EP0717379A2 - Method for improving the security from franking machines at a credit transfer - Google Patents

Abstract

The fraud prevention system prevents manipulation of the recorded postal charges during transmission of the latter to a remote data centre, using a control device with a microprocessor which verifies the authorisation of the user via a number of given criteria and monitors the data communication between the machine and the data centre. Pref. a specific key combination for each franking machine is stored at the data centre, which is only known to an authorised person, used for verification of the user before a refund chip card is acceptable.

Description

The invention relates to a method for improving the security of franking machines in credit transfer, especially in fund transfer back to the data center, according to the type specified in the preamble of claim 1.

A franking machine generally creates an imprint in a form agreed with the post right-aligned, parallel to the upper edge of the mail item, starting with the content of the postage in the postmark, the date in the day stamp and stamp imprints for the advertising slogan and, if applicable, the type of shipment in the election print stamp. The post value, the date and the type of shipment form the variable information to be entered according to the item.

The postage value is usually the transport fee paid in advance by the sender, which is taken from a refillable credit register and used to clear the mail item. In contrast, in the current account procedure, a register is only counted up depending on the frankings made with the postage value and is read at regular intervals by a postal inspector.

In principle, every franking made must be accounted for and any manipulation that leads to franking that has not been invoiced must be prevented.

A known franking machine is equipped with at least one input means, an output means, an input / output control module, a program, data and in particular storage device carrying the accounting register, a control device and a printer module. In the case of a printer module with a printing mechanism, measures must also be taken so that the printing mechanism cannot be misused for unpredictable impressions when it is switched off.

The invention relates in particular to franking machines which provide a fully electronic impression for franking mail, including an advertisement cliché. The result of this is that a valid franking that has not been invoiced must only be prevented when it is switched on.

In the case of a franking machine known from US Pat. No. 4,746,234, fixed and variable information is stored in storage means (ROM, RAM) in order to be read out by means of a microprocessor when a letter actuates a microswitch on the transport path in front of the printing position and to send a print control signal form. Both are then electronically assembled into a print image and can be transferred using thermal transfer printing media be printed on an envelope to be franked.

A method for controlling the column-by-column printing of a postage stamp image in a franking machine has also already been proposed EP 578 042 A2, which separately and separately composes fixed and variable data converted into graphic pixel image data during column-by-column printing. It would therefore be difficult to manipulate the print control signal without high and expensive effort when printing at a high speed.

On the other hand, the memory device comprises at least one non-volatile memory module which contains the currently remaining remaining credit, which results from the fact that the respective postage value to be printed is subtracted from a credit previously loaded into the franking machine. The franking machine blocks when the remaining credit is zero.

Known franking machines contain in at least one memory three relevant post registers for the total value used (increasing register), remaining credit remaining (falling register) and registers for a checksum. The checksum is compared with the sum of the total value used and the available credit. A check for correct billing is already possible with this.

Furthermore, it is also possible to transmit recharge information to the franking machine from a data center via a remote value specification in order to reload a credit into the register for the remaining credit (residual value). It goes without saying that suitable security measures must be taken for this so that the credit stored in the franking machine cannot be replenished in an unauthorized manner. Protecting the aforementioned solutions against misuse and attempts at counterfeiting requires additional material and time.

From US 48 64 506 it is known that if the value of the credit in the falling register is below a threshold value and a predetermined time has been reached, communication with the remote data center is started by the franking machine.

From the above It is also known from the patent that the data center for receiving register data and for checking whether the franking machine is still connected to a specific telephone number - establishes a connection with the franking machine after a defined period of time and the franking machine responds only at predetermined times.

According to the above Patent also provided to query the identity number of the franking machine and the values in the falling and rising register for authorization by the data center before reloading the credit into the franking machine.

Furthermore, from the above Patent known that the communication of the data center with the franking machine need not be limited to mere transfer of credit into the franking machine. Rather, if the franking machine is deregistered, the communication between the data center and the franking machine is used to transfer the remaining credit of the franking machine to the data center. The value in the falling post register of the franking machine is then zero, which effectively puts the franking machine out of operation.

A security housing for franking machines, which has internal sensors, is known from DE 41 29 302 A1. The sensors are especially with a battery connected switches, which become active when the security housing is opened, in order to erase a memory storing the residual value credit (falling postal register) by interrupting the energy supply. As is known, however, it is not possible to predict the state of a de-energized memory chip when the voltage returns. This could result in an unpaid higher remaining balance. On the other hand, it cannot be ruled out that the residual value credit will at least partially discharge in the manner mentioned above. However, this would be disadvantageous during an inspection, since the residual value credit, which had been paid by the franking machine user, must also be reloaded, but the amount of this residual credit may be falsified by the above-mentioned influences. Finally, the description does not show how a manipulator can be prevented from restoring an unpaid remaining credit.

In known franking machines FM, further security measures such as breakaway screws and encapsulated, shielded security housing are already known. Keys and a combination lock are also common to make access to the franking machine more difficult.

In US 4,812,994, unauthorized access to use of the franking machine is also to be prevented by blocking the franking machine if a predetermined password is entered incorrectly. In addition, the franking machine can be set by means of a password and corresponding input on the keyboard so that franking is only possible during a predetermined time interval or times of day.

The password can be entered by a personal computer via MODEM, by a chip card or manually in the franking machine. After positive The franking machine is released for comparison with a password stored in the franking machine. A security module (EPROM) is integrated in the control module of the accounting unit. As a further security measure, an encryption module (separate microprocessor or program for FM-CPU based on DES or RSA code) is provided, which generates an identification number in the franking stamp that includes the postage value, the subscriber number, a transaction number and the like. If there is enough criminal energy, a password could also be researched and, together with the franking machine, brought into the possession of a manipulator.

A remote inspection system for franking machines has already been proposed in US Pat. No. 4,812,965, which is based on special messages in the printing of mail pieces that have to be sent to the central office, or on a remote query via MODEM. Sensors within the postage meter machine are to detect any counterfeiting act that has been carried out, so that a flag can be set in associated memories if the postage meter machine has been tampered with for manipulation purposes. Such an intervention could take place in order to load an unpaid credit into the register.

If tampering is detected, the franking machine is blocked by a signal from the data center during remote inspection via modem. On the other hand, a clever manipulation could consist in returning the flag and the registers to the original state after franking imprints have not been billed. Such manipulation would not be recognizable via remote inspection by the data center if this reversed manipulation was prior to the remote inspection. Also the receipt of the postcard from the data center, on which a franking to be carried out for inspection purposes is to take place, the manipulator allows the franking machine to be returned to its original state in sufficient time. This means that no higher security can be achieved.

The disadvantage of such a system is that it cannot be prevented that a sufficiently qualified manipulator who breaks into the postage meter machine subsequently removes its traces by deleting the flags. It also cannot prevent the impression itself from being manipulated, which is produced by a properly operated machine. In known machines there is the possibility of producing impressions with the postage value zero. Zero frankings of this kind are required for test purposes and could also be falsified subsequently by simulating a postage value greater than zero.

A security imprint in accordance with FP's own European patent application EP 576 113 A2 provides symbols in a marking field in the franking stamp which contain cryptified information. This allows the postal authority, which interacts with the data center, to identify manipulation of the franking machine at any point in time from the respective security imprint. It is technically possible to continuously check such pieces of mail provided with a security imprint by means of appropriate security markings in the stamp image, but this means additional effort in the post office. In the case of a control based on random samples, however, manipulation is usually only detected late.

On the other hand, an additional evaluation regarding a user of a franking machine can be carried out in the data center by the user beyond the inspection date continued to operate. However, it has not yet been possible to conclude from this information that manipulation was carried out with the intention of forgery.

In US 4,251,874, a mechanical printing unit that must be preset for printing is used with a detector device to monitor the preset. Means are also provided in the electronic accounting system for determining errors in data and control signals. If this number of errors reaches a predetermined value, the further operation of the franking machine is interrupted. However, the sudden failure of the franking machine is disadvantageous for the franking machine user. With a non-mechanical printing principle, on the other hand, such internal errors are hardly to be expected, and in the case of a serious error, the franking machine must be switched off immediately anyway. In addition, the security against manipulation of the postage meter machine is hardly increased by the postage meter machine being switched off after a predetermined number of errors.

A franking machine with program sequence monitoring is known from US Pat. No. 4,785,417. The correct execution of a larger program section is checked by means of a special code assigned to each program section, which code is stored in a specific memory cell in RAM when the program section is called up. It is now checked whether the code stored in the aforementioned memory cell is still present in the program section currently running. If, during manipulation, one part of the program was interrupted and another part of the program was running, an error can be determined by such a control question. The comparison can only be carried out in the main process. Secondary processes, for example safety-relevant calculations, which are used by several main processes, can be carried out by such monitoring However, the execution of the program section cannot be checked because the program control takes place independently of the program sequence. If manipulations were made on the basis of permitted program parts and secondary processes in such a way that secondary processes were additionally integrated into main processes or omitted from the latter or branched to secondary processes, then no error would be determined, since neither the length of the program part can be determined nor which one Program branch how often was run.

Another type of expected manipulation is the reloading of the franking machine registers with a credit value that has not been invoiced. This results in the need for secure reloading. An additional security measure according to US 4,549,281 is the comparison of an internal fixed combination stored in a non-volatile register with an external combination entered, after a number of failed attempts, i.e. Non-identity of the combinations, the franking machine is locked by means of escapement electronics. According to US 4,835,697, the combination can be changed in principle to prevent unauthorized access to the franking machine.

A method for changing the configuration of the franking machine is also known from US Pat. No. 5,077,660, wherein the franking machine can be switched from the operating mode to a configuration mode by means of a suitable input via a keyboard and a new meter type number can be entered which corresponds to the desired number of features. The franking machine generates a code for communication with the computer of the data center and the input of the identification data and the new meter type number in the aforementioned computer, which also generates a corresponding code for transmission and input into the franking machine, in which the two codes are compared. If they match Both codes are used to configure the franking machine and switch to the operating mode. As a result, the data center always has precise records of the meter type set for the corresponding franking machine. However, security depends solely on the encryption of the transmitted code.

In addition, EP 388 840 A2 discloses a comparable security technique for setting a franking machine in order to clean it of data without the franking machine having to be transported to the manufacturer. Here too, security depends solely on the encryption of the transmitted code.

In US 3,255,439, the secure reloading of a franking machine with a credit was on the one hand associated with an automatic signal transmission from the franking machine to the data center whenever a predetermined sum of funds which was franked or the number of processed mail pieces or a predetermined time period was reached. Alternatively, a signal corresponding to the sum of funds, number of pieces or time period can be transmitted. Communication takes place by means of binary signals via converters connected to one another via a telephone line. The machine receives an equally secured reload in accordance with the credit balance and blocks if no credit is replenished.

From US 4,811,234 it is known to carry out the transactions in encrypted form and in the process to query the registers of the postage meter machine and to transmit the register data to the data center in order to indicate a temporal reference to the reduction in the amount authorized to dispose stored in the register. On the one hand, the franking machine identifies itself at the data center when a presettable threshold value is reached is by means of its encrypted register content. On the other hand, the data center modifies the desired franking amount up to which franking can be carried out by means of corresponding authorization signals. Encryption is therefore the only security against manipulation of the register status. If a manipulator always loads the same amount at the same time intervals, but in the meantime franked a much higher amount with the manipulated franking machine than he paid, the data center cannot detect any manipulation.

From EP 516 403 A2 it is known to regularly transmit the errors of the franking machine that have been logged in the past and stored in a memory to a remote error analysis computer for evaluation. Such a remote inspection allows an early warning of an occurring error and enables further measures (service) to be taken. This alone does not offer a sufficient criterion for manipulation.

According to GB 22 33 937 A and US 5 181 245, the franking machine periodically communicates with the data center. A blocking means allows the franking machine to block after a predetermined time or after a predetermined number of operation cycles and provides a warning to the user. To unlock an encrypted code must be entered from the outside, which is compared with an internally generated encrypted code. In order to prevent incorrect billing data from being delivered to the data center, the billing data are included in the encryption of the aforementioned code. It is disadvantageous that the warning occurs at the same time as the franking machine is blocked, without the user being able to change his behavior accordingly in good time.

