(19)
(11) EP 0 388 840 A2

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication:
26.09.1990 Bulletin 1990/39

(21) Application number: 90105118.5

(22) Date of filing: 19.03.1990
(51) International Patent Classification (IPC)5G07B 17/04
(84) Designated Contracting States:
DE FR GB

(30) Priority: 23.03.1989 US 328099

(71) Applicant: NEOPOST INDUSTRIE
F-92220 Bagneux (FR)

(72) Inventor:
  • Haines, John Gregory
    Oakland, California 94618 (US)

(74) Representative: Weinmiller, Jürgen et al
Lennéstrasse 9 Postfach 24
82336 Feldafing (DE)


(56) References cited:


    (54) Security extension procedure for electronic remote setting meter


    (57) A technique for securely clearing the meter after it has been disabled by a security detection scheme without returning the meter to the factory. During this technique, the meter generates a security lock code which is transmitted to a data center computer. The data center computer compares the security lock code with an internally generated security lock code. If the codes agree, the data center computer then generates a security clear code which is transmitted to the meter. The meter then compares this code with an internally generated security clear code. If these codes agree, then the meter clears the security lock flag thereby enabling the meter. As a result, the customer can subsequently remotely set the meter.




    Description

    FIELD OF THE INVENTION



    [0001] This invention relates generally to postage meters, and more particularly, to electronic postage meters capable of being remotely set.

    BACKGROUND OF THE INVENTION



    [0002] With the advent of electronic postage meters, it has become possible to offer meter customers the feature of remotely adding postage credit (remote setting) to the postage meter. This feature enables the customer to set the amount of postage in the meter more readily and conveniently. Extensive procedures and controls are used to ensure that the postage meter amount is remotely set only when authorized. For example, the customer is usually required to enter a long code that varies each time the meter is remotely set. However, such procedures are not infallible, particularly when the postage meter has been stolen and is in the possession of a persistent person.

    [0003] As a result of these security concerns, some meters have been designed to detect the entry of an invalid remote setting code a predetermined number of consecutive times. Once this is detected, the meter is disabled and must be returned to the factory to be enabled. Although effective for preventing unauthorized remote setting of the meter, this approach also causes problems for authorized users who accidentally enter an incorrect remote setting code the predetermined number of times.

    SUMMARY OF THE INVENTION



    [0004] The present invention provides a technique for securely clearing the meter after it has been disabled without returning the meter to the factory. During this technique, the meter generates a security lock code which is transmitted to a data center computer. The data center computer compares the security lock code with an internally generated security lock code. If the codes agree, the data center computer then generates a security clear code which is transmitted to the meter. The meter then compares this code with an internally generated security clear code. If these codes agree, then the meter clears a security lock flag thereby enabling the meter. As a result, the customer can subsequently remotely set the meter.

    [0005] A further understanding of the nature and advantages of the present invention can be realized by the reference to the remaining portions of the specification and the attached drawings.

    BRIEF DESCRIPTION OF THE DRAWINGS



    [0006] 

    Fig. 1 is a block diagram of a preferred postage meter capable of being remotely set in the field by the customer;

    Fig. 2 is a detailed flowchart of the manner in which the security lock flag is set;

    Fig. 3 is a high level flowchart of the process for clearing the security lock flag;

    Fig. 4 is a detailed flowchart of the procedure for the customer to obtain a security lock code generated by the meter;

    Figs. 5a and 5b are detailed flowcharts of the procedure for the customer to confirm the security lock code with the data center computer; and

    Fig. 6 is a detailed flowchart of the procedure for the customer to clear the security lock flag.


    DESCRIPTION OF THE SPECIFIC EMBODIMENTS


    Meter Overview: Structure



    [0007] Fig. 1 is a block diagram of a preferred postage meter 10 that can be remotely set in the field by the customer. Meter 10 includes a print mechanism 12, accounting registers, and control electronics, all enclosed within a secure meter housing 13. A keyboard 14 and a display 16 provide the user interface. A connector 17 provides an electrical connection with a mailing machine for control of the printing process. The control electronics includes a digital microprocessor 18 which controls the operation of the meter, including the basic functions of printing and accounting for postage, and optional features such as department accounting and remote setting. The microprocessor is connected to a clock 20, a read only memory (ROM) 22, a random access memory (RAM) 24, and a battery augmented memory (BAM) 26.

    [0008] ROM 22 is primarily used for storing non-volatile information such as software and data/function tables necessary to run the microprocessor. The ROM can only be changed at the factory. RAM 24 is used for intermediate storage of variables and other data during meter operation. BAM 26 is primarily used to store accounting information that must be kept when the meter is powered down. The BAM is also used for storing certain flags and other information that is necessary to the functioning of the microprocessor. Such information includes meter identifying data such as the meter serial number and BAM initialization date, and a number of parameters relevant to the remote setting of the meter.

    How the Security Lock Flag is Set



    [0009] Fig. 2 is a detailed flowchart of the manner in which the security lock flag is set. Once the customer has a remote setting code for remotely setting the meter (or is attempting to remotely set the meter without the remote setting code), the customer puts the meter in a remote setting mode (step 40) by pressing a certain key sequence. The meter enters the remote setting mode by setting a mode register located in BAM (step 42). This prevents the meter from being used for printing purposes while being remotely set. The meter then determines whether the security lock flag has already been set (step 44). If so, the meter then displays a message and other needed information such as the security lock code and prompts for the security clear code (step 46). The customer is then unable to continue the remote setting process until the security lock flag has been cleared by the procedure shown in Figs. 3-6.

    [0010] If the security lock flag has not already been set, the customer may continue the remote setting procedure. The customer enters the remote setting code (step 48). The meter then checks again whether the security lock flag has been set (step 50). If so, the customer is returned to step 48 as if the remote setting code were incorrect, so that a locked meter responds to a correct code exactly as it does to an incorrect one. If the security lock flag has not been set, the meter determines whether the remote setting code is correct (step 52). If the code is correct, the meter resets the invalid-attempt counter to zero (step 53) and the customer may continue the remote setting procedure (not shown, as it does not directly relate to the present procedure). If the code is not correct, the meter checks whether the customer has already exceeded the predetermined number of allowed attempts (step 56). If not, the meter returns the customer to the step of entering the remote setting code. If the predetermined number of allowed attempts has been exceeded, the security lock flag in BAM is set and the meter returns the customer to the step of entering the remote setting code.
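The lockout logic of Fig. 2, written out as an added illustration that is not part of the patent text. The attempt limit of three, the constant-time comparison and the shape of the BAM record are assumptions; the patent fixes neither the limit nor the way the remote setting code is checked, and it stores the expected code in derived form rather than as a literal.

```python
"""Lockout logic of Fig. 2 (added illustration; limit and comparison assumed)."""
import hmac
from dataclasses import dataclass
from typing import Optional

MAX_ATTEMPTS = 3   # "predetermined number of allowed attempts": value assumed


@dataclass
class Bam:
    """Battery augmented memory: state that must survive a power-down."""
    mode: str = "print"
    security_lock: bool = False
    bad_attempts: int = 0


class Meter:
    def __init__(self, remote_setting_code: str, bam: Optional[Bam] = None):
        # A real meter derives the expected code; a fixed string keeps the demo short.
        self._expected = remote_setting_code
        self.bam = bam if bam is not None else Bam()
        self.display: list[str] = []

    def enter_remote_setting_mode(self) -> bool:
        """Steps 40-46: set the mode register, then refuse if already locked."""
        self.bam.mode = "remote_setting"      # printing is blocked in this mode
        if self.bam.security_lock:
            self.display.append("SECURITY LOCK SET - enter security clear code")
            return False
        return True

    def enter_remote_setting_code(self, code: str) -> str:
        """Steps 48-56: returns 'accepted' or 'rejected'.

        A locked meter answers 'rejected' to every code, correct or not (step 50),
        so an attacker who keeps trying codes after lockout learns nothing.
        """
        if self.bam.security_lock:
            return "rejected"
        # Step 52: constant-time comparison (assumed; the patent does not say).
        if hmac.compare_digest(code.encode(), self._expected.encode()):
            self.bam.bad_attempts = 0         # step 53
            return "accepted"
        self.bam.bad_attempts += 1
        if self.bam.bad_attempts > MAX_ATTEMPTS:   # step 56: "over" the limit
            self.bam.security_lock = True          # flag lives in BAM
        return "rejected"


def simulate_brute_force(attempts: list[str], correct: str = "482913") -> dict:
    """Feed a list of guesses to a fresh meter and report what the attacker sees."""
    meter = Meter(correct)
    meter.enter_remote_setting_mode()
    results = [meter.enter_remote_setting_code(a) for a in attempts]
    # Power-cycle: a new Meter object reuses the persisted BAM record.
    rebooted = Meter(correct, bam=meter.bam)
    return {
        "results": results,
        "locked": meter.bam.security_lock,
        "locked_after_reboot": rebooted.bam.security_lock,
        "correct_code_after_lock": rebooted.enter_remote_setting_code(correct),
    }
```

Two points the flowchart makes are visible here: the counter and the flag live in BAM, so a power cycle does not reset the attempt budget, and once the flag is set even the correct code is reported as wrong, which is what keeps the lockout from leaking the code to a thief.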

    Method for Clearing the Meter Security Lock Flag



    [0011] Fig. 3 is a high level flow chart of the process necessary for clearing the security lock flag in the meter. In a first stage 60, the customer obtains a security lock code generated by the meter. This security lock code is essentially a password to the data center computer, and is based upon a combination of factors, the combination of which only the data center computer would know. In a second stage 61, the customer confirms the security lock code with the data center computer. Upon confirmation from the computer, the computer provides a security clear code back to the customer. The security clear code is essentially a password from the data center computer to the meter stating that it is permissible to clear the security lock flag. In a third stage 62, the customer enters the security clear code to the meter. The meter confirms the security clear code and clears the security lock flag.

    [0012] Fig. 4 is a detailed flowchart of stage 60 as shown in Fig. 3. In a first step 40′ (corresponding to step 40 of Figure 2), the customer presses a certain key sequence, causing the meter to enter a remote setting mode. The meter enters the remote setting mode by setting a mode register located in BAM (step 42′).

    [0013] The meter then determines whether the security lock flag has been set (step 44′). If so, the meter then displays a message and other needed information and prompts for the security clear code (step 46′). In a first embodiment, the meter displays the meter serial number, the meter BAM initialization date, and the encrypted security lock code. The BAM initialization date is preferably a four digit number wherein the four digits YDDD express the date on which the meter was last initialized. DDD is the day of the year (the number of days since December 31 of the preceding year), and Y is the least significant digit of the year in which the meter was initialized. In a second embodiment, the meter displays the above numbers and the Control Register amount or some other meter specific identifying information. The Control Register contains the amount of postage the meter has printed since the meter was initialized plus the amount the meter is currently authorized to print. The customer should write these numbers down on a separate piece of paper for later use in the method.

    [0014] Two input numbers used by the meter and the computer to generate encrypted codes are the configuration transaction identifier ("CTID") and the setting transaction identifier ("STID"). Both are specific to the meter and dependent upon the meter serial number. They may also be incremented after each use. The CTID is normally used for reconfiguring the meter functions and for clearing the security lock flag; the STID is normally used for resetting the meter postage. Separate numbers are used for the separate procedures in order to maximize security and minimize the complexity caused by interdependence. The encryption routine is described in greater detail below under Encryption Technique.

    [0015] Figs. 5a and 5b are detailed flowcharts of stage 61 as shown in Fig. 3. The customer establishes communication with the data center computer over a standard telephone. In the first and second embodiments, the customer may communicate with the data center computer on a touch tone telephone by pressing its keys. Alternative embodiments may utilize a telephone communications device that includes a user or meter interface and a modem, or voice recognition over the telephone.

    [0016] The customer first enters a request code for the security extension procedure, that is, for clearing the security lock flag (step 70). The customer then enters the customer account number (step 72) and the meter serial number, which was displayed by the meter above and can also be found on the exterior of the meter (step 74).

    [0017] The data center computer then determines whether the serial number is valid given the customer account number (step 76). If the serial number is valid then the customer may continue, otherwise the customer is notified (step 78) and is given the opportunity to decide whether to try again (step 80). If the customer does not decide to try again, the customer should then contact his agent in order to determine how to clear up this problem.

    [0018] If the serial number is valid, then the customer enters the amount of the Control Register (step 84) obtained earlier in the procedure. The customer then enters the security lock code which was also obtained from the meter in the procedure above (step 86). The computer then generates a security lock code in a like manner (step 88) and compares that code to that entered by the customer (step 90). If the codes are not equal, then the customer is notified (step 92) and is given the opportunity to try again.

    [0019] If the codes are equal, then the computer determines whether the Control Register amount is valid (step 96). The Control Register amount is valid if the amount is equal to any prior Control Register amounts stored on the computer. The Control Register amount is not valid if it is greater than or equal to the present computer Control Register amount. If the Control Register amount is not valid, then the customer is notified and the occurrence of the invalid Control Register amount is logged in the computer (step 98).

    [0020] If the Control Register amount is valid, then the customer enters the current remote setting code (step 100). The computer then determines whether it is a valid code (step 102). If the remote setting code is not valid, then the computer passes the customer to a live operator for assistance (step 104). If the remote setting code is valid, then the computer generates a security extension code, that is, the security clear code (step 106), increments the CTID (step 108), flags that this event has occurred (step 110), and displays or returns the security clear code to the customer for use further in this method (step 112).

    [0021] Fig. 6 is a detailed flowchart of stage 62 shown above in Fig. 3. The customer enters the security clear code obtained from the computer into the meter (step 120). The meter then generates its own security clear code (step 122) and compares the computer generated code with the meter generated code (step 124). If the codes are not equal, then the customer is notified (step 126) and the customer is given an opportunity to try again or contact an agent (step 130). If the codes are equal, then the meter increments the CTID such that it is equal to the CTID stored in the computer (step 132), the meter clears the security lock flag (step 134) and the meter enters the remote setting mode by changing the mode register in BAM (step 136).

    Encryption Technique



    [0022] In order to perform the above procedure in a secure manner and to confirm certain data, the security lock code and the security clear code are generated by an encryption routine stored both in the meter ROM and in the data center computer. The encryption routine is a nonlinear algorithm that generates a number that appears random to an outside person. The encryption routine is performed by an encryption program in combination with a permanent encryption table. In the first and second embodiments, the encryption routine uses a 16 digit (or 64 bit) key and a 16 digit input number.

    [0023] In the first embodiment, the security lock code is generated by the encryption routine performed on the CTID as the key and a combination of the STID and Control Register amount as the input number. In the second embodiment, the key is composed of the serial number and the BAM initialization date, and the input number is composed of the STID and the Control Register amount.

    [0024] In the first (preferred) and second embodiments, the security clear code is generated by the encryption routine performed on the CTID as the key and a combination of the meter serial number and the STID as the input number.

    [0025] The CTID is a 16 digit number that is stored in BAM. The initial value of the CTID is obtained by performing an algorithm upon the BAM initialization date in combination with the meter serial number. The BAM initialization date is used to prevent starting with the same CTID every time the meter is initialized. The algorithm is not stored in the meter for security reasons. The initial CTID is stored in BAM during the initialization process at the factory. The CTID is incremented by a non-linear algorithm within the meter after the security lock flag is cleared.

    [0026] The codes generated by the encryption routine are 16-digits long. The lower digits of the codes are then communicated to the customer by the meter or the data center computer. The number of lower digits that are communicated is determined by the HSL value (see Appendix A for details).
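The three-stage clearing procedure of Figs. 3 to 6, together with the encryption technique of [0022] to [0026], the YDDD date of [0013] and the HSL truncation of Appendix A, modelled with both the meter and the data center computer in one script. This is an added example, not the patent's own code or Neopost's. Assumptions: the patent's undisclosed table-based encryption routine is replaced by HMAC-SHA256 reduced to 16 decimal digits; HSL 1 gives 6 digits and each further HSL level adds two; the factory CTID derivation, the non-linear CTID step and the Control Register validity rule (accepted if it matches an amount the data center has on record for the meter) are stand-ins; the serial number, account number, codes and amounts are constructed sample data.

```python
"""Field clearing of the security lock flag (Figs. 3-6), both sides modelled.
Added example, not the patent's code; stand-ins and sample data as noted."""
import hmac
from dataclasses import dataclass, field


def enc(key: str, inp: str) -> str:
    """16-digit keyed routine of [0022]; stand-in: HMAC-SHA256 reduced mod 10^16."""
    mac = hmac.new(key.encode(), inp.encode(), "sha256").digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**16:016d}"

def lower_digits(code16: str, hsl: int) -> str:
    """Appendix A / [0026]: HSL 1 -> 6 low digits (stated), +2 per level (assumed)."""
    return code16[-(6 + 2 * (hsl - 1)):]

def initial_ctid(serial: str, bam_date: str) -> str:
    return enc("FACTORY-SECRET", serial + bam_date)   # [0025]: factory only; secret assumed

def next_ctid(ctid: str) -> str:
    return enc(ctid, "CTID-STEP")   # non-linear step, identical on both sides (assumed)


@dataclass
class Bam:                      # meter state that survives power-down
    serial: str
    stid: str
    ctid: str
    control_register: int       # postage printed + currently authorized
    hsl: int = 1
    security_lock: bool = True


@dataclass
class Meter:
    bam: Bam

    def security_lock_code(self) -> str:           # stage 60, first embodiment
        b = self.bam
        return lower_digits(enc(b.ctid, f"{b.stid}{b.control_register:08d}"), b.hsl)

    def enter_security_clear_code(self, code: str) -> bool:   # stage 62
        b = self.bam
        expected = lower_digits(enc(b.ctid, b.serial + b.stid), b.hsl)   # [0024]
        if not hmac.compare_digest(code, expected):
            return False                           # step 126: notify, retry
        b.ctid = next_ctid(b.ctid)                 # step 132: resync with center
        b.security_lock = False                    # step 134
        return True


@dataclass
class Record:                   # data center's file on one meter
    account: str
    stid: str
    ctid: str
    hsl: int
    remote_setting_code: str
    prior_control_registers: list = field(default_factory=list)
    log: list = field(default_factory=list)


@dataclass
class DataCenter:
    meters: dict = field(default_factory=dict)     # serial -> Record

    def confirm(self, account, serial, control_register, lock_code, rs_code):
        """Stage 61 (Figs. 5a/5b): returns (status, security clear code or None)."""
        rec = self.meters.get(serial)
        if rec is None or rec.account != account:                       # step 76
            return "bad_serial", None
        expected = lower_digits(enc(rec.ctid, f"{rec.stid}{control_register:08d}"), rec.hsl)
        if not hmac.compare_digest(lock_code, expected):                # steps 88-90
            return "bad_lock_code", None
        if control_register not in rec.prior_control_registers:        # step 96
            rec.log.append(("invalid_control_register", control_register))  # step 98
            return "bad_control_register", None
        if not hmac.compare_digest(rs_code, rec.remote_setting_code):   # step 102
            return "operator", None                                     # step 104
        clear = lower_digits(enc(rec.ctid, serial + rec.stid), rec.hsl)  # step 106
        rec.ctid = next_ctid(rec.ctid)                                  # step 108
        rec.log.append(("security_extension", serial))                  # step 110
        return "ok", clear                                              # step 112


def provision(serial="1234567", account="ACCT-42"):
    """Constructed sample meter with a matching data center record."""
    stid, bam_date = "0000000000000042", "0078"      # YDDD of [0013]: 19.03.1990
    ctid = initial_ctid(serial, bam_date)
    meter = Meter(Bam(serial, stid, ctid, control_register=12500))
    center = DataCenter()
    center.meters[serial] = Record(account, stid, ctid, 1, "112233",
                                   prior_control_registers=[0, 5000, 12500])
    return meter, center


def run_clear(meter, center, account="ACCT-42", rs_code="112233"):
    """Stages 60-62 end to end: (center status, clear code, meter accepted?)."""
    lock = meter.security_lock_code()
    status, clear = center.confirm(account, meter.bam.serial,
                                   meter.bam.control_register, lock, rs_code)
    return status, clear, status == "ok" and meter.enter_security_clear_code(clear)
```

Two properties of the patent's design fall out of the model. The security lock code is checked before anything is issued, so the data center only hands a clear code to a caller whose meter holds the current CTID; and because both sides advance the CTID only after a successful exchange (steps 108 and 132), a clear code captured from one call is useless against the same meter afterwards. The model also shows why the Control Register check at step 96 is a tamper signal worth logging: a meter reporting an amount the data center never authorized still produces a matching lock code, so it is the amount itself, not the code, that exposes it.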

    Conclusion



    [0027] It can be seen that the present invention provides a secure and efficient technique for allowing the meter to be cleared in the field.

    [0028] While the above is a complete description of the specific embodiments of the invention, various modifications, alternative constructions, and equivalents may be used. For example, the electronics of the resettable meter may be structured differently. In addition, the security lock flag or another flag can be used to prevent other forms of memory modification when an improper code is entered a predetermined number of times. Furthermore, the encryption key used to generate the request codes could be composed of a meter cycle counter instead of the meter serial number. Other security measures may be implemented such as requiring periodic inspection of the meter.

    [0029] Therefore, the above description and illustration should not be taken as limiting the scope of the present invention, which is defined by the appended claims.

    APPENDIX A


    VARIABLE LENGTH SECURITY CODES



    [0030] An algorithm is used to generate an apparently random code with multiple digits. However, only a selected number of digits (usually the lower digits) of this code needs to be used in most applications. The number of digits needed depends upon the level of security needed. It is preferred to use as few digits as possible to decrease the number of keystrokes that must be entered, thereby increasing convenience and decreasing the potential for error.

    [0031] As a result, a variable has been created which defines the overall level of security required by the meter or data center computer. This variable is called the high security length (HSL) value.

    [0032] Each code generated by the meter or data center computer has a variable length of digits used depending upon the HSL value. That is, if the HSL value is 1, then the security lock code should have 6 digits. If the HSL value is higher, then the security lock code should be longer. Other codes may have different lengths for a given HSL value, but each code will increase or decrease in length if the HSL value is increased or decreased.

    [0033] This predetermined relationship between code length and the HSL value allows the meter manufacturer to increase or decrease security for the meter without having to recover and initialize each meter. Changes in the HSL value are communicated to the meter when performing a remote meter configuration.

    [0034] In an alternative embodiment, multiple security variables may be used to vary the lengths of individual or groups of codes without affecting the length of the remaining codes.


    Claims

    1. An electronic postage meter having memory capable of being modified by entry of a remote setting code, the meter comprising:

    (a) detection means for detecting the entry of an invalid remote setting code a predetermined number of times;

    (b) prevention means, responsive to the detection means, for selectively preventing the modification of memory upon the entry of an invalid code the predetermined number of times;

    (c) generating means for generating a meter code;

    (d) entry means for entering a non-meter code;

    (e) comparison means, coupled to the generating means and the entry means, for comparing the meter and non-meter codes; and

    (f) enabling means, responsive to the comparison means, for disabling the prevention means upon the meter and non-meter codes being equal.


     
    2. The electronic postage meter of claim 1 further comprising:

    (a) second generating means for generating a second meter code; and

    (b) display means, coupled to the second generating means, for displaying the second meter code.


     
    3. An electronic postage meter having a postage amount that can be remotely set by entry of a remote setting code, the meter comprising:

    (a) detection means for detecting the entry of an invalid remote setting code a predetermined number of times;

    (b) prevention means, responsive to the detection means for selectively preventing the postage amount from being remotely set upon the entry of an invalid code the predetermined number of times;

    (c) generating means for generating a meter code;

    (d) entry means for entering a non-meter code;

    (e) comparison means coupled to the generating means and the entry means for comparing the meter and non-meter codes; and

    (f) enabling means responsive to the comparison means, for disabling the prevention means upon the meter and non-meter codes being equal.


     
    4. The electronic postage meter of claim 3 further comprising:

    (a) second generating means for generating a second meter code; and

    (b) display means, coupled to the second generating means, for displaying the second meter code.


     
    5. The electronic postage meter of claim 3 further comprising a print means for printing postage not greater than the postage amount.
     
    6. The electronic postage meter of claim 5 wherein the prevention means further prevents the print means from printing postage upon the entry of an invalid remote setting code the predetermined number of times.
     
    7. The electronic postage meter of claim 3 further comprising enabling means for enabling the postage amount to be remotely set upon the entry of a second non-meter code.
     
    8. An electronic postage meter having a postage amount that can be remotely set by the entry of a remote setting code, the meter comprising:

    (a) detection means for detecting the entry of an invalid remote setting code a predetermined consecutive number of times;

    (b) prevention means, responsive to the detection means, for selectively preventing the postage amount from being remotely set upon the entry of an invalid remote setting code the predetermined consecutive number of times;

    (c) generating means for generating a first meter code and a second meter code;

    (d) display means, coupled to the generating means, for displaying the first meter code;

    (e) entry means for entering a non-meter code;

    (f) comparison means, coupled to the generating means and the entry means, for comparing the second meter and non-meter codes; and

    (g) enabling means, responsive to the comparison means, for disabling the prevention means upon the second meter and non-meter codes being equal.


     




    Drawing