DESIGNING CRYPTOGRAPHIC POSTAGE INDICIA

Bennet YEE
University of California, San Diego
Dept of Comp Sci and Eng, 0114, La Jolla, CA 92093, USA

J.D. TYGAR
Carnegie Mellon University
Computer Science Dept, 5000 Forbes Ave, Pittsburgh PA 15213, USA

Nevin HEINTZE
Bell Laboratories
600 Mountain Ave, Murray Hill NJ 07974, USA

Abstract

We apply cryptographic techniques to the problem of fraud in metered mail. We describe a mail system that combines off-the-shelf barcode technology, tamper-proof devices, and cryptography in a fully-integrated secure franking system. This system provides protection against:

1. Tampering with postage meters to fraudulently obtain extra postage;
2. Forging and copying of indicia;
3. Unauthorized use of postage meters; and
4. Stolen postage meters.

We provide detailed justification for our design, and discuss important tradeoffs involving scanning strategies, encryption technology and 2-D barcode technology. The US Postal Service's recent Information Based Indicia Program (IBIP) announcement adopted the principal design features of our model.
1 Motivation

The US Postal Service^1 handles over 165 billion pieces of mail each year through almost 40,000 autonomous post office facilities. Much of this mail is metered, which means that the mail does not have an ordinary stamp attached to it. Instead, a postage meter prints a special mark (called a postal indicia) on the mail. Fraud is a serious problem for the US Postal Service:

- The US Postal Service recently calculated that meter fraud cheats the agency out of substantially more than $100 million each year [4].
- There are over 82,000 postage meters in the US that are currently reported as lost or stolen [14].
- The US Postal Service is prosecuting two cases in New York and Boston; each involves more than $4 million dollars in postage meter fraud [11].

To address these problems, we propose a new system for printing postage indicia with cryptographic information. This system allows a PC or workstation with a laser printer and a tamper-proof device to produce unforgeable postage indicia. This paper describes that design.

The design of cryptographic postage indicia is an interesting exercise in security engineering. The US Postal Service's recent Information Based Indicia Program (IBIP) [13] adopts the principal design features of our model.

Footnote 1: This paper addresses mail in the United States, but the basic design can be generalized to mail in other countries.

2 Postal Fraud

Today's postage meters and indicia are not very secure. They are vulnerable to at least four kinds of fraud:

- The postage meter may be tampered with so that it generates free postage;
- The indicia imprint produced by a postage meter may be forged or copied, using a rubber stamp, a color photocopier, or a color laser printer;
- A valid postage meter may be used by an unauthorized person; and
- A postage meter may be stolen.

A number of these issues can be addressed by cryptography. Thanks to recent developments in digital barcoding, we can now use off-the-shelf technology to replace old-fashioned stamps by machine readable indicia. These indicia can be printed by laser printers or similar devices, under the control of a workstation, a PC, or a dedicated postage device. Moreover, we can include cryptographically signed information in the indicia to prove the authenticity of the indicia. By including information such as the mailing date and the zip code of the sender and receiver, we can also guard against forged or copied indicia. Pastor [8] gave a rough outline of how such a system could work.

Unfortunately, Pastor's system and similar proprietary proposals are vulnerable to additional types of attack:
- Cryptographic techniques are vulnerable to misuse, leading to systems that can be successfully attacked by an adversary.
- Postage meter credit may still be tampered with, even if cryptographic techniques are used.
- A postage meter may be opened and examined by adversaries looking for cryptographic keys, thus allowing the adversary to build new bogus postage meters.

Even more problematic, Pastor's proposal relies on an implicit assumption that a master list containing all examined indicia is maintained. This would require a large, distributed database on a highly available network connecting post office facilities. With nearly 40,000 postal facilities and a yearly volume of 165 billion pieces of mail, such an integrated, real-time, distributed, highly-available database would be unrealistic at present without dramatically increasing the cost of postage.

This paper describes a complete postal franking system addressing these concerns. This system is most suitable for a PC or workstation printing out cryptographic indicia on a standard laser printer. A slightly less secure design also allows postal meters to print out cryptographic indicia. Central to our design is the use of tamper-proof computing devices, such as those specified in the US FIPS 140-1 standard [6]. Using this technology, we can produce secure, unforgeable postal indicia.

3 Traditional Indicia

Here we review the structure of traditional indicia and define necessary properties for cryptographic indicia.

Today's postage meters are portable devices containing a print mechanism and a postage accounting mechanism, enclosed in a sealed case. Each postage meter is initialized with a postage credit by a post office; as each letter is stamped, the postage value is deducted from the machine's credit. Meters are periodically returned to the post office so that additional postage credit may be transferred to them. Although postage meter cases are not tamper-resistant or tamper-proof, they are supposed to be tamper-evident. Meters are subject to periodic inspection by postal authorities. Unfortunately, the tamper-evident mechanisms frequently fail. Further problems are created by stolen or missing meters, which cannot be inspected but may be in use. Finally, postal employees often fail to recognize signs of tampering.

Traditional postage meters maintain three important registers:

- ascending register: the monetary total value of all indicia ever produced by this meter.
- descending register: the remaining credit available in the meter.
- piece-count register: the number of indicia with non-zero postage produced by the meter^2.

When a new indicia is printed by a meter, the postage value of the new indicia is added to the ascending register and subtracted from the descending register, and the piece-count is incremented by one. During normal operation, the ascending and descending registers sum to a constant value. When the meter is refilled and additional postage credit is transferred to a meter, the sum of the ascending and descending registers increases.

Footnote 2: Zero postage indicia are sometimes used for testing.
Figure 1: Traditional indicia can be easily forged or reproduced by a laser printer.

Figure 1 shows an example of a traditional indicia. It contains information about postage value, date, etc. On the left side of the indicia are the words "Presorted First Class" printed vertically, identifying the class of the mail. Immediately to the right is the city-state circle, which notes the city (Pittsburgh), state (Pennsylvania) and the date (26th February, 1993) of the indicia. Further to the right, and directly underneath the eagle, is a meter identification mark (PB METER 6829680). This indicates that the imprint was made by a Pitney-Bowes meter, serial number 6829680. Finally, in the box on the right-hand end of the indicia is the postage value (29 cents).

The basic function of an indicia is to demonstrate to the postal carrier that postage has been paid. To make copying more difficult, the indicia is printed using special fluorescent ink. However ink fluorescence is rarely checked, and in any case fluorescent ink is openly sold without restriction. Moreover, rubber stamps that produce bogus indicia can be easily special ordered. So, little sophistication and little investment is required to defeat the traditional postal indicia security measures.

4 Cryptographic Indicia

Using cryptography, we can design postage indicia that substantially improve upon the security of traditional postage meter indicia. In particular, we can guarantee the following two properties: (a) copied indicia are detectable and (b) malicious users cannot generate valid new indicia (even by modifying existing indicia).

We achieve the first property by including additional information in indicia: the destination, sender, and return address of the mail, and the date/time of creation of the indicia. Such indicia can be copied, but since the destination address is included in the indicia, the copied indicia is only valid for mail to the same address. As we shall discuss later, this check can be automated. The inclusion of timestamps allows us to set a maximum "lifetime" for an indicia. Serial numbers trace the source of the attack to a unique postage meter licensee.

The second property is achieved using cryptography. Indicia information is digitally represented, cryptographically signed [12], and printed on an envelope as a 2-D barcode^3. Such barcodes can be printed using commodity laser printers, and they can be scanned and re-digitized at a post office. Several 2-D barcode technologies exist; Figure 2 shows Lincoln's Gettysburg Address encoded in Symbol Technologies PDF417 barcode [3, 9, 10]. PDF417 can store 400 bytes per square inch.

Footnote 3: In addition to the 2-D barcode, the envelope will contain human-readable versions of some information, such as the postage value, and addresses.

Figure 2: PDF417 barcode representation of The Gettysburg Address

Central to the security of cryptographic indicia is checking indicia validity. Section 5 addresses this important issue.

5 Indicia Design

What type of cryptographic signature algorithm should we use? Most cryptographic signature algorithms require different amounts of time for generating the signature and verifying the signature. For a cryptographic postal indicia system, the bottleneck is signature verification: a typical post office will verify many more mail items than a typical mailer will generate. This argues that we should use a signature mechanism with fast verification time. The two most widely used signature mechanisms are RSA [12] and DSA [7]; of these RSA is best suited for our purposes because it gives the fastest signature verification times.

RSA is a block cipher; it signs plaintext in fixed length blocks. Given the state of cryptography today, we recommend the use of RSA with 128 byte blocks. Smaller block sizes will not be safe for the expected lifetime of our system. If indicia include a certificate containing the verification public key (see Section 6), then barcodes will contain 256 bytes of data, of which 128 bytes will be for mail-specific information. Depending on the amount of error-correction required, such 2-D barcodes will occupy 0.6 to 1.0 square inches.

For the best security, cryptographic postage indicia should contain the following items:

- meter number (4 bytes) and type (2 bytes): this field identifies the manufacturer, model number, individual meter number, and revision number for the meter's software.
- postage (2 bytes): in addition to the 2-D barcode, this field should appear in human readable form.
- date/time (7 bytes): in addition to the 2-D barcode, this field should appear in human readable form.
- item count (4 bytes): this field contains a piece count for this particular meter. For privacy reasons^4, this should not be readable to non-USPS parties.
- ascending and descending registers (4 bytes each): again, for privacy reasons, these should not be readable to non-USPS parties.
- entry address (5 bytes)^5: this is the address from which the mail is stamped and enters the mail system.
- destination address (5 bytes): the destination address must also be fully written out in human readable form.
- return address (5 bytes): this is the address to which undeliverable mail should be returned. It may or may not be the same as the entry address. The return address must also be fully written out in human readable form.

These items use a total of 38 bytes of our 128 byte data field, leaving 90 bytes available for future advanced services.

Footnote 4: If item counts or ascending/descending register values can be read from the envelope, then it is possible for an outsider (e.g. business competitor) to find out the size of a mailing list by comparing the item counts from successive mailings.

Footnote 5: The USPS 11 digit "zip+4+2" address representation uniquely identifies all addresses in the US and fits in 5 bytes.

Up to now, we have discussed systems which incorporate the destination address in the indicia. Unfortunately, this requirement precludes the traditional stand-alone model of a postage meter which affixes an indicia without knowing the destination address. To use a stand-alone system with the above indicia, the operator would need to scan or manually enter the address information into the unit.

A more convenient, but less secure system, is also possible: a stand-alone meter could omit destination address information from the indicia. (Note that entry address and return address information are likely to be fixed, so that these can be reasonably included in an indicia produced by a stand-alone device.) Without the destination address information, our indicia validity checking becomes more difficult; we discuss this in Section 6.

6 Sampling Strategies and Fraud Detection

Cryptographic indicia provide no security unless mail is inspected. Maximum security is obtained if every indicia is scanned and verified. However the support for this (in terms of scanning and verification equipment) is unlikely to be in place in the near future. The alternative is to check only a fraction of the mail stream.

We discuss three inspection strategies: random sample scanning, selective scanning using hand-held scanners and universal scanning. As the system evolves, we expect that each strategy (and perhaps combination of strategies) will have its place. It is therefore important to adopt a system that supports all three.
6.1 Random Sampling

In random sampling, some small sample of the mail entering the system is selected and scanned. As we increase the proportion of scanned mail, we increase the chances of detecting fraud, but we also increase the cost of scanning. An important design issue is how to check only a fraction of the mail stream, and still provide effective fraud control. It is important that sampling be sufficiently random so that the chance that any particular item is sampled is bounded above and below by a minimum and maximum value.

Each scanned item will be subjected to a number of static checks. Some of these checks indicate definite fraud, while others only indicate possible fraud. Envelopes that are definitely fraudulent can be withdrawn from the mail stream. Those that are just suspicious must remain in the system, but will be recorded for follow-up fraud investigation (for instance, the envelope could be photocopied or digitally scanned). We now outline each check in detail:

Validity: Is the indicia valid (does it have a correct format and signature)? (If this check fails, then the indicia almost certainly is fraudulent.)

Item Counts: Are the sequence count, ascending register and descending register consistent? (If this check fails, then the indicia is likely to be fraudulent.)

Meter Number: Is the meter on a list of stolen or suspicious meters? (The trustworthiness of this test depends on the integrity of the list of stolen/suspicious meters.)

Item Count Limits: Do the item counts fall within the bounds specified in the meter's current account information^6? (The trustworthiness of this test depends on the integrity and timeliness of the meter accounting information.)

Date: Is the date recent? (This test may occasionally fail for legitimate mail because the mail may be stamped but not posted immediately, or because of post office delays.)

Entry Address: Do the entry address on the indicia and the meter's registered address correspond, and are they consistent with the actual point of entry of the mail item into the mail stream? (US postal regulations require that metered mail be posted at the post office where the meter is registered. Currently, this rule is not strictly enforced. Hence, a failure of the entry address check indicates a suspicious mail item, but it does not indicate definite fraud. If compliance with the regulation becomes mandatory, then the reliability of this check would correspondingly increase.)

Return Address: Does the return address on the envelope correspond with that on the indicia?

Destination Address: Does the destination address on the envelope correspond with that on the indicia? (If the destination address is omitted from the indicia, this check cannot be performed.)

Footnote 6: A meter's account specifies the current meter credit and count numbers, and this sets upper and lower bounds on the sequence count, and ascending and descending registers counts for a particular period.
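As an added illustration (not code from the paper), the following Python packs the Section 5 fields into the 128-byte data block and runs the static checks listed above over a few constructed scanned items, grading each failure the way the paper does (definite fraud, likely fraud, or merely suspicious). Field widths come from Section 5; the byte order, the integer encoding of the 11-digit zip code, the all-zero marker for an omitted destination, the account record format and every sample value are assumptions. The signature half of the validity check needs the key material of Section 7 and is not part of this block.

```python
# Added example, not from the paper: pack the Section 5 indicia fields into the
# 128-byte data block and run the Section 6.1 static checks over constructed items.
# Field widths follow the paper; byte order, address encoding, the account record
# format and all sample values are assumptions made for this illustration.
import struct
from datetime import datetime, timedelta

# meter number 4, type 2, postage 2, date/time 7, item count 4, ascending 4,
# descending 4, entry address 5, destination 5, return 5 (big-endian assumed)
LAYOUT = ">I H H 7s I I I 5s 5s 5s"
FIELD_BYTES = struct.calcsize(LAYOUT)
DATA_FIELD = 128                  # one RSA block, as the paper recommends
NO_DEST = "00000000000"           # assumed marker: stand-alone meter omitted the destination

def pack_datetime(dt):
    """Seven bytes: year (2), month, day, hour, minute, second."""
    return struct.pack(">H5B", dt.year, dt.month, dt.day, dt.hour, dt.minute, dt.second)

def unpack_datetime(raw):
    return datetime(*struct.unpack(">H5B", raw))

def pack_zip(zip11):
    """Assumed encoding of the 11-digit zip+4+2 code as a 5-byte integer."""
    return int(zip11).to_bytes(5, "big")

def unpack_zip(raw):
    return str(int.from_bytes(raw, "big")).zfill(11)

def pack_indicia(f):
    body = struct.pack(LAYOUT, f["meter"], f["type"], f["postage"], pack_datetime(f["when"]),
                       f["count"], f["ascending"], f["descending"],
                       pack_zip(f["entry"]), pack_zip(f["dest"]), pack_zip(f["ret"]))
    return body.ljust(DATA_FIELD, b"\0")   # spare bytes reserved for future services

def unpack_indicia(block):
    m, t, p, when, c, a, d, entry, dest, ret = struct.unpack(LAYOUT, block[:FIELD_BYTES])
    return {"meter": m, "type": t, "postage": p, "when": unpack_datetime(when), "count": c,
            "ascending": a, "descending": d, "entry": unpack_zip(entry),
            "dest": unpack_zip(dest), "ret": unpack_zip(ret)}

# How the paper grades each failed check: definite fraud, likely fraud, or merely suspicious.
SEVERITY = {"validity": "definite", "item-counts": "likely", "meter-number": "suspicious",
            "item-count-limits": "suspicious", "date": "suspicious",
            "entry-address": "suspicious", "return-address": "suspicious",
            "destination-address": "suspicious"}

def static_checks(block, envelope, account, stolen_meters, now, max_age=timedelta(days=30)):
    """Return {check name: severity} for every check the scanned item fails."""
    try:
        if len(block) != DATA_FIELD or any(block[FIELD_BYTES:]):
            raise ValueError("wrong length or non-zero reserved bytes")
        f = unpack_indicia(block)
    except (struct.error, ValueError):
        return {"validity": SEVERITY["validity"]}   # unparseable format (signature check not shown here)
    failed = []
    # ascending + descending must equal the credit ever loaded into the meter (Section 3)
    if f["ascending"] + f["descending"] != account["credit_loaded"]:
        failed.append("item-counts")
    if f["meter"] in stolen_meters:
        failed.append("meter-number")
    low, high = account["count_bounds"]
    if not low <= f["count"] <= high:
        failed.append("item-count-limits")
    if not timedelta(0) <= now - f["when"] <= max_age:
        failed.append("date")
    if not f["entry"] == account["registered_zip"] == envelope["entry"]:
        failed.append("entry-address")
    if f["ret"] != envelope["ret"]:
        failed.append("return-address")
    if f["dest"] != NO_DEST and f["dest"] != envelope["dest"]:   # cannot be checked when omitted
        failed.append("destination-address")
    return {name: SEVERITY[name] for name in failed}

# Constructed sample data (not real meters or accounts).
ACCOUNT = {"credit_loaded": 50000, "count_bounds": (1200, 1500), "registered_zip": "15213000100"}
STOLEN = {1111111}
NOW = datetime(1993, 3, 1, 12, 0, 0)
GOOD = {"meter": 6829680, "type": 0x0101, "postage": 29, "when": datetime(1993, 2, 26, 9, 30, 0),
        "count": 1234, "ascending": 41257, "descending": 8743,
        "entry": "15213000100", "dest": "92093011400", "ret": "15213000100"}
GOOD_BLOCK = pack_indicia(GOOD)
TAMPERED_BLOCK = pack_indicia(dict(GOOD, descending=18743))    # credit register inflated
STOLEN_BLOCK = pack_indicia(dict(GOOD, meter=1111111))
GOOD_ENVELOPE = {"entry": "15213000100", "dest": "92093011400", "ret": "15213000100"}
COPIED_ENVELOPE = dict(GOOD_ENVELOPE, dest="07974000100")      # same indicia, different addressee

if __name__ == "__main__":
    for label, block, env in [("good", GOOD_BLOCK, GOOD_ENVELOPE), ("copied", GOOD_BLOCK, COPIED_ENVELOPE),
                              ("tampered", TAMPERED_BLOCK, GOOD_ENVELOPE), ("stolen", STOLEN_BLOCK, GOOD_ENVELOPE)]:
        print(label, static_checks(block, env, ACCOUNT, STOLEN, NOW))
```

The copied item passes every check except the destination comparison, which is exactly the detection path the paper relies on for copied indicia; the tampered item trips the register-sum invariant of Section 3 without any signature verification, which is why the paper grades that failure as "likely" rather than "definite" fraud.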
In addition to these checks, information from sampled mail items that are stamped by the same meter should be collected and subjected to some statistical checks. To describe these checks, suppose that one in every items is scanned.

Item Counts: Dates should increase with item counts. The average increment between items should be about . The same item count should not occur twice.

Account Check: If, over some interval of time, n items with a specific meter (or PC postage system) number are scanned, then the account for that meter should indicate about n items.

Depending on the equipment used, some of these checks may be performed on-line (that is, the check is done as the piece of mail is being scanned). However, it is likely that most checks will have to be done off-line (particularly those that involve looking up a database of previously scanned material). From the point of view of catching fraudulent letters, it is better to perform checks on-line: if we find a suspicious letter, we can capture the particular item, rather than let it pass on through the system. Note that we only suggest delaying delivery of mail in those cases where there is clear fraud.

Random sample scanning is particularly effective against high volume violators, such as most postage meter users.

6.2 Selective Scanning with Hand-Held Scanners

This strategy involves selecting some portion of the mail stream for validation based on criteria such as suspicious visual indicators (for example, the indicia may look unusual or tampered, the return address may be unusual, etc.). All of the static checks described above for random sampling are applicable. (We presume that hand-held scanners will be periodically downloaded with lists of suspicious meters and revoked certificates; see Section 7.) Those checks that cannot be carried out on the spot could be performed later by storing the scanned indicia in the hand-held unit and transmitting them to a central server at the end of the day.

6.3 Universal Scanning

Universal scanning means that each mail item is scanned. Here we can check for uniqueness of meter numbers and item count numbers. We can also check for the consistency of postage used with descending register values. The implementation of such a system faces two challenges. First, all envelopes must be scanned or recorded in some form. Second, universal scanning involves considerable database requirements. Fortunately we can take advantage of the locality characteristics of mail. Since metered mail typically enters the mail stream at a single sorting center^7, we can set up a localized database at all initial sorting centers. Most checks can be performed by looking up the local database. Some checks will require communication between databases (when mail enters the mail stream at a different sorting center). These are likely to be rare.

Universal scanning will not be cost-effective in the next few years. However, it may become cost-effective in the future. The system we have described is compatible with such a move. All of the checks described for random sampling are applicable, and are in fact more effective in this setting. In particular, universal scanning would greatly increase the chances of detecting violators who post a low volume of mail.

Footnote 7: As noted earlier, US postal regulations require that metered mail be posted at the post office where the meter is registered.

6.4 Fraud Detection

There are two basic kinds of attacks: copying of indicia and forging of indicia. For each of these, there are two subcases: those involving indicia that include destination address information, and those involving indicia that omit it. The table below summarizes our fraud detection methods.

                   Destination Address Included          Destination Address Omitted
  Copied Indicia   Immediate detection of changed        Immediate detection of changed
                   address information; otherwise        entry or return address; otherwise
                   use statistical methods.              use statistical methods.
  Forged Indicia   Immediate detection.                  Immediate detection.

7 Key Management and Protection

Fundamental protection for our keys will be provided by a tamper-proof device that will be able to:

- store and maintain ascending, descending, and item count registers;
- keep the device's private/public key pair, and a certificate signed by an authority (typically a manufacturer or the postal service) attesting to the device's public key (the private key should never be disclosed outside the device);
- prepare bytes (including the appropriate message digitally signed by the device's public key) for transformation in 2-D barcode format; and
- be tamper-proof in the sense that any attempt to penetrate it will result in the private key of the device being erased.

Several appropriate tamper-proof platforms exist, and more are forthcoming. Some of these are very secure, satisfying the highest security level specified by US Federal Information Processing Standard 140-1 [6]. (This publication gives four security levels for cryptographic modules. The highest levels of security are considered nearly unbreakable systems. The US National Institute of Standards and Technology has also recently announced a system for validating and ranking proposed physical devices according to the FIPS 140-1 criteria.) Some examples of possible technologies include the ABYSS [16] and Citadel [17] systems from IBM; the iPower [5] encryption card by National Semiconductor; the CryptaPlus [15] encryption card by Telequip; the CY512i chip from Cylink [1]; and some tamper-proof smartcard systems [2]. There will be additional announcements of tamper-proof devices with increased processing power from major vendors in the next few months. Many of these devices are highly portable and exist in PCMCIA or smartcard format. We propose that users lease a secure device (private ownership of postal meters or postal equipment is illegal in the US) from an authorized vendor. The same types of secure devices could be used for both postage meters and computer-generated postage.

Key generation and maintenance must address two issues. First, we want each device to have its own key to reduce the risk exposure should a key be compromised. Second, it is not practical to maintain more than a small number of keys in each hand-held scanner. These two problems can be elegantly solved by the use of public key certificates.

We use vendor-specific and device-specific public/private key pairs. Specifically, each vendor has a public/private key pair: the public key is revealed to the post office, and the private key is used only by the vendor. Each device has a different public/private key: the public key is revealed to the vendor and the private key is used to encrypt indicia.

The two groups of keys are used as follows. A device generates its key pair on initialization (typically performed in a secure facility by the vendor). The device transfers its public key to the vendor and the vendor generates a simple public key certificate for the device's key, signed using the vendor's private key. These certificates are far simpler than X.509 or other proposed public key certificates; they contain only a license number, an expiration date, and the public key corresponding to the license. This certificate is then transferred back to the device. The device includes the certificate (along with a vendor identifier) in any indicia it generates. When an indicia is scanned, the post office uses the vendor's public key to check the certificate and obtain the device specific key, which in turn is used to verify the signed data in the main part of the indicia.

Note that the security of the system (from a fraud point of view) does not depend on keeping the public keys secret: these keys could be published, and in fact the communications between tamper-proof devices and vendor's certificate generators can be public. However, if both the device specific and vendor specific public keys are kept secret, then we obtain an additional benefit: cryptographic indicia can only be read by the post office and vendors. This could be used to satisfy privacy requirements for sensitive information contained in the indicia.

Key certificates should be renewed in conjunction with the legally required physical inspection of equipment. New key certificates could be downloaded through a network or modem; or the physical device could be sent back to the factory for certificate renewal. Since most existing and proposed tamper-proof devices are highly portable, this is a very practical measure.

We anticipate a relatively small number of vendors, and we believe that all scanning devices will be able to easily store all vendor public keys. Updated lists of vendor public keys can be periodically downloaded into each scanning device.

Although tamper-proof devices should be free from attack, one must not exclude the possibility that some private key may become compromised by an adversary. For this reason, a revocation list should be maintained of revoked private keys. This list can periodically be downloaded to scanning devices (along with a list of license numbers of stolen or lost equipment.)
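The certificate scheme of Section 7, as an added example that is not part of the paper: a vendor signs a minimal certificate (license number, expiration date, device public key) for each device, the device signs its indicia data, and a scanner that holds only the vendor public keys plus a revocation list verifies the chain and rejects expired, revoked, unknown-vendor or altered items. The RSA here is textbook hash-then-sign over toy 384-bit keys, so it is an illustration of the verification flow only; the certificate encoding, key sizes, sample license number and dates are assumptions.

```python
# Added example, not from the paper: the two-level key scheme of Section 7 with
# textbook hash-then-sign RSA over toy 384-bit keys (illustration only; a real
# system would use a padded signature scheme and the 128-byte blocks the paper
# recommends). Certificate encoding, license numbers and dates are assumptions.
import hashlib
import random
import struct
from datetime import date

random.seed(7)                   # reproducible toy keys
KEY_BITS = 384
KEY_BYTES = KEY_BITS // 8

def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def gen_keypair(bits=KEY_BITS, e=65537):
    """Textbook RSA: returns ((n, e), (n, d)); n has its top bit set so a SHA-256 digest is below n."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:       # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(priv, msg):
    n, d = priv
    return pow(digest(msg), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == digest(msg)

# The paper's minimal certificate: license number, expiration date, device public key.
def encode_cert(license_no, expires, pub):
    n, e = pub
    return struct.pack(">II", license_no, expires.toordinal()) + n.to_bytes(KEY_BYTES, "big") + struct.pack(">I", e)

def decode_cert(body):
    license_no, exp_ordinal = struct.unpack(">II", body[:8])
    n = int.from_bytes(body[8:8 + KEY_BYTES], "big")
    (e,) = struct.unpack(">I", body[8 + KEY_BYTES:12 + KEY_BYTES])
    return license_no, date.fromordinal(exp_ordinal), (n, e)

def issue_certificate(vendor_priv, license_no, expires, device_pub):
    """Vendor side: certify the device's public key with the vendor's private key."""
    body = encode_cert(license_no, expires, device_pub)
    return body, sign(vendor_priv, body)

def make_indicia(vendor_id, cert, device_priv, data):
    """Device side: emit certificate, vendor id, indicia data and the device's signature."""
    body, cert_sig = cert
    return {"vendor": vendor_id, "cert": body, "cert_sig": cert_sig, "data": data, "sig": sign(device_priv, data)}

def verify_indicia(ind, vendor_keys, revoked, today):
    """Scanner side: holds only vendor public keys and a revocation list of license numbers."""
    vendor_pub = vendor_keys.get(ind["vendor"])
    if vendor_pub is None:
        return False, "unknown vendor"
    if not verify(vendor_pub, ind["cert"], ind["cert_sig"]):
        return False, "bad certificate signature"
    license_no, expires, device_pub = decode_cert(ind["cert"])
    if today > expires:
        return False, "certificate expired"
    if license_no in revoked:
        return False, "license revoked"
    if not verify(device_pub, ind["data"], ind["sig"]):
        return False, "bad indicia signature"
    return True, "valid"

# Constructed parties: one vendor, one leased device, one scanner key list.
VENDOR_ID = 1
VENDOR_PUB, VENDOR_PRIV = gen_keypair()
DEVICE_PUB, DEVICE_PRIV = gen_keypair()
DEVICE_CERT = issue_certificate(VENDOR_PRIV, 6829680, date(1996, 12, 31), DEVICE_PUB)
SCANNER_VENDOR_KEYS = {VENDOR_ID: VENDOR_PUB}
AS_OF, AFTER_EXPIRY = date(1996, 6, 1), date(1997, 1, 1)
SAMPLE = make_indicia(VENDOR_ID, DEVICE_CERT, DEVICE_PRIV, b"constructed 128-byte indicia data")

if __name__ == "__main__":
    print(verify_indicia(SAMPLE, SCANNER_VENDOR_KEYS, set(), AS_OF))
    print(verify_indicia(dict(SAMPLE, data=b"altered"), SCANNER_VENDOR_KEYS, set(), AS_OF))
```

The scanner never stores a device key: every device key arrives inside the indicia and is trusted only because the vendor signature over the certificate checks out, which is what lets a hand-held unit get by with a short list of vendor keys plus the downloaded revocation list.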
8 Conclusion

In the coming months, the US Postal Service plans to begin to experiment with cryptographic indicia through its IBIP program [13]. This will provide an exciting opportunity to see public key cryptography techniques deployed on a wide scale (if successful, most people in the US will be receiving mail with cryptographic indicia in the near future).
References

[1] Cylink Corp. CY512i press release, February 1995.
[2] Louis Claude Guillou, Michel Ugon, and Jean-Jacques Quisquater. The smart card: a standardized security device dedicated to public cryptology. In Gustavus J. Simmons, editor, Contemporary Cryptology: The Science of Information Integrity. IEEE Press, Piscataway, NJ, 1992.
[3] Stuart Itkin and Josephine Martell. A PDF417 primer: A guide to understanding second generation bar codes and portable data files. Technical Report Monograph 8, Symbol Technologies, April 1992.
[4] Bill McAllister. Postage meter fraud estimated at $100 million this year. Washington Post, September 1993.
[5] National Semiconductor, Inc. iPower chip technology press release, February 1994.
[6] U.S. National Institute of Standards and Technology. Federal Information Processing Standards Publication 140-1: Security requirements for cryptographic modules, January 1994.
[7] U.S. National Institute of Standards and Technology. Federal Information Processing Standards Publication 186: Digital Signature Standard, May 1994.
[8] Jose Pastor. CRYPTOPOST(TM): A universal information based franking system for automated mail processing. U.S.P.S. Advanced Technology Conference Proceedings.
[9] Theo Pavlidis, Jerome Swartz, and Ynjiun P. Wang. Fundamentals of bar code information theory. Computer, 23(4):74–86, April 1990.
[10] Theo Pavlidis, Jerome Swartz, and Ynjiun P. Wang. Information encoding with two-dimensional bar codes. Computer, 24(6):18–28, June 1992.
[11] Judy Rakowsky. 4 men accused of pocketing $4 million in postage fraud scheme. Boston Globe, February 1995.
[12] R. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, February 1978.
[13] U.S. Postal Service. Information Based Indicia Program (IBIP) New Technology Metering Devices, May 1995.
[14] U.S. Postal Service and U.K. Royal Mail. Personal communications.
[15] Telequip, Inc. CryptaPlus press release, January 1995.
[16] Steve H. Weingart. Physical security for the ABYSS system. In Proceedings of the IEEE Computer Society Conference on Security and Privacy, pages 52–58, 1987.
[17] Steve R. White, Steve H. Weingart, William C. Arnold, and Elaine R. Palmer. Introduction to the Citadel architecture: Security in physically exposed environments. Technical Report RC 16672, Distributed Security Systems Group, IBM Thomas J. Watson Research Center, March 1991. Version 1.3.