By Ding Fumin

The prepayment time sharing energy meter and its vending management system should provide extremely high security in all situations, with features including accurate and stable measurement functionality and strong anti-electromagnetic interference. It should guarantee high security in the process of data measurement and exchange, and should guarantee accuracy in measurement and settlement. It should also guarantee that the benefits to both customers and power suppliers are maintained.

The prepayment time sharing energy meter constitutes an organic unit with the vending management system and the prepayment key management system (the issuing card). Key to its design is security, and therefore it is necessary to test the security of the system from end to end, from the meter production process to operation management.

Because the number of users of the prepayment time sharing energy meter is large, and the exchange of data is through the IC card after the meter is installed, the management system cannot monitor the data in real time and so the user’s card must have a high level of security. In this case the prepayment time sharing energy meter has a CPU card with key control and high level security to ensure that the key cannot be intercepted or read during operation. In the process of issuing cards, the keys are randomised in order to reduce the possibility of the code being broken by a hacker, and also there is encryption protection during data transmission to prevent the possibility of altering the data.

The smart card has the following advantages over the logic encryption card:

  • Higher security: The smart card security is based on a special purpose, safe microprocessor hardware platform and a secure, reliable software card operating system (COS). The logical encryption card depends only on the logic circuit to realise data protection. Except for the password verification of the general logic encryption, the smart card can provide a safer authentication mechanism through the key and security algorithm. The authentication process takes a random number as the carrier, so that duplication and tracking of the data is prevented. In the case of the general logical encryption card the password verification process is not randomised and the password transmission process is specific for password testing and analysis. The smart card also supports a nimble key system design, enabling different combinations of file archive jurisdictions, according to the demand. For example, if used as an electronic wallet, the expenditure and remaining value may easily be controlled with a different key. If a general logical encryption card is used as the electronic wallet, the information is protected by only the one password, and the security is weak.
  • Greater flexibility: The smart card contains management chip hardware resources, which can generate different key systems according to need. Thus the card is guaranteed as multipurpose in terms of security and flexibility.
  • Better standard: The smart card is based on a more comprehensive international standard in terms of the communication protocol, documentation and ordering. Moreover its external characteristics can be expanded and upgraded through the operating system, offering better compatibility and functional extension. While the logical encryption card has no strict standard for communication, read-write characteristics or memory classification, the different products can not be for common use, which has limited the continuity of product space and supply, thus greatly reducing the life cycle of the system.


Separating the production and operation management processes ensures that once the meter is in operation any data exchange is performed under the control of the operation management system. It prevents the manufacturer or management personnel using the special tool card from rewriting meter data outside the management system. To ensure this, an embedded safe authentication secure access module (ESAM) is installed in the meter.

The ESAM becomes part of the finished product, and has all the characteristics of a highly secure mechanism, with a standard encryption algorithm producing a subsidiary key according to the dispersion factor, etc.

The ESAM special security enables its insertion into other safe smart equipment to complete the safe memory, digital signature, data encryption decipher, bidirectional status authentication, internal disperser key, electronic wallet, communication lines protection, etc.

The ESAM is used to save the data in the meter and the security key, whose safe authentication and data transmission in the operation process is carried by the user card and the ESAM. The ESAM is managed by the operation management system. When the meter is tested, the key in the ESAM is changed into an operation key by the revision key card of the management system. In this way, no-one in the factory can rewrite the data in the energy meter without authorisation.

The ESAM security module can be made by the meter operations management department and then sent to the manufacturer.

In the prepayment time sharing vending management system, system security is based mainly on the release and management of the key. Therefore there must be a set of appropriate cards as well as their releases and the transfer mode of the ESAM security module key. Because banks, public utilities (water, electricity, gas and heat) management sections, meter manufacturers, card suppliers, system integrators and others form part of the system, and each link is associated with the key management. If the key is stolen in the data transmission process, the security will be greatly affected. Thus the card release and key management structure is essential. The key release transmission takes on multiple levels from master control card to first class card, second class card, application card and so on, with each level transmitted to the next in a scrambled form.


Figure 1 - The prepayment meter key management system

Therefore, in the prepayment time sharing vending system, there are two systems – the key management system and the vending management system, which operate independently. The vending management is controlled by the key management system, which in turn is controlled by the utility’s meter management division. Each sub-system completes its respective work according to its function and jurisdiction. The system performance data is managed by a special database on a central computer, and the card which is used in the metering system can only accept the special card which is released by the key management system, as illustrated in Figure 1.

In the key management system, the power supply department is responsible for the key management and can decide to make the system correlation agreement public, and to issue the ESAM module so that each meter manufacturer can produce the meter based on the required demands of users and the special ESAM module.

The ESAM module has no direct connection with the IC card in the meter, but transmits data through the master control chip to perform the key certificate and data exchange with the IC card. The master control chip in the meter is responsible for data exchange between the IC card and ESAM module, but not for the key certificate and data solution.

The ESAM module stores the power purchase data and other important parameters, including the main key in document form, which can be read and changed as required. Each key from the production state in the ESAM can be changed into a working condition key by the operation management department changing main the key card, the parameters being written into the ESAM after passing the multistage key security certification. The MCU on the energy meter can only do the decreases progressively during operation of the power user’s account and the read operation of each run-set parameter, but it cannot reset the default parameters in the ESAM or supplement the vending data.