EP0717379B1 - Method for improving the security from franking machines at a credit transfer - Google Patents

Description

The invention relates to a method for improvement the security of franking machines when transferring credit, especially for fund retransfer to Data center, according to the in the preamble of claim 1 specified type.

A franking machine usually creates an imprint right-justified in a form agreed with Swiss Post, starting parallel to the upper edge of the mail with the content of postage in the postmark, date in Daily stamps and stamp impressions for advertising slogan and if necessary, type of shipment in the election stamp. The post value that The date and the type of shipment form the corresponding ones variable information to be entered into the item of mail.

The post value is usually that of the sender prepaid transportation fee (franking), the one taken from the refillable credit register and at Postage is used. In contrast For this purpose, a register is opened in the current account procedure Dependence on those made with the post value Frankings only counted up and in regular Intervals, read by a postal inspector.

In principle, every franking made must be billed and any manipulation that leads to an unpaid Franking leads must be prevented.

A known franking machine has at least one Input means, an output means, an input / output control module, a program, data and in particular the storage device carrying the accounting register, a control device and a printer module. With a printer module with print mechanics Measures are also taken so that when switched off Condition the print mechanics not for unpaid Imprints can be misused.

The invention relates to a method for franking machines, which generated a fully electronic impression Franking of postal items including reprinting one Deliver advertising clichés. The result is that only a non-billed valid one when switched on Franking must be prevented.

In a franking machine known from US 4,746,234 are fixed and variable information in Storage means (ROM, RAM) are stored, then if a letter is on the transport path before the print position actuated a microswitch by means of a Microprocessor read out and around a pressure control signal to build. Both are then electronically one Print image composed and can by thermal transfer printing medium on one to be franked Envelope can be printed out.

A method of controlling the printing a postage stamp image in columns proposed a franking machine EP 578 042 A2, which is separated from each other in graphical Pixel image data converted fixed and variable data during column printing. It would therefore be difficult without great and expensive effort to manipulate the pressure control signal, when printing at a high speed he follows.

On the other hand, the storage device comprises at least a non-volatile memory device that currently contains remaining credit, which results from that from earlier into the franking machine loaded credit of the respective postage value to be printed is subtracted. The franking machine is blocked, if the remaining balance is zero.

Known franking machines contain at least one Store three relevant postal registers for total value used (increasing register), still available balance (falling register) and Register for a checksum. The checksum is with the sum of the total value used and available credit compared. That is one Verification of correct billing possible.

It is also possible from a data center recharge information via a remote value specification to transfer the franking machine to the Register for the remaining credit (residual value) a credit reload. It goes without saying that for this suitable security measures must be taken, the credit stored in the franking machine not be increased in an unauthorized manner can. The above solutions against abuse and Protecting attempts at counterfeiting requires one additional material and time expenditure.

From US 48 64 506 it is known that when the value of Credit in the falling register below a threshold lies and a predetermined time is reached, a Communication to the remote data center from the Franking machine is included.

From the above Patent is also known that the data center for receiving register data and for checking, whether the franking machine is still connected to a specific one Telephone number is connected - the connection with the franking machine after a defined period of time picks up and the franking machine only to predetermined Times answers.

According to the above Patent also provided before a Credit reloading into the franking machine, for Authorization through the data center Identity number of the franking machine and the values in the query falling and rising registers.

Furthermore, from the above Patent known that the Communication of the data center with the franking machine not just transferring credit to the Postage meter needs to remain limited. Much more If the franking machine is deregistered, the Communication of the data center with the franking machine for transferring the remaining credit of the franking machine used in the data center. The value in the falling The postal register of the franking machine is then zero, which effectively takes the franking machine out of operation.

A security housing for franking machines, which has internal sensors, is from DE 41 29 302 A1 known. The sensors are especially with a battery connected switches, which when opening the safety housing to be active to the remaining credit storing memory (falling postal register) by interrupting the energy supply Clear. As is well known, it is not predictable which state a voltage-free memory chip when the voltage returns. So could there is also an unpaid higher remaining balance. On the other hand, it cannot be ruled out that in the above way, the residual value balance at least partially discharged. But that would be one Inspection disadvantageous, because the residual value which had been paid by the franking machine user, too the amount of this remaining credit must be reloaded however by the above Influences are falsified can. Finally, the description cannot be seen how to prevent a manipulator restores an unpaid remaining balance.

In known franking machines FM, there are already others Safety measures such as breakaway screws and encapsulated shielded safety housing known. Common are also keys and a combination lock for access to complicate on the franking machine.

In US 4,812,994 an unauthorized access is said a use of the franking machine beyond by blocking the franking machine in the event of incorrect entry a predetermined password can be prevented. In addition, the franking machine can be password and corresponding input via keyboard set be that franking only during a predetermined time interval or times of day possible is.

The password can be obtained through a personal computer MODEM, through a chip card or manually in the Postage meter can be entered. After positive Comparison with one in the franking machine The franking machine will save the saved password Approved. In the control module of the accounting unit a safety module (EPROM) integrated. As another Security measure is an encryption module (separate microprocessor or program for FM CPU based on DES or RSA code) provided the one the postage value, the subscriber number, a transaction number and similar comprehensive identification number generated in the franking stamp. With enough criminal energy could also be a password researched and owned together with franking machine of a manipulator.

It is already a remote inspection system in US 4,812,965 have been proposed for franking machines, which is based on special messages in the imprint of Mail items that have to be sent to the head office or based on a remote query via MODEM. Sensors Within the franking machine, each one should be made Detect falsification act, so in related Save a flag can be set, if in the Franking machine intervened for manipulation purposes has been. Such an intervention could be done to a to load unpaid credit into the register.

If a manipulation is found, the franking machine during remote inspection via modem a signal emanating from the data center is blocked. Skillful manipulation could on the other hand consist of producing after billing Franking imprints, the flag and the registers to restore it to its original state. A such manipulation would be via remote inspection by the Data center not recognizable if this reverses manipulation before the remote inspection. Also the receipt of the postcard from the data center which is a franking to be made for inspection purposes the manipulator is allowed to Franking machine in sufficient time in the original Reset state. So that's still no higher security can be achieved.

The disadvantage of such a system is that cannot be prevented that a sufficiently qualified Manipulator, which in the franking machine collapses, its traces left behind fixed by clearing the flags. Can too this does not prevent the impression itself is manipulated, which by a properly operated machine is manufactured. At acquaintances There is the possibility of a manufacturing machine of prints with zero postage. Such Zero frankings are required for test purposes, and could also be falsified by adding a Postage value greater than zero is simulated.

A security imprint according to FP's own European one Patent application EP 576 113 A2 sees symbols in one Marking field in the franking stamp in front of the one contain cryptified information. This allows the postal authority, which is connected to the data center interacts from the respective security imprint detection of tampering with the Franking machine at any time. Is an ongoing control of such with a Postcards provided with a security imprint corresponding security markings in the stamp image technically possible, but that means one additional effort in the post office. With one on Random control, but will be a Manipulation is usually found late.

On the other hand, an additional evaluation can be carried out in the data center regarding a user of a franking machine, by the user beyond the inspection date continued to operate. However, so far this information is not yet a forgery manipulation can be concluded.

In US 4,251,874 a mechanical printing unit, that must be preset for printing with a Detector device used to preset monitor. Also in the electronic billing system Means for detecting errors in data and Control signals provided. Reaches this number of errors a predetermined value, the further operation of the Franking machine interrupted. The sudden failure the franking machine is for the franking machine user disadvantageous. With a non-mechanical On the other hand, the printing principle is hardly any such internal Errors are to be expected and if there is a serious error switch off the franking machine immediately anyway anyway. In addition, security against one Manipulation of the franking machine is hardly any bigger, by the postage meter according to a predetermined Number of errors is switched off.

A franking machine is known from US Pat. No. 4,785,417 a program sequence monitoring known. The correct one The course of a larger program is carried out using a Special codes assigned to each program section checked that when the program part was called in a specific memory cell is stored in RAM. It is now checked whether the in the aforementioned Memory cell stored code in the currently running Program part is still available. Would at one Manipulation of the run of a program part interrupted and another part of the program is running such control question an error can be found. The comparison can only be carried out in the main process become. Secondary processes, for example security-relevant Calculations made by several main processes can be used by such monitoring but not checked for the execution of the program part because the program control is independent of the The program runs. Is allowed on the basis of Program parts and secondary processes manipulated in such a way that secondary processes are also integrated into main processes or be omitted from the latter or on secondary processes is branched, then no error would be found because neither the length of the program part determined, can still be determined which Program branch how often was run.

Another type of expected manipulation is that Reloading the franking machine register with a not billed credit value. This results in the requirement secure reloading. An additional Safety measure is the comparison according to US 4,549,281 an internal one in a non-volatile register stored fixed combination with an entered external combination, after a number of failed attempts, i.e. Non-identity of the combinations that Franking machine using escapement electronics is blocked. According to US 4,835,697 can prevent unauthorized access to the franking machine the combination can always be changed.

From US 5,077,660 is also a method for Change in the configuration of the franking machine is known, the franking machine by means of suitable input Using a keyboard from the operating mode to a configuration mode switched and a new meter type number can be entered, which of the desired number corresponds to characteristics. The franking machine generates a code for communicating with the computer Data center and the entry of the identification data and the new meter type number in the aforementioned computer, which also has a corresponding code for transmission and input generated in the franking machine, in the two code are compared. If they match with both codes the franking machine is configured and switched to the operating mode. The data center has thereby of the respectively set meter type for the corresponding franking machine always accurate records. However, security is solely from encryption the transmitted code depends.

In addition, EP 388 840 A2 is a comparable one Safety technology for setting one Postage meter is known to get this from data clean without the franking machine going to the manufacturer must be transported. Here too is the Security solely from the encryption of the transmitted Code dependent.

Secure reloading of a franking machine with a credit has already been made in US 3,255,439 on the one hand with an automatic signal transmission from the franking machine connected to the data center whenever a predetermined amount of funds franked or number of pieces of mail processed or a predetermined period of time has been reached. Alternatively can be one of the funds total, number of pieces or period of time corresponding signal are transmitted. Here communication takes place via binary signals connected to each other via a telephone line Converter. The machine receives an equally secured one Reload according to the credit balance and blocked in the case when no credit is replenished.

The transactions are known from US 4,811,234 encrypted and the registers of To query the franking machine and the register data of the Data center to transmit a temporal reference the reduction in the right of disposal stored in the register Amount. On the one hand identified the franking machine at the data center, when a preset threshold is reached is by means of its encrypted register content. On the other hand, the data center is modified by appropriate ones Authorization signals the desired franking amount, up to which postage can be paid. The encryption is the only security against a manipulation of the register status. So if a manipulator properly the same amount loads at the same time intervals, but in the meantime with the manipulated franking machine franked much higher amount than he paid the data center found no manipulation.

