EP0996097B1 - Method for improving the security of franking machines during the credit transfer - Google Patents

Description

The invention relates to a method for improving the security of franking machines in the credit transfer, especially in the fund return to the data center, according to the specified in the preamble of claim 1. Art.

A franking machine usually generates a print in a form agreed with the post office right-justified, parallel to the top edge of the mail starting with the content postage in the postmark, date in the day stamp and stamp imprints for advertising clichés and possibly transmission type in the Wahldruckstempel. The postal value, the date and the type of shipment form the variable information to be entered in accordance with the item of mail.

The postage value is usually the forwarding charge prepaid by the sender (Franko), which is taken from a refillable credit register and used to clear the postal consignment. In contrast, in the current account procedure, a register is only counted up and read at regular intervals by a postal inspector, depending on the frankings made with the postage value.

Basically, any franking made must be accounted for and any manipulation that leads to an unbilled franking must be prevented.

A known franking machine is equipped with at least one input means, an output means, an input / output control module, a program, data and in particular the billing register bearing memory device, a control device and a printer module. In the case of a printer module with a pressure mechanism, measures must also be taken to ensure that the print mechanics can not be misused for uncalculated impressions when switched off.

The invention relates to a method for franking machines, which provide a fully electronic impression produced for franking mail including the imprint of an advertising cliché. This has the consequence that only when switched on a non-billed valid franking must be prevented.

In a postage meter known from US Pat. No. 4,746,234, fixed and variable information is stored in memory means (ROM, RAM) for reading out by means of a microprocessor when a letter on the transport path before the printing position activates a microswitch and for applying a pressure control signal form. Both are then electronically assembled into a printed image and can be printed by thermal transfer printing printed on an envelope to be franked.

A method has already been proposed for controlling column-by-column printing of a postage indicia image in a postage meter EP 578 042 A2, which separately combines fixed and variable data converted into graphic pixel image data during column-wise printing. It would therefore be difficult to manipulate the print control signal without great and expensive expense when printing at a high speed.

On the other hand, the memory device comprises at least one non-volatile memory module which contains the remaining balance remaining, which results from the fact that the respective postage value to be printed is deducted from a credit that was previously loaded into the postage meter machine. The franking machine blocks when the remaining balance is zero.

Known franking machines contain at least one memory three relevant postal registers for consumed sum value (increasing register), remaining balance still available (falling register) and registers for a checksum. The checksum is compared to the sum of the used totals and the available credits. Already so a check for correct billing is possible.

Furthermore, it is also possible to transfer a recharging information to the franking machine from a data center via a remote value specification in order to recharge a credit in the register for the remaining balance (residual value). It goes without saying that suitable security measures must be taken for this, so that the credit stored in the postage meter can not be increased in an unauthorized manner. Protecting the abovementioned solutions against abuse and counterfeiting requires additional material and time expenditure.

From US 48 64 506 it is known that when the value of the credit in the falling register is below a threshold and a predetermined time has been reached, a communication to the remote data center is received by the postage meter.
It is furthermore known from the above-mentioned patent that the data center for receiving register data and for checking whether the franking machine is still connected to a specific telephone number receives the connection with the franking machine after a defined period of time and the franking machine answers only at predetermined times.
It is also provided, according to the abovementioned patent, to query the identity number of the franking machine and the values in the falling and rising register for a credit recharge in the franking machine, for authorization by the data center.
Furthermore, it is known from the above-mentioned patent that the communication of the data center with the franking machine need not be limited to a mere transfer of the credit to the franking machine. Rather, in the case of a logoff of the franking machine, the communication of the data center with the franking machine is used to transfer the remaining balance of the franking machine into the data center. The value in the falling post register of the postage meter is then zero, effectively suspending the postage meter.

A method of diagnosis in an electrically controlled mechanical device known from GB 22 61 748 A monitors parameters and generates an analysis histogram.

A Sicherheitsagebäuse for franking machines, which has internal sensors is known from DE 41 29 302 A1. The sensors are in particular with a battery connected switches, which become active when the security case is opened in order to delete a memory storing the residual value credit (falling postal register) by interrupting the energy supply. It is known, but not predictable, which state a voltage-free memory module occupies when the voltage returns. Thus, an unpaid higher residual balance could arise. On the other hand, can not be excluded that in the above manner, the residual assets at least partially discharged. However, this would be disadvantageous in an inspection since the residual value credit which had been paid by the postage meter user must also be reloaded, but the amount of this residual credit can be falsified by the above-mentioned influences. Finally, the description can not be deduced how to prevent a manipulator from restoring an unpaid balance.

In known franking machines FM, further safety measures such as breakaway screws and encapsulated shielded safety housing are already known. Also common are keys and a combination lock to complicate access to the franking machine.

Moreover, in US 4,812,994, unauthorized access to use of the postage meter machine is to be prevented by blocking the postage meter machine if a predetermined password is entered incorrectly. In addition, the franking machine can be set by means of a password and corresponding input via the keyboard so that franking is possible only during a predetermined time interval or times of day.

The password can be entered by a personal computer via MODEM, by a smart card or manually in the postage meter. After positive The franking machine is released compared with a password stored in the franking machine. A security module (EPROM) is integrated in the control module of the billing unit. As a further security measure, an encryption module (separate microprocessor or program for FM CPU based on DES or RSA code) is provided which generates a postage value, the subscriber number, a transaction number and the like in the franking stamp. If enough criminal energy but also a password could be explored and brought together with franking machine in the possession of a manipulator.

It has already been proposed in US 4,812,965 a remote inspection system for franking machines, which is based on special messages in the imprint of mailpieces that must be sent to the headquarters, or on a remote query via MODEM. Sensors within the franking machine should detect any adulteration action taken, so that a flag can be set in associated memories if the postage meter machine intervened for manipulation purposes. Such intervention could be to load an unpaid balance into the registers.

Upon detection of tampering, the postage meter will be disabled during remote inspection via modem by a signal originating from the data center. On the other hand, skilful manipulation could be to return the flag and registers to their original state after making unfilled franking imprints. Such manipulation would not be detectable via remote inspection by the data center if this undone manipulation was prior to the remote inspection. Also, the receipt of the postcard from the data center, on which to be carried out for inspection purposes franking should allow the manipulator to restore the postage meter in sufficient time to the original state. Thus, no higher security can be achieved yet.

The disadvantage of such a system is that it can not be prevented that a sufficiently skilled manipulator breaking into the franking machine subsequently removes its left-over traces by deleting the flags. Also, it can not be prevented that the impression itself is manipulated, which is produced by a properly operated machine. In known machines, there is the possibility of producing impressions with the postage value zero. Such zero frankings are needed for testing purposes, and could also be counterfeited by simulating a postage value greater than zero.

A security print according to the FP's own European patent application EP 576 113 A2 provides symbols in a marking field in the franking stamp, which contain a cryptified information. This allows the postal authority, which interacts with the data center, to detect a manipulation of the franking machine at any time from the respective security print. Although a current control ⁿ is such provided with a security imprint of mail ^ting via appropriate security markings in the stamp image technically possible, but this means an extra effort in the post office. In a sample-based control, however, a manipulation is usually detected late.

On the other hand, in the data center, an additional evaluation with regard to a user of a franking machine, the user beyond the inspection date was continued. However, it has not yet been possible to conclude a manipulation based on this forgery from this information.

In US 4,251,874, a mechanical printing unit that must be preset for printing is used with a detector to monitor the preset. Furthermore, means for detecting errors in data and control signals are provided in the electronic accounting system. If this number of errors reaches a predetermined value, further operation of the franking machine is interrupted. However, the sudden failure of the postage meter machine is disadvantageous to the postage meter user. On the other hand, in the case of a nonmechanical printing principle, hardly such internal errors are to be expected, and in the event of a serious error, the franking machine is anyway to be switched off anyway. In addition, the security against manipulation of the franking machine is hardly increased by the franking machine is switched off after a predetermined number of errors.

From US 4 785 417 a postage meter with a program sequence monitoring is known. The correct sequence of a larger program piece is controlled by means of a special code associated with each program part, which is stored in RAM when the program piece is called in a specific memory cell. It is now checked whether the stored in the aforementioned memory cell code is still present in the currently running program part. If during a manipulation the course of a program part is interrupted and another program part is running down, an error can be detected by such a control question. However, the comparison can only be carried out in the main sequence. Subsidiary processes, for example safety-related calculations, which are used by several main processes, can be monitored by such monitoring but are not checked for execution of the program part, because the program control is independent of the program sequence. If it is manipulated on the basis of permitted program parts and secondary processes in such a way that secondary processes are additionally integrated into main processes or omitted from later processes or branched to secondary processes, then no error would be detected, since neither the length of the program part can be determined nor determined Program branch how often was passed.

Another type of expected manipulation is the reloading of the postage meter registers with a non-cleared credit value. This results in the requirement of a secure recharge. An additional security measure, according to US 4 549 281, is the comparison of an internal fixed combination stored in a nonvolatile register with an input external combination, wherein after a number of failed attempts, i. Non-identity of the combinations, the franking machine is locked by means of an escapement electronics. According to US 4 835 697, in order to prevent unauthorized access to the franking machine, the combination can be changed in principle.

From US 5,077,660 a method for changing the configuration of the franking machine is also known, wherein the franking machine can be switched by means of a suitable input via a keyboard from the operating mode in a configuration mode and a new meter type number can be entered, which corresponds to the desired number of features. The franking machine generates a code for communication with the computer of the data center and the input of the identification data and the new meter type number in the aforementioned computer, which also generates a corresponding code for transmission and input to the postage meter, in which both codes are compared. With agreement In both codes, the franking machine is configured and switched to the operating mode. As a result, the data center always has accurate records of the respectively set meter type for the corresponding franking machine. However, security depends solely on the encryption of the transmitted code.

In addition, EP 388 840 A2 discloses a comparable safety technology for setting a franking machine in order to clean it of data without the franking machine having to be transported to the manufacturer. Again, security depends solely on the encryption of the transmitted code.

