Method for improving the security of postage meter machines

US 5,671,146 A
Filed: 11/30/1994
Issued: 09/23/1997
Est. Priority Date: 12/21/1993
Status: Expired due to Term

First Claim

Patent Images

1. A method for improving the security of a postage meter machine which is capable of communication with a remote central data station, said postage meter machine being openable and containing a microprocessor which controls the execution of a system routine, said method comprising the steps of:

establishing a first communication link between a user and said central data station;

establishing a second communication link between said postage meter machine and said central data station and communicating data between said central data station and said postage meter machine which permits said postage meter machine to determine if a subsequent opening of said machine is authorized or unauthorized;

upon any opening of said housing of said postage meter machine, automatically causing said microprocessor to conduct a routine, employing said data communicated to said postage meter machine from said central data station, to determine whether said opening is authorized or unauthorized;

if said opening was authorized and said housing is closed, permitting said system routine to enter into said franking mode;

if said opening was unauthorized and said housing is closed, preventing said system routine from entering into said franking modereporting an intent to conduct an authorized opening of said postage meter machine by making a request for opening at said central data station after establishment of said communication link;

communicating a new code word to said postage meter machine from said central data station upon approval of said request for opening, as part of said data communicated between said postage meter machine and said central data station; and

automatically transferring said postage meter machine into a first mode for effectively shutting said postage meter machine off if said postage meter machine is opened and said new code word is absent from said postage meter machine.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a method for improving the security of postage meter machines, the intent to conduct an authorized opening of the machine, such as for inspection or maintenance purposes, is first reported to a central data station, after the postage meter machine to be opened has established communication between the machine and the central data station. The postage meter machine has a code word stored therein, the presence of this code word being necessary for authorized operation of the machine. Following the request to open, the central data station transmits a new code word to the postage meter machine, which is also stored therein. Upon any opening of the postage meter machine, the current code word is automatically erased. If the opening is authorized, and thus a new code word is stored in the machine, this new code word is automatically substituted for the erased code word, so that operation of the machine can proceed in a normal fashion. If the opening is unauthorized, and thus there is no new code word to replace the erased code word, the machine is automatically placed in a first mode, which prevents operation of the machine.

Citations

82 Claims

1. A method for improving the security of a postage meter machine which is capable of communication with a remote central data station, said postage meter machine being openable and containing a microprocessor which controls the execution of a system routine, said method comprising the steps of:
- establishing a first communication link between a user and said central data station;
  
  establishing a second communication link between said postage meter machine and said central data station and communicating data between said central data station and said postage meter machine which permits said postage meter machine to determine if a subsequent opening of said machine is authorized or unauthorized;
  
  upon any opening of said housing of said postage meter machine, automatically causing said microprocessor to conduct a routine, employing said data communicated to said postage meter machine from said central data station, to determine whether said opening is authorized or unauthorized;
  
  if said opening was authorized and said housing is closed, permitting said system routine to enter into said franking mode;
  
  if said opening was unauthorized and said housing is closed, preventing said system routine from entering into said franking modereporting an intent to conduct an authorized opening of said postage meter machine by making a request for opening at said central data station after establishment of said communication link;
  
  communicating a new code word to said postage meter machine from said central data station upon approval of said request for opening, as part of said data communicated between said postage meter machine and said central data station; and
  
  automatically transferring said postage meter machine into a first mode for effectively shutting said postage meter machine off if said postage meter machine is opened and said new code word is absent from said postage meter machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method as claimed in claim 1 wherein the step of automatically erasing said current code word upon any opening of said postage meter machine is further defined by the steps of:
    - storing said current code word in said microprocessor;
      
      maintaining a closed sensor connection when said housing of said postage meter machine is closed;
      
      arranging said sensor connection so that said sensor connection is interrupted upon any opening of said housing and thereby generating a signal indicating said housing has been opened; and
      
      supplying said signal to said microprocessor and erasing said current code word in said microprocessor upon receipt of said signal.
  - 3. A method as claimed in claim 1 wherein said postage meter machine has a telephone number associated therewith, which can be changed, and wherein the step of communicating data between said postage meter machine and said central data station includes the step of transmitting data in unencoded form from said central data station to said postage meter machine to load a new telephone number into said postage meter machine.
  - 4. A method as claimed in claim 1 wherein the step of communicating data between said central data station and said postage meter machine is further defined by serially communicating all data via said communication link protected by a message authentification code (MAC).
  - 5. A method as claimed in claim 1 comprising the additional steps of:
    - storing a current code word in said postage meter machine, the presence of which is necessary to prevent said postage meter machine from automatically transferring into said first mode when said postage meter machine is opened;
      
