The present disclosure relates to postal security devices, such as used in conjunction with franking machines and other devices that are used to generate postal indicia and other similar value-bearing items.
Typical postage evidencing systems use a postal security device (PSD), which is a dedicated secure computing device and/or environment. The PSD performs financial accounting of postage funds, as well as any cryptographic operations required to sign the postal indicia. Conventional PSDs commonly maintain registers to track the amount of funds available to generate postage; log activity of the PSD; sign indicia generated by the device; manage cryptographic keys used to sign register values and indicia; and monitor the device for tampering. Typically each physical mailing machine has an embedded or associated PSD. Some systems, such as Internet postage systems, incorporate a remote PSD which is able to provide PSD-type services to multiple clients, which may have been previously described in the art as a “virtual PSD” because the device is not resident at the same location where postage is requested. For example, some Internet-based postage systems use a fixed number of physical PSDs that may be virtualized in a remote server and shared across multiple customers, with the service provider managing accounts between the customers and the PSDs. Such devices typically have a limit on the number of clients they can host due to storage and bandwidth limitations.
Methods, systems, and computer-readable media are disclosed for providing a postage indicia, by receiving a request to generate an indicia; obtaining a VPSD record from a VPSD database which stores records for multiple VPSDs; extracting register information from the VPSD record; updating register values in the VPSD record based on the request; processing, via a HSM, the VPSD record and the first request to generate the indicia, by cryptographically signing a generated indicia that includes a fund amount corresponding to updates made to the register values; storing the updated register values in the VPSD record in the VPSD database; and providing the generated indicia.
Conventional PSDs provide the secure functionality, such as tracking available funds and related operations, that are necessary for franking machines and other postage systems to operate effectively. The PSD typically is physically integrated with the device that provides postage or franking services. Some systems use a “virtual PSD,” which usually refers to a remote device which may include a conventional PSD or equivalent. The functionality of the PSD is provided via a network interface such as over the Internet to end users. In some cases the remote PSDs are associated with and/or owned by individual customers. In other arrangements, a service provider may own the PSDs and be responsible for managing funds within them. The service provider may then provide postage to its own end users based on operations performed on its own PSDs, without the end users needing to have an account with the PSD. Conventional PSDs and prior “virtual PSDs” often suffer from scalability issues. For conventional PSDs, the only way to add additional throughput is to use additional PSDs or devices containing them. Similarly, virtual PSD systems are limited by the throughput of the backend PSDs used by the intervening service provider. Conventional and prior so-called “virtual” PSDs also suffer from significant recovery issues in the event of a physical hardware failure, since the PSD stores all register values internally. If a PSD fails, it can be difficult and time consuming to recover the last known-good register values, which store the postage value stored in the PSD, from the failed device.
Embodiments disclosed herein provide virtual PSDs based on hardware security modules (HSMs) that provide improved security, efficiency, and scalability. As used herein, a “hardware security module” refers to a device as is known in the cryptographic art, which provides management of digital cryptographic keys, cryptographic signing functions, and the like. Typically, an HSM is a limited-purpose Secure Computing Platform device that performs only those functions that are defined in executable code stored in the HSM. HSMs typically include a dedicated hardware cryptographic processor. An example of a suitable hardware HSM for use with embodiments disclosed herein is the IBM 4767, which is a Federal Information Processing Standard (FIPS) 140-2 Level 4 Certified HSM. It may be preferred to use HSMs that meet at least the FIPS 140-2 standard, and operations performed by, and only accessible by, such devices may be referred to as being performed within a “FIPS boundary,” i.e., within a cryptographically-secure computing environment.
In general, embodiments disclosed herein use HSMs and HSM-based systems to provide “virtual PSDs” (VPSDs), i.e., remote systems that are configured to provide the functions conventionally provided by the PSDs resident in franking machines and the like. Virtual PSDs as used herein may differ from other prior “virtual” devices, such as those used for Internet-based postage systems, in that they effectively and efficiently separate the secure functions, such as updating of registers, signing indicia, and the like, from other operations, and allow for greater scalability. A VPSD in this context and as used herein is represented by a database record that stores register values and other identifying information for the VPSD, but unlike conventional systems or prior “virtual” systems, there is no need for each stored VPSD record to be associated on a one-to-one basis with the HSM that provides the secure functions for the system, or for the VPSD to be permanently embodied in a specific hardware device. That is, each HSM may handle secure operations for any number of virtual PSDs by processing requests based on the VPSD record stored in the database, and each VPSD may be considered the combination of the stored VPSD record and whichever HSM device is used temporarily to process the VPSD record at the time that the VPSD is used to generate a postage indicia. Notably, due to this split data/secure operation structure, embodiments disclosed herein can also support an unlimited number of VPSDs without suffering from any of the scaling issues associated with conventional PSD-based systems or prior virtual PSD systems such as Internet postage systems. Embodiments disclosed herein also provide more robust protection from hardware failure; if an HSM device fails, the register values for the virtual PSD are still available within a VPSD database as disclosed herein, making access and recovery of those values possible through a database query. In contrast, prior devices and systems would need to recover the register values from a failed PSD itself, which may be difficult, expensive, and/or time-consuming depending on the state of the failed PSD. In conventional systems, a failed PSD also may require temporarily shutting down any associated systems that relied on the PSD to generate postal indicia. In contrast, a failure of one or even many HSMs does not require any stoppage of associated systems as disclosed herein, since the failed HSM(s) can be replaced at the same time that other fully-functional HSMs are used to perform any of the secure operations disclosed herein.
