;
  
  c) generating an identification code allocated to the electronic key at the distribution location and transmitting the identification code from the distribution location to a central data bank and storing the identification code at the central data bank, and after generating the identification code, making the electronic key in externally readable form unreadable at the distribution location and shipping the security module from the distribution location with the identification code in externally readable form;
  
  d) using the security module at the user location, and generating a verification code from the identification code and the electronic key stored in the security module;
  
  e) at a service center, verifying that the verification code, and the identification code and the electronic key obtained from the central data bank, belong together; and
  
  f) upon verification by the service center, registering said security module for use at said user location.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 2. A method as claimed in claim 1 wherein step (c) comprises physically attaching at least one of said electronic key and said identification code to said security module for shipment with said security module.
  - 3. A method as claimed in claim 2 comprising physically attaching at least one of said electronic key and said identification code to said security module in machine-readable form.
  - 4. A method as claimed in claim 3 comprising physically attaching at least one of said electronic key and said identification code to said security module as a bar code.
  - 5. A method as claimed in claim 3 comprising physically attaching at least one of said electronic key and said identification code to said security module as a data carrier.
  - 6. A method as claimed in claim 5 comprising selecting said data carrier from the group of data carriers consisting of chip cards, magnetic strip cards, and identification tags.
  - 7. A method as claimed in claim 1 comprising installing said security module in a device, and wherein step (c) comprises physically attaching at least one of said electronic key and said identification code to said device.
  - 8. A method as claimed in claim 7 comprising physically attaching at least one of said electronic key and said identification code to said device in machine-readable form.
  - 9. A method as claimed in claim 8 comprising physically attaching at least one of said electronic key and said identification code to said device as a bar code.
  - 10. A method as claimed in claim 8 comprising physically attaching at least one of said electronic key and said identification code to said device as a data carrier.
  - 11. A method as claimed in claim 10 comprising selecting said data carrier from the group of data carriers consisting of chip cards, magnetic strip cards, and identification tags.
  - 12. A method as claimed in claim 1 comprising packaging said security module in transport packaging and step (c) comprises physically attaching at least one of said electronic key and said identification code to said transport packaging.
  - 13. A method as claimed in claim 12 comprising physically attaching at least one of said electronic key and said identification code to said transport packaging in machine-readable form.
  - 14. A method as claimed in claim 13 comprising physically attaching at least one of said electronic key and said identification code to said transport packaging as a bar code.
  - 15. A method as claimed in claim 13 comprising physically attaching at least one of said electronic key and said identification code to said transport packaging as a data carrier.
  - 16. A method as claimed in claim 15 comprising selecting said data carrier from the group of data carriers consisting of chip cards, magnetic strip cards, and identification tags.
  - 17. A method as claimed in claim 1 comprising installing said security module in a device and packaging said device in transport packaging, and wherein step (c) physically attaching at least one of said electronic key and said identification code to said transport packaging of said device.
  - 18. A method as claimed in claim 13 comprising physically attaching at least one of said electronic key and said identification code to said transport packaging in machine-readable form.
  - 19. A method as claimed in claim 18 comprising physically attaching at least one of said electronic key and said identification code to said transport packaging as a bar code.
  - 20. A method as claimed in claim 18 comprising physically attaching at least one of said electronic key and said identification code to said transport packaging as a data carrier.
  - 21. A method as claimed in claim 20 comprising selecting said data carrier from the group of data carriers consisting of chip cards, magnetic strip cards, and identification tags.
  - 22. A method as claimed in claim 1 where step (e) comprises entering said identification code into said security module for generating said verification code.
  - 23. A method as claimed in claim 1 comprising providing a manufacturing center at the manufacturing location for at least partially fabricating said security module, providing a distribution location at said distribution center for packaging said security module with said identification code in externally readable form and for distributing the packaged security module, and providing said service center for supplying said security module with a fee unit to said user location.
  - 24. A method as claimed in claim 1 wherein step (a) comprises generating a single electronic key with an authentification algorithm.
  - 25. A method as claimed in claim 24 comprising allowing said single electronic key o be known only at said manufacturing location and at said service center.
  - 26. A method as claimed in claim 1 wherein step (a) comprises generating an electronic key pair, comprised of a private key and a public key, with a digital signature algorithm and employing said electronic key pair as said electronic key.
  - 27. A method as claimed in claim 26 comprising storing only said public key at said central data bank, and wherein step (b) comprises transmitting only said public key in externally readable form with said security module to said distribution location, and storing only said private key in said security module, and wherein step (e) comprises using said private key stored in said security module for generating said verification code.
  - 28. A method as claimed in claim 27 wherein step (f) comprises employing said private key and said public key for registering said security module.
  - 29. A method as claimed in claim 1 comprising encrypting data at said central data bank, and providing said manufacturing location and said service center with a key for decrypting data encrypted at said central data bank.
  - 30. A method as claimed in claim 1 comprising packaging said security module in a sealed package at said manufacturing location, and maintaining said sealed package in sealed form until said sealed package is at said user location.
  - 31. A method as claimed in claim 1 comprising also storing said electronic key at said central data bank.

