
Preprint -- final version in Concurrency and Parallelism, Programming, Networking, and Security, eds. J. Jaffar and R. Yap, Springer, 1996, pp. 378-391

Cryptographic Postage Indicia

J. D. Tygar, Carnegie Mellon University, Pittsburgh, PA (tygar@cs.cmu.edu)
Bennet S. Yee, UC San Diego, La Jolla, CA (bsy@cs.ucsd.edu)
Nevin Heintze, Bell Laboratories, Murray Hill, NJ (nch@bell-labs.com)

Abstract

Metered mail provides substantial opportunities for fraud. Indeed, losses due to meter fraud in the United States are said to exceed million annually. We apply cryptographic techniques to prevent several types of improper use of metering indicia. This paper describes a mail system that combines off-the-shelf barcode technology, tamper-proof devices, and cryptography in a fully integrated, secure franking system. This system provides protection against:

- tampering with postage meters to fraudulently obtain extra postage,
- forging and copying of postal indicia,
- unauthorized use of postage meters, and
- stolen postage meters.

We provide detailed justification for our design and discuss important tradeoffs involving scanning strategies, encryption technology, and 2-D barcode technology. The US Postal Service recently announced an Information Based Indicia Program (IBIP), which adopts principal design features of our model. Beyond the intrinsic utility of this system, it also presents what is likely to be the first large-scale use of public key infrastructure and microtransaction technology.

Motivation

The US Postal Service handles over billion pieces of mail each year through almost autonomous post office facilities. Much of this mail is metered, which means that the mail does not have an ordinary stamp attached to it. Instead, a postage meter prints a special mark, called a postal indicia, on the mail. Fraud is a serious problem for the US Postal Service.

(This work was supported in part by the US Postal Service and was carried out at Carnegie Mellon University. It represents the opinions of the authors and does not necessarily represent the view of their employers, funding sponsors, the US Postal Service, or the US Government. Preliminary reports on this work appeared in [ ]. A preliminary version of this work was also presented at SECURICOM in Paris in June. Portions of this work and related work appear in [ ]. This paper addresses mail in the United States, but the basic design can be adapted to mail in other countries.)

In the United States there are approximately million postage meters in use, which collectively account for approximately billion in postal revenue. The US General Accounting Office recently calculated that meter fraud cheats the US Postal Service out of substantially more than million each year. There are over postage meters in the US that are currently reported as lost or stolen. The US Postal Inspection Service recently brought criminal charges in separate cases in New York and Boston; each involved more than million dollars in postage meter fraud.

To address these problems, we propose a new system for printing postage indicia that carry cryptographic information. This system allows a PC or workstation with a laser printer and a tamper-proof device to produce unforgeable postage indicia. This paper describes that design. The design of cryptographic postage indicia is an interesting exercise in security engineering. The US Postal Service's recent Information Based Indicia Program (IBIP) adopts the principal design features of our model.

Postal Fraud

Today's postage meters and indicia are not very secure. They are vulnerable to at least four kinds of fraud:

- The postage meter may be tampered with so that it generates free postage.
- The indicia imprint produced by a postage meter may be forged or copied, using a rubber stamp, a color photocopier, or a color laser printer.
- A valid postage meter may be used by an unauthorized person.
- A postage meter may be stolen.

A number of these issues can be addressed by cryptography. Thanks to recent developments in digital barcoding, we can now use off-the-shelf technology to replace old-fashioned stamps with machine-readable indicia. These indicia can be printed by laser printers or similar devices under the control of a workstation, a PC, or a dedicated postage device. Moreover, we can include cryptographically signed information in the indicia to prove the authenticity of the indicia. By including information such as the mailing date and the zip codes of the sender and receiver, we can also guard against forged or copied indicia. Pastor [ ] gave a rough outline of how such a system could work.

Unfortunately, Pastor's system and similar proprietary proposals are vulnerable to additional types of attack:

- Cryptographic techniques are vulnerable to misuse, leading to systems that can be successfully attacked by an adversary.
- Postage meter credit may still be tampered with even if cryptographic techniques are used.
- A postage meter may be opened and examined by adversaries looking for cryptographic keys, thus allowing the adversary to build new bogus postage meters.

Even more problematic, Pastor's proposal relies on an implicit assumption that a master list containing all examined indicia is maintained. This would require a large distributed database on a highly available network connecting post office facilities. With nearly postal facilities and a yearly volume of billion pieces of mail, such an integrated, real-time, distributed, highly available database would be unrealistic at present without dramatically increasing the cost of postage.

This paper describes a complete postal franking system addressing these concerns. This system is most suitable for a PC or workstation printing cryptographic indicia on a standard laser printer. A slightly less secure design also allows postal meters to print cryptographic indicia. Central to our design is the use of tamper-proof computing devices, such as those specified in the US FIPS standard. Using this technology, we can produce secure, unforgeable postal indicia. For further details and qualifications, see the discussion in Section [ ].

Traditional Indicia

Here we review the structure of traditional indicia and define necessary properties for cryptographic indicia.

Today's postage meters are portable devices containing a print mechanism and a postage accounting mechanism enclosed in a sealed case. Each postage meter is initialized with a postage credit by a post office; as each letter is stamped, the postage value is deducted from the machine's credit. Meters are periodically returned to the post office so that additional postage credit may be transferred to them. Although postage meter cases are not tamper-resistant or tamper-proof, they are supposed to be tamper-evident. Meters are subject to periodic inspection by postal authorities. Unfortunately, the tamper-evident mechanisms frequently fail. Further problems are created by stolen or missing meters, which cannot be inspected but may be in use. Finally, postal employees often fail to recognize signs of tampering.

Traditional postage meters maintain three important registers:

- ascending register: the monetary total value of all indicia ever produced by this meter;
- descending register: the remaining credit available in the meter;
- piece-count register: the number of indicia with non-zero postage produced by the meter. (Zero-postage indicia are sometimes used for testing.)

When a new indicia is printed by a meter, the postage value of the new indicia is added to the ascending register and subtracted from the descending register, and the piece count is incremented by one. During normal operation, the ascending and descending registers sum to a constant value. When the meter is refilled and additional postage credit is transferred to it, the sum of the ascending and descending registers increases.

Fig. [ ]: Traditional indicia can be easily forged or reproduced by a laser printer.

Figure [ ] shows an example of a traditional indicia. It contains information about postage value, date, etc. On the left side of the indicia are the words "Presorted First Class", printed vertically, identifying the class of the mail. Immediately to the right is the city-state circle, which notes the city (Pittsburgh), the state (Pennsylvania), and the date (the th of February) of the indicia. Further to the right, directly underneath the eagle, is a meter identification mark, "PB METER", which indicates that the imprint was made by a Pitney Bowes meter, serial number . Finally, in the box at the right-hand end of the indicia is the postage value, cents. (The observant reader will undoubtedly notice that the indicia shown in the figure is smudged. For the scofflaw attempting to defraud postal authorities this is quite important: a traditional, clear sign of meter fraud has been indicia that are too crisp and readable.)

The basic function of an indicia is to demonstrate to the postal carrier that postage has been paid. To make copying more difficult, the indicia is printed using special fluorescent ink. However, ink fluorescence is rarely checked, and in any case fluorescent ink is openly sold without restriction. Moreover, rubber stamps that produce bogus indicia can easily be special-ordered. So little sophistication and little investment is required to defeat the traditional postal indicia security measures.

Cryptographic Indicia

Using cryptography, we can design postage indicia that substantially improve upon the security of traditional postage meter indicia. In particular, we can guarantee the following two properties: (a) copied indicia are detectable, and (b) malicious users cannot generate valid new indicia, even by modifying
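The following is an added example, not code from the paper or from IBIP. It models the three registers and their invariant from the Traditional Indicia section (ascending plus descending is constant except across a refill; zero-postage test prints do not advance the piece count) and the two properties just claimed for cryptographic indicia: a verifier rejects indicia whose signed fields have been altered or that come from a meter it does not trust, and flags an indicium presented twice. HMAC-SHA256 is a stand-in for the public-key signature the paper describes; in a deployment the signing key would live in the tamper-proof device and the post office would verify with the corresponding public key. The field names, sample values, the "zero postage" verdict and the revocation of a meter reported stolen are all assumptions made for illustration.

```python
# Added example (not from the paper): toy meter registers plus a signed
# indicium and its verifier. HMAC-SHA256 stands in for the paper's public-key
# signature; field names and sample values are constructed for illustration.
import hashlib
import hmac
import json
from dataclasses import dataclass


class MeterError(Exception):
    """Raised when the meter refuses an operation."""


def canonical(fields: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class Meter:
    meter_id: str
    key: bytes            # secret that would live inside the tamper-proof device
    ascending: int = 0    # cents: total value of all indicia ever produced
    descending: int = 0   # cents: credit remaining
    piece_count: int = 0  # indicia with non-zero postage produced

    def control_total(self) -> int:
        # ascending + descending stays constant between refills.
        return self.ascending + self.descending

    def refill(self, cents: int) -> None:
        if cents <= 0:
            raise MeterError("refill must be positive")
        self.descending += cents  # the only operation that raises the total

    def print_indicium(self, postage: int, date: str,
                       origin_zip: str, dest_zip: str) -> dict:
        if postage < 0:
            raise MeterError("negative postage")
        if postage > self.descending:
            raise MeterError("insufficient credit")
        self.ascending += postage
        self.descending -= postage
        if postage > 0:  # zero-postage test prints do not count as pieces
            self.piece_count += 1
        fields = {
            "meter_id": self.meter_id,
            "piece": self.piece_count,
            "postage": postage,
            "date": date,
            "origin_zip": origin_zip,
            "dest_zip": dest_zip,
        }
        sig = hmac.new(self.key, canonical(fields), hashlib.sha256).hexdigest()
        return {**fields, "sig": sig}


class PostOffice:
    """Verifier: per-meter keys plus the (meter, piece) pairs already accepted."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)
        self.seen = set()

    def revoke(self, meter_id: str) -> None:
        # Meter reported lost or stolen (assumption): stop accepting its indicia.
        self.keys.pop(meter_id, None)

    def verify(self, indicium: dict) -> str:
        fields = dict(indicium)
        sig = fields.pop("sig", "")
        key = self.keys.get(fields.get("meter_id"))
        if key is None:
            return "unknown or revoked meter"
        expect = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expect):
            return "bad signature"   # forged, or a field altered after printing
        if fields["postage"] == 0:
            return "zero postage"    # test print: no postage was paid
        ident = (fields["meter_id"], fields["piece"])
        if ident in self.seen:
            return "duplicate"       # a copy of an indicium already mailed
        self.seen.add(ident)
        return "ok"


if __name__ == "__main__":
    meter = Meter("PB-0001", b"device-secret")  # constructed values
    meter.refill(10_000)
    ind = meter.print_indicium(32, "1996-02-15", "15213", "92093")
    office = PostOffice({"PB-0001": b"device-secret"})
    print(office.verify(ind))                       # first scan: ok
    print(office.verify(ind))                       # same indicium again: duplicate
    print(office.verify({**ind, "postage": 9999}))  # altered field: bad signature
```

Note what the duplicate check does and does not need: the verifier keeps only the (meter, piece-count) pairs it has accepted, and because the piece count is signed into the indicium, a copy is caught even if the copy is otherwise perfect. Whether that set can be kept per facility or must be shared is exactly the scanning-strategy tradeoff the paper raises against a global master list.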