From EP 516 403 A2 it is known that in the past logged and stored in a memory Errors of the franking machine regularly to one removed fault analysis computer for evaluation transfer. Such a remote inspection allows one early warning of an error and enables further measures (service) to be taken. This alone does not offer a sufficient criterion for manipulation.

Communicates according to GB 22 33 937 A and US 5 181 245 the franking machine periodically with the data center. The franking machine permits a blocking means Expiration of a predetermined time or after a predetermined time Number of operation cycles, block and provides a warning to the user. To unlock an encrypted code must be entered from the outside which is encrypted with an internally generated Code is compared. To prevent that incorrect accounting data delivered to the data center will be in the encoding of the aforementioned Codes the billing data included. Disadvantageous is that the warning coincides with the blocking of the Franking machine takes place without the user Possibility to act accordingly in time to change.

A franking machine is known from US Pat. No. 5,243,654. where the current delivered by clock / date block Time data compared with stored decommissioning time data become. Is the saved shutdown time reached by the current time, the Franking machine deactivated, i.e. printing prevented. When connecting to a Data center, which the accounting data from the reading the rising register, the franking machine an encrypted combination value is transmitted and set a new deadline, causing the franking machine is made operational again. Here is the Amount of consumption representing the postage used contains summed and read from the data center is also part of the encrypted transmitted Combination value. After decryption of the combination value becomes the total consumption amount separated and with that stored in the franking machine Amount of consumption compared. Is the The lock on the franking machine is a positive comparison automatically canceled. With this solution achieved that the franking machine at Data center reports periodically to billing data to transfer. However, they are cases of use conceivable where the amount of mail to be franked fluctuates (Seasonal operation). In these cases it would be disadvantageous Way the franking machine blocked unnecessarily often become.

From US 4,760,532 a postal handling system with postage transfer and billing capability is known. Information is transmitted to the data center via telephone using the touch-tone process that is common in the USA. The operator can transmit a number by pressing a corresponding key on the telephone. Information from the data center is transmitted to the operator by means of a computer voice, who has to enter the transmitted values into the franking machine. For fund retransfer, the transfer of a negative postal find to a postal device is provided in a first step for establishing communication with a central station. The central station monitors the total amount of mail (residual value credit) that is stored in the mail device. In a second step, the aforementioned central station is supplied with information relating to a desired change in order to reduce the total amount of postage values available in the aforementioned postal device and with a clear identification regarding the aforementioned postal device. A third step includes receiving from the central station and inputting a first unique code into the aforementioned postal device, the input being operated to reduce the total amount of postal values stored in the postal device in accordance with the aforementioned request. And in the fourth step, generation of a second unique code is provided in the postal device when the first unique code has been entered in the postal device, the second unique code providing an indication such that the aforementioned postage value is available for printing on the mail , has been reduced in the aforementioned postal device.
However, if the transmission is disrupted or interrupted, no first code is received from the data center and the fund in the franking machine would remain unchanged, while a chargeback has already been made in the data center. For checking purposes, the register statuses of the franking machine could of course be queried in order to compare them with those stored in the data center. It is feared that a potential manipulator would fail to do so. In US 4,760,532, the transmission of the aforementioned second unique code to the central station is provided as the final method step. Under the conditions of the touch-tone procedure, it is again necessary to press numeric keys, which is cumbersome with multi-digit codes and usually does not result in input errors. There is also provision for the data center to generate a third unique code in order to transfer the retransferred credit to another franking machine. The responsible authority can thus be damaged by errors during the transmission. Thus, the same question arises with the positive and negative remote value specification, namely how to synchronize the data in the central and franking machine in a simple manner.

The task was to solve the disadvantages of the stand the technology to overcome and a significant Security in the transfer of credit increases guarantee.

Here, between authorized action (service technician) and unauthorized action (intention to manipulate) distinguished and the security against manipulation increase. Another job is that Security when communicating with the data center improve when data in both directions be transmitted.

The object is achieved with the features of claim 1, solved.

The solution according to the invention is based on the one hand on the Realization that only centrally in a data center stored data sufficient before manipulation can be protected. A significant increase in Security and synchronicity in the stored data is predetermined by reporting data before each Action on the franking machine reached. Likewise increases that in more or less large intervals reports, especially for reloading a Credit in connection with the above Logging the security against possible manipulation. The data to be stored centrally include at least Date, time, identification number of the franking machine (ID number or PIN) and the type of data (e.g. Register values, parameters) if the franking machine starts communication with the data center. For the purpose of pre-synchronization of the franking machine data with the data of the data center can specific default request for a first transaction be used.

On the other hand, to increase security Distinguish between authorized actions (service technicians) and unauthorized action (intention to manipulate) by means of the control unit of the franking machine in conjunction with steps for executing a negative remote value specification for retransmission of a Credit value in the data center, whereby the Franking machine a default request to the data center transmitted and there and in the franking machine is saved.

The control unit of the franking machine checked whether with predetermined actuating means defined procedure for entering the site Special mode for negative remote value specification made and a predetermined timing during the negative Remote value specification was complied with, and if so further steps for automatic execution of communication must be carried out in order to Retransmission to complete if the previous ones Steps to execute a negative remote value specification interrupted or faulty to the franking machine encrypted data was transmitted.

According to the invention, communication takes place between Franking machine and data center with at least encrypted Messages, preferably the DES algorithm is used.

The franking machine thus points to the task at least two special modes. A first fashion is provided to deal with fraudulent acts or Intention to manipulate the franking machine at franking with postage values to prevent (kill mode). This inhibition can be carried out at the next inspection on site by of an authorized person. The Postage meter has another fashion to The franking machine fulfills selected criteria for automatic communication with the To initiate data center. With such a Another fashion is according to the invention Special mode negative remote value transmission or by one second (sleeping) mode. After completing the special mode is only for checking the franking machine a limited number of ZERO frankings possible. If the intended number of pieces is used up, automatic communication with the Data center triggered, which is thus informed and learns relevant register data. The franking machine is inhibited in sleeping mode. By the interaction of at least two aforementioned modes security in the handling of credit, which are loaded into or out of the franking machine Data center are to be retransmitted fraudulent manipulation.

In a first variant, security is through a predetermined operating sequence during switching on the franking machine for a side entry into achieved the special mode negative remote value specification and later when the postage meter communicates recorded by encrypted transmission Messages during two transactions. in the The result of a first transaction becomes a predetermined one Default request in the data center and in the Franking machine saved. It is therefore no longer necessary during a second transaction to transmit the saved default request again. As a result of the second transaction, a corresponding one Default value from the content of the Descending Register subtract or add a negative value added so that a zero credit in the franking machine saved.

However, if it is different from the predetermined one Operating sequence while switching on the franking machine for a side entry into the special mode negative remote value specification selected, which is prohibited switches the franking machine in the aforementioned first fashion, the franking machine for franking blocked with a postage value (kill mode).

If necessary, to increase the security against manipulation the authorized operator (service technician) from the data center one earlier reported side entry into the special mode negative Remote value specification changed. The future one Operating sequence can be in connection with at least one Transaction during a positive or negative At least some of the remote values are transmitted.

An authorized operator of the franking machine, preferably the service technician leads to the side entrance a negative remote value specification in the special mode predetermined operating action, which in addition to Service technicians only known to the data center is. A special flag is set, which as special transaction request is evaluated.

Monitoring by the control unit of the franking machine while executing a transaction in Special mode ensures that if it remains incomplete Transaction the transactions in special mode negative Remote value specification to be carried out until the end. At Completed transaction in special mode becomes the special flag reset.

In addition, there is time monitoring by the control unit the franking machine during the execution of a Transaction in special mode, which occurs when the time is exceeded or in the event of an unfinished transaction take effect to complete the transaction.

The time is also monitored by the Data center when a transaction in special mode negative remote value specification is made. The Register data of the franking machine are central can be checked if a connection to the A remote value specification is carried out, for example to top up a credit. Either takes if the transaction remains incomplete, the franking machine automatically reconnects to the To complete the transaction or the authorized Service technician hands over to the data center by End of day a message about the current status the franking machine for the purpose of canceling the im Special mode negative remote value mode transmitted data. Otherwise the time monitoring on the part of Data center after the predetermined time period has expired, a recognition of the negative in special mode Remote value specification transmitted data.

In a second variant, security is through a check of the operating sequence for compliance with a predetermined operating sequence in the franking machine and by checking the default request in the data center in accordance with one stored there Code for a predetermined default request elevated. It is possible to change the operating sequence depending on the time to change, being in the data center and in the Franking machine the same calculation algorithm is used to create a current operating sequence determine. A transfer of a valid operating sequence from the data center to the franking machine it becomes superfluous.

In a third variant, security is through a combination of a number of measures increases. In a first transaction is distinguishable Log in to the data center. This is transmitted in In response, a new security flag X and / or a predetermined operating procedure for a side entry in the special mode negative remote value specification for Postage meter if the postage meter machine is switched on normally was and the communication link records, in a first transaction a predetermined Default request in the data center and in the franking machine has been saved. In the data center it is checked whether the transmitted default request corresponds to a predetermined default request. In the first transaction, for example, a new one Code word or security flag and / or operating sequence transmitted to the franking machine and in a second Transaction, the registered transaction is carried out and a default value according to the default request in the corresponding memory of the franking machine and also to check the transaction in one corresponding memory of the data center added.

For a side entry into the special mode negative The service technician must specify the remote value for the operating sequence while the franking machine is switched on as it was transmitted from the data center, be carried out, i.e. at the same time as switching on a certain key combination has to be pressed.

In the second transaction, the Franking machine - according to the corresponding default value - With a negative credit, so that in The result is a residual credit of zero.

The solution according to the invention also assumes that the funds stored in the franking machine protected against unauthorized access have to. Adulteration in the franking machine stored data is so difficult that the effort for a manipulator is no longer worth it.

Commercial OTP processors (ONE TIME PROGRAMMABLE) can all safety-relevant program parts in Inside the processor housing, also the Code for forming the message authentication code (MAC). The latter is an encrypted checksum, that is attached to information. As a crypto-algorithm is, for example, Data Encryption Standard (DES) suitable. This allows MAC information to be displayed the relevant safety and special flags respectively attach the register data and thus the difficulty manipulation of the aforementioned flags or Increase postal registers to a maximum.

The procedure to improve the security of a Franking machine, which is used for communication with a remote data center is capable and a microprocessor in a control device of the franking machine also includes forming one Checksum in the OTP processor about the content of the external Program memory and comparison of the result with a predetermined value stored in the OTP processor before and / or after the franking mode or operating mode has expired, especially during initialization (i.e. when the franking machine is started), or at times when there is no printing (i.e. when the franking machine is operated in standby mode).

In the event of an error, logging and subsequent blocking of the franking machine.

