I am interested in the mechanics of these cards, which are smart cards
for use on London's transport system. One would hope given the
reported £1billion+ that they are secure.

Apparently they work using a form of RFID

According to http://www.google.co.uk/search?q=cac...hl=en&ie=UTF-8

Embedded in the smartcard is a small microchip, which can handle and
store information, and an ariel. When the card is touched to the
cardreader, power flows through the aerial and information moves from
the card to the reader and back again. Communication between the card
and reader is by radio signals and takes less than a fifth of a
second.

Once issued, Oyster cards can be topped up to meet the travel needs of
each customer. This can be done at the upgraded ticket machines in
stations, at any of the local ticket outlets or at a station ticket
office. The ability for customers to purchase and top up smartcards
away from the station i.e. internet and telesales are being developed
for introduction next year.

Individual members of the TranSys consortium have successfully
installed, operated or are developing similar systems around the
world, including in San Francisco, Los Angeles and Hong Kong and
therefore can use their experience to build and maintain a world class
system for London.

Smartcards are amongst the most secure ways to store information and
users of Oyster can be confident of the security of the data on their
card. Access to the information is only possible using secret keys
specific to that card, known only to devices permitted to process the
cards. These cards are very difficult to break into, making the cards
very secure; in the unlikely event that a card has its key broken
then the system - and all other cards - will remain secure.

----

I don't know if the mechanics system of this are documented anywhere,
or have been analyzed by anyone independent, but I am wondering about
the cryptographic approach used for this system.

I can see potentially two (or three) ways of doing this system:

using a globally unique identifier - a unique ID on the card. All
information is stored on London Transport's servers. When a card is
used, radio contact is made to the central server to find what value
is remaining on the card.

I don't believe that this is the case. Considering the large number of
readers (handheld, fitted to buses and underground gates), and the
speed of operation, this doesn't seem feasible. The only security
problem I can see with this method, assuming it is in use, is cloning:
e.g., cloning an annual travel card (value up to £2500). This could be
detected fairly easily, in that I assume that the train readers store
information, which is regularly analyzed to detect fraudulent
acitivity.

secondly: using encrypted information stored on the card as to what
the card's capabilities (e.g., 1 month bus pass, expiring 20th
November, valid zones 1-4). Some kind of public/private key would work
well here, in that the public key would not be keept secure.

The problem with this is that the cards are reusable, and have some
kind of recharge functionality. This means that a potentially large
number of devices would have to have the ability to modify the
information. It also doesn't really handle the question of how the
promised ability to renew online will be functionality.

This appears to be implied from the fact that the blurb states that
there is a private key technology work 'known only to the device
readers'. Given that there are thousands of these readers fitted to
every bus, train station, and possibly some other forms of transport
as well, how secure can something equipped to thousands of devices be;
if the system can be cracked, you can be sure that it will be worth
someone's while to do so.

thirdly: a combination of the two: the cards do appear to have some
kind of unique identifier, as it is possible to enter your id number
into their website, which is linked to your details. This does not
preclude them from storing validity information as well, for the
benefit of devices that are not connected up to the central database.


Any insights better than mine into how the system works, and where
vulnerabilites lie would be welcomed.

Thanks

PS. Does anyone know whether the bus passes actually store zone
information, and whether this is checked by the buses? I have a
single-zone pass and I'm curious to know whether it would work in
other zones.

On Tue, 18 Nov 2003 03:47:35 +0000, Matthew wrote:

I am interested in the mechanics of these cards, which are smart cards
for use on London's transport system. One would hope given the
reported £1billion+ that they are secure.

Apparently they work using a form of RFID
very large snip

Given the fact that these cards are smart cards, I believe
that your speculations are wrong. I could not find any
technical information about the card, but I have some
experience with smart cards, so here are my speculations.

The system is probably based on conventional secret key encryption, I
would not be surprised when it simply uses single DES. The oyster card
would contain several cryptographical keys. For example, it will
contain a key that is used to write info about the card capabilities.
You will need that key to be able to update the info on the card. The
card will also contain some authentication key that readers will use
to verify that it is a valid card. Card authentication will use some
challenge-response protocol, where the reader will generate a random
challenge and the card should return the value of this challenge
encrypted with the authentication key. Again, when you will need to
have this key in order to convince the card readers.

Even though there are some possible attacks, in general it is very
difficult to extract those keys from the smart card.

The next problem is, how do these readers work? In order to
authenticate the card they will also need the same authentication keys
that the card has. Every reader has a SAM (Security Access Module)
that securely holds these keys, in most cases the SAM is just another
type of smart card. What basically happens is that the SAM and the
postcard will engage in some end-to-end secure communication
protocol, after which the SAM will tell the reader if the card was OK
or not. The SAM will not be able to encrypt external data with the
authentication key, otherwise it could be used to imitate the
oyster cards. So even when you steal a SAM, it is of little use, you can
only use it to read and validate other oyster cards.

