EP1577840A2 - Method for server controlled security management of yieldable services and arrangement for providing data according to a security management for a franking system - Google Patents

Abstract

The method involves transmitting data record between a franking system and a data center (3) over a communication interface when a desired service is requested. The record has service and security data, and is stored in a post security device of the franking system. A logical connection to a franking machine via a server of the center and the reception of relative operation that has been issued by the machine are cutback. An independent claim is also included for a system for allocation of data according to security management for a franking system.

Description

The invention relates to a method for a server-controlled security management of deliverable services according to the generic term of claim 1 and an arrangement for providing data after a security management for a franking system according to the The preamble of claim 5. The invention is for franking machines and for other mail processing devices and their peripherals used, which is a service of a remote Use data center.

The franking machine JetMail® of the Applicant is with a base and with equipped with a removable meter. The latter is one in the base housing integrated static balance operatively connected and is u.a. also used for postage calculation. In connection with a service of reloading a postage rate table will not taken special security measures, although on the aforementioned Table based on the accuracy of the postage calculation and although the Meter contains a security module, with the security module next to a canceling unit also equipped with a cryptographic unit is. The latter only serves to secure the postage fee data to be printed. The meter also includes a control for controlling printing and controlling peripheral components of the postage meter. The base contains a mail transport device and a Inkjet printing device for printing the postage stamp on the Postal matter. Replacing the printhead is unnecessary as the ink tank is separated from the printhead and can be replaced. Also, no special security measures are required for the printhead or for protection of the control and data signals when inserted with a special piezo inkjet printhead Security imprint is printed with a mark, which is an inspection the authenticity of the security print (US 6,041,704) allowed. In addition to the service of reloading a postage rate table and a known service of a teleportation data center, such as the Reloading (US 5699415 or EP 689170 A2) a credit, of which is deducted from the stamped postal value before printing can be another service in the base tracking exist. to Prevention of possible forgery by manipulation the printing unit, i. especially if the base with the printing unit can be separated from the meter, the postal authority is about information interested in the location of the printing unit, if the base with one meter is operated again. The base tracking is released only that printing unit, which by an identification code can be identified by the data center (EP 1154381 A1).

In franking machines of the Applicant - for example in the mymail® and ultimail® - bubble jet printing heads are also used in the printing module. The ink tank and bubble-jet printhead are integrated into a replaceable ink cartridge, as it is already known from the ½ inch ink cartridges from Hewlet Packard (HP). The contacting of the electrical contacts of the print head of the replaceable ink cartridge can be done via a connector of a commercial Pen Driver Board's company HP. Both the postal authority and the customer have an increased interest in high evaluation security of the mark printed on the mail piece. Another service of the data center can therefore consist of piracy protection. Via the connector, additional pirate protection enabling data, for example, a code of the printhead can be queried and sent via modem to the data center. The data center then performs a code comparison with a reference code stored in a database and transmits a message to the postage meter machine about the result of the check (EP 1103924 A2).
The security module participates in such services in different ways, but at least when security-relevant data has to be exchanged with a remote data center via an unsecured data transmission path during the communication. On the one hand, the meter housing or the housing of a franking machine offers a first protection against manipulation in the intention of forgery. Enclosing the safety module with a special housing provides additional mechanical protection. Such an encapsulated security module corresponds to the current postal requirements and is also referred to below as a post-security device (PSD). The credit recharge in some countries requires security measures that only one PSD can deliver. The applicant's franking machines are connected to a teleportation data center in a manner known per se for telephone credit recharge and can be expanded with other devices to form a franking system.

In addition to the positive remote value default in the above-mentioned credit recharge is also a negative Fernwertvorgabe in repayment the remaining credit balance of the customer known (EP 717379 B1 or US 6587843 B1).

From US 5,233,657 is already a store of not one Credit recharge data prior to commissioning of a Postage meter known.