Secured reloading of a postage meter with a balance has already been linked in US 3 255 439, on the one hand, to automatic signal transmission from the postage meter machine to the data center, whenever a predetermined sum of funds that has been franked or pieces of processed mailpieces or a predetermined time period has been reached. Alternatively, a signal corresponding to the funds amount, quantity or time period can be transmitted. In this case, the communication takes place by means of binary signals via connected via a telephone line converter. The machine receives an equally secure recharge according to the credit balance and blocks in case no credit is re-delivered.

From US Pat. No. 4,811,234 it is known to encrypt the transactions while interrogating the registers of the franking machine and transmitting the register data to the data center to indicate a temporal reference to the reduction of the authorized amount stored in the register. On the one hand, the postage meter identifies itself at the data center when a presettable threshold is reached is, by means of their encrypted register content. On the other hand, the data centers modified by appropriate authorization signals the desired franking amount, to which may be franked. Encryption is thus the only security against manipulation of the register statuses. Thus, if a manipulator duly loads always the same amount at equal time intervals, but in the meantime with the manipulated franking machine franked a much higher amount than he has paid, the data center can not detect any manipulation.

It is known from EP 516 403 A2 to regularly transmit the error of the franking machine which has been recorded in the past and stored in a memory to a remote error analysis computer for evaluation. Such a remote inspection allows an early warning of an error occurring and allows further action (service) to be taken. But this alone does not provide a sufficient criterion for manipulation.

According to GB 22 33 937 A and US 5 181 245 the postage meter communicates periodically with the data center. A blocking means allows the postage meter to be blocked after a predetermined time or after a predetermined number of operation cycles and provides a warning to the user. For unlocking an encrypted code must be entered from the outside, which is compared with an internally generated encrypted code. In order to prevent incorrect billing data from being delivered to the data center, the billing data is included in the encryption of the aforementioned code. The disadvantage is that the warning takes place at the same time as blocking the franking machine, without the user having a chance of correspondingly changing his behavior in a timely manner.

From US Pat. No. 5,243,654 a franking machine is known, where the current time data supplied by the clock / date module is compared with stored shutdown time data. If the stored shutdown time is reached by the current time, the franking machine is deactivated, that is, prevents printing. When connecting to a data center, which reads the billing data from the rising register, the franking machine is transmitted an encrypted combination value and set a new deadline, whereby the franking machine is made operational again. In this case, the amount of consumption sum which sums up the spent postage and is read by the data center is also part of the encrypted transmitted combination value. After the decryption of the combination value, the consumption sum amount is separated and compared with the consumption sum amount stored in the postage meter machine. If the comparison is positive, the lock on the franking machine is automatically canceled. By means of this solution it is achieved that the postage meter machine periodically reports at the data center in order to transmit billing data. However, cases of use are quite conceivable, where the postage to be franked fluctuates (seasonal operation). In these cases, the franking machine would disadvantageously often be blocked unnecessarily.

From US 4,760,532 a mail handling system with postal value transfer and billing capability is known. In this case, information is transmitted to the data center via telephone by means of the touch-tone method widely used in the USA. By pressing a corresponding key on the telephone, the operator can transmit a digit. Information from the data center is transmitted by computer voice to the operator, who transfers the transmitted values to the computer Must enter postage meter. For fund return transfer, the transfer of a negative postal fund to a mailing device is provided in a first step for establishing a communication with a central station. The central station monitors the total amount of mail (residual credit) stored in the mailing device. In a second step, the aforesaid central station is provided with information related to a desired change in order to reduce the total amount of postage available in the aforesaid mailing device and with a unique identification as to the aforesaid mailing device. A third step involves receiving from the central station and inputting a first unique code into the aforesaid mailing device, wherein the inputting is operated to reduce the total amount of postal values stored in the mailing device in accordance with the aforesaid request. And in the fourth step, generating a second unique code in the mailer is provided when the first unique code has been entered into the mailer, the second unique code providing an indication such that the aforesaid postal value available for printing the mail , has been reduced in the aforementioned postal device.
If, however, the transmission is disturbed or interrupted, no first code is received by the data center and the funds in the franking machine remain unchanged, while a reversal has already been made in the data center. Of course, for checking, the register statuses of the franking machine could be queried in order to compare them with those stored in the data center. It is to be feared that a potential manipulator would refrain from the latter. In US Pat. No. 4,760,532, the transfer of the aforementioned second unique code to the central station is provided as a concluding method step. Under the conditions of touch-tone Procedure is again pressing numeric buttons required, which is cumbersome and usually not free of input errors in multi-digit code. In addition, it is provided to generate from the data center a third unique code to transfer the returned balance to another franking machine. Thus, the responsible authority can be damaged by errors during transmission. Thus, in the case of the positive and negative remote value specification, the same question arises as to how a synchronicity of the data in the central office and postage meter machine can be achieved in a simple manner.

It was the object to solve, to provide a method for improving the security of franking machines and to ensure a significant increase in security in the credit transfer.

A distinction should be made between authorized action (service technician) and unauthorized action (intent to manipulate) and increased security against manipulation. Another task is to improve the security of communication with the data center when transmitting data in both directions.

The object is achieved with the features of claim 1.

On the one hand, the solution according to the invention is based on the knowledge that only data stored centrally in a data center can be adequately protected against manipulation. A significant increase in security and synchronicity in the stored data is achieved by data reporting prior to each predetermined action on the postage meter. It also increases in more or less large intervals reporting, in particular for reloading a credit in connection with the above-mentioned logging the security against a possible manipulation. The data to be stored centrally comprise at least the date, time, identification number of the franking machine (ID number or PIN) and the type of data (eg register values, parameters) when the postage meter machine is in communication with the data center. For the purpose of pre-synchronization of the data of the franking machine with the data of the data center, a specific default request for a first transaction can be used.

On the other hand, in order to increase security, a distinction is made between authorized action (service technician) and unauthorized action (manipulation intention) by means of the franking machine control unit in conjunction with steps for the execution of a negative remote value specification for retransferring a credit value to the data center Default request is transmitted to the data center and stored there and in the franking machine.

In this case, it is checked by the control unit of the franking machine, whether with predetermined actuating means a defined procedure for page entry into the special mode for negative remote value default made and a predetermined timeout was observed during the negative remote value specification, and if necessary further steps for automatically performing the communication must be performed to complete the retransmission if the previous steps to execute a negative handoff preset have been interrupted or erroneous encrypted data has been transmitted to the postage meter.

According to the invention, a communication between franking machine and data center takes place at least with encrypted messages, the DES algorithm preferably being used.

In order to solve the problem, the franking machine thus has at least two special modes. A first mode is provided to prevent fraudulent actions or manipulation of the franking machine on franking with postage values (kill mode). This inhibition may be lifted on the occasion of the next on-site inspection by a person authorized to do so. The postage meter machine has another mode to cause the postage meter to automatically communicate with the data center, if necessary, upon satisfaction of selected criteria. Such a further mode is according to the invention the special mode negative remote value transmission or a second (Sleeping) mode. After completing the special mode only a limited number of zero-frankings is possible in order to check the franking machine. If the intended number of pieces is used up, an automatic communication with the data center is forcibly triggered, which is thus informed and receives relevant register data. The franking machine is inhibited in the sleeping mode. By cooperating at least two of the aforementioned modes, the security in the handling of credits which are to be loaded into the postage meter machine or to be transferred back to the data center is increased in comparison to a fraudulent manipulation.

However, if a different than the predetermined operation during the turning on the postage meter machine for a page entry in the special mode negative remote value preset is selected, which is prohibited, the postage meter switches to the aforementioned first mode to lock the postage meter for a postage with a postage value (kill mode).

If necessary, in order to increase the security against tampering, a page entry previously made known to the authorized operator (service technician) by the data center is changed to the special mode negative remote value default. The future valid operating procedure can be at least partially transmitted in connection with at least one transaction during a positive or negative Fernwertvorgabe.

An authorized operator of the franking machine, preferably the service technician, performs a side entry into the special mode negative remote value preset a predetermined operator action, which is known only the data center, except the service technician. Here, a special flag is set, which is considered a special transaction request.

Monitoring by the control unit of the franking machine during the execution of a transaction in the special mode ensures that if the transaction is left unfinished, the transactions in the special mode negative remote value default are executed until the end. When the transaction is completed in special mode, the special flag is reset.

In addition, there is a time monitoring by the control unit of the franking machine during the execution of a transaction in special mode, which are effective in case of time-out or in the case of an unfinished transaction to complete the transaction.

Time monitoring also takes place on the part of the data center when a transaction in the special mode negative remote value default is made. The Register data of the franking machine can be checked centrally when a connection is again made to carry out a remote value specification, for example, to recharge a credit. Either the franking machine automatically resumes the connection to complete the transaction if the transaction is left unfinished, or the authorized service technician gives the data center a message about the current state of the postage meter until the end of the day, in order to cancel the data transferred in special mode negative remote value mode. Otherwise, the time monitoring by the data center after expiration of the predetermined time period results in recognition of the data transmitted in the special mode of negative remote value specification.

In a preferred variant, the security is increased by checking the operating sequence for compliance with a predetermined operating procedure in the franking machine and by checking the default request in the data center for compliance with a code stored there for a predetermined default request. It is possible to change the operating procedure in a time-dependent manner, wherein the same calculation algorithm is used in the data center and in the postage meter machine to determine a current operating procedure. A transfer of a valid operating procedure from the data center to the franking machine is thus superfluous.

In another variant, security is increased by a combination of a number of measures. In a first transaction, a distinctive logon occurs at the data center. In response to this, the latter transmits a new security flag X and / or a predetermined operating procedure for a page entry into the special mode negative remote value default to the franking machine, when the franking machine is switched on normally and the communication link is received, wherein in a first transaction, a predetermined default request has been stored in the data center and in the postage meter. In the data center, it is checked whether the transmitted default request corresponds to a predetermined default request. In the first transaction, for example, a new code word or security flag and / or operating sequence is transmitted to the franking machine and in a second transaction, the registered transaction is performed and according to the default request a default value in the corresponding memory of the franking machine and in order to check the transaction in one corresponding memory of the data center added.