To improve the security of franking machines a distinction is made between manipulation non-manipulated and manipulated operation of a Franking machine by means of the control device by monitoring of the duration during an operating mode the execution of programs, program parts or security-relevant routines are carried out and by an after the end of programs, program parts subsequent safety-related routines the measured transit time with a given one Running time. This should also be used during communication fraudulent manipulation is prevented, in particular by one made in communication mode Monitoring compliance with a particular Timeout in special mode negative remote value specification. It will be the time from sending a third encrypted message from the franking machine until receipt of the data center Postage meter sent fourth encrypted Message in the franking machine, which during verification triggers a zeroing of the credit value, supervised. It is contemplated that a decremental Counter or an incremental counter is used to an exceeding of the time tl in the special mode as a sure indication of a failed transmission too detect and that a special subroutine is called, which means that the Special mode negative remote value specification prepared and automatically triggers so the first and second Transaction will be repeated automatically.

In a fourth variant, security is provided by a additional input security means increased, which is brought into contact with the franking machine in order to a remaining credit from an authorized person to transfer to the data center.

Figur 1,

Blockschaltbild einer Frankiermaschine,

Figur 2,

Ablaufplan nach der erfindungsgemäßen Lösung,

Figur 3a und 3b,

Darstellung der Sicherheitsabläufe der im Kommunikationsmodus befindlichen Frankiermaschine und Datenzentrum,

Figur 4,

Ablaufplan für den Frankiermodus nach einer bevorzugten Variante,

Figur 5,

allgemene Blockdarstellung eines Ablaufes mit zwei Transaktionen für das Nachladen mit einem Null-Guthabenwert,

Figur 6,

Blockdarstellung eines Ablaufes mit zwei Transaktionen für das Nachladen mit einem negativen-Guthabenwert,

Figur 7,

Ablaufplan zur Einspeicherung eines Sicherheits-Flags bzw. Codewortes nach der erfindungsgemäßen Lösung

Advantageous developments of the invention are characterized in the subclaims or are shown in more detail below together with the description of the preferred embodiment of the invention with reference to the figures. Show it:

Figure 1,

Block diagram of a franking machine,

Figure 2,

Flow chart according to the solution according to the invention,

3a and 3b,

Representation of the security processes of the franking machine and data center in communication mode,

Figure 4,

Flow chart for the franking mode according to a preferred variant,

Figure 5,

general block diagram of a process with two transactions for reloading with a zero credit value,

Figure 6,

Block representation of a process with two transactions for reloading with a negative credit value,

Figure 7,

Flow chart for storing a security flag or code word according to the solution according to the invention

Figure 1 shows a block diagram of each Franking machine according to the invention with a printer module 1 for a fully electronically generated franking image, with at least one of several actuators having input means 2, a display unit 3, and communication with a data center manufacturing MODEM 23, which has an input / output control module 4 coupled to a control device 6 and with a non-volatile memory 5 or 11 for the variable or the constant parts of the Franking image.

A character memory 9 supplies the necessary print data for a volatile working memory 7. The control device 6 has a microprocessor µP which with the input / output control module 4, with the character memory 9, with the volatile memory 7 and with the non-volatile memory 5, with a Cost center memory 10, with a program memory 11, with the motor of a transport or feed device if necessary with stripe release 12, an encoder (Coding disk) 13 and with a clock / date module 8 communicates. The individual stores can be in several physically separate or in not shown together in a few building blocks_ be realized realized by at least one additional measure, for example sticking on the PCB, sealing or potting with epoxy resin, are secured against removal.

FIG. 2 shows a flow chart for a franking machine with a security system according to a preferred one Variant of the solution according to the invention shown.

After switching on the franking machine in step Start 100 is then within a start routine 101 a functional test with subsequent Initialization done.

This step also includes several - in FIG. 7 illustrated in more detail - sub-steps 102 to 105 for Storage of a security flag or code word. With a step 103, if according to step 102 new security flag X 'in another predetermined one Storage location E of the non-volatile memory 5 exists, this new security flag X 'in the Memory location of old security flag X copied, if there is no longer a valid safety flag X there saved. The latter applies equally the case of an authorized as well as unauthorized Intervention, because with every intervention the old one Security flag X is cleared. Likewise, with a other unauthorized act, the security flag X be deleted (kill mode). If not a valid one Security flag X is stored more can in Franking mode 400 no more postage value can be printed. If no action is taken, no new code word is transmitted been. In this case it is not copied and after Step 104 remains the old security flag X in Get memory. Finally, with point s System routine 200 reached.

The system routine 200 comprises several steps 201 to 220 of the security system. In step 201, the Calling up current data, which is linked below with the invention for a second fashion, namely for the sleeping mode is executed. As in Figure 2 it is shown in step 202 whether the Criteria for entering sleeping mode met are. If this is the case, the process branches to step 203, by at least one warning by means of the display unit 3 display. According to the above In any case, steps will the point t reached.

If a prohibited side entry is found (Step 217), the aforementioned security flag X deleted. The safety flag X also act as a MAC-secured security flag, as well as an encrypted code. The verification the security flag X is valid, for example in step 409 of a franking mode 400 using a selected checksum procedure within a OTP processor (ONE TIME PROGRAMMABLE) carried out, the internally the corresponding program parts and also the code for forming a MAC (MESSAGE AUTHENTIFICATION CODE), which is why the The manipulator does not manipulate the type of checksum procedure can understand. Also other security-related ones Key dates and processes are only in the Saved inside the OTP processor, for example to get key data from the data center to Franking machine transmitted new key complete, so with the key data so completed messages are encrypted which can be transmitted to the data center. On the other hand, the same security-relevant allow Key data or processes a hedge about to put the postal register.

Another backup variant, which without OTP processor is difficult to find the key through its coding and partial storage in different memory areas. Again will be MAC to any information in the security Attached to registers. A manipulation of the Register data can be recognized by control over the MAC become. This routine is performed in step 406 Franking mode, which is shown in Figure 4. The difficulty of the manipulation can thus be dealt with increase the postal registers to a maximum.

If the check was successful in step 217, where a relevant deficiency identified and the safety flag X was deleted in step 209, the point e, i.e. the start of a communication mode 300 is reached and in a - shown in Figures 2 and 3a - Step 301 queries whether a transaction request is present. If this is not the case, the Leave communication mode 300 and point f, i.e. operating mode 290 reached. Have relevant data transmitted in communication mode, then is to To branch data evaluation to step 213. Or otherwise if in step 211 the non-transmission step 212 is determined branch. Now it is checked whether appropriate Inputs have been made to test request 212 in test mode 216, otherwise at intended registry check 214 into one Display mode 215 to enter. Is not that the case, the point d, i.e. the franking mode 400 reached.

In the event of tampering, step 213 becomes Statistics and error evaluation achieved. On the Step 213 enters display mode 215 and then branched back to the system routine. Locking can thus advantageously take place by the branching on the franking mode 400 no longer executed becomes. According to the invention it is further provided that in Step 213 carried out a statistical and error evaluation to get more current data, which after branching to system routine 200 in Step 201 can also be called, for example for a aforesaid second fashion or another Special fashion.

Between points s and t of system routine 200 can do a variety of other queries Fulfillment of further criteria for further modes lie. Further details regarding a query for a first mode, which is used to prevent printing or is used to lock the franking machine German application P 43 44 476.8, procedure for Improve the security of franking machines, too remove. In the event of an opening of the franking machine housing by authorized persons is one written or telephone registration in the data center proposed for authorized opening, which the opening date and time for the approximate opening date. Before that Franking machine can actually be opened communication with the data center via MODEM be included to request authorization to open and to load a new future code Y 'that the can replace old ones.

In contrast, however, the presence of the Safety flags X not between points s and t but only in step 409 in franking mode queried. This allows the service technician to go through Reload the new security flag X ' deleting the aforementioned flag then the restore the full functionality of the franking machine. This now also allows one, for example Check to see if an unauthorized Act actually to clear the security flag or code word, or whether the deletion Tampering has been prevented.

In the event of an authorized operation, the - in of FIG. 2 - step 217 recognized that none prohibited side entry was carried out. On allowed side entry for another entry was carried out, is not shown in Figure 2 been shown. However, such a query criterion is also provided for example in Step 212 to determine whether an operator action was made to get into a test mode. With the allowed side entry, which is not the right one Side entry for the special mode of a negative Remote value specification for the purpose of transferring funds back from Postage meter to the data center becomes a point The system routine 200 branches. Otherwise when entering the correct side to step 220 branches to a special flag for entry into the To set special mode. It is in a further form possibly a further query step 219 before the Step 220 provided to go with another criterion security against unauthorized access to the Special mode to increase further, if not of the criterion to point e of system routine 200 is branched. For example, the one in FIG query step 219 shown such another Query criterion whether the identification number (ID no. or PIN) was entered. Through the side entrance the security is already high enough so that in the interest of easier operation such additional additional criteria queries too can be dispensed with. Another possibility in that such a query step 219 shown in FIG query another criterion whether at least n times the same predetermined default request made and a the corresponding default value is added to the remaining credit value is also only optional and therefore drawn in dashed lines in FIG. Here it can is a NULL default request that leads to Transfer of a NULL default value leads to Residual value can be added without changing the height of the stored credit is changed.

To further increase security against manipulation, it is provided that the special flag set in step 220 N also a MAC-secured for the special mode Flag N is.

Security is additionally checked in the data center increased whether a predetermined Default request transmitted by the franking machine has been. It is envisaged that the transmitted Requirement specified in the data center as code to perform a very specific transaction. The transmitted default request can be in the data center be used as a code for a fund retransfer to allow. Otherwise, the transmitted Default request in the data center as code be evaluated, a transfer for a security flag To allow X or for an X code word.

FIGS. 3a and 3b show the Security processes of those in communication mode Franking machine on the one hand and the security processes the data center in communication mode on the other hand.

If the point e, i.e. the beginning of the explained below Communication mode 300 is reached in a step shown in Figures 2 and 3a 301 queried whether there is a transaction request. This can be used, for example, to top up your credit, Change of telephone number etc. be put.

The user selects the communication or remote value default mode the franking machine by entering the Identification number (eight-digit postage call number) on. It is now assumed, for example, that the Fund transfer back in the amount in the franking machine remaining residual value. Here the descending register is queried first R1, which contains the residual value saved. After the franking machine is switched off, the Reactivate a side entry into the special mode performed. After entering the identification number the entry is made with the Teleset key confirmed and the default request in the amount of the previously queried residual value entered. Through the side entrance the default request is automatically closed subtracting default value. The default request is activated by pressing the Teleset key (T key) approved. Because with every communication from the Data center can also be queried the residual value thus a comparison in the data center of both, i.e. of residual value and default request. Otherwise can in special mode the above entries for a preferred variant of the automatically Postage meter machine to be operated simplify.

Otherwise, for example, communication to load a new security flag X ', that can replace the old security flag X. Will only If such a transaction request is made, the The default amount must be changed, because in this case the credit in the franking machine of course not to be increased. On the other hand, another can Value other than zero can be agreed, especially one Value that corresponds to only a minimal amount by which the descending register value would have to be increased.

That part of the communication is shown in FIG. 3a represented a transaction with unencrypted Messages is made. Still, these can Messages contain data which are secured by MAC, for example the identification number of the franking machine.