A franking machine is known from US Pat. No. 5,243,654, where the current time data supplied by the clock / date module are compared with stored decommissioning time data. If the stored shutdown time is reached by the current time, the franking machine is deactivated, that is to say printing is prevented. When a connection is established with a data center that reads the accounting data from the rising register, the franking machine is transmitted an encrypted combination value and a new period is set, which makes the franking machine operational again. The total amount of consumption, which contains the total postage used and is read by the data center, is also part of the encrypted combination value. After decoding the combination value, the amount of consumption sum is separated and compared with the amount of consumption amount stored in the franking machine. If the comparison is positive, the franking machine is automatically blocked. This solution ensures that the franking machine periodically reports to the data center in order to transmit accounting data. However, use cases are quite conceivable where the amount of mail to be franked fluctuates (seasonal operation). In these cases, the franking machine would disadvantageously be blocked unnecessarily often.

From US 4,760,532 a postal handling system with postage transfer and billing capability is known. Information is transmitted to the data center via telephone using the touch-tone process that is common in the USA. The operator can transmit a number by pressing a corresponding key on the telephone. Information from the data center is sent to the operator using a computer voice transmitted, which must enter the transmitted values in the franking machine. For fund retransfer, the transfer of a negative postal find to a postal device is provided in a first step for establishing communication with a central station. The central station monitors the total amount of mail (residual value credit) that is stored in the mail device. In a second step, the aforementioned central station is supplied with information relating to a desired change in order to reduce the total amount of postal values available in the aforementioned postal device and with a clear identification regarding the aforementioned postal device. A third step includes receiving from the central station and inputting a first unique code into the aforementioned postal device, the input being operated to reduce the total amount of postal values stored in the postal device in accordance with the aforementioned request. And in the fourth step, a generation of a second unique code is provided in the postal device when the first unique code has been entered into the postal device, the second unique code providing an indication such that the aforementioned postage value is available for printing on the mail , has been reduced in the aforementioned postal device.
However, if the transmission is disturbed or interrupted, no first code is received from the data center and the fund in the franking machine would remain unchanged, while a chargeback has already been made in the data center. For checking purposes, the register statuses of the franking machine could of course be queried in order to compare them with those stored in the data center. It is feared that a potential manipulator would fail to do so. In US 4,760,532 the final method step is the transmission of the aforementioned second unique code to the central station intended. Under the conditions of the touch-tone process, it is again necessary to press numeric keys, which is cumbersome with multi-digit codes and usually does not result in input errors. There is also provision for the data center to generate a third unique code in order to transfer the retransferred credit to another franking machine. The responsible authority can thus be damaged by errors during the transmission. Thus, the same question arises in the case of positive and negative remote value specification, namely how to synchronize the data in the central and franking machine in a simple manner.

The task was to solve the disadvantages of the prior art and to ensure a significant increase in security when transferring credit.

A distinction should be made between authorized action (service technician) and unauthorized action (intention to manipulate) and the security against manipulation should be increased. Another task is to improve security when communicating with the data center when data is transmitted in both directions.

The object is achieved with the features of claims 1, 9, 18, 21 and 23.

The solution according to the invention is based on the one hand on the knowledge that only data stored centrally in a data center can be adequately protected against manipulation. A significant increase in security and synchronicity in the stored data is achieved by reporting data on the franking machine before each predetermined action. Also increases the reporting in more or less large intervals, especially for reloading a credit in connection with the above logging, the security against any manipulation. The data to be stored centrally include at least the date, time, identification number of the franking machine (ID number or PIN) and the type of data (for example register values, parameters) when the franking machine starts communication with the data center. In order to pre-synchronize the data of the franking machine with the data of the data center, a specific default request can be used for a first transaction.

On the other hand, to increase security, a distinction is made between authorized action (service technician) and unauthorized action (intention to manipulate) by means of the control unit of the franking machine in conjunction with steps for executing a negative remote value specification for the retransfer of a credit value to the data center, whereby on the part of the franking machine The default request is transmitted to the data center and stored there and in the franking machine.

The control unit of the postage meter machine checks whether a defined sequence for entering the side into the special mode for negative remote value specification has been carried out with predetermined actuating means and whether a predetermined period of time has been observed during the negative remote value specification and whether further steps for the automatic implementation of the communication have to be carried out if necessary, to complete the retransmission if the previous steps for executing a negative remote value specification were interrupted or incorrect encrypted data were transmitted to the franking machine.

According to the invention, communication between the franking machine and the data center takes place at least with encrypted messages, the DES algorithm preferably being used.

The franking machine thus has at least two special modes for solving the task. A first mode is provided in order to prevent the franking machine from franking with postage values in the case of fraudulent actions or in the event of manipulation (kill mode). This inhibition can be removed by an authorized person on the next inspection on site. The franking machine has a further mode in order, if selected criteria are met, to cause the franking machine to automatically communicate with the data center, if necessary. According to the invention, such a further mode is the special mode of negative remote value transmission or a second (sleeping) mode. After completion of the special mode, only a limited number of ZERO frankings is possible for the purpose of checking the franking machine. If the intended number of pieces has been used up, automatic communication with the data center is inevitably triggered, which is thus informed and relevant register data is learned. The franking machine is inhibited in sleeping mode. The interaction of at least two aforementioned modes increases the security when handling credit which is to be loaded into the franking machine or which is to be retransferred therefrom to the data center, in relation to fraudulent manipulation.

In a first variant, security is achieved by a predetermined operating sequence while switching on the franking machine for a side entry into the special mode, negative remote value specification and later, when the franking machine has started the communication connection, by encrypted transmission Messages during two transactions. As a result of a first transaction, a predetermined default request is stored in the data center and in the franking machine. It is therefore no longer necessary to retransmit the preset request already saved during a second transaction. As a result of the second transaction, a corresponding default value is subtracted from the content of the DescendingRegister or a negative value is added, so that a zero credit is stored in the franking machine.

However, if a negative remote value specification other than the predetermined operating sequence is selected for switching on the franking machine for a side entry into the special mode, which is prohibited, the franking machine switches to the aforementioned first mode in order to lock the franking machine for franking with a postage value ( Kill mode).

If necessary, in order to increase the security against manipulation, the authorized operator (service technician) from the data center changes a previously entered side entry into the special mode negative remote value specification. The operating sequence that will be valid in the future can at least partially be transmitted in connection with at least one transaction during a positive or negative remote value specification.

An authorized operator of the franking machine, preferably the service technician, carries out a predetermined operating action for entering the special remote negative value setting mode, which apart from the service technician is only known to the data center. A special flag is set, which is evaluated as a special transaction request.

Monitoring by the control unit of the franking machine during the execution of a transaction in special mode ensures that if the transaction remains incomplete, the transactions in special mode negative remote value specification are carried out until the end. When the transaction in special mode is completed, the special flag is reset.

In addition, there is time monitoring by the control unit of the franking machine during the execution of a transaction in special mode, which take effect when the time is exceeded or when the transaction has remained incomplete in order to complete the transaction.

The data center also monitors the time when a transaction in the special mode negative remote value specification is carried out. The register data of the franking machine can be checked centrally when a connection is established again to carry out a remote value specification, for example to top up a credit. Either if the transaction remains incomplete, the franking machine automatically reconnects to complete the transaction or the authorized service technician provides the data center with a message about the current state of the franking machine by the end of the day in order to cancel the data transmitted in the special mode, negative remote mode. Otherwise, the time monitoring on the part of the data center after the end of the predetermined period of time results in an acknowledgment of the data transmitted in the special mode, negative remote value specification.

In a second variant, security is checked by checking the operating sequence for agreement with a predetermined operating sequence in the franking machine and by checking the desired request in the data center for agreement with one stored there Code for a predetermined default request increased. It is possible to change the operating sequence as a function of time, the same calculation algorithm being used in the data center and in the franking machine in order to determine a current operating sequence. This makes it unnecessary to transfer a valid operating sequence from the data center to the franking machine.

In a third variant, security is increased by a combination of a number of measures. In a first transaction, a distinguishable logon to the data center takes place. In response to this, this transmits a new security flag X and / or a predetermined operating sequence for a page entry into the special mode negative remote value specification to the franking machine if the franking machine was switched on normally and establishes the communication connection, a predetermined transaction request being made in a first transaction the data center and in the franking machine. A check is carried out in the data center as to whether the transmitted default request corresponds to a predetermined default request. In the first transaction, for example, a new code word or security flag and / or operating sequence is transmitted to the franking machine, and in a second transaction the registered transaction is carried out and, in accordance with the desired request, a default value in the corresponding memory of the franking machine and also for checking the transaction added in a corresponding memory of the data center.

For a page entry into the special mode negative remote value specification, the service technician must carry out the operating sequence while switching on the franking machine as it was transmitted by the data center, that is to say pressing a certain key combination at the same time as switching on.

In the second transaction, the franking machine is reloaded with a negative credit, in accordance with the corresponding default value, so that the result is a residual value credit of NULL.

The solution according to the invention also assumes that the funds stored in the franking machine must be protected against unauthorized access. The falsification of data stored in the franking machine is made so difficult that the effort for a manipulator is no longer worthwhile.

Commercial OTP processors (ONE TIME PROGRAMMABLE) can contain all security-relevant program parts inside the processor housing, as well as the code for forming the message authentication code (MAC). The latter is an encrypted checksum that is attached to information. Data encryption standard (DES), for example, is suitable as the crypto-algorithm. This means that MAC information can be attached to the relevant security and special flags or to the register data, thus increasing the difficulty of manipulating the aforementioned flags or postal registers to a maximum.

The method for improving the security of a postage meter machine which is capable of communicating with a remote data center and has a microprocessor in a control device of the postage meter machine also comprises forming a checksum in the OTP processor about the content of the external program memory and comparing the result with one Predetermined value stored in the OTP processor before and / or after expiry of the franking mode or operating mode, in particular during initialization (ie when the franking machine is started) or at times in which printing is not carried out (ie when the franking machine is in standby mode is operated).

In the event of an error, the franking machine is then logged and subsequently blocked.

In order to improve the security of postage meter machines against manipulation, a distinction is made between non-manipulated and manipulated operation of a postage meter machine by means of the control device by monitoring the duration of the run of programs, program parts or security-relevant routines during an operating mode and by running after programs, Program parts or safety-relevant routines, then comparing the measured transit time with a predefined transit time. Even during communication, manipulation in the interest of fraud is to be prevented, in particular by monitoring the compliance with a certain time sequence in the special mode, negative remote value specification, in the communication mode. The time period from the sending of a third encrypted message on the part of the franking machine to the receipt of the fourth encrypted message sent from the data center to the franking machine, which triggers a zeroing of the credit value upon verification, is monitored. It is envisaged that a decremental counter or an incremental counter is used to detect that the time tl has been exceeded in the special mode as a sure indication of a failed transmission and that a special subroutine is called which prepares the special mode to carry out the negative remote value specification again and automatically triggers so that the first and second transactions are automatically repeated.

In a fourth variant, security is increased by an additional input security means, which is brought into contact with the franking machine, in order to return a remaining credit from an authorized person to transfer to the data center.

Figur 1,

Blockschaltbild einer Frankiermaschine,

Figur 2,

Ablaufplan nach der erfindungsgemäßen Lösung,

Figur 3a und 3b,

Darstellung der Sicherheitsabläufe der im Kommunikationsmodus befindlichen Frankiermaschine und Datenzentrum,

Figur 4,

Ablaufplan für den Frankiermodus nach einer bevorzugten Variante,

Figur 5,

allgemene Blockdarstellung eines Ablaufes mit zwei Transaktionen für das Nachladen mit einem Null-Guthabenwert,

Figur 6,

Blockdarstellung eines Ablaufes mit zwei Transaktionen für das Nachladen mit einem negativen-Guthabenwert,

Figur 7,

Ablaufplan zur Einspeicherung eines Sicherheits-Flags bzw. Codewortes nach der erfindungsgemäßen Lösung

Advantageous developments of the invention are characterized in the subclaims or are shown in more detail below together with the description of the preferred embodiment of the invention with reference to the figures. Show it:

Figure 1,

Block diagram of a franking machine,

Figure 2,

Flow chart according to the solution according to the invention,

3a and 3b,

Representation of the security processes of the franking machine and data center in communication mode,

Figure 4,

Flow chart for the franking mode according to a preferred variant,

Figure 5,

general block diagram of a process with two transactions for reloading with a zero credit value,

Figure 6,

Block representation of a process with two transactions for reloading with a negative credit value,

Figure 7,

Flow chart for storing a security flag or code word according to the solution according to the invention

FIG. 1 each shows a block diagram of the franking machine according to the invention with a printer module 1 for a fully electronically generated franking image, with at least one input means 2 having several actuating elements, a display unit 3, and one for communicating with a data center Manufacturing MODEM 23, which are coupled via an input / output control module 4 with a control device 6 and with a non-volatile memory 5 or 11 for the variable or the constant parts of the franking image.

