The present invention relates to the securing of postage value, and in particular to a method of securing postage data records stored in a postage printing device that represent such postage value when the postage printing device is transferred from one user to another.
Postage metering systems are well known in the art. A postage metering system applies evidence of postage, commonly referred to as postal indicium, to an envelope or other mailpiece (directly or on a label to be applied thereto) and accounts for the value of the postage dispensed.
Presently, there are two basic postage metering system types: closed systems and open systems. In a closed system, the system functionality is solely dedicated to postage metering activity. Examples of closed metering systems include conventional digital and analog (mechanical and electronic) postage meters wherein a dedicated printer is securely coupled to a metering or accounting function. In a closed system, since the printer is securely coupled and dedicated to the meter, printing evidence of postage cannot take place without accounting for the evidence of postage. In an open system, the printer is not dedicated to the metering activity, freeing system functionality for multiple and diverse uses in addition to the metering activity. Examples of open metering systems include personal computer (PC) based devices with single/multi-tasking operating systems, multi-user applications and digital printers. Open system indicia printed by the non-dedicated printer are made secure by including addressee information in the encrypted evidence of postage printed on the mailpiece for subsequent verification.
Conventional analog closed system postage meters (both mechanical and electronic) have heretofore physically secured the link between printing and accounting. The integrity of the physical meter box has been monitored by periodic inspections of the meters. Digital closed system postage meters typically include a dedicated digital printer coupled to a device that provides metering (accounting) functionality. Digital printing postage meters have removed the need for the physical inspection that was required with analog systems by cryptographically securing the link between the accounting and printing mechanisms.
In such digital closed systems, the dedicated printer and the metering (accounting) device may be located in the same device and/or at the same location when placed in operation. Alternatively, the dedicated printer may be located in a first location (i.e., the local location where indicia are to be printed), and the metering (accounting) device may be located in a remote location, such as a provider's data center. In the latter situation, it is still necessary for the dedicated printer to be a secure device having cryptographic capabilities so that postage printing information, such as an indicium, received from the metering (accounting) device, and the metering (accounting) device itself, can be authenticated.
One particular implementation of a closed system includes a secure postage printing device that stores and prints indicia for specific postage denominations that were previously dispensed by an approved postal security device (PSD) associated with a data center. In operation, a user sends a request to purchase postage to the data center in the form of a request for a particular number of indicia for one or more particular postage denominations (e.g., twenty $0.37 indicia and twenty $0.74 indicia). In response, the data center generates an appropriate number of postage data records (one for each requested indicium) and transmits them to the postage printing device, where they are stored until printed, refunded or erased at a refurbishment facility. In addition, for data integrity and/or security reasons, the postage requests are digitally signed and the postage downloads are encrypted and digitally signed using symmetric cryptography and secret keys that are associated with the particular postage printing device (i.e., a particular user account) and known only to the postage printing device and the data center. This type of postage printing device may also be freely and independently (i.e., without the participation of, or the need to get authorization from, the postage provider) transferred to a new user, in which case the new user is able to use any postage data records that are stored at the time of the transfer. However, as will be appreciated, if the keys are left unchanged after the transfer, the new user's transactions are cryptographically indistinguishable from the old user's, so the old user may be susceptible to and/or blamed for fraudulent acts committed by the new user. Thus, there is a need for a method for securing a postage printing device, and the inventory of postage data records held thereby, when the device is transferred among users.
The present invention relates to a method for use in a system that includes a postage printing device and a data center, wherein postage value may be downloaded to the postage printing device from the data center and wherein the postage printing device may be transferred among users. The postage printing device uses a first key to digitally sign one or more first requests for a plurality of first data records from the data center. Each of the first data records includes indicium information for enabling the postage printing device to print a postal indicium. The data center: (i) uses a second key to encrypt at least the indicium information of each of the first data records to generate a plurality of encrypted indicium information portions, (ii) uses each of the encrypted indicium information portions to form a plurality of encrypted first data records, and (iii) uses a third key to digitally sign each of the encrypted first data records to generate a plurality of data record digital signatures. The data center transmits the encrypted first data records and the data record digital signatures to the postage printing device. The postage printing device stores the third key for authenticating each of the first data records using a corresponding one of the data record digital signatures and the second key for decrypting each of the encrypted indicium information portions of each of the encrypted first data records.
The method of the present invention may be used to secure the postage printing device, and any stored postage data records, when the postage printing device is transferred from a first user to a second user. The method includes zeroing the first key in the postage printing device, and generating, at both the postage printing device and the data center, a fourth key, a fifth key and a sixth key. The postage printing device uses the fourth key to digitally sign one or more second requests for a plurality of second data records from the data center. Each of the second data records includes second indicium information for enabling the postage printing device to print a postal indicium. The data center: (i) uses the fifth key to encrypt at least the second indicium information of each of the second data records to generate a plurality of encrypted second indicium information portions, (ii) uses each of the encrypted second indicium information portions to form a plurality of encrypted second data records, and (iii) uses the sixth key to digitally sign each of the encrypted second data records.
The method further includes authenticating each of the first data records using the third key and a corresponding one of the data record digital signatures, decrypting each of the encrypted indicium information portions of each of the encrypted first data records using the second key, encrypting at least the indicium information of each of the first data records using the fifth key to generate a plurality of re-encrypted indicium information portions, and using each of the re-encrypted indicium information portions to form a plurality of re-encrypted first data records. In addition, the method includes digitally signing each of the re-encrypted first data records using the sixth key, and zeroing the second and third keys in the postage printing device.
Therefore, it should now be apparent that the invention substantially achieves all the above aspects and advantages. Additional aspects and advantages of the invention will be set forth in the description that follows, and in part will be obvious from the description, or may be learned by practice of the invention. Moreover, the aspects and advantages of the invention may be realized and obtained by means of the instrumentalities and combinations particularly pointed out in the appended claims.
The accompanying drawings illustrate presently preferred embodiments of the invention, and together with the general description given above and the detailed description given below, serve to explain the principles of the invention. As shown throughout the drawings, like reference numerals designate like or corresponding parts.
As seen in
In the particular embodiment shown in
In operation, a user sends a request to purchase postage from printer 25 and computing device 15 to data center 10 through communication network 20. Specifically, printer 25 generates a request for a particular number of indicia for one or more particular postage denominations (e.g., twenty $0.37 indicia and twenty $0.74 indicia). The request, before being sent to the data center 10, is digitally signed using a symmetric scheme such as, for example and without limitation, a keyed-hash message authentication code (HMAC), using a secret key known to both printer 25 and data center 10 (strictly, an HMAC produces a message authentication code rather than a digital signature, but this description follows the patent's usage). This key is known as the request authentication key, and enables the request for postage to be authenticated by the data center 10 (as described below, the data center also possesses the request authentication key). In response, the data center 10 generates an appropriate number of postage data records (one for each requested indicium) and securely transmits them to computing device 15 over communication network 20 (the postage data records consist of data records that include at least the data that is necessary to print a valid indicium). In particular, at least the indicium printing data of each of the postage data records is first encrypted by the data center 10 using a symmetric cipher such as, for example and without limitation, two-key triple DES (3DES2), using a secret key known to both printer 25 and data center 10. In the preferred embodiment, only the indicium printing data is encrypted. Alternatively, the entirety of each postage data record may be encrypted. The encryption key that is used is known as the response privacy key and is used to protect and secure the postage data records (in particular, the indicium printing data).
Next, each of the encrypted portions of the postage data records (e.g., the indicium printing data or possibly more), along with the remaining (clear text) portions, if any, of each of the postage data records, is digitally signed by the data center 10 using a symmetric scheme such as, for example and without limitation, an HMAC, using a secret key known to both printer 25 and data center 10. This key is known as the response authentication key, and enables the postage download to be authenticated by the printer 25. As described below, the printer 25 possesses both the response privacy key and the response authentication key. By encrypting and authenticating the postage data records under keys held only by the two parties, data center 10 is able to ensure that only the particular requesting printer 25 may ultimately use the postage data records that were sent. Because each of these keys is a shared symmetric secret, the "signatures" prove only that the sender was one of the two key holders; they do not provide non-repudiation between the printer and the data center in the way a public-key signature would, which is why the keys must be tied to a single user account and replaced when the account holder changes.
When received, the encrypted and signed postage data records are downloaded from the computing device 15 to the printer 25, where they are stored in memory 35 until used by the user to create an indicium that is printed on a mailpiece or a label. In one embodiment, each of the postage data records is authenticated by the printer using the digital signature and the response authentication key at the time of download. Alternatively, each postage data record may be authenticated when the indicium associated with it is printed. Once the postage data records are stored in memory 35, printer 25 may be detached from computing device 15 and used as a stand-alone postage dispensing device. Preferably, the encrypted indicium data of each postage data record is decrypted, using the response privacy key, only at the time of printing, so that clear-text indicium data is never held at rest in memory 35. Thus, in the mail processing system 5 shown in
As seen in step 50 in
Referring to
At step 90, the printer 25 uses the response authentication key AK2 (which it still has stored in memory) to authenticate, and the response privacy key AK3 to decrypt, the encrypted portions of the postage data records that are currently stored by the printer in memory 35 (these records were downloaded previously by user U1). Next, at step 95, the printer 25 uses the new response privacy key BK3 to encrypt at least a portion (e.g., the indicium printing data) of each of the decrypted (clear-text) postage data records, and the new response authentication key BK2 to digitally sign each of the encrypted portions together with any remaining portions of the postage data records. Finally, at step 100, the second shared secret value A′, the response authentication key AK2 and the response privacy key AK3 are zeroed in the printer 25, i.e., scrubbed from the memory 35. Thus, as a result of these operations, all key material relating to the previous user U1 is removed from the memory 35 while the inventory of postage data records is preserved under the new keys, thereby protecting the user U1 from theft and/or fraud on the part of user U2. Note that the order of steps matters: the old keys may be scrubbed only after every stored record has been successfully authenticated, decrypted and re-sealed under the new keys, since once AK2 and AK3 are zeroed any record still protected by them becomes unusable.
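The following is an added example, not code from the patent or its assignee, that models the three-key download scheme described above (request authentication key, response privacy key, response authentication key) together with the key rollover at steps 90 through 100. Several things are assumptions of this example rather than statements of the patent: the 3DES2 cipher is replaced by an HMAC-SHA256 keystream in counter mode so the script needs only the Python standard library; the new keys are derived from a fresh shared secret with HMAC-SHA256, whereas the patent says only that each side generates them; and the record layout, field names, device identifier and sample denominations are constructed here.

```python
"""Added example (not the patent's own code): toy model of the three-key
postage download scheme and the key rollover performed on device transfer.
Stand-ins not specified by the patent: HMAC-SHA256 keystream instead of
3DES2; key derivation from a shared secret via HMAC-SHA256; record layout,
field names and sample values are constructed for this example."""
import hashlib
import hmac
import os
import struct

KEY_LABELS = ("request_auth", "response_privacy", "response_auth")
ZERO_KEY = bytes(32)


def derive_keys(shared_secret: bytes) -> dict:
    """Assumed derivation: one key per role from a secret both ends hold."""
    return {label: hmac.new(shared_secret, label.encode(), hashlib.sha256).digest()
            for label in KEY_LABELS}


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the response privacy cipher: XOR data with a PRF keystream.
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def mac(key: bytes, *parts: bytes) -> bytes:
    """The patent's 'digital signature' is an HMAC under a shared key."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def seal_record(keys: dict, serial: int, denom_cents: int, indicium: bytes) -> tuple:
    """Encrypt only the indicium printing data; MAC covers clear and encrypted parts."""
    nonce = os.urandom(8)
    ct = keystream_xor(keys["response_privacy"], nonce, indicium)
    header = struct.pack(">II", serial, denom_cents)
    return (serial, denom_cents, nonce, ct, mac(keys["response_auth"], header, nonce, ct))


def check_record(key: bytes, record: tuple) -> None:
    """Raise ValueError unless the record's tag verifies under the given key."""
    serial, denom_cents, nonce, ct, tag = record
    expected = mac(key, struct.pack(">II", serial, denom_cents), nonce, ct)
    if not hmac.compare_digest(expected, tag):
        raise ValueError("record failed authentication")


class DataCenter:
    def __init__(self, device_id: str, keys: dict):
        self.keys = {device_id: dict(keys)}   # per-device (per-account) key set
        self.next_serial = 1

    def issue(self, device_id: str, request: bytes, signature: bytes) -> list:
        k = self.keys[device_id]
        if not hmac.compare_digest(mac(k["request_auth"], request), signature):
            raise ValueError("request failed authentication")
        count, denom_cents = struct.unpack(">HI", request)
        records = []
        for _ in range(count):
            indicium = f"INDICIUM serial={self.next_serial} value={denom_cents}".encode()
            records.append(seal_record(k, self.next_serial, denom_cents, indicium))
            self.next_serial += 1
        return records


class Printer:
    def __init__(self, device_id: str, keys: dict):
        self.device_id, self.keys, self.store = device_id, dict(keys), []

    def request(self, count: int, denom_cents: int) -> tuple:
        req = struct.pack(">HI", count, denom_cents)
        return req, mac(self.keys["request_auth"], req)

    def download(self, records: list) -> None:
        for r in records:                              # authenticate at download time
            check_record(self.keys["response_auth"], r)
            self.store.append(r)

    def print_next(self) -> bytes:
        r = self.store.pop(0)
        check_record(self.keys["response_auth"], r)    # re-check before printing
        return keystream_xor(self.keys["response_privacy"], r[2], r[3])


def transfer_device(printer: Printer, dc: DataCenter, new_shared_secret: bytes) -> None:
    """Key rollover on transfer (steps 90-100); zeroing is modelled by overwriting."""
    old = printer.keys
    old["request_auth"] = ZERO_KEY                 # the old user can no longer buy postage
    new = derive_keys(new_shared_secret)           # generated at both ends
    dc.keys[printer.device_id] = dict(new)
    resealed = []
    for r in printer.store:
        check_record(old["response_auth"], r)      # AK2: authenticate U1's records
        indicium = keystream_xor(old["response_privacy"], r[2], r[3])   # AK3: decrypt
        resealed.append(seal_record(new, r[0], r[1], indicium))         # BK3 and BK2
    printer.store = resealed                       # only now is it safe to scrub
    old["response_auth"] = old["response_privacy"] = ZERO_KEY
    printer.keys = new
```

The order in transfer_device mirrors the text: the old request authentication key goes first, the stored inventory is re-sealed under the new keys, and only then are the old response keys overwritten, so a failure partway through never leaves records that nobody can read.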
While preferred embodiments of the invention have been described and illustrated above, it should be understood that these are exemplary of the invention and are not to be considered as limiting. Additions, deletions, substitutions, and other modifications can be made without departing from the spirit or scope of the present invention. Accordingly, the invention is not to be considered as limited by the foregoing description but is only limited by the scope of the appended claims.
Number | Date | Country |
---|---|---|
20070073628 A1 | Mar 2007 | US |