For a side entry into the special mode negative remote value specification must be carried out by the service technician, the operation during the switching of the franking machine as it was transmitted from the data center, ie. at the same time as switching on, a specific key combination must be pressed.

In the second transaction, the reloading of the franking machine - according to the corresponding default value - takes place with a negative credit, so that the result is a residual value balance of zero.

The solution according to the invention further assumes that the funds stored in the franking machine must be protected from unauthorized access. The falsification of data stored in the postage meter data is so far complicated that the effort for a manipulator is no longer worthwhile.

Commercially available OTP processors (ONE TIME PROGRAMMABLE) can contain all safety-relevant program parts inside the processor housing, as well as the code for forming the message authentication code (MAC). The latter is an encrypted checksum attached to information. As a crypto algorithm, for example, Data Encryption Standard (DES) is suitable. In this way, MAC information can be attached to the relevant security and special flags or to the register data, thus maximally increasing the difficulty of manipulating the aforementioned flags or postal registers.

The method of enhancing the security of a postage meter capable of communicating with a remote data center and having a microprocessor in a controller of the postage meter further comprises forming a checksum in the OTP processor over the contents of the external program memory and comparing the result with a postage meter in the OTP processor stored predetermined value before and / or after expiration of the franking mode or operating mode, in particular during initialization (ie, when the postage meter is started), or in times in which is not printed (ie when the postage meter in standby mode is operated). In the event of an error, logging and subsequent blocking of the franking machine takes place.

In order to improve the security of franking machines against manipulation, a distinction is made between non-manipulated and manipulated operation of a franking machine by means of the control device by monitoring the duration of the execution of programs, program parts or safety-relevant routines during an operating mode and by running programs after Program parts or safety-related routines subsequent comparison of the measured running time with a predetermined duration. Even during a communication with it a manipulation in fraud intentions should be thwarted, in particular by a made in the communication mode Monitoring the observance of a certain time in special mode Negative remote value specification. The period of time from the sending of a third encrypted message by the postage meter machine to the receipt of the fourth encrypted message sent by the data center to the postage meter machine in the postage meter machine, which triggers a zeroing of the credit value upon verification, is monitored. It is contemplated that a decremental counter or an incremental counter will be used to detect exceeding the time t1 in the special mode as a safe indication of an unsuccessful transmission and that a special subprogram will be called which will prepare a re-execution of the special mode negative remote value preset and automatically triggers, so that the first and second transactions are automatically repeated.

In an optional variant, security is increased by additional input security means which is brought into contact with the postage meter to transfer a remaining balance from an authorized person back to the data center.

Figur 1,

Blockschaltbild einer Frankiermaschine,

Figur 2,

Ablaufplan nach der erfindungsgemäßen Lösung,

Figur 3a und 3b,

Darstellung der Sicherheitsabläufe der im Kommunikationsmodus befindlichen Frankiermaschine und Datenzentrum,

Figur 4,

Ablaufplan für den Frankiermodus nach einer bevorzugten Variante,

Figur 5,

allgemene Blockdarstellung eines Ablaufes mit zwei Transaktionen für das Nachladen mit einem Null-Guthabenwert,

Figur 6,

Blockdarstellung eines Ablaufes mit zwei Transaktionen für das Nachladen mit einem negativen-Guthabenwert,

Figur 7,

Ablaufplan zur Einspeicherung eines Sicherheits-Flags bzw. Codewortes nach der erfindungsgemäßen Lösung

Advantageous developments of the invention are characterized in the subclaims or are presented in more detail below together with the description of the preferred embodiment of the invention with reference to FIGS. Show it:

FIG. 1,

Block diagram of a franking machine,

FIG. 2,

Schedule according to the solution according to the invention,

FIGS. 3a and 3b,

Representation of the safety procedures of the franking machine and data center in communication mode,

FIG. 4,

Schedule for the franking mode according to a preferred variant,

FIG. 5,

general block diagram of a transaction with two transactions for reloading with a zero credit value,

FIG. 6,

Block diagram of a transaction with two transactions for reloading with a negative credit value,

FIG. 7,

Flowchart for the storage of a security flag or codeword according to the inventive solution

1 shows a block diagram of the franking machine according to the invention with a printer module 1 for a fully electronically generated franking image, with at least one plurality of actuating elements having input means 2, a display unit 3, and a communicating with a data center producing MODEM 23, which via an input / output Control module 4 are coupled to a control device 6 and a non-volatile memory 5 and 11 for the variable or the constant parts of the franking image.

A character memory 9 supplies the necessary pressure data for a volatile random access memory 7. The control device 6 has a microprocessor μ P connected to the input / output control module 4, to the character memory 9, to the volatile random access memory 7 and to the nonvolatile working memory 5, with a cost center memory 10, with a program memory 11, with the motor of a transport or feed device optionally with strip trigger 12, an encoder (encoder disk) 13 and with a clock / date module 8 communicates. The individual memory can be realized in several physically separate or not shown combined in a few modules, which are secured against removal by at least one additional measure, such as sticking on the circuit board, sealing or casting with epoxy resin.

FIG. 2 shows a flowchart for a franking machine with a security system according to a preferred variant of the solution according to the invention.

After the franking machine has been switched on in step 100, a functional test with subsequent initialization is then carried out within a start routine 101.

This step also includes a plurality of sub-steps 102 to 105 for storing a security flag or codeword-shown in greater detail in FIG. In a step 103, if a new security flag X 'exists in another predetermined memory location E of the non-volatile memory 5 according to step 102, this new security flag X' is copied to the memory location of the old security flag X, if there is none valid security flag X more stored. The latter equally concerns the case of authorized and unauthorized intervention, because with each intervention the old security flag X is deleted. Likewise, in another unauthorized action the security flag X can be deleted (kill mode). If there is no more valid security flag X stored, no postage value can be printed in franking mode 400. In case of non-intervention, no new code word has been transmitted. In this case, it does not copy and after step 104, the old security flag X remains in Memory received. Finally, the system routine 200 is reached with point s.

The system routine 200 includes several steps 201 to 220 of the security system. In step 201, the call of current data takes place, which is carried out below in connection with the invention for a second mode, namely for the sleeping mode. As shown in FIG. 2, it is checked in step 202 whether the criteria for entering the sleeping mode are met. If this is the case, a branch is made to step 203 in order to display at least one warning by means of the display unit 3. After the o.g. In any case, steps t will be reached.

Upon detection of a prohibited page entry (step 217), the aforementioned security flag X is deleted. The security flag X can also be a MAC-secured security flag, as well as an encrypted code. The checking for validity of the security flag X is carried out, for example, in step 409 of a franking mode 400 by means of a selected checksum method within an ONE TIME PROGRAMMABLE (OTP) processor which internally contains the corresponding program parts and also the code for forming a MAC (MESSAGE AUTHENTIFICATION CODE ), which is why the manipulator can not understand the nature of the checksum method. Other security-related key data and processes are stored exclusively inside the OTP processor, for example to supplement key data with the transferred from the data center to the postage meter new key so that with the key information so supplemented an encryption of messages can be made, which transmits to the data center become. On the other hand, the same security-relevant ones allow Key data or procedures to provide a hedge on the post office.

Another security variant, which does not require an OTP processor, is to make it more difficult to find the keys by coding them and storing them in different memory areas. Again, MACs are appended to each piece of information in the security-relevant registers. A manipulation of the register data can be detected by control over the MAC. This routine is performed in step 406 in the franking mode, which is shown in FIG. Thus, the difficulty of manipulating the postal registers can be maximized.

Upon a check in step 217, where a relevant defect has been detected and the security flag X cleared in step 209, the point e, i. reached the beginning of a communication mode 300 and in a - shown in Figures 2 and 3a - step 301 queried whether a transaction request exists. If this is not the case, the communication mode 300 is exited and the point f, i. the operating mode reaches 290. If relevant data has been transmitted in communication mode, branch to step 213 for data evaluation. Or else, if non-transmission is determined in step 211, step 212 is to be branched. It is then checked whether appropriate inputs have been made to enter test mode 216 at test request 212, otherwise to enter display mode 215 at intended register level check 214. If this is not the case, the point d, i. the franking mode 400 is reached.

In the case of a manipulation, the step 213 for statistics and error evaluation is achieved. On the Step 213, the display mode 215 is reached and then branched back to the system routine. The blocking can thus be advantageously carried out by the branching on the franking mode 400 is no longer executed. According to the invention, it is further provided that in step 213 a statistical and error evaluation is carried out in order to obtain further actual data which can also be called after branching to the system routine 200 in step 201, for example for an aforementioned second mode or another special mode.

Between the points s and t of the system routine 200, a plurality of further queries may be after fulfillment of further criteria for further modes. Further details regarding a query for a first mode, which serves to prevent the printing or to lock the postage meter, can be found in the German application P 43 44 476.8, methods for improving the safety of franking machines. In the case of an opening of the franking machine housing by authorized persons a written possibly telephone notification in the data center for authorized opening has been proposed, which notifies the opening date and time for the approximate beginning of opening. Before the franking machine can actually be opened, communication with the data center must be received via MODEM to request the opening authority and to load a new future code Y 'which can replace the old one.

In contrast, however, the presence of the security flag X is not interrogated between the points s and t but only in step 409 in the franking mode. This allows the service technician by loading the new security flag X 'yet after deletion of the aforementioned flag then the restore full functionality of the franking machine. This now also makes it possible, for example, to carry out a check as to whether an unauthorized action actually leads to the deletion of the security flag or codeword, or whether the deletion by manipulation has been prevented.