A character memory 9 supplies the necessary print data for a volatile working memory 7. The control device 6 has a microprocessor μP, which with the input / output control module 4, with the character memory 9, with the volatile working memory 7 and with the non-volatile working memory 5 a cost center memory 10, with a program memory 11, with the motor of a transport or feed device, possibly with a strip release 12, an encoder (coding disk) 13 and with a clock / date module 8. The individual memories can be implemented in several physically separate or combined, in a manner not shown, in a few building blocks, which are secured against removal by at least one additional measure, for example gluing on the circuit board, sealing or potting with epoxy resin.

FIG. 2 shows a flow chart for a franking machine with a security system according to a preferred variant of the solution according to the invention.

After the franking machine has been switched on in step 100, a function test with subsequent initialization is then carried out within a start routine 101.

This step also includes several sub-steps 102 to 105 - shown in more detail in FIG. 7 - for storing a security flag or code word. With step 103, if, according to step 102, a new security flag X ′ is predetermined in another Memory location E of the non-volatile memory 5 exists, this new security flag X 'is copied into the memory location of the old security flag X if there is no longer a valid security flag X stored there. The latter applies equally to the case of an authorized as well as an unauthorized intervention, because the old security flag X is deleted with each intervention. In the case of another unauthorized action, the security flag X can also be deleted (kill mode). If there is no longer a valid security flag X stored, postage value 400 can no longer be printed in franking mode 400. If no action is taken, no new code word has been transmitted. In this case, no copying takes place and after step 104 the old security flag X is retained in the memory. Finally, the system routine 200 is reached with point s.

The system routine 200 comprises several steps 201 to 220 of the security system. Current data is called in step 201, which is carried out further below in connection with the invention for a second mode, namely for the sleeping mode. As shown in FIG. 2, it is checked in step 202 whether the criteria for entering the sleeping mode are met. If this is the case, a branch is made to step 203 in order to display at least one warning by means of the display unit 3. According to the above In every case point t is reached.

If a forbidden side entry is determined (step 217), the aforementioned safety flag X is cleared. The security flag X can be a MAC-secured security flag as well as an encrypted code. The validity of the security flag X is checked, for example, in step 409 of a franking mode 400 by means of a selected checksum method within one OTP processor (ONE TIME PROGRAMMABLE) carried out, which internally contains the corresponding program parts and also the code for forming a MAC (MESSAGE AUTHENTIFICATION CODE), which is why the manipulator cannot understand the type of checksum procedure. Other security-relevant key data and processes are also stored exclusively in the interior of the OTP processor, for example to supplement key data with the new key transmitted from the data center to the franking machine, so that the key data thus supplemented can be used to encrypt messages that are transmitted to the data center become. On the other hand, the same security-relevant key data or processes allow security to be placed in the postal register.

A further security variant which does not require an OTP processor consists in making it difficult to find the key by coding it and partially storing it in different memory areas. Again, MACs are appended to every piece of information in the security-related registers. Manipulation of the register data can be detected by checking the MAC. This routine takes place in step 406 in the franking mode, which is shown in FIG. This increases the difficulty of manipulating the postal registers as much as possible.

When the check in step 217 has been carried out, a relevant defect having been found and the security flag X having been deleted in step 209, the point e, ie the start of a communication mode 300, is reached and in a step 301 - shown in FIGS. 2 and 3a asked whether there was a transaction request. If this is not the case, communication mode 300 is exited and point f, ie operating mode 290, is reached. Have relevant data transmitted in communication mode, then branching to step 213 for data evaluation. Or otherwise, if the non-transmission is determined in step 211, branch to step 212. It is now checked whether corresponding entries have been made in order to go to test mode 216 when test request 212 is made, otherwise to go to display mode 215 when register status check 214 is intended. If this is not the case, point d, ie franking mode 400, is reached automatically.

In the event of manipulation, step 213 for statistical and error evaluation is reached. The display mode 215 is reached via step 213 and then branched back to the system routine. The blocking can therefore advantageously take place in that the branching to the franking mode 400 is no longer carried out. According to the invention, it is further provided that a statistical and error evaluation is carried out in step 213 in order to obtain further current data which, after branching to the system routine 200, can also be called up in step 201, for example for a aforementioned second mode or another special mode.

Between the points s and t of the system routine 200 there can be a large number of further queries for fulfilling further criteria for further modes. More detailed explanations regarding a query for a first mode, which is used to prevent printing or to block the franking machine, can be found in German application P 43 44 476.8, method for improving the security of franking machines. In the event that the franking machine housing is opened by authorized persons, written or telephone registration in the data center for authorized opening has been proposed, which tells the opening date and time for the approximate opening. Before the franking machine can then actually be opened, communication with the data center must be established via MODEM in order to request authorization to open it and to load a new future code Y 'which can replace the old one.

In contrast to this, however, the presence of the security flag X is not queried between the points s and t but only in step 409 in the franking mode. As a result, the service technician can still restore the full functionality of the franking machine by loading the new security flag X 'even after deleting the aforementioned flag. This now allows, for example, a check to be carried out to determine whether an unauthorized action actually leads to the deletion of the security flag or code word, or whether deletion has been prevented by manipulation.

If the operation is authorized, step 217 - shown in FIG. 2 - recognizes that no prohibited side entry has been carried out. An allowed side entry, which was carried out for another input, has not been shown in FIG. 2. However, such a query criterion is also provided, for example in order to recognize in step 212 whether an operating action has been carried out in order to enter a test mode. When the side entry is permitted, which is not the correct side entry for the special mode of a negative remote value specification for the purpose of transferring funds back from the franking machine to the data center, the system routine 200 branches to point e. Otherwise, branching to step 220 takes place at the correct side entry in order to set a special flag for entering the special mode. It is in a further form possibly a further query step 219 is provided before step 220 in order to further increase the security against unauthorized calling of the special mode with a further criterion, with branching to point e of the system routine 200 if the criterion is not met. For example, query step 219 shown in FIG. 2 can query such a further criterion as to whether the identification number (ID number or PIN) has been entered. Security is already sufficiently high as a result of the side entry so that, in the interest of simpler operation, such additional additional criteria queries can also be dispensed with. Another possibility in query step 219 shown in FIG. 2 is to query such a further criterion as to whether the same predetermined default request has been made at least n times and whether a corresponding default value has been added to the remaining credit value is also only optional and therefore shown in dashed lines in FIG. 2. This can be a NULL default request, which leads to the transfer of a NULL default value and can be added to the residual value without changing the amount of the stored credit.

In order to further increase security against manipulation, it is provided that the special flag N set in step 220 for the special mode is also a MAC-secured flag N.

Security is additionally increased by a check in the data center as to whether a predetermined specification has been transmitted by the franking machine. It is provided that the transmitted request for specification is evaluated in the data center as a code to carry out a very specific transaction. The transmitted default request can be evaluated as a code in the data center to allow a fund retransfer. Otherwise, the transmitted The default request in the data center can be evaluated as a code to allow transmission for a security flag X or for an X code word.

FIGS. 3a and 3b show the security processes of the franking machine in communication mode on the one hand and the security processes of the data center in communication mode on the other hand.

If the point e, i.e. the beginning of the communication mode 300 explained below is queried in a step 301 - shown in FIGS. 2 and 3a - whether there is a transaction request. This can be used, for example, to top up your credit, change your phone number, etc. be put.

The user selects the communication or remote value default mode of the franking machine by entering the identification number (eight-digit postage request number). It is now assumed, for example, that the fund is to be transferred back in the amount of the residual value remaining in the franking machine. A register query of the descending register R1, which contains the residual value, is first carried out. After the franking machine is switched off, a side entry into the special mode is carried out when the franking machine is switched on again. After entering the identification number, the entry is confirmed with the Teleset button and the default request is entered in the amount of the previously requested residual value. By entering the page, the default request is automatically evaluated as the default value to be subtracted. The default request is confirmed by pressing the Teleset button (T button). Since the data center also queries the residual value for each communication, a comparison in the data center of both, ie of residual value and default request. Otherwise, the above-mentioned entries for a preferred variant can also be carried out automatically by the franking machine in special mode in order to simplify operation.

Otherwise, for example, communication should take place in order to load a new security flag X ', which can replace the old security flag X. If only such a transaction request is made, the default amount must be changed, because in this case the credit in the franking machine does not of course have to be increased. On the other hand, a value other than zero can also be agreed, in particular a value to which only a minimal amount corresponds, by which the descending register value would have to be increased.

FIG. 3a shows that part of the communication of a transaction that is carried out with unencrypted messages. Nevertheless, these messages can contain data that are MAC-secured, for example the identification number of the franking machine.

In step 302, the identification number (ID number) and the intended input parameters can be entered in the following manner. With the ID no. it can be the serial number of the franking machine, a PIN or PAN (postage call-off number), which is acknowledged by actuation by means of a predetermined T key on the input means 2. The input parameter (default value) used in the last remote value specification (reloading) appears in the display unit 3 and is now overwritten or maintained by the input of the desired input parameter. The input parameter is a combination of numbers which is understood as a request in the data center, for example a new security flag or code word X 'to be transmitted if an authorization to intervene has previously been obtained. If the aforementioned input parameter is entered incorrectly, the display can be deleted by pressing a C key.

For example, a change is entered to load a zero-value credit in a transaction, but no authorization is obtained beforehand. The input parameter therefore only serves as a new default value. However, the value for franking is not increased in value if the input parameter has the value zero, nor is a new security flag loaded. However, a number of items S 'can be transmitted for each communication, as can also be seen from German application P 43 44 476.8, method for improving the security of franking machines.

Only through the previous notification, for example by means of a separate call to the data center or another form of communication, is the data center informed that a new security flag X 'is to be transmitted to the franking machine if the franking machine subsequently carries out a transaction within a predetermined period of time the value zero is started. The request for intervention is only deemed to have been made if, after the registration of an authorized intervention, the franking machine enters the communication mode agreed in this way.

If, however, any other input parameter is previously agreed with the data center, when this input parameter is entered, in addition to the transmission of a new security flag X 'according to the pre-agreed code, which is formed by the predetermined default request, the credit is also reloaded as a result of a second one according to the entered default value Transaction.

If an input parameter other than the agreed one is entered, the result is only a reload in the amount of the selected new default amount, where, in contrast to the other transaction data, the default amount does not need to be transmitted to the franking machine. Rather, the fact that a valid transaction has been verified is sufficient for the franking machine to increase or decrease the content of the descending register by the amount specified in accordance with the stored request.

If the desired input parameter is displayed correctly, this is confirmed by pressing the predetermined T key of the input means 2 again. A display corresponding to an input parameter change or to the non-change (old default value) then appears in the display unit 3.

By pressing the predetermined T key, the change of the input parameter is started via the MODEM connection. The input is checked (step 303) and the further process runs automatically, the process being accompanied by a corresponding display.

To do this, the franking machine checks whether a MODEM is connected and ready for operation. If this is not the case, the process branches to step 310 to indicate that the transaction request must be repeated. Otherwise, the franking machine reads the dialing parameters, consisting of the dialing-out parameters (main / extension, etc.) and the telephone number from the NVRAM memory area F and sends them to the modem 23 with a dial request command. The connection required for communication is then established via the MODEM 23 with the data center in a step 304.