In step 302, an input of the identification number (ID no.) And the intended input parameters done in the following way. With the ID no. it can the serial number of the franking machine, one PIN or PAN (postage call number) act by pressing by means of a predetermined T key on the input means 2 is acknowledged. Appears in the display unit 3 of the last remote value specification (reloading) used input parameters (default value), which is now by overwrite the input of the desired input parameter or is maintained. With the input parameter is a combination of numbers which in the data center is understood as a request, for example a new security flag or code word X 'to be transmitted if previously an authorization has been caught up. If the above is entered incorrectly The display can be input parameters by pressing a C key.

For example, a change is entered to at to load a transaction with the value zero, but no authorization to intervene is obtained beforehand. Thus the input parameter only serves as a new one Default value. However, neither the credit for Frankings increased in value if the input parameter has the value zero, a new security flag loaded. However, with every communication a Quantity S 'are transmitted, as is the German application P 43 44 476.8, procedure for Improve the security of franking machines, too can be seen.

Only through the previous notification, for example by means of a separate call to the data center or another form of communication, the data center notified that a new security flag X ' to be transmitted to the franking machine if then within a predetermined period of time on the part of the franking machine a transaction for the Value zero is started. The request for intervention only applies then as posed if after registering one authorized intervention in the franking machine in such a way agreed communication mode occurs.

Before that, however, any other input parameter agreed with the data center, takes place upon entry this input parameter except the transmission of a new security flags X 'according to the pre-agreed Codes of by the predetermined default request a reload of the credit is also formed according to the entered default value in the result a second transaction.

If a different input parameter than the one agreed entered, this only leads to the result Reloading in the amount of the selected new target amount, where in contrast to the other transaction data however, the default amount is not for the franking machine needs to be transmitted. Rather, the fact that a valid transaction has been verified for the Franking machine sufficient, an increase or Reduction of the descending register content by Specification amount according to the saved specification request to make.

If the desired input parameter is displayed correctly, this is done by pressing the predetermined T button again of the input means 2 confirmed. In the display unit 3 then a representation appears accordingly an input parameter change or according to the No change (old default value).

By pressing the predetermined T key, the Modification of the input parameter via MODEM connection started. The input is checked (step 303) and the further process runs automatically, the process accompanied by a corresponding ad.

To do this, the franking machine checks whether a MODEM is connected and is ready for use. Isn't that Case, a branch is made to step 310 to indicate that the transaction requests are repeated got to. Otherwise the franking machine reads the selection parameters, consisting of the selection parameters (Main / extension, etc.) and the telephone number the NVRAM memory area F and sends it with a Dial request command to the modem 23. Then the connection setup required for communication takes place via the MODEM 23 with the data center in a step 304.

In the figure 3a is also on the left half parallel process shown in the data center, which is necessary for communication. in the Step 501 is constantly checked whether there is a call in the Data center is done. If so, and that MODEM 23 has dialed the opposite side, takes place in Step 502 parallel the connection establishment also in the Data center. And in step 503 it is constantly monitored whether the connection to the data center was broken has been. If this is the case, an error message appears in step 513 a branch back to step 501.

In parallel, the step in the franking machine 305 monitors whether communication errors have occurred and optionally branched back to step 304 to on the part of the franking machine the connection again build up. After a predetermined number n unsuccessful Redials to establish a connection via a display step 310 to point e branched back. There was no ascertainable in step 305 Error before, is in step 306 on the part of the franking machine found that the connection is established and a transaction is pending, the step 307 branches to an opening message or identification, leader or register data to send. In the subsequent step 308, the same check as performed in step 305, i.e. in the event of a communication error branched back to step 304. Otherwise an opening message from the franking machine sent the data center. Among other things, the Postage call number to announce the caller, i.e. the franking machine included in the data center.

This opening message is in the data center in Step 504 checked for plausibility and on evaluated by then again in step 505 it is checked whether the data is transmitted without errors have been. If this is not the case, a Back to the error message in step 513. On the other hand, the data is error-free and in the data center it is recognized that the franking machine is a Has made requests for reloading, then in step 506 a reply message to the franking machine as a leader Posted. In step 507 it is checked whether in Step 506 including the header message Leader end has been sent. But it is not if so, the process branches back to step 513.

In the franking machine it is checked in step 309 whether from the data center now a leader as Reply message was sent or received. Is if not, will be displayed on the step 310 branched back and then on again Transaction requests queried in step 301. Has been received a leader and has the franking machine received an OK message, a occurs in step 311 Checking the preload parameters with regard to a Change phone number. If an encrypted parameter no phone number change has been transmitted before and it goes to step 313 in the Figure 3b branches.

The safety processes are shown in FIG. 3b the one in communication mode Franking machine and parallel to that in the Data center.

In step 313, the franking machine sends the Data center sent a start message encrypted. In step 314, the communication error message checked. There is a communication error the process branches back to step 304 and it another attempt is made to connect to the data center build up to encrypt the start message to send.

This encrypted start message is sent from the data center received if at step 506 the header message had been sent completely and in step 507 the leader end has been communicated. in the Step 508 checks in the data center whether this has received the start message and the data in Are okay. If not, the crotch 509 checks whether the error can be remedied. Is the Error cannot be corrected, go to step 513 branches after an error message from the Data center DZ to the FM franking machine in step 511 was transmitted. Otherwise, in step 510 performed an error handling and on the step 507 branches. At step 508, reception becomes more orderly The data center begins to detect data perform a transaction in step 511. in the aforementioned example will be at least the identification number by means of an encrypted message to the Transfer franking machine, which in step 315 the Transaction data received.

In the following step 316, the data is checked. If there is an error, the method branches back to step 310. Otherwise it takes place in the data center in Step 512 storing the same above Data like in the franking machine. In step 318 the transaction with the in the franking machine Data storage completed. Then becomes Step 305 branches back. Shouldn't be another Transaction is performed, step 310 is displayed and then reached step 301.

If no transaction request is made, will in step 211 according to FIG. 2 checks whether data have been transmitted. If data has been transmitted, step 213 is reached. According to the input request the franking machine places the current one Default request or the new code word Y 'or others Transaction data, for example in the memory area E the non-volatile memory 5.

If an input parameter in step 302 is a entered a combination of numbers other than zero and the Entry was OK (step 303), a connection is established (Step 304). And if without errors (Step 305) a connection is established (Step 306), an identification and leader message sent to the data center. In this The opening message is again also the postage call number PAN to identify the franking machine included in the data center. The data center recognizes from the entered number combination, if the data is error-free (step 505), that in the Franking machine, for example, a credit with a Default value should be increased.

Has now become the current phone number of the Data center changed, measures must be taken be saved in the franking machine becomes. Then in step 506 the data center a reply message with the elements change the phone number and current phone number are unencrypted Posted. The franking machine that this Receives message, recognizes in step 311 that the phone number should be changed. Now it becomes a step 312 branches to the current phone number to save. Subsequently, step 304 branched back. Is the connection still established and a communication error does not exist (305), is Step 306 then checked to see if there was another Transaction should take place. If that is not the case, the method branches to step 301 via step 310. The transmission of the telephone number can also be MAC-secured respectively.

After saving the current phone number the franking machine automatically builds a new one Connection to the data center with the help of new phone number. The actual, by the user intended transaction, a remote value requirement of the new security flag X 'or a transmission of a Encrypted message suitable for verification for reloading the residual value credit according to a The default request is thus automatic, i.e. without one further intervention by the user of the franking machine, carried out. A appears in the display appropriate notification that due to the Phone number change will automatically reconnect the connection is built up.

It is envisaged that after an intervention, the franking machine controlled in the communication mode 300 becomes. The authorized person can also use the data center Submit the completed review afterwards. A Communication can be a phone number storage, as also a credit reload or fund retransfer include. Without interrupting communication so multiple transactions are carried out.

Should the amount of credit to be reloaded in the remain the same height as the last Credit reload, only one transaction is necessary.

Should the amount of credit to be reloaded two transactions are required. Both transactions are carried out in a comparable way.

A successful transaction runs as follows:

The franking machine sends your ID number and one Default value for the amount of the desired Reload credit together with a MAC to the Data center. This checks such a transmitted Message against the MAC, then also a MAC-secured OK message to the franking machine send. The OK message does not contain the default value more.

It is envisaged that the submission of a new one Security flags X 'or relevant data for one Change in the amount of credit in the franking machine in encrypted form, but the transmission of Telephone number in unencrypted form. However MAC protection is also possible. Is in the data center found that the connection to Postage meter has been released (step 503) or incorrect data (505) or unrecoverable errors (509) or no leader has been sent (507), communication is ended. After a Error message occurs when the communication connection is released, storing the transmitted data and their evaluation in step 513 by the data center.

During a first transaction, at least one encrypted message to the data center as well Franking machine transmitted. The default request is only in the encrypted message of the first transaction contain. Every transmitted message, which security-relevant Transaction data is encrypted. As an encryption algorithm for the encrypted messages is, for example, the DES algorithm intended.

A transaction request results in the franking machine to a specially secured credit reload. Preferably the outside of the processor is secured in the cost center memory 10 postal register also during the credit reload using a time control. Will the franking machine for example observed with an emulator / debugger, then it is likely that the communication and Billing routines not within a predetermined one Time is running out. If so, i.e. who need routines considerably more time, becomes part of the DES key changed. The data center can do this modified key during a communication routine determine with register query and then report the franking machine as suspect as soon as in accordance with Step 313 an encrypted start message is sent becomes.

In the data center, step 509 determines that the error cannot be remedied. The data center cannot then carry out a transaction (step 511), because branching back to step 513. Because in the Postage meter machine received no data in step 315 the transaction was not successful (Step 316). Then, step 310 opens up branched back to step 301 for a display to recheck whether a transaction request continues is provided.

If this is not the case, the communication mode Leave 300 and point f, i.e. the operating mode 290 reached. Thus, in the case discussed above, with modified DES key, no data transmitted (step 211). It is also assumed that neither a test request (step 212) another register call (step 214) has been initiated, to check the remaining balance. But then the Franking mode 400 reached.

Safety sets in the event of an authorized intervention ahead, the reliability of the authorized person (Service, inspector) and the possibility of their presence to check. Control of the seal and checking the register status during an inspection the franking machine and regardless of the data in the data center then provides verification security. The control of the franked postal items under Inclusion of a security imprint provides one additional security of verification.

The franking machine performs regularly and / or at Switch on the register check and can thus Detect missing information if in the machine intervened unauthorized or if this is unauthorized had been served. The franking machine will then blocked. Without the invention in connection with a security flag X the manipulator would Clear blockage easily. But that's how it works Security flag X lost and it would Manipulator cost too much time and effort, the valid one MAC-secured security flag X or code word Attempts to determine. In the meantime, that would be Franking machine long ago in the data center as suspect registered.