From EP 1037172 A2 the provision and transmission of a Machine and customer specific data set from a data center to a franking device known. The data set comprises at least temporarily and locally valid at the franking location data in the data center assigned to a number code in a database are stored. The customer is a pre-initialized franking device purchased through a distributor of dealers, is thus able to do so be completely put into operation, without the franking device that a customer service or service technician must be called and without a visit to the post office. The data stored in the data center Data are all subject to the same security measure. Independently of which, in the postage meter machine, the graphics data will be without further Safety measures in a memory of the motherboard's Postage meter saved. The graphics data can be a stamp image, for example, concern the city stamp.

For changing of advertising clichés is already in the US 4,831,554 proposed a telephone communication.

In US 4,933,849 is already a date-dependent switching from Stamp images (with city stamp and with value stamp) communicated which were loaded by modem earlier.

According to EP 780 803 A2, the possibility becomes after an initialization provided that from a data center news or carrier specific Advertising will be provided if this is an order in the Data center is present. The customer must first have a contract with the Service provider or operator of the data center.

From EP 1067482 it is already known different security levels attributable to the elements of a printed image to be printed. These different security levels are different assignable permission to change any of the items. to Authorization and reloading of the elements to modify the Print image chip cards are used, the elements after a validate special hierarchy.

Another service of a mail carrier is associated with a statistical collection of franked mail by statistical class (EP 892368 A2). For storing data about using a Terminal are also from EP 992947 A2 and EP 101383 A2 already Solutions known according to which the entries according to statistical classes (Class of Mail) are stored until the remote data center on it accesses to query or determine the user profile.

It is also known that a remote data center via modem You can exchange safety data with a franking system that has a Postal Security Device (PSD). Such franking systems of Applicant, for example, under the brand name jetmail® and ultimail® known.

The invention is based on the object, an arrangement and a To develop a process that ensures that both the Franking system as well as the postal security device security data save and process.

The object is achieved with the features of the method according to claim 1 and the features of the arrangement according to claim 5 solved.

The invention assumes that one is authorized by the manufacturer operated data center is safest against manipulation and thus also a security for remote services is given, which can use a franking system. For the future, it can not be ruled out that next to a franking machine also other or other Devices of a franking system also provide services of a remote Use data center. If now following safety information is spoken to save in the form of records and to be further processed, should be included and taken into account, that the security requirements for each remote services in the countries are very different or sometimes even missing.

a) daß ein Speicherort für einen gewünschten Datensatz innerhalb oder außerhalb des PSD's des Frankiersystems verwendet wird,

b) auf welche Weise die übertragenen Daten beim Datenaustausch gesichert werden, und/oder

c) welche Elemente des Frankiersystems durch die übertragenen Daten beeinflusst werden.

It is suggested that a remote data center have a list of records containing security information and an associated security category. The latter concerns information that is collected, processed, transmitted and provided by the data center's security management system in accordance with a security policy, at least for security measures and / or the location of the storage system in the franking system. Both information is typically stored in a database of a database management system (DBMS). The security policy defines for each security category:

a) that a storage location for a desired data record is used inside or outside the PSD of the franking system,

b) the way in which the transmitted data is saved during data exchange, and / or

c) which elements of the franking system are influenced by the transmitted data.

The record may result in the request for a service be transmitted from the remote data center to the franking system and contains in its header the information about it Security policy. A desired one with the respective safety category associated header equipped record can by means of Transmission means, for example wirelessly or via modem, from Data center transmitted by the franking system and stored internally in the PSD or stored externally by the PSD.

A) Rufannahme bei Kommunikationsverbindung zwischen Frankiermaschine bzw. -system und Datenzentrum mit automatischer Einwahl durch die Frankiermaschine bzw. -system in das Datenzentrum und Empfangen der Anforderung einer gewünschten Dienstleistung mittels eines Servers des Datenzentrums,

B) Ermitteln der dieser Dienstleistung zugeordneten Sicherheitsdaten und Sicherheitskategorie im Datenbankmanagementsystem des Datenzentrums, Steuerung eines Selectors des Servers entsprechend der jeweiligen Sicherheitskategorie und Generierung eines Datensatzes mit Dienstleistungsdaten und Sicherheitsdaten durch den Server,