In FIG. 3a, the parallel process in the data center, which is necessary for communication, is also shown on the left half. Step 501 continuously checks whether a call has been made to the data center. If this is the case and the MODEM 23 has dialed the opposite side, the connection is established in parallel in the data center in step 502. And in step 503, it is constantly monitored whether the connection to the data center has been released. If this is the case, an error message in step 513 branches back to step 501.

In parallel, the franking machine monitors in step 305 whether communication errors have occurred and, if necessary, branches back to step 304 in order to be re-established by the franking machine. After a predetermined number n of unsuccessful redials for the purpose of establishing a connection, a branch is made back to point e via a display step 310. If there was no error that could be determined in step 305, the franking machine determines in step 306 that the connection has been established and that a transaction is still to take place, branching to step 307 in order to receive an opening message or identification, pretensioning or To send register data. In the following step 308, the same check as in step 305 is carried out, i.e. if a communication error has occurred, the method branches back to step 304. Otherwise, an opening message was sent from the franking machine to the data center. Among other things, the postage call number to announce the caller, i.e. the franking machine included in the data center.

This opening message is in the data center in Step 504 is checked for plausibility and further evaluated by subsequently checking in step 505 whether the data has been transmitted without errors. If this is not the case, the error message is branched back to step 513. On the other hand, if the data are error-free and it is recognized in the data center that the franking machine has made a request for reloading, then in step 506 a reply message is sent to the franking machine as the header. In step 507 it is checked whether in step 506 the leader message including the end of the leader has been sent. If this is not the case, the process branches back to step 513.

In the franking machine it is checked in step 309 whether a header has now been sent or received as a reply message by the data center. If this is not the case, the method branches back to step 310 and a transaction request is then queried again in step 301. If a header has been received and the franking machine has received an OK message, the header parameters are checked in step 311 with regard to a telephone number change. If an encrypted parameter has been transmitted, there is no change in the telephone number and a branch is made to step 313 in FIG. 3b.

FIG. 3b shows the security processes of the franking machine in communication mode and, in parallel, that of the data center.

In step 313, the franking machine sends an encrypted start message to the data center. In step 314, the communication error message checked. If there is a communication error, the method branches back to step 304 and an attempt is made again to establish the connection to the data center in order to send the start message encrypted.

This encrypted start message is received by the data center when the header message was sent completely in step 506 and the header end was transmitted in step 507. In step 508 it is checked in the data center whether it has received the start message and whether the data is OK. If this is not the case, step 509 checks whether the error can be remedied. If the error cannot be remedied, a branch is made to step 513 after an error message has been transmitted from the data center DZ to the franking machine FM in step 511. Otherwise, error handling is carried out in step 510 and branching to step 507. If the receipt of correct data is determined in step 508, the data center begins a transaction in step 511. In the aforementioned example, at least the identification number is transmitted to the franking machine by means of an encrypted message, which receives the transaction data in step 315.

In the following step 316, the data is checked. If there is an error, the method branches back to step 310. Otherwise, the same data mentioned above is stored in the data center in step 512 as in the franking machine. In step 318, the transaction with the data storage is thus completed in the franking machine. The method then branches back to step 305. If no further transaction is to take place, step 310 and then step 301 are reached for display.

If no transaction request is made, step 211 in FIG. 2 checks whether data have been transmitted. If data has been transmitted, step 213 is reached. In accordance with the input request, the franking machine places the current default request or the new code word Y ′ or other transaction data, for example in the memory area E of the non-volatile memory 5.

If, however, a number combination other than zero is entered as input parameter in step 302 and the input was OK (step 303), a connection is established (step 304). And if a connection is established (step 305) without an error (step 306), an identification and header message is sent to the data center. In this opening message, also contain the postage call-off number PAN for identifying the franking machine at the data center. If the data is correct (step 505), the data center recognizes from the combination of numbers entered that, for example, a credit with a default value is to be added to the franking machine.

If the current telephone number of the data center has changed in the meantime, measures must be taken to save it in the franking machine. In step 506, the data center then sends a reply message with the elements change of the telephone number and current telephone number in unencrypted form. The franking machine that receives this message recognizes in step 311 that the telephone number should be changed. The process now branches to step 312 in order to save the current telephone number. The method then branches back to step 304. If the connection is still established and there is no communication error (305), a check is then made in step 306 to determine whether there is another Transaction should take place. If this is not the case, step 310 branches to step 301. The transmission of the telephone number can also be MAC-secured.

After the current telephone number has been saved, the franking machine automatically establishes a new connection to the data center with the aid of the new telephone number. The actual transaction intended by the user, a remote value specification of the new security flag X 'or a transmission of an encrypted message suitable for verification for reloading the residual value credit in accordance with a specification request is thus automatic, i.e. carried out without further intervention by the user of the franking machine. A corresponding message appears in the display that the connection is automatically re-established due to the change in the telephone number.

It is provided that after an intervention, the franking machine is controlled in communication mode 300. The authorized person can then also inform the data center of the completed check. A communication can include a telephone number storage as well as a credit reload or fund retransfer. This means that several transactions can be carried out without interrupting communication.

If the amount of the credit to be topped up remains the same as for the last credit reload, only one transaction is necessary.

If the amount of the credit to be reloaded is to be changed, two transactions are required. Both transactions are carried out in a comparable way.

A successful transaction runs as follows:

The franking machine sends its ID number and a default value for the amount of the reload credit desired, possibly together with a MAC, to the data center. The latter checks such a transmitted message against the MAC in order to then send an OK message, likewise MAC-secured, to the franking machine. The OK message no longer contains the default value.

It is provided that the transmission of a new security flag X 'or of relevant data for a change in the credit balance in the franking machine is in encrypted form, but the transmission of telephone number is in unencrypted form. However, MAC protection is also possible. If it is determined in the data center that the connection to the postage meter machine has been terminated (step 503) or that there are faulty data (505) or unrecoverable errors (509) or that no leader has been sent (507), communication is ended. After an error message, the communication connection is released, the transmitted data is saved and evaluated in step 513 by the data center.

At least one encrypted message is transmitted to the data center and to the franking machine during a first transaction. The default request is only contained in the encrypted message of the first transaction. Every transmitted message, which contains security-relevant transaction data, is encrypted. The DES algorithm, for example, is provided as the encryption algorithm for the encrypted messages.

A transaction request results in a specially secured credit reload in the franking machine. The outside of the processor is preferably protected in the cost center memory 10 postal register also during the credit reloading by means of a time control. If the franking machine is observed with an emulator / debugger, for example, then it is likely that the communication and accounting routines will not run within a predetermined time. If this is the case, ie the routines take considerably more time, part of the DES key is changed. The data center can determine this modified key during a communication routine with a register query and then report the franking machine as suspect as soon as a start message is encrypted in accordance with step 313.

The data center determines in step 509 that the error cannot be remedied. The data center cannot then carry out a transaction (step 511) because the process branches back to step 513. Since no data was received in the franking machine in step 315, the transaction was not carried out without errors (step 316). The system then branches back to step 301 via step 310 in order to check again after a display whether a transaction request is still being made.

If this is not the case, communication mode 300 is exited and point f, i. operating mode 290 reached. Thus, in the case discussed above, no data could be transmitted using modified DES keys (step 211). It is also assumed that neither a test request (step 212) nor a register call (step 214) has been initiated in order to check the remaining credit. But then the franking mode 400 is reached.

In the case of an authorized intervention, security requires the reliability of the authorized person (Service, inspector) and the possibility to check their presence. The inspection of the seal and the inspection of the register status during an inspection of the franking machine and regardless of the data in the data center then results in the security of the inspection. The control of the franked mail, including a security imprint, provides additional security for verification.

The franking machine performs the register check regularly and / or when it is switched on and can thus recognize the missing information if the machine has been tampered with or if it has been operated without authorization. The franking machine is then blocked. Without the invention in connection with a security flag X, the manipulator would easily overcome the blockage. However, the security flag X is lost and it would take too much time and effort for the manipulator to try to determine the valid MAC-secured security flag X or code word. In the meantime, the franking machine would have long been registered as suspect in the data center.

Other variants or a combination with other variants, such as, for example, deleting a part of the DES key or the redundant register status or deleting other data or keys which are important for the data center in a transaction, are included in the inventive concept. It is essential that critical program parts are stored in the OTP and that the program runtime monitoring means are software and / or hardware components of the OTP. With these program parts, the critical programs stored externally by the OTP in the program memory PSP 11 can be monitored. The advantage is that the monitoring program itself does not observe or manipulate can be because it remains in the OTP and cannot be read out.

A suitable processor type is, for example, the TMS 370 C010 from Texas Instruments, which has a 256 bytes E ² PROM. This allows security-relevant data (keys, flags, etc.) to be stored in the processor in a tamper-proof manner.

If a manipulator carries out an unauthorized intervention, the franking machine is effectively prevented from franking with a postage value by switching to the first mode.

The potential manipulator of a franking machine has to overcome several thresholds, which of course takes a certain amount of time. If there is no connection from the franking machine to the data center at certain time intervals, the franking machine becomes suspect. It can be assumed that anyone who tampering with the franking machine will hardly report back to the data center.

During an inspection, the seal of the franking machine is first checked for integrity and then the register status. If necessary, a test impression with the value 0 can be made. In the event of a repair by the on-site service, the franking machine may have to be accessed. The error registers can be read out, for example, with the help of a special service EPROM, which is inserted in the place of the advert EPROM. If the processor does not access this EPROM slot, access to the data lines is usually prevented by special driver circuits (not shown in FIG. 1). The data lines, which can be reached through a sealed housing door cannot be contacted without authorization. Another variant is the reading out of error register data by a service computer connected via an interface. To prepare for the intervention, the registers of the franking machine are queried in order to determine the type of intervention required. Before intervening in the franking machine and opening the housing, a separate call is made to the data center. If the default value is then changed to zero within a predetermined period of time and transmitted to the data center as part of a transaction, i.e. the type of intervention and the register data have been communicated to the data center, data is transmitted from a data center to the franking machine in accordance with an authorized intervention requested in the Franking machine, which is logged as an allowed intervention.

However, if the default value is changed to a value other than zero within a predetermined period of time and transmitted to the data center as part of a transaction, a separate call to the data center that has previously taken place has no consequences, i.e. an intervention request is deemed not to have been made and no authorization to intervene in the franking machine is being issued, and consequently no new security flag or code word X 'is transmitted.

The franking machine is able to distinguish between requested and unauthorized intervention in the franking machine by means of the control unit of the franking machine in connection with the data transmitted by the data center, this intervention being logged as an error in the case of unauthorized intervention in the franking machine, but after the authorized intervention has taken place the original operating state is restored into the franking machine by means of the aforementioned transmitted data.

The processes according to the franking mode shown in FIG. 4 are explained in connection with the flow chart shown in FIG. It is also provided at times when there is no printing (standby mode) that a query regarding manipulation attempts is made and / or the checksum of the register statuses and / or the content of the program memory PSP 11 is formed. The aforementioned checksum is stored by the franking machine manufacturer in a MAC-secured manner in the non-volatile memory 5 (memory area E of the NV-RAM). To check the content of the program memory PSP 11, the checksum is determined again and a MAC is formed using a stored key that has remained unchanged. The aforementioned key is a tamper-proof (non-readable) partial key. Now the old MAC-secured from NV-RAM 5 is loaded and compared with the newly determined MAC-secured checksum in the OTP. To improve the security against manipulation, in another variant for a kill mode 2, the checksum is formed in the processor via the content of the external program memory PSP 11 and the result is compared with a predetermined value stored in the processor. This is preferably done in step 101 when the postage meter machine is started, or in step 213 when the postage meter machine is operated in standby mode. The standby mode is reached when there is no input or print request for a predetermined time. The latter is the case if a letter sensor known per se - not shown in detail - does not determine the next envelope to be franked. The step 405 in the franking mode 400, shown in FIG. 4, therefore includes a further query for a time lapse or for the number of passes through the program loop, which ultimately corresponds to the input routine Step 401 leads. If the query criterion is met, a standby flag is set in step 408 and a branch is made back directly to the point s to the system routine 200, without the billing and printing routine being executed in step 406. The standby flag is queried later in step 211 and reset after the checksum check in step 213 if no attempted manipulation is detected.

