EP0996097B1 - Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit - Google Patents

Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit Download PDF

Info

Publication number
EP0996097B1
EP0996097B1 EP00250033A EP00250033A EP0996097B1 EP 0996097 B1 EP0996097 B1 EP 0996097B1 EP 00250033 A EP00250033 A EP 00250033A EP 00250033 A EP00250033 A EP 00250033A EP 0996097 B1 EP0996097 B1 EP 0996097B1
Authority
EP
European Patent Office
Prior art keywords
data center
franking machine
transaction
data
franking
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
EP00250033A
Other languages
German (de)
English (en)
Other versions
EP0996097A9 (fr
EP0996097A3 (fr
EP0996097A2 (fr
Inventor
Enno Bischoff
George G. Gelfer
Wolfgang Dr. Thiel
Andreas Wagner
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Francotyp Postalia GmbH
Original Assignee
Francotyp Postalia GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Francotyp Postalia GmbH filed Critical Francotyp Postalia GmbH
Publication of EP0996097A2 publication Critical patent/EP0996097A2/fr
Publication of EP0996097A3 publication Critical patent/EP0996097A3/fr
Publication of EP0996097A9 publication Critical patent/EP0996097A9/fr
Application granted granted Critical
Publication of EP0996097B1 publication Critical patent/EP0996097B1/fr
Anticipated expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07BTICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B17/00Franking apparatus
    • G07B17/00185Details internally of apparatus in a franking system, e.g. franking machine at customer or apparatus at post office
    • G07B17/00362Calculation or computing within apparatus, e.g. calculation of postage value
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07BTICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B17/00Franking apparatus
    • G07B17/00016Relations between apparatus, e.g. franking machine at customer or apparatus at post office, in a franking system
    • G07B17/0008Communication details outside or between apparatus
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07BTICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B17/00Franking apparatus
    • G07B17/00016Relations between apparatus, e.g. franking machine at customer or apparatus at post office, in a franking system
    • G07B17/0008Communication details outside or between apparatus
    • G07B2017/00153Communication details outside or between apparatus for sending information
    • G07B2017/00161Communication details outside or between apparatus for sending information from a central, non-user location, e.g. for updating rates or software, or for refilling funds
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07BTICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B17/00Franking apparatus
    • G07B17/00185Details internally of apparatus in a franking system, e.g. franking machine at customer or apparatus at post office
    • G07B17/00193Constructional details of apparatus in a franking system
    • G07B2017/00241Modular design
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07BTICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B17/00Franking apparatus
    • G07B17/00185Details internally of apparatus in a franking system, e.g. franking machine at customer or apparatus at post office
    • G07B17/00193Constructional details of apparatus in a franking system
    • G07B2017/00258Electronic hardware aspects, e.g. type of circuits used
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07BTICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B17/00Franking apparatus
    • G07B17/00185Details internally of apparatus in a franking system, e.g. franking machine at customer or apparatus at post office
    • G07B17/00362Calculation or computing within apparatus, e.g. calculation of postage value
    • G07B2017/00419Software organization, e.g. separation into objects
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07BTICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B17/00Franking apparatus
    • G07B17/00733Cryptography or similar special procedures in a franking system
    • G07B2017/0079Time-dependency

