[0001] This application is related to concurrently filed copending European Patent Application
No. xx/xxx,xxx entitled POSTAGE PRINTING SYSTEM INCLUDING PREVENTION OF TAMPERING
WITH PRINT DATA SENT FROM A POSTAGE METER TO A PRINTER (client reference E-709).
[0002] This invention relates to value dispensing systems, such as postage printing systems.
The invention is applicable to a postage printing system comprising a mailing machine
base, a secure accounting meter detachably mounted to the base and a printer also
detachably mounted to the base wherein the meter and the printer are manufactured
to be interchangeable while still providing for secure mutual authentication.
[0003] One example of a value printing system is a postage printing system including an
electronic postage meter and a printer for printing a postal indicia on an envelope
or other mailpiece. Electronic postage meters for dispensing postage and accounting
for the amount of postage used are well known in the art. The postage printing system
supplies proof of the postage dispensed by printing a postal indicia which indicates
the value of the postage on an envelope or the like. The typical postage meter stores
accounting information concerning its usage in a variety of registers. An ascending
register tracks the total amount of postage dispensed by the meter over its lifetime.
That is, the ascending register is incremented by the amount of postage dispensed
after each transaction. A descending register tracks the amount of postage available
for use. Thus, the descending register is decremented by the amount of postage dispensed
after each transaction. When the descending register has been decremented to some
value insufficient for dispensing postage, then the postage meter inhibits further
printing of indicia until the descending register is resupplied with funds.
[0004] Traditionally, the accounting module and the printer portion of a postage printing
system have been located within a single secure housing. Examples of this type of
postage printing systems are PostPerfect® and model 6900 Postage Meter available from
Pitney Bowes, Inc. of Stamford, Connecticut, USA. In this environment, the communications
between the accounting module and the printer may be either secure or nonsecure. However,
because the accounting module and the printer are contained within the same secure
housing, they are dedicated to each other and are not interchangeable with other postage
meters.
Recent efforts have been undertaken to provide a postage printing system including
a detachable postage meter (accounting module) and a printer which are physically
separated from each other. This configuration provides some benefits to the customer.
For example, since the printer is not incorporated into the postage meter, the printer
may be purchased by the customer (some postal authorities require that postage meters
be rented only). As another example, customers may use interchangeable postage meters
with the same printer to provide increased operational flexibility and advantages.
Since this type of postage printing system does not locate the postage meter and the
printer within the same secure housing, the communication lines between the postage
meter and the printer are generally nonsecure. Using nonsecure communication lines
between the postage meter and the printer creates a risk of loss of postal funds through
fraud. For example, when data necessary to print a valid postal indicia is transferred
over the nonsecure communication lines from the postage meter to the printer, it is
susceptible to interception, capture and analysis. If this occurs, then the data may
be retransmitted at a later time back to the printer in an attempt to fool the printer
into believing that it is communicating with a valid postage meter. If successful,
the result would be a fraudulent postage indicia printed on a mailpiece without the
postage meter accounting for the value of the postage indicia.
[0005] Generally, it is known to employ secret cryptographic keys in postage evidencing
systems to prevent such fraudulent practices. This is accomplished by having the postage
meter and the printer authenticate each other prior to any printing taking place.
One such system is described in US Patent No. 5,799,290, entitled METHOD AND APPARATUS
FOR SECURELY AUTHORIZING PERFORMANCE OF A FUNCTION IN A DISTRIBUTED SYSTEM SUCH AS
A POSTAGE METER. Another such system is described in European Patent Publication No.
0,881,600, published on December 2, 1998, and entitled SYNCHRONIZATION OF CRYPTOGRAPHIC
KEYS BETWEEN TWO MODULES OF A DISTRIBUTED SYSTEM.
[0006] Another measure utilized to defeat fraud is inspection of the postage meter. Since
postage meters are regulated by a controlling postal authority, they are subject to
periodic inspection. During a physical inspection, the postage meter may be scrutinized
for physical evidence of tampering, such as: broken security seals, scratches on the
accounting printed circuit board, etc. Additionally, a remote inspection of the postage
meter may be performed by having the postage meter store fault information for subsequent
uploading to a data center.
[0007] Although these inspection techniques work well, a problem exists when the postage
meter and the printer are decoupled, as described above, in that the printer is not
subject to inspection by the postal authority. Therefore, any fraudulent attempts
to print postage with the printer would go undetected. For example, an unscrupulous
user could attempt to build a counterfeit device to defeat the security features of
the printer and supply the printer with print data signals in an attempt to print
fraudulent postal indicia. Since such attempts would go unrecognized by the postal
authority, the unscrupulous user would have the advantage of unlimited time to pursue
this fraudulent activity.
[0008] Therefore, there is a need for a postage printing system including a postage meter
and a printer in communication with but physically separate from the postage meter that
allows for the interchangeability of postage meters with printers and detects fraudulent
attempts to print postage with the printer.
[0009] Accordingly, it is an object of the present invention to provide a postage printing
system with improved security and interchangeability which substantially overcomes
the problems associated with the prior art.
In accomplishing this and other objects there is provided a postage printing system
having an error reporting system. The postage printing system includes a printer and
a postage meter. The printer includes a memory, a print device for printing a postal
indicia and a controller in operative communication with the printer memory and the
print device. The postage meter includes a memory and is physically separable from
and in operative communication with the printer. The printer controller detects a
fault condition, stores a record of the fault condition in a history file within the
printer memory and, following a successful mutual authentication between the printer
and the postage meter, uploads the history file from the printer memory to the postage
meter memory for subsequent reporting to a data center.
[0010] In accomplishing this and other objects there is provided a method of reporting error
conditions in a postage printing system, the postage printing system including a printer
and a postage meter, the printer including a memory, a print means for printing a
postal indicia and a control means in operative communication with the printer memory
and the print means, the postage meter physically separable from and in operative
communication with the printer.
[0011] Therefore, it should now be apparent that the invention substantially achieves all
the above objects and advantages. Additional objects and advantages of the invention
will be set forth in the description which follows, and in part will be obvious from
the description, or may be learned by practice of the invention. Moreover, the objects
and advantages of the invention may be realized and obtained by means of the instrumentalities
and combinations particularly pointed out in the appended claims.
[0012] The accompanying drawings, which are incorporated in and constitute a part of the
specification, illustrate presently preferred embodiments of the invention, and together
with the general description given above and the detailed description of the preferred
embodiments given below, serve to explain the principles of the invention. As shown
throughout the drawings, like reference numerals designate like or corresponding
parts. In the drawings:
Fig. 1 is a schematic representation of a postage printing system including a postage
meter and a printer in accordance with an embodiment of the present invention; and
Fig. 2 is a flow chart summarizing the major features of an inspection routine for
identifying faults in the printer of the postage printing system according to an embodiment
of the present invention.
[0013] Referring to Fig. 1, a postage printing system 100 in accordance with an embodiment
of the present invention is shown. The postage evidencing system 100 includes a mailing
machine base 110, a postage meter 120 and a printer 160.
[0014] The mailing machine base 110 includes a variety of different modules (not shown)
where each module performs a different task on a mailpiece (not shown), such as: singulating
(separating the mailpieces one at a time from a stack of mailpieces), weighing, moistening/sealing
(wetting and closing the glued flap of an envelope) and transporting the mailpiece
through the various modules. However, the exact configuration of each mailing machine
is particular to the needs of the user. Since a detailed description of the mailing
machine base 110 is not necessary for an understanding of the present invention, its
description will be limited for the sake of clarity.
[0015] The postage meter 120 (smart card, housing containing a circuit board, or the like)
is detachably mounted to the mailing machine base 110 by any conventional structure
(not shown) and includes a microprocessor 130 having a memory 132, a clock 122 and
a vault or accounting unit 140 having a non-volatile memory (NVM) 142. The clock 122
is in communication with the microprocessor 130 for providing real time clock data.
The vault 140 holds various accounting and postal information (not shown), such as:
an ascending register, a descending register, a control sum register and a postal
identification serial number in the NVM 142. The vault 140 is also in communication
with the microprocessor 130 for receiving appropriate read and write commands from
the microprocessor 130. The microprocessor 130 is in operative communication with
the mailing machine base 110 over suitable communication lines (not shown). Additionally,
the microprocessor 130 of the postage meter 120 is in operative communication with
a remote data center 50 over suitable communication lines, such as a telephone line
70. The data center 50 communicates with the postage meter 120 for the purposes of
remote inspection, downloading of postal funds to the vault 140 and other purposes
described in more detail below.
[0016] The printer 160 is also detachably mounted to the mailing machine base 110 by any
conventional structure (not shown) and includes a controller 162 having a memory 164,
a print mechanism 166 and a clock 168. The controller 162 is in operative communication
with the microprocessor 130 of the postage meter 120 and the print mechanism 166 over
suitable communication lines. The memory 164 has stored therein an identification
serial number that is unique to the printer 160. The clock 168 is in communication
with the controller 162 for providing real time clock data. The print mechanism 166
prints a postal indicia (not shown) on a mailpiece (not shown) in response to instructions
from the postage meter 120 which accounts for the value of the postage dispensed in
conventional fashion. The print mechanism 166 may be of any suitable design, such
as: rotary drum, flat impression die, thermal transfer, ink jet, electrophotographic
or the like.
[0017] To provide for security of postal funds and to prevent fraud, the postage meter 120
and the printer 160 are provided with secret cryptographic keys which are necessary
for mutual authentication to ensure that: (i) the postage meter 120 will only transmit
postal indicia print information to a valid printer 160; and (ii) the printer 160
will only execute postal indicia print information received from a valid postage meter
120. Generally, a mutual authentication routine involves the encryption and decryption
of secret messages transmitted between the postage meter 120 and the printer 160.
An example of such a routine can be found in aforementioned European Patent Publication
No. 0881600, published on December 2, 1998, and entitled SYNCHRONIZATION OF CRYPTOGRAPHIC
KEYS BETWEEN TWO MODULES OF A DISTRIBUTED SYSTEM. However, since the exact routine
for mutual authentication is not necessary for an understanding of the present invention,
no further description is necessary. Once mutual authentication is successful, the
postage meter 120 is enabled to transmit postal indicia print information and the
printer 160 is enabled to print a valid postal indicia. As an additional measure,
the postal indicia print information may also be encrypted or subject to error checking
so as to discourage fraudulent attempts to manipulate the information, such as: printing
a higher value postal indicia than was authorized by the postage meter 120.
[0018] With the structure of the postage printing system 100 described as above, the operational
characteristics will now be described. Referring to Fig. 2 in view of the structure
of Fig. 1, an inspection routine 200 for identifying faults in the printer 160 of
the postage printing system 100 of the present invention is shown. At 202, the controller
162 monitors the activity of the printer 160 and detects when a fault occurs in the
printer 160. A fault may be any unanticipated or undesirable event, such as: the
printer 160 being unable to authenticate a postage meter 120 during a communication session
(due to a fraudulent postage meter) or differences between the print information sent
by the postage meter 120 and what was received by the printer 160. A suitable technique
is described in concurrently filed copending European Patent Application No. xx/xxx,xxx
entitled POSTAGE PRINTING SYSTEM INCLUDING PREVENTION OF TAMPERING WITH PRINT DATA
SENT FROM A POSTAGE METER TO A PRINTER (client reference E-709). Next, at 204, the
controller 162 stores a record in memory 164 indicative of the fault. Preferably,
the record contains: (i) a date/time stamp obtained from the clock 168 indicating
when the fault occurred; (ii) an indication of the type of fault encountered; and
(iii) the identification serial number of the printer 160. As faults occur, the associated
records accumulate in a file so that a historical log of faults is kept by the printer
160. Preferably, the records are stored in encrypted form or in protected memory to
prevent tampering. Next, at 206, the historical file is uploaded from the printer
160 to the postage meter 120 and stored in the NVM 142 at the occurrence of a predetermined
event such as: system initialization after successful mutual authentication, or a
given time of the day or week. In this manner, the historical file is only uploaded
to a valid postage meter 120. In the preferred embodiment, the NVM 142 is structured
to accumulate multiple historical files from a plurality of different printers. Next,
at 208, the historical file in the printer 160 is erased. This may be achieved either
by the postage meter 120 issuing an appropriate command or by the printer controller
162 itself. Next, at 210, the postage meter 120 uploads the historical file to the
data center 50 at the occurrence of a predetermined event, such as: downloading of
postal funds or remote inspections. Once the data center 50 interrogates the historical
file, appropriate action, if necessary, can be taken, such as: reporting the historical
file to the postal authority, sending a representative to perform a physical inspection
at the customer's location, mailing a warning to the customer's location, or communicating
to the population of postage meters that the identification serial number of the printer
is no longer a valid printer so that any subsequent attempts at mutual authentication
with the offending printer fail.
[0019] Those skilled in the art will recognize that various modifications can be made without
departing from the spirit of the present invention. For example, as an alternative,
clearing the historical file in the printer 160 could be delayed until after the postage
meter 120 has uploaded the historical log. Therefore, the postage meter 120 will wait
until the next successful mutual authentication with the printer 160 before authorizing
the printer 160 to clear its historical file. In this manner, it is assured that the
historical file is reported to the data center 50 before being cleared. However, it
is important that the postage meter 120 only authorize clearing of that portion of
the historical file that has been uploaded to the data center 50. Thus, if additional
records have been created, such as by use with another postage meter 120, then these
records are not cleared. Those skilled in the art will recognize that in this embodiment,
it is possible that the history file may be reported to more than one postage meter
120. As another example, the records stored within the printer 160 need not contain
the identification serial number of the printer 160 because the postage meter 120
knows the identification serial number of the printer 160 through the mutual authentication
process. Thus, the postage meter 120 could attach the printer identification serial
number to the historical file when received.
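The following Python sketch is an added illustration, not part of the patent text, of the fault-reporting flow of paragraph [0018] combined with the delayed, partial clearing of paragraph [0019]. Mutual authentication is reduced to a boolean because the routine is left unspecified above; the per-record sequence number, the class and method names, the fault-type strings and the sample serial number and timestamps are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FaultRecord:
    seq: int             # assumed per-printer sequence number (not in the patent)
    timestamp: str       # date/time stamp from the printer clock 168
    fault_type: str      # type of fault encountered
    printer_serial: str  # identification serial number of the printer 160

class Printer:
    def __init__(self, serial):
        self.serial, self.history, self._seq = serial, [], 0

    def log_fault(self, timestamp, fault_type):                  # steps 202/204
        self._seq += 1
        self.history.append(FaultRecord(self._seq, timestamp, fault_type, self.serial))

    def session(self, timestamp, meter_is_valid):
        # Mutual authentication reduced to a boolean; a failure is itself a fault.
        if not meter_is_valid:
            self.log_fault(timestamp, "AUTH_FAILED")
        return meter_is_valid

    def upload_history(self, authenticated):                     # step 206
        if not authenticated:
            raise PermissionError("history file is uploaded only to a valid meter")
        return tuple(self.history)

    def clear(self, authenticated, authorized_seqs):             # delayed step 208
        if not authenticated:
            raise PermissionError("clearing requires a valid meter")
        self.history = [r for r in self.history if r.seq not in authorized_seqs]

class PostageMeter:
    def __init__(self):
        self.nvm = {}        # (printer_serial, seq) -> record; files from many printers
        self.reported = set()

    def receive(self, records):
        for r in records:
            self.nvm[(r.printer_serial, r.seq)] = r

    def report(self, data_center):                               # step 210
        data_center.update(self.nvm)      # the data center de-duplicates by key
        self.reported |= set(self.nvm)

    def clearable(self, printer_serial):
        # Only records this meter has already reported may be cleared.
        return {seq for (serial, seq) in self.reported if serial == printer_serial}

def run_scenario():
    # All serial numbers and timestamps below are constructed sample values.
    printer, meter_a, meter_b, data_center = Printer("PRN-0001"), PostageMeter(), PostageMeter(), {}
    printer.log_fault("1999-01-04T09:00", "PRINT_DATA_MISMATCH")
    meter_a.receive(printer.upload_history(printer.session("1999-01-04T09:05", True)))
    refused = False
    try:   # counterfeit device: authentication fails, nothing is uploaded
        printer.upload_history(printer.session("1999-01-05T22:10", False))
    except PermissionError:
        refused = True
    meter_b.receive(printer.upload_history(printer.session("1999-01-06T08:00", True)))
    meter_a.report(data_center)
    # Next valid session with meter A: it may clear only what it has reported.
    printer.clear(printer.session("1999-01-07T08:00", True), meter_a.clearable(printer.serial))
    left_after_a = [r.seq for r in printer.history]
    meter_b.report(data_center)
    printer.clear(printer.session("1999-01-08T08:00", True), meter_b.clearable(printer.serial))
    return refused, left_after_a, sorted(seq for _, seq in data_center), printer.history
```

In this run the failed-authentication record created after meter A's upload survives meter A's clear authorization and is removed only after meter B, which also received the first record, has reported it to the data center.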
[0020] As yet another example, those skilled in the art will recognize that the postage
meter processor 130 and the printer controller 162 can be of any conventional design
incorporating appropriate electronic hardware components and software.
[0021] Many features of the preferred embodiment represent design choices selected to best
exploit the inventive concept as implemented in a postage printing system having a
postage meter, base and a printer. However, those skilled in the art will recognize
that the concepts of the present invention can be applied to other postage printing
system configurations that do not include a base, such as where the postage meter
is a stand alone unit in operative communication with a printer. That is, the present
invention is applicable to any postage printing system where the postage metering
portion is remotely located from the printing portion. In this context, remote may
mean adjacent, but not co-located within the same secure structure, or physically
spaced apart.
[0022] Therefore, the inventive concept in its broader aspects is not limited to the specific
details of the preferred embodiment but is defined by the appended claims and their
equivalents.
1. A postage printing system, comprising:
a printer (160) including a memory (164), a print means (166) for printing a postal
indicia and
a control means (162) in operative communication with the printer memory and the print
means; and
a postage meter (120) physically separable from and in operative communication with
the printer (160), the postage meter including a memory (132; 142); and the printer
control means (162) for:
detecting a fault condition;
storing a record of the fault condition in a history file within the printer memory
(164); and
following a successful mutual authentication between the printer (160) and the postage
meter (120), uploading the history file from the printer memory to the postage meter
memory.
2. The postage printing system of claim 1, further comprising:
a data center (50) in operative communication with the postage meter (120); and wherein:
after establishing secure communications between the data center (50) and the postage
meter (120), the postage meter being operable to upload the history file from the
postage meter memory (132, 142) to the data center (50).
3. The postage printing system of claim 1 or 2, wherein:
the fault condition is a failed mutual authentication between the postage meter and
the printer.
4. The postage printing system of claim 3, wherein:
following successful uploading of the history file from the postage meter memory to
the data center, the postage meter authorizes clearing of the history file after a
subsequent successful mutual authentication between the postage meter (120) and the
printer (160).
5. The postage printing system of claim 4, wherein:
only a portion of the history file located within the printer (160) corresponding
to the history file that was previously uploaded to the data center (50) is cleared.
6. A method of reporting fault conditions in a postage printing system, the postage printing
system (100) including a printer (160) and a postage meter (120), the printer including
a memory (164), a print means (166) for printing a postal indicia and a control means
(162) in operative communication with the printer memory (164) and the print means
(166), the postage meter (120) physically separable from and in operative communication
with the printer (160), the postage meter including a memory (132, 142), the method
comprising the step(s) of:
detecting a fault condition;
storing a record of the fault condition in a history file within the printer memory
(164); and
following a successful mutual authentication between the printer (160) and the postage
meter (120), uploading the history file from the printer memory to the postage meter
memory.
7. The method of claim 6, wherein:
the postage printing system includes a data center (50) in operative communication
with the postage meter (120); and further comprising the step of:
after establishing secure communications between the data center (50) and the postage
meter, uploading the history file from the postage meter (120) memory to the data
center (50).
8. The method of claim 6 or 7, wherein:
the fault condition is a failed mutual authentication between the postage meter (120)
and the printer (160).
9. The method of claim 8, further comprising the step of:
following successful uploading of the history file from the postage meter memory to
the data center (50), authorizing clearing of the history file after a subsequent
successful mutual authentication between the postage meter (120) and the printer (160).
10. The method of claim 9, further comprising the step of:
clearing only a portion of the history file that was previously uploaded to the postage
meter (120) from the printer (160).