The query criterion in step 211 is expanded to include the question of whether the standby flag is set, i.e. whether the standby mode is reached. In this case, step 213 is also branched to. A preferred variant is to delete the security flag X in the manner already described if a manipulation attempt in standby mode has been determined in step 213 in the aforementioned manner. The specially secured special flag N can also be checked in step 213, in particular if it is MAC-secured by comparing the flag content with the MAC content. The absence of the security flag X is recognized in query step 409 and then branched to step 213. The advantage of this method in connection with the first mode is that the manipulation attempt is statistically recorded in step 213.

FIG. 4 shows the flow chart for the franking mode according to a preferred variant. The invention is based on the fact that after switching on, the postage value in the value print corresponding to the last entry before switching off the franking machine and the date in the day stamp corresponding to the current date are automatically specified that the variable data in the fixed data for the frame for the print and be electronically embedded for all associated data that remain unchanged.

The number strings (sTrings), which are entered for the generation of the input data with a keyboard 2 or via an electronic balance 22 connected to the input / output device 4 and calculating the postage value, are automatically stored in the memory area D of the non-volatile working memory 5. In addition, data records of the sub memory areas, for example Bj, C etc., are also retained. This ensures that the last input values are retained even when the franking machine is switched off, so that after switching on the postage value in the value print is automatically specified in accordance with the last entry before the franking machine was switched off and the date in the day stamp is specified in accordance with the current date.
If a scale 22 is connected, the postage value is taken from the storage area D. In step 404, it is waited until there is one currently stored. If a new input request is made in step 404, the process branches back to step 401. Otherwise, the process branches to step 405 to wait for the print output request. The letter to be franked is detected by a letter sensor and thus a print request is triggered. It is thus possible to branch to the accounting and printing routine in step 406. If there is no print output request (step 405), the process branches back to step 301 (point e).

Since, according to the variant shown in FIG. 4, branching back to point e and step 301 is reached, a communication request can be made at any time or another input can be made in accordance with the steps test request 212, register check 214, input routine 401.

A further query criterion can be queried in step 405 in order to set a standby flag in step 408 if none after a predetermined time Print request is pending. As already explained above, the standby flag can be queried in step 211 following communication mode 300. This does not branch to franking mode 400 until the checksum check has shown that all or at least selected programs are complete.

If a print output request is recognized in step 405, further queries are made in subsequent steps 409 and 410 and in step 406. For example, in step 409 the presence of a valid security flag X or a corresponding MAC-secured flag X, the achievement of a further quantity criterion and / or in step 406 the register data collected in known manner for billing are queried. Was the number of pieces predetermined for franking used up in the previous franking, i.e. Number of pieces equal to zero, the system automatically branches to point e in order to enter communication mode 300 so that a new predetermined number of pieces S is again credited by the data center. However, if the predetermined number of pieces had not yet been used, the process branches from step 410 to the billing and printing routine in step 406.

The number of printed letters and the current values in the mail registers are registered in a non-volatile memory 10 of the franking machine in a billing routine 406 in accordance with the entered cost center and are available for later evaluation. A special sleeping mode counter is caused to continue counting during the accounting routine which takes place immediately before printing.

If necessary, the register values can be queried in display mode 215. It is also provided that Print out register values with the print head of the franking machine for billing purposes. This can be done, for example, in the same way as is already explained in more detail in German Offenlegungsschrift P 42 24 955 A1.

In another variant, provision is also made for variable pixel image data to be embedded in the remaining pixel image data during printing. Corresponding to the position report provided by the encoder 13 about the advance of the postal matter or paper strip in relation to the printer module 1, the compressed data are read from the working memory 5 and converted with the help of the character memory 9 into a printed image having binary pixel data, which is also in such a decompressed form in the volatile memory 7 is stored. Further details can be found in European applications EP 576 113 A2 and EP 578 042 A2.

The pixel memory area in the pixel memory 7c is therefore provided for the selected decompressed data of the fixed parts of the franking image and for the selected decompressed data of the variable parts of the franking image. After billing, the actual printing routine takes place (in step 406). As can be seen from FIG. 1, the main memory 7b and the pixel memory 7c are connected to the printer module 1 via a printer controller 14 having a print register (DR) 15 and an output logic. The pixel memory 7c is connected on the output side to a first input of the printer controller 14, at whose further control inputs there are output signals from the microprocessor control device 6. If all columns of a print image have been printed, the system branches back to the system routine 200.

The transmission of a new number of items S 'can then the same way as that already explained in connection with the transmission of the new security flag X '. In the case of communication according to FIGS. 3a and 3b, a new predetermined number of items S 'is then transmitted and decremented as number of items S while the franking is running. The comparison piece number S _{ref is} calculated internally from the new predetermined piece number S '(step 213). In step 203, a warning "CALL FP" can thus be issued before the number of pieces reaches zero. The user of the franking machine is thus asked to carry out communication with the data center in order to carry out at least one zero remote value specification for subsequent accreditation of at least the number of items S.

FIG. 5 shows the process with two transactions for reloading with a credit value, preferably with a zero credit value, in simplified form. Such a NULL remote value specification always comprises two transactions.

The first transaction of communication with the data center DZ comprises the notification of a predetermined default request. In order to establish the consistency of the register status between the data center DZ and the franking machine FM, a ZERO default request is suitable. During a second transaction, this leads to a NULL default value which can be added to the descending register value without changing the value of the remaining credit.

When entering the communication mode normally, after starting the franking machine, the system routine 200 - shown in FIG. 2 - is queried in step 218 as to whether the user has correctly entered the page. If this is not the case, the system branches to point e in system routine 200. A message about the opening of the appears on the display Communication when the PIN is entered and the Teleset key (T key) is pressed. In addition, the previous default value is displayed, which can be overwritten by the new default request NULL. After entering zero, the T key is pressed again. Now there is a transaction request and the communication can be carried out.

After entering the communication mode (positive remote value specification or teleset mode), the first step during a first transaction comprises a sub-step 301 for checking whether a transaction request has been made and further sub-steps 302 to 308 for entering the identification and other data relating to the communication connection and to communicate with unencrypted data in order to transmit at least identification and transaction type data to the data center.

It is envisaged that a first step of the first transaction comprises sub-steps 301 to 308 of the postage meter machine in order to establish the connection, for communication with unencrypted data and to transmit at least identification, transaction type and other data to the data center. The transaction type data (1 byte) includes the message to the data center DZ to subsequently carry out the teleset mode for a desired positive remote value specification with the franking machine identified.

A second step of the first transaction comprises sub-steps 501 to 506 in the data center, for receiving the data and for checking the identification of the postage meter machine and for transmitting an unencrypted OK message to the postage meter machine. The second step of the first transaction also includes sub-steps to step through a sub-step 513 in the event of incorrect unencrypted messages 505 Error message to branch to an idle point q in sub-step 501 in the data center until communication is resumed by a franking machine.

A third step of the first transaction comprises sub-steps 309 to 314 of the franking machine, for forming a first encrypted message Crypto cv by means of a first key Kn stored in the franking machine and for transmitting encrypted data to the data center, comprising at least the default request, identification and postal register. Data. In a further embodiment of the security measures, this encrypted message also includes data in the form of CRC data (cyclic redundancy check data). The default request, the identification, postal register and other data such as a checksum (CRC data) are transmitted in a message encrypted with the DES algorithm.

A fourth step of the first transaction, which comprises sub-steps 507 to 511 in the data center, is provided for receiving and decrypting the first encrypted message. A check for decryptibility is carried out using a key stored in the data center. If successful, a calculation is made in the data center to form a second key Kn + 1, corresponding to the key used by the franking machine. A second encrypted message crypto Cv + 1 is then formed, which contains at least the aforementioned second key Kn + 1, the identification and the transaction data, the DES algorithm again being used for the encryption. Finally, the second encrypted message crypto Cv + 1 is transmitted to the franking machine.

Further sub-steps serve to branch to an idle state 501 in the data center in the event of unrecoverable incorrectly encrypted messages in sub-step 509 via a sub-step 513 until communication is resumed by a franking machine. Sub-steps are also provided in order to branch to sub-step 510 for canceling the previous transaction in the case of incorrectly encrypted messages found in sub-step 509 but with correctable errors, and then to branch to sub-step 511 in the data center. This sub-step serves to form a second key Kn + 1, which is to be transmitted in encrypted form to the franking machine, to form a second encrypted message crypto Cv + 1 and to transmit the encrypted message to the franking machine. In addition, the fourth step of the first transaction includes a sub-step 512 of the data center for storing the default request, from which a branch is made to the first sub-step 701 of the second step of the second transaction in order to have the first key Kn as the predecessor key and the second key Kn + 1 as Store successor key.

A fifth step of the first transaction, which comprises sub-steps 315 to 318 of the postage meter machine, serves to receive and to decrypt the second encrypted message, to extract at least the identification data and the transmitted second key Kn + 1 _{Cv + 1} , and to verify the encrypted received Notification based on the extracted identification data. Upon verification, the transmitted second key Kn + 1 _{Cv + 1} and the default _request are stored in the franking machine. Otherwise, if not verified, the process branches back to the first step of the first transaction.

After this pre-synchronization of the data center by the franking machine, a second transaction begins, which is preferably triggered by an additional manual entry in step 602. As a result of this temporary entry, the second transaction is triggered or the second transaction is left in communication mode if the entry time is exceeded. The T key must preferably be pressed within 30 seconds or the entry time has been exceeded and the process branches back to the first step of the first transaction. Communication can now be omitted or repeated as required.

A first step of the second transaction comprises substeps 602 to 608 of the franking machine for communicating with unencrypted data, for establishing the connection and for at least transmitting identification and transaction type data to the data center.

A second step of the second transaction, which includes sub-steps 701 to 706 of the data center, is provided for receiving the data and for checking the identification of the postage meter machine and for transmitting an unencrypted OK message to the postage meter machine. It is further provided that the second step of the second transaction comprises sub-steps in order to branch to an idle state 501 in the data center in the event of faulty unencrypted messages 705 via a sub-step 513 until the communication is resumed by a franking machine.

A third step of the second transaction comprises sub-steps 609 to 614 of the franking machine for forming a third encrypted message crypto cv + 2 by means of the aforementioned second key Kn + 1 and for Transmission of the third encrypted message crypto cv + 2 to the data center, comprising at least identification and postal register data, but without data for a default value.

A fourth step of the second transaction, which contains sub-steps 707 to 711 of the data center for receiving and decrypting the third encrypted message crypto Cv + 2, carries out its check for decryptibility by means of a key stored in the data center. Then a third key Kn + 2 is formed, which is to be transmitted in encrypted form to the franking machine, a fourth encrypted message crypto Cv + 3 is formed, which contains at least the aforementioned third key Kn + 2, the identification and transaction data and the transmission the fourth encrypted message crypto Cv + 3 to the franking machine.

The fourth step of the second transaction includes sub-steps in order to branch to an idle state 501 in the data center in the event of an unrecoverable incorrectly encrypted messages (sub-step 709) via a sub-step 513 until the communication is resumed by a franking machine. If erroneous encrypted messages with correctable errors are found in step 709, a branch is made to step 710 for canceling the previous transaction. A third key Kn + 2 is then formed in sub-step 711 in the data center, which is to be transmitted in encrypted form to the franking machine. The DES algorithm is used again to form a fourth encrypted message crypto Cv + 3. The encrypted message is then transmitted to the franking machine.

It is also envisaged that the fourth step of the second transaction for storing the default value comprises a sub-step 712 of the data center, which branches to the first sub-step 501 of the second step of the first transaction by the second key Kn + 1 as the previous key Kn-1 and store the third key Kn + 2 as successor key Kn for further first and second transactions.

A fifth step of the second transaction, which includes sub-steps 615 to 618 of the postage meter machine, serves to receive and decrypt the fourth encrypted message, to extract at least the identification data and the transmitted third key Kn + 2 _{Cv + 3} and the transaction data, and to verify the received encrypted message based on the extracted identification data. In the case of verification, the transmitted second key Kn + 2 _{Cv + 3} and the default value in the postage meter machine are correspondingly added to the descending register value R1 and the resulting credit is stored or, if not _{verified, the process branches} back to the first step of the first transaction.