Other variants or a combination with others Variants, such as deleting a part the DES key or the redundant register status or delete other data or keys that are used for the data center in a transaction meaning have been included by the inventive concept. It is essential that critical program parts stored in the OTP and the program runtime monitoring means software and / or hardware Are part of the OTP. So that with these Program parts that are external to the OTP in the program memory PSP 11 monitors monitored critical programs become. The advantage is that the monitoring program not even observed or manipulated can be because it stays in the OTP constantly and also cannot be read out.

A suitable processor type is, for example, the TMS 370 C010 from Texas Instruments, which has a 256 bytes E ² PROM. This allows security-relevant data (keys, flags, etc.) to be stored in the processor in a tamper-proof manner.

If a manipulator takes an unauthorized intervention before, the franking machine is converted into the first mode is effective with franking with a Postage value prevented.

The potential manipulator of a franking machine must overcome multiple thresholds, which of course a certain Time required. Takes place at certain intervals no connection from the franking machine the franking machine becomes the data center already suspect. It can be assumed that the one who tampered with the franking machine commits himself hardly at the data center again will report.

During an inspection, the seal of the Franking machine for integrity and then the Checked register status. If necessary, a test print can be made be made with the value 0. At a Repairs by the on-site service may need to the franking machine can be intervened. The error register are, for example, with the help of a special Service EPROM can be read out, which replaces the Advert EPROM is inserted. If on this EPROM slot is not accessed by the processor usually access to the data lines special - not shown in FIG. 1 - Driver circuits prevented. The data lines, which can be reached here through a sealed housing door can not be contacted without authorization become. Another variant is the reading out of Error register data through an interface connected service computer. To prepare the The registers of the franking machine become intervening queried to determine the type of intervention required determine. Before intervening in the franking machine and the housing is opened, there is a separate one Call the data center. Then inside a predetermined period of time the default value to zero changed and become the data center in the context of a transaction transmitted, i.e. the type of intervention and the Register data was communicated to the data center, was done a transmission of data from a data center to the franking machine according to one requested authorized intervention in the franking machine, which is logged as an allowed intervention.

But within a predetermined period of time Default value to a value other than zero changed and to the data center within a Transaction submitted remains a previous one separate call to the data center without consequences, i.e. on Intervention request is considered not submitted and one Authorization to intervene in the franking machine is not granted and therefore no new one Security flag or code word X 'transmitted.

The franking machine is able to differentiate between requested authorized and unauthorized Intervention in the franking machine by means of the control unit the franking machine in connection with the of the data center transmitted data, with unauthorized Intervention in the franking machine this intervention is logged as an error, but after authorized intervention in the franking machine the original operating state by means of the aforementioned transmitted data is restored.

The explanation of the processes after - in FIG. 4 shown - franking mode takes place in connection with the - shown in Figure 2 - schedule. It is also in times when there is no printing (Standby mode) provided that a query with regard to manipulation attempts and / or the checksum of the register status and / or via the Contents of the program memory PSP 11 is formed. The The aforementioned checksum is provided by the franking machine manufacturer MAC-secured in the non-volatile memory 5 (Memory area E of the NV-RAM). For checking the content of the program memory PSP 11 is the Checksum determined again and using a stored unchanged key MAC formed. The aforementioned key is a tamper-proof (non-readable) Partial key. Now the old MAC is secured loaded from the NV-RAM 5 and with the newly determined MAC-secured checksum compared in the OTP. For improvement The security against manipulation is in a another variant for a kill mode 2 the checksum in the processor about the content of the external program memory PSP 11 formed and the result with an im Processor stored predetermined value compared. This is preferably done in step 101 if the Franking machine is started, or in step 213, when the franking machine is operating in standby mode becomes. Standby mode is reached when a predetermined time no input or print request he follows. The latter is the case if one is in itself known - not shown - letter sensor no next envelope determines which one to be franked. The - shown in Figure 4 - Step 405 in franking mode 400 therefore includes another further query after a time lapse or after the Number of passes through the program loop, which ultimately corresponds to the input routine Step 401 leads. If the query criterion is met, a standby flag is set in step 408 and directly branched back to system routine 200 at point s, without the billing and printing routine in step 406 is run through. The standby flag will appear later in the Step 211 queried and after the checksum check reset in step 213 if no manipulation attempt is recognized.

For this purpose, the query criterion in step 211 is increased by the Question extended whether the standby flag is set, i.e. whether the standby mode is reached. In this case also branched to step 213. A preferred variant is in those already described Way to clear the security flag X if a Manipulation attempt in standby mode on the aforementioned Has been determined in step 213. The specially secured special flag N can also be in the Step 213 should be checked, especially if it is MAC secured is by the flag content with the MAC content is compared. The absence of the security flag X will recognized in query step 409 and then on the step 213 branches. The advantage of this procedure in Connection with the first mode is that the Manipulation attempt statistically recorded in step 213 becomes.

FIG. 4 shows the flow chart for the franking mode according to a preferred variant. The invention goes assume that the Postage value in the imprint according to the last one Entry before switching off the franking machine and the date in the day stamp according to the current one Date specified that the variable data in the fixed data for the frame and for all associated data that remain unchanged be electronically embedded.

The number strings (sTrings), which are entered for the generation of the input data with a keyboard 2 or via an electronic balance 22 connected to the input / output device 4 and calculating the postage value, are automatically stored in the memory area D of the non-volatile working memory 5. In addition, data records of the sub memory areas, for example B _j , C etc., are also retained. This ensures that the last input values are retained even when the franking machine is switched off, so that after switching on the postage value in the value printout is automatically specified in accordance with the last entry before the franking machine was switched off and the date in the day stamp is specified in accordance with the current date.
If a scale 22 is connected, the postage value is taken from the storage area D. In step 404, it is waited until there is one currently stored. If a new input request is made in step 404, the process branches back to step 401. Otherwise, the process branches to step 405 to wait for the print output request. The letter to be franked is detected by a letter sensor and thus a print request is triggered. It is thus possible to branch to the accounting and printing routine in step 406. If there is no print output request (step 405), the process branches back to step 301 (point e).

Since according to the - shown in Figure 4 - variant branched back to point e and step 301 a communication request can be made at any time or another entry according to the Steps test request 212, register check 214, Input routine 401 are made.

A further query criterion can be made in step 405 are queried in order to obtain a standby flag in step 408 set if none after a predetermined time Print request is pending. As above explained, the standby flag can be in the communication mode 300 following step 211 are queried. This does not branch to franking mode 400, before the checksum check is complete result in all or at least selected programs Has.

If a print output request in step 405 is detected, further queries are made in the following Steps 409 and 410 as well as in step 406 done. For example, in step 409 Presence of a valid security flag X or a corresponding MAC-secured flag X, the Reaching a further quantity criterion and / or in Step 406 for billing in the known manner queried register data. Was that for Franking predetermined number of pieces at the previous one Franking used, i.e. Number of pieces equal Zero is automatically branched to point e in order to Communication mode 300 to enter so that from the Data center a new predetermined number of pieces S again is credited. However, was the predetermined number of pieces is not yet consumed, is from step 410 to Billing and printing routine branches in step 406.

The number of letters printed, and the current one Values in the postal registers are made according to the entered cost center in the non-volatile memory 10 of the franking machine in a billing routine 406 registered and are available for later evaluation to disposal. A special sleeping mode counter is used during those immediately before printing Billing routine causes a counting step to continue.

The register values can be displayed 215 if necessary be queried. It is also provided that Register values with the print head of the franking machine Print out billing purposes. For example as well as in the German one Laid-open specification P 42 24 955 A1 becomes.

Another variant also provides that also variable pixel image data during printing be embedded in the remaining pixel image data. Corresponding the position report provided by encoder 13 about the feed of the postal items or Strips of paper in relation to the printer module 1 the compressed data from the working memory 5 read and using the character memory 9 in one converted binary image printed image, which is also in such decompressed form in volatile memory 7 is stored. Closer Executions are the European applications EP 576 113 A2 and EP 578 042 A2 can be removed.

The pixel memory area in the pixel memory 7c is thus for the selected decompressed data of the fixed Parts of the franking image and for the selected decompressed ones Data of the variable parts of the franking image intended. After the billing, the actual Print routine (at step 406). As from the Figure 1 shows the working memory 7b and the pixel memory 7c with the printer module 1 via a a print register (DR) 15 and output logic having printer controller 14 in connection. The Pixel memory 7c is on the output side to a first one Input of the printer controller 14 switched to the further control inputs, output signals of the microprocessor control device 6 concerns. Are all columns of a printed image is printed again System routine 200 branches back.

The transmission of a new number of pieces S 'can then take place in the same manner as that already explained in connection with the transmission of the new security flag X'. In the case of communication according to FIGS. 3a and 3b, a new predetermined number of items S 'is then transmitted and decremented as number of items S while the franking is running. The comparison piece number S _{ref is} calculated internally from the new predetermined piece number S '(step 213). In step 203, a warning "CALL FP" can thus be issued before the number of pieces reaches zero. The user of the franking machine is thus asked to carry out communication with the data center in order to carry out at least one zero remote value specification for subsequent accreditation of at least the number of items S.

FIG. 5 shows the process with two transactions for reloading with a credit value, preferably shown in simplified form with a zero credit value. Such a zero remote value specification always comprises two Transactions.

The first transaction of communication with the Data center DZ includes the notification of a predetermined default request. To ensure the consistency of the Register statuses between the data center DZ and the Manufacturing the franking machine FM is a ZERO default request suitable. Such leads during a second transaction at a NULL default value at Descending register value can be added without the Change the value of the remaining credit.

With a normal entry into the communication mode after the start of the franking machine in step 218 the system routine 200 shown in FIG. 2 asked whether the user had entered the page correctly was carried out. If this is not the case, Point e of the system routine 200 branches. On the A message appears about the opening of the display Communication when entering the PIN and pressing the Teleset key (T key). In addition, the previous default value is displayed, which is indicated by the new default request NULL can be overwritten. After entering zero, the T key is pressed again. Now there is a transaction request and the Communication can be done.

The first step in a first transaction includes after entering the communication mode (positive remote value specification or teleset mode) one Sub-step 301 to check for a set Transaction requests and further sub-steps 302 to 308 for entering the identification and others Data to establish the communication link and to communicate with unencrypted data in order at least identification and transaction type data to transfer to the data center.

It is envisaged that a first step of the first Transaction sub-steps 301 to 308 of the franking machine includes to establish the connection, for communication with unencrypted data and at least Identification, transaction type and other data to transfer to the data center. The transaction type data (1 byte), includes the message to the data center DZ below the teleset mode for one Desired positive remote value specification with the identified Franking machine.

A second step of the first transaction involves Sub-steps 501 to 506 in the data center to Receive the data and check the identification the franking machine and for transmitting one unencrypted OK notification to the franking machine. The second step of the first transaction also includes Sub-steps to deal with incorrect unencrypted messages 505 via a sub-step 513 for Error message on a sleep point q in the sub-step To branch 501 in the data center until the Communication from a franking machine again is recorded.

