London Transport (uk.transport.london) Discussion of all forms of transport in London.
#1
I am interested in the mechanics of these cards, which are smart cards for use on London's transport system. One would hope given the reported £1billion+ that they are secure. Apparently they work using a form of RFID.

According to http://www.google.co.uk/search?q=cac...hl=en&ie=UTF-8

Embedded in the smartcard is a small microchip, which can handle and store information, and an aerial. When the card is touched to the cardreader, power flows through the aerial and information moves from the card to the reader and back again. Communication between the card and reader is by radio signals and takes less than a fifth of a second.

Once issued, Oyster cards can be topped up to meet the travel needs of each customer. This can be done at the upgraded ticket machines in stations, at any of the local ticket outlets or at a station ticket office. The ability for customers to purchase and top up smartcards away from the station i.e. internet and telesales are being developed for introduction next year.

Individual members of the TranSys consortium have successfully installed, operated or are developing similar systems around the world, including in San Francisco, Los Angeles and Hong Kong and therefore can use their experience to build and maintain a world class system for London.

Smartcards are amongst the most secure ways to store information and users of Oyster can be confident of the security of the data on their card. Access to the information is only possible using secret keys specific to that card, known only to devices permitted to process the cards. These cards are very difficult to break into, making the cards very secure; in the unlikely event that a card has its key broken then the system - and all other cards - will remain secure.

----

I don't know if the mechanics system of this are documented anywhere, or have been analyzed by anyone independent, but I am wondering about the cryptographic approach used for this system.

I can see potentially two (or three) ways of doing this system:

using a globally unique identifier - a unique ID on the card. All information is stored on London Transport's servers. When a card is used, radio contact is made to the central server to find what value is remaining on the card. I don't believe that this is the case. Considering the large number of readers (handheld, fitted to buses and underground gates), and the speed of operation, this doesn't seem feasible. The only security problem I can see with this method, assuming it is in use, is cloning: e.g., cloning an annual travel card (value up to £2500). This could be detected fairly easily, in that I assume that the train readers store information, which is regularly analyzed to detect fraudulent activity.

secondly: using encrypted information stored on the card as to what the card's capabilities (e.g., 1 month bus pass, expiring 20th November, valid zones 1-4). Some kind of public/private key would work well here, in that the public key would not be kept secure. The problem with this is that the cards are reusable, and have some kind of recharge functionality. This means that a potentially large number of devices would have to have the ability to modify the information. It also doesn't really handle the question of how the promised ability to renew online will function. This appears to be implied from the fact that the blurb states that there is a private key technology work 'known only to the device readers'. Given that there are thousands of these readers fitted to every bus, train station, and possibly some other forms of transport as well, how secure can something equipped to thousands of devices be; if the system can be cracked, you can be sure that it will be worth someone's while to do so.

thirdly: a combination of the two: the cards do appear to have some kind of unique identifier, as it is possible to enter your id number into their website, which is linked to your details. This does not preclude them from storing validity information as well, for the benefit of devices that are not connected up to the central database.

Any insights better than mine into how the system works, and where vulnerabilities lie would be welcomed.

Thanks

PS. Does anyone know whether the bus passes actually store zone information, and whether this is checked by the buses? I have a single-zone pass and I'm curious to know whether it would work in other zones.
#2
On Tue, 18 Nov 2003 03:47:35 +0000, Matthew wrote:
I am interested in the mechanics of these cards, which are smart cards for use on London's transport system. One would hope given the reported £1billion+ that they are secure. Apparently they work using a form of RFID

very large snip

Given the fact that these cards are smart cards, I believe that your speculations are wrong. I could not find any technical information about the card, but I have some experience with smart cards, so here are my speculations.

The system is probably based on conventional secret key encryption, I would not be surprised when it simply uses single DES. The oyster card would contain several cryptographical keys. For example, it will contain a key that is used to write info about the card capabilities. You will need that key to be able to update the info on the card. The card will also contain some authentication key that readers will use to verify that it is a valid card. Card authentication will use some challenge-response protocol, where the reader will generate a random challenge and the card should return the value of this challenge encrypted with the authentication key. Again, when you will need to have this key in order to convince the card readers. Even though there are some possible attacks, in general it is very difficult to extract those keys from the smart card.

The next problem is, how do these readers work? In order to authenticate the card they will also need the same authentication keys that the card has. Every reader has a SAM (Security Access Module) that securely holds these keys, in most cases the SAM is just another type of smart card. What basically happens is that the SAM and the postcard will engage in some end-to-end secure communication protocol, after which the SAM will tell the reader if the card was OK or not. The SAM will not be able to encrypt external data with the authentication key, otherwise it could be used to imitate the oyster cards. So even when you steal a SAM, it is of little use, you can only use it to read and validate other oyster cards.

The keys for updating the oyster cards are not available on the SAM for the normal card readers. It is very likely that they are only stored in some secure central location and that all places where you can update the card will have to communicate with this central location. Again, this will be an end-to-end secure protocol between the oyster card and the central location.

Another trick that is likely to be used is key diversification. The keys for a specific card are derived from some master key in such a way that it is unique for this card, e.g. the card authentication key for a card is probably derived from a master authentication key by encrypting the card id with the master authentication key. In this way, even when one card is cracked, you still don't have the keys for the other cards.

I expect that this system should be fairly secure, breaking smart cards is certainly not trivial. Smart cards have been used for quite some time, e.g. as electronic purses, in several countries and as far as I know there have not been any major attacks against the smart cards themselves.

BTW, one of the major reasons that many public transportation institutions are highly interested in smart cards is that it will give them a wealth of information about the travel patterns of their customers, which they don't have now.

greetings,
Ernst Lippe
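The challenge-response check, verdict-only SAM and key diversification speculated about in the post above, as an added example that is not part of the original thread and not the Oyster or MIFARE protocol. It assumes HMAC-SHA256 in place of the DES encryption the post guesses at (the Python standard library has no DES), and the `Card`, `Sam`, `prf` and `diversify` names and the card ids are hypothetical.

```python
import hashlib
import hmac
import secrets

def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the DES encryption the post guesses at.
    return hmac.new(key, data, hashlib.sha256).digest()

def diversify(master_key: bytes, card_id: bytes) -> bytes:
    """Per-card authentication key derived from the master key and the card id."""
    return prf(master_key, b"auth|" + card_id)

class Card:
    """Hypothetical card: stores only its own diversified key."""
    def __init__(self, card_id: bytes, card_key: bytes):
        self.card_id, self._key = card_id, card_key
    def respond(self, challenge: bytes) -> bytes:
        return prf(self._key, challenge)

class Sam:
    """Hypothetical SAM: holds the master key and returns only a verdict."""
    def __init__(self, master_key: bytes):
        self._master, self._pending = master_key, {}
    def new_challenge(self, card_id: bytes) -> bytes:
        self._pending[card_id] = secrets.token_bytes(16)
        return self._pending[card_id]
    def verify(self, card_id: bytes, response: bytes) -> bool:
        challenge = self._pending.pop(card_id, None)  # each challenge is single-use
        if challenge is None:
            return False
        expected = prf(diversify(self._master, card_id), challenge)
        return hmac.compare_digest(expected, response)

def demo():
    master = secrets.token_bytes(32)          # constructed sample master key
    sam = Sam(master)
    card = Card(b"card-0001", diversify(master, b"card-0001"))
    first = card.respond(sam.new_challenge(card.card_id))
    genuine = sam.verify(card.card_id, first)
    sam.new_challenge(card.card_id)           # fresh challenge, old response replayed
    replayed = sam.verify(card.card_id, first)
    # A key recovered from card-0001 does not authenticate as card-0002.
    imposter = Card(b"card-0002", card._key)
    other = sam.verify(imposter.card_id,
                       imposter.respond(sam.new_challenge(imposter.card_id)))
    return genuine, replayed, other

if __name__ == "__main__":
    print(demo())
```

The `Sam` class exposes only `new_challenge` and `verify`, so holding one does not let a reader compute a valid response for someone else's challenge.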
#5
"Mok-Kong Shen" wrote in message ...

John Hadstate wrote:

(Matthew) wrote in message

Access to the information is only possible using secret keys specific to that card, known only to devices permitted to process the cards. These cards are very difficult to break into, making the cards very secure; in the unlikely event that a card has its key broken then the system - and all other cards - will remain secure.

All of the above adds up to a classic case of "security by obscurity." This might mean that the inventors have already identified or suspect weaknesses in their system that they hope will remain undiscovered if no one is permitted to analyze their system too closely.

On the other hand, if the cost/risk of analysis is sufficiently high, there would be 'practical' security, I suppose. (Actually, banknotes are similar in this respect, I believe. There are sayings, though, that the techniques/knowhow of the fraudsters are now quite comparable to those of the governments in making banknotes.)

Actually, today banknotes aren't naively stuffed with anti-forgery features but the idea is to make it unprofitable to fake a banknote in a small-scale production. So, a forger is forced to go large-scale which in turn is easily detectable (duplicate serial numbers or unexplainable inflation for instance) and which also justifies a large-scale counteraction to find and disable him.

Lots of Greetings!
Volker
#6
On 18 Nov 2003 16:13:18 GMT, Huge wrote:
The hardware is a Philips MIFARE card.

http://www.nationalsmartcard.com.au/news.cfm?newsid=128

That page says "The Oyster card has attracted widespread criticism in the UK press over the alleged incompatibility of the card with a similar scheme being developed by the UK's national rail network.". What is this rival system? It's the first I've heard about it.
#7
(Matthew) writes:
I am interested in the mechanics of these cards, which are smart cards for use on London's transport system. One would hope given the reported £1billion+ that they are secure. Apparently they work using a form of RFID.

According to http://www.google.co.uk/search?q=cac...hl=en&ie=UTF-8

Embedded in the smartcard is a small microchip, which can handle and store information, and an aerial. When the card is touched to the cardreader, power flows through the aerial and information moves from the card to the reader and back again. Communication between the card and reader is by radio signals and takes less than a fifth of a second.

If these cards are what have been introduced in Espoo/Helsinki/Vantaa over the last year or so, then the above is theoretical nonsense. As a regular bus user I can honestly say that the new cards make embarkation massively slower than the old 'punch-card' tickets.

Old method: click-click - half a second

New method: wave. nothing. press. nothing. hold. nothing. give to friend - he holds it against the sensor. nothing. give back to original person and hold it near the sensor. beeeep! - 5 seconds or so.

If you've got exact change, then cash is quicker than the cards. I've seen some people even give up and eventually just pay in cash!

Sorry, no cryptographic insight, but simply an IMHO of why the things should be burnt and their inventor publicly flogged, hehehe.

Phil

--
Unpatched IE vulnerability: ADODB.Stream local file writing
Description: Planting arbitrary files on the local file system
Exploit: http://ip3e83566f.speed.planet.nl/eeye.html (but unrelated to the EEye exploit)
#9
In message , Paul Corfield writes

So why don't you simply attempt to board a bus in a zone outside the validity of your card and see what happens? This is far easier than divulging the coding and interrogation details of a secure system in a public forum.

But any travelcard covers buses in any zone. And, next year there will only be one bus zone anyway....

At an LU station he'd get a 57 which would tell him nothing except the brand of a well known tinned food manufacturer... (And a request to pay the difference, of course)

--
Kat
Women and cats will do as they please, and men and dogs should relax and get used to the idea - Robert A. Heinlein
#10
On Tue, 18 Nov 2003 07:42:09 +0000, John Hadstate wrote:
(Matthew) wrote in message . com...

I am interested in the mechanics of these cards, which are smart cards for use on London's transport system. One would hope given the reported £1billion+ that they are secure.

Smartcards are amongst the most secure ways to store information and users of Oyster can be confident of the security of the data on their card.

Says who?

Of course, this was a quote from either the transport company, who spent a lot of money on this and is therefore convinced that it must be secure or from the manufacturer that certainly will not make much money by selling insecure products. Nevertheless, I think that the statement that smart cards are one of the most secure ways to store information is basically correct.

Access to the information is only possible using secret keys specific to that card, known only to devices permitted to process the cards. These cards are very difficult to break into, making the cards very secure; in the unlikely event that a card has its key broken then the system - and all other cards - will remain secure.

All of the above adds up to a classic case of "security by obscurity."

It might, when they have let some incompetent persons design the system. On the other hand, virtually all companies are highly secretive about their security measures, but this does not necessarily imply that these measures are inadequate.

This might mean that the inventors have already identified or suspect weaknesses in their system that they hope will remain undiscovered if no one is permitted to analyze their system too closely.

Smartcard companies have employed some very competent people. For example, one of the main designers of the electronic smart card purse, that we use here, was Joan Daemen (also responsible for Rijndael). Smartcards are basically dedicated crypto engines, and you can use them to build very secure systems (and yes you can also use them to build insecure systems). Just like other forms of cryptography smartcards are generally the strongest part of the system, and most attackers will simply try to attack the other parts.

greetings,
Ernst Lippe