Either there is a return to the first step in order to effect a further triggering of the transactions, or in the fifth step of the second transaction the aforementioned transaction request is canceled again.

A negative remote value specification in special mode differs from this ZERO remote value specification in communication mode primarily by special tamper-proof flags and time monitoring. Such tamper-proof flags are, in particular, a MAC-secured security flag X and a MAC-secured special flag N.

In Figure 6, the process is with two transactions for reloading with a negative credit value, i.e. a negative remote value specification for fund retransfer to the data center is shown. Such a negative remote value specification comprises at least two transactions.

The first transaction of communication with the data center DZ comprises the notification of a predetermined default request, preferably a ZERO default request, in order to establish the consistency of the register statuses between the data center DZ and the franking machine FM.

The first step during a first transaction, after a defined page entry into the special mode negative remote value specification compared to a normal entry into the communication mode (teleset mode) after the start of the franking machine, comprises a sub-step 301 for checking for a transaction request and further sub-steps 302 to 308 Input of the identification and other data to establish the communication connection and for communication with an unencrypted message to transmit at least identification and transaction type data to the data center. Individual data in the message can again be secured by a MAC or by means of CRC data in the aforementioned manner.

The defined side entry is achieved by pressing a secret predetermined key combination while switching on the franking machine. According to the invention, the control unit of the franking machine can distinguish between authorized actions (service technician) and unauthorized actions (intention to manipulate) in connection with the data previously transmitted by the data center and an input process.

In authorized action, a special flag N is set in step 220, because if the franking machine FM is switched off, the continuation of the transactions must be ensured after the franking machine is switched on again. To protect against possible manipulation, the special flag N is also stored in a non-volatile MAC-protected manner.

If an unsuccessful attempt is made or another key combination is entered to enter the page, this is evaluated as unauthorized action or as an intention to manipulate (error message) and saved, and a step 209 is initiated to prevent further franking.
It is provided that a predetermined key combination for each franking machine is stored in the data center and only the authorized person (service technician) is informed in order to achieve a predetermined operating sequence on the franking machine. The correct side entry causes a message on the display about the opening of the communication.

In order to convert the franking machine into a special mode, a flag N secured against manipulation is set in step 220 if a specific criterion is met, the specific criterion for the negative remote value specification for the special mode being at least the use of the predetermined key combination for entering the special mode when switching on the Franking machine includes.

In one variant, as with the positive remote value specification, the PIN is entered and the Teleset key (T key) is pressed, then the zero is entered and the T key is pressed before the communication is carried out.

Communication with the data center comprises at least two transactions, which are repeated in the event of an error, the communication being automatically resumed after an interruption and / or being carried out for as long as the aforementioned special flag N is set for the special mode, by means of which an automatic transaction request is made for the retransmission to complete the credit.

It is envisaged that a first step of the first transaction comprises sub-steps 301 to 308 of the postage meter machine in order to establish the connection, for communication with unencrypted data and to transmit at least identification, transaction type and other data to the data center. The transaction type data (1 byte) includes the message to the data center DZ to subsequently carry out the special mode of a desired negative remote value specification with the franking machine identified.

A second step of the first transaction comprises sub-steps 501 to 506 in the data center, for receiving the data and for checking the identification of the franking machine and for transmitting an unencrypted OK message to the franking machine. The second step of the first transaction also includes sub-steps in order to branch to an idle state 501 in the data center in the event of faulty unencrypted messages 505 via a sub-step 513 until the communication is resumed by a franking machine.

A third step of the first transaction comprises sub-steps 309 to 314 of the franking machine, for forming a first encrypted message Crypto cv by means of a first key Kn stored in the franking machine and for transmitting encrypted data to the data center, comprising at least the default request, identification and postal register. Data. In a further embodiment of the security measures, this encrypted message in the form of CRC data (cyclic redundancy check data) includes the message to the data center DZ to subsequently carry out the special mode of a desired negative remote value specification. The two-byte cyclic redundancy check is a checksum that reveals tampering with individual data processed for the checksum. This checksum can include individual data or the components of all messages (transaction type) on the part of the franking machine. The default request, the identification, postal register and CRC data are transmitted in a message encrypted with the DES algorithm. It is therefore not necessary to transmit MAC-encrypted or encrypted data to the data center in the first step.

A fourth step of the first transaction, which comprises sub-steps 507 to 511 in the data center, is corresponding to receiving and decrypting the first encrypted message or checking its decryptibility by means of a key stored in the data center, to form a second key Kn + 1 the key used by the franking machine to form a second encrypted message crypto Cv + 1, which contains at least the aforementioned second key Kn + 1, the identification and transaction data, and to transmit the second encrypted message crypto Cv + 1 to the franking machine.

It is envisaged that the fourth step of the first transaction also comprises sub-steps in order to branch to an idle state 501 in the data center in the event of unrecoverable incorrectly encrypted messages 509 via a sub-step 513 until the communication on the part of a postage meter machine again is recorded. Sub-steps are also provided in order to branch to erroneous encrypted messages 509 with correctable errors, to a step 510 to cancel the previous transaction and then to branch to sub-step 511 in the data center. This sub-step is used to form a second or third key Kn + 1, which is to be transmitted in encrypted form to the franking machine, to form a second encrypted message crypto Cv + 1 and to transmit the encrypted message to the franking machine. In addition, the fourth step of the first transaction includes a sub-step 512 of the data center for storing the default request, from which the first sub-step 701 of the second step of the second transaction is branched, with the first key Kn as the preceding key and the second key Kn + 1 as the successor key save.

A fifth step of the first transaction, which comprises sub-steps 315 to 318 of the postage meter machine, serves to receive and to decrypt the second encrypted message, to extract at least the identification data and the transmitted second key Kn + 1 _{Cv + 1} , and to verify the encrypted received Notification based on the extracted identification data. Upon verification, the transmitted second key Kn + 1 _{Cv + 1} and the default _request are stored in the franking machine. Otherwise, if not verified, the process branches back to the first step of the first transaction.

After this pre-synchronization of the data center by the franking machine, a second transaction takes place. A first step of the second transaction comprises sub-steps 602 to 608 of the franking machine for communication with unencrypted data in order to establish the connection and to at least identify and transfer transaction type data to the data center.

A second step of the second transaction, which includes sub-steps 701 to 706 of the data center, is provided for receiving the data and for checking the identification of the postage meter machine and for transmitting an unencrypted OK message to the postage meter machine. It is further provided that the second step of the second transaction comprises sub-steps in order to branch to an idle state 501 in the data center in the event of faulty unencrypted messages 705 via a sub-step 513 until the communication is resumed by a franking machine.

A third step of the second transaction comprises sub-steps 609 to 614 of the franking machine for forming a third encrypted message crypto cv + 2 by means of the aforementioned second key Kn + 1 stored in the franking machine and for transmitting the third encrypted message crypto cv + 2 to the data center at least identification and postal register data, but without data for a default value.

A fourth step of the second transaction, which contains sub-steps 707 to 711 of the data center for receiving and decrypting the third encrypted message crypto Cv + 2, carries out its check for decryptibility by means of a key stored in the data center. Then a third key Kn + 2 is formed, which is to be transmitted in encrypted form to the franking machine, a fourth encrypted message crypto Cv + 3 is formed, which contains at least the aforementioned third key Kn + 2, the identification and transaction data and the transmission the fourth encrypted Message crypto Cv + 3 to the franking machine.

The fourth step of the second transaction includes sub-steps in order to branch to an idle state 501 in the data center in the event of an unrecoverable incorrectly encrypted messages 709 via a sub-step 513 until the communication is resumed by a franking machine. If erroneous encrypted messages with correctable errors are found in step 709, a branch is made to step 710 for canceling the previous transaction. A third key Kn + 2 is then formed in sub-step 711 in the data center, which is to be transmitted in encrypted form to the franking machine. The DES algorithm is used again to form a fourth encrypted message crypto Cv + 3. The encrypted message is then transmitted to the franking machine.

It is also envisaged that the fourth step of the second transaction for storing the default value comprises a sub-step 712 of the data center, which branches to the first sub-step 501 of the second step of the first transaction by the second key Kn + 1 as the previous key Kn-1 and store the third key Kn + 2 as successor key Kn for further first and second transactions.

A fifth step of the second transaction, which includes sub-steps 615 to 618 of the postage meter machine, serves to receive and decrypt the fourth encrypted message, to extract at least the identification data and the transmitted third key Kn + 2 _{Cv + 3} and the transaction data, and to verify the received encrypted message based on the extracted identification data. The above step points to the identification of the completed implementation, in contrast to the positive remote value specification, a further query criterion. The franking machine FM is to receive the fourth crypto message within a predetermined time from the sending of the third crypto message. If the connection was free of interruption, the reception would take place in the predetermined time t1.

In the preferred embodiment, the last and particularly critical section of the second transaction is monitored for the time t1 being exceeded. The possible manipulation time is thus severely limited. For this purpose, a time count is started in the processor (control unit 6) of the franking machine during the second to last message to be transmitted, after the third crypto message has been sent. This is preferably solved in such a way that the corresponding program section activates a routine which sets a counter, which in turn is decremented by the system clock or its multiple. In order to monitor a larger period of time, for example in the order of 10 seconds, several counters are cascaded. If the fourth crypto message from the data center reaches the franking machine within the critical time period, the counter is deactivated. However, if this last crypto message is not received, the counter set is decremented further. When the counter passes zero, a program interrupt signal (interrupt) is triggered. This signal causes a special subroutine to be called which prepares and triggers a new transaction. Part of this renewed transaction is again the transmission of the contents of the postal register. A consistency check taking place in the data center then leads to the result that an unfinished transaction in special mode was preceded by negative remote value specification. The inconsistent data records are corrected and the negative remote value specification is completed.

A further variant of the invention results if an incremental counter is used instead of a decremental counter. After each counting cycle, the comparison with the number that corresponds to the monitored period must be carried out.

Exceeding the time t1 is a sure sign of a failed transmission and causes a special subroutine to be called which prepares and automatically triggers a new execution of the negative remote value specification. In this case, the first and second transactions are repeated automatically with key Kn + 2.

After a successful query or verification in the fifth step of the second transaction, the transmitted second key Kn + 2 _{Cv + 3} and the default value in the franking machine are added to the descending register value R1 and the resulting credit is saved or, if it is not verified or times out, becomes the first Branched back step of the first transaction.

The fifth step of the second transaction includes a sub-step (620) of the postage meter machine for resetting the aforementioned special flag N or for returning to the normal mode of the postage meter machine, whereby the aforementioned automatic transaction request is canceled again when the execution of the second transaction has been completed is.

The service technician present ensures the continued trouble-free process until the negative remote value specification is completed.

Is the completion due to a long or constant interruption of the connection between the franking machine and data center is not possible, the service technician must take the franking machine to the dealer's office and continue with the completion from there. Otherwise there would be a credit in the franking machine which, according to information in the data center, is already considered to be retransmitted. The successful completion of the negative remote value specification, ie the fund retransfer, can be checked by querying the register values R1 = 0 or R2 = R3 and R3 = R2 + R1.

• R1 (descending register) vorrätige Restbetrag in der Frankiermaschine,
• R2 (ascending register) Verbrauchssummenbetrag in der Frankiermaschine,
• R3 (total resetting) die bisherige Gesamtvorgabesumme aller Fernwertvorgaben,
• R4 (piece count Σprinting with value ≠ O) Anzahl gültiger Drucke,
• R8 (R4 + piece count Σprinting with value =O) Anzahl aller Drucke

The franking machine can transmit register values to the data center, for example, before reloading with a zero default value. Here are:

• R1 (descending register) remaining amount in the franking machine,
• R2 (ascending register) amount of consumption in the franking machine,
• R3 (total resetting) the previous total of all remote values,
• R4 (piece count Σprinting with value ≠ O) number of valid prints,
• R8 (R4 + piece count Σprinting with value = O) Number of all prints

With every remote value specification, at least R1 can be queried and statistically evaluated.