A third step involves the first transaction Sub-steps 309 to 314 of the franking machine, for Formation of a first encrypted message Crypto cv by means of a stored in the franking machine first key Kn and for the transmission of encrypted Data on the data center, including at least the default request, identification and postal register data. In further development of the security measures includes this encrypted message too Data in the form of CRC data (cyclic redundancy check data). The default request, the identification, Postal register and other data, such as a Checksum (CRC data) are in one with the DES algorithm encrypted message transmitted.

A fourth step of the first transaction, the sub-steps 507 to 511 in the data center to receive and decrypt the first encrypted Notification provided. An exam for Decryptibility is determined by means of a Data center stored key performed. If successful, a calculation is made in the data center to form a second key Kn + 1, corresponding to that used by the franking machine Key. Then a second is encrypted Message crypto Cv + 1 formed which at least the aforementioned second key Kn + 1, the Contains identification and transaction data, again the DES algorithm for encryption is being used. In conclusion is a transfer of the second encrypted message crypto Cv + 1 Postage meter provided.

Additional sub-steps are used to help you determine of irreversibly incorrect encrypted messages in sub-step 509 via a sub-step 513 Error message on a hibernation in the 501 Data center to branch out until communication is resumed by a franking machine. Sub-steps are also provided in order to Sub-step 509 detected incorrect encrypted Notices but with correctable errors a sub-step 510 for canceling the previous one Transaction and then to step 511 in the Branch data center. This sub-step serves to form a second key Kn + 1, which for Franking machine should be transmitted encrypted, to form a second encrypted message crypto Cv + 1 and to transfer the encrypted Message about the franking machine. In addition, the fourth step of the first transaction is a sub-step 512 of the data center for storing the default request from which to the first sub-step 701 of the second Step of the second transaction is branched to the first key Kn as the previous key and the second key Kn + 1 as successor key to save.

A fifth step of the first transaction, which comprises sub-steps 315 to 318 of the postage meter machine, serves to receive and to decrypt the second encrypted message, to extract at least the identification data and the transmitted second key Kn + 1 _{Cv + 1} , and to verify the encrypted received Notification based on the extracted identification data. Upon verification, the transmitted second key Kn + 1 _{Cv + 1} and the default _request are stored in the franking machine. Otherwise, if not verified, the process branches back to the first step of the first transaction.

After this pre-synchronization of the data center by the franking machine starts a second transaction, which is preferably through an additional manual Entry in step 602 is triggered. As a result This temporary entry is triggered the second transaction or leaving the second transaction in communication mode if the Entry time is exceeded. Preferably the T key are actuated within 30 seconds or the Entry time is exceeded and it becomes the first Branched back step of the first transaction. The Communication can now be omitted as required be repeated.

A first step of the second transaction comprises sub-steps 602 to 608 of the franking machine for communication with unencrypted data to connect to build up and at least identification and Transmit transaction type data to the data center.

A second step of the second transaction, the sub-steps 701 to 706 of the data center is for Receive the data and check the identification the franking machine and for transmitting one unencrypted OK notification to the franking machine intended. It is also contemplated that the second Step of the second transaction includes sub-steps to in the case of incorrect unencrypted messages 705 via a sub-step 513 to the error message on one To branch to sleep state 501 in the data center until communication from a franking machine again is recorded.

A third step of the second transaction comprises sub-steps 609 to 614 of the franking machine for education a third encrypted message crypto cv + 2 by means of the aforementioned in the franking machine stored second key Kn + 1 and for Transmission of the third encrypted message crypto cv + 2 to the data center, comprising at least Identification and postal register data, but without Data for a default value.

A fourth step of the second transaction, the sub-steps 707 to 711 of the data center for reception and to decrypt the third encrypted Message containing crypto Cv + 2 lists their check Decryptibility by means of a in the data center saved key. Then there is a Form a third key Kn + 2, which for Franking machine should be transmitted encrypted, forming a fourth encrypted message crypto Cv + 3, which is at least the aforementioned third Key Kn + 2, the identification and the Contains transaction data and the transfer of the fourth encrypted message crypto Cv + 3 Franking machine.

The fourth step of the second transaction closes Sub steps to get rid of undetectable errors encrypted messages (substep 709) a sub-step 513 for the error message on one To branch to sleep state 501 in the data center until communication from a franking machine again is recorded. If determined in a step 709 incorrect encrypted messages with recoverable error goes to a step 710 Cancellation of the previous transaction branches. This is followed in the data center in sub-step 711 forming a third key Kn + 2, which is used for Franking machine should be transmitted encrypted. To form a fourth encrypted message crypto Cv + 3 uses the DES algorithm again. Then the encrypted is transmitted Message about the franking machine.

It is also contemplated that the fourth step of the second transaction to save the default value comprises a data center sub-step 712 which is based on the first sub-step 501 of the second step of first transaction branches to the second key Kn + 1 as the previous key Kn-1 and the third Key Kn + 2 as successor key Kn for others save first and second transactions.

A fifth step of the second transaction, which includes sub-steps 615 to 618 of the postage meter machine, serves to receive and decrypt the fourth encrypted message, to extract at least the identification data and the transmitted third key Kn + 2 _{Cv + 3} and the transaction data, and to verify the received encrypted message based on the extracted identification data. In the case of verification, the transmitted second key Kn + 2 _{Cv + 3} and the default value in the franking machine are correspondingly added to the descending register value R1 and the resulting credit is stored or, if not _{verified, the process branches} back to the first step of the first transaction.

Either you go back to the first step to trigger further transactions effect, or in the fifth step the second Transaction will be the aforementioned transaction request canceled again.

From this NULL remote value specification in communication mode a negative remote value specification differs in Special mode especially through special tamper-proof Flags and a time watch. Such tamper evident Flags are especially a MAC secured Security flag X and a MAC-secured Special flag N.

In Figure 6, the process is with two transactions for reloading with a negative credit value, i.e. a negative remote value requirement for fund retransfer presented to the data center. Such a negative Remote value specification comprises at least two transactions.

The first transaction of communication with the Data center DZ includes the notification of a predetermined default request, preferably one Zero default request to the consistency of the Register statuses between the data center DZ and the Manufacture franking machine FM.

The first step in a first transaction after a defined page entry into the Special mode negative remote value specification compared to a normal entry into communication mode (teleset mode) one after starting the franking machine Sub-step 301 to check for a set Transaction requests and further sub-steps 302 to 308 for entering the identification and others Data to establish the communication link and to communicate with an unencrypted message, to at least identification and Transmit transaction type data to the data center. A Securing individual data in the message can again by a MAC or by means of CRC data in the can be achieved.

The defined side entry is made by pressing secret predetermined key combination during the Switching on of the franking machine reached. The Control unit of the postage meter machine can, according to the invention in conjunction with those from the data center already previously transmitted data and an input process between authorized dealings (service technicians) and distinguish between unauthorized actions (intention to manipulate).

When authorized to act, a special flag N in Step 220 set because if the franking machine FM is switched off, the continuation of the Transactions after restarting the Franking machine be secured. As protection against one any manipulation becomes the special flag N as well Saved in a non-volatile MAC-safe.

If an unsuccessful attempt is made or another key combination is entered to enter the page, this is evaluated as unauthorized action or as an intention to manipulate (error message) and saved and a step 209 is initiated to prevent further franking.
It is provided that a predetermined key combination for each franking machine is stored in the data center and only the authorized person (service technician) is informed in order to achieve a predetermined operating sequence on the franking machine. The correct side entry causes a message on the display about the opening of the communication.

For transferring the franking machine to a special mode a flag N is protected against manipulation Step 220 set if a specific criteria fulfilled, with the specific criterion for the special mode negative remote value specification at least the Use the predetermined key combination for Side entry into special mode while switching on the franking machine comprises.

In a variant, as with the positive Enter the PIN and press the remote value Teleset key (T key), then zero entry and press the T button before the communication is carried out.

Communication with the data center comprises at least two transactions, which in the event of an error be run repeatedly, after interruption communication automatically resumes and / or is carried out as long as the aforementioned Special flag N for the special mode is set by which made an automatic transaction request is to complete the retransfer of the credit.

It is envisaged that a first step of the first Transaction sub-steps 301 to 308 of the franking machine includes to establish the connection, for communication with unencrypted data and at least Identification, transaction type and other data to transfer to the data center. The transaction type data (1 byte), includes the message to the data center DZ then the special mode of a desired one negative remote value specification with the identified Franking machine.

A second step of the first transaction involves Sub-steps 501 to 506 in the data center to Receive the data and check the identification the franking machine and for transmitting one unencrypted OK notification to the franking machine. The second step of the first transaction also includes Sub-steps to deal with incorrect unencrypted messages 505 via a sub-step 513 for Error message on a hibernation in the 501 Data center to branch out until communication is resumed by a franking machine.

A third step involves the first transaction Sub-steps 309 to 314 of the franking machine, for Formation of a first encrypted message Crypto cv by means of a stored in the franking machine first key Kn and for the transmission of encrypted Data on the data center, including at least the default request, identification and postal register data. In further development of the security measures includes this encrypted message in Form of CRC data (cyclic redundancy check data) Notification to the data center DZ below Special mode of a desired negative remote value specification perform. With the two-byte Cyclic Redundancey Check is a checksum which is a manipulation of the individual to the checksum processed data can be recognized. This checksum can individual data or the components of all communications Include (transaction type) on the part of the franking machine. The default request, the identification, Postal register and CRC data are merged with the DES algorithm encrypted message transmitted. So it is not necessary to have data in the first Step MAC-secured or encrypted to the data center transferred to.

A fourth step of the first transaction, the sub-steps 507 to 511 in the data center to receive and decrypt the first encrypted Notification or its check for decryptibility by means of one in the data center stored key, to form a second Key Kn + 1 corresponding to that of the franking machine key used to form a second encrypted message crypto Cv + 1 which at least the aforementioned second key Kn + 1, the Contains identification and transaction data and to transmit the second encrypted message crypto Cv + 1 intended for franking machine.

It is envisaged that the fourth step of the first Transaction also includes sub-steps to get rid of incorrect encrypted messages over 509 a sub-step 513 for the error message on one To branch to sleep state 501 in the data center until communication from a franking machine again is recorded. There are still sub-steps provided to encrypt in case of faulty Messages 509 with correctable errors, on one Step 510 to cancel the previous transaction and then to step 511 in the Branch data center. This sub-step serves to form a second or third key Kn + 1, which is transmitted in encrypted form to the franking machine should be used to form a second encrypted Message crypto Cv + 1 and to transfer the encrypted message to the franking machine. Moreover concludes the fourth step of the first transaction a sub-step 512 of the data center for storage of the default request, of which the first sub-step 701 of the second step of the second transaction is branched to the first key Kn as Previous key and the second key Kn + 1 as Store successor key.