      automatically erasing said current code word upon any opening of said postage meter machine;
      
      automatically substituting said new code word, if present in said postage meter machine, for the erased current code word upon opening of said postage meter machine;
      
      preventing said postage meter machine from automatically transferring into said first mode if said new code word has been substituted for the erased current code word; and
      
      automatically transferring said postage meter machine into said first mode if said current code word is erased and no new code word is present to substitute for the erased current code word.
  - 6. A method as claimed in claim 5 wherein the step of communicating said new code word to said postage meter machine from said central data station is further defined by communicating a new code word in encoded form to said postage meter machine from said central data station.
  - 7. A method as claimed in claim 1 wherein the step of communicating data between said postage meter machine and said central data station includes communicating a credit reloading value, and wherein said credit reloading value is communicated in encoded form.
  - 8. A method as claimed in claim 7 comprising the additional steps of:
    - transmitting a request in encoded form from said postage meter machine to said central data station to transmit a prescribed amount of a credit reloading value from said central data station to said postage meter machine.

9. A method for improving the security of a postage meter machine which is capable of communication with a remote central data station, said postage meter machine being openable and containing a microprocessor which controls the execution of a start and initialization routine followed by a system routine, said system routine including a franking mode, said method comprising the steps of:
- storing a current code word in said postage meter machine;
  
  establishing a communication link between said postage meter machine and said central data station;
  
  reporting an intent to conduct an authorized opening of said postage meter machine by making a request for opening at said central data station after establishment of said communication link;
  
  communicating a new code word to said postage meter machine from said central data station upon approval of said request for opening and storing said new code word in said postage meter machine at a different memory location from said current code word, said current code word and said new code word exclusively comprising valid code words;
  
  automatically erasing said current code word upon any opening of said housing of said postage meter machine;
  
  automatically substituting said new code word, if present in said postage meter machine, for the erased current code word upon opening of said postage meter machine;
  
  automatically transferring said postage meter machine into a first mode for effectively shutting said postage meter machine off if said current code word is erased and no new code word is present to substitute for the erased current word and thus no valid code word is present in said postage meter machine;
  
  preventing said postage meter machine from automatically transferring into said first mode if said new code word has been substituted for the erased current code word and thus a valid code word is present in said postage meter machine;
  
  conducting said start and initialization routine followed by said system routine and conducting a periodic interrogation during said start and initialization routine and during said system routine to confirm the continued presence of new code word in said postage meter machine; and
  
  in said start and initialization routine, before conducting a first periodic interrogation, calling in current data to determine whether said postage meter machine satisfies a specified criterion to conduct a franking and, if said specified criterion is not satisfied, causing said postage meter machine to enter into a second mode which displays a notification of a need to communicate with said central data station and which prevents said postage meter machine from entering into said franking mode.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 10. A method as claimed in claim 9 wherein the step of communicating said new code word to said postage meter machine from said central data station is further defined by communicating a new code word in encoded form to said postage meter machine from said central data station.
  - 11. A method as claimed in claim 9 wherein said postage meter machine has a telephone number associated therewith, which can be changed, and comprising the additional step of transmitting data in unencoded form from said central data station to said postage meter machine via said communication link to load a new telephone number into said postage meter machine.
  - 12. A method as claimed in claim 9 comprising the additional step of serially communicating all data via said communication link protected by a message authentification code (MAC).
  - 13. A method as claimed in claim 9 comprising the additional steps of:
    - setting a specified number S'"'"' of frankings which can be conducted by said postage meter machine in said franking mode given an amount of funds which are present in said postage meter machine;
      
      causing said system routine to enter into a sleeping mode, wherein a franking procedure is altered, when a number of frankings conducted by said postage meter machine in said franking mode approaches S; and
      
      calling in said number S as part of said current data which is called-in in said start and initialization routine.
  - 14. A method as claimed in claim 9 comprising the additional steps of:
    - setting a flag which inhibits said postage meter machine if said postage meter machine enters into said second mode;
      
      interrogating said flag upon any attempt by said postage meter machine to communicate via said communication link with said central data station; and
      