C) Auswahl des betreffenden logischen Kanals gesteuert durch den Selector des Servers des Datenzentrums und Übermitteln des Datensatzes entsprechend der gewünschten Dienstleistung über die bereits aufgebaute Kommunikationsverbindung zwischen Frankiermaschine bzw. -system und Datenzentrum,

D) Abbau der logischen Verbindung zur Frankiermaschine durch den Server des Datenzentrums, sobald die Dienstleistung beendet ist und Empfang einer entsprechenden von der Frankiermaschine bzw. - system ausgegebenen Bestätigung und

E) Warten auf den Empfang einer weiteren Dienstleistungsan-forderung mittels des Servers oder auf die Beendigung der Kommunikationsverbindung, wobei die Beendigung durch die Frankiermaschine bzw. -system erfolgt.

A method for server-controlled security management of deliverable services is characterized by the following steps:

A) call acceptance in the case of a communication connection between the franking machine or data center and the automatic dial-in by the franking machine or system into the data center and reception of the request for a desired service by means of a server of the data center,

B) determining the security data and security category associated with this service in the database management system of the data center, controlling a selector of the server according to the respective security category and generating a data record with service data and security data by the server,

C) selection of the relevant logical channel controlled by the selector of the server of the data center and transmitting the record according to the desired service on the already established communication link between postage meter or system and data center,

D) removal of the logical connection to the franking machine by the server of the data center as soon as the service has ended and receipt of a corresponding acknowledgment issued by the franking machine or system

E) Waiting for the receipt of another service request by means of the server or on the termination of the communication connection, wherein the termination by the postage meter or -system takes place.

The logical channel is either an unsecured channel or a secured channel automatically formed to a selected one To transmit data record to the franking machine or system.

The relevant data record can also be used during operation of the franking system be called or read again. By specifying a Safety category can be addressed, whether the desired Record from the franking system from inside or outside of the PSD's is read.

The arrangement for providing data for security management for a franking system assumes that a remote Data Center provides the data records requested by the franking system, which application data and security information contain. According to the invention, it is provided that the data center a server comprising at least one server communication means and with a database management system in operational Connection stands that the requested records data for a Safety category included, the latter at least information for the security measure for a data exchange between the Franking system and data center and / or location of storage in Franking system used by the database management system of the Data center recorded in accordance with a security policy, be processed, transmitted and provided that the Franking system has a microprocessor, the at least one postal security device, with a first non-volatile memory and with a communication means for receiving the requested Data sets is connected, wherein the microprocessor is programmed, the Evaluate data for a security category to a corresponding one logical channel to form and the place of storage of Determine application data in the franking system.

It is further contemplated that the microprocessor is programmed to store the application data and the first non-volatile memory or a second non-volatile memory for storing the application data is formed, wherein only the second non-volatile memory is part of the postal security device (PSD).
In addition, a third non-volatile memory may be located externally of the postage meter machine in another mailing machine connected to the postage meter, which is designed to store the application data.

Figur 1,

Blockbild mit Baugruppen eines bekannten Frankiersystems,

Figur 2,

Blockschaltbild für eine Anordnung zur Bereitstellung von Daten nach einem Sicherheitsmanagement für ein Frankiersystem,

Figur 3,

Frankierabdruck nach DPAG-Anforderungen,

Figur 4,

Flußplan für ein servergesteuertes Sicherheitsmanagement,

Figur 5,

Detail des Blockschaltbildes der Steuereinheit des Servers.

Advantageous developments of the invention are characterized in the subclaims or are presented in more detail below together with the description of the preferred embodiment of the invention with reference to FIGS. Show it:

FIG. 1,

Block diagram with components of a known franking system,

FIG. 2,

Block diagram for an arrangement for providing data for a security management for a franking system,

FIG. 3,

Franking imprint according to DPAG requirements,

FIG. 4,

Flowchart for server-controlled security management,

FIG. 5,

Detail of the block diagram of the server control unit.