In case of authorized operation, it is recognized in step 217 shown in FIG. 2 that no prohibited page entry has been made. A permitted page entry, which was carried out for another input, has not been shown in detail in FIG. However, such a query criterion is also provided to detect, for example, in step 212 whether an operator action has been taken to enter a test mode. In the permitted page entry, which is not the correct page entry for the special mode of a negative Fernwertvorgabe for the purpose of funds return transfer from the franking machine to the data center, the system routine 200 is branched to the point e. Otherwise, at the correct page entry, a branch is made to step 220 to set a special mode entry flag. In a further refinement, a further query step 219 may be provided before step 220 in order to further increase the security against unauthorized calling of the special mode with a further criterion, in which case the system routine 200 is branched to the point e if the criterion is not met. For example, the interrogation step 219 shown in Figure 2 may query such another criterion as to whether the identification number (ID number or PIN) has been input. By the side entrance the security is already sufficiently high, so that in the interest of a simpler handling on such additional further Kriterinabfragen can be waived also. Another possibility in the interrogation step 219 shown in FIG. 2 is one such query another criterion, if at least n times the same predetermined default request was made and a corresponding default value was added to the credit residual, is also only optional and therefore shown in dashed lines in Figure 2. This can be a NULL default request, which results in the transmission of a NULL default value and can be added to the residual value without this changing the amount of the stored credit.

In order to further increase the security against manipulation, it is provided that the special mode flag N set in step 220 is also a MAC-secured flag N.

The security is additionally increased by a check in the data center, whether a predetermined default request has been transmitted by the franking machine. It is envisaged that the transmitted default request in the data center is interpreted as a code to perform a very specific transaction. The submitted default request can be coded in the data center as a code to allow fund redemption. Otherwise, the transmitted default request in the data center can be interpreted as a code to allow transmission for a security flag X or for an X codeword.

FIGS. 3 a and 3 b show a representation of the safety sequences of the franking machine in communication mode on the one hand and the safety sequences of the data center in communication mode on the other hand.

If the point e, ie the beginning of the communication mode 300 explained below, is reached, then a step is shown in FIGS. 2 and 3a 301 queried whether a transaction request exists. Such can, for example, to the credit balance, telephone number change, etc. are provided.

The user selects the communication or remote value default mode of the postage meter machine by entering the identification number (eight-digit postage code number). It is now assumed, for example, that the funds return transfer should take place at the level of the residual value remaining in the franking machine. In this case, first a register query of the Descendingregisters R1, which contains the residual stored. After switching off the franking machine, a page entry into the special mode is made when switching on again. After entering the identification number, the entry is confirmed with the teleset key and the default request is entered in the amount of the previously requested residual value. By entering the page, the default request is automatically evaluated as the default value to be subtracted. The default request is confirmed by pressing the Teleset button (T button). Since the residual value is also requested by the data center in every communication, a comparison can be made in the data center of both, i. of residual value and default request. Otherwise, in the special mode, the above-mentioned inputs for a preferred variant can also be automatically executed by the franking machine in order to simplify the operation.

Otherwise, for example, a communication should take place in order to load a new security flag X 'which can replace the old security flag X. If only such a transaction request is made, the default amount must be changed, because in this case, the credit in the postage meter, of course, must not be increased. On the other hand, another value other than zero can be agreed, in particular a Value that corresponds to only a minimum amount by which the descending register value would need to be increased.

FIG. 3 a shows that part of the communication of a transaction which is carried out with unencrypted messages. Nevertheless, these messages may contain data which are MAC-secured, for example the identification number of the franking machine.

In step 302, input of the identification number (ID No.) and the intended input parameters may be made in the following manner. With the ID no. it may be the serial number of the postage meter, a PIN or PAN (postage code number), which is acknowledged by actuation by means of a predetermined T key of the input means 2. In the display unit 3, the input parameter (default value) used in the last remote value specification (recharge) appears, which is now overwritten or retained by the input of the desired input parameter. The input parameter is a combination of numbers, which is understood in the data center as a request, for example, to transmit a new security flag or code word X ', if an intervention authority has previously been obtained. If the aforementioned input parameter is entered incorrectly, the display can be cleared by pressing a C key.

For example, a change is entered to load a zero credit on a transaction, but no intervention authority is previously obtained. Thus, the input parameter serves only as a new default value. However, neither the credit for frankings is increased in value, if the input parameter has the value zero, nor loaded a new security flag. However, a quantity S 'can be transmitted in each communication, as well as the German application P 43 44 476.8, method for improving the safety of franking machines, it can be seen.

Only by the previous notification, for example by means of a separate call to the data center or another form of communication, the data center is informed that a new security flag X 'is to be transmitted to the franking machine, if subsequently within a predetermined period of time by the postage meter a transaction for the value zero is started. The request for intervention is only deemed to be made if, after the registration of an authorized intervention, the franking machine enters the communication mode agreed in this way.

However, if an arbitrarily different input parameter is previously agreed with the data center, if this input parameter is entered except for the transmission of a new security flag X 'corresponding to the pre-agreed code which is formed by the predetermined default request, then a recharge of the credit corresponding to the entered default value will result in a second one Transaction effected.

If an input parameter other than the agreed one is entered, this results in the result merely for recharging in the amount of the selected new default amount, where, however, unlike the other transaction data, the default amount need not be transmitted to the franking machine. Rather, the fact that a valid transaction has been verified is sufficient for the postage meter to increase or decrease the Descending Register content by the default amount according to the stored default request.

If the desired input parameter is displayed correctly, this is confirmed by re-pressing the predetermined T-key of the input means 2. In the display unit 3 then appears a representation according to an input parameter change or according to the non-change (old default value).

By pressing the predetermined T-key, the change of the input parameter via MODEM connection is started. The input is checked (step 303) and the rest of the process is performed automatically, the process being accompanied by a corresponding indication.

For this purpose, the franking machine checks whether a MODEM is connected and ready for operation. If this is not the case, a branch is made to step 310 in order to indicate that the transaction request must be repeated. Otherwise, the postage meter reads the dialing parameters consisting of the outdialing parameters (main / extension, etc.) and the telephone number from the NVRAM memory area F and sends them to the modem 23 with a dial request command MODEM 23 with the data center in a step 304.

In the figure 3a is also shown on the left half of the parallel sequence in the data center, which is necessary for the communication. In step 501 it is constantly checked whether a call has been made in the data center. If this is the case, and the MODEM 23 has dialed the opposite side, the connection is also established in the data center in step 502. And in step 503 is constantly monitored whether the connection to the data center has been solved. If this is the case, after an error message in step 513, a branch back to step 501.

At the same time, the franking machine monitors in step 305 whether communication errors have occurred and if necessary branches back to step 304 in order to reestablish the connection from the postage meter machine. After a predetermined number n inconclusive redial attempts to establish a connection is branched back to the point e via a display step 310. If there was no detectable error in step 305, it is determined in step 306 by the postage meter machine that the connection is established and a transaction is yet to take place, is branched to step 307 to an opening message or to identification, Vorspann- or To send register data. In subsequent step 308, the same check as performed in step 305, i. if a communication error has occurred, a branch is made back to step 304. Otherwise, an opening message was sent from the postage meter machine to the data center. In it is u.a. the postage number for the notice of the caller, i. the postage meter, at the data center included.

This opening message is checked for plausibility in the data center in step 504 and further evaluated by subsequently checking again in step 505 whether the data has been transmitted without errors. If this is not the case, a branch back to the error message to step 513. If, on the other hand, the data is error-free and in the data center is recognized that the postage meter has made a recharge search, so in step 506 a reply message to the postage meter is sent as a header. In step 507, it is checked whether the preamble message including preamble end has been sent in step 506. Is not that If so, then branch back to step 513.

In the franking machine, it is checked in step 309 whether a header has now been sent or received as a reply message by the data center. If this is not the case, the program branches back to step 310 and then a transaction request is queried again in step 301. If a header has been received and the postage meter machine has received an OK message, a check of the preamble parameters with respect to a telephone number change takes place in step 311. If an encrypted parameter has been transmitted, there is no telephone number change and a branch is made to step 313 in FIG. 3b.

FIG. 3b shows the safety sequences of the franking machine in communication mode and, in parallel, those in the data center.

In step 313, a start message is sent in encrypted form from the postage meter machine to the data center. In step 314, the message is checked for communication errors. If there is a communication error, the program branches back to step 304 and another attempt is made to establish the connection to the data center in order to send the start message in encrypted form.

From the data center, this encrypted start message is received if in step 506 the preamble message has been completely sent and in step 507 the preamble end has been transmitted. In step 508, it is checked in the data center whether it has received the start message and the data in Order are. If this is not the case, it is checked in step 509 whether the error can be corrected. If the error can not be corrected, branching is made to step 513 after an error message has been transmitted from the data center DZ to the franking machine FM in step 511. Otherwise, an error handling is performed in step 510 and branched to step 507. If the reception of proper data is detected in step 508, the data center begins to perform a transaction in step 511. In the aforementioned example, at least the identification number is transmitted by means of an encrypted message to the franking machine, which receives the transaction data in step 315.

In subsequent step 316, the data is checked. If there is an error, branch back to step 310. Otherwise, in the data center, a storage of the same aforementioned data takes place in step 512, as in the postage meter machine. In step 318, therefore, the transaction with the data storage is completed in the franking machine. Subsequently, a branch is made back to step 305. If no further transaction takes place, step 310 and then step 301 are reached for display.

If now no transaction request is made, it is checked in step 211 according to Figure 2, whether data has been transmitted. If data has been transmitted, step 213 is reached. According to the input request, the franking machine places the current default request or the new code word Y 'or other transaction data, for example, in the memory area E of the nonvolatile memory 5.

If, however, a different number combination than zero is entered as the input parameter in step 302 and the input was correct (step 303), a connection is established (Step 304). And if a connection is established without error (step 305) (step 306), an identification and preamble message is sent to the data center. In this opening message, among other things, the postage request number PAN for identifying the postage meter machine at the data center is also included. The data center recognizes from the entered combination of numbers, if the data is error-free (step 505), that for example a credit with a default value is to be increased in the franking machine.

