I am publishing this post as a hobbyist, because I find barcodes cool (as demonstrated by a prior open source project using 2D barcodes that I worked on). Do not attempt to use this information for any illegitimate purpose. Counterfeiting postage is a federal crime. 18 U.S.C. § 501.
Blogs don’t really have to be about a single theme, but it’s nice when they let the blogger’s personality shine through. This post ties together some of my favourite things: 2D barcodes, high speed automation, printers, cryptographic signatures (!), postal mail and postage, fraud prevention, and even a little bit about patents! If you know me at all, you’ll understand why I find this stuff so ridiculously cool.
Background: printing stamps at home
Did you know that you can literally print your own postage? You have to pay for the value of the postage, of course, but with the right thermal printer and USPS-approved labels, there are “PC postage” services like pbSmartPostage (by Pitney Bowes, the same company that makes commercial postage meters and mailroom equipment for big businesses) and Endicia.com that will let you do so without monthly fees.
I should note that, given the cost of consumables, even without monthly fees, most people would not benefit from PC postage. But if you ever send certified mail, send letters in large envelopes or heavier than 1 ounce, ship packages, or send mail internationally — and I have done all of the above in the last few months alone (heck, I might be single-handedly keeping the post office in business) — it’s quite convenient to be able to print just the right amount (e.g. $4.155 for certified 2-ounce First Class lettermail) instead of figuring out how to stick eight-and-a-half (?) Forever stamps to one envelope or instead of waiting in line at the post office.
Sometimes I just want to prepare my mail at home, sipping tea, in my pajamas, you know?
The United States Postal Service only allows you to do so through authorized vendors, including pbSmartPostage, Endicia.com/DYMO Stamps, and Stamps.com. (Each of these companies operates under contract with the USPS.) Printed postage labels aren’t just graphics like preprinted stamps. They contain unique 2D barcodes, which the USPS calls “information-based indicia” (IBI), that validate the postage.
As annoying as it may be to have a big advertisement at the top of the label paper, the pink strip is actually part of what allows the USPS to validate this kind of postage at high speed, automatically.
Ordinarily, the USPS equipment “look[s] for special ink in the stamp or postage area” to validate the postage. Plain ol’ stamps are “tagged” with some kind of fluorescence — phosphors in the paper, ink, or coating — that allows them to be recognized and validated by the high-speed Facer Canceler machines. That’s how they very quickly detect counterfeit stamps that might look real to the untrained eye. Meter imprints, used by business mailrooms, are printed in fluorescent ink, and now include the same kind of 2D barcodes, too.
Because PC postage, printed at home, is usually done by a thermal label printer — or, in some cases, by laser or inkjet printer — the fluorescence has to be in the label supplies, either in the label paper or the pink/orange strip, for the automated machinery to recognize these mailpieces as bearing postage.
Peeking into the barcode
Here’s an example 1-cent postage label I printed, which we can analyze. (Please don’t try to use this — it won’t be valid postage if you reprint it, and it is a federal crime to counterfeit postage…)
The label contains several important elements:
- Fluorescent strip, at top; see previous section for discussion
- 2D (Data Matrix) barcode
- Value of postage ($0.01)
- Sender ZIP code (02138)
- Device ID/type (024P0007631396)
- Apparently, some sort of customer ID (0017056389) — this line has remained the same across all of the postage I’ve printed
- Provider name (Pitney Bowes)
I’m not the first person to try decoding these barcodes by hand — some folks over at Stack Overflow have apparently tried. If you simply tried to scan the barcode with a standard smartphone app, you’d get seemingly unreadable gobbledygook.
Well, obviously the USPS isn’t relying on gobbledygook. In fact, the 2D barcode encodes all of the remainder of the list (#3-7), in addition to other data fields and a cryptographic signature.
How do we know this? Well, two specifications from 1999 and 2000 defined the standards. US patent 7233930 assigned to Pitney Bowes, filed in November 2000, referred to these specifications and summarized the new barcoded postage standards:
The Information-Based Indicia Program (IBIP) is a distributed trusted system established by the USPS to retrofit and augment existing postage meters using new technology known as information-based indicia. The IBIP relies on digital signature techniques to produce for each mail piece an indicium whose origin cannot be repudiated. Thus, in contrast to traditional postage metering systems employing mechanical printing technology and physical security, the IBIP supports new methods of securely applying postage to mail pieces. Generally, the IBIP requires printing a high density two-dimensional (2D) bar code on a mail piece. The 2D barcode encodes various information associated with the mail piece and is subsequently signed with a digital signature.
The USPS has published detailed specifications for the IBIP. Generally, the IBIP is directed to two types of postage metering systems. The first type is referred to as a closed system and is defined in the INFORMATION BASED INDICIA PROGRAM—PERFORMANCE CRITERIA FOR INFORMATION-BASED INDICIA AND SECURITY ARCHITECTURE FOR CLOSED IBI POSTAGE METERINGS SYSTEMS, dated Jan. 12, 1999, (“IBIP Closed System Specification”). The second type is referred to as an open system and is defined in the INFORMATION BASED INDICIA PROGRAM—PERFORMANCE CRITERIA FOR INFORMATION-BASED INDICIA AND SECURITY ARCHITECTURE FOR OPEN IBI POSTAGE EVIDENCING SYSTEMS, dated Feb. 23, 2000, (“IBIP Open System Specification”). Together, the IBIP Closed System Specification and the IBIP Open System Specification define the requirements for next generation postage metering systems.
PC postage stamps that are printed for value (e.g. 2-ounce First Class domestic mail for $0.705) and can be affixed to any such mailpiece — rather than for a particular mailpiece (e.g. 2-ounce First Class domestic mail for $0.705 to John Doe in ZIP code 01234-5678) — seem to fall under the IBIP Closed System Specification. Page 9 of that specification includes a handy table:
The majority of the barcode data is in a binary format, to keep the payload small and the printed barcode compact. This is why standard barcode decoders, which attempt to render the data as human-readable text, fail.
There is an online barcode reader that helpfully decodes the binary data. ClearImage recognizes the above postage stamp as this:
    0000 00 01 be ab 19 00 30 32 34 50 24 72 74 00 69 c7 | ~~~~~~024P$rt~i~ |
    0010 e0 11 00 0a 00 00 67 9e 33 01 0c 1b 00 00 00 00 | ~~~~~~g~3~~~~~~~ |
    0020 00 00 00 85 42 04 01 00 00 f7 da 05 00 30 30 30 | ~~~~B~~~~~~~~000 |
    0030 30 96 48 00 92 0d c2 e4 62 eb 7f cb 95 c3 e5 8e | 0~H~~~~~b~~~~~~~ |
    0040 6c 59 e9 d8 28 87 fd bd 45 69 5c 21 c1 84 40 76 | lY~~(~~~Ei\!~~@v |
    0050 79 9c d1 c6 05 54 c1 36 70 00 00 5a 08 00 00 08 | y~~~~T~6p~~Z~~~~ |
    0060 00 00 00 00 00                                  | ~~~~~ |
Now we’re getting somewhere!
Fitting this hex data into the IBIP Closed System Specification, and correcting for the byte order, we can figure out each component:
Download this IBIP barcode decoder (Excel spreadsheet) to plug in your own data, after first extracting the 2D barcode’s binary payload. Maybe I could even create an app to decode the whole thing, from start to finish, in the near future…
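The decoding step described above, as an added Python example (not the author's spreadsheet and not USPS or vendor code): it walks the payload from the hex dump and reads integers as little-endian. The names `version_assumed`, `date_assumed` and `field_11_unnamed`, the field sizes, and the sender-ZIP offset inside the reserved bytes are assumptions fitted to this one sample and to the values the post reports.

```python
# Payload bytes copied from the hex dump in the post (101 bytes).
PAYLOAD = bytes.fromhex(
    "00 01 be ab 19 00 30 32 34 50 24 72 74 00 69 c7"
    "e0 11 00 0a 00 00 67 9e 33 01 0c 1b 00 00 00 00"
    "00 00 00 85 42 04 01 00 00 f7 da 05 00 30 30 30"
    "30 96 48 00 92 0d c2 e4 62 eb 7f cb 95 c3 e5 8e"
    "6c 59 e9 d8 28 87 fd bd 45 69 5c 21 c1 84 40 76"
    "79 9c d1 c6 05 54 c1 36 70 00 00 5a 08 00 00 08"
    "00 00 00 00 00"
)

# (name, size in bytes, kind); integers are little-endian. Names ending in
# "_assumed"/"_unnamed" are not given in the post; sizes fit this sample.
LAYOUT = [
    ("version_assumed", 1, "int"), ("algorithm_id", 1, "int"),
    ("certificate_serial", 4, "int"), ("manufacturer_id", 2, "ascii"),
    ("model_id", 2, "ascii"), ("serial_number", 4, "int"),
    ("ascending_register", 5, "int"), ("postage", 3, "int"),  # both in mils
    ("date_assumed", 4, "int"), ("licensing_zip", 4, "int"),
    ("field_11_unnamed", 5, "raw"), ("software_id", 6, "int"),
    ("descending_register", 4, "int"), ("rate_category", 4, "ascii"),
    ("signature", 40, "raw"),
]

def decode_indicium(payload):
    """Split a payload into fields; trailing bytes are kept as 'reserved'."""
    need = sum(size for _, size, _ in LAYOUT)
    if len(payload) < need:
        raise ValueError(f"payload is {len(payload)} bytes, need {need}")
    fields, pos = {}, 0
    for name, size, kind in LAYOUT:
        chunk, pos = payload[pos:pos + size], pos + size
        if kind == "int":
            chunk = int.from_bytes(chunk, "little")
        fields[name] = chunk.decode("ascii") if kind == "ascii" else chunk
    fields["reserved"] = payload[pos:]
    # Sender ZIP offset inside the reserved bytes is inferred from this sample.
    fields["sender_zip"] = int.from_bytes(fields["reserved"][2:6], "little")
    return fields

def device_id(f):  # human-readable device line = fields 4-6 concatenated
    return f"{f['manufacturer_id']}{f['model_id']}{f['serial_number']:010d}"

def dollars(mils):  # registers count thousandths of a dollar
    return f"${mils // 1000:,}.{mils % 1000:03d}"

if __name__ == "__main__":
    for name, value in decode_indicium(PAYLOAD).items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

The signature bytes are only extracted here, not verified, since that requires the provider's public key.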
We’ve done it!
We’ve decoded just about every bit of this barcode. Of course, I can’t actually validate the digital signature — that depends on having the public key of the cryptographic certificate issued by the IBIP Certificate Authority.
If you were paying close attention, you can see how the barcode data matches the human-readable components. (Actually, this is how I determined the meaning of the human-readable lines besides the sender ZIP.)
- The upper human-readable line of letters/digits under the ZIP code, 024P0007631396, is in fact a concatenation of barcode fields 4–6 (manufacturer ID 02, model ID 4P, serial number 0007631396).
- The lower human-readable line of digits, 0017056389, is barcode field 12 (software ID, seemingly issued by the PC postage service to a user).
- The sender ZIP, 02138, is encoded in part of reserved field 2.
Here’s the label again, if you wanted to confirm that the barcode matches the human-readable text:
At this point, you might point out: hey, isn’t this wasted effort if all the information was already in the human-readable part?
Um, well, we learned a few more things:
- The internal certificate serial number used in their PKI, not that we can do anything with it…
- The “ascending register” tells us $299,943.785 in postage has supposedly been imprinted through this service.
- The “descending register” tells us there’s about $383.735 in remaining value in the service before it runs out of postage. Dubious data, but I would not be surprised if this is actually the remaining amount on deposit (perhaps to mitigate fraudulent hacks depleting all their postage?).
- The “licensing ZIP code” assigned to this service is apparently 06924, which is interesting, because that ZIP doesn’t correspond to any physical location. … This needs more investigation.
- With more samples, we might see a pattern in how the rate category is assigned to different rates (0000 matches the human-readable First Class text).
- We can at least tell that they’re not using RSA in the signature, which would be 128 bytes instead of only 40 bytes for DSA/ECDSA. With more samples from other providers, we might be able to confirm whether algorithm ID 01 actually corresponds to ECDSA.
- Haven’t you ever just been curious? Does everything have to have a point? Isn’t it enough that it’s cool to see cryptography and barcodes applied at scale like this?
Amazingly, this system designed in 1999–2000 — relying on even older algorithms (heck, they’re using SHA-1 message digests) — was so durable, and reasonably secure, that it’s been in continuous operation for over 15 years. The design is really, really ingenious: a public key infrastructure (PKI) approach allows the USPS to validate mail offline, that is, without needing every stamp ever printed to be recorded in a central database before it can be validated. And because elliptic curve cryptography is fast, automation could realistically validate every barcode on every mailpiece without pausing. Conceivably, millions of mailpieces have been processed every one of those years using this technology. It’s quite an engineering marvel.
Then again, the community of people who care about stamps, or cryptographically-secured barcodes, or postal automation, is pretty small… Those interests just happened to have intersected for me.
Footnotes
1. To be totally accurate, the barcode decoder is properly decoding the 2D barcode into its constituent data, but it is (mistakenly) trying to decode that further as ASCII/ISO-8859-1/human-readable text.
2. The leftmost column is the byte index; the middle two blocks are the binary data represented in hexadecimal; and the right-most section is what the data would look like if it were transliterated directly into ISO-8859-1 (this isn’t useful for us).
3. “Public key” here is used in its cryptographic sense. Practically speaking, the public key is not public in the layman’s sense, because it is likely that only the postal meter/PC postage manufacturers and the USPS have access to it.
4. The latest generation of postal barcodes — Intelligent Mail, a 1D barcode that has mostly replaced POSTNET — does not replace Information-Based Indicia, although it supplements IBI for commercial mail, value-added services, and packages (IMpb). Intelligent Mail has sorting and tracking built-in, and individual mailpieces can be tracked centrally by the USPS, but the technology does not use public-facing cryptography because it does not serve the same purpose of validating postage. As of January 1, 2016, all postage evidencing systems must produce IBI and/or Intelligent Mail barcodes.
5. Did you know? Similar digital signatures are used to secure 2D barcodes (PDF417 for paper and Aztec/Data Matrix/QR for mobile) on airline boarding passes.