FIG. 1 shows a block diagram with components of a known franking system 1, comprising a franking machine 2, to which a storage box 4 is connected downstream of the downstream post and an automatic supply station 7 is connected upstream. In the case of the Jetmail® type of franking system, a stack 6 is fed on edge-mounted mail items. The storage box 4 is a stack 5 can be removed to lying mailpieces. To a first and second interface of the franking machine 2, the automatic feed station 7 and a personal computer 9 are electrically connected via cables 71 and 91. The franking machine 2 can be communicatively connected to a remote teleportation data center 8 for the purpose of credit recharging and to a remote service center 11. The franking machine 2 has an internal static balance 22 and is equipped with means for postage calculation. From the remote service center 11, a current postage fee table can be transmitted to the franking machine 2 or to the franking system 1. The franking system may optionally have a - not shown - dynamic balance, which can be arranged between the automatic feed station 7 and the franking machine 2.
Another known franking system of the type ultimail® corresponds in principle likewise to the block diagram shown in FIG. 1, with the difference that the stack 6 is fed to horizontal mail pieces of the automatic feed station 7 and no dynamic scale can be retrofitted.

While according to the known solution (Figure 1), the selected Data center only one service or only a minimum number of Service without security feature can provide with a Data center according to the invention with a number of services Security feature available. Another advantage is the avoidance of multiple calls at different data centers with different Phone numbers.

FIG. 2 shows a block diagram of an arrangement for providing data in accordance with a security management for a franking system. In addition to the assemblies of a remote data center 3, the assemblies of a franking system 1 are shown, which has at least one franking machine 2 and optionally a static balance 22. Also, if necessary, further mail processing stations (not shown) can be connected, for which services via the franking machine 2 can also be provided. The static balance 22 is preferably an optional component of the franking machine 2. The franking machine 2 comprises a postal meter 20 which has at least one communication means 21, a mainboard 24 and a postal security device (PSD) 23. The motherboard 24 is provided with a first nonvolatile memory 241 and a microprocessor 242 in operative communication with the PSD 23, the memory 241 and the communication means 21. The communication means 21 is, for example, a modem which can be communicated via a telephone network 12 to a modem 31 of the data center 3 in terms of communication. However, this means that other means of communication, such as wireless transmitter / receiver devices, mobile devices, Bluetooth, WAN, LAN and other communication devices and other networks, such as Internet, Ethernet, etc., can not be excluded. Rather, a variety of communication means and networks for data transmission come into consideration. The PSD 23 is - not shown - connected via an interface on the motherboard 24 and includes, inter alia, a second non-volatile memory 232 for booking data and security-related data for secure communication with the remote data center. Further details on the PSD can be found in the publications EP 789333 B1, EP 1035513 A1, EP 1035516 A1, EP 1035517 A1, EP 1035518 A1, EP 1063619 A1, EP 1069492 A1 and EP 1278164 A1.
The data center 3 comprises a server 30 which is in operative connection with at least the one server communication means 31 and with a database management system (DBMS) 32. The server communication means 31 is in a - not shown - variant part of a communication server that allows a variety of separate connections to the network 12. Also, the database management system 32 may be implemented in a separate server or within the existing server 30. A control unit 34 of the server 30 is provided with a selector 341 and a microprocessor 342 in operative communication with the server security module (SSM) 33, the selector 341, and the at least one server communication means 31. The selector 341 is hardware and / or software implemented.
The plurality of separate connections of the communication server to the network 12 allows the connection of several franking machines 2 or franking systems 1 with the data center 3 to a security management system 10.

Data center 3 has a list of records containing security information and related security policy information. Both information is typically stored in a database of a database management system (DBMS) 32. Each record containing the security information is assigned a security category, for example a number on the scale 1 to 10.
By specifying the security category, it can optionally be addressed whether the desired data set is exchanged with the franking system 1 from inside or outside the PSD 23, in which way the transmitted data is saved during the data exchange, or which elements of the franking system influence the transmitted data. The security policy defines, for example, which elements of the franking imprint are influenced by the transmitted data.