If in the meantime the current telephone number of the data center has changed, measures must be taken that it is stored in the franking machine. In step 506, a reply message is then sent, unencrypted, from the data center with the elements of change of telephone number and current telephone number. The postage meter machine receiving this message recognizes in step 311 that the telephone number is to be changed. Now, step 312 is branched to store the current telephone number. Subsequently, branching back to the step 304. If the connection is still established and there is no communication error (305), then in step 306 it is checked whether another transaction should take place. If this is not the case, a branch is made via step 310 to step 301. The transmission of the telephone number can also be MAC-secured.

After the current telephone number has been stored, the franking machine automatically establishes a new connection to the data center with the aid of the new telephone number. The actual, user-intended transaction, remote value specification of the new security flag X 'or transmission of a suitable encrypted message for verification to recharge the residual value credit according to a default request is thus automatically, ie without further intervention by the user of the franking machine performed. A message appears in the display saying that the connection is automatically rebuilt due to the change in the telephone number.

It is envisaged that after an intervention, the franking machine is controlled in the communication mode 300. The authorized person can also inform the data center of the completed check afterwards. Communication may include phone number storage, as well as a credit recharge. Without interrupting the communication so several transactions can be performed.

If the amount of the credit to be reloaded is to remain at the same level as the last credit reload, only one transaction is necessary.

However, if you want to change the amount of credit to be reloaded, two transactions are required. Both transactions are done in a similar way.

A successful transaction proceeds as follows: The franking machine sends its ID number and a default value for the amount of the desired Nachladeguthabens possibly together with a MAC to the data center. The latter checks such a transmitted message against the MAC in order then to send an likewise MAC-secured OK message to the franking machine. The OK message no longer contains the default value.

It is envisaged that the transmission of a new security flag X 'or of relevant data for a change in the credit amount in the franking machine in encrypted form, but the transmission of telephone number in unencrypted form takes place. However, a MAC hedge is additionally possible. If it is determined in the data center that the connection to the franking machine has been released (step 503), or if erroneous data (505) or unrecoverable errors (509) are present or no end of bias has been sent (507), the communication is terminated. After an error message, the communication connection is released, the stored data is stored and evaluated by the data center in step 513.

During a first transaction, at least one encrypted message is transmitted to the data center as well as to the franking machine. The default request is included only in the encrypted message of the first transaction. Each submitted message containing security-related transaction data is encrypted. As encryption algorithm for the encrypted messages, for example, the DES algorithm is provided.

A transaction request leads to a specially secured credit recharge in the franking machine. Preferably, the post registers outside the processor in the cost center memory 10 are also secured during the credit recharge by means of a time control. For example, if the postage meter is being observed with an emulator / debugger, then the communication and billing routines are unlikely to expire within a predetermined time. If this is the case, ie the routines take considerably longer, a part of the DES key is changed. The data center may detect this modified key during a register polled communication routine and then report the postage meter as suspect as soon as Step 313, a start message is sent encrypted.

In the data center, it is determined in step 509 that the error is not recoverable. The data center can then not perform a transaction (step 511) because it has branched back to step 513. Since no data was received in the meter at step 315, the transaction was not done correctly (step 316). Then, it is then branched back via step 310 to step 301 in order to recheck after an indication whether a transaction request is still made.

If this is not the case, the communication mode 300 is exited and the point f, i. the operating mode reaches 290. Thus, in the case discussed above, with modified DES keys, no data could be transmitted (step 211). Also, it is assumed that neither a test request (step 212) nor a register polling (step 214) has been caused to check the remaining balance. But then the franking mode 400 is reached.

The security presupposes in case of an authorized intervention, the reliability of the authorized person (service, inspector) and the possibility to check their presence. The control of the seal and the control of the registers in an inspection of the franking machine and independent of the data in the data center then provides the verification security. The control of the postage stamped postage including a security imprint provides an additional verification security.

The postage meter performs the register check regularly and / or at power up and thus can detect the missing information if in the machine unauthorized intervention or if it had been operated unauthorized. The franking machine is then blocked. Without the invention in conjunction with a security flag X, the manipulator would easily overcome the blockage. However, the security flag X is lost and it would cost the manipulator too much time and effort to determine the valid MAC-secured security flag X or codeword by experiments. In the meantime, the franking machine would have long since been registered as suspect in the data center.

Other variants or a combination with other variants, such as the deletion of part of the DES key or the redundant register states or deletion of other data or keys, which are important for the data center in a transaction, are included in the inventive concept. It is essential that critical program parts are stored in the OTP and the program runtime monitoring means are software and / or hardware components of the OTP. With these program parts, the critical programs stored externally by the OTP in the program memory PSP 11 can be monitored. The advantage is that the monitoring program itself can not be observed or manipulated because it constantly remains in the OTP and can not be read.

A suitable processor type is, for example, the TMS 370 C010 from Texas Instruments, which has a 256 bytes E ² PROM. Thus, security-relevant data (keys, flags, etc.) can be stored tamper-proof in the processor.

If a manipulator makes an unauthorized intervention, the postage meter machine is moved by transferring into the first mode is effectively prevented from franking with a postage value.

The potential manipulator of a franking machine must overcome several thresholds, which of course takes a certain amount of time. If there is no connection from the franking machine to the data center at certain intervals, the franking machine is already suspect. It is assumed that the one who commits a manipulation of the franking machine, will hardly report back to the data center.

During an inspection, first the seal of the franking machine is checked for integrity and then the register statuses. If necessary, a test print with the value 0 can be made. In the event of a repair by the on-site service, it may be necessary to intervene in the franking machine. The error registers can be read, for example, with the aid of a special service EPROM, which is plugged into place of the advert EPROM. When this EPROM slot is not accessed by the processor, access to the data lines is usually prevented by special driver circuitry (not shown in FIG. 1). The data lines, which can be reached here by a sealed housing door, thus can not be contacted without authorization. Another variant is the reading out of error register data by a service computer connected via an interface. To prepare for the intervention, the registers of the franking machine are queried to determine the type of intervention required. Before intervening in the franking machine and the housing is opened, there is a separate call to the data center. If then within a predetermined period of time, the default value is changed to zero and the data center in the context of a transaction transmitted, ie the type of intervention and the register data has been communicated to the data center, there is a transfer of data from a data center to the postage meter according to a requested authorized intervention in the postage meter, which is logged as a permitted intervention.

If, within a predetermined period of time, the default value is changed to a value other than zero and transmitted to the data center in the context of a transaction, a previously made separate call to the data center will have no consequences, ie. a request for intervention is deemed not to have been filed and no authorization for authorized intervention in the postage meter machine is granted, and consequently no new security flag or code word X 'is transmitted.

The franking machine is able to distinguish between requested authorized and unauthorized intervention in the franking machine by means of the control unit of the franking machine in conjunction with the data transmitted from the data center, wherein in unauthorized intervention in the postage meter this action is logged as an error case, but after authorized intervention the original operating state is restored to the franking machine by means of the aforementioned transmitted data.

The explanation of the processes according to the franking mode shown in FIG. 4 takes place in conjunction with the flowchart shown in FIG. It is also in times in which is not printed (standby mode) provided that a query is made regarding manipulation attempts and / or the checksum of the register states and / or on the contents of the program memory PSP 11 is formed. The aforesaid check sum is MAC-backed by the franking machine manufacturer in the non-volatile memory 5 (Memory area E of the NV-RAM). To check the contents of the program memory PSP 11, the checksum is again determined and formed using a stored key remained unchanged a MAC. The aforementioned key is a tamper-proof (non-readable) subkey. Now the old MAC-secured is loaded from the NV-RAM 5 and compared with the newly determined MAC-secured checksum in the OTP. To improve the security against manipulation, in another variant for a kill mode 2, the checksum is formed in the processor via the content of the external program memory PSP 11 and the result is compared with a predetermined value stored in the processor. This is preferably done in step 101 when the postage meter machine is started or in step 213 when the postage meter machine is operating in standby mode. The standby mode is reached when no input or print request is made for a predetermined time. The latter is the case when a ansich known - not shown - letter sensor determines no next envelope, which should be franked. The step 405 in the franking mode 400, shown in FIG. 4, therefore includes yet another interrogation after a time lapse or after the number of passes through the program loop, which ultimately leads back to the input routine according to step 401. If the query criterion is met, a standby flag is set in step 408 and branched back directly to the point s to the system routine 200, without the billing and printing routine in step 406 is traversed. The standby flag is retrieved later in step 211 and reset after the checksum check in step 213, if no tampering attempt is detected.

The query criterion in step 211 is extended by the question whether the standby flag is set, ie whether the standby mode is reached. In this case, a branch is also made to step 213. A preferred variant is to delete the security flag X in the manner already described if a manipulation attempt has been detected in the standby mode in the aforementioned manner in step 213. The specially saved special flag N can also be checked in step 213, in particular if it is MAC-secured, by comparing the flag content with the MAC content. The absence of the safety flag X is recognized in the query step 409 and then branched to the step 213. The advantage of this method in conjunction with the first mode is that the manipulation attempt is statistically detected in step 213.

FIG. 4 shows the flow chart for the franking mode according to a preferred variant. The invention is based on the fact that, after switching on, the postage value in the value impression corresponding to the last input before switching off the franking machine and the date in the day stamp are preset according to the current date, that for the impression the variable data is stored in the fixed data for the frame and be electronically embedded for any related data that remains unchanged.

The number strings (sTrings), which are input for generating the input data with a keyboard 2 or via an electronic balance 22 which calculates the postage value and is connected to the input / output device 4, are automatically stored in the memory area D of the non-volatile main memory 5. In addition, data sets of the sub-memory areas, for example Bj, C, etc., are also retained. This ensures that the last input variables are retained even when the franking machine is switched off, so that after switching on, the postage value in the value impression automatically corresponds the last entry before turning off the franking machine and the date in the day stamp is given according to the current date.
If a balance 22 is connected, the postage value is taken from the storage area D. In step 404, it waits until one is currently stored. In the case of a renewed input request in step 404, branching back to step 401 is again effected. Otherwise, a branch is made to step 405 to await the print output request. By a letter sensor, the letter to be franked is detected and thus triggered a print request. Thus, the billing and printing routine may be branched in step 406. If there is no print output request (step 405), it branches back to step 301 (point e).