32. A method for the distributing security modules in a secure manner from a manufacturing location via a distribution location to a user location, comprising the steps:
- a) generating and storing an electronic key in a security module at the manufacturing location;
  
  b) transmitting the electronic key together with the security module to the distribution location, with the electronic key being visible in externally readable form at said security module;
  
  c) generating an identification code allocated to the electronic key at the distribution location and storing the identification code in said security module, after generating the identification code, making the electronic key in externally readable form unreadable at the distribution location and shipping the security module from the distribution location with the identification code in externally readable form;
  
  d) using the security module at the user location, and generating a verification code from the identification code and the electronic key stored in the security module;
  
  e) at a service center, verifying that the verification code, and the identification code and the electronic key obtained from the security module, belong together; and
  
  f) upon verification by the service center, registering said security module for use at said user location.

33. A method for the distributing security modules in a secure manner from a manufacturing location via a distribution location to a user location, comprising the steps:
- a) generating and storing an electronic key in a security module at the manufacturing location;
  
  b) making the electronic key available via a network;
  
  c) transmitting the electronic key together with the security module to the distribution location, with the electronic key being visible in externally readable form at said security module;
  
  d) generating an identification code allocated to the electronic key at the distribution location and making the identification code available via said network, after generating the identification code, making the electronic key in externally readable form unreadable at the distribution location and shipping the security module from the distribution location with the identification code in externally readable form;
  
  e) using the security module at the user location, and generating a verification code from the identification code and the electronic key stored in the security module;
  
  f) at a service center, verifying that the verification code, and the identification code and the electronic key obtained from the network, belong together; and
  
  g) upon verification by the service center, registering said security module for use at said user location.
- View Dependent Claims (35, 36)
- - 35. A distribution center as claimed in claim 34 wherein said distribution center includes said service center and wherein at least one of said distribution center and said service center are operated by a regional operator.
  - 36. A distribution center as claimed in claim 34 wherein said distribution center is operated so that all security modules be used in a territorial region must pass through said distribution center before registration.

34. A distribution system for distributing security modules in a secure manner, comprising:
- a manufacturing center for generating and storing at least one electronic key in a security module and for storing said electronic key in a central data bank and for shipping the electronic key together with the security module with the electronic key in externally readable form;
  
  a distribution center which receives the security module from the manufacturing center, for generating an identification code allocated to the electronic key and for storing the identification code at the central data bank, and, after generating the identification code, for making the electronic key in externally readable form unreadable, and for shipping the identification code in externally readable form together with the security module;
  
  a user device supplied with said security module that is placed in operation after receiving the security module, and wherein said security module generates a verification code from the identification code and the electronic key; and
  
  a service center for verifying affiliation of said verification code, said identification code and said electronic key after obtaining said electronic key from said central data bank, and for registering said security module upon successful verification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Francotyp-Postalia GmbH (Francotyp-Postalia Holding AG)
Original Assignee
Francotyp-Postalia GmbH (Francotyp-Postalia Holding AG)
Inventors
Bleumer, Gerritt

Granted Patent

US 6,850,912 B2
Time in Patent Office

Days
Field of Search
US Class Current

705/51
CPC Class Codes

G07B 17/00733   Cryptography or similar spe...

G07B 2017/0087   Key distribution

G07B 2017/00967   PSD [Postal Security Device...

Method for the secure distribution of security modules

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Method for the secure distribution of security modules

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links