Note: Descriptions are presented in the official language in which they were submitted.
CA 02263246 1999-02-26
POSTAGE PRINTING SYSTEM HAVING SECURE REPORTING OF PRINTER ERRORS
Cross Reference to Related Applications
E-708
This application is related to concurrently filed copending Canadian Patent
Application No. xxxxxxx entitled POSTAGE PRINTING SYSTEM INCLUDING
PREVENTION OF TAMPERING WITH PRINT DATA SENT FROM A POSTAGE
METER TO A PRINTER.
Field of the Invention
This invention relates to value dispensing systems. More particularly, this
invention is directed to a postage printing system comprising a mailing
machine base, a secure accounting meter detachably mounted to the base and a
printer also detachably mounted to the base wherein the meter and the printer
are manufactured to be interchangeable while still providing for secure mutual
authentication.
Background of the Invention
One example of a value printing system is a postage printing system including
an electronic postage meter and a printer for printing a postal indicia on an
envelope or other mailpiece. Electronic postage meters for dispensing postage
and accounting for the amount of postage used are well known in the art. The
postage printing system supplies proof of the postage dispensed by printing a
postal indicia which indicates the value of the postage on an envelope or the
like. The typical postage meter stores accounting information concerning its
usage in a variety of registers. An ascending register tracks the total amount
of postage dispensed by the meter over its lifetime. That is, the ascending
register is incremented by the amount of postage dispensed after each
transaction. A descending register tracks the amount of postage available for
use. Thus, the descending register is decremented by the amount of postage
dispensed after each transaction. When the descending register has been
decremented to some value insufficient for dispensing postage, then the
postage meter inhibits further printing of indicia until the descending
register is resupplied with funds.
Traditionally, the accounting module and the printer portion of a postage
printing system have been located within a single secure housing. Examples of
this type of postage printing system are PostPerfect and model 6900 Postage
Meter available from Pitney Bowes, Inc. of Stamford, Connecticut, USA. In this
environment, the communications between the accounting module and the printer
may be either secure or nonsecure. However, because the accounting module and
the printer are contained within the same secure housing, they are dedicated
to each other and are not interchangeable with other postage meters.
Recent efforts have been undertaken to provide a postage printing system
including a detachable postage meter (accounting module) and a printer which
are physically separated from each other. This configuration provides some
benefits to the customer. For example, since the printer is not incorporated
into the postage meter, the printer may be purchased by the customer (some
postal authorities require that postage meters be rented only). As another
example, customers may use interchangeable postage meters with the same
printer to provide increased operational flexibility and advantages.
Since this type of postage printing system does not locate the postage meter
and the printer within the same secure housing, the communication lines
between the postage meter and the printer are generally nonsecure. Using
nonsecure communication lines between the postage meter and the printer
creates a risk of loss of postal funds through fraud. For example, when data
necessary to print a valid postal indicia is transferred over the nonsecure
communication lines from the postage meter to the printer, it is susceptible
to interception, capture and analysis. If this occurs, then the data may be
retransmitted at a later time back to the printer in an attempt to fool the
printer into believing that it is communicating with a valid postage meter. If
successful, the result would be a fraudulent postage indicia printed on a
mailpiece without the postage meter accounting for the value of the postage
indicia.
Generally, it is known to employ secret cryptographic keys in postage
evidencing systems to prevent such fraudulent practices. This is accomplished
by having the postage meter and the printer authenticate each other prior to
any printing taking place. One such system is described in US Patent No.
5,799,290, entitled METHOD AND APPARATUS FOR SECURELY AUTHORIZING PERFORMANCE
OF A FUNCTION IN A DISTRIBUTED SYSTEM SUCH AS A POSTAGE METER. Another such
system is described in Canadian Patent Application No. 2,238,571, filed on May
26, 1998, and entitled SYNCHRONIZATION OF CRYPTOGRAPHIC KEYS BETWEEN TWO
MODULES OF A DISTRIBUTED SYSTEM.
Another measure utilized to defeat fraud is inspection of the postage meter.
Since postage meters are regulated by a controlling postal authority, they are
subject to periodic inspection. During a physical inspection, the postage
meter may be scrutinized for physical evidence of tampering, such as: broken
security seals, scratches on the accounting printed circuit board, etc.
Additionally, a remote inspection of the postage meter may be performed by
having the postage meter store fault information for subsequent uploading to a
data center. Although these inspection techniques work well, a problem exists
when the postage meter and the printer are decoupled, as described above, in
that the printer is not subject to inspection by the postal authority.
Therefore, any fraudulent attempts to print postage with the printer would go
undetected. For example, an unscrupulous user could attempt to build a
counterfeit device to defeat the security features of the printer and supply
the printer with print data signals in an attempt to print fraudulent postal
indicia. Since such attempts would go unrecognized by the postal authority,
the unscrupulous user would have the advantage of unlimited time to pursue
this fraudulent activity.
Therefore, there is a need for a postage printing system including a postage
meter and a printer in communication with but physically separate from the
postage meter that allows for the interchangeability of postage meters with
printers and detects fraudulent attempts to print postage with the printer.
Summary of the Invention
Accordingly, it is an object of the present invention to provide a postage
printing system with improved security and interchangeability which
substantially overcomes the problems associated with the prior art.
In accomplishing this and other objects there is provided a postage printing
system having an error reporting system. The postage printing system includes
a printer and a postage meter. The printer includes a memory, a print device
for printing a postal indicia and a controller in operative communication with
the printer memory and the print device. The postage meter includes a memory
and is physically separable from and in operative communication with the
printer. The printer controller detects a fault condition, stores a record of
the fault condition in a history file within the printer memory and, following
a successful mutual authentication between the printer and the postage meter,
uploads the history file from the printer memory to the postage meter memory
for subsequent reporting to a data center.
In accomplishing this and other objects there is provided a method of
reporting error conditions in a postage printing system, the postage printing
system including a printer and a postage meter, the printer including a
memory, a print means for printing a postal indicia and a control means in
operative communication with the printer memory and the print means, the
postage meter physically separable from and in operative communication with
the printer.
Therefore, it should now be apparent that the invention substantially achieves
all the above objects and advantages. Additional objects and advantages of the
invention will be set forth in the description which follows, and in part will
be obvious from the description, or may be learned by practice of the
invention. Moreover, the objects and advantages of the invention may be
realized and obtained by means of the instrumentalities and combinations
particularly pointed out in the appended claims.
Brief Description of the Drawings
The accompanying drawings, which are incorporated in and constitute a part of
the specification, illustrate presently preferred embodiments of the
invention, and together with the general description given above and the
detailed description of the preferred embodiments given below, serve to
explain the principles of the invention. As shown throughout the drawings,
like reference numerals designate like or corresponding parts.
Fig. 1 is a schematic representation of a postage printing system including
a postage meter and a printer in accordance with the present invention.
Fig. 2 is a flow chart summarizing the major features of an inspection routine
for identifying faults in the printer of the postage printing system of the
present invention.
Detailed Description of the Preferred Embodiments
Referring to Fig. 1, a postage printing system 100 in accordance with the
present invention is shown. The postage evidencing system 100 includes a
mailing machine base 110, a postage meter 120 and a printer 160.
The mailing machine base 110 includes a variety of different modules (not
shown) where each module performs a different task on a mailpiece (not shown),
such as: singulating (separating the mailpieces one at a time from a stack of
mailpieces), weighing, moistening/sealing (wetting and closing the glued flap
of an envelope) and transporting the mailpiece through the various modules.
However, the exact configuration of each mailing machine is particular to the
needs of the user. Since a detailed description of the mailing machine base
110 is not necessary for an understanding of the present invention, its
description will be limited for the sake of clarity.
The postage meter 120 (smart card, housing containing a circuit board, or the
like) is detachably mounted to the mailing machine base 110 by any
conventional structure (not shown) and includes a microprocessor 130 having a
memory 132, a clock 122 and a vault or accounting unit 140 having a
non-volatile memory (NVM) 142. The clock 122 is in communication with the
microprocessor 130 for providing real time clock data. The vault 140 holds
various accounting and postal information (not shown), such as: an ascending
register, a descending register, a control sum register and a postal
identification serial number in the NVM 142. The vault 140 is also in
communication with the microprocessor 130 for receiving appropriate read and
write commands from the microprocessor 130. The microprocessor 130 is in
operative communication with the mailing machine base 110 over suitable
communication lines (not shown). Additionally, the microprocessor 130 of the
postage meter 120 is in operative communication with a remote data center 50
over suitable communication lines, such as a telephone line 70. The data
center 50 communicates with the postage meter 120 for the purposes of remote
inspection, downloading of postal funds to the vault 140 and other purposes
described in more detail below.
The printer 160 is also detachably mounted to the mailing machine base 110 by
any conventional structure (not shown) and includes a controller 162 having a
memory 164, a print mechanism 166 and a clock 168. The controller 162 is in
operative communication with the microprocessor 130 of the postage meter 120
and the print mechanism 166 over suitable communication lines. The memory 164
has stored therein an identification serial number that is unique to the
printer 160. The clock 168 is in communication with the controller 162 for
providing real time clock data. The print mechanism 166 prints a postal
indicia (not shown) on a mailpiece (not shown) in response to instructions
from the postage meter 120 which accounts for the value of the postage
dispensed in conventional fashion. The print mechanism 166 may be of any
suitable design, such as: rotary drum, flat impression die, thermal transfer,
ink jet, electrophotographic or the like.
To provide for security of postal funds and to prevent fraud, the postage
meter 120 and the printer 160 are provided with secret cryptographic keys
which are necessary for mutual authentication to ensure that: (i) the postage
meter 120 will only transmit postal indicia print information to a valid
printer 160; and (ii) the printer 160 will only execute postal indicia print
information received from a valid postage meter 120. Generally, a mutual
authentication routine involves the encryption and decryption of secret
messages transmitted between the postage meter 120 and the printer 160. An
example of such a routine can be found in the aforementioned Canadian Patent
Application No. 2,238,571, filed on May 26, 1998, and entitled SYNCHRONIZATION
OF CRYPTOGRAPHIC KEYS BETWEEN TWO MODULES OF A DISTRIBUTED SYSTEM. However,
since the exact routine for mutual authentication is not necessary for an
understanding of the present invention, no further description is necessary.
Once mutual authentication is successful, the postage meter 120 is enabled to
transmit postal indicia print information and the printer 160 is enabled to
print a valid postal indicia. As an additional measure, the postal indicia
print information may also be encrypted or subject to error checking so as to
discourage fraudulent attempts to manipulate the information, such as:
printing a higher value postal indicia than was authorized by the postage
meter 120.
With the structure of the postage printing system 100 described as above, the
operational characteristics will now be described. Referring to Fig. 2 in view
of the structure of Fig. 1, an inspection routine 200 for identifying faults
in the printer 160 of the postage printing system 100 of the present invention
is shown. At 202, the controller 162 monitors the activity of the printer 160
and detects when a fault occurs in the printer 160. A fault may be any
unanticipated or undesirable event, such as: the printer 160 being unable to
authenticate a postage meter 120 during a communication session (due to a
fraudulent postage meter) or differences between the print information sent by
the postage meter 120 and what was received by the printer 160. A suitable
technique is described in concurrently filed copending Canadian Patent
Application No. xxxxxxxx entitled POSTAGE PRINTING SYSTEM INCLUDING PREVENTION
OF TAMPERING WITH PRINT DATA SENT FROM A POSTAGE METER TO A PRINTER. Next, at
204, the controller 162 stores a record in memory 164 indicative of the fault.
Preferably, the record contains: (i) a date/time stamp obtained from the clock
168 indicating when the fault occurred; (ii) an indication of the type of
fault encountered; and (iii) the identification serial number of the printer
160. As faults occur, the associated records accumulate in a file so that a
historical log of faults is kept by the printer 160. Preferably, the records
are stored in encrypted form or in protected memory to prevent tampering.
Next, at 206, the historical file is uploaded from the printer 160 to the
postage meter 120 and stored in the NVM 142 at the occurrence of a
predetermined event, such as: system initialization after successful mutual
authentication, or a given time of the day or week. In this manner, the
historical file is only uploaded to a valid postage meter 120. In the
preferred embodiment, the NVM 142 is structured to accumulate multiple
historical files from a plurality of different printers. Next, at 208, the
historical file in the printer 160 is erased. This may be achieved either by
the postage meter 120 issuing an appropriate command or by the printer
controller 162 itself. Next, at 210, the postage meter 120 uploads the
historical file to the data center 50 at the occurrence of a predetermined
event, such as: downloading of postal funds or remote inspections. Once the
data center 50 interrogates the historical file, appropriate action, if
necessary, can be taken, such as: reporting the historical file to the postal
authority, sending a representative to perform a physical inspection at the
customer's location, mailing a warning to the customer's location, or
communicating to the population of postage meters that the identification
serial number of the printer is no longer a valid printer so that any
subsequent attempts at mutual authentication with the offending printer fail.
Those skilled in the art will recognize that various modifications can be made
without departing from the spirit of the present invention. For example, as an
alternative, clearing the historical file in the printer 160 could be delayed
until after the postage meter 120 has uploaded the historical log. Therefore,
the postage meter 120 will wait until the next successful mutual
authentication with the printer 160 before authorizing the printer 160 to
clear its historical file. In this manner, it is assured that the historical
file is reported to the data center 50 before being cleared. However, it is
important that the postage meter 120 only authorize clearing of that portion
of the historical file that has been uploaded to the data center 50. Thus, if
additional records have been created, such as by use with another postage
meter 120, then these records are not cleared. Those skilled in the art will
recognize that in this embodiment, it is possible that the history file may be
reported to more than one postage meter 120.
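The inspection routine 200 and the deferred-clearing variant described above,
as an added example that is not code from the patent or its applicant. The HMAC
chain (standing in for "encrypted form or protected memory"), the shared log
key, the `authenticated` flag (standing in for the mutual authentication
routine) and all class, function and fault-type names are assumptions.

```python
import hashlib
import hmac
import json

ZERO_TAG = "00" * 32  # chain start value (assumption, not from the patent)
def _tag(key, prev_tag, body):  # HMAC-SHA256 over previous tag + record body
    msg = prev_tag.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class PrinterHistory:
    """Printer-side history file (memory 164), steps 202-208."""
    def __init__(self, serial, key):
        self.serial, self.key = serial, key
        self.records, self.seq, self.anchor = [], 0, ZERO_TAG

    def record_fault(self, timestamp, fault_type):
        """Step 204: append date/time stamp, fault type and printer serial."""
        self.seq += 1
        body = {"seq": self.seq, "time": timestamp,
                "fault": fault_type, "serial": self.serial}
        prev = self.records[-1]["tag"] if self.records else self.anchor
        self.records.append({**body, "tag": _tag(self.key, prev, body)})

    def upload(self, authenticated):
        """Step 206: release the file only after mutual authentication."""
        if not authenticated:
            raise PermissionError("mutual authentication required")
        return self.anchor, [dict(r) for r in self.records]

    def clear_through(self, seq, authenticated):
        """Step 208, deferred variant: erase only records already reported."""
        if not authenticated:
            raise PermissionError("mutual authentication required")
        cleared = [r for r in self.records if r["seq"] <= seq]
        if cleared:
            self.anchor = cleared[-1]["tag"]  # keep the chain verifiable
        self.records = [r for r in self.records if r["seq"] > seq]

def verify_history(key, anchor, records):
    """Meter side: False if a record was altered, reordered or cut mid-chain."""
    prev = anchor
    for r in records:
        body = {k: v for k, v in r.items() if k != "tag"}
        if not hmac.compare_digest(r["tag"], _tag(key, prev, body)):
            return False
        prev = r["tag"]
    return True

def demo():
    key = b"constructed-demo-key"            # constructed sample values
    p = PrinterHistory("PRN-0001", key)
    p.record_fault("1999-02-26T09:00", "AUTH_FAILURE")
    p.record_fault("1999-02-26T09:05", "PRINT_DATA_MISMATCH")
    anchor, uploaded = p.upload(authenticated=True)
    p.record_fault("1999-02-27T10:00", "AUTH_FAILURE")  # logged after upload
    p.clear_through(uploaded[-1]["seq"], authenticated=True)
    forged = [dict(uploaded[0], fault="NONE")] + uploaded[1:]
    return (verify_history(key, anchor, uploaded),
            verify_history(key, anchor, forged), [r["seq"] for r in p.records])
```

The chain alone does not reveal records removed from the end of the file; a
meter that remembers the last sequence number it saw for each printer serial
number would close that gap.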
As another example, the records stored within the printer 160 need not contain
the identification serial number of the printer 160 because the postage meter
120 knows the identification serial number of the printer 160 through the
mutual authentication process. Thus, the postage meter 120 could attach the
printer identification serial number to the historical file when received.
As yet another example, those skilled in the art will recognize that the
postage meter processor 130 and the printer controller 162 can be of any
conventional design incorporating appropriate electronic hardware components
and software.
Many features of the preferred embodiment represent design choices selected to
best exploit the inventive concept as implemented in a postage printing system
having a postage meter, base and a printer. However, those skilled in the art
will recognize that the concepts of the present invention can be applied to
other postage printing system configurations that do not include a base, such
as where the postage meter is a stand-alone unit in operative communication
with a printer. That is, the present invention is applicable to any postage
printing system where the postage metering portion is remotely located from
the printing portion. In this context, remote may mean adjacent, but not
co-located within the same secure structure, or physically spaced apart.
Therefore, the inventive concept in its broader aspects is not limited to the
specific details of the preferred embodiment but is defined by the appended
claims and their equivalents.