      resetting said flag if a successful communication between said postage meter machine and said central data station via said communication link ensues.
  - 15. A method as claimed in claim 9 comprising the additional step of:
    - determining whether a valid code word is present in said postage meter machine by interrogating a predetermined memory location to obtain the contents of the predetermined memory location, storing a coded key having parts thereof stored in respectively different memory locations, and analyzing the contents of said predetermined memory location using a checksum analysis and said coded key.
  - 16. A method as claimed in claim 9 wherein said system routine includes a routine branch into said franking mode, and wherein the step of automatically transferring said postage meter machine into said first mode for effectively shutting said postage meter machine off is further defined by inhibiting branching in said system routine into said franking mode.
  - 17. A method as claimed in claim 9 comprising the additional steps of:
    - in response to said display of said notification, making a request for a credit reloading value from said postage meter machine to said central data station via said communication link; and
      
      transmitting a credit reloading value from said central data station to said postage meter machine via said communication link to re-fund said postage meter machine.
  - 18. A method as claimed in claim 17 wherein the step of transmitting said credit reloading value is further defined by transmitting said credit reloading value in encoded form.
  - 19. A method as claimed in claim 9 comprising the additional steps of:
    - in response said display of said notification, transmitting a request for a predetermined amount of a credit reloading value from said postage meter machine to said central data station via said communication link; and
      
      transmitting said predetermined amount of a credit reloading value from said central data station to said postage meter machine via said communication link to re-fund said postage meter machine.
  - 20. A method as claimed in claim 19 wherein the step of transmitting said predetermined amount of a credit reloading value is further defined by transmitting said predetermined amount of a credit reloading value in encoded form.
  - 21. A method as claimed in claim 9 comprising the additional steps of:
    - calculating in said postage meter machine a specific number of frankings which is permitted given a current amount of funds stored in said postage meter machine; and
      
      displaying said specific number of frankings at said postage meter machine at a beginning of said start and initialization routine.
  - 22. A method as claimed in claim 21 comprising the additional steps of:
    - transmitting funding and franking data for said postage meter machine from said postage meter machine to said central data station; and
      
      calculating said specific number of frankings, from said funding and flanking data, at said central data station in parallel with the calculation of said specific number at said postage meter machine.
  - 23. A method as claimed in claim 9 comprising the additional step of:
    - determining whether a valid code word is present in said postage meter machine by interrogating a predetermined memory location to obtain the contents of said predetermined memory location, and subjecting said contents of said predetermined memory location to a checksum analysis in a one-time programmable processor.
  - 24. A method as claimed in claim 23 wherein said valid code word is stored in said predetermined memory location protected by a message authentification code, and wherein said one-time programmable processor includes means for detecting and decoding said message authentification code.
  - 25. A method as claimed in claim 9 comprising the additional steps of:
    - storing accounting data regarding funding of said postage meter machine in a plurality of postal registers;
      
      causing said system routine to place said postage meter machine in a kill mode, inhibiting any franking, in the absence of a valid code word in said postage meter machine;
      
      in said kill mode, partially erasing the contents of said postal registers in a predetermined manner; and
      
      causing said postage meter machine to enter into a display mode after conducting a statistical error evaluation.
  - 26. A method as claimed in claim 25 comprising the additional steps of:
    - appending a message authentification code to all data in said postal registers and to said valid code word; and
      
      in said franking mode, checking for a manipulation of the data of said postal registers by checking said message authentification code in an accounting and priming routine in said franking mode.
  - 27. A method as claimed in claim 25 wherein the step of storing said accounting data in said postal registers is further defined by storing said accounting data redundantly in said postal registers, and wherein the step of partially erasing said postal registers in a predetermined manner in said kill mode is further defined by reducing the redundancy of the contents of said postal registers in a predetermined manner in said kill mode and thereby producing a type of error which cannot be independently corrected by said postage meter machine.
  - 28. A method as claimed in claim 9 comprising the additional steps of:
    - allotting an allotted number of frankings which can be conducted by said postage meter machine in said franking mode given an amount of funds which are present in said postage meter machine; and
      
      causing said system routine to enter into a sleeping mode, wherein a franking procedure is altered, when a number of frankings conducted by said postage meter machine in said franking mode approaches said allotted number.
  - 29. A method as claimed in claim 28 comprising the additional step of:
    - if said postage meter machine enters into said sleeping mode, displaying a warning at said postage meter machine and imposing a franking delay for a predetermined chronological duration.
  - 30. A method as claimed in claim 28 comprising the additional steps of:
    - maintaining an ascending register in said postage meter machine having a register value which changes upon each flanking by said postage meter machine;
      