Since, according to the variant shown in FIG. 4, branching back to point e and step 301 is reached, a communication request can be made at any time or another input can be made according to the steps test request 212, register check 214, input routine 401.

Another query criterion may be queried in step 405 to set a standby flag in step 408 if there is no print output request after a predetermined time. As already explained above, the standby flag can be interrogated in step 211 following the communication mode 300. This does not branch to the franking mode 400 until the checksum check has given the fullness of all or at least selected programs.

If a print output request is detected in step 405, further queries are made in subsequent steps 409 and 410 as well as in step 406 made. For example, in step 409, the presence of a valid security flag X or a corresponding MAC-secured flag X, the reaching of a further piece number criterion and / or in step 406 the registered in a known manner for billing register data queried. If the number of items predetermined for franking has been used up in the preceding franking, ie number of items equal to zero, the system automatically branches to the point e in order to enter the communication mode 300, so that a new predetermined number S is again credited by the data center. However, if the predetermined number of items has not yet been consumed, the process branches from step 410 to the billing and printing routine in step 406.

The number of printed letters, and the current values in the postal registers are registered according to the entered cost center in the non-volatile memory 10 of the franking machine in a billing routine 406 and are available for later evaluation. A special Sleeping Mode counter is caused to count on a count step during the billing routine immediately before printing.

If necessary, the register values can be queried in display mode 215. It is also provided to print the register values with the printhead of the postage meter machine for billing purposes. This can be done, for example, as already explained in more detail in German Patent Application P 42 24 955 A1.

In another variant, it is further provided that variable pixel image data are also embedded in the remaining pixel image data during printing. In accordance with the encoder 13 delivered position message on the feed of the mail or

Paper strip in relation to the printer module 1, the compressed data are read from the working memory 5 and converted by means of the character memory 9 in a binary pixel data having print image, which is also stored in such a decompressed form in the volatile memory 7. Further details can be taken from the European applications EP 576 113 A2 and EP 578 042 A2.

The pixel memory area in the pixel memory 7c is thus provided for the selected decompressed data of the fixed parts of the franking image and for the selected decompressed data of the variable parts of the franking image. After billing, the actual print routine is performed (at step 406). As can be seen from FIG. 1, the main memory 7b and the pixel memory 7c communicate with the printer module 1 via a printer controller 14 having a print register (DR) 15 and an output logic. The pixel memory 7c is connected on the output side to a first input of the printer controller 14, at the other control inputs output signals of the microprocessor control device 6 abut. If all columns of a printed image have been printed, the system routine 200 branches back again.

The transmission of a new quantity S 'can then take place in the same way as has already been explained in connection with the transmission of the new security flag X'. In a communication according to FIGS. 3 a and 3 b, a new predetermined number of pieces S 'is then transmitted and decremented as a quantity S while the franking is running. From the new predetermined number S 'internally the comparison piece number S _{ref is} calculated (step 213). Thus, in step 203, a warning "CALL FP" can be issued before reaching the number zero. The user of the franking machine is requested in Communication with the data center to perform at least one ZERO remote value default for Nachkreditierung least S of the number.

In FIG. 5, the transaction with two transactions for the reloading with a credit value, preferably with a zero credit value, is shown simplified. Such a ZERO prefix always includes two transactions.

The first transaction of communication with the data center DZ involves the communication of a predetermined default request. In order to establish the consistency of the register states between the data center DZ and the franking machine FM, a NULL default request is suitable. Such, during a second transaction, results in a NULL default value that can be added to the Descending Register value without changing the value of the remaining credit.

In a normal entry into the communication mode, after the start of the postage meter machine, in step 218 the system routine 200 shown in FIG. 2 is queried as to whether the user has made a correct page entry. If this is not the case, the system routine 200 is branched to the point e. A message will appear on the display informing you if the PIN is entered and the Teleset key (T key) is pressed. In addition, the previous default value is displayed, which can be overwritten by the new default request NULL. After the zero entry, the T key is pressed again. Now there is a transaction request and the communication can be done.

The first step during a first transaction includes after entering the communication mode (positive remote value default or Teleset mode) one Sub-step 301 for checking for a submitted transaction request and further sub-steps 302 to 308 for entering the identification and other data to establish the communication connection and for communicating with unencrypted data to transmit at least identification and transaction type data to the data center.

It is contemplated that a first step of the first transaction includes sub-steps 301-308 of the meter to establish the connection, communicate with unencrypted data, and transmit at least identification, transaction type, and other data to the data center. The transaction type data (1 byte), the message to the data center DZ subsequent to the teleset mode for a desired positive Fernwertvorgabe with the identified postage meter to perform.

A second step of the first transaction comprises sub-steps 501 to 506 in the data center, to receive the data and to check the identification of the franking machine and to transmit an unencrypted o.K. Message to postage meter. The second step of the first transaction also includes sub-steps to branch to a quiescent state point q in sub-step 501 in the data center in case of erroneous unencrypted messages 505 via an error message sub-step 513 until the communication by a postage meter machine is resumed.

A third step of the first transaction comprises sub-steps 309 to 314 of the franking machine, for forming a first encrypted message Crypto cv by means of a first key Kn stored in the postage meter and for transmitting encrypted data to the data center, comprising at least the default, identification and postregister data. In a further embodiment of the security measures, this encrypted message also includes data in the form of CRC (Cyclic Redundancy Check) data. The default request, the identification, postal register and other data, such as a checksum (CRC data) are transmitted in a message encrypted with the DES algorithm.

A fourth step of the first transaction, which includes sub-steps 507 through 511 in the data center, is for receiving and decrypting the first encrypted message. A test for decryptability is performed by means of a key stored in the data center. If successful, a calculation is made in the data center to form a second key Kn + 1 corresponding to the key used by the postage meter. Subsequently, a second encrypted message crypto Cv + 1 is formed which contains at least the aforementioned second key Kn + 1, the identification and the transaction data, wherein the encryption is again used the DES algorithm. Finally, a transfer of the second encrypted message crypto Cv + 1 to the franking machine is provided.

Further sub-steps are used to branch to a hibernation state 501 in the data center upon detection of irrecoverably erroneous encrypted messages in sub-step 509 via a sub-step 513 until the communication is resumed by a postage meter machine. Substeps are also provided to correct erroneous encrypted messages found in sub-step 509 but with recoverable errors, to a sub-step 510 for canceling the previous transaction, and then to sub-step 511 in FIG Branch data center. This sub-step is for forming a second key Kn + 1 to be transmitted encrypted to the postage meter, for forming a second encrypted message crypto Cv + 1, and for transmitting the encrypted message to the postage meter. In addition, the fourth step of the first transaction includes a sub-step 512 of the data center for storing the default request, from which the first sub-step 701 of the second step of the second transaction is branched to the first key Kn as the predecessor key and the second key Kn + 1 as Successor key to save.

A fifth step of the first transaction, comprising sub-steps 315-318 of the postage meter, is for receiving and decrypting the second encrypted message, extracting at least the identification data and the transmitted second key Kn + 1 _{Cv + 1} , and verifying the received encrypted _ones Message based on the extracted identification data. Upon verification, the transmitted second key Kn + 1 _{Cv + 1} and the default _request are stored in the postage meter machine. Otherwise, if not verified, the first step of the first transaction is branched back.

After this pre-synchronization of the data center by the franking machine starts a second transaction, which is preferably triggered by an additional manual input in step 602. As a result of this temporary input, the second transaction is triggered or the second transaction is left in communication mode when the input time is exceeded. Preferably, the T key must be pressed within 30 seconds, or the input time is exceeded, and it branches back to the first step of the first transaction. The Communication can now be omitted or repeated as needed.

A first step of the second transaction comprises sub-steps 602-608 of the franking machine for communicating with unencrypted data to establish the connection and to transmit at least identification and transaction type data to the data center.

A second step of the second transaction, comprising sub-steps 701-706 of the data center, is to receive the data and to check the identification of the postage meter and to transmit an unencrypted o.K. Message intended for franking machine. It is further contemplated that the second step of the second transaction comprises sub-steps to branch to a hibernation state 501 in the data center in the case of erroneous unencrypted messages 705 via a sub-step 513 for the error message, until the communication by a postage meter machine is resumed.

A third step of the second transaction comprises sub-steps 609-614 of the postage meter to form a third encrypted message crypto cv + 2 using the aforementioned second key Kn + 1 stored in the postage meter and transmitting the third encrypted message crypto cv + 2 to the data center at least identification and post-register data, but without data for a default value.

A fourth step of the second transaction, which includes sub-steps 707 through 711 of the data center for receiving and decrypting the third encrypted message crypto Cv + 2, performs its decryptability check by means of a key stored in the data center. Then there is a Forming a third key Kn + 2 to be transmitted encrypted to the postage meter, forming a fourth encrypted message crypto Cv + 3 containing at least the aforementioned third key Kn + 2, the identification and the transaction data and transmitting the fourth encrypted message Message crypto Cv + 3 to the postage meter.

The fourth step of the second transaction includes sub-steps to branch to an idle state 501 in the data center for a non-recoverable encrypted message (sub-step 709) via an error message sub-step 513 until communication from a postage meter machine is resumed. In the case of erroneous encrypted messages with recoverable errors found in step 709, a branch is made to step 710 to cancel the previous transaction. Thereafter, in the data center in sub-step 711, a third key Kn + 2 is formed, which is to be transmitted encrypted to the postage meter machine. To form a fourth encrypted message crypto Cv + 3 again the DES algorithm is used. Subsequently, the encrypted message is transmitted to the franking machine.

It is further contemplated that the fourth step of the second transaction to store the default value comprises a sub-step 712 of the data center branching to the first sub-step 501 of the second step of the first transaction to obtain the second key Kn + 1 as the predecessor keys Kn-1 and store the third key Kn + 2 as successor key Kn for further first and second transactions.