Definitions

  • the invention relates to a method for improving the security of franking machines in the credit transfer, especially in the fund return to the data center, according to the specified in the preamble of claim 1.
  • a franking machine usually generates a print in a form agreed with the post office right-justified, parallel to the top edge of the mail starting with the content postage in the postmark, date in the day stamp and stamp imprints for advertising clichés and possibly transmission type in the Wahltikstkov.
  • the postal value, the date and the type of shipment form the variable information to be entered in accordance with the item of mail.
  • the postage value is usually the forwarding charge prepaid by the sender (Franko), which is taken from a refillable credit register and used to clear the postal consignment.
  • Franko forwarding charge prepaid by the sender
  • a register is only counted up and read at regular intervals by a postal inspector, depending on the frankings made with the postage value.
  • any franking made must be accounted for and any manipulation that leads to an unbilled franking must be prevented.
  • a known franking machine is equipped with at least one input means, an output means, an input / output control module, a program, data and in particular the billing register bearing memory device, a control device and a printer module.
  • measures must also be taken to ensure that the print mechanics can not be misused for uncalculated impressions when switched off.
  • the invention relates to a method for franking machines, which provide a fully electronic impression produced for franking mail including the imprint of an advertising cliché. This has the consequence that only when switched on a non-billed valid franking must be prevented.
  • the memory device comprises at least one non-volatile memory module which contains the remaining balance remaining, which results from the fact that the respective postage value to be printed is deducted from a credit that was previously loaded into the postage meter machine.
  • the franking machine blocks when the remaining balance is zero.
  • Known franking machines contain at least one memory three relevant postal registers for consumed sum value (increasing register), remaining balance still available (falling register) and registers for a checksum. The checksum is compared to the sum of the used totals and the available credits. Already so a check for correct billing is possible.
  • the communication of the data center with the franking machine need not be limited to a mere transfer of the credit to the franking machine. Rather, in the case of a logoff of the franking machine, the communication of the data center with the franking machine is used to transfer the remaining balance of the franking machine into the data center. The value in the falling post register of the postage meter is then zero, effectively suspending the postage meter.
  • a method of diagnosis in an electrically controlled mechanical device known from GB 22 61 748 A monitors parameters and generates an analysis histogram.
  • Akuragebäuse for franking machines which has internal sensors is known from DE 41 29 302 A1.
  • the sensors are in particular with a battery connected switches, which become active when the security case is opened in order to delete a memory storing the residual value credit (falling postal register) by interrupting the energy supply. It is known, but not predictable, which state a voltage-free memory module occupies when the voltage returns. Thus, an unpaid higher residual balance could arise.
  • the residual assets at least partially discharged.
  • the description can not be deduced how to prevent a manipulator from restoring an unpaid balance.
  • unauthorized access to use of the postage meter machine is to be prevented by blocking the postage meter machine if a predetermined password is entered incorrectly.
  • the franking machine can be set by means of a password and corresponding input via the keyboard so that franking is possible only during a predetermined time interval or times of day.
  • the password can be entered by a personal computer via MODEM, by a smart card or manually in the postage meter. After positive The franking machine is released compared with a password stored in the franking machine.
  • a security module (EPROM) is integrated in the control module of the billing unit.
  • an encryption module (separate microprocessor or program for FM CPU based on DES or RSA code) is provided which generates a postage value, the subscriber number, a transaction number and the like in the franking stamp. If enough criminal energy but also a password could be explored and brought together with franking machine in the possession of a manipulator.
  • the postage meter Upon detection of tampering, the postage meter will be disabled during remote inspection via modem by a signal originating from the data center. On the other hand, skilful manipulation could be to return the flag and registers to their original state after making unfilled franking imprints. Such manipulation would not be detectable via remote inspection by the data center if this undone manipulation was prior to the remote inspection. Also, the receipt of the postcard from the data center, on which to be carried out for inspection purposes franking should allow the manipulator to restore the postage meter in sufficient time to the original state. Thus, no higher security can be achieved yet.
  • a security print according to the FP's own European patent application EP 576 113 A2 provides symbols in a marking field in the franking stamp, which contain a cryptified information. This allows the postal authority, which interacts with the data center, to detect a manipulation of the franking machine at any time from the respective security print.
  • a current control n is such provided with a security imprint of mail ting via appropriate security markings in the stamp image technically possible, but this means an extra effort in the post office. In a sample-based control, however, a manipulation is usually detected late.
  • Another type of expected manipulation is the reloading of the postage meter registers with a non-cleared credit value. This results in the requirement of a secure recharge.
  • An additional security measure is the comparison of an internal fixed combination stored in a nonvolatile register with an input external combination, wherein after a number of failed attempts, i. Non-identity of the combinations, the franking machine is locked by means of an escapement electronics. According to US 4 835 697, in order to prevent unauthorized access to the franking machine, the combination can be changed in principle.
  • EP 388 840 A2 discloses a comparable safety technology for setting a franking machine in order to clean it of data without the franking machine having to be transported to the manufacturer. Again, security depends solely on the encryption of the transmitted code.
  • the postage meter communicates periodically with the data center.
  • a blocking means allows the postage meter to be blocked after a predetermined time or after a predetermined number of operation cycles and provides a warning to the user.
  • For unlocking an encrypted code must be entered from the outside, which is compared with an internally generated encrypted code.
  • the billing data is included in the encryption of the aforementioned code.
  • the disadvantage is that the warning takes place at the same time as blocking the franking machine, without the user having a chance of correspondingly changing his behavior in a timely manner.
  • a franking machine where the current time data supplied by the clock / date module is compared with stored shutdown time data. If the stored shutdown time is reached by the current time, the franking machine is deactivated, that is, prevents printing.
  • the franking machine is transmitted an encrypted combination value and set a new deadline, whereby the franking machine is made operational again.
  • the amount of consumption sum which sums up the spent postage and is read by the data center is also part of the encrypted transmitted combination value. After the decryption of the combination value, the consumption sum amount is separated and compared with the consumption sum amount stored in the postage meter machine.
  • the aforesaid central station is provided with information related to a desired change in order to reduce the total amount of postage available in the aforesaid mailing device and with a unique identification as to the aforesaid mailing device.
  • a third step involves receiving from the central station and inputting a first unique code into the aforesaid mailing device, wherein the inputting is operated to reduce the total amount of postal values stored in the mailing device in accordance with the aforesaid request.
  • generating a second unique code in the mailer is provided when the first unique code has been entered into the mailer, the second unique code providing an indication such that the aforesaid postal value available for printing the mail , has been reduced in the aforementioned postal device. If, however, the transmission is disturbed or interrupted, no first code is received by the data center and the funds in the franking machine remain unchanged, while a reversal has already been made in the data center. Of course, for checking, the register statuses of the franking machine could be queried in order to compare them with those stored in the data center. It is to be feared that a potential manipulator would refrain from the latter. In US Pat. No.
  • the solution according to the invention is based on the knowledge that only data stored centrally in a data center can be adequately protected against manipulation.
  • a significant increase in security and synchronicity in the stored data is achieved by data reporting prior to each predetermined action on the postage meter. It also increases in more or less large intervals reporting, in particular for reloading a credit in connection with the above-mentioned logging the security against a possible manipulation.
  • the data to be stored centrally comprise at least the date, time, identification number of the franking machine (ID number or PIN) and the type of data (eg register values, parameters) when the postage meter machine is in communication with the data center.
  • ID number or PIN identification number
  • type of data eg register values, parameters
  • predetermined actuating means a defined procedure for page entry into the special mode for negative remote value default made and a predetermined timeout was observed during the negative remote value specification, and if necessary further steps for automatically performing the communication must be performed to complete the retransmission if the previous steps to execute a negative handoff preset have been interrupted or erroneous encrypted data has been transmitted to the postage meter.
  • a communication between franking machine and data center takes place at least with encrypted messages, the DES algorithm preferably being used.
  • the franking machine thus has at least two special modes.
  • a first mode is provided to prevent fraudulent actions or manipulation of the franking machine on franking with postage values (kill mode). This inhibition may be lifted on the occasion of the next on-site inspection by a person authorized to do so.
  • the postage meter machine has another mode to cause the postage meter to automatically communicate with the data center, if necessary, upon satisfaction of selected criteria.
  • Such a further mode is according to the invention the special mode negative remote value transmission or a second (Sleeping) mode. After completing the special mode only a limited number of zero-frankings is possible in order to check the franking machine.
  • an automatic communication with the data center is forcibly triggered, which is thus informed and receives relevant register data.
  • the franking machine is inhibited in the sleeping mode.
  • the postage meter switches to the aforementioned first mode to lock the postage meter for a postage with a postage value (kill mode).
  • a page entry previously made known to the authorized operator (service technician) by the data center is changed to the special mode negative remote value default.
  • the future valid operating procedure can be at least partially transmitted in connection with at least one transaction during a positive or negative Fernwertvorgabe.
  • An authorized operator of the franking machine preferably the service technician, performs a side entry into the special mode negative remote value preset a predetermined operator action, which is known only the data center, except the service technician.
  • a special flag is set, which is considered a special transaction request.
  • Time monitoring also takes place on the part of the data center when a transaction in the special mode negative remote value default is made.
  • the Register data of the franking machine can be checked centrally when a connection is again made to carry out a remote value specification, for example, to recharge a credit. Either the franking machine automatically resumes the connection to complete the transaction if the transaction is left unfinished, or the authorized service technician gives the data center a message about the current state of the postage meter until the end of the day, in order to cancel the data transferred in special mode negative remote value mode. Otherwise, the time monitoring by the data center after expiration of the predetermined time period results in recognition of the data transmitted in the special mode of negative remote value specification.
  • the security is increased by checking the operating sequence for compliance with a predetermined operating procedure in the franking machine and by checking the default request in the data center for compliance with a code stored there for a predetermined default request. It is possible to change the operating procedure in a time-dependent manner, wherein the same calculation algorithm is used in the data center and in the postage meter machine to determine a current operating procedure. A transfer of a valid operating procedure from the data center to the franking machine is thus superfluous.
  • security is increased by a combination of a number of measures.
  • a distinctive logon occurs at the data center.
  • the latter transmits a new security flag X and / or a predetermined operating procedure for a page entry into the special mode negative remote value default to the franking machine, when the franking machine is switched on normally and the communication link is received, wherein in a first transaction, a predetermined default request has been stored in the data center and in the postage meter. In the data center, it is checked whether the transmitted default request corresponds to a predetermined default request.
  • a new code word or security flag and / or operating sequence is transmitted to the franking machine and in a second transaction, the registered transaction is performed and according to the default request a default value in the corresponding memory of the franking machine and in order to check the transaction in one corresponding memory of the data center added.
  • the reloading of the franking machine - according to the corresponding default value - takes place with a negative credit, so that the result is a residual value balance of zero.
  • the solution according to the invention further assumes that the funds stored in the franking machine must be protected from unauthorized access.
  • the falsification of data stored in the postage meter data is so far complicated that the effort for a manipulator is no longer worthwhile.
  • OTP processors can contain all safety-relevant program parts inside the processor housing, as well as the code for forming the message authentication code (MAC).
  • MAC message authentication code
