POSTAGE EVIDENCING SYSTEM WITH SECURE SUMMARY REPORTS

The present invention relates to franking apparatus such as postage evidencing devices and, more particularly, to postage meters having an accounting system and means for communicating account records.
Conventional postage meters utilize letter press techniques to print a postage payment indicia on an envelope as evidence of postage payment, together with a secure accounting system for recording the postage dispensed. A number of security methods have been devised over time to protect letter press type postage meters against fraudulent printing of postage indicia. For example, special inks are used, and the indicia plate and postage value print wheels are physically secured to prevent an unauthorized indicia impression from being taken. As noted, the conventional postage meter accounts for the postage it prints, and a number of methods have been devised to protect the postage accounting system within the meter, e.g., tamper proof housings.
Postage evidencing devices, such as the conventional postage meters, are now being developed utilizing digital printing techniques, such as thermal transfer printing.
Digital printing techniques employ bit map addressable printing, which differs significantly from traditional letter press printing. The critical security provision for digitally printed indicia is encrypted information such as digital tokens, for example, as described in detail in US Patent No. 5,448,641, entitled POSTAL RATING SYSTEM WITH VERIFIABLE INTEGRITY, which describes a procedure for providing postal rate security. Verification of encrypted information requires either a secret key or a public key encryption system. It has been concluded that a secret key system is more advantageous for the mailer-post communication. Any secret key cryptographic system assumes the presence of a secret key shared by the particular postage meter and the verification authority, usually the Postal Service.
A potential benefit of digital printing postage meter devices is that the same digital printer can print both the postage indicia and, on request, a summary report of metering activities during some pre-specified accounting period.
The summary report preferably would contain a table of data including the number of mailpieces in each rate category and the associated postage, plus the total postage printed during the accounting period. The summary report can be printed either by the postage meter digital printer which is used to print the postage indicia or by any other printer attached to a computer (PC) equipped with a standard serial interface, e.g., RS-232. In the latter case, the summary data is passed to the PC through the RS-232 interface of the postage meter.
The summary report can be audited by the Postal Service in order to compare its own records of the mailing activities of the postage meter, identified by serial number or other identifying number, with the mailer's records. The total postage spent is usually stored in a protected tamper resistant memory of the postage meter, and an attempt by the mailer to alter this number would be detectable. However, the other parts of the report can easily be altered without changing the total postage spent. Because of the characteristics of the postal rating structure, the total number of pieces as well as the number of pieces by class/weight can be fraudulently decreased in the report, thus misleading the auditing authority of the Postal Service to the benefit of the mailer.
Summary of the Invention

It is the objective of the present invention to provide a method such that unauthorized alteration of the summary mail report is detectable by the postal auditing authority using cryptographic means.
The summary report data is subjected to a conventional cryptographic hash function. The value of the hash function represents a "fingerprint" of the summary report. Thus, any attempt to alter any character in the summary report would result in a change in the value of the hash function. Once the hash value of the summary report file is computed, it can be encrypted with the same secret key which the postage evidencing device utilizes for encrypting the information printed in the indicia (i.e., digital tokens). The encrypted value of the hash function is then printed together with the summary report, in effect providing a digital signature that authenticates the summary report information. The signed summary report could then have the appearance represented in Table 1.
Table 1 - Signed Summary Report

Postage Evidencing Device ID: 12345678
Accounting Period: June 1, 1994 -- July 1, 1994

Mail Category/Weight   Number of Pieces   Postage/Piece   Postage
Class 1 - 1 oz         10                 $0.29           $2.90
Class 1 - 2 oz          7                 $0.52           $3.64
Class 3 - 1 oz         20                 $0.19           $3.80
Class 4 - 6 oz          5                 $1.07           $5.35
Total                  42                 N/A             $15.69

Digital Signature: 12309876552344567890998776654233445
The data relevant to the summary report should be stored in a protected tamper resistant memory. This data includes the number of pieces in each category that were imprinted by the postage evidencing device. Once this data is properly stored, the summary report is generated from it and digitally signed in a manner which cannot be altered undetectably.
Brief Description of the Drawings

Fig. 1 is a schematic of a micro control system for driving a thermal transfer digital printing postage meter and a computer based system in accordance with the present invention.
Fig. 2 is a flow chart illustrating an activity report generation process in accordance with the present invention.
Fig. 3 is a flow chart illustrating the auditing process for verifying the activity report generated in accordance with the present invention.
Detailed Description of the Preferred Embodiment

Referring to Fig. 1, a postage meter 11 is comprised of a microcontroller 13 in bus 15 communication with memory units 17, address decoder 19, encryption and decryption module (DES) 21 and a printer controller/buffer unit 23, all of any suitable design. The printer controller/buffer unit 23 is in bus 25 communication with any suitable thermal print driver and suitable print head 27. It is intended that the postage meter be of any suitable design for employing digital printing techniques, such as ink jet, laser or thermal transfer.
A postal audit unit 30 is comprised of a scanner/optical character reader 32 of any suitable conventional design to provide input to the postal audit system 30.
Alternatively, a keyboard input unit (not shown) may be used. Preferably, the scanner 32 is in bus 34 communication with a processor unit 36 and encryption and decryption unit (DES) 38. The processor unit 36 and encryption and decryption unit (DES) 38, respectively, provide input to a comparator 40. The output from the comparator 40 is directed to a conventional display/alarm unit 42.
The postage meter is intended to print postage payment indicia 51 on an envelope 53 in any one of known methods. In a manner to be described in greater detail subsequently, the meter is programmed to maintain a record of the posting characteristics, such as, class, weight and amount of postage dispensed per mailpiece in the memory units in any suitable known manner.
The microcontroller 13 of the postage meter 11 is further programmed in any suitable conventional manner to generate account reports pursuant to the posting characteristics information stored in memory and to print a report 55 utilizing the meter print head 27. The report will also include a digital signature derived in a manner subsequently described. It should also be appreciated that alternatively by utilizing a communication port of the postage meter (not shown), a conventional computer may be interfaced to the postage meter in a conventional manner such that the report, along with the digital signature, can be electronically transferred to the computer for printing under the control of the computer (not shown).
In the preferred embodiment, the report 55 is printed under the control of the postage meter microcontroller 13 and transferred to the postal service postal audit unit 30. The information from the report 55 may be keyed in from a keyboard (not shown) or, preferably, placed under a scanner 32 containing an optical character reader (OCR). The scanner 32 then transfers the information derived from scanning the report 55 to the processor 36 and DES unit 38 along a bus 34. The information is processed in the processor 36 and the DES unit 38, in a manner subsequently described, and is compared by a comparator 40 with the information printed in the report. The output from the comparator 40 is directed to the display 42, which may include an alarm for actuation depending on the output of the comparator 40.
The microcontroller 13 is programmed to apply a hash function to the account information data to produce a hash value which is indicative of the content of the summary report and yet may be considerably smaller in data size. As used herein, a hash function is a well-known function which possesses at least two properties: it is computationally difficult (i) to recover a message corresponding to a given message digest and (ii) to find two different messages which produce the same hash value (message digest). Some well-known hash functions are described in American National Standard X9.30-1993, Public Key Cryptography Using Irreversible Algorithms for the Financial Services Industry: Part 2: The Secure Hash Algorithm (SHA). It should be noted that there are other publicly available hash functions that can be implemented for the purpose of the present invention. For example, one formal definition is set forth in Contemporary Cryptology by G. Simmons, IEEE Press, 1992, at page 345, and yet another definition is that a hash function is a function that satisfies the following properties:

1) it is capable of converting a file F of arbitrary length into a fixed-length digest h(F);

2) h must be "one way", that is, given an arbitrary value y in the range of h, it must be computationally infeasible to find a file F such that h(F) = y; and

3) h must be "collision free", that is, it must be computationally infeasible to construct two different files F1 and F2 such that h(F1) = h(F2).

If the summary report data being transmitted to the postal audit unit 30 is not private, it is not necessary to encrypt the data itself to prevent unauthorized reading, since secrecy of the information is not at issue; otherwise the information can be suitably encrypted. Upon calculation of the hash value of the summary report data, the postage evidencing device encrypts the hash value with its secret key and prints the encrypted value in the report.
The postal audit unit 30 receives the encrypted hash value (the "signature"), e.g., by OCR scanning, and decrypts it with the secret key shared with the postage evidencing device, thus obtaining the plain text hash value. The postal audit unit 30 then independently computes the hash value of the received summary report data using the same hash function as was used by the postage evidencing device. The hash algorithm employed may be one in the public domain; however, the algorithm resides both at the postage evidencing device 11 and at the postal audit unit 30. If the two hash values, namely the hash value computed in the postage evidencing device 11 and the hash value computed in the audit unit 30, match each other, the integrity of the summary report data 55 is assured.
Alternatively, rather than decrypting the printed signature, the audit unit 30 can encrypt its own independently computed hash value with the shared secret key and compare the result with the signature as printed. Which of the two is preferred depends on whether the encryption/decryption is symmetric; with a secret key (symmetric) system either comparison is possible, and the latter is the one followed in Figs. 2 and 3.
Referring now to Fig. 2, the microcontroller 13 is programmed to generate the summary report by entering a report routine. The report routine, at process block 60, retrieves from the protected memory, for each postal rate used during the accounting period, the number of pieces imprinted with that postal rate. At process block 62, a summary report file is generated and the hash value of this file is calculated. At process block 64, this hash value is passed to the secure encryption module 21 of the postage evidencing device micro control system. At process block 65, using the secret encryption key of the postage evidencing device, the hash value of the summary report is encrypted and the encrypted hash value (digital signature) is prepared for printing. Finally, at logic block 67, the summary report with digital signature is printed.
Auditing of the summary report can be done by essentially repeating the same steps, namely computing the hash value of the summary report as printed using the same hashing algorithm as was used to create the digital signature by the postage evidencing device. Then the hash value is encrypted with the same secret key which is shared between the post office audit system and the postage meter. Finally, the resulting encrypted value is compared with the digital signature printed in the summary report. A mismatch indicates alteration of the summary report. A match assures that the report has not been altered.
The auditing process is depicted in Fig. 3. At process block 70, information from the summary report, including the digital signature, is entered by either scanning or keying the information into the audit unit 30. At process block 72, a summary report file is generated, and the hash value of that summary report is computed and passed to the secure processor 38 for encryption. At process block 74, the secret key matching the secret key of the postage meter is retrieved using the postage meter ID, and encrypting the hash value with the retrieved secret key produces a verification digital signature. At decision block 76, the digital signature printed in the summary report and the verification digital signature are compared. If they match (process block 78), the process terminates at process block 80. If they do not match (process block 78), the auditor is alerted to investigate the mailer at process block 82.
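The signing steps of Fig. 2 and the auditing steps of Fig. 3, together with the report-only alteration described in the Background, carried through in Python as an added example; this is not code from the patent. Assumptions: SHA-256 stands in for the SHA of X9.30 Part 2; an HMAC over the hash value with the shared secret key stands in for the DES encryption of the hash in module 21 and unit 38 (both yield a value only a holder of the key can produce, which is all the comparison at block 76 relies on); the key store SHARED_KEYS, the rate data and the '|'-separated report layout are constructed for the example. The one design point the patent text leaves implicit and the code makes concrete is that the meter and the audit unit must serialise the report identically, since the hash covers the exact bytes of the report file.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Constructed shared-key store indexed by postage evidencing device ID
# (hypothetical; the meter's DES module 21 and the audit unit's DES unit 38
# would each hold the key, and block 74 looks it up by meter ID).
SHARED_KEYS = {
    "12345678": b"constructed-demo-key-do-not-reuse",
}


@dataclass(frozen=True)
class RateLine:
    """One row of the summary report: a rate category and its piece count."""
    category: str    # mail class / weight step, e.g. "Class 1 1oz"
    pieces: int      # count read from protected memory (block 60)
    rate_cents: int  # postage per piece in cents; integers avoid float rounding

    @property
    def postage_cents(self) -> int:
        return self.pieces * self.rate_cents


def canonical_report(device_id: str, period: str, lines: list[RateLine]) -> str:
    """Build the summary report file (block 62 on the meter, block 72 on the audit unit).

    Both sides must serialise the report byte for byte the same way, or the two
    hash values will differ for reasons unrelated to tampering. The layout is
    therefore fixed: header lines, one '|'-separated row per rate, then a total row.
    """
    rows = [f"Postage Evidencing Device ID: {device_id}",
            f"Accounting Period: {period}"]
    for ln in lines:
        rows.append(f"{ln.category}|{ln.pieces}|{ln.rate_cents}|{ln.postage_cents}")
    total_pieces = sum(ln.pieces for ln in lines)
    total_cents = sum(ln.postage_cents for ln in lines)
    rows.append(f"Total|{total_pieces}|N/A|{total_cents}")
    return "\n".join(rows) + "\n"


def report_hash(report: str) -> bytes:
    """Hash value ("fingerprint") of the report file. SHA-256 stands in for
    the SHA of X9.30 Part 2 cited in the text."""
    return hashlib.sha256(report.encode("utf-8")).digest()


def sign_report(device_id: str, report: str) -> str:
    """Blocks 64-65: key the hash value with the device's secret.

    The text encrypts the hash under the meter's DES key. This example uses
    HMAC over the hash with the shared key instead; both yield a value that
    only a holder of the key can produce, which is what block 76 relies on.
    """
    key = SHARED_KEYS[device_id]
    return hmac.new(key, report_hash(report), hashlib.sha256).hexdigest()


def verify_report(device_id: str, report: str, printed_signature: str) -> bool:
    """Blocks 70-76: rebuild the hash from the report as received (scanned or
    keyed in), look the key up by meter ID, re-derive the signature and compare.
    compare_digest keeps the comparison time independent of how many leading
    characters of a forged value happen to be right."""
    expected = sign_report(device_id, report)
    return hmac.compare_digest(expected, printed_signature)


def demo() -> dict:
    """Sign the Table 1 report, then apply the fraud the Background describes:
    lower one piece count on the printed report while leaving the Total line,
    the figure a protected total-postage register would confirm, untouched."""
    device_id = "12345678"
    period = "June 1, 1994 -- July 1, 1994"
    table_1 = [RateLine("Class 1 1oz", 10, 29), RateLine("Class 1 2oz", 7, 52),
               RateLine("Class 3 1oz", 20, 19), RateLine("Class 4 6oz", 5, 107)]
    genuine = canonical_report(device_id, period, table_1)
    signature = sign_report(device_id, genuine)

    # Altered copy: 20 pieces of Class 3 become 15; the Total row is unchanged.
    altered = genuine.replace("Class 3 1oz|20|19|380", "Class 3 1oz|15|19|380")
    return {
        "genuine_ok": verify_report(device_id, genuine, signature),
        "altered_ok": verify_report(device_id, altered, signature),
        "altered_differs": altered != genuine,
        "total_line_unchanged": genuine.splitlines()[-1] == altered.splitlines()[-1],
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the genuine report verifying, the altered report failing, and that the alteration left the Total line untouched, so a check against the protected total-postage register alone would have passed. One caveat the patent's vocabulary hides: because the audit unit holds the same secret key as the meter, the printed value is a message authentication code rather than a signature in the public-key sense. Anyone holding the key, the verifier included, can produce a valid value for any report, so the scheme detects alteration by the mailer but offers no non-repudiation against a key holder.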