The keys for updating the oyster cards are not available on the SAM for
the normal card readers. It is very likely that they are only stored
in some secure central location and that all places where you can
update the card will have to communicate with this central
location. Again, this will be an end-to-end secure protocol between the
oyster card and the central location.

Another trick that is likely to be used is key diversification. The
keys for a specific card is derived from some master key in such a way
that it is unique for this card, e.g. the card authentication key for
a card is probably derived from a master authentication key by
encrypting the card id with the master authentication key. In this
way, even when one card is cracked, you still don't have the keys for
the other cards.

I expect that this system should be fairly secure, breaking smart cards
is certainly not trivial. Smart cards have been used for quite some
time, e.g. as electronic purses, in several countries and as far as I
know there have not been any major attacks against the smart cards
themselves.

BTW, one of the major reasons that many public transportation
institutions are highly interested in smart cards is that it will give
them a wealth of information about the travel patterns of their
customers, which they don't have now.

greetings,

Ernst Lippe

"Ernst Lippe" wrote in message ...
On Tue, 18 Nov 2003 03:47:35 +0000, Matthew wrote:

I am interested in the mechanics of these cards, which are smart cards
for use on London's transport system. One would hope given the
reported £1billion+ that they are secure.

Apparently they work using a form of RFID
very large snip

Given the fact that these cards are smart cards, I believe
that your speculations are wrong. I could not find any
technical information about the card, but I have some
experience with smart cards, so here are my speculations.

The cards are manufactured by Philips, and are described here
http://www.semiconductors.philips.co...nders/ebg0038/

Here is some interesting information regarding what is and isn't on
the card (all the information is stored on the chip) from
http://www.computerweekly.com/Article123251.htm

Monk added that memory capacity is a key benefit of the Oyster card.

"For example, the technology could offer discounts right across the
different modes of transport in London," he said. "Current magnetic
cards cannot provide the level of stored data that smartcards can."

He also expects to see a decline in the amount of travelcard-related
fraud and theft. "If someone steals an Oyster card we can deactivate
it immediately and they are left holding nothing more than a piece of
plastic."

Apparently the promised ability to recharge the card by telephone and
internet will operate in a rather inconvenient way (you will have to
make your way to specific stations, even if your card happens to be a
bus pass)

'Travellers can renew Travelcards on their Oyster card over the
telephone or using the internet. The ticket is automatically loaded
when the smartcard is touched on a dedicated card terminal at a Tube
station gate at a nominated station.'

It's difficult to see how something that operates in this way can hope
to replace cash fares, as it is more difficult to charge the card than
to even buy one of the current generation of magnetic cards (bus
passes and travel cards), which are currently available from
newsagents and other retailers, providing a convient service, as well
as revenue source for the retailers.

In article ,
Matthew wrote:
It's difficult to see how something that operates in this way can hope
to replace cash fares, as it is more difficult to charge the card than
to even buy one of the current generation of magnetic cards (bus
passes and travel cards), which are currently available from
newsagents and other retailers, providing a convient service, as well
as revenue source for the retailers.

Pass agents (ie, newsagents where you can buy a travelcard) are
starting to get Oyster card updating hardware, too - the one opposite
Finchley Central station in Station Road has one.

I don't know what features their terminals have.

--
Good night little fishey-wishes.... I've counted you, so no
sneaky eating each other.
-- FW (should I worry?)

(Matthew) wrote in message . com...
It's difficult to see how something that operates in this way can hope
to replace cash fares, as it is more difficult to charge the card than
to even buy one of the current generation of magnetic cards (bus

You're making the classic mistake of thinking that this is being done for
OUR benefit. Nothing is ever done for the consumers benefit , its done for
the companies benefit and if it happens to benefit the consumer then , well
thats nice, if not , just chuck some marketing at it and the sheep will be
molified.

B2003

Ernst Lippe wrote:
On Tue, 18 Nov 2003 03:47:35 +0000, Matthew wrote:

I am interested in the mechanics of these cards, which are smart
cards for use on London's transport system. One would hope given the
reported £1billion+ that they are secure.
[...]
I expect that this system should be fairly secure, breaking smart
cards is certainly not trivial. Smart cards have been used for quite
some time, e.g. as electronic purses, in several countries and as far
as I know there have not been any major attacks against the smart
cards themselves.

It's not a partiularily smart card, and it is kinda old news, but the
electronic bus tickets that were used here in New Zealand were broken. To
quote Peter Gutmann's page:

"In October 1997 I broke the security of the smart cards used by the Yellow
Bus Company, Auckland's largest public transport organisation. These are
10-ride rechargeable cards that come in various forms (adult, child,
different numbers of fare stages, and so on). As it turns out the cards have
very little security, so that it's possible to recharge them or copy them
without too much effort (to test this I created a demo $50 test card that
was accepted by the reader as a normal bus pass). I informed the YBC of the
problem, and the story was covered in Computerworld New Zealand, 26 January
1998."

