WO1999048055A1 - Tamper resistant postal security device with long battery life - Google Patents
- Publication number
- WO1999048055A1 (PCT/US1999/005891)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- memory
- data
- security device
- postal security
- secure housing
Classifications
- G—PHYSICS
  - G07—CHECKING-DEVICES
    - G07B—TICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
      - G07B17/00—Franking apparatus
        - G07B17/00185—Details internally of apparatus in a franking system, e.g. franking machine at customer or apparatus at post office
          - G07B17/00193—Constructional details of apparatus in a franking system
            - G07B2017/00233—Housing, e.g. lock or hardened casing
            - G07B2017/00258—Electronic hardware aspects, e.g. type of circuits used
          - G07B17/00314—Communication within apparatus, personal computer [PC] system, or server, e.g. between printhead and central unit in a franking machine
            - G07B2017/00346—Power handling, e.g. power-down routine
          - G07B17/00362—Calculation or computing within apparatus, e.g. calculation of postage value
            - G07B2017/00395—Memory organization
              - G07B2017/00403—Memory zones protected from unauthorized reading or writing
        - G07B17/00733—Cryptography or similar special procedures in a franking system
          - G07B2017/00846—Key management
            - G07B2017/00862—Key storage, e.g. escrowing by trusted third party
          - G07B2017/00959—Cryptographic modules, e.g. a PC encryption board
            - G07B2017/00967—PSD [Postal Security Device] as defined by the USPS [US Postal Service]
Definitions
- the invention relates generally to postage meters (franking machines), and relates particularly to systems in which postage value is stored in a postal security device (PSD) so as to be protected against undetected tampering.
- PSD: postal security device
- nonsecure printers: printers such as laser printers, ink-jet printers, and thermal transfer printers. Such printers are termed "nonsecure" because the printer itself is not in a secure housing and because the communications channel linking the printer to other apparatus is nonsecure.
- the proposed anti-fraud measure is to store information within the indicia which would permit detecting fraud.
- the indicium would include not only human-readable text such as a date and a postage amount, but would also include machine-readable information, for example by means of a two-dimensional bar code.
- the machine-readable information would be cryptographically signed, and would include within it some information intended to make fraud more difficult.
- the information would typically include an identification of the postage meter license (granted by the meter manufacturer or by the postal authorities, depending on the country), an indication of the number of mail pieces franked, the postage amount, a postal security device identifier about which more will be said later, the date and time, and a zip code or post code of the mail piece addressee.
- the typical apparatus for printing such "encrypted indicia" postage includes what is called a postal security device or PSD.
- PSD has a secure housing, and within the secure housing are the accounting registers as well as a cryptographic engine.
- the engine permits cryptographic authentication and signing for communication with an external device such as the computer of the meter manufacturer or of the post office.
- the engine also permits creation of postal indicia which contain specified information and which are cryptographically signed.
- the PSD may well be physically small as compared to traditional postage meters.
- the PSD may be the size of a PCMCIA card or the size of a smart card.
- the memory must be protected against inadvertent damage due to malfunction of the processor of the PSD, for example as set forth in US Pat. No. 5668973, Protection system for critical memory information, owned by the same assignee as the assignee of the present application.
- the PSD must handle power failure in a graceful fashion, for example as set forth in US Pat. No. 5712542, Postage meter with improved handling of power failure, also owned by the same assignee as the assignee of the present application.
- the printer may preferably be that described in PCT publication no. 97-46389, Printing apparatus, also owned by the same assignee as the assignee of the present application. While it has been proposed that the PSD contain a real-time clock which is keeping time continuously, desirably this requirement may be avoided as described in PCT publication no. 98-08325, Printing postage with cryptographic clocking security, also owned by the same assignee as the assignee of the present application. PSDs can form part of a network with multiple printers as described in PCT publication no. 98-13790, Proof of postage digital franking, also owned by the same assignee as the assignee of the present application.
- the entire system of PSDs depends on the use of cryptographic keys.
- the keys are used for authenticating communications between the PSD and the manufacturer's system or the postal authority's system. Such communications are used to set up and maintain the PSDs, and are used to refill or "reset" the PSDs to reflect the ability to print more postage.
- the keys are also used to cryptographically "sign" information printed in the postal indicia. If the cryptographic keys were compromised, a user might be able to defraud the post office or the PSD manufacturer or both. Many approaches have been proposed for protection of such cryptographic keys from compromise.
- the usual approach is to place the cryptographic keys in a RAM (random access memory) of a type which keeps its contents only so long as the RAM receives power from a battery.
- the secure housing of the PSD is designed to include a tamper switch, so that if the secure housing is tampered with, the switch opens. The switch interrupts power to the RAM, and the information in the RAM (for example, the cryptographic keys) is lost.
- RAM: random access memory
- Another proposed approach is to employ commercial memory chips (such as the Dallas Semiconductor DS1283 and Benchmarq bq3283) which offer a pin on the package that will clear the memory based on a predetermined input voltage level.
- the tamper switch is set up to apply the predetermined voltage upon detection of tampering.
- In EP 820 041 it is suggested that the secure housing of an old-style mechanical or electromechanical postage meter be set up to contain an air pressure that is distinctively higher than or lower than normal atmospheric pressure. If the secure housing is violated, the pressure within the secure housing changes to match the ambient pressure. A sensor within the housing detects the pressure change and thus the violation. The sensor disables further function of the postage meter.
- the approach of cutting power to a volatile memory such as the RAM discussed above has a drawback in that during periods of power-down, the RAM depends on an internal battery to avoid loss of the information in the RAM.
- the data to be protected may include cryptographic keys used for PSD configuration, keys used for remote resetting (refilling), keys used for signing postal indicia, and keys used for the management of the other keys.
- a RAM big enough to hold all of these important items of data will also draw a non-negligible current from the internal battery. This may lead to a limited and commercially unacceptable battery life. It would thus be desirable to have a PSD design which protects the many important items of data stored within, and yet which does not draw very much battery power and so permits a commercially acceptable battery life.
- a postal security device contains a nonvolatile memory which does not depend on battery power, such as an EEPROM, and contains a nonvolatile memory which does depend on battery power, such as a static RAM.
- the PSD also contains an encryption engine.
- An encryption key is developed and is stored in the static RAM, which is sized to be only large enough to contain the encryption key.
- a large body of data, too large to fit in the static RAM, is encrypted by means of the encryption engine and with reference to the encryption key, and is stored in the EEPROM. This body of data typically includes cryptographic keys and sensitive bit-images.
- a large RAM, typically a dynamic RAM, holds the body of data once it has been decrypted.
- a tamper switch cuts power to both RAMs in the event of tampering. In this way, the battery power required to maintain the PSD during power-off periods is minimal, and yet the large body of data will be inaccessible in the event of tampering.
- Fig. 1 is a schematic functional block diagram of a system according to the invention.
- Fig. 1 shows a postal security device (PSD) in accordance with the invention.
- the PSD has a microprocessor 12 which communicates on a bus 22 with an input/output (I/O) device 18, a memory which does not require battery backup 13 which may be for example an EEPROM or flash memory, a relatively small RAM 14, a ROM 22, and a larger RAM 16.
- the I/O device 18 communicates with external apparatus by means of communications channel 19 which may be a serial asynchronous data line. External power 21 and ground 20 are also defined.
- the larger RAM 16, and most of the other active components, receive external power.
- the smaller RAM 14 is additionally able to receive power from a backup battery 15, preferably a lithium cell with a very long (e.g. ten-year) life.
- a tamper switch 17 is provided which, when triggered, can cut power to both the small RAM 14 and the large RAM 16.
- a large body of data is assumed to require protection from a tampering user.
- the EEPROM is selected to be large enough to hold this body of data after it has been encrypted.
- the body of data (or selected portions thereof) is decrypted and transferred to RAM 16.
- This decryption is performed by the microprocessor 12 executing a decryption routine stored in the ROM 22, and the decryption is done with respect to a decryption key in the RAM 14.
- the decryption may be performed by an optional engine omitted for clarity in Fig. 1.
- the decrypted data in RAM 16 are used as needed for the ordinary functions of the PSD, which include communicating via the communications channel 19 with a user computer, with a manufacturer's system, or with a postal authority system, and can include generating postal indicia which are to be printed by means of a printer.
- the body of data that requires protection from a tampering user may be located "in the clear", that is, unencrypted, in the RAM 16.
- This encryption is performed by the processor 12 executing encryption software in the ROM 22, or may optionally be performed by an encryption engine omitted for clarity in Fig. 1.
- the power-down condition for the PSD 10 assumes that no power is present at line 21. In that event, the only powered device is RAM 14.
- RAM 14 was purposefully selected to be large enough to hold the encryption key but not much larger, and in any event is smaller than the large body of data that is understood to require protection from a tampering user.
- the battery life is optimized, especially as compared with the shorter battery life that would result if the large body of data were all in battery-backed-up RAM.
- Tampering may happen during a time when external power 21 is present.
- the tamper switch should cut power to the RAM 14. (Or, alternatively, the tamper switch should apply to RAM 14 the predetermined voltage that clears the RAM.)
- the tamper switch will also cut power to the RAM 16 (or clear the RAM 16), for the reason that some of the body of sensitive data may be present "in the clear" in the RAM 16, and should not fall into the hands of the tampering user.
- the tamper switch might trigger an interrupt in the processor 12 which would cause the processor 12 to clear the sensitive portions of the RAM 16.
- Tampering may also happen during a time when external power 21 is absent.
- the RAM 16 is already, by definition, empty, as it is unpowered.
- the tamper switch causes the RAM 14 to be cleared. If the tampering user extracts the contents of the memory 13, this is of little significance, because the contents are useless unless decrypted with the assistance of the key that is no longer present in the RAM 14. If the PSD 10 is powered up again after the tampering, the decryption routine will not work because the key of RAM 14 is gone.
- the processor 12, under program control, will note the fact that RAM 14 is empty and will immediately attempt to send a message via communications channel 19 to the manufacturer or to the postal authority.
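As an added illustration (not the patent's own code), a Python model of the memory arrangement described above: a key-sized battery-backed RAM, an EEPROM holding the body of data encrypted under that key, a large RAM that holds the data in the clear only while external power is present, and a tamper switch that clears both RAMs. A SHA-256 counter-mode keystream stands in for the encryption engine, and the sizes and sample body of data are constructed.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Optional

KEY_BYTES = 32        # RAM 14 is sized to hold just the key and not much more
EEPROM_BYTES = 4096   # memory 13 is sized to hold the whole encrypted body of data


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the encryption engine: SHA-256(key || block counter) used as a
    keystream and XORed with the data. The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass
class PSD:
    eeprom: bytes = b""                  # memory 13: nonvolatile, no battery needed
    key_ram: Optional[bytes] = None      # RAM 14: small, battery-backed, holds the key
    work_ram: Optional[bytes] = None     # RAM 16: large, external power only
    external_power: bool = False

    def provision(self, sensitive: bytes) -> None:
        """Develop a key into RAM 14 and store the body of data encrypted in EEPROM."""
        if len(sensitive) > EEPROM_BYTES:
            raise ValueError("body of data does not fit the EEPROM")
        self.key_ram = os.urandom(KEY_BYTES)
        self.eeprom = keystream_xor(self.key_ram, sensitive)

    def power_up(self) -> bool:
        """Decrypt the EEPROM into RAM 16 using the key in RAM 14.
        Returns False when the key is gone, i.e. the device was tampered with;
        the real processor would then report to the manufacturer or postal authority."""
        self.external_power = True
        if self.key_ram is None:
            self.work_ram = None
            return False
        self.work_ram = keystream_xor(self.key_ram, self.eeprom)
        return True

    def power_down(self) -> None:
        """External power removed: only RAM 14 stays alive on the battery."""
        self.external_power = False
        self.work_ram = None

    def tamper(self) -> None:
        """Tamper switch cuts power to both RAMs, powered or not; the EEPROM keeps
        only ciphertext, which is useless without the key."""
        self.key_ram = None
        self.work_ram = None

    def battery_backed_bytes(self) -> int:
        """What the battery must keep alive during power-off: the key, not the data."""
        return len(self.key_ram) if self.key_ram is not None else 0


# Constructed sample body of data, standing in for signing/reset keys and bit-images.
SAMPLE_BODY = b"constructed sample of PSD keys and indicia bit-images\x00" * 40
```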
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AT99912648T ATE300069T1 (en) | 1998-03-18 | 1999-03-18 | Tamper-resistant franking machine device with long battery life |
US09/646,489 US7028014B1 (en) | 1998-03-18 | 1999-03-18 | Tamper resistant postal security device with long battery life |
JP2000537179A JP2002507802A (en) | 1998-03-18 | 1999-03-18 | Tamper proof postal security with long life battery |
EP99912648A EP1064622B1 (en) | 1998-03-18 | 1999-03-18 | Tamper resistant postal security device with long battery life |
DE69926222T DE69926222T2 (en) | 1998-03-18 | 1999-03-18 | Tamper-resistant franking machine with long battery life |
CA002324100A CA2324100C (en) | 1998-03-18 | 1999-03-18 | Tamper resistant postal security device with long battery life |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US7848998P | 1998-03-18 | 1998-03-18 | |
US60/078,489 | 1998-03-18 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO1999048055A1 (en) | 1999-09-23 |
Family
ID=22144347
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/US1999/005891 WO1999048055A1 (en) | 1998-03-18 | 1999-03-18 | Tamper resistant postal security device with long battery life |
Country Status (6)
Country | Link |
---|---|
EP (1) | EP1064622B1 (en) |
JP (1) | JP2002507802A (en) |
AT (1) | ATE300069T1 (en) |
CA (1) | CA2324100C (en) |
DE (1) | DE69926222T2 (en) |
WO (1) | WO1999048055A1 (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4575621A (en) * | 1984-03-07 | 1986-03-11 | Corpra Research, Inc. | Portable electronic transaction device and system therefor |
US4882752A (en) * | 1986-06-25 | 1989-11-21 | Lindman Richard S | Computer security system |
US5097253A (en) * | 1989-01-06 | 1992-03-17 | Battelle Memorial Institute | Electronic security device |
US5249227A (en) * | 1992-11-30 | 1993-09-28 | Motorola, Inc. | Method and apparatus of controlling processing devices during power transition |
US5668973A (en) | 1995-04-14 | 1997-09-16 | Ascom Hasler Mailing Systems Ag | Protection system for critical memory information |
EP0820041A2 (en) | 1996-07-19 | 1998-01-21 | Neopost Limited | Metering apparatus with tamper detector |
US5712542A (en) | 1995-05-25 | 1998-01-27 | Ascom Hasler Mailing Systems Ag | Postage meter with improved handling of power failure |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0128672A1 (en) * | 1983-05-13 | 1984-12-19 | Ira Dennis Gale | Data security device |
US4809185A (en) * | 1986-09-02 | 1989-02-28 | Pitney Bowes Inc. | Secure metering device storage vault for a value printing system |
CA2067331A1 (en) * | 1989-10-03 | 1991-04-04 | Joseph Unsworth | Electro-active cradle circuits for the detection of access or penetration |
1999
- 1999-03-18 JP JP2000537179A patent/JP2002507802A/en active Pending
- 1999-03-18 CA CA002324100A patent/CA2324100C/en not_active Expired - Fee Related
- 1999-03-18 WO PCT/US1999/005891 patent/WO1999048055A1/en active IP Right Grant
- 1999-03-18 EP EP99912648A patent/EP1064622B1/en not_active Expired - Lifetime
- 1999-03-18 AT AT99912648T patent/ATE300069T1/en not_active IP Right Cessation
- 1999-03-18 DE DE69926222T patent/DE69926222T2/en not_active Expired - Lifetime
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1209631A1 (en) * | 2000-11-28 | 2002-05-29 | Francotyp-Postalia AG & Co. KG | Power supply arrangement for a security part of an apparatus |
US7610501B2 (en) | 2000-11-28 | 2009-10-27 | Francotyp-Postalia Ag & Co. Kg | Arrangement for the power supply for a security domain of a device |
Also Published As
Publication number | Publication date |
---|---|
CA2324100A1 (en) | 1999-09-23 |
EP1064622A4 (en) | 2001-07-18 |
CA2324100C (en) | 2009-08-04 |
EP1064622B1 (en) | 2005-07-20 |
JP2002507802A (en) | 2002-03-12 |
DE69926222D1 (en) | 2005-08-25 |
EP1064622A1 (en) | 2001-01-03 |
DE69926222T2 (en) | 2006-05-24 |
ATE300069T1 (en) | 2005-08-15 |
Similar Documents
Publication | Title |
---|---|
US7028014B1 (en) | Tamper resistant postal security device with long battery life |
US5805711A (en) | Method of improving the security of postage meter machines |
US4813912A (en) | Secured printer for a value printing system |
EP0958674B1 (en) | System for protecting cryptographic processing and memory resources for postal franking machines |
EP0825565B1 (en) | Electronic postage meter system separable printer and accounting arrangement incorporating partition of indicia and accounting information |
CA2291999C (en) | System and method for suppressing conducted emissions by a cryptographic device |
CA1258916A (en) | System for detecting unaccounted for printing in a value printing system |
CA1267221A (en) | Unsecured postage applying system |
EP0825561B1 (en) | Electronic postage meter system having internal accounting system and removable external accounting system |
AU762710B2 (en) | Postage printing system including prevention of tampering with print data sent from a postage meter to a printer |
EP0875863B2 (en) | Electronic postage meter system having plural clock systems providing enhanced security |
EP2180451B1 (en) | Cryptographic device having active clearing of memory regardless of state of external power |
EP0862142A2 (en) | Franking machine |
CA2327974A1 (en) | System and method for preventing differential power analysis attacks (dpa) on a cryptographic device |
EP1770650A2 (en) | Method of securing postage data records in a postage printing device |
US7319989B2 (en) | Method and system for protection against replay of an indicium message in a closed system meter |
US6986053B1 (en) | System for protecting cryptographic processing and memory resources for postal franking machines |
EP1064622B1 (en) | Tamper resistant postal security device with long battery life |
US6466922B1 (en) | Postage meter with removable print head and having means to control access to the print head |
WO2001020559A1 (en) | Method and apparatus for user-sealing of secured postage printing equipment |
US5613007A (en) | Portable thermal printing apparatus including a security device for detecting attempted unauthorized access |
AU750360B2 (en) | Postage printing system having secure reporting of printer errors |
US20040177049A1 (en) | Method and system for protection against parallel printing of an indicium message in a closed system meter |
Legal Events
Code | Title | Description |
---|---|---|
AK | Designated states | Kind code of ref document: A1; Designated state(s): CA JP US |
AL | Designated countries for regional patents | Kind code of ref document: A1; Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
ENP | Entry into the national phase | Ref document number: 2324100; Country of ref document: CA; Ref country code: CA; Kind code of ref document: A; Format of ref document f/p: F |
ENP | Entry into the national phase | Ref country code: JP; Ref document number: 2000 537179; Kind code of ref document: A; Format of ref document f/p: F |
WWE | Wipo information: entry into national phase | Ref document number: 1999912648; Country of ref document: EP |
WWE | Wipo information: entry into national phase | Ref document number: 09646489; Country of ref document: US |
WWP | Wipo information: published in national office | Ref document number: 1999912648; Country of ref document: EP |
WWG | Wipo information: grant in national office | Ref document number: 1999912648; Country of ref document: EP |