A fifth step of the second transaction comprising sub-steps 615-618 of the postage meter is used for receiving and decrypting the fourth encrypted message, for extracting at least the identification data and the transmitted third key Kn + 2 _{Cv + 3} and the transaction data, as well as for verifying the received encrypted message from the extracted identification data. Upon verification, the transmitted second key Kn + 2 _{Cv + 3} and the default value in the meter are added in accordance with the descending register value R1 and the resulting balance stored or otherwise, if not _{verified, is branched} back to the first step of the first transaction.

Either the first step is returned to effect a further triggering of the transactions, or in the fifth step of the second transaction the aforementioned transaction request is canceled.

From this NULL distance value specification in the communication mode, a negative distance value specification in the special mode differs above all by special tamper-proof flags and a time monitoring. Such tamper-resistant flags are, in particular, a MAC-secured security flag X and a MAC-secured special flag N.

In Figure 6, the transaction is with two transactions for reloading with a negative credit value, i. a negative fair value default for fund reverse transfer to the data center is shown. Such a negative distance value specification comprises at least two transactions.

The first transaction of communication with the data center DZ involves the communication of a predetermined default request, preferably a NULL default request, to the consistency of the Register states between the data center DZ and the franking machine FM produce.

The first step during a first transaction includes after a defined page entry into the special mode negative Fernwertvorgabe compared to a normal entry into the communication mode (Teleset mode) after the start of the meter a sub-step 301 for checking for a given transaction request and further sub-steps 302 to 308 to Inputting the identification and other data to establish the communication link and for communicating with an unencrypted message to transmit at least identification and transaction type data to the data center. A protection of individual data in the message can be achieved again by a MAC or CRC data in the aforementioned manner.

The defined page entry is achieved by pressing a secret predetermined key combination while turning on the postage meter. According to the invention, the control unit of the franking machine, in conjunction with the data previously transmitted by the data center, and an input procedure between authorized action (service technician) and unauthorized action (intent to manipulate) may differ.
In the case of authorized action, a special flag N is set in step 220, because if the franking machine FM is switched off, the continuation of the transactions must be ensured after the franking machine has been switched on again. To protect against possible manipulation, the special flag N is also stored non-volatile MAC-secured.

If an unsuccessful attempt is made or if another page entry key combination is entered, this is rated as unauthorized action or as a manipulation intention (error message) and stored and a step 209 is triggered to prevent further franking.
It is envisaged that a predetermined key combination for each franking machine will be stored in the data center and communicated to only the authorized person (service technician) to achieve a predetermined operation in the postage meter machine. The correct page entry causes a message on the display about opening the communication.

In order to convert the franking machine into a special mode, a tamper-resistant flag N is set in step 220 if a specific criterion is met, the specific criterion for the special mode negative handoff being at least the use of the predetermined shortcut to enter the special mode during turn on Postage meter machine covers.

In one variant, as with the positive remote value specification, an input of the PIN and pressing the teleset key (T key), then zero input and pressing the T key, before the communication is performed.

The communication with the data center comprises at least two transactions which are repeatedly executed in the event of an error, the communication being automatically resumed after interruption and / or as long as the aforementioned special flag N is set for the special mode, by which an automatic Transaction request is made to complete the return of the balance.

It is provided that a first step of the first transaction sub-steps 301 to 308 of the franking machine To establish the connection, to communicate with unencrypted data and to transmit at least identification, transaction type and other data to the data center. The transaction type data (1 byte), the message to the data center DZ below the special mode of a desired negative Fernwertvorgabe with the identified postage meter to perform.

A second step of the first transaction comprises sub-steps 501 to 506 in the data center, for receiving the data and for checking the identification of the franking machine and for transmitting an unencrypted or no-message to the franking machine. The second step of the first transaction also includes sub-steps to branch to a quiescent state 501 in the data center in case of erroneous unencrypted messages 505 via a sub-step 513 for the error message until the communication by a postage meter machine is resumed.

A third step of the first transaction comprises sub-steps 309 to 314 of the franking machine, for forming a first encrypted message Crypto cv by means of a first key Kn stored in the franking machine and for transmitting encrypted data to the data center, comprising at least the default request, identification and postal register Dates. In a further embodiment of the security measures, this encrypted message in the form of CRC data (cyclic redundancy check data) comprises the message to the data center DZ subsequently to carry out the special mode of a desired negative distance value specification. The two-byte Cyclic Redundancyy Check is a checksum that identifies a manipulation of each of the checksumed data. This checksum can be individual data or the components of all messages (Transaction type) on the part of the franking machine. The default request, identification, postal register and CRC data are transmitted in a message encrypted with the DES algorithm.
Thus, it is not necessary to transfer data in the first step MAC-secured or encrypted to the data center.

A fourth step of the first transaction, which includes sub-steps 507 to 511 in the data center, is to receive and decrypt the first encrypted message or its decryptifiability check by means of a key stored in the data center, to form a second key Kn + 1 the key used by the postage meter, for forming a second encrypted message crypto Cv + 1, which contains at least the aforementioned second key Kn + 1, the identification and the transaction data and for transmitting the second encrypted message crypto Cv + 1 to the postage meter.

It is envisaged that the fourth step of the first transaction also includes sub-steps to branch to an idle state 501 in the data center in the event of irrecoverably erroneous encrypted messages 509 via a sub-step 513 for the error message, until the communication by a postage meter machine is resumed. Sub-steps are further provided for branching to faulty encrypted messages 509 with recoverable errors, to a step 510 for canceling the previous transaction, and then to sub-step 511 in the data center. This sub-step is used to form a second or third key Kn + 1, which is to be transmitted encrypted to the franking machine, to form a second encrypted message crypto Cv + 1 and to transmit the encrypted message to postage meter. In addition, the fourth step of the first transaction includes a sub-step 512 of the data center for storing the default request from which the first sub-step 701 of the second step of the second transaction is branched to the first key Kn as a predecessor key and the second key Kn + 1 as a successor key save.

A fifth step of the first transaction, comprising sub-steps 315-318 of the postage meter, is for receiving and decrypting the second encrypted message, extracting at least the identification data and the transmitted second key Kn + 1 _{CV + 1} , and verifying the received encrypted ones Message based on the extracted identification data. Upon verification, the transmitted second key Kn + 1 _{CV + 1} and the default request are stored in the postage meter machine. Otherwise, if not verified, the first step of the first transaction is branched back.

After this pre-synchronization of the data center by the franking machine, a second transaction takes place. A first step of the second transaction comprises sub-steps 602-608 of the franking machine for communicating with unencrypted data to establish the connection and to transmit at least identification and transaction type data to the data center.

A second step of the second transaction, which comprises sub-steps 701 to 706 of the data center, is provided for receiving the data and for checking the identification of the franking machine and for transmitting an unencrypted OK message to the franking machine. It is further contemplated that the second step of the second transaction includes sub-steps to in the case of erroneous unencrypted messages 705, branching to a quiescent state 501 in the data center via a sub-step 513 for the error message until the communication by a postage meter machine is resumed.

A third step of the second transaction comprises sub-steps 609-614 of the postage meter to form a third encrypted message crypto cv + 2 using the aforementioned second key Kn + 1 stored in the postage meter and transmitting the third encrypted message crypto cv + 2 to the data center at least identification and post-register data, but without data for a default value.

A fourth step of the second transaction, which includes sub-steps 707 through 711 of the data center for receiving and decrypting the third encrypted message crypto Cv + 2, performs its decryptability check by means of a key stored in the data center. Then, forming a third key Kn + 2 to be transmitted encrypted to the postage meter, forming a fourth encrypted message crypto Cv + 3 containing at least the aforementioned third key Kn + 2, the identification and the transaction data, and transmitting the fourth encrypted message crypto Cv + 3 to the postage meter.

The fourth step of the second transaction includes sub-steps to branch to an idle state 501 in the data center in the event of irrecoverably erroneous encrypted messages 709 via a sub-step 513 for the error message, until the communication by a postage meter machine is resumed. If erroneous encrypted messages with recoverable errors are found in step 709 branched to a step 710 to cancel the previous transaction. Thereafter, in the data center in sub-step 711, a third key Kn + 2 is formed, which is to be transmitted encrypted to the postage meter machine. To form a fourth encrypted message crypto Cv + 3 again the DES algorithm is used. Subsequently, the encrypted message is transmitted to the franking machine.

It is further contemplated that the fourth step of the second transaction to store the default value comprises a sub-step 712 of the data center branching to the first sub-step 501 of the second step of the first transaction to obtain the second key Kn + 1 as the predecessor keys Kn-1 and store the third key Kn + 2 as successor key Kn for further first and second transactions.

A fifth step of the second transaction, comprising sub-steps 615-618 of the postage meter, is for receiving and decrypting the fourth encrypted message, extracting at least the identification data and the transmitted third key Kn + 2 _{Cv + 3,} and the transaction data, as well as for verification the received encrypted message based on the extracted identification data. The aforementioned step has to identify the completed implementation in contrast to the positive remote value default on another query criterion. Within a predetermined time, from the sending of the third crypto message, the fourth crypto message is to be received by the franking machine FM. If the connection was uninterrupted, the reception would take place in the predetermined time t1.

Thus, in the preferred embodiment, the last and most critical portion of the second transaction becomes monitored for exceeding time t1. Thus, the possible manipulation time is severely limited. For this purpose, a time count is started during the penultimate message to be transmitted, starting from the dispatch of the third crypto message in the processor (control unit 6) of the franking machine. This is preferably solved so that the corresponding program section activates a routine which sets a counter, which in turn is decremented by the system clock or its multiple. In order to monitor a larger period of time, for example of the order of 10 seconds, several meters are cascaded. If the fourth crypto message from the data center reaches the franking machine within the critical time period, the counter is deactivated. On the other hand, if this last crypto message remains off, the set counter is further decremented. At the zero crossing of the counter, a program interrupt signal (interrupt) is triggered. This signal causes the call of a special subroutine which prepares and triggers a re-transaction. Part of this renewed transaction is again the transmission of the postal register contents. A consistency check carried out in the data center then leads to the result that an unfinished transaction in special mode was preceded by a negative remote value specification. The inconsistent data records are corrected and the negative remote value specification is completed.

