Claims
What is claimed is:
1. A system for electronic distribution of postage, comprising:
a secure computer for generating postage indicia on behalf of a plurality of user accounts, the secure computer including:
a communications port for receiving postage requests from end user computers, each received postage requests having request data defining a postage indicium to be created, including user account data;
a database of information concerning user accounts of users authorized to request postal indicia from the secure computer;
a request validation mechanism for authenticating each received postage request with respect to the user account information in the database; and
a postal indicia creation and distribution mechanism for applying a secret encryption key to information in each authenticated postage request so as to generate a digital postage indicium that is at least partially encrypted with the secret
encryption key, and for securely transmitting the generated digital postage indicium to the end user computer that sent a corresponding one of the postage requests;
wherein
the postal indicia creation procedure applies one of a plurality of secret encryption keys to each authenticated postage request in accordance with predefined key assignment criteria;
the digital postage indicium includes a first portion, not encrypted with the secret encryption key, that includes information sufficient to enable a postal indicium validation procedure to identify the secret encryption key used to encrypt the
encrypted portion of the digital postage indicium, and to decrypt the encrypted portion of the digital postage indicium; and
the generated digital postage indicium is formatted in a manner suitable for printing on a mail piece or mailing label by the end user computer in a predefined bar code format.
2. A system for electronic distribution of postage, comprising:
at least one secure central computer for generating postage indicia in response to postage requests submitted by end user computers, the secure central computer including:
a data processor;
a database of information concerning user accounts of users authorized to request postal indicia from the secure central computer;
a request validation procedure, executable by the data processor, for authenticating each received postage request with respect to the user account information in the database;
a postal indicia creation procedure, executable by the data processor, for applying a secret encryption key to information in each authenticated postage request so as to generate a digital signature and for combining the information in each
authenticated postage request with the corresponding generated digital signature so as to generate a digital postage indicium in accordance with a predefined postage indicium data format; and
a communication procedure, executable by the data processor, for securely transmitting the generated digital postage indicium to the end user computer that sent a corresponding one of the postage requests;
wherein
the postal indicia creation procedure applies one of a plurality of secret encryption keys to each authenticated postage request in accordance with predefined key assignment criteria; and
the digital postage indicium generated by the postal indicia creation procedure includes a first portion, not encrypted with the secret encryption key, that includes information sufficient to enable a postal indicium validation procedure to
identify the secret encryption key used to generate the digital signature of the digital postage indicium and to decrypt the digital signature of the digital postage indicium;
each of the end user computers including:
a data processor;
a communication procedure for sending postage requests to one of the at least one secure central computers at which a user account has been established, and for receiving from the one secure central computer a corresponding digital postage
indicium; and
a postage indicium printing procedure for printing a postage indicium in accordance with the received digital postage indicium.
3. The system of claim 2,
at least a subset of the postage requests each including: a user account identifier that identifies a previously established user account, a source address identifier indicating where a mail piece is to be mailed from, a destination address
identifier indicating where the mail piece is to be mailed to, authentication information for authenticating that the postage request is from an end user associated with the specified user account identifier, and data concerning the package size and/or
weight sufficient to determine an amount of postage required for the mail piece;
wherein at least a subset of the generated digital postal indicia each include data representing the user account identifier, source address identifier, and destination address identifier in a corresponding one of the postage requests.
4. The system of claim 2, wherein
the secret encryption key used to create the digital signature in each secure central computer is one of a plurality of secret encryption keys, each of which is assigned a corresponding unique key identifier; and
each generated digital postal indicium includes data representing the key identifier of the secret encryption key used to generate the digital signature in that digital postal indicium.
5. The system of claim 4, further including
at least one postal authority subsystem that includes:
a data processor;
a database of information concerning the user accounts;
a postal indicium validation procedure, executable by the data processor, for authenticating the postal indicium on a mail piece, including instructions for decrypting the digital signature in the postal indicium using a decryption key
corresponding to the key identifier in the postal indicium.
6. A method of generating and distributing digital postage indicia, comprising:
at a secure computer,
storing a database of information concerning user accounts of users authorized to request postal indicia from the secure computer;
receiving postage requests from end user computers, each received postage request having request data defining a postage indicium to be created, including user account data;
authenticating each received postage request with respect to the user account information in the database;
applying a secret encryption key to information in each authenticated postage request so as to generate a digital postage indicium that is at least partially encrypted with the secret encryption key; and
securely transmitting the generated digital postage indicium to the end user computer that sent a corresponding one of the postage requests;
wherein
the applying step applies one of a plurality of secret encryption keys, the secret encryption key applied to each particular authenticated postage request being determined in accordance with predefined key assignment criteria;
the digital postage indicium generated by the applying step includes a first portion, not encrypted with the secret encryption key, that includes information sufficient to enable a postal indicium validation procedure to identify the secret
encryption key used to generate the digital postage indicium and to decrypt a second, encrypted, portion of the digital postage indicium; and
the generated digital postage indicium is formatted in a manner suitable for printing on a mail piece or mailing label by the end user computer in a predefined bar code format.
7. The method of claim 6, at least a subset of the postage requests each including: a user account identifier that identifies a previously established user account, a source address identifier indicating where a mail piece is to be mailed from,
a destination address identifier indicating where the mail piece is to be mailed to, authentication information for authenticating that the postage request is from an end user associated with the specified user account identifier, and data concerning the
package size and/or weight sufficient to determine an amount of postage required for the mail piece;
wherein at least a subset of the generated digital postal indicia each include data representing the user account identifier, source address identifier, and destination address identifier in a corresponding one of the postage requests.
8. The method of claim 7, wherein
each of the plurality of secret encryption keys is assigned a corresponding unique key identifier; and
each generated digital postal indicium includes data representing the key identifier of the secret encryption key used to generate the second, encrypted, portion of that digital postal indicium.
9. The method of claim 8, further including
at a postal authority system,
receiving a mail piece having a digital postal indicium printed thereon;
authenticating the digital postal indicium on the received mail piece, including decrypting the second, encrypted, portion of the postal indicium using a decryption key corresponding to the key identifier in the digital postal indicium.
10. The method of claim 9, wherein the second, encrypted, portion of the digital postal indicium includes a digital signature of at least a portion of the digital postal indicium.
11. The method of claim 8, wherein the second, encrypted, portion of the digital postal indicium includes a digital signature of at least a portion of the digital postal indicium.
12. The method of claim 8, wherein the encrypted portion of the digital postal indicium includes a digital signature of at least a portion of the digital postal indicium.
Description
The present invention relates generally to electronic postage metering systems, and particularly to a system and method for securely dispensing postage using telephone and/or network based communication mechanisms.
BACKGROUND OF THE INVENTION
U.S. Pat. No. 5,319,562, entitled "System and Method for Purchase and Application of Postage Using Personal Computer," describes a cost-effective alternative to the classic mechanical or electromechanical postage metering devices used in the
commercial business environment for the past 50 years.
The rental cost of conventional meters has impeded their widespread adoption. By way of example in the US market, as of 1997 there are only about 1.6 million postage meters in service. When compared to an estimated 20 million small businesses
in the US, it is clear that conventional meters have never achieved the mass penetration that copy machines, FAX machines or PC's have. The primary reason is a perceived high (and recurring) cost which outweighs the convenience in the eyes of potential
users.
In 1996 the US Postal Service published in the Federal Register a draft specification for a system (coined the IBIP or Information Based Indicia Program) using the same basic concepts presented in U.S. Pat. No. 5,319,562. However, the USPS added
a number of security and operational requirements that add substantially to the initial and ongoing cost of fielding a PC-based postage meter. The added USPS requirements have essentially priced the technology out of the reach of the small PC-based
mailer, with monthly costs estimated to be more than a conventional entry-level mechanical or electro-mechanical meter.
This document describes a method of electronically dispensing postage using a PC-based system that retains the cost viability of the original PC-based postage application system disclosed in U.S. Pat. No. 5,319,562, while simultaneously meeting
the host of additional requirements imposed by the USPS. The present invention also provides the technical means for postal agencies such as the USPS, UK's Royal Mail, or France's La Poste, or the newly-formed Postage Fee-For-Service bureaus, to compete
with conventional meter vendors by directly dispensing postage with integral, digitally signed indicia data to end users electronically on a mail piece-by-mail piece basis. The mail piece-by-mail piece disbursement approach has strong parallels to
so-called "micro-transactions" or "milli-payments," which are the subject of considerable focus for Internet applications.
In addition to serving end user mailers, the present invention can be used to dispense postage strips at postal agency retail sites (e.g., Post Office counters). This technology could replace the expensive, non-IBIP meter strip technology which
is currently in use at such locations.
Referring to FIG. 1, U.S. Pat. No. 5,319,562 describes a postage management and printing system using common personal computer components, including a printer 11b, modem 11c, and non-volatile local memory to store balance and other key data.
U.S. Pat. No. 5,319,562 also presented a proposed postage mark of simple design that expressed the fundamental information required by the USPS--city and state of origin, date of issue, amount of postage and meter number. The '562 patent also proposed
that each mail piece be assigned a unique serial number, and barcode representations of the postage amount and numerical identifiers.
The mail pieces produced by the system of the '562 patent would contain a complete and verified delivery address, a barcode for facilitating automated routing and sorting of mail pieces, and a postal indicium (i.e., a stamp or postal mark) that
contains, at minimum, the following information:
Postage Amount
Date
City of Origin
Postage Meter Number
Piece Serial Number
The postal indicium information could take the form of human-readable text and/or a barcoded representation.
The fundamental anti-fraud mechanism taught in the '562 patent was premised on the mailing authority (e.g., the USPS) checking for uniqueness of the meter/serial number combination during automated processing of the mail. If a duplicate
meter/serial number combination was detected, the mail piece could easily be intercepted, or at minimum, a graphic image of the mail piece could be captured.
The ultimate reliance on the aforementioned anti-fraud approach is mandated by the way in which indicia are created in this new venue--using commonly available desktop printers (e.g., with laser, inkjet, or matrix printers) using standard
(typically black) inks. This type of mark is very easily replicated (e.g., by a conventional photocopier). In contrast, conventional postage meters produce a phosphor traced, red ink mark. In addition, conventional meters are required to slightly
"emboss" the material on which they print. As a result, it is reasonably difficult to replicate the imprint of a conventional postage meter.
A facsimile of a test mail piece created on a personal computer and mailed by officials of the USPS on Sep. 12, 1996 appears in FIG. 2. The indicium includes all of the information discussed in U.S. Pat. No. 5,319,562, some in human readable
form and some represented in a PDF-417 two dimensional barcode. The barcode contains a host of information, including the meter number and a unique serial number for the mail piece, as taught in U.S. Pat. No. 5,319,562.
The USPS specifications require use of the PDF417 indicium barcode, although other two dimensional barcodes such as the DataMatrix are also under consideration. The USPS is currently requiring that the barcode contain nearly 500 characters of
information. Some of this data are attributable to an attempt to incorporate letter/parcel tracking information, and part is to accommodate an encryption signature and accompanying public key information which is used in combination to provide a
"self-authenticating" feature to the mail piece.
The indicium encryption signature (and more specifically the associated FIPS-140-level secure hardware required to generate this signature at the user's PC), along with the USPS requirement to have a local CD-ROM subscription containing all USPS
ZIP+4 address information, has driven the costs of a PC-based metering system beyond what can be reasonably tolerated by the marketplace.
The encryption signature in the proposed USPS IBIP indicium barcode cannot prevent counterfeiting by simple duplication, and that fact is recognized by the USPS. The USPS states that the goal of using the IBIP indicium barcode is to produce an
"indicium whose origin cannot be repudiated". Its intended use is for manual spot sampling of pieces in the mail stream for a period of up to 5 years. During this 5 year period, the USPS plans to simultaneously ramp up the necessary equipment to
provide for 100% automatic scanning of these mail pieces.
Ironically, when the USPS achieves the 100 percent scanning capability, they will no longer need an encryption signature, because capturing the unique meter number and piece serial number and comparing that to a national database will immediately
identify counterfeit or suspect pieces.
Following the "interim logic" of the USPS, using a barcode reader and a public decryption key, a Postal Inspector could examine a given mail piece and compare the printed destination address with the ZIP+4 embedded in the PDF417 barcode. This
would insure, at minimum, that the indicia was properly synchronized with the actual delivery address printed on the mail piece. It would prevent counterfeiters from simply scanning (copying) an otherwise valid barcode and placing it on another mail
piece which has a different destination ZIP+4.
However, until scanning and verification of the postal indicia on all mail pieces is available, the "interim logic" will not capture duplicate counterfeits which simply have the same destination address or even the same ZIP+4.
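The two checks discussed above, written out as an added example that is not part of the patent: the "interim logic" comparison of the ZIP+4 carried in the indicium barcode against the delivery address printed on the piece, and the meter/serial uniqueness check that automated scanning would apply. The barcode field layout (`key=value;...`) and the scan records are constructed for this example and are not the USPS or IBIP formats.

```python
"""Added example of the two background checks: the interim inspector logic (barcode
ZIP+4 versus the printed delivery address) and the meter/serial uniqueness check
that catches duplicated indicia. The barcode field layout and the scan records are
constructed for this example and are not the USPS or IBIP formats."""
from dataclasses import dataclass


@dataclass
class ScannedPiece:
    """One mail piece as an automated scanner would see it (constructed record)."""
    barcode: str       # decoded 2-D barcode payload, constructed as "key=value;..."
    printed_zip4: str  # ZIP+4 read from the delivery address printed on the piece


REQUIRED_FIELDS = ("meter", "serial", "zip4", "amount")


def parse_barcode(payload):
    """Parse the constructed 'key=value;...' payload; a damaged or incomplete
    barcode raises ValueError so the piece is flagged rather than silently passed."""
    fields = {}
    for part in payload.split(";"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed field {part!r}")
        fields[key] = value
    for name in REQUIRED_FIELDS:
        if name not in fields:
            raise ValueError(f"missing field {name!r}")
    return fields


class IndiciumScanner:
    """Stateful checker: remembers every meter/serial pair seen so far."""

    def __init__(self):
        self.seen = {}  # (meter, serial) -> index of the first piece carrying it

    def check(self, index, piece):
        flags = []
        try:
            fields = parse_barcode(piece.barcode)
        except ValueError as err:
            return [f"unreadable: {err}"]
        # Interim logic: the indicium must be tied to the address actually printed.
        if fields["zip4"] != piece.printed_zip4:
            flags.append("zip4_mismatch")
        # Uniqueness logic: a meter/serial pair must appear once in the mail stream.
        pair = (fields["meter"], fields["serial"])
        if pair in self.seen:
            flags.append(f"duplicate_of_piece_{self.seen[pair]}")
        else:
            self.seen[pair] = index
        return flags


def scan_stream(pieces):
    """Run both checks over a stream; returns {piece index: [flags]} for flagged pieces only."""
    scanner = IndiciumScanner()
    report = {}
    for index, piece in enumerate(pieces):
        flags = scanner.check(index, piece)
        if flags:
            report[index] = flags
    return report


# Constructed scan records: a valid piece, a barcode copied onto an envelope with a
# different address, a straight photocopy to the same address, and a damaged barcode.
SAMPLE_SCANS = [
    ScannedPiece("meter=000123;serial=0001;zip4=94105-2201;amount=32", "94105-2201"),
    ScannedPiece("meter=000123;serial=0002;zip4=94105-2201;amount=32", "10001-0001"),
    ScannedPiece("meter=000123;serial=0001;zip4=94105-2201;amount=32", "94105-2201"),
    ScannedPiece("meter=000123;serial=0003;zip4=60601-0001", "60601-0001"),
]

if __name__ == "__main__":
    for index, flags in scan_stream(SAMPLE_SCANS).items():
        print(index, flags)
```

The third constructed record is the case the paragraph above describes: a copy of an otherwise valid indicium placed on a piece going to the same ZIP+4 passes the interim ZIP+4 comparison and is only caught by the uniqueness check, which needs every piece to be scanned.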
The Proposed USPS IBIP Open System
FIG. 3 is derived from an Oct. 8, 1996 USPS Publication entitled "Information Based Indicia Program--Host System Specification". The sole amendment to the original USPS figure is the box labeled "Address Verification". This element does not
appear in the original USPS figure, but its function and relative location were described in the accompanying USPS text. Basically, this figure outlines the current USPS concept of a PC-based metering system. It is important to note that the diagram
shown in FIG. 3 is quite generalized because the USPS wants to consider this approach for:
an entirely new generation of PC-based metering systems; as well as
a technology replacement for conventional mail room electro-mechanical postage meters.
In particular, the representation in FIG. 3 of a "customer provided input" is generalized to cover a standard PC keyboard/mouse as well as a postage meter keypad, scanner, PC-based controller, or other device.
The block labeled "Host System" is simply, in the case of a PC-based metering system, a standard desktop PC with printer. The host system in postage meter configuration might be a complex electro-mechanical device (including a print engine) for
intensive mail room metering operations.
The block labeled PSD (for Postal Secure Device) is viewed as an external, active processing device with an integral non-volatile storage whose mission is multifaceted. The PSD functions include secure storage of local postage balances, creation
of digitally signed indicia information, and the support of secure transmission capabilities between the user and the Vendor (e.g., the Postage Meter Manufacturer such as Pitney Bowes, Neopost, etc.) and/or the user and the USPS (or similar postal
agencies in other countries).
A final block, Address Verification, is a CD-ROM containing an address lookup engine and a national ZIP+4 directory, which must be incorporated into the USPS IBIP System. The USPS Oct. 8, 1996 specification explicitly states that "Section 3
required that the host system developers use the USPS-developed Address Matching Systems (AMS) software and the USPS ZIP+4 National Directory". This is an annual CD subscription which is updated 6 times per year and sold for $120/yr to $600/yr depending
upon the vendor.
The PSD is a significantly more aggressive and complex component than originally described in US Pat. No. 5,319,562, where a secure, non-volatile memory was used to store and securely maintain balance information. It evolved from the USPS's
imposed requirement that virtually every transaction undertaken by the IBIP system be digitally encrypted.
Some of the stated missions of the PSD are:
secure balance storage;
secure date/time maintenance (using an on board clock);
creation of digitally signed indicia messages (to be represented in a 2-D barcode);
management of secure transmissions between the user and the Vendor and/or USPS;
multi-year battery lifetime;
secure storage of encryption keys;
storage of X.509 data certificates;
a communications mechanism to interact with the host, and in turn with the USPS and Vendor; and
compliance with FIPS-140 cryptographic and physical security standards.
The digital encryption specified by the USPS is based on the Public/Private key concept introduced by Stanford University Professor Martin Hellman and his graduate student, Mr. Whitfield Diffie, in 1976. Data messages can be encrypted and decrypted
using a combination of these keys. The keys may also be used to "digitally sign" messages in such a way that the recipient is confident of the origin and authenticity of the content of the message.
While the user's PC could perform the necessary digital encryption process, it is well known that the standard PC environment can be monitored, and encryption computations that can be monitored can eventually be deciphered by an attacker.
Therefore, the USPS has firmly rejected the use of the user's PC to perform encryption tasks. Instead, the USPS has specified that any PC performing postage metering and postage acquisition functions will have to use a PSD that meets FIPS-140 standards.
This secure device would interact with the user's PC (or the more general Host System) via a serial cable (for instance). The Host System would remain completely ignorant of the message content, and would pass this message either to a printer (for mail
piece creation) or to the USPS/Vendor for some type of transaction (such as a postage purchase).
Of course, if the postal service were to scan the digitally metered postage of all postage items, such a high level of security is likely not needed, since virtually all types of fraudulent postage metering would be automatically detected during
the postage scanning process. The simple presence of a unique Meter and Serial number (in a barcode or in OCR readable form) on every digitally metered mail piece would provide an absolutely secure system.
In essence, the PSD is simply a replica of the "heart" of a conventional electro-mechanical postage meter. Conceptually, the PSD has done away with the direct user interface and printing capability in a conventional meter, and replaced this with
communications mechanisms so that other devices can accomplish these tasks. The PSD is simply a reflection of the long standing industry understanding of "what a meter is".
Like conventional meters, the USPS mandates that the PSD be tracked from "cradle to grave". Tracking requirements for conventional postage meters are complex, bureaucratic and expensive. Postal Agencies worldwide are gravely concerned about
"rogue meters" whose physical location becomes unknown (due to theft, for instance) and have been compromised to essentially generate unlimited postage. This is one reason why the "meter head" of a conventional meter can never be sold in the United
States--the USPS requires that it only be rented (and thus owned/tracked by the four firms who currently can sell meters in the US).
When a conventional meter rental agreement is signed between a Vendor and an end user, here is a list of some of the actions that are required. Importantly, the "new" PSD will require most, if not all, of these steps.
1. The end user must complete an extensive USPS form to be filed both with the Vendor and USPS
2. At the vendor's factory, and under the eyes of USPS Inspectors, a specific meter must be seeded with initial data that associates that meter uniquely with the new end user.
3. The meter is shipped to the end user's local Post Office where it is "enabled" for operation by the USPS and entered into the administrative control of that office.
4. The meter is then installed at the end user's site by a representative of the Vendor. Additional enabling codes are then entered into the meter.
The meter is now ready for operation.
Once in service, meters must be periodically inspected visually by USPS representatives. In the case of older style mechanical meters, which are carried to the local Post Office for re-crediting, the inspection takes place during the
re-crediting process. In the case of telephonically re-credited meters, the inspection must take place at the end user's site.
If the user cancels the contract, a similar withdrawal procedure must be followed where the device moves through the local Post Office for disabling and then to the Vendor's secure manufacturing site for de-initialization and possible reuse with
another customer.
If a meter fails in the field and there is sufficient proof that the meter contained a non-zero balance, the end user can apply for a refund transaction.
Like conventional meters, the USPS is requiring that PSD's not be sold on store shelves (e.g., a computer software retail outlet), but instead must be carefully disseminated and tracked by the Vendor, just like conventional meters. This process
alone adds very significant costs which must be passed on to the end user.
In contrast to the USPS requirement for a local CD-ROM subscription of the US National ZIP+4 directory, a telephone and/or Web-based Dial-A-ZIP protocol is currently operational nationwide for free public use. This same Dial-A-ZIP directory
technology is used internally by the USPS national network infrastructure to provide address verification for USPS corporate mailings.
Dial-A-ZIP is a simple one step process that submits an address to the very same US National ZIP+4 directory and returns the so-called standardized address, ZIP+4, carrier route and other postal data. On the Web, the response time for this
process is typically 1 second. In the dial-up mode, the process takes 20-30 seconds because of the dialing and modem connect time.
Dial-A-ZIP is an appropriate, USPS-certified, and cost-effective ZIP+4 validation technique that is ideal for the small and medium sized mailer who might use the PC-based metering system of the present invention. The present invention
incorporates Dial-A-ZIP within a broader context of solving the overall metering problem. In fact, the invention can be thought of as an extension of a Dial-A-ZIP transaction.
The postage dispensing system design depicted in FIG. 3 follows the methodology of both conventional meters and the PC-based meter described in U.S. Pat. No. 5,319,562. That is, the local user-based system serves as a repository for unused
(i.e., available) postage and manages the dispensing of that postage on a piece by piece basis. This type of postage dispensing system design brings with it the requirement for stringent and costly security measures at each user's site.
The present invention is based in part on the observation that standard USPS security and operational requirements make it not cost-effective to maintain postage balances and indicia generation at the local user level. Rather, in accordance with
the present invention, these secure operations are removed completely from the end user's environment and instead accomplished at either a postal Vendor's site (e.g., Pitney Bowes) or at the agency's site (e.g., the USPS, or the UK Royal Mail). A
secure communication between the user and a secure central site would occur just prior to the creation of each and every mail piece. A much less frequent mode of communication would also occur when the user requests an increased postage balance, which
is maintained at the central site. As a result, all operations requiring compliance with standard postal security requirements would be performed at secure central sites, eliminating most of the security overhead costs that have to date made the use of
desktop computer-based postal dispensing systems impractical.
SUMMARY OF THE INVENTION
A system for electronic distribution of postage includes at least one secure central computer for generating postal indicia in response to postage requests submitted by end user computers, and at least one postal authority computer system for
processing the postal indicia on mail pieces. A key aspect of the system is that all secure processing required for generating postal indicia is performed at secure central computers, not at end user computers, thereby removing the need for specialized
secure computational equipment at end user sites.
A typical secure central computer includes a data processor; and a database of information concerning user accounts of users authorized to request postal indicia from the secure central computer. A request validation procedure authenticates
received postage requests with respect to the user account information in the database. A postal indicia creation procedure applies a secret encryption key to information in each authenticated postage request so as to generate a digital signature and
combines the information in each authenticated postage request with the corresponding generated digital signature so as to generate a digital postage indicium in accordance with a predefined postage indicium data format. A communication procedure
securely transmits the generated digital postage indicium to the requesting end user computer.
Each end user computer typically includes a data processor and a communication procedure for sending postage requests to a secure central computer at which a user account has been established, and for receiving a corresponding digital postage
indicium. A postage indicium printing procedure prints a postage indicium in accordance with the received digital postage indicium. Each postage request will typically include a user account identifier that identifies a previously established user
account, a source address identifier indicating where a mail piece is to be mailed from, a destination address identifier indicating where the mail piece is to be mailed to, authentication information for authenticating that the postage request is from
an end user associated with the specified user account identifier, and data concerning the package size and/or weight sufficient to determine an amount of postage required for the mail piece. Each digital postal indicia will typically include data
representing the user account identifier, source address identifier, and destination address identifier in a corresponding one of the postage requests.
In a preferred embodiment, to avoid the need for digital signature certificates, a unique key identifier is assigned to each secret encryption key used to create the digital signatures in postal indicia, and each generated digital postal indicium
includes data representing the key identifier of the secret encryption key used to generate the digital signature in that digital postal indicium.
Each postal authority subsystem typically includes a data processor and a database of information concerning the user accounts. A postal indicium validation procedure authenticates the postal indicium on each mail piece. The validation
procedure includes instructions for decrypting the digital signature in the postal indicium using a decryption key corresponding to the key identifier in the postal indicium.
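The end-to-end flow of the claims and the summary above, as an added example that is not the patent's own code: the secure central computer authenticates a postage request against its account database, applies one of a plurality of secret keys selected by a key-assignment rule, and emits an indicium whose clear portion carries the key identifier; the postal authority reads that identifier, looks up the corresponding key and verifies the signed portion without needing a certificate. The patent's secret-key "digital signature" is stood in for here by an HMAC-SHA256 tag (a keyed MAC that the key holder recomputes rather than decrypts); the key-assignment rule, the postage rate table, the field layout and every account and key value are constructed assumptions.

```python
"""Added example modelling the claimed flow: the secure central computer authenticates
a postage request, applies one of several secret keys chosen by a key-assignment rule,
and emits an indicium whose clear portion carries the key identifier; the postal
authority uses that identifier to look up the key and verify the signed portion.
The patent's secret-key "digital signature" is stood in for by an HMAC-SHA256 tag;
the key-assignment rule, rate table, field layout and all records are constructed."""
import hashlib
import hmac
from dataclasses import dataclass

# Plurality of secret keys, each with a unique key identifier (constructed values).
SECRET_KEYS = {"K01": b"constructed-secret-key-01", "K02": b"constructed-secret-key-02"}

# Account database held at the secure central computer (constructed record).
ACCOUNTS = {"ACCT-1001": {"auth_secret": b"user-1001-shared-secret", "balance_cents": 500}}

# Constructed placeholder rate table: first ounce plus each additional ounce, in cents.
FIRST_OUNCE_CENTS, EXTRA_OUNCE_CENTS = 32, 23


@dataclass
class PostageRequest:
    account_id: str
    source_zip4: str
    dest_zip4: str
    weight_oz: int
    auth: str  # hex HMAC over the other fields, keyed with the account's auth secret


def request_body(account_id, source_zip4, dest_zip4, weight_oz):
    return f"{account_id}|{source_zip4}|{dest_zip4}|{weight_oz}".encode()


def make_request(account_id, auth_secret, source_zip4, dest_zip4, weight_oz):
    """End-user side: the authentication information is an HMAC over the request fields."""
    body = request_body(account_id, source_zip4, dest_zip4, weight_oz)
    tag = hmac.new(auth_secret, body, hashlib.sha256).hexdigest()
    return PostageRequest(account_id, source_zip4, dest_zip4, weight_oz, tag)


class SecureCentralComputer:
    """Holds the indicium keys and balances; no secret key ever leaves this side."""

    def __init__(self):
        self.serial = 0  # piece serial number, unique per indicium issued

    def validate(self, req):
        """Request validation: the account must exist and the auth tag must verify."""
        acct = ACCOUNTS.get(req.account_id)
        if acct is None:
            return None
        body = request_body(req.account_id, req.source_zip4, req.dest_zip4, req.weight_oz)
        expected = hmac.new(acct["auth_secret"], body, hashlib.sha256).hexdigest()
        return acct if hmac.compare_digest(expected, req.auth) else None

    def assign_key(self, account_id):
        """Constructed key-assignment criterion: spread accounts across keys by a hash."""
        ids = sorted(SECRET_KEYS)
        digest = hashlib.sha256(account_id.encode()).digest()
        return ids[digest[0] % len(ids)]

    def create_indicium(self, req):
        acct = self.validate(req)
        if acct is None:
            raise PermissionError("postage request failed authentication")
        amount = FIRST_OUNCE_CENTS + EXTRA_OUNCE_CENTS * max(req.weight_oz - 1, 0)
        if acct["balance_cents"] < amount:
            raise ValueError("insufficient postage balance")
        acct["balance_cents"] -= amount
        self.serial += 1
        key_id = self.assign_key(req.account_id)
        # Clear portion: key id first, so a validator can find the key without a certificate.
        clear = f"{key_id}|{req.account_id}|{self.serial:08d}|{req.source_zip4}|{req.dest_zip4}|{amount}"
        sig = hmac.new(SECRET_KEYS[key_id], clear.encode(), hashlib.sha256).hexdigest()
        return f"{clear}|{sig}"  # text payload the end-user PC encodes into the bar code


def validate_indicium(indicium, key_table=SECRET_KEYS):
    """Postal authority side: read the key id from the clear portion, look the key up, verify."""
    clear, sep, sig = indicium.rpartition("|")
    fields = clear.split("|")
    if not sep or len(fields) != 6:
        return False, "malformed indicium"
    key = key_table.get(fields[0])
    if key is None:
        return False, f"unknown key id {fields[0]}"
    expected = hmac.new(key, clear.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    return True, {"key_id": fields[0], "account": fields[1], "serial": fields[2],
                  "source_zip4": fields[3], "dest_zip4": fields[4], "amount_cents": int(fields[5])}


def demo():
    central = SecureCentralComputer()
    secret = ACCOUNTS["ACCT-1001"]["auth_secret"]  # the end user knows its own secret
    req = make_request("ACCT-1001", secret, "94105-2201", "10001-0001", 2)
    indicium = central.create_indicium(req)
    ok, info = validate_indicium(indicium)
    # Altering the printed amount breaks the signature even though the key id is still valid.
    tampered_ok, reason = validate_indicium(indicium.replace("|55|", "|999|"))
    return ok, info, tampered_ok, reason


if __name__ == "__main__":
    print(demo())
```

The key identifier travels in the clear so that a validator holding the key table can verify any indicium without a certificate, which is the point of the preferred embodiment above; the secret keys themselves exist only at the central computer and the postal authority, never on the end user's PC.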
BRIEF DESCRIPTION OF THE DRAWINGS
Additional objects and features of the invention will be more readily apparent from the following detailed description and appended claims when taken in conjunction with the drawings, in which:
FIG. 1 is a block diagram of a desktop computer-based postage dispensing system as taught in U.S. Pat. No. 5,319,562.
FIG. 2 depicts a facsimile of a test mail piece created on a personal computer and mailed by officials of the USPS on Sep. 12, 1996.
FIG. 3 depicts a postage dispensing system design consistent with methodology of both conventional meters and the PC-based meter described in U.S. Pat. No. 5,319,562.
FIG. 4 is a block diagram of a secure postage dispensing system in accordance with the present invention.
FIGS. 5A and 5B are a flow chart depicting steps performed by a postage request verification procedure and postal indicium generation procedure in a preferred embodiment of the present invention.
FIG. 6 is a flow chart depicting a postal indicium transaction in accordance with the present invention.
FIG. 7 depicts a postal authority computer system in accordance with the present invention.
FIG. 8 is a flow chart depicting the postal indicium validation procedure performed by a postal authority system in a preferred embodiment of the present invention.
DESCRIPTION OF THE PREFERRED EMBODIMENTS
While the present invention is described below with reference to a few specific embodiments, the description is illustrative of the invention and is not to be construed as limiting the invention. Various modifications may occur to those skilled
in the art without departing from the true spirit and scope of the invention as defined by the appended claims.
FIG. 4 shows a distributed postage generation system 100 in accordance with a preferred embodiment of the present invention. One or more secure central computers 102 are used as the principal devices for generating postage indicia for many users,
who use desktop computers 104 (herein called PCs) to receive the postage indicia and print mail piece labels 105 that each include a corresponding digital postage indicium 107 received from one of the secure central computers 102. The customer PCs
contain conventional computer hardware, including a user interface 106 with a printer 108, a data processor (CPU) 110 for executing programs, a communication interface 112 such as a modem, LAN connection, or Internet connection, for handling
communications with one of the secure central computers 102, and local memory 114. The user interface 106 may also include a scale 116 for weighing mail pieces, or a separate scale may be used to provide mail piece weight information.
Local memory 114, which will typically include both random access memory and non-volatile disk storage, preferably stores a set of mail handling procedures 120, including:
message encryption and decryption procedures 122;
encryption keys 124 needed to send and receive messages from the secure central computer 102;
a communication procedure 126 for handling communications with the secure central computer 102;
an indicium printing procedure 128 for printing two dimensional barcode indicia corresponding to postage indicia messages received from the secure central computer 102; and
a local database 130 of information needed by the mail handling procedures, including local account balance information and transaction records representing all recent postage purchase transactions by the customer PC 104.
Each secure central computer 102 includes a data processor (CPU) 150 for executing programs, a communication interface 152 such as a bank of modems, a LAN connection, or an Internet connection, for handling communications with the customer PCs
serviced by the secure central computer 102, local memory 154, and a ZIP+4 or ZIP+4+2 database 156.
Local memory 154, which will typically include both random access memory and non-volatile disk storage, preferably stores a set of postage dispensing procedures 160, including:
a postage indicium request validation procedure 161 for validating requests from end user computers for postal indicia;
message encryption and decryption procedures 162;
encryption keys 164 needed to generate the digital signatures in postal indicia, and keys for secure communications with the postal authority computer system 180;
a ZIP+4 or ZIP+4+2 procedure 166 for generating a ZIP+4 or ZIP+4+2 value for each destination address specified in a postage request message received from any of the customer PCs;
an indicium generation procedure 168 for generating a sequence of bits representing a postage indicium corresponding to a destination address specified by a customer PC, including a procedure for digitally signing each postage indicium; and
a communication procedure 170 for handling communications with the customer PCs 104.
Local memory 154 in the secure central computer also preferably stores:
a customer database 172 of information about each of the user accounts serviced by the secure central computer 102; and
a transaction database 174 for storing records concerning each postage indicium generated by the secure central computer 102 and each postage credit transaction in which funds are added to a user account.
Each secure central computer 102 is also connected by the communication interface 152 to one or more postal service computers 180. The postal service computers 180, which are used to process mail pieces, need access to the databases in the
secure central computers when verifying the postage indicia on mail pieces. For instance, if the serial number on a mail piece is sufficiently different from the serial numbers on other mail pieces recently processed for the same meter, the postal
service computer may request a copy of the meter's recent postage purchase history to determine if the postal indicium on the mail piece being processed is authentic. More generally, if a postal indicium on a mail piece is determined to be fraudulent, or
is merely suspected of being fraudulent, the postal service computer may request data concerning the associated meter from the secure central computer 102 so that the fraud or suspected fraud can be further investigated.
Note that only mail handling software resides in each end user's computer 104. No secure hardware is used at the local site, no USPS ZIP+4 CD-ROM is required locally, and no communications port is consumed for a PSD. The secure computer 102 at
a central site contains all of the customer account information, current balances, a transaction log for each customer, details on each mail piece indicia dispensed, and encryption software and keys. Furthermore, the encryption procedures 122 required
for end user computers are relatively modest, because the encryption of client/server messages is used only to protect the privacy of those communications and is not used to protect the generation of postal indicia. This is an important distinction.
The secure central computer 102 generates postal indicia using secure mechanisms and transmits the resulting postal bit pattern to the end user's computer for printing on a mailing label or envelope. The encryption of client/server communications helps
to prevent casual theft of postal indicia and eavesdropping on the postal indicia requests being made, but nothing more.
In one preferred embodiment, the end user encryption procedures 162 include both public/private key encryption/decryption and symmetric key encryption/decryption capabilities. However, the public/private key encryption/decryption capability of
the end user encryption procedures 162 is used only for establishing and changing the session key associated with the end user computer's "meter" account. In particular, in one preferred embodiment the secure central computer 102 is configured to
periodically replace the session key for each meter account with a new randomly generated key. The new key is sent to the end user computer in a message that is encrypted with the end user computer's public key, and is decrypted by the end user computer
using the corresponding private key. Alternatively, though somewhat less securely, the new session key can be transmitted to the end user computer using a message encrypted with the previous session key, thereby avoiding the need for private/public key
encryption in the end user's computer.
In yet another alternate embodiment, the new session key can be generated by requesting the end user computer to generate a public/private key pair and to send the public key to the secure central computer. The end user computer and the secure
central computer can then both independently generate a new session key as a function of each computer's private key and the other computer's public key, using a well-known technique called "Diffie-Hellman" session key generation. The advantage of this
technique is that the end user computer only needs symmetric encryption/decryption software and key generation software for making public/private key pairs and session keys, but does not need public/private key encryption/decryption software.
In the preferred embodiments, the session key for each meter is replaced every K (e.g., 25) transactions, or after the current session key has been in use for more than a predefined period of time (e.g., a week), whichever is earlier.
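The Diffie-Hellman session key establishment and the replacement rule just described (every K = 25 transactions or after a week, whichever is earlier), as an added illustration that is not the patent's own code. The Diffie-Hellman group below is a toy choice made for this example, and the MeterSession bookkeeping class and its method names are this example's own.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group: a Mersenne prime used for illustration only (a
# constructed choice; a real deployment would use a vetted standard group).
P = 2**521 - 1
G = 5

def make_keypair():
    """Fresh private/public pair for one session establishment."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def derive_session_key(own_priv, peer_pub):
    """Diffie-Hellman: combine own private value with the peer's public value,
    then hash the shared secret down to a 256-bit symmetric session key."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer public value out of range")
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes((P.bit_length() + 7) // 8, "big")).digest()

class MeterSession:
    """Session-key bookkeeping for one meter account: the key is replaced
    after K transactions or after MAX_AGE seconds, whichever comes first."""
    K = 25
    MAX_AGE = 7 * 24 * 3600  # one week

    def __init__(self, key, now):
        self.key, self.established, self.count = key, now, 0

    def needs_rekey(self, now):
        return self.count >= self.K or now - self.established > self.MAX_AGE

    def note_transaction(self, now):
        """Call once per postage transaction; returns True when the key must be
        replaced before the next one."""
        self.count += 1
        return self.needs_rekey(now)

def establish(now):
    """Both sides generate a pair, exchange public values and independently
    derive the same session key. Returns (end_user_session, central_session)."""
    user_priv, user_pub = make_keypair()
    central_priv, central_pub = make_keypair()
    return (MeterSession(derive_session_key(user_priv, central_pub), now),
            MeterSession(derive_session_key(central_priv, user_pub), now))
```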
Because communication between the secure central computer 102 and the end user's computer 104 is required for each and every mail piece created, the communication requirements for this invention are substantially greater than those contemplated
in U.S. Pat. No. 5,319,562 and its subsequent USPS IBIP incarnation. However, as of 1997, there are a number of reasons to believe that a postage dispensing system with such communication requirements is viable:
1. The exponential growth of the World Wide Web (hereinafter called the "Web") and other parts of the Internet, as well as internal corporate Intranets, has greatly reduced the unit cost and overall complexity of an electronic communication
transaction. For instance, many PC users have unlimited dial-up access to the Internet at low flat monthly rates. Many corporations have networks with 24 hour gateways to the World Wide Web, so that each PC in the organization has instant access to
any Internet or Web resource.
2. Because of dramatically-improved networking infrastructure, most transaction-based computer programs are migrating to a "client-server" topology. That is, applications (and to some extent, business models) are being structured so that data
is being stored centrally on a "server". A host of authorized "clients" run a local program that draws upon data from the server as required. The only data transferred to and from a given client relates to the specific activity that the client is
undertaking.
3. Direct, automated telephonic connections between a user and a host server (via modem) are commonplace. A small mailer (say 10 pieces per day) could post each of her mail pieces with a simple 30 second phone transaction that was completely
automated. A typical call to a national 800 number indirectly costs $0.20/minute (i.e., the costs associated with the 800 number are indirectly passed on to end users). For that user, the added telephonic cost for her 10 mail pieces would be $2.00.
While this is a non-trivial surcharge, it is probably less than the cost imposed by a rented PSD device, the USPS requirement for local ZIP+4 verification (with attendant CD-ROM subscription), and the bureaucratic costs of tracking secure hardware in the
field, which must be passed on to the customer in transaction charges, monthly rental or software upgrades.
Data Stored by the Secure Central Computer
The data stored by th