It is provided that the desired data record is stored in a non-volatile memory of a franking machine of the franking system arranged inside or outside the PSD. In connection with a remote service, it may be necessary for data to be read from the franking system 1 and remotely transmitted to the data center 3. So reads the data center 3, the security data from the franking system 1, it can also be addressed by specifying a security category, whether the desired record from the franking system 1 is read from within or outside of the PSD 23. The control unit 34 of the data center 3 ensures that records are communicated, stored and processed according to their security category. The control unit uses selector 341 for this purpose. The latter offers the possibility of selecting one of two logical communication channels in order to address a memory of the franking system inside or outside the PSD. Each logical communication channel is protected by individual security mechanisms and parameters applied by a component of the control unit 34. This component of the control unit 34 is also referred to as server security module (SSM) 33. The security category of a data record is also taken into account for its control. The record contains in its header at least the information on the associated security policy.
In addition to the addressing in the franking system, the control unit can also use this information for the associated security policy to select a suitable security mechanism for protection during the communication and / or during the subsequent storage. This will be shown below with some examples.

FIG. 3 shows a franking imprint according to the Frankit requirements the Deutsche Post AG. The franking imprint shows a one-dimensional left Bar code (1 D barcode) 15 for an identcode, which will be explained below. In addition, the Franking imprint in the value impression a two-dimensional bar code (2D barcode) 17 for verification of proper payment the mailpiece transport fee.

FIG. 4 shows a flowchart for a server-controlled security management. The data center 3 waits in step A on the Receiving a service request. For editing a Remote service selects the postage meter in Data Center and requests the desired remote service. After this Receiving the service request determines the data center in Step B in the security policy of this remote service to choose the Security features. In step C, a selection of the logical takes place Channel and a record submission from Data Center 3 to Franking machine 2 or the franking system 1. This is the logical Channel to the memory I of the mainboard or to the memory II of the PSD selected. The record transmission takes place via the already established Modem connection from the data center 3 to the franking machine 2 or to the franking system 1. In step D, the determination of the end of requested service. As soon as the remote service is finished, the Server the logical connection to the franking machine again and gives the franking machine a corresponding confirmation. In step E becomes determined whether the communication link from the franking machine has been finished. If that is the case, then the point e reached. Otherwise it will point to a starting point a before the first one Step A branches back to receive another service request.

Examples of security categories are shown in the following table: safety category protection target Logical channel Memory place Components of the franking system Place in the impression identcodes Uniqueness / uniqueness Plain Session Motherboard NVM printer control 1D barcode outside value impression Price / Product Table (PPT) Data Integrity / Origin Authentication / Timeliness Plain Session Motherboard NVM Price calculation module --- User profile of origin authentication Data Integrity / Plain Session Motherboard NVM Recording in the NVM --- PVD Protection of Remuneration / Data Integrity / Source Authentication / Receiver Data Protection Secure Session PSD NVM printer control 2D barcode in the value impression withdraw Protection of the remaining balance Secure Session PSD NVM Postal registers, --- MAC key encryption Secure Session PSD NVM Keystore, and Klicheé exam and generation ---

The table columns protection target and logical channel describe for each the categories of security referred to in the first column, to which Way the transmitted data is backed up during data exchange. The remaining table columns indicate the location that affected Components of the franking system and where in the impression the influence becomes visible.

identcodes

IdentCodes are reference numbers that uniquely identify postal items, as long as they have not been successfully delivered. Based on his IdentCodes can be a mailpiece in a letter distribution center or at the Delivery be clearly recognized. The IdentCode can be used to provide tracking information about mail pieces and for to query the sender. Each IdentCode may be used during its validity only once (uniqueness) for a maximum of a mailpiece (uniqueness) will be awarded. As storage location is the non-volatile memory used on the motherboard of the franking machine.

