London Transport (uk.transport.london): Discussion of all forms of transport in London.
Security of Oyster Cards
On Tue, 18 Nov 2003 03:47:35 +0000, Matthew wrote:
> I am interested in the mechanics of these cards, which are smart cards for use on London's transport system. One would hope given the reported £1billion+ that they are secure. Apparently they work using a form of RFID

[very large snip]

Given the fact that these cards are smart cards, I believe that your speculations are wrong. I could not find any technical information about the card, but I have some experience with smart cards, so here are my speculations.

The system is probably based on conventional secret key encryption, I would not be surprised if it simply uses single DES. The oyster card would contain several cryptographical keys. For example, it will contain a key that is used to write info about the card capabilities. You will need that key to be able to update the info on the card. The card will also contain some authentication key that readers will use to verify that it is a valid card. Card authentication will use some challenge-response protocol, where the reader will generate a random challenge and the card should return the value of this challenge encrypted with the authentication key. Again, you will need to have this key in order to convince the card readers. Even though there are some possible attacks, in general it is very difficult to extract those keys from the smart card.

The next problem is, how do these readers work? In order to authenticate the card they will also need the same authentication keys that the card has. Every reader has a SAM (Security Access Module) that securely holds these keys, in most cases the SAM is just another type of smart card. What basically happens is that the SAM and the postcard will engage in some end-to-end secure communication protocol, after which the SAM will tell the reader if the card was OK or not. The SAM will not be able to encrypt external data with the authentication key, otherwise it could be used to imitate the oyster cards. So even when you steal a SAM, it is of little use, you can only use it to read and validate other oyster cards.

The keys for updating the oyster cards are not available on the SAM for the normal card readers. It is very likely that they are only stored in some secure central location and that all places where you can update the card will have to communicate with this central location. Again, this will be an end-to-end secure protocol between the oyster card and the central location.

Another trick that is likely to be used is key diversification. The keys for a specific card are derived from some master key in such a way that they are unique for this card, e.g. the card authentication key for a card is probably derived from a master authentication key by encrypting the card id with the master authentication key. In this way, even when one card is cracked, you still don't have the keys for the other cards.

I expect that this system should be fairly secure, breaking smart cards is certainly not trivial. Smart cards have been used for quite some time, e.g. as electronic purses, in several countries and as far as I know there have not been any major attacks against the smart cards themselves.

BTW, one of the major reasons that many public transportation institutions are highly interested in smart cards is that it will give them a wealth of information about the travel patterns of their customers, which they don't have now.

greetings,
Ernst Lippe
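The challenge-response check and key diversification speculated about in the post above, as an added sketch that is not part of the original post and not taken from any real Oyster implementation. HMAC-SHA256 stands in for the single DES the post guesses at, and the class names, card ids and keys are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def prf(key: bytes, data: bytes) -> bytes:
    # Stand-in keyed function (assumption): HMAC-SHA256 instead of DES encryption.
    return hmac.new(key, data, hashlib.sha256).digest()

def diversify(master_key: bytes, card_id: bytes) -> bytes:
    # Per-card key derived from the master key and the card id.
    return prf(master_key, b"auth|" + card_id)

class Card:
    def __init__(self, card_id: bytes, auth_key: bytes):
        self.card_id = card_id
        self._auth_key = auth_key  # diversified key only, never the master key

    def respond(self, challenge: bytes) -> bytes:
        return prf(self._auth_key, challenge)

class Sam:
    """Holds the master key and only ever answers 'valid' or 'not valid'."""
    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self._pending = None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def check(self, card_id: bytes, response: bytes) -> bool:
        challenge, self._pending = self._pending, None  # each challenge is single-use
        if challenge is None:
            return False
        expected = prf(diversify(self._master_key, card_id), challenge)
        return hmac.compare_digest(expected, response)

def authenticate(sam: Sam, card: Card) -> bool:
    return sam.check(card.card_id, card.respond(sam.new_challenge()))

def demo() -> dict:
    master = secrets.token_bytes(32)                 # constructed sample key
    sam = Sam(master)
    card_a = Card(b"CARD-0001", diversify(master, b"CARD-0001"))
    forged = Card(b"CARD-0002", card_a._auth_key)    # card A's key under another id
    old_response = card_a.respond(sam.new_challenge())
    sam.new_challenge()                              # reader has moved on to a fresh challenge
    return {"genuine": authenticate(sam, card_a),
            "key_reused_on_other_id": authenticate(sam, forged),
            "replayed_response": sam.check(card_a.card_id, old_response)}

if __name__ == "__main__":
    print(demo())
```

The `Sam` class exposes no method that returns a keyed value for caller-supplied data, mirroring the post's point that a stolen SAM can validate cards but cannot impersonate one.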