A fifth step of the first transaction, which comprises sub-steps 315 to 318 of the postage meter machine, serves to receive and to decrypt the second encrypted message, to extract at least the identification data and the transmitted second key Kn + 1 _{Cv + 1} , and to verify the encrypted received Notification based on the extracted identification data. Upon verification, the transmitted second key Kn + 1 _{Cv + 1} and the default _request are stored in the franking machine. Otherwise, if not verified, the process branches back to the first step of the first transaction.

After this pre-synchronization of the data center by the franking machine performs a second transaction. A first step of the second transaction includes Sub-steps 602 to 608 of the franking machine for Communication with unencrypted data to the Establish connection and to at least identify and transaction type data to the data center transferred to.

A second step of the second transaction, the sub-steps 701 to 706 of the data center is for Receive the data and check the identification the franking machine and for transmitting one unencrypted OK notification to the franking machine intended. It is also contemplated that the second Step of the second transaction includes sub-steps to in the case of incorrect unencrypted messages 705 via a sub-step 513 to the error message on one To branch to sleep state 501 in the data center until communication from a franking machine again is recorded.

A third step of the second transaction comprises sub-steps 609 to 614 of the franking machine for education a third encrypted message crypto cv + 2 by means of the aforementioned in the franking machine stored second key Kn + 1 and for Transmission of the third encrypted message crypto cv + 2 to the data center, comprising at least Identification and postal register data, but without Data for a default value.

A fourth step of the second transaction, the sub-steps 707 to 711 of the data center for reception and to decrypt the third encrypted Message containing crypto Cv + 2 lists their check Decryptibility by means of a in the data center saved key. Then there is a Form a third key Kn + 2, which is to the franking machine should be transmitted in encrypted form Form a fourth encrypted message crypto Cv + 3, at least the aforementioned third key Kn + 2, the identification and transaction data contains and transmitting the fourth encrypted Message crypto Cv + 3 to the franking machine.

The fourth step of the second transaction closes Sub steps to get rid of undetectable errors encrypted messages 709 about a sub-step 513 for the error message on a sleep state 501 in the Data center to branch out until communication is resumed by a franking machine. In the event of defective errors determined in a step 709 encrypted messages with recoverable errors to step 710 to cancel the previous one Transaction branches. Then it takes place in the data center in sub-step 711, forming a third Key Kn + 2, which encrypts to the franking machine should be transmitted. To form a fourth encrypted Message crypto Cv + 3 will be the again DES algorithm used. Then there is a Transfer the encrypted message to Franking machine.

It is also contemplated that the fourth step of the second transaction to save the default value comprises a data center sub-step 712 which is based on the first sub-step 501 of the second step of first transaction branches to the second key Kn + 1 as the previous key Kn-1 and the third Key Kn + 2 as successor key Kn for others save first and second transactions.

A fifth step of the second transaction, which includes sub-steps 615 to 618 of the postage meter machine, serves to receive and decrypt the fourth encrypted message, to extract at least the identification data and the transmitted third key Kn + 2 _{Cv + 3} and the transaction data, and to verify the received encrypted message based on the extracted identification data. The above step has a further query criterion for identifying the completion in contrast to the positive remote value specification. The franking machine FM is to receive the fourth crypto message within a predetermined time from the sending of the third crypto message. If the connection is free of interruptions, reception would take place in the predetermined time t1.

So in the preferred embodiment, the last one and particularly critical section of the second transaction monitored for exceeding the time tl. In order to the possible manipulation time is severely limited. This will be transmitted during the penultimate one Message from sending the third crypto message in the processor (control unit 6) of the franking machine started a time count. This is preferably the case solved that the corresponding program section a Routine activated, which sets a counter that in turn by the system clock or its multiple is decremented. For a longer period of time, for example in the order of 10 seconds monitor several meters are cascaded. Reached now the fourth within the critical period Crypto message from the data center, the franking machine, the counter is deactivated. This remains the last crypto message, however, is set Counter decremented further. At the zero crossing of the A program interrupt signal (interrupt) triggered. This signal triggers the call a special subroutine, which is a new one Prepared and triggered transaction. Part of this Another transaction is the transmission of the Contents of the postal register. One that takes place in the data center Consistency check then leads to the result that an unfinished transaction in special mode negative Remote value specification preceded. The inconsistent records are corrected and the negative remote value specification is accomplished.

Another variant of the invention results if an incremental counter instead of a decremental counter is used. The after each counting cycle Comparison can be made with the number that the monitored period corresponds.

Exceeding the time tl is a sure indication for a failed transmission and causes the call a special subroutine, which is a new one Execution of the special mode negative remote value specification prepared and triggered automatically. The first and second transaction will be automatic in this case repeated with key Kn + 2.

After a successful query or verification in the fifth step of the second transaction, the transmitted second key Kn + 2 _{Cv + 3} and the default value in the franking machine are added to the descending register value R1 and the resulting credit is saved or, if it is not verified or times out, becomes the first Branched back step of the first transaction.

The fifth step of the second transaction closes a sub-step (620) of the franking machine for Resetting the aforementioned special flag N or Return to the normal mode of the franking machine, whereby the aforementioned automatic transaction request is canceled again when performing the second transaction has been completed.

The service technician present secures the others trouble-free process until the completion of the negative Remote value specification.

Is the completion due to a longer or permanent Interruption of the connection between the franking machine and data center not possible, the Service technicians use the franking machine in the dealer office take with you and continue the completion from there. Otherwise, there would be a credit balance in the Postage meter result, which according to information in the data center is already considered retransmitted. The successful completion of the negative remote value specification, i.e. the fund retransfer is through a query of register values R1 = 0 or R2 = R3 and R3 = R2 + R1 verifiable.

R1 (descending register) vorrätige Restbetrag in der Frankiermaschine,

R2 (ascending register) Verbrauchssummenbetrag in der Frankiermaschine,

R3 (total resetting) die bisherige Gesamtvorgabesumme aller Fernwertvorgaben,

R4 (piece count Σprinting with value ≠ O) Anzahl gültiger Drucke,

R8 (R4 + piece count Σprinting with value =O) Anzahl aller Drucke

The franking machine can transmit register values to the data center, for example, before reloading with a zero default value. Here are:

R1 (descending register) remaining amount in the franking machine,

R2 (ascending register) amount of consumption in the franking machine,

R3 (total resetting) the previous total of all remote values,

R4 (piece count Σprinting with value ≠ O) number of valid prints,

R8 (R4 + piece count Σprinting with value = O) Number of all prints

With every remote value specification, at least R1 query and evaluate statistically.

On the part of the data center, at the end of the day Validity of the fund retransfer as a result of the Special mode negative remote value specification decided. If no incident is reported by the service technician, that, for example, the negative remote value specification is not was feasible, or if from the same franking machine no requirement to reload a positive The credit is valid, the validity is assumed.

The negative remote value specification when entering the special mode set special flag N was successful Transaction rolled back. The franking machine prevents all frankings with values greater than zero because no more credit is loaded. The franking machine is still zero for frankings with values and other modes of operation as long as these No credit required or as long as no postage franked and the quantity limit is not reached.

Either, as with the one variant, the predetermined side entry triggering the Transactions in special mode or it is in another variant, at least one manual step 302 in special mode negative remote value specification after a Side entry for entering an identification number (PIN) and for entering the predetermined default request as provided for in the positive remote value specification, which is queried in step 303. Through a additional manual step to the temporary Entry, which is queried in step 603, takes place triggering the second transaction and one Leave or repeat the first transaction in communication mode or in special mode if the Entry time is exceeded. Preferably the T key are actuated within 30 seconds or the Entry time has been exceeded.

It is still a number of variants with different ones Security level realizable. So can a transmission check in the data center a predetermined default request carried out become. In the simplest case, the default request - analogous to that which can be queried in display mode 215 Descendingregister Remaining amount R1 - entered and transmitted to the data center. There to the data center automatically with every transaction Post register contents, but at least R1 transmitted become a negative remote value requirement for fund retransfer if the specified amount corresponds earned with the balance.

In a second variant, the data center any desired request agreed as a code. A zero default request is preferably agreed. Is now within a certain time after the Agreement of the special mode negative remote value specification called and the zero default request entered or confirmed as the default request is in the franking machine automatically the remaining amount R1 to zero reset. A corresponding query step 219 according to such another specific criterion for the franking machine was dashed in FIG. 2 shown. From this, step 220 proceeds to Setting the special flag N branches. In another The operation can be simplified, if a NULL remote value specification as the last transaction already done. Then it's just that To perform the operation for the side entry, around the negative remote value specification fully automatically or a zero residual value R1 = 0 to reach.

By starting a time monitoring from Sub-step 613 sending the third crypto message to the data center until receipt of the fourth crypto message from the franking machine manipulation is limited in time. If the fourth crypto message not within one predetermined time t1 could be received special subroutine called which a the special mode negative remote value specification is carried out again prepared and triggered automatically. By further sub-steps 615, 616, 301 for automatic Resumption of communication after interruption of the Communication link between data center and Postage meter or after switching off and on again the franking machine will last as long as that aforementioned special flag N is set, the communication carried out further. That as a transaction request rated special flag N is non-volatile and against Manipulation saved with MAC protection. Only after Completion of the retransfer of the credit will be Special flag N reset in step 620.

In a third variant, security is through a combination of different measures increased. The first one is independent of the franking machine Communication link between authorized User and the data center for storing a Codes for registering an authorized action the franking machine by a later transmitted Default request made. Now you can switch on the Franking machine to make an authorized predetermined operating sequence take place in order to Side entry into a special mode negative remote value specification to enter. Then a second Communication link between franking machine and the data center and entering a default request manufactured. In a first transaction there is a distinguishable logon to the data center, if the transmitted request with a corresponding Code matches. In the first transaction for example a new code word or security flag and / or operating sequence transmitted to the franking machine. By performing at least one more Transaction and the automatic execution of the The aforementioned communication becomes the security relevant Transfer data and store it in the franking machine is completed. According to the The default value in the corresponding Memory of the franking machine and for checking the transaction also in an appropriate memory the data center added to the remaining credit.

Otherwise, step 209 is executed to delete a tamper-proof stored Safety flags X result in at least one unauthorized deviation from the predetermined operating sequence or because the franking machine was tampered with, intended. This turns the franking machine into one first mode transferred to them for franking (Franking mode 400) effectively put out of operation (Step 409), in contrast to the authorized action or intervention.

A transfer of a valid operating sequence from the data center to the franking machine becomes superfluous if the operating sequence is changed depending on the time. The same calculation algorithm is used in the data center and in the franking machine to determine a current operating sequence. Another variant is based on the storage of the current operating sequence in the franking machine by means of a special reset E ² PROM by the service technician.