Price product table

The transferred data will be a price calculation module and the footprint affects. A price / product table (or postage rate table) has a validity date from which it is valid. The entries of a price product table should be protected against manipulation (data integrity). The source of a price-product table should be authorized (Source Authentication), and a price-product table should be be provided at the latest on their validity date (timeliness). When The nonvolatile memory on the motherboard will be the location Used franking machine.

user profile

The user profiles are passively recorded and logged on the machine transfer the data center. The entries of a user profile should protected against manipulation (data integrity). Alternatively, it is enough also an integrity protection of the total volume of a user profile. In addition, the origin should be authenticated (original authentication). This is a special booking value that is included in the Framework of a special service (Class of Mail) to the data center can be transmitted. This particular booking value is one ordinary non-printable MAC-saved sum value of all summed Postal values that were franked during a billing period. If the above value is printed on a postcard, then speaks one also from a billing franking. The aforementioned MAC (Message Authorization Code) is preferably in the form of a CryptoTags realized. The storage location is the nonvolatile memory used the motherboard of the franking machine. After transferring the CoM data to the data center becomes the non-volatile memory cleared to create space for newly recorded data.

PVD

angefordert und im Datenzentrum verbucht und bestaetigt wird, so dürfen anschliessend im Sicherheitsmodul auch nur 50 mehr Guthaben stehen. Würden dort 100 zusätzlich ankommen, so wäre der Zusteller (also z.B. eine Postbehörde) um den Differenzbetrag von 50 betrogen. Daher müssen die Nachrichten, die bei einem postage value download übertragen werden, gegen Manipulation geschützt sein und ihr jeweiliger Datenursprung muss authentisiert sein.
Zusätzlich kann hier auch der Datenschutz des Empfängers ein Schutzziel sein. Es soll für Aussenstehende z.B. nicht zu erkennen sein, welchen Betrag ein Kunde gerade vom Datenzentrum lädt. Um dieses Schutzziel zu erreichen, werden bestimmte Nachrichten zwischen Datenzentrum und Sicherheitsmodul verschlüsselt. Als Speicherort dient der nichtflüchtige Speicher des PSD's. Die beeinflussten Komponenten des Frankiersystems sind das PSD und dessen postalische Register.The data that is transferred during a postage value download is partially relevant to the fee. That means if, for example, an amount of 50

is requested and recorded and confirmed in the data center, then only 50 are allowed in the security module more credits are available. Would there be 100 In addition, the deliverer would be (ie, for example, a postal authority) to the difference of 50 cheated. Therefore, the messages transmitted in a postage value download must be protected against tampering and their respective data origin must be authenticated.
In addition, the privacy of the recipient can be a protection goal here. For example, outsiders should not be aware of the amount a customer is currently charging from the data center. To achieve this protection goal, certain messages between the data center and the security module are encrypted. The storage location is the non-volatile memory of the PSD. The affected components of the franking system are the PSD and its postal registers.

withdraw

The repayment (withdraw) of the remaining credit balance of the customer is an essential protection goal when returning a machine. When Storage location is the non-volatile memory of the PSD. The influenced Components of the franking system are the PSD and its postal Register.

Mackey

The main protection goal when transferring the MACKeys is the Keys to outsiders (including the user of Franking machine). Therefore, this key is before the Transmission encrypted and decrypted only in the security module again. The storage location is the non-volatile memory of the PSD. Due to the transmitted data, components of the franking system, like PSD, keystore, cliché checking and generation in the franking machine influenced.

As a logical channel, for example, only one plain text session is distinguished from a secure session. Simplified a plain text session is a reliable data connection over a telephone network, in which the data is transmitted without cryptographic security. If necessary, error-correcting codes can be used to improve the reliability of the transmission link. Because of the general notoriety, it is not necessary to take a closer look at the characteristics of a plaintext channel.
A security text session is a reliable data connection over a telephone network where the data is transmitted cryptographically secured. If necessary, error-correcting codes can also be used here in order to improve the reliability of the transmission path.
The selector controls the selection of the channel (secure / unsecured), for example, based on a decision matrix that holds the appropriate treatment for, for example, the requested service or a pending message to be pending. For example, the decision matrix may be in the form of one or more database tables, so that channel assignment changes can be made dynamically during operation of the server.