  • the latter is an encrypted checksum attached to information.
  • a crypto algorithm for example, Data Encryption Standard (DES) is suitable.
  • DES Data Encryption Standard
  • MAC information can be attached to the relevant security and special flags or to the register data, thus maximally increasing the difficulty of manipulating the aforementioned flags or postal registers.
  • the method of enhancing the security of a postage meter capable of communicating with a remote data center and having a microprocessor in a controller of the postage meter further comprises forming a checksum in the OTP processor over the contents of the external program memory and comparing the result with a postage meter in the OTP processor stored predetermined value before and / or after expiration of the franking mode or operating mode, in particular during initialization (ie, when the postage meter is started), or in times in which is not printed (ie when the postage meter in standby mode is operated). In the event of an error, logging and subsequent blocking of the franking machine takes place.
  • the period of time from the sending of a third encrypted message by the postage meter machine to the receipt of the fourth encrypted message sent by the data center to the postage meter machine in the postage meter machine, which triggers a zeroing of the credit value upon verification, is monitored. It is contemplated that a decremental counter or an incremental counter will be used to detect exceeding the time t1 in the special mode as a safe indication of an unsuccessful transmission and that a special subprogram will be called which will prepare a re-execution of the special mode negative remote value preset and automatically triggers, so that the first and second transactions are automatically repeated.
  • security is increased by additional input security means which is brought into contact with the postage meter to transfer a remaining balance from an authorized person back to the data center.
  • FIG. 1 shows a block diagram of the franking machine according to the invention with a printer module 1 for a fully electronically generated franking image, with at least one plurality of actuating elements having input means 2, a display unit 3, and a communicating with a data center producing MODEM 23, which via an input / output Control module 4 are coupled to a control device 6 and a non-volatile memory 5 and 11 for the variable or the constant parts of the franking image.
  • a character memory 9 supplies the necessary pressure data for a volatile random access memory 7.
  • the control device 6 has a microprocessor ⁇ P connected to the input / output control module 4, to the character memory 9, to the volatile random access memory 7 and to the nonvolatile working memory 5, with a cost center memory 10, with a program memory 11, with the motor of a transport or feed device optionally with strip trigger 12, an encoder (encoder disk) 13 and with a clock / date module 8 communicates.
  • the individual memory can be realized in several physically separate or not shown combined in a few modules, which are secured against removal by at least one additional measure, such as sticking on the circuit board, sealing or casting with epoxy resin.
  • FIG. 2 shows a flowchart for a franking machine with a security system according to a preferred variant of the solution according to the invention.
  • a functional test with subsequent initialization is then carried out within a start routine 101.
  • This step also includes a plurality of sub-steps 102 to 105 for storing a security flag or codeword-shown in greater detail in FIG.
  • a new security flag X ' exists in another predetermined memory location E of the non-volatile memory 5 according to step 102, this new security flag X' is copied to the memory location of the old security flag X, if there is none valid security flag X more stored.
  • the latter equally concerns the case of authorized and unauthorized intervention, because with each intervention the old security flag X is deleted. Likewise, in another unauthorized action the security flag X can be deleted (kill mode). If there is no more valid security flag X stored, no postage value can be printed in franking mode 400. In case of non-intervention, no new code word has been transmitted. In this case, it does not copy and after step 104, the old security flag X remains in Memory received. Finally, the system routine 200 is reached with point s.
  • the system routine 200 includes several steps 201 to 220 of the security system.
  • step 201 the call of current data takes place, which is carried out below in connection with the invention for a second mode, namely for the sleeping mode.
  • step 202 it is checked in step 202 whether the criteria for entering the sleeping mode are met. If this is the case, a branch is made to step 203 in order to display at least one warning by means of the display unit 3. After the o.g. In any case, steps t will be reached.
  • the aforementioned security flag X is deleted.
  • the security flag X can also be a MAC-secured security flag, as well as an encrypted code.
  • the checking for validity of the security flag X is carried out, for example, in step 409 of a franking mode 400 by means of a selected checksum method within an ONE TIME PROGRAMMABLE (OTP) processor which internally contains the corresponding program parts and also the code for forming a MAC (MESSAGE AUTHENTIFICATION CODE ), which is why the manipulator can not understand the nature of the checksum method.
  • OTP ONE TIME PROGRAMMABLE
  • Other security-related key data and processes are stored exclusively inside the OTP processor, for example to supplement key data with the transferred from the data center to the postage meter new key so that with the key information so supplemented an encryption of messages can be made, which transmits to the data center become.
  • the same security-relevant ones allow Key data or procedures to provide a hedge on the post office.
  • Another security variant which does not require an OTP processor, is to make it more difficult to find the keys by coding them and storing them in different memory areas.
  • MACs are appended to each piece of information in the security-relevant registers.
  • a manipulation of the register data can be detected by control over the MAC. This routine is performed in step 406 in the franking mode, which is shown in FIG. Thus, the difficulty of manipulating the postal registers can be maximized.
  • step 217 Upon a check in step 217, where a relevant defect has been detected and the security flag X cleared in step 209, the point e, i. reached the beginning of a communication mode 300 and in a - shown in Figures 2 and 3a - step 301 queried whether a transaction request exists. If this is not the case, the communication mode 300 is exited and the point f, i. the operating mode reaches 290. If relevant data has been transmitted in communication mode, branch to step 213 for data evaluation. Or else, if non-transmission is determined in step 211, step 212 is to be branched. It is then checked whether appropriate inputs have been made to enter test mode 216 at test request 212, otherwise to enter display mode 215 at intended register level check 214. If this is not the case, the point d, i. the franking mode 400 is reached.
  • step 213 for statistics and error evaluation is achieved.
  • the display mode 215 is reached and then branched back to the system routine.
  • the blocking can thus be advantageously carried out by the branching on the franking mode 400 is no longer executed.
  • step 213 a statistical and error evaluation is carried out in order to obtain further actual data which can also be called after branching to the system routine 200 in step 201, for example for an aforementioned second mode or another special mode.
  • a plurality of further queries may be after fulfillment of further criteria for further modes.
  • Further details regarding a query for a first mode which serves to prevent the printing or to lock the postage meter, can be found in the German application P 43 44 476.8, methods for improving the safety of franking machines.
  • a written possibly telephone notification in the data center for authorized opening has been proposed, which notifies the opening date and time for the approximate beginning of opening.
  • communication with the data center must be received via MODEM to request the opening authority and to load a new future code Y 'which can replace the old one.
  • the presence of the security flag X is not interrogated between the points s and t but only in step 409 in the franking mode. This allows the service technician by loading the new security flag X 'yet after deletion of the aforementioned flag then the restore full functionality of the franking machine. This now also makes it possible, for example, to carry out a check as to whether an unauthorized action actually leads to the deletion of the security flag or codeword, or whether the deletion by manipulation has been prevented.
  • step 217 shown in FIG. 2 it is recognized in step 217 shown in FIG. 2 that no prohibited page entry has been made.
  • a permitted page entry which was carried out for another input, has not been shown in detail in FIG.
  • a query criterion is also provided to detect, for example, in step 212 whether an operator action has been taken to enter a test mode.
  • the system routine 200 is branched to the point e. Otherwise, at the correct page entry, a branch is made to step 220 to set a special mode entry flag.
  • a further query step 219 may be provided before step 220 in order to further increase the security against unauthorized calling of the special mode with a further criterion, in which case the system routine 200 is branched to the point e if the criterion is not met.
  • the interrogation step 219 shown in Figure 2 may query such another criterion as to whether the identification number (ID number or PIN) has been input. By the side entrance the security is already sufficiently high, so that in the interest of a simpler handling on such additional further Kriterinabw can be waived also.
  • the special mode flag N set in step 220 is also a MAC-secured flag N.
  • the security is additionally increased by a check in the data center, whether a predetermined default request has been transmitted by the franking machine. It is envisaged that the transmitted default request in the data center is interpreted as a code to perform a very specific transaction.
  • the submitted default request can be coded in the data center as a code to allow fund redemption. Otherwise, the transmitted default request in the data center can be interpreted as a code to allow transmission for a security flag X or for an X codeword.
  • FIGS. 3 a and 3 b show a representation of the safety sequences of the franking machine in communication mode on the one hand and the safety sequences of the data center in communication mode on the other hand.
  • FIGS. 2 and 3a 301 queried whether a transaction request exists. Such can, for example, to the credit balance, telephone number change, etc. are provided.
  • the user selects the communication or remote value default mode of the postage meter machine by entering the identification number (eight-digit postage code number). It is now assumed, for example, that the funds return transfer should take place at the level of the residual value remaining in the franking machine. In this case, first a register query of the Descendingregisters R1, which contains the residual stored. After switching off the franking machine, a page entry into the special mode is made when switching on again. After entering the identification number, the entry is confirmed with the teleset key and the default request is entered in the amount of the previously requested residual value. By entering the page, the default request is automatically evaluated as the default value to be subtracted. The default request is confirmed by pressing the Teleset button (T button).
  • T button Teleset button
  • the residual value is also requested by the data center in every communication, a comparison can be made in the data center of both, i. of residual value and default request. Otherwise, in the special mode, the above-mentioned inputs for a preferred variant can also be automatically executed by the franking machine in order to simplify the operation.
  • a communication should take place in order to load a new security flag X 'which can replace the old security flag X. If only such a transaction request is made, the default amount must be changed, because in this case, the credit in the postage meter, of course, must not be increased. On the other hand, another value other than zero can be agreed, in particular a Value that corresponds to only a minimum amount by which the descending register value would need to be increased.
  • FIG. 3 a shows that part of the communication of a transaction which is carried out with unencrypted messages. Nevertheless, these messages may contain data which are MAC-secured, for example the identification number of the franking machine.
  • step 302 input of the identification number (ID No.) and the intended input parameters may be made in the following manner.
  • ID no. it may be the serial number of the postage meter, a PIN or PAN (postage code number), which is acknowledged by actuation by means of a predetermined T key of the input means 2.
  • PIN or PAN postage code number
  • the input parameter (default value) used in the last remote value specification (recharge) appears, which is now overwritten or retained by the input of the desired input parameter.
  • the input parameter is a combination of numbers, which is understood in the data center as a request, for example, to transmit a new security flag or code word X ', if an intervention authority has previously been obtained. If the aforementioned input parameter is entered incorrectly, the display can be cleared by pressing a C key.
  • a change is entered to load a zero credit on a transaction, but no intervention authority is previously obtained.
  • the input parameter serves only as a new default value.
  • neither the credit for frankings is increased in value, if the input parameter has the value zero, nor loaded a new security flag.
  • the data center is informed that a new security flag X 'is to be transmitted to the franking machine, if subsequently within a predetermined period of time by the postage meter a transaction for the value zero is started.
  • the request for intervention is only deemed to be made if, after the registration of an authorized intervention, the franking machine enters the communication mode agreed in this way.
  • the desired input parameter is displayed correctly, this is confirmed by re-pressing the predetermined T-key of the input means 2.
  • the display unit 3 then appears a representation according to an input parameter change or according to the non-change (old default value).
  • the change of the input parameter via MODEM connection is started.
  • the input is checked (step 303) and the rest of the process is performed automatically, the process being accompanied by a corresponding indication.
  • the franking machine checks whether a MODEM is connected and ready for operation. If this is not the case, a branch is made to step 310 in order to indicate that the transaction request must be repeated. Otherwise, the postage meter reads the dialing parameters consisting of the outdialing parameters (main / extension, etc.) and the telephone number from the NVRAM memory area F and sends them to the modem 23 with a dial request command MODEM 23 with the data center in a step 304.
  • step 501 it is constantly checked whether a call has been made in the data center. If this is the case, and the MODEM 23 has dialed the opposite side, the connection is also established in the data center in step 502. And in step 503 is constantly monitored whether the connection to the data center has been solved. If this is the case, after an error message in step 513, a branch back to step 501.
