Thread: Security of Oyster Cards
View Single Post
  #21   Report Post  
Old November 18th 03, 11:12 PM posted to uk.transport.london
Matthew Matthew is offline
external usenet poster
  
First recorded activity at LondonBanter: Nov 2003
Posts: 6
Default Security of Oyster Cards
Paul Corfield wrote in message . ..
On 18 Nov 2003 03:47:35 -0800, (Matthew) wrote:

I am interested in the mechanics of these cards, which are smart cards
for use on London's transport system. One would hope given the
reported £1billion+ that they are secure.
[snip]
I don't know if the mechanics system of this are documented anywhere,
or have been analyzed by anyone independent, but I am wondering about
the cryptographic approach used for this system.
[snip]

I can see potentially two (or three) ways of doing this system:
[snip]
Any insights better than mine into how the system works, and where
vulnerabilites lie would be welcomed.

Out of curiosity why do you wish to know?

As one of the people who wrote the spec for Prestige (but not to the
technical level of detail you are enquiring about) I am somewhat
concerned. Perhaps you can enlighten me as to your motives?

let me see. I could either be:

(a) a criminal determined to save the £7.50/week cost of my zone 4
pass, and asking how to do this in a public forum, conveniently
providing my name and email address

or
(b) someone with an enquiring mind intrigued about the technical
workings of a system, and concerned/interested about the security of
it.

I will leave you to work it out.

PS. Does anyone know whether the bus passes actually store zone
information, and whether this is checked by the buses? I have a
single-zone pass and I'm curious to know whether it would work in
other zones.

So why don't you simply attempt to board a bus in a zone outside the
validity of your card and see what happens? This is far easier than
divulging the coding and interrogation details of a secure system in a
public forum.

I don't believe that there is anything especially confidential about
the mechanics of this system. True security works through secure keys
and public algorithms, not by hiding ones methods. In fact, it is
possible to buy mifare readers/writers online, as well as the cards,
so the general principles are public knowledge. Trade secrets of this
nature are usually protected by patents, which are published and
available for all to see. The technical workings of this sytem, if not
the precise coding and file structure, are most likely well-known.
Reply With QuoteReply With Quote