      periodically interrogating said ascending register to obtain an interrogated register value R2_old ;
      
      said system routine causing said postage meter machine to conduct a printing impression in said franking mode, and maintaining a count R8_old of all impressions made by said postage meter machine;
      
      calculating, in said postage meter machine, a calculated number S'"'"' as said allotted number by adding an average number S₀ of items to a disposition number S_x of items;
      calculating S₀ according to the equation ##EQU4## wherein R2_new is a requested, future value of said ascending register; and
      
      calculating S_x according to the equation
      
      space="preserve" listing-type="equation">S.sub.x=α
      
      .sub.x ·
      
      R8.sub.old ·
      
      R1.sub.old /R2.sub.oldwherein α
      
      _x identifies a classification of a user of said postage meter machine as an A, B or C customer.
  - 31. A method as claimed in claim 28 comprising the additional steps of:
    - maintaining an ascending register in said postage meter machine having a register value which changes upon each franking by said postage meter machine;
      
      periodically interrogating said ascending register to obtain an interrogated register value R2_old ;
      
      said system routine causing said postage meter machine to conduct a printing impression in said franking mode, and maintaining a count R4_old of valid impressions respectively made for authorized frankings;
      
      calculating, in said postage meter machine, a calculated number S'"'"' as said allotted number by adding an average number S₀ of items to a disposition number S_x of items;
      calculating S₀ according to the equation ##EQU5## wherein R2_new is a requested, future value of said ascending register; and
      
      calculating S_x according to the equation
      
      space="preserve" listing-type="equation">S.sub.x =α
      
      .sub.x ·
      
      R4.sub.old ·
      
      R1.sub.old /R2.sub.oldwherein α
      
      _x identifies a classification of a user of said postage meter machine as an A, B or C customer.
  - 32. A method as claimed in claim 28 comprising the additional steps of:
    - following each communication between said central data station and said postage meter machine wherein said postage meter machine is re-funded, setting a sleeping mode counter to a count corresponding to said allotted number of frankings; and
      
      decrementing said count of said sleeping mode counter upon each franking until said count of said sleeping mode counter reaches zero.
  - 33. A method as claimed in claim 28 comprising the additional steps of:
    - setting, in said postage meter machine, a specified number S as said allotted number;
      
      setting a reference number S_ref of frankings;
      
      decrementing S upon each franking;
      
      after each franking, comparing S to S_ref ;
      
      causing said postage meter machine to enter into said sleeping mode when S is less than S_ref ;
      
      in said sleeping mode, continuing to decrement S upon each franking and also decrementing S_ref upon each franking and, as long as S is less than S_ref, lengthening said chronological duration of said franking delay by a predetermined lengthening amount following each franking; and
      
      when S=0, checking for the presence of one of said current code word or said new code word in said postage meter machine.
  - 34. A method as claimed in claim 33 comprising the additional steps of:
    - displaying said warning for the duration of each franking delay.
  - 35. A method as claimed in claim 33 comprising the additional step of:
    - following each franking after which S is less than S_ref, calculating a new value for S_ref by dividing a predetermined maximum number of frankings by a predetermined number and thereafter using said new value as the "value for S_ref for comparing with S until a next flanking after which S is less than S_ref, then repeating this step with said predetermined number incremented.
  - 36. A method as claimed in claim 9 comprising the additional steps of:
    - for conducting a franking in said franking mode, conveying an item at a conveying speed beneath a printing head and making a franking impression on said item; and
      
      monitoring said conveying speed of said item as indicative of the occurrence of each franking impression.
  - 37. A method as claimed in claim 36 comprising the additional step of displaying a warning if said limit for said conveying speed is exceeded;
    - andinhibiting said postage meter machine if no response is made to adjust said conveying speed below said value following said display.
  - 38. A method as claimed in claim 37 wherein the step of monitoring said conveying speed of said item is further defined by the steps of:
    - measuring said conveying speed with an encoder which produced encoder pulses indicative of said conveying speed; and
      
      measuring a number of said encoder pulses occurring during a time window and adjusting said conveying speed if said number of encoder pulses in said time window deviates from a specified number of encoded pulses.
  - 39. A method as claimed in claim 38 comprising the additional step of defining said time window by a crystal-controlled clock generator in said postage meter machine.
  - 40. A method as claimed in claim 38 comprising the additional steps of:
    - logging an error if said number of encoder pulses within said time window deviates from said specified number of encoder pulses by a specified deviation; and
      