A further variant of the invention results when an incremental is used instead of a decremental counter. In this case, the comparison with the number corresponding to the monitored period of time must be carried out after each count clock.

Exceeding the time t1 is a sure indication of an unsuccessful transmission and causes the call of a special subprogram, which a renewed Carrying out the special mode prepares the negative value for the remote value and triggers it automatically. The first and second transactions are automatically repeated in this case with key Kn + 2.

Upon successful retrieval or verification in the fifth step of the second transaction, the transmitted second key Kn + 2 _{Cv + 3} and the default value in the postage meter are added in accordance with the descending register value R1 and the resulting balance is stored or otherwise at non-verification or timeout becomes the first one Step of the first transaction branched back.

The fifth step of the second transaction includes a sub-step (620) of the postage meter for resetting the aforementioned special flag N or for returning to the normal mode of the postage meter, whereby the aforementioned automatic transaction request is canceled when the execution of the second transaction has been completed is.

The present service technician secures the further trouble-free expiration until the completion of the negative remote value specification.

If the completion is not possible due to a prolonged or permanent interruption of the connection between franking machine and data center, the service technician must take the postage meter machine into the dealer's office and continue the completion from there. Otherwise, a credit would result in the franking machine, which is already considered to be transferred back to information in the data center. The successful completion of the negative remote value specification, ie the fund retransmission, can be checked by querying the register states R1 = 0 or R2 = R3 and R3 = R2 + R1.

• R1 (descending register) vorrätige Restbetrag in der Frankiermaschine,
• R2 (ascending register) Verbrauchssummenbetrag in der Frankiermaschine,
• R3 (total resetting) die bisherige Gesamtvorgabesumme aller Fernwertvorgaben,
• R4 (piece count öprinting with value Ï O) Anzahl gültiger Drucke,
• R8 (R4 + piece count öprinting with value = O) Anzahl aller Drucke

The postage meter machine may transmit the data central register values, for example, before reloading with a NULL default value. Here are:

• R1 (descending register) remaining amount in the franking machine,
• R2 (ascending register) consumption sum amount in the franking machine,
• R3 (total resetting) the previous total of all remote value defaults,
• R4 (piece count öprinting with value Ï O) Number of valid prints,
• R8 (R4 + piece count öprinting with value = O) Number of prints

For each remote value specification, at least R1 can be queried and statistically evaluated.

On the part of the data center, at the end of the day, the validity of the fund retransfer as a result of the special mode is decided on the basis of a negative fair value. If no incident is reported by the service technician that, for example, the negative remote value specification was not feasible, or if no request for reloading a positive credit from the same franking machine, the validity is assumed.

The special flag N set on entry into the special mode negative distance value specification was reset on successful transaction. The franking machine prevents all frankings with values greater than zero, because no more credit is loaded. The franking machine is still ready for franking with values equal to zero and other modes, as long as they do not require a credit or as long as no postage is franked and the piece number limit is not reached.

Either the triggering of the transactions in the special mode is effected as in the one variant by the predetermined page entry or in another variant at least one manual step 302 in the special mode is negative remote value specification after a page entry for entering an identification number (PIN) and for entering the predetermined default desired as provided in the positive remote value default, which is queried in step 303. An additional manual step for temporary input, which is requested in step 603, triggers the second transaction and exits or repeats the first transaction in communication mode or in special mode if the input time is exceeded. Preferably, the T key must be pressed within 30 seconds or the input time is exceeded.

There are still a number of variants with different levels of security feasible. Thus, a check for transmission of a predetermined default request can be performed in the data center. In the simplest case, the default request - analogous to the rest in the display mode 215 in Descendingregister still in stock remaining amount R1 - must be entered and transmitted to the data center. Since the post office content is automatically transmitted to the data center for each transaction, but at least R1, a negative remittance default is made for fund repayment if the default amount matches the balance.

In a second variant, an arbitrary default request is agreed as code with the data center. Preferably, a NULL default request is agreed. If, within a certain time after the agreement, the special mode negative remote value default is called and the NULL default request is entered or confirmed as a default request, the remaining amount R1 is automatically reset to zero in the franking machine. A corresponding query step 219 according to such a further specific criterion for the franking machine has been shown in dashed lines in FIG. From this, a branch is made to step 220 for setting the special flag N. In a further embodiment, the operation can be simplified if a ZERO remote value default has already taken place as the last transaction. Then only the operating action for the page entry is made to perform the negative remote value default fully automatically or to achieve a zero residual value R1 = 0.

By starting a time monitoring from the sub-step 613 of sending the third crypto message to the data center until receipt of the fourth crypto message by the postage meter, manipulation is limited in time. If the fourth crypto message could not be received within a predetermined time t1, a special subprogram is called, which prepares and automatically triggers a re-execution of the special mode negative remote value default. By further sub-steps 615, 616, 301 for the automatic resumption of communication after interrupting the communication connection between data center and franking machine or after switching off and on the franking machine, the communication is continued as long as the aforementioned special flag N is set. The special flag N evaluated as a transaction request is non-volatile and saved against manipulation MAC-secured. Only after completing the retransmission of the balance is the special flag N reset in step 620.

In a third variant, safety is increased by a combination of different measures. Regardless of the franking machine, a first communication connection between the authorized user and the data center for storing a code for registering an authorized action on the postage meter machine is established by a later-transmitted default request. Now a turning on the postage meter for making an authorized predetermined operation can be done to enter via a page entry into a special mode negative Fernwertvorgabe. Then, a second communication connection between postage meter and the data center and input of a default request is made. In a first transaction, a distinctive log on to the data center occurs when the submitted default request matches a corresponding code. In the first transaction, for example, a new code word or security flag and / or operating sequence is transmitted to the franking machine. By carrying out at least one further transaction and automatically carrying out the aforementioned communication, the security-relevant data are transmitted and their storage in the postage meter machine is completed. According to the default request, the default value in the corresponding memory of the franking machine and for the purpose of checking the transaction is also added to the remaining balance in a corresponding memory of the data center. Otherwise, an execution of a step 209 for deleting a tamper-proof stored security flag X as a result of at least one unauthorized deviation from the predetermined operation or because it was intervened in the postage meter provided. Thus, the postage meter machine is transferred to a first mode, thereby effectively putting it out of commission for franking (franking mode 400) (Step 409), in contrast to the authorized action or intervention.

A transmission of a valid operating procedure from the data center to the franking machine becomes superfluous if the operating sequence is changed over time. In the data center and in the franking machine, the same calculation algorithm is used to determine a current operating procedure. Another variant is based on the storage of the current operating procedure in the franking machine by means of a special reset E ² PROM by the service technician.

In a further variant, the security is increased by an authorized person by means of an additional input security means, which is brought into contact with the franking machine, in order to transfer a remaining balance back to the data center. First of all, the actuality is established at the data center by reporting the register statuses by means of a zero remote value specification. Subsequently, a reset read-only memory module is inserted as input safety means by the service technician into a predetermined socket of the at least partially opened franking machine. After switching on or a side entry into the program of the franking machine, it is checked whether a reset read-only memory device (Refunds-EPROM) has been used. This can advantageously take place in step 219 shown in FIG. 2 for checking a further criterion. A correct page entry in the absence of Refunds EPROM leads to the point e or in a variant not shown a step to abort the routine. For example, it is possible to branch to a step 209 for deleting a flag X, which would be noticed in step 409 of the franking mode (FIG. 4) and for statistics and error evaluation or registration in step 213 leads. Otherwise, with the correct page entry and with the Refunds EPROM plugged in, a special flag N is set, which in the communication mode automatically triggers the return of the remaining credit to the data center.

In a sub-variant, steps 218 and 219 according to FIG. 2 can be reversed in their order, so that only with regard to the inserted Refunds EPROM and only after that is the correct page entry requested. Such a sub-variant has the advantage that the information about the correct page entry can also be stored in the Refunds EPROM, rather than in the postage meter machine. Thus, the security against manipulation in the intention to counterfeit is further increased.

The status of the franking machine (out of service) is stored in the data center. The authorized person removes the input security device from the socket and closes the housing of the postage meter machine. In the data center, as in the postage meter, the post office registers registering for available remaining balance R1, consumption sum amount R2 and total amount R3 are set to zero (R1 = 0, R2 = 0, R3 = R1 + R2 = 0).

In the case of a chip card write / read unit present in the franking machine, the input security means can of course also be realized as a chip card.

The invention is not limited to the present embodiments. Rather, a number of variants within the scope of the claims is conceivable.

Claims (2)

1. A method for improving the security of franking machines against manipulation including a microprocessor in a control unit of the franking machine for executing steps for a starting and initialization routine and a subsequent system routine with the possibility to enter into a communication mode with a remote data center for the purpose of loading a credit value or transferring it back to the data center as well as with a further input step for entering into a franking mode from which, after executing an accounting and printing routine, there is branched back to the system routine, characterized by distinguishing between non-manipulated and manipulated operation of a franking machine by the control unit (6) by means of monitoring the compliance with a certain time sequence during a communication in the communication mode (300), wherein a retransfer of the credit stored in the franking machine back to the data center executed in the special mode for remote negative value setting is secured and wherein, in said special mode, there are executed a first and a second transaction for exchanging encoded data by sending a first encoded message by the franking machine and receiving a second message sent by the data center to the franking machine during the first transaction and sending a third encoded message by the franking machine and receiving a fourth message sent by the data center to the franking machine during the second transaction, wherein compliance with the period of time from the sending of the third encoded message by the franking machine till the receipt of the fourth message sent by the data center at the franking machine is monitored, which, upon verification of the fourth encoded message, triggers the credit value to be set to zero.
2. A method according to Claim 1, characterized in that a decremental counter or an incremental counter is used for the purpose of detecting an exceeding of the time t1 in the special mode as a certain indication for a failed transmission and that there is called a special subroutine that prepares and automatically triggers a repeat execution of the special mode for remote negative value setting so that the first and second transactions are automatically repeated.

Images