  • the franking machine monitors in step 305 whether communication errors have occurred and if necessary branches back to step 304 in order to reestablish the connection from the postage meter machine. After a predetermined number n inconclusive redial attempts to establish a connection is branched back to the point e via a display step 310. If there was no detectable error in step 305, it is determined in step 306 by the postage meter machine that the connection is established and a transaction is yet to take place, is branched to step 307 to an opening message or to identification, Vorspann- or To send register data. In subsequent step 308, the same check as performed in step 305, i.
  • step 304 if a communication error has occurred, a branch is made back to step 304. Otherwise, an opening message was sent from the postage meter machine to the data center. In it is u.a. the postage number for the notice of the caller, i. the postage meter, at the data center included.
  • step 504 This opening message is checked for plausibility in the data center in step 504 and further evaluated by subsequently checking again in step 505 whether the data has been transmitted without errors. If this is not the case, a branch back to the error message to step 513. If, on the other hand, the data is error-free and in the data center is recognized that the postage meter has made a recharge search, so in step 506 a reply message to the postage meter is sent as a header. In step 507, it is checked whether the preamble message including preamble end has been sent in step 506. Is not that If so, then branch back to step 513.
  • step 309 it is checked in step 309 whether a header has now been sent or received as a reply message by the data center. If this is not the case, the program branches back to step 310 and then a transaction request is queried again in step 301. If a header has been received and the postage meter machine has received an OK message, a check of the preamble parameters with respect to a telephone number change takes place in step 311. If an encrypted parameter has been transmitted, there is no telephone number change and a branch is made to step 313 in FIG. 3b.
  • FIG. 3b shows the safety sequences of the franking machine in communication mode and, in parallel, those in the data center.
  • step 313 a start message is sent in encrypted form from the postage meter machine to the data center.
  • step 314 the message is checked for communication errors. If there is a communication error, the program branches back to step 304 and another attempt is made to establish the connection to the data center in order to send the start message in encrypted form.
  • this encrypted start message is received if in step 506 the preamble message has been completely sent and in step 507 the preamble end has been transmitted.
  • step 508 it is checked in the data center whether it has received the start message and the data in Order are. If this is not the case, it is checked in step 509 whether the error can be corrected. If the error can not be corrected, branching is made to step 513 after an error message has been transmitted from the data center DZ to the franking machine FM in step 511. Otherwise, an error handling is performed in step 510 and branched to step 507. If the reception of proper data is detected in step 508, the data center begins to perform a transaction in step 511. In the aforementioned example, at least the identification number is transmitted by means of an encrypted message to the franking machine, which receives the transaction data in step 315.
  • step 316 the data is checked. If there is an error, branch back to step 310. Otherwise, in the data center, a storage of the same aforementioned data takes place in step 512, as in the postage meter machine. In step 318, therefore, the transaction with the data storage is completed in the franking machine. Subsequently, a branch is made back to step 305. If no further transaction takes place, step 310 and then step 301 are reached for display.
  • step 211 If now no transaction request is made, it is checked in step 211 according to Figure 2, whether data has been transmitted. If data has been transmitted, step 213 is reached. According to the input request, the franking machine places the current default request or the new code word Y 'or other transaction data, for example, in the memory area E of the nonvolatile memory 5.
  • Step 304 If, however, a different number combination than zero is entered as the input parameter in step 302 and the input was correct (step 303), a connection is established (Step 304). And if a connection is established without error (step 305) (step 306), an identification and preamble message is sent to the data center.
  • the postage request number PAN for identifying the postage meter machine at the data center is also included.
  • the data center recognizes from the entered combination of numbers, if the data is error-free (step 505), that for example a credit with a default value is to be increased in the franking machine.
  • step 506 a reply message is then sent, unencrypted, from the data center with the elements of change of telephone number and current telephone number.
  • the postage meter machine receiving this message recognizes in step 311 that the telephone number is to be changed.
  • step 312 is branched to store the current telephone number. Subsequently, branching back to the step 304. If the connection is still established and there is no communication error (305), then in step 306 it is checked whether another transaction should take place. If this is not the case, a branch is made via step 310 to step 301.
  • the transmission of the telephone number can also be MAC-secured.
  • the franking machine After the current telephone number has been stored, the franking machine automatically establishes a new connection to the data center with the aid of the new telephone number.
  • the actual, user-intended transaction, remote value specification of the new security flag X 'or transmission of a suitable encrypted message for verification to recharge the residual value credit according to a default request is thus automatically, ie without further intervention by the user of the franking machine performed.
  • a message appears in the display saying that the connection is automatically rebuilt due to the change in the telephone number.
  • the franking machine is controlled in the communication mode 300.
  • the authorized person can also inform the data center of the completed check afterwards.
  • Communication may include phone number storage, as well as a credit recharge. Without interrupting the communication so several transactions can be performed.
  • a successful transaction proceeds as follows: The franking machine sends its ID number and a default value for the amount of the desired Nachladegutschis possibly together with a MAC to the data center. The latter checks such a transmitted message against the MAC in order then to send an likewise MAC-secured OK message to the franking machine. The OK message no longer contains the default value.
  • step 503 If it is determined in the data center that the connection to the franking machine has been released (step 503), or if erroneous data (505) or unrecoverable errors (509) are present or no end of bias has been sent (507), the communication is terminated. After an error message, the communication connection is released, the stored data is stored and evaluated by the data center in step 513.
  • At least one encrypted message is transmitted to the data center as well as to the franking machine.
  • the default request is included only in the encrypted message of the first transaction.
  • Each submitted message containing security-related transaction data is encrypted.
  • encryption algorithm for the encrypted messages for example, the DES algorithm is provided.
  • a transaction request leads to a specially secured credit recharge in the franking machine.
  • the post registers outside the processor in the cost center memory 10 are also secured during the credit recharge by means of a time control. For example, if the postage meter is being observed with an emulator / debugger, then the communication and billing routines are unlikely to expire within a predetermined time. If this is the case, ie the routines take considerably longer, a part of the DES key is changed. The data center may detect this modified key during a register polled communication routine and then report the postage meter as suspect as soon as Step 313, a start message is sent encrypted.
  • step 509 it is determined in step 509 that the error is not recoverable.
  • the data center can then not perform a transaction (step 511) because it has branched back to step 513. Since no data was received in the meter at step 315, the transaction was not done correctly (step 316). Then, it is then branched back via step 310 to step 301 in order to recheck after an indication whether a transaction request is still made.
  • the communication mode 300 is exited and the point f, i. the operating mode reaches 290.
  • the point f i. the operating mode reaches 290.
  • no data could be transmitted (step 211).
  • the security presupposes in case of an authorized intervention, the reliability of the authorized person (service, inspector) and the possibility to check their presence.
  • the control of the seal and the control of the registers in an inspection of the franking machine and independent of the data in the data center then provides the verification security.
  • the control of the postage stamped postage including a security imprint provides an additional verification security.
  • the postage meter performs the register check regularly and / or at power up and thus can detect the missing information if in the machine unauthorized intervention or if it had been operated unauthorized.
  • the franking machine is then blocked. Without the invention in conjunction with a security flag X, the manipulator would easily overcome the blockage. However, the security flag X is lost and it would cost the manipulator too much time and effort to determine the valid MAC-secured security flag X or codeword by experiments. In the meantime, the franking machine would have long since been registered as suspect in the data center.
  • a suitable processor type is, for example, the TMS 370 C010 from Texas Instruments, which has a 256 bytes E 2 PROM.
  • security-relevant data keys, flags, etc.
  • the postage meter machine is moved by transferring into the first mode is effectively prevented from franking with a postage value.
  • the potential manipulator of a franking machine must overcome several thresholds, which of course takes a certain amount of time. If there is no connection from the franking machine to the data center at certain intervals, the franking machine is already suspect. It is assumed that the one who commits a manipulation of the franking machine, will hardly report back to the data center.
  • the seal of the franking machine is checked for integrity and then the register statuses. If necessary, a test print with the value 0 can be made. In the event of a repair by the on-site service, it may be necessary to intervene in the franking machine.
  • the error registers can be read, for example, with the aid of a special service EPROM, which is plugged into place of the advert EPROM. When this EPROM slot is not accessed by the processor, access to the data lines is usually prevented by special driver circuitry (not shown in FIG. 1). The data lines, which can be reached here by a sealed housing door, thus can not be contacted without authorization.
  • Another variant is the reading out of error register data by a service computer connected via an interface.
  • the registers of the franking machine are queried to determine the type of intervention required. Before intervening in the franking machine and the housing is opened, there is a separate call to the data center. If then within a predetermined period of time, the default value is changed to zero and the data center in the context of a transaction transmitted, ie the type of intervention and the register data has been communicated to the data center, there is a transfer of data from a data center to the postage meter according to a requested authorized intervention in the postage meter, which is logged as a permitted intervention.
  • the franking machine is able to distinguish between requested authorized and unauthorized intervention in the franking machine by means of the control unit of the franking machine in conjunction with the data transmitted from the data center, wherein in unauthorized intervention in the postage meter this action is logged as an error case, but after authorized intervention the original operating state is restored to the franking machine by means of the aforementioned transmitted data.
  • the explanation of the processes according to the franking mode shown in FIG. 4 takes place in conjunction with the flowchart shown in FIG. It is also in times in which is not printed (standby mode) provided that a query is made regarding manipulation attempts and / or the checksum of the register states and / or on the contents of the program memory PSP 11 is formed.
  • the aforesaid check sum is MAC-backed by the franking machine manufacturer in the non-volatile memory 5 (Memory area E of the NV-RAM).
  • the checksum is again determined and formed using a stored key remained unchanged a MAC.
  • the aforementioned key is a tamper-proof (non-readable) subkey.
  • the old MAC-secured is loaded from the NV-RAM 5 and compared with the newly determined MAC-secured checksum in the OTP.
  • the checksum is formed in the processor via the content of the external program memory PSP 11 and the result is compared with a predetermined value stored in the processor. This is preferably done in step 101 when the postage meter machine is started or in step 213 when the postage meter machine is operating in standby mode.
  • the standby mode is reached when no input or print request is made for a predetermined time. The latter is the case when a ansich known - not shown - letter sensor determines no next envelope, which should be franked.
  • the step 405 in the franking mode 400, shown in FIG. 4, therefore includes yet another interrogation after a time lapse or after the number of passes through the program loop, which ultimately leads back to the input routine according to step 401. If the query criterion is met, a standby flag is set in step 408 and branched back directly to the point s to the system routine 200, without the billing and printing routine in step 406 is traversed. The standby flag is retrieved later in step 211 and reset after the checksum check in step 213, if no tampering attempt is detected.
  • the query criterion in step 211 is extended by the question whether the standby flag is set, ie whether the standby mode is reached. In this case, a branch is also made to step 213.
  • a preferred variant is to delete the security flag X in the manner already described if a manipulation attempt has been detected in the standby mode in the aforementioned manner in step 213.
  • the specially saved special flag N can also be checked in step 213, in particular if it is MAC-secured, by comparing the flag content with the MAC content.
  • the absence of the safety flag X is recognized in the query step 409 and then branched to the step 213.
  • the advantage of this method in conjunction with the first mode is that the manipulation attempt is statistically detected in step 213.
  • FIG. 4 shows the flow chart for the franking mode according to a preferred variant.
  • the invention is based on the fact that, after switching on, the postage value in the value impression corresponding to the last input before switching off the franking machine and the date in the day stamp are preset according to the current date, that for the impression the variable data is stored in the fixed data for the frame and be electronically embedded for any related data that remains unchanged.