FIG. 5 shows a detail of the block diagram of the control unit 34 of FIG Server. The selector 341 is, for example, a hardware and / or Software component that is intended to create a record D1 ... Dn to Dx from a memory 321 of the database management system 32 and at least partially temporarily store, until the processing of the record by the operationally with the Selector 341 connected microprocessor 342 is completed. The record D1 ... Dn to Dx comprises at least first data, i. an addressable one Data part of the assigned application data identifies and / or includes application data AD directly. The record also includes associated safety data SD and an assignment rule, the further steps, data tables or a decision matrix points, which puts the micro-processor in the position, in the result one to generate selected logical channel. This assignment rule is also referred to as security category SC of a security policy. Microprocessor 342 accesses this in a program memory 343 stored program and works the program and the desired protocols. The first data is application data AD of the addressed data record D1 and are via a bus to the micro-processor 342 or at the lowest level of security categories directly transmitted to input / output unit 344. To the latter, for example be connected to a modem. At a higher level of security categories, if the selector further safety data SD and data of the Security category SC caches a predetermined security policy is an interrupt I or a control signal for the Microprocessor generated 342, based on the selector of the micro-processor passed second data CD the type of further data processing finds. The first data transmitted to the micro-processor 342 can be further processed while being encrypted, for example, i.e. be further treated according to the type which the passed second (control) data CD informs. The in the figure 5 shown record D1 contains data AD, SD and SC, with their Order can be realized differently than was drawn. Preferably, a record Dn contains in its header at least the safety category SC, i. Information about associated security policy. The selector is from the microprocessor to the Example via an address bus ADD-BUS 345 addressable and from the Selector passed second (control) data CD can thus be repeated be queried by the microprocessor. In addition to the requested first Data can also be used by the microprocessor for the security category SC via input / output unit 344 are output to the Mark storage location in the franking system 1. With the Explanations to Figure 5 will be explained only one embodiment However, it can not be ruled out that the control unit 34 of the Servers partially realized in other ways. Alternatively, the Selector 341 as part of the microprocessor 342 hardware and / or be executed by software.

The selector controls the logical channel by the use of cryptographic methods on messages or submessages (or their omission); ie to the methods of technical transport of the information, for example by a transmission via modem or via another suitable server communication means 31, mathematical methods of cryptography are used.
Another possibility is to firmly link the allocation of the channel to the services or data fields at the time of development, that is, to firmly code which channel is to be used. In this case, the selector is a logical component of the sequence program in the server.

In general, secure channels are characterized by authentication of messages or partial messages by means of message authentication Codes (MAC) that are a typically encrypted (cryptographic) Contain checksum. Methods such as HMAC-SHA1 do this. Furthermore, messages or sub messages with Help by encryption method (3DES, AES) be encrypted. The used key material for authentication and encryption is chosen statically and for example during production imprinted on the service device or based on a key exchange procedure recreated for each session.

The identity of the two communication partners can e.g. through digital Signatures can be determined with certainty in the sense of a common Public key hierarchy are linked together. Both entities are in In this case, it has its own key identity.

The cryptographic features of a secure channel are detailed For example, in the non-prepublished German patent application 10 2004 032 057.8 under the title: Method and Arrangement for Generate a secret session key, in particular based on the Figures 3 and 4 described.

The as part of a remote service from the data center provided security information can be both from the postage meter as well as used by other devices of a franking system become.

Under a franking system can also be a so-called PC meter be understood, which at least from a personal computer with PSD and a commercial office printer exists.

In another - not shown in the figure 2 - variant is the Database Management System (DBMS) 32 within the server 30 realized. It is also envisaged that the selector 341 as a component of the microprocessor 342 hardware and / or software is.

The invention is not limited to the present embodiment, as obviously other other arrangements or embodiments of Invention can be developed or used, the - of the same Basic idea of the invention, starting from the adjacent Claims are included.