From the standpoint of the USPS, each VPSD disclosed herein is inactive while stored in the database. It becomes active when its associated data is loaded into an HSM and an operation performed.
Embodiments disclosed herein also may use a database to store information, potentially in clear text, for a PSD, along with encrypted data including cryptographic keys both to (1) secure the clear text data from being modified, and (2) sign postal indicia generated by the system.
Both arrangements include a client app 110, which is any client application that may submit requests to generate postal indicia. The request may be made, for example, through an HTTP REST call, though more generally any suitable communication may be used.
The VPSD server 120 orchestrates calls for PSD-type functions across different components within the system. Any PSD operation may be performed, such as loading funds, creating indicia, re-keying a PSD signature key, and the like, including any function performed by a conventional PSD. As disclosed in further detail below, the VPSD server 120 may obtain and save PSD state data in a VPSD database 130. Data in each VPSD record may be encrypted and/or cryptographically signed to allow for verification of the data when used by an HSM, as disclosed herein. In some cases, it may be preferred for the data to be stored in cleartext but cryptographically signed to allow for verification; in such an arrangement it is simple to obtain the register values for an individual VPSD from the VPSD database 130, but the cryptographic signature ensures that the values cannot be easily changed. The VPSD server 120 also invokes the HSM agent 140 or the virtual cryptography module (VCM) 260 to process PSD operations. The VPSD server 120 is also responsible for invoking a reset via a service provider (not shown), for example if an associated client does not have sufficient funds available to generate the requested indicia.
The VPSD database 120 stores the state of VPSD devices for persistence, allowing for a chain of cryptographically-verified state changes for any PSD. Some data in the VPSD database 120 may be stored in plain text, though it is preferred that all cryptographic keys used to create indicia and update VPSD state may be stored in the VPSD database 120 in an encrypted state, for example in a security package as described with respect to
In an on-premise system, or a similar system that uses HSM agent 150 manages requests to HSM devices 150. For example, the HSM agent 150 may queue any requests for cryptographic functions and forward them serially to the HSM. The HSM agent 150 also may monitor the availability and health of HSM devices 150 and report when they are not available. In an arrangement as shown in
It may be preferred to use a master key (MK) to secure the VPSDs. Generally each HSM 150 has the same firmware but different public/private key pairs that uniquely identify the physical HSM device. That is, each HSM 150 is not an identical clone, the physical devices have cryptographically unique identities. The MK provides a common denominator that allows any of the physical HSMs 150 to decrypt the information coming from the VPSD database 130. The VPSD data is loaded into the HSM 150, which then uses the MK to access the VPSD state data.
Notably, because the HSM 150 does not permanently store individual PSD data, the HSM 150 can perform operations for any number of VPSDs. The VPSD data simply needs to be loaded into the HSM 150, such as from the VPSD database 130 as disclosed herein, for the VPSD operations to be performed. In some embodiments, the HSM 150 may have multiple simultaneous VPSDs handled concurrently. Alternatively or in addition, the HSM 150 may have redundant hardware elements and a multi-threaded kernel that allow the HSM to manage several parallel VPSD operations. Such a configuration may be useful for an on-premise/non-cloud-based arrangement as disclosed herein.
The arrangement shown in
The cloud HSM 270 typically will be accessed as a service provided by a cloud infrastructure, for example Microsoft Azure, Amazon Web Services, or the like. The cloud software may use the physical HSMs which are hosted in a service provider's distributed data centers which may, for example, be the HSMs 150 shown in
Referring again to
At 122, the VPSD server 120 sends a request to the HSM agent 140 (
After receiving the request at 141, the HSM 150 verifies VPSD state data that was previously obtained from the VPSD database 130, for example by verifying a cryptographic signature of the VPSD state data as disclosed herein. In a system as shown in
At 142, the HSM agent 140 (
At 124, the requested indicia is returned to the client application 110.