      accumulating a count of said errors and disabling said postage meter machine if said count of said errors exceeds a predetermined count value.
  - 41. A method as claimed in claim 9 comprising the additional steps of:
    - for conducting a franking in said franking mode, making a franking impression on an item by moving an inking ribbon at a ribbon speed beneath a thermal transfer printer;
      
      measuring said ribbon speed with an encoder which produces encoder pulses indicative of said ribbon speed; and
      
      measuring a number of said encoder pulses occurring during a time window and adjusting said ribbon speed if said number of encoder pulses in said time window deviates from a specified number of encoded pulses.
  - 42. A method as claimed in claim 41 comprising the additional step of defining said time window by a crystal-controlled clock generator in said postage meter machine.
  - 43. A method as claimed in claim 41 comprising the additional steps of:
    - logging an error if said number of encoder pulses within said time window deviates from said specified number of encoder pulses by a specified deviation; and
      
      accumulating a count of said errors and disabling said postage mater machine if said count of said errors exceeds a predetermined count value.
  - 44. A method as claimed in claim 41 comprising the additional step of displaying a warning if said limit for said ribbon speed is exceeded;
    - andinhibiting said postage meter machine if no response is made to adjust said ribbon speed below said value following said display.
  - 45. A method as claimed in claim 41 comprising the additional steps of:
    - making said franking impression with said thermal transfer printer by column-by-column printing;
      
      comparing a chronological duration for printing each column in which variable data are present to a specified chronological duration; and
      
      inhibiting said postage meter machine dependent on a number of times for which said specified chronological duration is exceeded.

46. A method for improving the security of a postage meter machine which is capable of communication with a remote central data station, said postage meter machine containing a microprocessor which controls the execution of a start and initialization routine followed by a system routine, said system routine including a franking mode, said method comprising the steps of:
- establishing a first criterion indicative of whether the security of said postage meter machine has been breached;
  
  if said first criterion is not satisfied, placing said postage meter machine in a first mode which prevents said postage meter machine from conducting a franking;
  
  requiring specific measures to be undertaken before said postage meter machine is again capable of franking following entry of said postage meter machine into said first mode;
  
  if said first criterion is satisfied, calling in current data from said microprocessor to conduct a flanking;
  
  establishing a second security-related criterion;
  
  if said second security-related criterion is not satisfied after said current data are called in, causing said postage meter machine to enter into a second mode; and
  
  in said second mode, displaying a warning of impending disablement of said postage meter machine.
- View Dependent Claims (47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61)
- - 47. A method as claimed in claim 46 comprising the additional step of, in said second mode, additionally displaying a request to initiate a communication from the postage meter machine to said central data station.
  - 48. A method as claimed in claim 46 comprising the additional step of maintaining a count of each time each of said first or second security-related criterion is not satisfied;
    - andanalyzing said count as a basis for determining a level of security of said postage meter machine.
  - 49. A method as claimed in claim 46 comprising the additional steps of:
    - inhibiting said postage meter machine if said second security-related criterion is not satisfied, by setting a flag;
      
      undertaking preparatory steps for communicating with said central data station including interrogating said postage meter machine for the presence of said flag; and
      
      resetting said flag when communication with said central data station is established.
  - 50. A method as claimed in claim 46 wherein the step of establishing said second security-related criterion comprises establishing a maximum number of frankings which can be conducted by said postage meter machine and continuously comparing, upon each flanking, said maximum number against a running count of the number of items flanked by said postage meter machine.
  - 51. A method as claimed in claim 50 wherein the step of establishing a maximum number of flankings comprises the steps of:
    - calculating a maximum piece number; and
      
      dividing said maximum piece number by a predetermined number to obtain said maximum number of frankings.
  - 52. A method as claimed in claim 50 wherein the step of establishing a maximum number of frankings comprises the steps of:
    - obtaining a maximum piece number from said central data station in a communication between said postage meter machine and said central data station; and
      
      dividing said maximum piece number by a predetermined number to obtain said maximum number of frankings.
  - 53. A method as claimed in claim 50 comprising the additional steps, in said second mode, of:
    - comparing said running count of the number of items franked by said postage meter machine to a further franking number criterion;
      