Claims (15)

Method for a server-controlled security management of deliverable services, characterized by the steps: A) Call acceptance at communication link between postage meter (2) or system (1) and data center (3) with automatic dial-in by the postage meter (2) or system (1) in the data center (3) and receiving the request for a desired Service by means of a server (30) of the data center (3), B) Determining the security data and security category assigned to this service in the database management system (32) of the data center (3), controlling a selector (341) of the server (30) according to the respective security category and generating a data record with service data and security data by the server (30) . C) selection of the relevant logical channel controlled by the selector (341) of the server (30) of the data center and transmitting the record according to the desired service via the already established communication link between postage meter (2) or system (1) and data center (3 ) D) Dismantling of the logical connection to the franking machine by a server (30) of the data center (3) as soon as the service has ended and receipt of a corresponding confirmation issued by the franking machine (2) or system (1) and E) waiting for the receipt of a further service request by means of the server (30) or on the termination of the communication connection, wherein the termination by the postage meter machine (2) or -system (1) takes place. A method according to claim 1, characterized in that in connection with a remote service for a franking system (1) data is exchanged and remotely transmitted from or to the data center (3), which can be selectively addressed by specifying a security category, which storage location for a desired record is to be used inside or outside of the PSD (23) of the franking system (1). A method according to claim 1, characterized in that in connection with a remote service for a franking system (1) data exchanged and remotely transmitted from or to the data center (3), which can be selectively addressed by specifying a security category, in which way the transmitted data be secured during data exchange. A method according to claim 1, characterized in that in connection with a remote service for a franking system (1) data exchanged and remotely transmitted from or to the data center (3), which can be addressed by specifying a security category optionally, which elements of the franking system by the transmitted data. Arrangement for providing data for a security management system for a franking system (1), wherein a remote data center (3) provides the data records requested by the franking system (1) containing application data (AD) and data (SD) for security information, characterized in that the data center (3) comprises a server (30) operatively connected to at least one server communication means (31) and to a database management system (32), the requested data sets containing data (SC) for a security category, the latter being at least Information on the security measure for a data exchange between the franking system and the data center (3) and / or the location of the storage in the franking system (1), which is recorded, processed, transferred and provided by the database management system (32) of the data center (3) according to a stored security policy be that the franking system (1) a A microprocessor (242) connected to at least one postal security device (23) to a first non-volatile memory (241) and communication means (21) for receiving the requested data sets, the microprocessor being programmed to write the security category data (SC) in order to form a corresponding logical channel and to determine the location of the storage of the application data (AD) in the franking system (1). Arrangement according to Claim 5, characterized in that the microprocessor is programmed to store the application data (AD) and the first nonvolatile memory (241) or a second nonvolatile memory (232) is designed to store the application data (AD), only the second non-volatile memory (232) is part of the postal security device (23). Arrangement according to claims 5 to 7, characterized in that a third non-volatile memory externally of the franking machine arranged in another connected to the postage meter device and for storing the application data (AD) is formed. Arrangement according to Claim 5, characterized in that a control unit (34) of the server (30) is equipped with a selector (341) and with a microprocessor (342) connected to a server security module (33), the selector (341) and the server communication means (31) is operatively connected, the list being stored in a database of the database management system (32) in the form that each record is assigned a security category, the security policy defining for each security category whether the record in question is for Mailing system (1) and stored in the postal security device (23) of the franking system (1) is stored or transferred to the franking system (1) and stored there but outside the postal security device (23). Arrangement according to claim 8, characterized in that the server communication means (31) is part of a communication server, which allows a plurality of separate connections to a network (12) and that between the data center (3) and the franking system (1 ) the server communication means (31) and a further transmission means (21) are arranged, via which a data set equipped with the relevant security category can be transmitted if necessary. Arrangement according to claim 9, characterized in that the server communication means (31) and the transmission means (21) of the franking system (1) is a wireless transmission means. Arrangement according to claim 9, characterized in that the server communication means (31) and the transmission means (21) of the franking system (1) is a modem. Arrangement according to claim 8, characterized in that the database management system (32) is implemented in a separate server. Arrangement according to claim 8, characterized in that the database management system (32) is implemented within the existing server (30). Arrangement, according to claim 8, characterized in that the selector (341) is implemented in hardware and / or software. Arrangement according to claim 14, characterized in that the selector (341) is designed as part of the microprocessor (342).

Images