  • the number strings (sTrings), which are input for generating the input data with a keyboard 2 or via an electronic balance 22 which calculates the postage value and is connected to the input / output device 4, are automatically stored in the memory area D of the non-volatile main memory 5.
  • data sets of the sub-memory areas, for example Bj, C, etc. are also retained. This ensures that the last input variables are retained even when the franking machine is switched off, so that after switching on, the postage value in the value impression automatically corresponds the last entry before turning off the franking machine and the date in the day stamp is given according to the current date.
  • the postage value is taken from the storage area D. In step 404, it waits until one is currently stored.
  • step 404 branching back to step 401 is again effected. Otherwise, a branch is made to step 405 to await the print output request.
  • step 405 By a letter sensor, the letter to be franked is detected and thus triggered a print request.
  • the billing and printing routine may be branched in step 406. If there is no print output request (step 405), it branches back to step 301 (point e).
  • a communication request can be made at any time or another input can be made according to the steps test request 212, register check 214, input routine 401.
  • Another query criterion may be queried in step 405 to set a standby flag in step 408 if there is no print output request after a predetermined time.
  • the standby flag can be interrogated in step 211 following the communication mode 300. This does not branch to the franking mode 400 until the checksum check has given the fullness of all or at least selected programs.
  • step 405 If a print output request is detected in step 405, further queries are made in subsequent steps 409 and 410 as well as in step 406 made. For example, in step 409, the presence of a valid security flag X or a corresponding MAC-secured flag X, the reaching of a further piece number criterion and / or in step 406 the registered in a known manner for billing register data queried. If the number of items predetermined for franking has been used up in the preceding franking, ie number of items equal to zero, the system automatically branches to the point e in order to enter the communication mode 300, so that a new predetermined number S is again credited by the data center. However, if the predetermined number of items has not yet been consumed, the process branches from step 410 to the billing and printing routine in step 406.
  • the number of printed letters, and the current values in the postal registers are registered according to the entered cost center in the non-volatile memory 10 of the franking machine in a billing routine 406 and are available for later evaluation.
  • a special Sleeping Mode counter is caused to count on a count step during the billing routine immediately before printing.
  • the register values can be queried in display mode 215. It is also provided to print the register values with the printhead of the postage meter machine for billing purposes. This can be done, for example, as already explained in more detail in German Patent Application P 42 24 955 A1.
  • variable pixel image data are also embedded in the remaining pixel image data during printing.
  • the pixel memory area in the pixel memory 7c is thus provided for the selected decompressed data of the fixed parts of the franking image and for the selected decompressed data of the variable parts of the franking image.
  • the actual print routine is performed (at step 406).
  • the main memory 7b and the pixel memory 7c communicate with the printer module 1 via a printer controller 14 having a print register (DR) 15 and an output logic.
  • the pixel memory 7c is connected on the output side to a first input of the printer controller 14, at the other control inputs output signals of the microprocessor control device 6 abut. If all columns of a printed image have been printed, the system routine 200 branches back again.
  • the first transaction of communication with the data center DZ involves the communication of a predetermined default request.
  • a NULL default request is suitable. Such, during a second transaction, results in a NULL default value that can be added to the Descending Register value without changing the value of the remaining credit.
  • step 218 the system routine 200 shown in FIG. 2 is queried as to whether the user has made a correct page entry. If this is not the case, the system routine 200 is branched to the point e. A message will appear on the display informing you if the PIN is entered and the Teleset key (T key) is pressed. In addition, the previous default value is displayed, which can be overwritten by the new default request NULL. After the zero entry, the T key is pressed again. Now there is a transaction request and the communication can be done.
  • T key Teleset key
  • the first step during a first transaction includes after entering the communication mode (positive remote value default or Teleset mode) one Sub-step 301 for checking for a submitted transaction request and further sub-steps 302 to 308 for entering the identification and other data to establish the communication connection and for communicating with unencrypted data to transmit at least identification and transaction type data to the data center.
  • the communication mode positive remote value default or Teleset mode
  • a first step of the first transaction includes sub-steps 301-308 of the meter to establish the connection, communicate with unencrypted data, and transmit at least identification, transaction type, and other data to the data center.
  • the transaction type data (1 byte), the message to the data center DZ subsequent to the teleset mode for a desired positive Fernwertvorgabe with the identified postage meter to perform.
  • a second step of the first transaction comprises sub-steps 501 to 506 in the data center, to receive the data and to check the identification of the franking machine and to transmit an unencrypted o.K. Message to postage meter.
  • the second step of the first transaction also includes sub-steps to branch to a quiescent state point q in sub-step 501 in the data center in case of erroneous unencrypted messages 505 via an error message sub-step 513 until the communication by a postage meter machine is resumed.
  • a third step of the first transaction comprises sub-steps 309 to 314 of the franking machine, for forming a first encrypted message Crypto cv by means of a first key Kn stored in the postage meter and for transmitting encrypted data to the data center, comprising at least the default, identification and postregister data.
  • this encrypted message also includes data in the form of CRC (Cyclic Redundancy Check) data.
  • CRC Cyclic Redundancy Check
  • the default request, the identification, postal register and other data, such as a checksum (CRC data) are transmitted in a message encrypted with the DES algorithm.
  • a fourth step of the first transaction which includes sub-steps 507 through 511 in the data center, is for receiving and decrypting the first encrypted message.
  • a test for decryptability is performed by means of a key stored in the data center. If successful, a calculation is made in the data center to form a second key Kn + 1 corresponding to the key used by the postage meter. Subsequently, a second encrypted message crypto Cv + 1 is formed which contains at least the aforementioned second key Kn + 1, the identification and the transaction data, wherein the encryption is again used the DES algorithm. Finally, a transfer of the second encrypted message crypto Cv + 1 to the franking machine is provided.
  • sub-steps are used to branch to a hibernation state 501 in the data center upon detection of irrecoverably erroneous encrypted messages in sub-step 509 via a sub-step 513 until the communication is resumed by a postage meter machine.
  • Substeps are also provided to correct erroneous encrypted messages found in sub-step 509 but with recoverable errors, to a sub-step 510 for canceling the previous transaction, and then to sub-step 511 in FIG Branch data center.
  • This sub-step is for forming a second key Kn + 1 to be transmitted encrypted to the postage meter, for forming a second encrypted message crypto Cv + 1, and for transmitting the encrypted message to the postage meter.
  • the fourth step of the first transaction includes a sub-step 512 of the data center for storing the default request, from which the first sub-step 701 of the second step of the second transaction is branched to the first key Kn as the predecessor key and the second key Kn + 1 as Successor key to save.
  • a fifth step of the first transaction is for receiving and decrypting the second encrypted message, extracting at least the identification data and the transmitted second key Kn + 1 Cv + 1 , and verifying the received encrypted ones Message based on the extracted identification data. Upon verification, the transmitted second key Kn + 1 Cv + 1 and the default request are stored in the postage meter machine. Otherwise, if not verified, the first step of the first transaction is branched back.
  • a second transaction which is preferably triggered by an additional manual input in step 602.
  • the second transaction is triggered or the second transaction is left in communication mode when the input time is exceeded.
  • the T key must be pressed within 30 seconds, or the input time is exceeded, and it branches back to the first step of the first transaction.
  • the Communication can now be omitted or repeated as needed.
  • a first step of the second transaction comprises sub-steps 602-608 of the franking machine for communicating with unencrypted data to establish the connection and to transmit at least identification and transaction type data to the data center.
  • a second step of the second transaction comprising sub-steps 701-706 of the data center, is to receive the data and to check the identification of the postage meter and to transmit an unencrypted o.K. Message intended for franking machine. It is further contemplated that the second step of the second transaction comprises sub-steps to branch to a hibernation state 501 in the data center in the case of erroneous unencrypted messages 705 via a sub-step 513 for the error message, until the communication by a postage meter machine is resumed.
  • a third step of the second transaction comprises sub-steps 609-614 of the postage meter to form a third encrypted message crypto cv + 2 using the aforementioned second key Kn + 1 stored in the postage meter and transmitting the third encrypted message crypto cv + 2 to the data center at least identification and post-register data, but without data for a default value.
  • a fourth step of the second transaction which includes sub-steps 707 through 711 of the data center for receiving and decrypting the third encrypted message crypto Cv + 2, performs its decryptability check by means of a key stored in the data center. Then there is a Forming a third key Kn + 2 to be transmitted encrypted to the postage meter, forming a fourth encrypted message crypto Cv + 3 containing at least the aforementioned third key Kn + 2, the identification and the transaction data and transmitting the fourth encrypted message Message crypto Cv + 3 to the postage meter.
  • the fourth step of the second transaction includes sub-steps to branch to an idle state 501 in the data center for a non-recoverable encrypted message (sub-step 709) via an error message sub-step 513 until communication from a postage meter machine is resumed.
  • a branch is made to step 710 to cancel the previous transaction.
  • a third key Kn + 2 is formed, which is to be transmitted encrypted to the postage meter machine.
  • DES algorithm is used. Subsequently, the encrypted message is transmitted to the franking machine.
  • the fourth step of the second transaction to store the default value comprises a sub-step 712 of the data center branching to the first sub-step 501 of the second step of the first transaction to obtain the second key Kn + 1 as the predecessor keys Kn-1 and store the third key Kn + 2 as successor key Kn for further first and second transactions.
  • a fifth step of the second transaction comprising sub-steps 615-618 of the postage meter is used for receiving and decrypting the fourth encrypted message, for extracting at least the identification data and the transmitted third key Kn + 2 Cv + 3 and the transaction data, as well as for verifying the received encrypted message from the extracted identification data.
  • the transmitted second key Kn + 2 Cv + 3 and the default value in the meter are added in accordance with the descending register value R1 and the resulting balance stored or otherwise, if not verified, is branched back to the first step of the first transaction.
  • a negative distance value specification in the special mode differs above all by special tamper-proof flags and a time monitoring.
  • Such tamper-resistant flags are, in particular, a MAC-secured security flag X and a MAC-secured special flag N.
  • the transaction is with two transactions for reloading with a negative credit value, i. a negative fair value default for fund reverse transfer to the data center is shown.
  • a negative distance value specification comprises at least two transactions.
  • the first transaction of communication with the data center DZ involves the communication of a predetermined default request, preferably a NULL default request, to the consistency of the Register states between the data center DZ and the franking machine FM produce.
  • a predetermined default request preferably a NULL default request
  • the first step during a first transaction includes after a defined page entry into the special mode negative Fernwertvorgabe compared to a normal entry into the communication mode (Teleset mode) after the start of the meter a sub-step 301 for checking for a given transaction request and further sub-steps 302 to 308 to Inputting the identification and other data to establish the communication link and for communicating with an unencrypted message to transmit at least identification and transaction type data to the data center.
  • a protection of individual data in the message can be achieved again by a MAC or CRC data in the aforementioned manner.
  • the defined page entry is achieved by pressing a secret predetermined key combination while turning on the postage meter.
  • the control unit of the franking machine in conjunction with the data previously transmitted by the data center, and an input procedure between authorized action (service technician) and unauthorized action (intent to manipulate) may differ.
  • a special flag N is set in step 220, because if the franking machine FM is switched off, the continuation of the transactions must be ensured after the franking machine has been switched on again.
  • the special flag N is also stored non-volatile MAC-secured.
  • a tamper-resistant flag N is set in step 220 if a specific criterion is met, the specific criterion for the special mode negative handoff being at least the use of the predetermined shortcut to enter the special mode during turn on Postage meter machine covers.
  • the communication with the data center comprises at least two transactions which are repeatedly executed in the event of an error, the communication being automatically resumed after interruption and / or as long as the aforementioned special flag N is set for the special mode, by which an automatic Transaction request is made to complete the return of the balance.
  • a first step of the first transaction sub-steps 301 to 308 of the franking machine To establish the connection, to communicate with unencrypted data and to transmit at least identification, transaction type and other data to the data center.