      if said further franking number criterion is not satisfied, automatically requesting communication from said postage meter machine to said central data station and conducting a transaction between said postage meter machine and said central data station including the transmission from said postage meter machine to said central data station of at least one decision criterion protected by a MAC; and
      
      cancelling the automatic communication request if said transaction is successfully completed.
  - 54. A method as claimed in claim 53 comprising the additional steps of:
    - repeatedly interrogating, in said franking mode, whether said further franking number criterion has been satisfied; and
      
      automatically branching from said franking mode to a communication mode for communicating between said postage meter machine and said central data station if said further franking number criterion is satisfied.
  - 55. A method as claimed in claim 53 comprising the additional step of:
    - employing the number zero as said further franking number criterion.
  - 56. A method as claimed in claim 53 comprising the additional step of:
    - distinguishing whether said transaction has been requested manually or automatically.
  - 57. A method as claimed in claim 46 comprising the additional steps of:
    - logging all errors arising in the operation of said postage meter machine;
      
      entering into said second mode if a total of said logged errors exceeds an error overflow limit; and
      
      requiring a communication with said central data station or inspection of said postage meter machine by authorized personnel in order to reset said log of errors to remove said postage meter machine from said second mode.
  - 58. A method as claimed in claim 57 comprising the additional step, in said second mode, of:
    - retarding a time required by said postage meter machine to conduct a franking when in said second mode.
  - 59. A method as claimed in claim 58 wherein the step of retarding the time required to conduct a franking is further defined by increasingly retarding the time required to conduct a franking as the number of logged errors increases.
  - 60. A method as claimed in claim 58 wherein the step of retarding the time required to conduct a franking is further defined by increasing the time required to conduct a franking by a specified time step as each additional error is logged.
  - 61. A method as claimed in claim 58 comprising the additional steps of:
    - identifying an error as an error arising due to operator mistake; and
      
      actuating an electronic time lock of said postage meter machine which increases the time required to conduct a franking upon each error identified as an operator mistake.

62. A method for improving the security of a postage meter machine which is capable of communication with a remote central data station, said postage meter machine containing a microprocessor which controls the execution of a start and initialization routine followed by a system routine, said system routine including a franking mode, said method comprising the steps of:
- internally distinguishing within said postage meter machine between non-manipulated and manipulated operation of said postage meter machine by supervising a chronological duration of the execution of programs or program sub-routines in said postage meter machine by comparing a measured running time of a program or sub-routine to a predetermined running time; and
  
  initiating measures to ensure the security of said postage meter machine if said predetermined running time is not equal to said measured running time, including placing said postage meter machine in a first mode wherein franking is prevented, and requiring establishment of a first security criterion to exit said first mode.
- View Dependent Claims (63)
- - 63. A method as claimed in claim 62 wherein the steps of supervising said chronological duration and comparing said running time are further defined by supervising said chronological duration and comparing said running time in an OTP.

64. A method for improving the security of a postage meter machine which is capable of communication with a remote central data station, said postage meter machine containing a microprocessor which controls the execution of a start and initialization routine followed by a system routine, said system routine including a franking mode, said method comprising the steps of:
- varying a count value during execution of a program routine in said postage meter machine;
  
  comparing said count value to a predetermined count value after the execution of said program routine; and
  
  initiating steps to ensure the security of said postage meter machine if said count value is not equal to said predetermined count value including placing said postage meter machine in first mode wherein franking is prevented, requiring establishment of a first security criterion to exit said first mode.
- View Dependent Claims (65)
- - 65. A method as claimed in claim 64 wherein said program routine includes a plurality of branches, and wherein the step of varying a count value is further defined by varying a count value in a memory at at least one point during the execution of said program routine at which a branch takes place by multiplying said count value by a specified prime number allocated to said branch, and wherein the step of comparing said count value is further defined by identifying which branch exceeded said predetermined count value by conducting a prime number resolution of any count value which exceeds said predetermined count value.