I beleive there was a similar attack developed against the Telecom
phone-call cards, though I can't find any details of it so quite possibly it
was just my imagination.

[...]

--
Michael Brown
www.emboss.co.nz : OOS/RSI software and more
Add michael@ to emboss.co.nz - My inbox is always open

Michael Brown wrote


I beleive there was a similar attack developed against the Telecom
phone-call cards, though I can't find any details of it so quite possibly it
was just my imagination.

At one time BT phone-call cards used IR pulses to deactivate (melt) each
token on the card. If you covered the relevant part of the card with eg a
good quality clear nail polish the deactivation failed, and you could reuse
the card forever. I don't think they work that way any more.



Oyster cards have a few unexpected security risks - people tend to keep them
in their wallets, and take their wallets out of their pockets to wave over
the reader. Gives pickpockets a chance to eye up the wallet, and learn where
its owner keeps it, and it gives thugs the chance/ inspiration to grab the
wallet and run.

The privacy implications aren't good either. All card usage is tracked
offline, to prevent use by multiple people, and usage records stored for
that purpose. The Police etc can ask for them (and may soon become able to
demand them, but that's another story) and use them to track your movements.


--
Peter Fairbrother

Peter Fairbrother wrote:
Oyster cards have a few unexpected security risks - people tend to
keep them in their wallets, and take their wallets out of their
pockets to wave over the reader. Gives pickpockets a chance to eye up
the wallet, and learn where its owner keeps it, and it gives thugs
the chance/ inspiration to grab the wallet and run.

Unexpected? Why is that any different from the situation with old-style
mag-stripe season tickets? Are you suggesting that people who keep their
Oyster in their wallet didn't keep their old season tickets there?
--
Richard J.
(to e-mail me, swap uk and yon in address)

Richard J. wrote

Peter Fairbrother wrote:
Oyster cards have a few unexpected security risks - people tend to
keep them in their wallets, and take their wallets out of their
pockets to wave over the reader. Gives pickpockets a chance to eye up
the wallet, and learn where its owner keeps it, and it gives thugs
the chance/ inspiration to grab the wallet and run.

Unexpected? Why is that any different from the situation with old-style
mag-stripe season tickets? Are you suggesting that people who keep their
Oyster in their wallet didn't keep their old season tickets there?

To quote RP on another list:

"However, you still have to get your wallet out, as the range is
reportedly not enough otherwise. I'd rather *not* take my wallet out in
a place like Kings Cross, and so I always keep my paper ticket in the
breast pocket of my shirt - where it's really easy to take out and use."

Personally, I keep them in my left trousers back pocket.


--
Peter Fairbrother

On Wed, 19 Nov 2003 05:49:38 +0000, Peter Fairbrother
wrote:

Michael Brown wrote


I beleive there was a similar attack developed against the Telecom
phone-call cards, though I can't find any details of it so quite possibly it
was just my imagination.

At one time BT phone-call cards used IR pulses to deactivate (melt) each
token on the card. If you covered the relevant part of the card with eg a
good quality clear nail polish the deactivation failed, and you could reuse
the card forever. I don't think they work that way any more.


There aren't any BT phonecards (at least in the sense of cards that
you load value onto and put in a public phone) any more. However the
first generation of BT phone cards were reputed to be very easy to
hack - this sounds like why



Oyster cards have a few unexpected security risks - people tend to keep them
in their wallets, and take their wallets out of their pockets to wave over
the reader. Gives pickpockets a chance to eye up the wallet, and learn where
its owner keeps it, and it gives thugs the chance/ inspiration to grab the
wallet and run.


Good point that the risks often have as much, or more, to do with
users' behaviour than the technical characteristics of the card.
Though in practice do people keep their Oyster cards in their wallet?
I keep mine in a separate wallet with my photocard, which is how I've
carried my travelcard for years. The walllet with my cash and credit
cards is separate, but of course it comes out when I want to buy a
paper and a cup of coffee before I get on my train or bus.

The privacy implications aren't good either. All card usage is tracked
offline, to prevent use by multiple people, and usage records stored for
that purpose.

Again (and I'm aware this is controversial) I'm not convinced it's a
big deal. Given the extent to which, in my case, Vodafone and Lloyds
TSB can already track my movements,and that TfL is only monitoring my
movements in terms of my use of their services, then I can't get
worried about TfL having a record of my Oyster use.

The Police etc can ask for them (and may soon become able to
demand them, but that's another story) and use them to track your movements.

OK - but that's an issue with whether the police have excessive
powers, not specifically an issue with Oyster. In any case plastic
cards tend to fall out of pockets, get stolen, and, however good the
security, will eventually get cloned: all reasons why a plastic card
being in a particular place isn't very strong evidence that its owner
was in a particular place

Martin