  • the transaction type data (1 byte), the message to the data center DZ below the special mode of a desired negative Fernwertvorgabe with the identified postage meter to perform.
  • a second step of the first transaction comprises sub-steps 501 to 506 in the data center, for receiving the data and for checking the identification of the franking machine and for transmitting an unencrypted or no-message to the franking machine.
  • the second step of the first transaction also includes sub-steps to branch to a quiescent state 501 in the data center in case of erroneous unencrypted messages 505 via a sub-step 513 for the error message until the communication by a postage meter machine is resumed.
  • a third step of the first transaction comprises sub-steps 309 to 314 of the franking machine, for forming a first encrypted message Crypto cv by means of a first key Kn stored in the franking machine and for transmitting encrypted data to the data center, comprising at least the default request, identification and postal register Dates.
  • this encrypted message in the form of CRC data (cyclic redundancy check data) comprises the message to the data center DZ subsequently to carry out the special mode of a desired negative distance value specification.
  • the two-byte Cyclic Redundancyy Check is a checksum that identifies a manipulation of each of the checksumed data.
  • This checksum can be individual data or the components of all messages (Transaction type) on the part of the franking machine.
  • the default request, identification, postal register and CRC data are transmitted in a message encrypted with the DES algorithm. Thus, it is not necessary to transfer data in the first step MAC-secured or encrypted to the data center.
  • a fourth step of the first transaction which includes sub-steps 507 to 511 in the data center, is to receive and decrypt the first encrypted message or its decryptifiability check by means of a key stored in the data center, to form a second key Kn + 1 the key used by the postage meter, for forming a second encrypted message crypto Cv + 1, which contains at least the aforementioned second key Kn + 1, the identification and the transaction data and for transmitting the second encrypted message crypto Cv + 1 to the postage meter.
  • the fourth step of the first transaction also includes sub-steps to branch to an idle state 501 in the data center in the event of irrecoverably erroneous encrypted messages 509 via a sub-step 513 for the error message, until the communication by a postage meter machine is resumed.
  • Sub-steps are further provided for branching to faulty encrypted messages 509 with recoverable errors, to a step 510 for canceling the previous transaction, and then to sub-step 511 in the data center.
  • This sub-step is used to form a second or third key Kn + 1, which is to be transmitted encrypted to the franking machine, to form a second encrypted message crypto Cv + 1 and to transmit the encrypted message to postage meter.
  • the fourth step of the first transaction includes a sub-step 512 of the data center for storing the default request from which the first sub-step 701 of the second step of the second transaction is branched to the first key Kn as a predecessor key and the second key Kn + 1 as a successor key save.
  • a fifth step of the first transaction is for receiving and decrypting the second encrypted message, extracting at least the identification data and the transmitted second key Kn + 1 CV + 1 , and verifying the received encrypted ones Message based on the extracted identification data. Upon verification, the transmitted second key Kn + 1 CV + 1 and the default request are stored in the postage meter machine. Otherwise, if not verified, the first step of the first transaction is branched back.
  • a second transaction takes place.
  • a first step of the second transaction comprises sub-steps 602-608 of the franking machine for communicating with unencrypted data to establish the connection and to transmit at least identification and transaction type data to the data center.
  • a second step of the second transaction which comprises sub-steps 701 to 706 of the data center, is provided for receiving the data and for checking the identification of the franking machine and for transmitting an unencrypted OK message to the franking machine. It is further contemplated that the second step of the second transaction includes sub-steps to in the case of erroneous unencrypted messages 705, branching to a quiescent state 501 in the data center via a sub-step 513 for the error message until the communication by a postage meter machine is resumed.
  • a third step of the second transaction comprises sub-steps 609-614 of the postage meter to form a third encrypted message crypto cv + 2 using the aforementioned second key Kn + 1 stored in the postage meter and transmitting the third encrypted message crypto cv + 2 to the data center at least identification and post-register data, but without data for a default value.
  • a fourth step of the second transaction which includes sub-steps 707 through 711 of the data center for receiving and decrypting the third encrypted message crypto Cv + 2, performs its decryptability check by means of a key stored in the data center. Then, forming a third key Kn + 2 to be transmitted encrypted to the postage meter, forming a fourth encrypted message crypto Cv + 3 containing at least the aforementioned third key Kn + 2, the identification and the transaction data, and transmitting the fourth encrypted message crypto Cv + 3 to the postage meter.
  • the fourth step of the second transaction includes sub-steps to branch to an idle state 501 in the data center in the event of irrecoverably erroneous encrypted messages 709 via a sub-step 513 for the error message, until the communication by a postage meter machine is resumed. If erroneous encrypted messages with recoverable errors are found in step 709 branched to a step 710 to cancel the previous transaction. Thereafter, in the data center in sub-step 711, a third key Kn + 2 is formed, which is to be transmitted encrypted to the postage meter machine. To form a fourth encrypted message crypto Cv + 3 again the DES algorithm is used. Subsequently, the encrypted message is transmitted to the franking machine.
  • the fourth step of the second transaction to store the default value comprises a sub-step 712 of the data center branching to the first sub-step 501 of the second step of the first transaction to obtain the second key Kn + 1 as the predecessor keys Kn-1 and store the third key Kn + 2 as successor key Kn for further first and second transactions.
  • a fifth step of the second transaction comprising sub-steps 615-618 of the postage meter, is for receiving and decrypting the fourth encrypted message, extracting at least the identification data and the transmitted third key Kn + 2 Cv + 3, and the transaction data, as well as for verification the received encrypted message based on the extracted identification data.
  • the aforementioned step has to identify the completed implementation in contrast to the positive remote value default on another query criterion.
  • the fourth crypto message is to be received by the franking machine FM. If the connection was uninterrupted, the reception would take place in the predetermined time t1.
  • the last and most critical portion of the second transaction becomes monitored for exceeding time t1.
  • a time count is started during the penultimate message to be transmitted, starting from the dispatch of the third crypto message in the processor (control unit 6) of the franking machine.
  • the corresponding program section activates a routine which sets a counter, which in turn is decremented by the system clock or its multiple.
  • a larger period of time for example of the order of 10 seconds, several meters are cascaded. If the fourth crypto message from the data center reaches the franking machine within the critical time period, the counter is deactivated.
  • a further variant of the invention results when an incremental is used instead of a decremental counter. In this case, the comparison with the number corresponding to the monitored period of time must be carried out after each count clock.
  • Exceeding the time t1 is a sure indication of an unsuccessful transmission and causes the call of a special subprogram, which a renewed Carrying out the special mode prepares the negative value for the remote value and triggers it automatically.
  • the first and second transactions are automatically repeated in this case with key Kn + 2.
  • the transmitted second key Kn + 2 Cv + 3 and the default value in the postage meter are added in accordance with the descending register value R1 and the resulting balance is stored or otherwise at non-verification or timeout becomes the first one Step of the first transaction branched back.
  • the fifth step of the second transaction includes a sub-step (620) of the postage meter for resetting the aforementioned special flag N or for returning to the normal mode of the postage meter, whereby the aforementioned automatic transaction request is canceled when the execution of the second transaction has been completed is.
  • the present service technician secures the further trouble-free expiration until the completion of the negative remote value specification.
  • At least R1 can be queried and statistically evaluated.
  • the validity of the fund retransfer as a result of the special mode is decided on the basis of a negative fair value. If no incident is reported by the service technician that, for example, the negative remote value specification was not feasible, or if no request for reloading a positive credit from the same franking machine, the validity is assumed.
  • the special flag N set on entry into the special mode negative distance value specification was reset on successful transaction.
  • the franking machine prevents all frankings with values greater than zero, because no more credit is loaded.
  • the franking machine is still ready for franking with values equal to zero and other modes, as long as they do not require a credit or as long as no postage is franked and the piece number limit is not reached.
  • Either the triggering of the transactions in the special mode is effected as in the one variant by the predetermined page entry or in another variant at least one manual step 302 in the special mode is negative remote value specification after a page entry for entering an identification number (PIN) and for entering the predetermined default desired as provided in the positive remote value default, which is queried in step 303.
  • An additional manual step for temporary input which is requested in step 603, triggers the second transaction and exits or repeats the first transaction in communication mode or in special mode if the input time is exceeded.
  • the T key must be pressed within 30 seconds or the input time is exceeded.
  • a check for transmission of a predetermined default request can be performed in the data center.
  • the default request - analogous to the rest in the display mode 215 in Descendingregister still in stock remaining amount R1 - must be entered and transmitted to the data center. Since the post office content is automatically transmitted to the data center for each transaction, but at least R1, a negative remittance default is made for fund repayment if the default amount matches the balance.
  • an arbitrary default request is agreed as code with the data center.
  • a NULL default request is agreed. If, within a certain time after the agreement, the special mode negative remote value default is called and the NULL default request is entered or confirmed as a default request, the remaining amount R1 is automatically reset to zero in the franking machine.
  • a corresponding query step 219 according to such a further specific criterion for the franking machine has been shown in dashed lines in FIG. From this, a branch is made to step 220 for setting the special flag N.
  • a third variant safety is increased by a combination of different measures.
  • a first communication connection between the authorized user and the data center for storing a code for registering an authorized action on the postage meter machine is established by a later-transmitted default request.
  • a turning on the postage meter for making an authorized predetermined operation can be done to enter via a page entry into a special mode negative Fernwertvorgabe.
  • a second communication connection between postage meter and the data center and input of a default request is made.
  • a distinctive log on to the data center occurs when the submitted default request matches a corresponding code.
  • the first transaction for example, a new code word or security flag and / or operating sequence is transmitted to the franking machine.
  • the security-relevant data are transmitted and their storage in the postage meter machine is completed.
  • the default value in the corresponding memory of the franking machine and for the purpose of checking the transaction is also added to the remaining balance in a corresponding memory of the data center.
  • the postage meter machine is transferred to a first mode, thereby effectively putting it out of commission for franking (franking mode 400) (Step 409), in contrast to the authorized action or intervention.
  • a transmission of a valid operating procedure from the data center to the franking machine becomes superfluous if the operating sequence is changed over time.
  • the same calculation algorithm is used to determine a current operating procedure.
  • Another variant is based on the storage of the current operating procedure in the franking machine by means of a special reset E 2 PROM by the service technician.
  • the security is increased by an authorized person by means of an additional input security means, which is brought into contact with the franking machine, in order to transfer a remaining balance back to the data center.
  • an additional input security means which is brought into contact with the franking machine, in order to transfer a remaining balance back to the data center.
  • the actuality is established at the data center by reporting the register statuses by means of a zero remote value specification.
  • a reset read-only memory module is inserted as input safety means by the service technician into a predetermined socket of the at least partially opened franking machine. After switching on or a side entry into the program of the franking machine, it is checked whether a reset read-only memory device (Refunds-EPROM) has been used. This can advantageously take place in step 219 shown in FIG. 2 for checking a further criterion.
  • Refunds-EPROM reset read-only memory device
  • a correct page entry in the absence of Refunds EPROM leads to the point e or in a variant not shown a step to abort the routine. For example, it is possible to branch to a step 209 for deleting a flag X, which would be noticed in step 409 of the franking mode (FIG. 4) and for statistics and error evaluation or registration in step 213 leads. Otherwise, with the correct page entry and with the Refunds EPROM plugged in, a special flag N is set, which in the communication mode automatically triggers the return of the remaining credit to the data center.
  • steps 218 and 219 according to FIG. 2 can be reversed in their order, so that only with regard to the inserted Refunds EPROM and only after that is the correct page entry requested.
  • Such a sub-variant has the advantage that the information about the correct page entry can also be stored in the Refunds EPROM, rather than in the postage meter machine. Thus, the security against manipulation in the intention to counterfeit is further increased.
  • the status of the franking machine (out of service) is stored in the data center.
  • the authorized person removes the input security device from the socket and closes the housing of the postage meter machine.
  • the input security means can of course also be realized as a chip card.