In some embodiments, the VCM 260 may provide an interface to a cloud-based management system that interfaces with HSMs 150 as in
It will be apparent from the above description that more than one cryptographic key may be used in systems disclosed herein. For example, it may be preferred to use a different key to generate indicia by the HSMs than is used to sign and verify the VPSD state information stored in the VPSD database. Furthermore, although not described in detail for purposes of clarity, it may be desirable to also sign various messages used in the system, such as those sent to the HSMs. As previously disclosed, each HSM also may have a unique cryptographic identity, suggesting that it may be desirable for each HSM to use its own key to sign data and messages generated by that HSM. As non-limiting examples, the following keys may be used:
Each key may be “re-keyed”, i.e., a new key of that type may be generated, on a periodic or recurring schedule, for example, 1, 2, 5, 10 years, or any intervening or desired period. Keys may be generated, for example, AES 256, ECC 521 (ESDSA and/or ECCDH), PBKDF2, or any other desired algorithm.
At 320, the encrypted PSDSVK and IK keys 312 may be decrypted using a master key 314, to obtain the corresponding keys 315, 316. In some embodiments, the PSDSVK and IK keys may be stored in a “security package” 312, which is encrypted by the master key 314. Alternatively, the keys may be encrypted and stored separately in the VPSD database 130.
Notably, the master key 314 may be used across the system, thereby allowing any HSM device to perform the VPSD functions as disclosed herein for any VPSD record stored in the VPSD database. That is, unlike conventional systems where a specific hardware device is associated with a specific user or user account, in embodiments disclosed herein, only the VPSD record is associated with a specific user. The HSM hardware devices are user-agnostic and any HSM hardware device can be used to process a request associated with any VPSD record, thereby providing greatly improved scalability and reliability. At 330, VPSD record 311 may then be verified using the PSD SVK 316 and the signature included in the VPSD record 311. An indicia 317 may be generated using the indicia key 315 at 340.
At 350, the VPSD registered may be updated, similar to the process used with conventional PSDs. Typically the VPSD will include an ascending register (AR), a descending register (DR), and a control total (CT) used as a checksum for the AR and DR values. The ascending register continuously increases by the value of each indicia created. The descending register only increments on a reset operation, i.e., when more value is added to the VPSD by the owner; otherwise it continuously decreases in decrements of the value of each indicia generated. The control total typically is the sum of the ascending and descending registers and is used as a check of those registers to make sure the stored values have not been corrupted. The register operations at 350 may be performed directly by an on-premise HSM or by a cloud-based HSM system as previously disclosed.
At 360, a new signature for the updated VPSD record 311 is generated using the VPSDK 316, which is then stored in the VPSD database 130 at 370.
Notably, conventional HSMs typically store only a root key and self-signed certificate (or equivalent keys to the root key as disclosed herein). In contrast, embodiments disclosed herein may store the master key, HSM identifier key, HSM IK certificate, and the root key certificate.
Notably, the processes described with respect to
A VPSD server 120 may provide access to the VPSD database 130, which stores VPSD records as previously disclosed herein. The HSM agent 140 (or, in some embodiments, a VCM 260) provides access to the appropriate HSM(s) 150 based upon the requests 111 and the VPSD records stored in the VPSD database 130. An administration module 850 may provide other backend services, such as a management user interface, HSM re-key functionality, and the like. The services provider infrastructure may include other components common to such systems, such as a reset service 860 for adding funds to VPSDs or other PSD management and administrative functions, such as managing “short pay” events in which indicia are requested and/or generated for more than the available amount in the descending register of the associated VPSD.
Embodiments disclosed herein may be implemented on a range of computer systems.
The bus 21 allows data communication between the central processor 24 and one or more memory components 25, 27, which may include RAM, ROM, and other memory, as previously noted. Applications resident with the computer 20 are generally stored on and accessed via a computer readable storage medium.
More generally, embodiments disclosed herein may include or be embodied in the form of computer-implemented processes and apparatuses for practicing those processes. Embodiments also may be embodied in the form of a computer program product having computer program code containing instructions embodied in non-transitory and/or tangible media, such as hard drives, solid state drives, or any other machine readable storage medium, such that when the computer program code is executed by a computer processor, the processor becomes an apparatus for practicing the embodiments. When implemented on a general-purpose microprocessor, the computer program code may configure the microprocessor to become a special-purpose device, such as by creation of specific logic circuits as specified by the instructions.
Embodiments may be implemented using hardware that may include a processor, such as a general-purpose microprocessor and/or an Application Specific Integrated Circuit (ASIC) that embodies all or part of the techniques according to embodiments of the disclosed subject matter in hardware and/or firmware. The processor may be coupled to memory, such as RAM, ROM, flash memory, a hard disk or any other device capable of storing electronic information. The memory may store instructions adapted to be executed by the processor to perform the techniques according to embodiments of the disclosed subject matter.
The foregoing description, for purpose of explanation, has been described with reference to specific embodiments. However, the descriptions provided herein are not intended to be exhaustive or to limit embodiments of the disclosed subject matter to the precise forms disclosed. The illustrative embodiments were chosen and described in order to explain the principles of embodiments of the disclosed subject matter and their practical applications, to thereby enable others skilled in the art to utilize those embodiments as well as various embodiments with various modifications as may be suited to the particular use contemplated.