At the end of the day, the data center decides on the validity of the fund retransfer as a result of the special remote value setting. If no event is reported by the service technician, for example that the negative remote value specification could not be carried out, or if the same franking machine makes no request to reload a positive credit, the validity is assumed.

The special flag N set when entering the special mode negative remote value specification was reset when the transaction was successful. The franking machine prevents all frankings with values greater than zero because no more credit is loaded. The franking machine is still ready for frankings with values equal to zero and other operating modes as long as they do not require a credit or as long as no postage is franked and the quantity limit is not reached.

Either, as in the one variant, the predetermined side entry triggers the transactions in the special mode, or in another variant at least one manual step 302 in the special mode is negative remote value specification after a side entry to enter an identification number (PIN) and to enter the predetermined default request as provided for the positive remote value specification, which is queried in step 303. An additional manual step for temporary entry, which is queried in step 603, triggers the second transaction and exits or repeats the first transaction in communication mode or in special mode if the entry time is exceeded. The T key must preferably be pressed within 30 seconds or the entry time has been exceeded.

A number of variants with different security levels can also be implemented. In this way, a check for transmission of a predetermined default request can be carried out in the data center. In the simplest case, the default request - analogous to the remaining amount R1 still available in the descending register in display mode 215 - must be entered and transmitted to the data center. Since the postal register content, but at least R1, is automatically transmitted to the data center for every transaction a negative remote value target for fund retransfer is achieved if the target amount corresponds to the remaining amount.

In a second variant, any desired request is agreed as a code with the data center. A zero default request is preferably agreed. If the special mode negative remote value specification is called up within a certain time after the agreement and the ZERO specification request is entered or confirmed as the specification request, the remaining amount R1 is automatically reset to ZERO in the franking machine. A corresponding query step 219 for such a further specific criterion for the franking machine was shown in dashed lines in FIG. This branches to step 220 for setting the special flag N. In a further embodiment, the operation can be simplified if a zero remote value specification has already been made as the last transaction. Then all that is left to do is to operate the side entry in order to carry out the negative remote value specification fully automatically or to achieve a ZERO residual value R1 = 0.

Manipulation is limited in time by starting time monitoring from sub-step 613 of sending the third crypto message to the data center until the fourth crypto message is received by the franking machine. If the fourth crypto message could not be received within a predetermined time t1, a special subroutine is called which prepares a new execution of the special mode negative remote value specification and triggers it automatically. By further sub-steps 615, 616, 301 for automatically resuming communication after the communication link between the data center and Postage meter machine or after the postage meter machine has been switched off and on again, the communication continues as long as the aforementioned special flag N is set. The special flag N, evaluated as a transaction request, is non-volatile and is stored in a MAC-secured manner against manipulation. The special flag N is only reset in step 620 after the retransfer of the credit has been completed.

In a third variant, security is increased by a combination of different measures. Regardless of the franking machine, a first communication link is established between the authorized user and the data center for storing a code for registering an authorized action on the franking machine by means of a default request that is transmitted later. The franking machine can now be switched on to carry out an authorized predetermined operating sequence in order to enter a negative remote value specification via a side entry into a special mode. Thereupon a second communication connection is established between the franking machine and the data center and the input of a default request. In a first transaction, a distinguishable logon to the data center takes place if the transmitted request matches a corresponding code. In the first transaction, for example, a new code word or security flag and / or operating sequence is transmitted to the franking machine. By carrying out at least one further transaction and automatically carrying out the aforementioned communication, the security-relevant data is transmitted and its storage in the franking machine is completed. In accordance with the specification request, the specification value is added to the remaining credit in the corresponding memory of the franking machine and, in order to check the transaction, in an appropriate memory of the data center.

Otherwise, execution of a step 209 for deleting a tamper-proof stored security flag X as a result of at least one unauthorized deviation from the predetermined operating sequence or because the franking machine has been tampered with is provided. The franking machine is thus transferred to a first mode in order to effectively put it out of operation for franking (franking mode 400) (step 409), in contrast to the authorized action or intervention.

A transfer of a valid operating sequence from the data center to the franking machine becomes superfluous if the operating sequence is changed depending on the time. The same calculation algorithm is used in the data center and in the franking machine to determine a current operating sequence. Another variant is based on the storage of the current operating sequence in the franking machine by means of a special reset E ² PROM by the service technician.

In a further variant, the security is increased by an authorized person by means of an additional input security means which is brought into contact with the franking machine in order to transfer a remaining credit back to the data center. First of all, the data center ensures that it is up-to-date by reporting the register status using a zero remote value specification. The service technician then uses a reset read-only memory module (refund EPROM) as input security means in a predetermined base of the at least partially opened franking machine. After switching on or entering the program of the franking machine, it is checked whether a refund EPROM has been used. This can advantageously be carried out in step 219 - shown in FIG. 2 - for checking a further criterion. A correct side entry with a non-available refund EPROM leads to point e or, in a variant not shown, a step to abort the routine. For example, a step 209 can be branched to delete a flag X, which would be noticed in step 409 of the franking mode (FIG. 4) and leads to statistics and error evaluation or registration in step 213. Otherwise, with the correct side entry and with the refund EPROM inserted, a special flag N is set, which automatically triggers the transfer of the remaining credit to the data center in communication mode.

In a sub-variant, steps 218 and 219 according to FIG. 2 can be reversed in their sequence, so that only after the plugged-in refund EPROM has been asked and only then has the correct side entry been asked for. Such a sub-variant has the advantage that the information about the correct page entry can also be stored in the refund EPROM instead of in the franking machine. This further increases the security against tampering with the intention of forgery.

The status of the franking machine (out of service) is stored in the data center. The authorized person removes the input security device from the base and closes the housing of the franking machine. In the data center, as in the franking machine, the postal registers registering the credit for available remaining credit R1, the total amount of consumption R2 and the total amount R3 are set to zero (R1 = 0; R2 = 0; R3 = R1 + R2 = 0). The customer's remaining balance is returned to the customer's corresponding account.

In the case of a chip card read / write unit in the franking machine, the input security means can of course also be implemented as a chip card.

The invention is not limited to the present embodiments. Rather, a number of variants are conceivable which make use of the solution shown, even in the case of fundamentally different types.

Claims (23)