66. A method for improving the security of a postage meter machine which is capable of communication with a remote central data station, said postage meter machine containing a microprocessor, under the supervision of an OTP, for executing a start and initialization routine followed by a system routine, said system routine including a franking mode, said method comprising the steps of:
- forming a checksum in said OTP for a content of an external program memory;
  
  comparing said checksum to a predetermined value stored in said OTP at a specified point in the operation of said postage meter machine; and
  
  inhibiting said postage meter machine if said predetermined value and said checksum do not coincide including placing said postage meter machine in first mode wherein franking is prevented, requiring establishment of a first security criterion to exit said first mode.
- View Dependent Claims (67, 68, 69, 70, 71, 72, 73)
- - 67. A method as claimed in claim 66 wherein said predetermined time is before execution of said flanking mode.
  - 68. A method as claimed in claim 66 wherein said predetermined time is after execution of said flanking mode.
  - 69. A method as claimed in claim 66 wherein said predetermined time is during said start and initialization routine.
  - 70. A method as claimed in claim 66 wherein said postage meter machine has a standby mode wherein flankings are not conducted, and wherein said predetermined time is during said standby mode.
  - 71. A method as claimed in claim 70 comprising the additional steps of:
    - forming a checksum of accounting register readings during said standby mode; and
      
      comparing said checksum of said accounting register readings to a further predetermined value and inhibiting said postage meter machine if said checksum of said accounting register readings is not equal to said further predetermined value.
  - 72. A method as claimed in claim 66 comprising the additional steps of:
    - in said flanking mode, initiating a print output request each time a flanking image is to be primed and, after printing, repeating a program loop to determine if a further print output request exists and, if so, repeating said program loop including a printing;
      
      monitoring whether a print output request is absent for a predetermined time;
      
      if said predetermined time is exceeded without a print output request, setting a flag and returning a beginning of said system routine;
      
      interrogating said postage meter machine for the presence of said flag and, if said flag is present, placing said postage meter machine in a standby mode;
      
      in said standby mode, forming said checksum of the content of said program memory and comparing said checksum; and
      
      if said checksum comparison is acceptable, resetting said flag, and if said checksum comparison is unfavorable, inhibiting said postage meter machine.
  - 73. A method as claimed in claim 72 comprising the additional step of requiring the presence of a valid code word to be stored in said postage meter machine in order for said postage meter machine to operate, and wherein the step of inhibiting said postage meter machine is further defined by erasing said valid code word.

74. Method for improving the security of a postage meter machine containing a control unit, said method comprising the steps of:
- (a) communicating data from a data central to the postage meter machine corresponding to a requested, authorized operation performed on the postage meter machine and logging said operation as an allowed operation in the control unit;
  
  (b) distinguishing in said control unit among requested, authorized and unauthorized operations performed on the postage meter machine using the data communicated from the data central, and logging an operation as an error given unauthorized operation performed on the postage meter machine and, after the conclusion of an authorized operation performed on the postage meter machine, restoring said postage meter machine to its original operating condition using said data communicated from the data central;
  
  (c) switching the postage meter machine into a first mode and thereby disabling said postage meter machine when the correct data are absent because an unauthorized operation was performed on the postage meter machine; and
  
  (d) placing said postage meter machine in a second mode and displaying a warning indicating an imminent automatic communication from said postage meter machine to said data central.
- View Dependent Claims (75, 76, 77, 78, 79, 80, 81)
- - 75. A method as claimed in claim 74 wherein said postage meter machine has an openable housing, and said method comprising the additional steps of:
    - providing a sensor which generates a signal upon the opening of said housing;
      
      supplying said signal to said control unit; and
      
      employing the presence of said signal in said control unit in combination with said data communicated from said data central for distinguishing among requested, authorized and unauthorized operations performed on said postage meter machine.
  - 76. A method as claimed in claim 74 comprising the additional step of operating said postage meter machine using a program having a plurality of program parts, each program part having a specified time for executing said program part, and wherein the step (b) is further defined by monitoring said time for a selected program part, setting a flag in a memory in said postage meter machine if said measured time is not equal to said specified time, repeatedly interrogating said memory to determine the presence of said flag therein, and given the presence of said flag in said memory, executing (c).
  - 77. A method as claimed in claim 76 comprising the additional steps of:
    - storing a codeword in a memory of said postage meter machine and requiring the continued presence of said codeword in said memory in order to prevent said postage meter machine from automatically transferring into said first mode when said postage meter machine is opened;
      
      erasing said codeword in said memory if said time associated with said selected program part is exceeded and overwriting said codeword in said memory with a predetermined different word and repeatedly interrogating said memory for the presence of said codeword, and switching said postage meter machine in step (c) into said first mode given the absence of said codeword in said memory.
  - 78. A method as claimed in claim 77 wherein said postage meter machine contains a plurality of stored security-related data in addition to said codeword, and comprising the additional steps of:
    - erasing at least a portion of said security-relevant data if said time for said selected program part is exceeded;
      