In a further variant, the security of an authorized person by means of an additional Input security means increased, which with the Franking machine is brought in contact to a Transfer remaining credit back to the data center. First, the topicality of the data center produced by the register stands by means of a Zero remote value specification can be reported. Then will as input security means by the service technician Reset read-only memory chip (refund EPROM) in a predetermined base of the at least partially open franking machine inserted. After this Switch on or start a page in the program The franking machine is checked for a refund EPROM was used. This can be advantageous in - in the Figure 2 shown - step 219 to check a further criterion. A real one Side entry with no refund EPROM leads to point e or in a variant not shown one step to abort the routine. For example can go to a step 209 for deleting a flag X be branched out in step 409 of the franking mode (Figure 4) would be noticed and for statistics and Error evaluation or registration in step 213 leads. Otherwise, with the correct side entry and when the refund EPROM is inserted, a special flag N what is automatically set in communication mode Transfer the remaining credit back to the data center triggers.

In a sub-variant, steps 218 and 219 run reversed in order according to FIG. 2, so that only with regard to the inserted refund EPROM and only after the correct side entry is asked. Such a sub-variant has the advantage that the information about the correct side entry can also be saved in the Refund EPROM, instead of in the franking machine. With that the Protection against tampering further increased.

In the data center, the state of the Franking machine (out of service) saved. The authorized person removes the input security means from the base and closes the housing of the Franking machine. In the data center, as in the postage register registering the franking machine for available balance R1, amount of consumption R2 and total amount R3 set to zero (R1 = 0; R2 = 0; R3 = R1 + R2 = 0). It will Remaining credit of the customer into the corresponding account of the Customers returned.

With a chip card read / write unit in the franking machine can the input security means can of course also be implemented as a chip card.

The invention is not limited to the present embodiments limited. Rather is a number of Variants conceivable within the scope of the claims.

Claims (8)

1. Method for improving the safety of franking machines against manipulation in the credit balance transfer, involving a microprocessor in a control unit of the franking machine for the execution of the steps of a start and initialization routine and a subsequent system routine with the possibility to enter into a communication mode with a remote data central for loading a credit value or transferring it back to the data central and with further input steps for entering into a franking mode from which process is branched back to the system routine after the execution of an accounting and printing routine,
   characterized by:

   side entry into a special negative remote postage credit mode by performing an authorized predefined operating sequence during the startup of the franking machine (steps 100 to 105);

   calling of currently valid data (step 201) that mark an authorized action;

   monitoring of the operating sequence for the side entry (steps 217, 218, 219) with the help of a microprocessor (6) by distinguishing between authorized and unauthorized actions;

   switching over of the franking machine into a special mode for negative remote postage credit with a step (220) regarded as a transaction request in the inquiry step (301) of the communication mode, in case a side entry is recognized as permitted and correct when a number of predetermined specific criteria (217, 218, 219) has been met;

   switching over into a fist mode (209) in order to effectively prevent the franking machine from franking any postage values (step 409) when the operating sequence does not correspond to predefined permitted operating sequence;

   setting-up of a communication connection (substeps 301 to 308) and completion of an encrypted communication (substeps 313, 511, 613 and 711) with the data central in said special mode; as well as

   monitoring by means of a microprocessor (6) as to the complete performance of said special mode (substep 616).
2. A method according to Claim 1, characterized in that the mode of operation of the franking machine is monitored, which comprises an inquiry for the correct side entry and further comprises a distinguishing between completed and non-completed execution of the special negative remote postage credit mode by means of microprocessor (6), wherein, in case of a non-completed execution of the special negative remote postage credit mode, there is provided at least one further step for an automatic continuation of the communication by means of further transactions in order to complete the back-transfer when the preceding steps for performing a negative remote postage credit have been interrupted or faulty encrypted data have been transmitted to the franking machine.
3. A method according to Claims 1 to 2, characterized in that a predetermined keyboard shortcut is stored at the data central for each franking machine which is only communicated to the respective authorized person, such as a service engineer, in order to achieve a predetermined operating sequence in the franking machine, and that the above-mentioned criterion for the special negative remote postage credit mode is the utilization of the predetermined shortcut during the startup of the franking machine (side entry).
4. A method according to Claims 1 to 2, characterized in that an inquiry for the correct side entry (218) is made after a check (219) with regard to a plugged-in input safety means, wherein the information on the correct side entry also exists in a stored form in said input safety means.
5. A method according to Claims 1 to 4, characterized in that said input safety means is a refund EPROM or that the input safety means is realized in the form of a chip card in a chip-card read-write unit integrated in the franking machine, and that, prior to a side entry, the input safety means, such as a refund EPROM or a chip card, is brought into contact with the franking machine in order to transfer a remaining credit balance back to the data central.
6. A method according to one of the Claims 1 to 5, characterized by at least one manual step (302) in the special negative remote postage credit mode following a side entry for entering an identification number (PIN) and for entering the predetermined credit request and/or b y a manual step that is prompted in the first inquiry step (602) of the second transaction for making an entry limited in time in order to trigger the second transaction and for leaving or repeating the first transaction in the communication mode or in the special mode when the input time has been exceeded.
7. A method according to one of the Claims 1 to 6, characterized in

   that, if a specific criterion has been met, a sleeping flag z is set in a step (411) of the franking mode (400) for switching the franking machine over to a second mode and/or a special flag N protected against manipulation is set in a step (220) of the system routine (200) for switching it over to a special mode, wherein the specific criterion for the special negative remote postage credit mode comprises at least the utilization of the predefined shortcut for the side entry into the special mode during the startup of the franking machine;

   that a communication with the data central comprises at least two transactions which are performed repeatedly in error cases, wherein, after an interruption, the communication is automatically set up again and/or continued as long as there remains set the above-mentioned special flag N for the special mode, which means that an automatic transaction request for completing the back-transfer of the credit balance is being made; wherein

   a) a first step of the first transaction comprises substeps (301 to 308) of the franking machine for setting up the connection, for a communication with unencrypted data, and for transmitting at least identification data, data on the type of transaction and other data to the data central;

   b) a second step of the first transaction comprises substeps (501 to 506) of the data central for receiving the data, for verifying the identification of the franking machine as well as for transmitting an unencrypted OK-message to the franking machine;

   c) a third step of the first transaction comprises substeps (309 to 314) of the franking machine for creating a first encrypted message crypto Cv by means of a first cipher Kn stored in the franking machine and for the transmission of encrypted data to the data central that comprise at least the credit request, identification and postal register data;

   d) a fourth step of the first transaction comprises substeps (507 to 511) of the data central for receiving and decrypting the first encrypted message or for its verification as to decryptability by means of a cipher stored at the data central, for creating a second cipher Kn+1 according to the cipher used by the franking machine, for creating a second encrypted message crypto Cv+1 including at least said second cipher Kn+1, the identification and transaction data, and for transmitting the second encrypted message crypto Cv+1 to the franking machine;

   e) a fifth step of the first transaction comprises substeps (315 to 318) of the franking machine for receiving and decrypting the second encrypted message, for extracting at least the identification data and the transmitted second cipher Kn+1_Cv+1, as well as for verifying the received encrypted message by means of the extracted identification data, wherein, upon verification, the transmitted second cipher Kn+1_Cv+1 and the credit request are stored in the franking machine, while otherwise, in case of non-verification, the process is branched back to the first step of the first transaction;

   and wherein

   f) a first step of the second transaction comprises substeps (602 to 608) of the franking machine for a communication with unencrypted data, for setting up the connection and for transmitting at least identification data and data on the type of transaction to the data central;

   g) a second step of the second transaction comprises substeps (701 to 706) of the data central for receiving the data, for verifying the identification of the franking machine as well as for transmitting an unencrypted OK-message to the franking machine;

   h) a third step of the second transaction comprises substeps (609 to 614) of the franking machine for creating a third encrypted message crypto Cv+2 by means of the above-mentioned second cipher Kn+1 stored in the franking machine, and for transmitting to the data central the third encrypted message crypto Cv+2 that comprises at least identification and postal register data without a credit value;

   i) a fourth step of the second transaction comprises substeps (707 to 711) of the data central for receiving and decrypting the third encrypted message crypto Cv+2 or verifying it as to decryptability by means of a cipher stored at the data central, for creating a third cipher Kn+2 according to the cipher used by the franking machine, for creating a third cipher Kn+2 to be transmitted to the franking machine in an encrypted form, for creating a fourth encrypted message crypto Cv+3 including at least said third cipher Kn+2, the identification and transaction data, and for transmitting the fourth encrypted message crypto Cv+3 to the franking machine;

   j) a fifth step of the second transaction comprises substeps (615 to 618) of the franking machine for receiving and decrypting the fourth encrypted message, for extracting at least the identification data and the transmitted third cipher Kn+2_Cv+3 and the transaction data, as well as for verifying the received encrypted message by means of the extracted identification data, wherein, upon verification, the transmitted second cipher Kn+2_Cv+3 and the credit value are respectively added to the descending register value R1 and the resulting credit balance is stored in the franking machine, while otherwise the process is branched back to the first step of the first transaction; and

   k) the fourth step of the first transaction for storing the credit request comprises a substep (512) of the data central that branches to the first substep (701) of the second step of the second transaction in order to store the first cipher Kn as prior cipher and the second cipher Kn+1 as successor cipher;

   l) the second step of the first transaction and the second step of the second transaction comprise substeps that, in case of faulty unencrypted messages (505) or (705), branch the process over an error message substep (513) to a quiescent state (501) at the data central until communication is resumed by the franking machine;

   m) the fourth step of the first transaction and the fourth step of the second transaction comprise substeps that, in case of unrecoverably faulty encrypted messages (509, 709), branch the process over an error message substep (513) to a quiescent state (501) at the data central until communication is restarted by the franking machine, and that, in case of faulty encrypted messages (509, 709) with a recoverable error, branch it to a step (510, 710) for cancelling the previous transaction and then to the substep (511, 711) at the data central; as well as substeps for creating a second or third cipher Kn+1 or Kn+2, respectively, to be sent to the franking machine in an encrypted manner, for creating a second or fourth encrypted message crypto Cv+1 or crypto Cv+3, respectively, and for transmitting the encrypted message to the franking machine;

   n) the fourth step of the second transaction for storing the credit values comprises a substep (712) of the data central that branches to the first substep (501) of the second step of the first transaction in order to store the second cipher Kn+1 as prior cipher Kn-1 and the third cipher Kn+2 as successor cipher Kn for subsequent first and second transactions;

   o) the fifth step of the second transaction comprises a substep (620) of the franking machine for resetting the above-mentioned special flag N or for returning to the normal mode of the franking machine, which will cancel the above-mentioned automatic transaction request.
8. A method according to one of the Claims 1 to 7, characterized by the start of a timeout function from substep (613) for transmitting the third encrypted message to the data central till the receipt of the fourth encrypted message by the franking machine, wherein, if the fourth encrypted message has not been received within a preset time tl, a special subprogram is called that prepares and triggers a new execution of the special negative remote postage credit mode; as well as by further steps (615, 616, 301) for an automatic resumption of the communication after an interruption of the communication connection between data central and franking machine or after the switching off and on again of the franking machine, wherein the special flag N that is regarded as a transaction request is stored in a non-volatile form and is MAC protected against manipulation, wherein the communication is continued as long as said special flag N is set, and wherein the special flag N is only reset upon completion of the back-transfer of the credit balance (in step 620).

Images