Method for improving the security of postage meter machines against manipulation, with a microprocessor in a control unit of the postage meter machine for executing steps for a start and initialization routine and subsequent system routine with the possibility of entering a communication mode with a remote data center in order to add a credit value load or transfer back to the data center and further input steps in order to enter a franking mode, which branches back into the system routine after execution of a billing and printing routine, characterized by Side entry by performing an authorized predetermined operating sequence while switching on the franking machine (steps 100 to 105), - Calling up of currently valid data (step 201) which identify authorized action, Monitoring (steps 217, 218, 219) by means of the microprocessor (6) by distinguishing between authorized and unauthorized action, - Transferring the franking machine to a special mode for negative remote value specification with a step (220) which was evaluated as a transaction request in the query step (301) of the communication mode if a number of specific criteria (217, 218, 219) are met, - Transfer to a first mode (209) in order to effectively prevent the franking machine from franking postage values (step 409) if the operating sequence does not correspond to a permitted predetermined operating sequence, - Establishing a communication connection (sub-steps 301 to 308) and carrying out encrypted communication (sub-steps 313, 511, 613 and 711) with the data center in said special mode, and - Monitoring by microprocessor (6) for the completion of said special mode (sub-step 616). Method according to Claim 1, characterized in that the operation of the franking machine is monitored, comprising a query for the correct page entry and comprising a distinction between the completed and incomplete execution of the special mode of negative remote value specification by means of a microprocessor (6), the incomplete execution of the Special mode of negative remote value specification at least one further step for automatically continuing communication by means of further transactions is provided in order to complete the retransmission if the previous steps for executing a negative remote value specification were interrupted or incorrectly encrypted data was transmitted to the franking machine. Method according to claims 1 to 2, characterized in that a predetermined key combination for each franking machine is stored in the data center and only the authorized person (service technician) is informed in order to achieve a predetermined operating sequence on the franking machine and that the aforementioned specific criterion for the special mode negative remote value specification is the use of the predetermined key combination while switching on the franking machine (side entry). Method according to claims 1 to 2, characterized in that a query for the correct page entry (218) after a check (219) with regard to an inserted one Input security means takes place, the information about the correct page entry also being stored in the input security means. Method according to claims 1 to 4, characterized in that the input security means is a refund EPROM or the input security means is implemented as a chip card in the case of a chip card read / write unit in the franking machine, and that the input security means (refund EPROM or Chip card) is brought into contact with the franking machine in order to transfer a remaining credit back to the data center. Method according to one of claims 1 to 5, characterized by at least one manual step (302) in the special mode negative remote value specification after a page entry for entering an identification number (PIN) and for entering the predetermined default request and / or by one in the first query step (602) the second transaction requested manual step for temporary entry to trigger the second transaction and for exiting or repeating the first transaction in communication mode or in special mode if the entry time is exceeded. Method according to one of claims 1 to 6, characterized in that - That if a specific criterion is met, a sleeping flag Z in a step (411) of the franking mode (400) and / or for transferring the franking machine into a second mode in a special mode, a special flag N secured against manipulation is set in a step (220) of the system routine (200), the specific criterion for the negative remote value specification for the special mode being at least the use of the predetermined key combination for entering the special mode while the franking machine is switched on includes - That communication with the data center comprises at least two transactions, which are repeated in the event of an error, the communication being automatically resumed after an interruption and / or being carried out for as long as the aforementioned special flag N is set for the special mode, by which an automatic transaction request is made to complete the retransfer of the balance, whereby: a) a first step of the first transaction comprises sub-steps (301 to 308) of the postage meter machine in order to set up the connection, for communication with unencrypted data and to transmit at least identification, transaction type and other data to the data center, b) a second step of the first transaction comprises sub-steps (501 to 506) of the data center, for receiving the data and for checking the identification of the postage meter machine and for transmitting an unencrypted OK message to the postage meter machine, c) a third step of the first transaction comprises sub-steps (309 to 314) of the franking machine, for forming a first encrypted message Crypto cv by means of a first key Kn stored in the franking machine and for transmitting encrypted data to the data center, comprising at least the default request, identification - and postal register data, d) a fourth step of the first transaction comprises sub-steps (507 to 511) of the data center for receiving and decrypting the first encrypted Notification or its check for decryptibility by means of a key stored in the data center, for forming a second key Kn + 1 corresponding to the key used by the franking machine, for forming a second encrypted message crypto Cv + 1, which contains at least the aforementioned second key Kn + 1, which contains identification and transaction data and for transmitting the second encrypted message crypto Cv + 1 to the franking machine, e) a fifth step of the first transaction comprises sub-steps (315 to 318) of the postage meter machine, for receiving and decrypting the second encrypted message, for extracting at least the identification data and the transmitted second key Kn + 1 _{Cv + 1} , and for verifying the received _ones encrypted message based on the extracted identification data, with the verified second key Kn + 1 _{Cv + 1} and the default _{request being} stored in the franking machine during verification or otherwise _branching back to the first step of the first transaction in the event of non-verification, as well as being f) a first step of the second transaction comprises sub-steps (602 to 608) of the postage meter machine, for communication with unencrypted data, for establishing the connection and for at least transmitting identification and transaction type data to the data center, g) a second step of the second transaction comprises sub-steps (701 to 706) of the data center, for receiving the data and for checking the identification of the franking machine and for transmitting an unencrypted OK message to the franking machine, h) a third step of the second transaction comprises sub-steps (609 to 614) of the franking machine to form a third encrypted message crypto cv + 2 by means of the aforementioned in the franking machine stored second key Kn + 1 and for transmitting the third encrypted message crypto cv + 2 to the data center, comprising at least identification and postal register data, without a default value, i) a fourth step of the second transaction comprises sub-steps (707 to 711) of the data center, for receiving and decrypting the third encrypted message crypto Cv + 2 or checking its decryptibility by means of a key stored in the data center, to form a third key Kn + 2 corresponding to the key used by the franking machine, to form a third key Kn + 2, which is to be transmitted to the franking machine in encrypted form, to form a fourth encrypted message crypto Cv + 3, which contains at least the aforementioned third key Kn + 2, the Contains identification and transaction data and for transmitting the fourth encrypted message crypto Cv + 3 to the franking machine, j) a fifth step of the second transaction comprises sub-steps (615 to 618) of the franking machine, for receiving and decrypting the fourth encrypted message, for extracting at least the identification data and the transmitted third key Kn + 2 _{Cv + 3} and the transaction data, and for Verification of the received encrypted message on the basis of the extracted identification data, wherein the verified second key Kn + 2 _{Cv + 3} and the default value in the franking machine are added accordingly to the descending register value R1 and the resulting credit is stored or otherwise branched back to the first step of the first transaction , and k) the fourth step of the first transaction for storing the default request comprises a sub-step (512) of the data center, which is based on the first sub-step (701) of the second step of the second transaction branches in order to store the first key Kn as the preceding key and the second key Kn + 1 as the successor key, l) the second step of the first transaction and the second step of the second transaction comprises sub-steps in order to branch to an idle state (501) in the data center in the event of faulty unencrypted messages (505) or (705) via a sub-step (513) for error messages until communication is resumed by a franking machine, m) the fourth step of the first transaction and the fourth step of the second transaction comprises sub-steps in order to branch to an idle state (501) in the data center in the event of unrecoverable incorrectly encrypted messages (509, 709) via a sub-step (513) until an error message is reached communication is resumed on the part of a franking machine and, in the case of incorrectly encrypted messages (509, 709) with correctable errors, to a step (510, 710) for canceling the previous transaction and then to the sub-step (511, 711) in the To branch data center, further sub-steps to form a second or third key Kn + 1 or Kn + 2, which is to be transmitted encrypted to the franking machine, to form a second or fourth encrypted message crypto Cv + 1 or crypto Cv + 3 , and to transmit the encrypted message to the franking machine, n) the fourth step of the second transaction for storing the default value comprises a sub-step (712) of the data center, which branches to the first sub-step (501) of the second step of the first transaction by the second key Kn + 1 as the previous key Kn-1 and save the third key Kn + 2 as successor key Kn for further first and second transactions, o) the fifth step of the second transaction is a sub-step (620) of the franking machine for resetting of the aforementioned special flag N or to return to the normal mode of the franking machine, whereby the aforementioned automatic transaction request is canceled again. Method according to one of Claims 1 to 7, characterized by starting time monitoring from sub-step (613) of sending the third crypto message to the data center until the fourth crypto message is received by the franking machine, wherein if the fourth crypto message Message could not be received within a predetermined time tl, a special subroutine is called, which prepares a new execution of the special mode negative remote value specification and automatically triggers it, and by further steps (615, 616, 301) for automatic resumption of communication after an interruption of the communication link between Data center and franking machine or after the franking machine has been switched off and on again, the special flag N, evaluated as a transaction request, being stored in a non-volatile manner and being MAC-secured against manipulation, and the communication w. As long as the aforementioned special flag N has been set continued and the special flag N (in step 620) is only reset after completion of the retransfer of the credit. Method for improving the security of postage meter machines against manipulation, with a microprocessor in a control unit of the postage meter machine for executing steps for a start and initialization routine and subsequent system routine with the possibility of entering a communication mode with a remote data center in order to add a credit value load or transfer back to the data center and further input steps in order to enter a franking mode, which branches back into the system routine after execution of a billing and printing routine, characterized by the steps a) Establishing a first communication link between the authorized user and the data center and storing a code for registering an authorized action on the franking machine by means of a default request transmitted later, b) switching on the franking machine to carry out an authorized predetermined operating sequence in order to enter a negative remote value specification via a side entry into a special mode, c) Establishing a second communication connection between the franking machine and the data center and entering a default request, wherein after the franking machine enters the communication mode (300) and after establishing a connection to a remote data center, a first transaction for setting a default request is carried out in accordance with the remaining credit value to be retransmitted if the operating sequence corresponds to a permitted predetermined operating sequence, in contrast to unauthorized action, and if the default value transmitted to the data center matches the code stored there for the previously agreed predetermined default value, d) performing at least one further transaction for automatically carrying out the aforementioned communication in order to transmit the security-relevant data and to complete their storage in the franking machine or e) Execution of a step (209) for deleting a tamper-proof stored security flag X as a result of at least one unauthorized deviation from the predetermined operating sequence or because the franking machine was intervened, and transferring the Franking machine in a first mode in order to effectively put it out of operation for franking (400) (step 409), in contrast to the authorized action or intervention. Method according to claim 9, characterized in that after the franking machine is switched on or after the side entry, a start and initialization routine (101-105) is run through and a starting point s of a system routine (200) is reached, within which at least one query of criteria for individual modes and a point e is reached, after which the franking machine can enter a communication mode (300) and / or then at least branches to a franking mode (400), in which criteria are also queried and in communication mode (300) during communication transactions are carried out with encrypted messages in order to load at least one default request and / or further current data into the franking machine. Method according to claims 9 to 10, characterized in that before the authorized action is registered on the franking machine, a predetermined key combination is stored in the data center,
which is required to achieve a predetermined operating sequence, that the franking machine is switched on by an authorized person (service technician) by pressing the predetermined key combination to carry out a special mode negative remote value specification, and that the communication is carried out automatically in order to retransfer the credit to accomplish. Method according to claims 9 to 11, characterized in that a storage of a predetermined code in the data center is carried out during a first communication for an agreement on an authorized action or intervention on the franking machine and that when the code is recognized from the default request in the Data center, a transaction for transmitting a future predetermined operating sequence and / or a new security flag X 'from the data center to the franking machine is carried out during the aforementioned second communication with encrypted messages, in response to the request made in accordance with the code of the default request. Method according to claims 9 to 12, characterized in that the transfer of the franking machine into the first mode for preventing franking comprises the following steps: Carrying out a transaction which comprises a new security flag X 'which was transmitted from the remote data center to the franking machine, Deleting the security flag X if the franking machine intervenes and / or if the negative remote value specification is manipulated fraudulently, - Further use of an existing new security flag X 'as a valid security flag X after initialization (101-105) and - ongoing query in step (409) to check for the presence of the valid security flag X, during the operation of the franking machine before an accounting and printing routine (406) within the franking mode (400), - Execution of the accounting and printing routine (406) or if it is determined that a valid one is missing Security flags X in step (409) or in the event that no new valid security flag X 'has been transmitted, branching to the statistics and error evaluation mode (213) and from there to the display mode (215), wherein the aforementioned steps are carried out in order to ensure the maintenance, evaluation and display of the aforementioned first mode and then to branch back again to the starting point s of the system routine (200). Method according to claims 9 to 13, characterized in that in the event that a specific criterion is met, the franking machine is converted into the special mode for negative remote value specification by steps (217 to 220) which take place after a starting point s of the system routine (200) and a step (201) for calling up current data before point e, comprising: a step (217) in order to determine a forbidden side entry from the comparison with the stored permitted operating processes, a step (209) to delete the security flag X in the event of a prohibited side entry and to prevent the franking machine from being refilled, - A step (218) to check the correct page entry by comparing with the decision criterion transmitted during a transaction and - A step (219) for checking by means of a further decision criterion and - The steps (218 and 219) branch to a step (220) when the decision criterion is met in order to set a special flag N and to automatically enter a communication mode for communication with the data center via point e, and - Otherwise, if the respective decision criterion is not met, the system branches to point e and to the franking mode or other modes branching if the check (in step 301) shows that there is no communication request. Method according to claim 10, characterized in that the transfer of the franking machine into a second mode, if a specific criterion is fulfilled, is carried out by steps (201 to 203) which take place after the start point s of the system routine (200) and after step ( 201) for accessing current data before point e, which include: - A step (202) for checking the data by means of a decision criterion and entering the second mode when the criterion is met (step 203) in order to issue a warning and request to the user of the franking machine to communicate with the data center, the communication being encrypted Messages are provided in order to carry out a transaction with a specific quantity S ', which is transmitted from the remote data center to the franking machine. Method according to Claim 15, characterized in that if a further decision criterion is not met in step (410), when the loaded number of pieces has been used, a flag Z is set in step (411) to automatically enter the communication mode (300) execute the point e in order to carry out a transaction of the specific number of items S ', which is transmitted from the remote data center to the franking machine. Method according to claim 16, characterized in that step (203) for displaying a warning or step (411) for setting of a Z-FLAG for a communication request additionally comprises a sub-step for error statistics and the Z-FLAG is reset (211) by establishing communication with the transmission of data. Method for improving the security of postage meter machines against manipulation with a microprocessor in a control unit of the postage meter machine for executing steps for a start and initialization routine and subsequent system routine with a possibility of entering a communication mode with a remote data center in order to load a credit value or to the Transfer back to the data center and further input steps in order to enter a franking mode, from which the system routine branches back after execution of a billing and printing routine, characterized by communication between the franking machine and the data center, comprising at least encrypted messages,
by distinguishing between authorized action (service technician) and unauthorized action (intention to manipulate) by means of the control unit of the franking machine in connection with steps for executing a remote value specification for transferring a credit value to the data center, the franking machine making a specification request during a first transaction the data center is transmitted and after a second transaction there and in the franking machine, a corresponding default value is added to the value of the descending register and stored, and
by switching the franking machine off and on again, a defined sequence having been carried out with predetermined actuating means in order to carry out a further first and second transaction and
wherein the control unit mentioned checks whether a positive default request or whether a negative default request is to be carried out according to the amount of the remaining credit value stored in the descending register,
by monitoring the transactions, the franking machine checking whether a predetermined time period has been observed during the aforementioned further second transaction, further steps for automatically continuing the communication are carried out in order to complete the transmission if the previous steps for executing a negative remote value specification interrupted or if incorrect encrypted data was transmitted to the franking machine. Method according to Claim 18, characterized in that transactions with encrypted messages are carried out during the communication in order to load at least one credit reload value and / or further current data into the franking machine. Method according to claims 18 to 19, characterized in that a first transaction carried out during the communication with encrypted messages comprises a default request for a default value for reloading which is transmitted to the remote data center and that a second transaction carried out during the communication with encrypted messages includes a new key and identification data, which are transmitted to the franking machine. Method for improving the security of postage meter machines against manipulation with a microprocessor in a control unit of the postage meter machine for executing steps for a start and initialization routine and subsequent system routine with a possibility of entering a communication mode with a remote data center in order to load a credit value or to the Transfer back to the data center and further input steps in order to enter a franking mode, from which the system routine branches back after execution of a billing and printing routine, characterized by distinguishing between non-manipulated and manipulated operation of a franking machine by means of the control device (6), during an operating mode ( 290) the duration of the execution of programs, program parts or security-relevant routines is monitored and by one after the end of programs, program parts or safe Routine-relevant routines, then comparing the measured transit time with a predetermined transit time and / or by monitoring the compliance with a specific time sequence in special mode during a communication in communication mode (300), negative remote value specification, in particular the time period from the sending of a third encrypted message from the franking machine to receipt the fourth encrypted message in the franking machine sent from the data center to the franking machine, which triggers a zeroing of the credit value upon verification. Method according to claim 21, characterized in that a decremental counter or an incremental counter is used to indicate that the time tl has been exceeded in the special mode as a reliable indication of a failed transmission detect and that a special subroutine is called, which prepares a new execution of the special mode negative remote value specification and triggers automatically, so that the first and second transactions are repeated automatically. Method for improving the security of postage meter machines in the transfer of credit against manipulation, with a microprocessor in a control unit of the postage meter machine for executing steps for a start and initialization routine and subsequent system routine with a possibility of entering a communication mode with a remote data center in order to add a credit value load or transfer back to the data center and further input steps in order to enter a franking mode, which branches back into the system routine after execution of a billing and printing routine, characterized by the steps Establishing a first communication link between an authorized person and the data center independent of the franking machine for storing a predetermined code (default value), - switching on the franking machine, - Registration of an authorized action on the franking machine if the preset value corresponds to the predetermined code, a predetermined key combination being stored in the franking machine during a first transaction and / or the intervention in the franking machine being registered at the data center if the preset value is a predetermined one Code corresponds, with a new security flag X being stored in the franking machine during a first transaction. - Execution of a second transaction to change the remaining credit of the franking machine.

Images