      repeatedly interrogating memory locations at which said additional security-relevant data are stored to determine the complete presence of said security-relevant data; and
      
      executing step (c) if an interrogation of said memory location indicates that any of said security-relevant data has been erased.
  - 79. A method as claimed in claim 74 comprising the additional step of operating said postage meter machine using a program having a plurality of program parts, each program part having a specified number of repetitions for executing said program part, and wherein the step (b) is further defined by monitoring said number of repetitions for a selected program part, setting a flag in a memory in said postage meter machine if said number of repetitions is exceeded, repeatedly interrogating said memory to determine the presence of said flag therein, and given the presence of said flag in said memory, executing (c).
  - 80. A method as claimed in claim 79 comprising the additional steps of:
    - storing a codeword in a memory of said postage meter machine and requiring the continued presence of said codeword in said memory in order to prevent said postage meter machine from automatically transferring into said first mode when said postage meter machine is opened;
      
      erasing said codeword in said memory if said number of repetitions associated with said selected program part is exceeded and overwriting said codeword in said memory with a predetermined different word and repeatedly interrogating said memory for the presence of said codeword, and switching said postage meter machine in step (c) into said first mode given the absence of said codeword in said memory.
  - 81. A method as claimed in claim 80 wherein said postage meter machine contains a plurality of stored security-related data in addition to said codeword, and comprising the additional steps of:
    - erasing at least a portion of said security-related data if said number of repetitions for said selected program part is exceeded;
      
      repeatedly interrogating memory locations at which said additional security-relevant data are stored to determine the complete presence of said security-relevant data;
      
      andexecuting step (c) if an interrogation of said memory location indicates that any of said security-relevant data has been erased.

82. A method for improving security of a postage meter machine containing a control unit, said method comprising the steps of:
- franking postal items in said postage meter machine using a printing head, said items being conveyed beneath said printing head at a conveying speed and said franking taking place at a printing speed;
  
  executing programs in said postage meter machine for franking items, said programs having an execution time associated therewith and having a count value associated therewith which is varied during execution of a program;
  
  selecting at least one of said conveying speed, said printing speed, said program execution time or said count value as a first security indicator and comparing said first security indicator to a first security criterion; and
  
  placing said postage meter machine in a first mode if said first security indicator does not satisfy said first security criterion and preventing further franking by said postage meter machine in said first mode and requiring establishment of said first security criterion to exit said first mode.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Francotyp-Postalia GmbH (Francotyp-Postalia Holding AG)
Original Assignee
Francotyp-Postalia GmbH (Francotyp-Postalia Holding AG)
Inventors
Wagner, Andreas, Reisinger, Frank, Rieckhoff, Peter, Gunther, Stephan, Windel, Harald, Kubatzki, Ralf, Bischoff, Enno, Freytag, Claus, Hansel, Marcus
Primary Examiner(s)
Cosimano, Edward R.

Application Number

US08/346,909
Time in Patent Office

1,028 Days
Field of Search

235/375, 324/110, 340/572, 340/687, 340/825.33, 340/825.34, 364/464.02, 364/464.03, 364/550
US Class Current

705/410
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/575   Secure boot

G06F 21/64   Protecting data integrity, ...

G07B 17/00   Franking apparatus printing...

G07B 17/0008   Communication details outsi...

G07B 17/00193   Constructional details of a...

G07B 17/00733   Cryptography or similar spe...

G07B 2017/00096   via phone lines

G07B 2017/00169   from a franking apparatus, ...

G07B 2017/00233   Housing, e.g. lock or harde...

G07B 2017/00258   Electronic hardware aspects...

G07B 2017/0033   Communication with software...

G07B 2017/00338   Error detection or handling

G07B 2017/00346   Power handling, e.g. power-...

G07B 2017/00403   Memory zones protected from...

G07B 2017/00419   Software organization, e.g....

G07B 2017/00427   Special accounting procedur...

G07B 2017/0075   Symmetric, secret-key algor...

G07B 2017/00774   MAC (Message Authentication...

G07B 2017/00935   Passwords

G07B 2017/00951 : Error handling, e.g. EDC (E...

View All

Method for improving the security of postage meter machines

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

82 Claims

Specification

Solutions

Use Cases

Quick Links

Method for improving the security of postage meter machines

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

82 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links