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Theoretical Computer Science (AREA)
  • Devices For Checking Fares Or Tickets At Control Points (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Detection And Prevention Of Errors In Transmission (AREA)

Claims (2)

  1. Procédé pour améliorer la sécurité de machines à affranchir contre une manipulation, avec un microprocesseur dans une unité de commande de la machine à affranchir en vue de l'exécution d'étapes pour une routine de démarrage et d'initialisation et routine système subséquente, avec une possibilité d'entrer dans un mode de communication avec une centrale de données distante afin de charger une valeur d'avoir ou de la retransmettre à la centrale de données, ainsi qu'avec une nouvelle étape de saisie permettant d'entrer dans un mode d'affranchissement, à partir duquel il est procédé au réaiguillage après exécution d'une routine de comptabilisation et d'impression dans la routine système, caractérisé par une distinction entre une exploitation non manipulée et manipulée d'une machine à affranchir au moyen du dispositif de commande (6), grâce à un contrôle du respect d'un laps de temps défini, ledit contrôle étant opéré au cours d'une communication en mode de communication (300), une retransmission de l'avoir enregistré dans la machine à affranchir opérée en mode spécial pour spécification de valeur à distance négative jusqu'à la centrale de données étant sécurisée et une première et une seconde transactions étant effectuées dans le mode spécial susmentionné afin d'échanger des informations codées, via émission d'une première information codée de la part de la machine à affranchir et réception d'une deuxième information codée envoyée par la centrale de données à la machine à affranchir au cours de la première transaction et via émission d'une troisième information codée de la part de la machine à affranchir et réception d'une quatrième information codée envoyée par la centrale de données à la machine à affranchir au cours de la seconde transaction, un contrôle du respect de la durée entre l'émission de la troisième information codée de la part de la machine à affranchir et la réception de la quatrième information codée envoyée par la centrale de données à la machine à affranchir étant effectué dans la machine à affranchir, laquelle déclenche une mise à zéro de la valeur de l'avoir lors de la vérification de la quatrième information codée.
  2. Procédé selon la revendication 1, caractérisé en ce qu'un compteur décrémental ou un compteur incrémental est utilisé afin de détecter un dépassement du temps t1 en mode spécial sous la forme d'un indice sûr pour une transmission ratée et en ce qu'un sous-programme spécial est appelé, lequel prépare et déclenche automatiquement une nouvelle exécution du mode spécial de spécification de valeur à distance négative de manière à ce que la première et la seconde transaction soient réitérées automatiquement.
EP00250033A 1994-12-15 1995-11-21 Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit Expired - Lifetime EP0996097B1 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE4446667A DE4446667C2 (de) 1994-12-15 1994-12-15 Verfahren zur Verbesserung der Sicherheit von Frankiermaschinen bei der Guthabenübertragung
DE4446667 1994-12-15
EP95250286A EP0717379B1 (fr) 1994-12-15 1995-11-21 Procédé pour l'amélioration de la sécurité des machines à timbrer pendant le transfert du crédit

Related Parent Applications (2)

Application Number Title Priority Date Filing Date
EP95250286.2 Division 1995-11-21
EP95250286A Division EP0717379B1 (fr) 1994-12-15 1995-11-21 Procédé pour l'amélioration de la sécurité des machines à timbrer pendant le transfert du crédit

Publications (4)

Publication Number Publication Date
EP0996097A2 EP0996097A2 (fr) 2000-04-26
EP0996097A3 EP0996097A3 (fr) 2004-06-16
EP0996097A9 EP0996097A9 (fr) 2005-06-22
EP0996097B1 true EP0996097B1 (fr) 2006-05-03

Family

ID=6537174

Family Applications (3)

Application Number Title Priority Date Filing Date
EP00250033A Expired - Lifetime EP0996097B1 (fr) 1994-12-15 1995-11-21 Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit
EP95250286A Expired - Lifetime EP0717379B1 (fr) 1994-12-15 1995-11-21 Procédé pour l'amélioration de la sécurité des machines à timbrer pendant le transfert du crédit
EP00250032A Expired - Lifetime EP0996096B1 (fr) 1994-12-15 1995-11-21 Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit et dispositif pour la mise en oeuvre du procédé

Family Applications After (2)

Application Number Title Priority Date Filing Date
EP95250286A Expired - Lifetime EP0717379B1 (fr) 1994-12-15 1995-11-21 Procédé pour l'amélioration de la sécurité des machines à timbrer pendant le transfert du crédit
EP00250032A Expired - Lifetime EP0996096B1 (fr) 1994-12-15 1995-11-21 Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit et dispositif pour la mise en oeuvre du procédé

Country Status (2)

Country Link
EP (3) EP0996097B1 (fr)
DE (4) DE4446667C2 (fr)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19731304B4 (de) * 1997-07-14 2005-02-24 Francotyp-Postalia Ag & Co. Kg Verfahren zur Statistikmodusnachladung und zur statistischen Erfassung nach Statistikklassen bei der Speicherung eines Datensatzes
US6058384A (en) * 1997-12-23 2000-05-02 Pitney Bowes Inc. Method for removing funds from a postal security device
DE19818708A1 (de) * 1998-04-21 1999-11-04 Francotyp Postalia Gmbh Verfahren zum Nachladen eines Portoguthabens in eine elektronische Frankiereinrichtung
US12581600B2 (en) 2023-09-08 2026-03-17 International Business Machines Corporation Generation of random security circuit patterns for in-situ fabrication of tamper-respondent sensors

