[0001] This application is a continuation-in-part of U.S. Serial No. 08/091,098, filed with
the United States Patent and Trademark Office on July 13, 1993.
[0002] This invention relates generally to electronic postage meters, and more particularly
the invention relates to a postage meter having electronic access control for enhanced
security.
[0003] A postage meter normally includes a postage selection mechanism, a postage printing
mechanism, and a plurality of internal registers for maintaining accounting information.
The internal registers most commonly contain numerical values representative of the
total postage paid for (control total), the total postage printed (ascending balance
or ascending register), and the total postage remaining (descending balance or descending
register). The information contained in the internal registers is redundant, since
the ascending balance and descending balance normally sum to the control total.
[0004] Prior to using the meter, a user must buy from a postal service employee a fixed
amount of postage. The postal service employee accesses the internal registers through
a mechanical key lock/switch and alters the contents of the internal registers to
reflect the amount of postage paid by increasing the control total and the descending
balance by this amount. To use the meter, the user first selects the value of postage
to be printed, and then activates the printing mechanism. The meter may be used until
the descending balance reaches a predetermined minimum (e.g., until the postage paid
for has been exhausted or has reached a minimum threshold value).
[0005] It can be seen that postage meters are subject to stringent security requirements
to insure that all postage actually printed has been paid for, and that the meter
is not in the possession of an unauthorized user or a licensee in default on his license.
Thus, the level of security can be measured by the difficulty of activating the meter
printing mechanism without correspondingly updating the counting registers within
the meter, and also by the difficulty of altering or losing the meter register values,
whether intentionally, inadvertently, or accidentally. To this end, the print mechanism
and the counting registers are located within a secure housing, and access thereto
is restricted to the manufacture of the meter under postal service supervision, with
partial access also allowed to postal service employees when they reset the meter.
[0006] The present invention provides enhanced security by replacing the mechanical key
lock/switch with an electronic access control system requiring the participation of
the meter manufacturer prior to resetting of the meter.
[0007] The present invention provides improved security, facilitates the administration
and control of postage meters, and enhances the collection of data on the meter population.
Briefly, and in accordance with the invention, a postage meter is reset by a postal
service employee only after an encrypted security code is issued to the postal employee
by the meter manufacturer or other authorized entity.
[0008] After the meter is delivered to the postal employee, the employee activates a Security
Access mode in the meter by activating a dedicated switch in the meter or alternatively
by depressing a specific combination of keys, which keys may be located on the main
keyboard used for all functions in all modes or, alternatively, may be located on
an auxiliary keyboard dedicated to resetting functions only. The switch and/or the
auxiliary keyboard, if either or both are used, will normally be located in a chamber
in the meter which is sealed by a wire and crimped lead removable by the postal employee.
[0009] Thereafter, the postal employee sends a coded two-part password to the meter manufacturer,
the first part of which identifies the postal employee or the post office station
and, if validated by the meter manufacturer, enables the transmittal of the second
part which identifies the meter and can provide other information as prescribed by
the postal authorities and the meter manufacturer. The manufacturer, through a central
computer for example, verifies the password and issues an encrypted security code
which is required to enable the postage reset operation. Alternatively, the password
might not be correct or might identify an unauthorized meter, in which case the security
code is withheld and possibly the meter is confiscated.
[0010] The security code can be a changing code which is operable only once, or a fixed
code which can be used repeatedly. The security code is entered into the meter by
the main or auxiliary keyboard, and when the meter verifies the code, the meter is
placed in a post office reset (PO) mode which enables the reset of revenue registers.
After reset of the registers, the meter is returned to a standard operating mode by
the postal employee using keyboard entries.
[0011] The invention and objects and features thereof will be more readily apparent from
the following detailed description and dependent claims when taken with the drawing.
Fig. 1 is a functional block diagram of an electronic postage meter in which the present
invention is employed;
Figs. 2a and 2b are a flow diagram of the process in resetting a postage meter in
accordance with the invention; and
Figs. 3a and 3b are a flow diagram of a modified process in resetting a postage meter
in accordance with the invention.
[0012] Referring now to the drawing, Fig. 1 is a block diagram of a postage meter 10 in
which the present invention is employed. Meter 10 includes a print mechanism 12, accounting
registers, and control electronics, all enclosed within a secure meter housing 13.
A keyboard 14 and a display 16 provide the user interface. A connector 17 provides
an electrical connection with a mailing machine for control of the printing process.
The control electronics includes a digital microprocessor 18 which controls the operation
of the meter, including the basic functions of printing and accounting for postage,
and optional features such as department accounting. The microprocessor is connected
to a clock 20, a read only memory (ROM) 22, a random access memory (RAM) 24, and a
battery-augmented memory (BAM) 26.
[0013] ROM 22 is primarily used for storing nonvolatile information such as software and
data/function tables necessary to run the microprocessor. The ROM can only be changed
at the factory. RAM 24 is used for intermediate storage of variables and other data
during meter operation. BAM 26 is primarily used to store accounting information that
must be kept when the meter is powered down. The BAM is also used for storing certain
flags and certain information that is necessary to the functioning of the microprocessor.
Such information includes meter identifying data such as the meter serial number and
the BAM initialization date, a control total (CT) register, a descending register
(DR), an ascending register (AR), and an encrypted security code. A sealed switch or an auxiliary
keyboard 28, if either or both are provided, will be located within the secure meter
housing 13.
[0014] The postage meter is delivered to a post office employee for resetting the descending
register. The postal employee must place the meter into a Security Access mode as
a prerequisite to setting the registers; in this operating mode, the meter can receive
an encrypted security code which will be provided by the meter manufacturer's central
office computer. In one implementation, neither the sealed switch 28 nor the auxiliary
keyboard 28 is provided: Security Access and PO modes are both set through the main
keyboard 14 alone. In a second implementation, auxiliary keyboard 28 is not provided;
Security Access mode is set using the sealed switch 28, and PO mode is set using main
keyboard 14. In a third implementation, Security Access mode is set by sealed switch
28, and PO mode is set using auxiliary keyboard 28 within the secure meter housing.
In a fourth implementation, sealed switch 28 is not provided, and Security Access
and PO modes are set by means of auxiliary keyboard 28 alone within the secure meter
housing.
[0015] A postal identification password is then transmitted to the meter manufacturer's
central office computer by the postal employee at 33, which identifies either the
employee or the post office. If this identification is recognized, the employee then
transmits the meter identification password, and the computer sends back an encrypted
security code which will enable the employee to place the meter into PO mode for accessing
the descending register. The postal employee then enters the encrypted security code
through the keyboard on the meter or through the auxiliary keyboard to put the meter
into a reset mode. The meter can be made resistant to trial-and-error experimentation
or hacking by requiring that the code must be entered correctly within a specified
number of attempts. Exceeding the retry limit puts the meter into a lockout mode where
the meter can be neither reset nor operated to print postage. The meter manufacturer
must then be contacted for additional specific procedures for clearing the lockout.
[0016] The encryption algorithm can produce a changing code which is unique to an individual
meter and valid for a single postage value reset transaction. In this version, each
change from the PO mode to reset mode requires a complete new cycle of communication
with the manufacturer's central computer. In another software version, the encrypted
security code issued by the central office computer is unique to the individual meter,
but may be used as many times as desired to switch the meter from Security Access
mode to PO mode with no further access to the manufacturer's central computer.
[0017] The dedicated switch or auxiliary keyboard may be located inside a door in the meter
cover which can be secured by sealing with a wire and crimped lead as required by
postal regulations for physical security of the key lock/switch. Once the encrypted
security code has been entered, the meter can be designed to allow the remainder of
the transaction to be done through the auxiliary keyboard or the main keyboard.
[0018] Figs. 2a and 2b are a flow diagram of the resetting process. The meter as delivered
to the post office by the user or meter manufacturer's representative at 30 for reset
is in a standard operating mode. The postal employee puts the meter in the Security
Access mode at 32 using the sealed switch or auxiliary keyboard 28 in Fig. 1. The
postal employee then sends a coded password to the meter manufacturer's central computer
by telephone line from a computer terminal with modem in the post office or by voice
communication using the telephone either via an audio response unit or through an
intermediary operator. The postal identification password contains identifying information
as prescribed by the postal authorities, which may include any or all of the following:
Post office station identity code
Postal employee identity code
If the postal identification password is not recognized by the meter manufacturer's
computer at 35, the computer aborts the procedure and defaults to a live operator
at 38, who can then take action appropriate to the circumstances. If the postal identification
password is recognized by the computer, the computer then accepts the entry of the
meter identification password at 34; content of the meter identification password
is determined by the meter manufacturer and may include any or all of the following:
Post office station identity
Postal employee identity
Meter serial number
User's meter license number (unique to user)
Meter status: "In Service," "New Installation," or "Withdrawal"
Revenue register contents (DR, AR and CT)
[0019] The manufacturer's computer then validates the password at 36. If the password is
not recognized or if the meter license number has been flagged in the computer as
being invalid, the computer aborts the procedure and defaults to a live computer operator
at 38 who can then take action appropriate to the circumstances.
[0020] If the password is recognized but the user has a delinquent account as noted at 40,
the live operator again takes over at 38. If the account is not delinquent, then the
central computer issues an encrypted security code to the postal employee at 42. The
encrypted security code can be used to enable the postage reset operation if correctly
entered in a specified number of tries. The encrypted security code will appear on
the post office video display terminal, VDT, screen, if used, or else will be heard
by the postal employee over the telephone, either synthesized through the audio response
unit, ARU, or spoken by the meter manufacturer's operator.
[0021] The security code in accordance with one embodiment is encrypted as a changing code
which works only once in enabling the meter. Alternatively, the security code can
be encrypted as a fixed code which works repeatedly with the meter without further
communication with the central processor. The encrypted security code can also contain
other identifying information as prescribed by postal authorities including any or
all of the following:
Meter serial number
User's meter license number
Meter status: "In Service," "New Installation," or "Withdrawal"
[0022] The postal employee then enters the encrypted security data into the meter by means
of the main keyboard or by the auxiliary keyboard as shown at 44. If the meter verifies
the encrypted security code at 46, then the meter moves from the Security Access mode
to the PO mode at 48 which enables the reset of the descending registers. However,
if the password verification at 46 is unsuccessful and the maximum number of retries has not
been reached as determined at 48, then an error message instructing the employee to try again is noted
at 50. If the password verification is unsuccessful within a predetermined number
of attempts, the meter goes into a lockout mode at 52 and the manufacturer must be
contacted for specific additional procedures to clear the lockout and allow the resetting
process to continue.
[0023] If the code is validated by the meter at 46, the meter then goes to the reset mode
at 54 which enables the reset of the descending register. The postal employee then
resets the meter registers using either the main or auxiliary keyboards at 56. Thereafter,
the meter is returned to the standard operating mode by the postal employee through
use of keyboard entries at 58, and the meter is returned to the user or to the meter
manufacturer's representative at 60.
[0024] The invention provides a number of advantages as compared to the existing system
of a mechanically locked key switch located behind a sealed door, including greatly improved
security, better protection of postal service revenues, easier and more effective
administration and control of postage meters, real time control of meters, and enhanced
collection of data on the meter population. The electronic key aspect of the system
provides access via encrypted security codes that are unique to a single meter as
opposed to the present key lock system in which many meters are keyed alike with a
single key. Thus, in the fixed code software version, a stolen code would allow ongoing
illegal access but only to one particular meter. Further, in the changing code software
version, a stolen code cannot provide any illegal access since each encrypted security
code can be used only once.
[0025] Better administration and control of meters is provided since a meter manufacturer
can request the post office to cancel a meter license for nonpayment of rental fees.
If the company is not successful in retrieving a meter after the license has been
cancelled for nonpayment, the meter's serial number and use status in the password
can be flagged so that the meter is identified when the password is transmitted. The
meter manufacturer can then prevent the reset by programming its computer to refuse
an encrypted security code to specified passwords, and if desired, may also telephone
the postal employee to request confiscation of the meter thus realizing real time
control of meters. Further, the password can be used for data collection which is
useful to the meter manufacturer and the postal service in maintaining real time control
of the meters and for determining revenue usage patterns and meter inspection data.
By including this data as part of the password, automatic and accurate reporting of
the information in a standardized format to the central computer system is provided.
[0026] The resetting process described hereinbefore provides security in permitting access
to the postage meter for resetting the value of credit only to an authorized postal
employee. In a modification of the process, increased security in respect of the variable
amount of credit entered into the meter is provided such that only a variable amount
of credit authorized by the manufacturer's central computer can be entered into the
postage meter and hence the central computer can maintain a record of the amount of
credit with which a postage meter is reset in each resetting transaction. Accordingly
even if a resetting transaction is carried out in an unauthorized and possibly fraudulent
manner, the post office can be provided with a copy of the record of resetting transactions
from the central computer to enable verification of each resetting transaction and
hence of proper accounting for the credit values entered into the meter. Figs. 3a
and 3b are a flow diagram of the modified resetting process. Steps in the flow chart
of Figs. 3a and 3b which correspond to and are the same as those of the flow chart
of Figs. 2a and 2b are referenced with the same reference numerals. After the meter
is delivered to the post office by the user or meter manufacturer's representative
at 30, the postal employee puts the meter into the Security Access mode at 32 by opening
a post office seal on the meter and using the sealed switch or auxiliary keyboard
29 in Fig. 1 and the postal employee sends a post office identification code at 33
to the meter manufacturer's central computer by telephone line from a computer terminal
in the post office or by voice communication using the telephone either via an audio
response unit or through an intermediary operator at the location of the central computer.
If the post office identification code is recognized by the central computer the post
office employee then sends a meter password at 61 relating to the specific postage
meter to be reset and to a variable credit amount (ΔC) by which the amount in the
descending register of that meter is to be incremented in the resetting process to
the meter manufacturer's computer. Accordingly the meter identification password includes
any or all of the information items set out hereinbefore in relation to Fig. 2a and
34 and also includes the selected variable credit amount (ΔC). Also values stored
in other registers of the meter may be required to be sent. The central computer carries
out a validation routine at 61 in respect of the information sent by the postal employee.
If the received information is valid and if the user does not have a delinquent account
as determined at 40, the central computer generates an encrypted security code and
this security code is transmitted at 62 to the postal employee. If the computer does
not recognize the post office identification at 35, the information sent to the computer
is not validated at 61 or the account is delinquent at 40, the procedures as shown
in Fig. 2a and described hereinbefore are carried out.
[0027] The encrypted security code generated by the central computer and transmitted to
the postal employee is generated using the variable amount of credit (ΔC). In addition
it is preferred that apart from being based on the amount of credit (ΔC), the security
code changes for each resetting transaction and works only once for permitting resetting
of the postage meter. Accordingly in addition to being based on the variable credit
amount (ΔC), the code is preferably based on a pseudo-random number generated by a
pseudo-random number generator in the central computer which is incremented for each
resetting transaction. The pseudo-random number generator may be implemented by a
microprocessor of the central computer and an algorithm.
[0028] Upon receipt of the encrypted security code transmitted from the central computer,
the postal employee enters into the meter at 63 by means of the main keyboard or the
auxiliary keyboard the received encrypted security code together with the variable
amount of credit (ΔC). The microprocessor 18 of the postage meter operates in conjunction
with an algorithm to generate an internal code based on the entered variable amount
of credit (ΔC) in the same manner as the central computer and compares the encrypted
security code input by the postal employee with the internal code generated in the
meter to validate at 64 the entered encrypted security code. If the comparison is
successful the microprocessor 18 of the meter resets the credit in the meter by incrementing
the descending register of the meter by the amount of credit (ΔC). If the comparison
is unsuccessful, the meter carries out the procedure as shown at 48, 50 and 52 as
described hereinbefore in relation to Fig. 2b. The postal employee verifies at 65
the setting of the registers to verify that the resetting procedure has been carried
out satisfactorily and restores the meter to standard operating mode by entry on the
keyboard, either main or auxiliary. If the post office seal has been opened for the
resetting procedure, the meter is resealed and the meter is released by the post office
at 60 and returned to the user or manufacturer's representative.
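The modified reset process of Figs. 3a and 3b, together with the retry limit and lockout of Fig. 2b, can be sketched as follows. This is an added example, not part of the patent text: the patent names no algorithm, so HMAC-SHA256, the shared per-meter key, the synchronized transaction counter standing in for the incremented pseudo-random number, the eight-digit code length, the three-attempt limit and all identifiers are assumptions.

```python
"""Added illustration: variable-credit reset code with one-time use and lockout."""
import hashlib
import hmac

CODE_DIGITS = 8      # assumed length of the code keyed in by the postal employee
MAX_ATTEMPTS = 3     # assumed retry limit before lockout


def derive_code(meter_key: bytes, serial: str, counter: int, delta_c: int) -> str:
    """Decimal code bound to one meter, one transaction and one credit amount (HMAC is a stand-in)."""
    msg = f"{serial}|{counter}|{delta_c}".encode()
    digest = hmac.new(meter_key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:8], "big") % 10**CODE_DIGITS).zfill(CODE_DIGITS)


class CentralComputer:
    """Issuer side: validates both passwords, then issues a code and logs the credit."""

    def __init__(self, stations, meters):
        self.stations = set(stations)   # recognised post office identity codes
        self.meters = meters            # serial -> dict(key, counter, flagged, delinquent)
        self.ledger = []                # record of (serial, counter, delta_c) per reset

    def issue_code(self, station_id, serial, delta_c):
        """Return (code, None) on success or (None, reason) when a live operator takes over."""
        if station_id not in self.stations:
            return None, "postal identification not recognised"
        rec = self.meters.get(serial)
        if rec is None or rec["flagged"]:
            return None, "meter password not validated"
        if rec["delinquent"]:
            return None, "delinquent account"
        code = derive_code(rec["key"], serial, rec["counter"], delta_c)
        self.ledger.append((serial, rec["counter"], delta_c))
        rec["counter"] += 1             # changing code: next transaction gets a new one
        return code, None


class Meter:
    """Meter side: recomputes the internal code and compares before touching registers."""

    def __init__(self, serial, key, descending=0, control_total=0):
        self.serial, self.key = serial, key
        self.counter = 0                # would live in battery-augmented memory
        self.descending = descending
        self.control_total = control_total
        self.mode = "STANDARD"
        self.failures = 0

    def enter_security_access(self):
        if self.mode == "STANDARD":     # a locked-out meter stays locked out
            self.mode = "SECURITY_ACCESS"

    def enter_code(self, code, delta_c):
        """Return True and credit the registers only if the code matches this delta_c."""
        if self.mode != "SECURITY_ACCESS":
            return False
        internal = derive_code(self.key, self.serial, self.counter, delta_c)
        if not hmac.compare_digest(internal, code):
            self.failures += 1
            if self.failures >= MAX_ATTEMPTS:
                self.mode = "LOCKOUT"
            return False
        self.descending += delta_c
        self.control_total += delta_c
        self.counter += 1               # the accepted code is now spent
        self.failures = 0
        self.mode = "STANDARD"          # simplification: the employee's return step is folded in
        return True


def demo():
    """Constructed scenario: an altered amount, one honest reset, then replays until lockout."""
    key = b"constructed-demo-key"
    central = CentralComputer({"PO-0001"}, {
        "M100": {"key": key, "counter": 0, "flagged": False, "delinquent": False}})
    meter = Meter("M100", key)
    code, _ = central.issue_code("PO-0001", "M100", 5000)
    meter.enter_security_access()
    altered = meter.enter_code(code, 9000)      # right code, wrong amount
    honest = meter.enter_code(code, 5000)       # right code, right amount
    meter.enter_security_access()
    replays = [meter.enter_code(code, 5000) for _ in range(MAX_ATTEMPTS)]
    return altered, honest, replays, meter.mode, meter.descending, central.ledger
```

With an eight-digit code and three attempts, a blind guess succeeds with probability 3 in 10^8 per lockout cycle; shortening the code for easier keying or voice read-back raises that figure directly.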
[0029] It is envisaged that the central computer is located at a meter manufacturer's premises
and is operated by the meter manufacturer. However, if desired the central computer
may be located in post office premises and be operated by the post office. The computer
may be a central installation or may be a distributed system located in the post office.
[0030] While the invention has been described with reference to a specific embodiment, the
description is illustrative of the invention and is not to be construed as limiting
the invention. Various modifications and applications may occur to those skilled in
the art without departing from the true spirit and scope of the invention as defined
by the appended claims.
1. A method of electronically accessing and resetting a postage meter by a postal employee
with enhanced security comprising the steps of
(a) delivering said postage meter to said postal employee,
(b) accessing a meter manufacturer's computer with a coded password identifying said
postal employee and/or a post office station,
(c) accessing a meter manufacturer's computer with a coded password identifying said
postage meter,
(d) transmitting an encrypted security code to said postal employee after verification
of said coded password by said meter manufacturer,
(e) entering said encrypted security code into said postal meter, and
(f) resetting postage registers in said postal meter.
2. The method as defined by claim 1 wherein step (a) further includes putting said postal
meter in a post office (PO) mode by said postal employee.
3. The method as defined by claim 2 wherein said post office mode is entered by a dedicated
switch sealed in said postage meter.
4. The method as defined by claim 2 wherein said post office mode is entered by an auxiliary
keyboard sealed in said postage meter.
5. The method as defined in Claim 1 wherein said post office mode is entered by the non-sealed
main keyboard of the postage meter.
6. The method as defined by claim 1 wherein step (b) is performed over a telephone line.
7. The method as defined by claim 6 wherein step (b) accesses a computer of said meter
manufacturer.
8. The method as defined by claim 1 wherein step (d) includes transmitting a changing
code which is unique to one postage meter and valid for a single transaction.
9. The method as defined by claim 1 wherein step (d) includes transmitting a code which
is unique to one postage meter and is valid for a plurality of transactions.
10. The method as defined by claim 1 wherein step (e) requires correct entry of a valid
encrypted security code within a specific number of attempts.
11. The method as defined by claim 10 wherein failure to enter a valid encrypted security
code within said specific number of attempts puts said postage meter in a lockout
mode in which said postage meter cannot be reset or operated to print postage.
12. The method as defined by claim 1 wherein step (f) includes accessing registers in
said postage meter through a keyboard of said postage meter.
13. The method as defined by claim 1 and further including
(g) manually switching said postage meter to a standard operating mode.
14. The method as defined by claim 13 wherein said standard operating mode is entered
through a keyboard of said postage meter.
15. A postage meter which can be accessed and reset electrically comprising
an operating keyboard,
a memory,
a plurality of registers including a control total register, a descending register
of unused prepaid postage, and an ascending register of printed postage,
a microprocessor, and
means for placing said postage meter in a standard operating mode for printing
postage, a Security Access mode for entering an encrypted security code, and a post
office mode for resetting at least one of said plurality of registers.
16. The postage meter as defined by claim 15 wherein said encrypted security code is stored
in said memory, said microprocessor compares the stored encrypted security code with
the entered encrypted security code before said reset mode can be entered.
17. The postage meter as defined by claim 15 and further including a sealed auxiliary
keyboard for entering said encrypted security code during said Security Access mode.
18. The postage meter as defined by claim 15 and further including a sealed switch in
said postage meter for entering said Security Access mode.
19. The postage meter as defined by claim 15 and further including a means for entering
said post office mode through manipulation of one or a combination of two or more
keys of the meter's main keyboard, which main keyboard is not sealed and is accessible
at all times to all users of the meter and is the same keyboard used to control all
other functions of the meter in all of its operating modes.
20. A method of electronically accessing and resetting values in a postage accounting
register of a postage meter at a post office location by a postal employee comprising
the steps of
(a) delivering said postage meter to said postal employee at said post office location,
(b) accessing a computer with a first coded password identifying at least one of said
post office location and said post office employee, with a second coded password identifying
said postage meter and with a selected variable amount of credit by which said postage
accounting register of said meter is to be incremented,
(c) verifying at said computer said coded passwords,
(d) after said verification of said coded password, transmitting an encrypted security
code based on said selected variable amount of credit to said postal employee,
(e) entering said encrypted security code and said selected variable amount of credit
into said postage meter,
(f) in said postage meter generating an internal code based on said selected variable
amount of credit and comparing said internal code with said encrypted security code
entered into said postage meter,
(g) in response to said comparing being successful resetting the postage accounting
register by incrementing said postage accounting register by said selected variable
amount of credit.
21. The method as defined in claim 20 wherein accessing the computer in step (b) includes
sending accounting information stored in at least the accounting register of the postage
meter to the computer and wherein step (c) includes verifying the accounting information
sent to the computer.
22. The method as defined in claim 20 wherein the computer is operated by a meter manufacturer
and wherein step (e) is performed by the post office employee.
23. The method as defined in claim 20 wherein the computer is operated by the post office
and wherein step (e) is performed by the post office employee.
24. The method as defined in claim 20 including the step, prior to entering the encrypted
security code into the postage meter, of the post office employee putting the postage
meter into a post office security access mode.
25. The method as defined in claim 24 wherein the postage meter is put into the security
access mode by operation of a dedicated switch accessible only by breaking a seal
in the postage meter.
26. The method as defined in claim 24 wherein the postage meter is put into the security
access mode by entry of a code on an auxiliary keyboard accessible only by breaking
a seal in the postage meter.
27. The method as defined in claim 24 wherein the postage meter includes a non-secure
keyboard for entry of data to the postage meter by a user of the postage meter and
wherein the postage meter is put into the security access mode by entry of a code
on the non-secure keyboard.
28. The method as defined in claim 20 wherein the encrypted security code is based on
the selected variable amount of credit and on a changing number unique to the postage
meter and to only one resetting of the postage meter.
29. The method as defined in claim 28 including the step of putting the meter into a lock-out
mode in which the postage meter cannot be reset on failure to enter a valid encrypted
security code within a predetermined number of attempts to enter the encrypted security
code.
30. A postage meter including an electronic circuit for carrying out accounting and control
functions, said circuit including a non-secure keyboard for use operating the postage
meter to print postage, an accounting register for storing accounting data; mode switching
means operable to put the postage meter selectively into an operating mode for printing
postage and into a secure access mode for resetting the accounting data in said accounting
register; said circuit being operative when in said secure access mode in response
to input of an accounting value for use in resetting the accounting register to generate
an internal code based on said accounting value and in response to input of said encrypted
security code to compare said internal code and said encrypted security code and if
the comparison is successful to reset the accounting register in accordance with the
accounting value.
31. A postage meter as defined in claim 30 wherein the mode switching means is operable
to put the postage meter into the secure access mode only in response to input to
the electronic circuit of a secure access code.
32. A postage meter as defined in claim 31 including a sealed auxiliary keyboard for input
of said secure access code.
33. A postage meter as defined in claim 30 wherein input of the secure access code is
by means of the non-secure keyboard.