Family Cites Families (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3255439A (en) 1961-07-13 1966-06-07 Gen Res Inc Postage metering system
US4251874A (en) 1978-10-16 1981-02-17 Pitney Bowes Inc. Electronic postal meter system
GB2144081B (en) 1983-07-23 1987-10-28 Pa Consulting Services Postal franking machines
US4835697A (en) 1984-04-02 1989-05-30 Pitney Bowes Inc. Combination generator for an electronic postage meter
US4549281A (en) 1985-02-21 1985-10-22 Pitney Bowes, Inc. Electronic postage meter having keyboard entered combination for recharging
US4812965A (en) 1985-08-06 1989-03-14 Pitney Bowes Inc. Remote postage meter insepction system
CA1263752A (fr) * 1985-08-06 1989-12-05 Michael P. Taylor Dispositif de verrouillage pour compteur postal
US4812994A (en) 1985-08-06 1989-03-14 Pitney Bowes Inc. Postage meter locking system
US4760532A (en) 1985-12-26 1988-07-26 Pitney Bowes Inc. Mailing system with postage value transfer and accounting capability
US4811234A (en) * 1986-04-10 1989-03-07 Pitney Bowes Inc. Postage meter recharging system
US4864506A (en) * 1986-04-10 1989-09-05 Pitney Bowes Inc. Postage meter recharging system
US4785417A (en) 1986-04-28 1988-11-15 Pitney Bowes Inc. Electronic postage meter having an out of sequence checking arrangement
US4846506A (en) 1987-09-04 1989-07-11 U.S. Plastics Corporation Quick connect coupling
DE69014361T2 (de) 1989-03-23 1995-04-27 Neopost Ind Verfahren zur Erhöhung der Sicherheit einer elektronischen Frankiermaschine mit Fernaufwertung.
US5077660A (en) 1989-03-23 1991-12-31 F.M.E. Corporation Remote meter configuration
CH678368A5 (fr) * 1989-03-29 1991-08-30 Frama Ag
GB2233937B (en) 1989-07-13 1993-10-06 Pitney Bowes Plc A machine incorporating an accounts verification system
US5237506A (en) * 1990-02-16 1993-08-17 Ascom Autelca Ag Remote resetting postage meter
US5243654A (en) * 1991-03-18 1993-09-07 Pitney Bowes Inc. Metering system with remotely resettable time lockout
GB2256396B (en) 1991-05-29 1995-03-29 Alcatel Business Systems Method of remote diagnostics for franking machines
DE4129302A1 (de) 1991-09-03 1993-03-04 Helmut Lembens Frankiermaschine
CA2082919C (fr) * 1991-11-22 1997-03-18 Cheryl P. Cochran Methode diagnostique pour dispositif mecanique a commande electrique
US5309363A (en) * 1992-03-05 1994-05-03 Frank M. Graves Remotely rechargeable postage meter
DE4221270A1 (de) 1992-06-26 1994-01-05 Francotyp Postalia Gmbh Anordnung und Verfahren zur Klischeetextteiländerung für Frankiermaschinen
DE4224955C2 (de) 1992-07-24 1998-11-26 Francotyp Postalia Gmbh Anordnung und Verfahren für einen internen Kostenstellendruck

Also Published As

Publication number Publication date
EP0717379A2 (fr) 1996-06-19
EP0996096A2 (fr) 2000-04-26
DE59508807D1 (de) 2000-11-30
EP0996096A3 (fr) 2004-06-16
EP0717379B1 (fr) 2000-10-25
EP0996096B1 (fr) 2006-05-10
DE59511048D1 (de) 2006-06-14
EP0717379A3 (fr) 1998-04-15
EP0996097A3 (fr) 2004-06-16
DE4446667A1 (de) 1996-06-20
DE59511045D1 (de) 2006-06-08
EP0996097A2 (fr) 2000-04-26
DE4446667C2 (de) 1998-09-17

Similar Documents

Publication Publication Date Title
EP0969421B1 (fr) Procédé pour l'amélioration de la sécurité des machines à affranchir
EP0762337A2 (fr) Procédé et dispositif pour augmenter la protection contre la manipulation de données critiques
EP0660270B1 (fr) Procédé et dispositif pour générer et vérifier un motif destiné à la sécurité
DE69631025T2 (de) System und Verfahren zur Wiederherstellung im Falle einer Katastrophe in einem offenen Zählsystem
EP0944027B1 (fr) Machine à affranchir et un procédé pour générer des données valables pour affranchir
DE69434621T2 (de) Postgebührensystem mit nachprüfbarer Unversehrtheit
CH675496A5 (fr)
EP0892368B1 (fr) Procédé pour le téléchargement de données statistiques et de recensement en ensembles statistiques lors du chargement des données
EP1035517B1 (fr) Procédé de protection d'un module de sécurité et ensemble pour mettre en oeuvre ledit procédé
US6587843B1 (en) Method for improving the security of postage meter machines in the transfer of credit
EP1035516B1 (fr) Système pour un module de sécurité
EP0762335A2 (fr) Procédé pour changer les données chargées dans des cellules de stockage d'une machine d'affranchissement
EP1035518B1 (fr) Ensemble de protection d'un module de sécurité
DE19534530A1 (de) Verfahren zur Absicherung von Daten und Programmcode einer elektronischen Frankiermaschine
DE19757653C2 (de) Verfahren und postalisches Gerät mit einer Chipkarten-Schreib/Leseeinheit zum Nachladen von Änderungsdaten per Chipkarte
EP0996097B1 (fr) Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit
DE10305730B4 (de) Verfahren zum Überprüfen der Gültigkeit von digitalen Freimachungsvermerken
DE60015907T2 (de) Verfahren und Vorrichtung zur Erzeugung von Nachrichten welche eine prüfbare Behauptung enthalten dass eine Veränderliche sich innerhalb bestimmter Grenzwerte befindet
EP0996097A9 (fr) Procédé pour améliorer la sécurité de machines à affranchir pendant le transfert du crédit
EP1061479A2 (fr) Dispositif et procédé pour générer un motif destiné à la sécurité
DE19534527C2 (de) Verfahren zur Erhöhung der Manipulationssicherheit von kritischen Daten
DE19534529C2 (de) Verfahren zur Erhöhung der Manipulationssicherheit von kritischen Daten
EP1619630A2 (fr) Procédé et dispositif pour rembourser des frais d'affranchissement
DE69926222T2 (de) Betrugssichere frankiermaschinenvorrichtung mit langer nutzungsdauer der batterie
DE29522056U1 (de) Anordnung zur Erhöhung der Manipulationssicherheit von kritischen Daten

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AC Divisional application: reference to earlier application

Ref document number: 717379

Country of ref document: EP

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE CH DE DK ES FR GB GR IE IT LI LU MC NL PT SE

AX Request for extension of the european patent

Free format text: LT;LV;SI

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: FRANCOTYP-POSTALIA AG & CO. KG

PUAL Search report despatched

Free format text: ORIGINAL CODE: 0009013

AK Designated contracting states

Kind code of ref document: A3

Designated state(s): AT BE CH DE DK ES FR GB GR IE IT LI LU MC NL PT SE

AX Request for extension of the european patent

Extension state: LT LV SI

17P Request for examination filed

Effective date: 20040630

AKX Designation fees paid

Designated state(s): CH DE FR GB IT LI

17Q First examination report despatched

Effective date: 20050222

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: FRANCOTYP-POSTALIA GMBH

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

AC Divisional application: reference to earlier application

Ref document number: 0717379

Country of ref document: EP

Kind code of ref document: P

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): CH DE FR GB IT LI

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT;WARNING: LAPSES OF ITALIAN PATENTS WITH EFFECTIVE DATE BEFORE 2007 MAY HAVE OCCURRED AT ANY TIME BEFORE 2007. THE CORRECT EFFECTIVE DATE MAY BE DIFFERENT FROM THE ONE RECORDED.

Effective date: 20060503

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

Free format text: NOT ENGLISH

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: CH

Ref legal event code: NV

Representative=s name: ROTTMANN, ZIMMERMANN + PARTNER AG

REF Corresponds to:

Ref document number: 59511045

Country of ref document: DE

Date of ref document: 20060608

Kind code of ref document: P

GBT Gb: translation of ep patent filed (gb section 77(6)(a)/1977)

Effective date: 20060817

ET Fr: translation filed
PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

26N No opposition filed

Effective date: 20070206

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20090916

Year of fee payment: 15

Ref country code: CH

Payment date: 20091124

Year of fee payment: 15

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FR

Payment date: 20091201

Year of fee payment: 15

Ref country code: GB

Payment date: 20091119

Year of fee payment: 15

Ref country code: IT

Payment date: 20091121

Year of fee payment: 15

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

GBPC Gb: european patent ceased through non-payment of renewal fee

Effective date: 20101121

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20101130

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20101130

REG Reference to a national code

Ref country code: FR

Ref legal event code: ST

Effective date: 20110801

REG Reference to a national code

Ref country code: DE

Ref legal event code: R119

Ref document number: 59511045

Country of ref document: DE

Effective date: 20110601

Ref country code: DE

Ref legal event code: R119

Ref document number: 59511045

Country of ref document: DE

Effective date: 20110531

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: DE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20110531

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FR

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20101130

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: GB

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20101121

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IT

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20101121