www.chyp.com 1

HCE A better way for smart mobile ticketing?

Payments Summit Orlando, April 2016, v0.3

Agenda

Some History

The problem

Traditional mobile solution

‘Secure-enough’ solution

The last year at ITSO

The way forward

2

Ar#cleinBCSITNow,pp34-5,December2015.

Some History

NFC Ticketing Pilots:

•  London - TfL

•  Bay Area – BART

•  Rhine-Main Traffic Association (RMV)

3

NFC Ticketing Today

4

Korea France(someof….) Turkey

Traditional mobile solution

Acceptance infrastructure •  Expensive to change •  Readers expect customer media to have keys

Mobile device has NFC •  Near Field Communication •  Can emulate a transit card (or reader)

Emulate the transit card •  Inside the mobile’s tamper-resistant secure element •  Secure element is usually the SIM card •  Mobile Network Operator owns the SIM •  Commercial barriers to entry

5

The problem

Authentication •  Cryptography •  Secret keys

Securing keys •  Tamper-resistant hardware “secure element”:

•  Smart cards as customer media •  Secure Access Modules (SAMs) in readers

6

‘Secure-enough’ solution

Mobile device has NFC •  Near Field Communication •  Accessible from apps using the Host

Card Emulation (HCE) app programming interface

•  i.e. not Apple iOS devices

Emulate the transit card •  Within an app •  Without relying upon a secure element •  Mobile Network Operator agreement

not needed •  µP and some DESFire only

7

Securing the keys

Use short-life keys •  To limit their value to attackers •  Maybe lasting just one day

Make the keys hard to find •  Within their useful life

No ‘free lunch’ •  Specialist techniques to hide the keys •  Periodic (perhaps daily) updates to keys for

longer-life tickets.

8

ITSO on HCE work in 2015

•  Funded by UK Department for Transport •  Remit was HCE without changing ITSO

infrastructure •  Options analysis •  High Level Design •  Lab-based proof of concept •  Risk Analysis to identify where controls

needed •  Testing against ITSO readers in ITSO

Warehouse •  Review by ITSO Security Committee •  Approval to go ahead

9

High level use cases

Provisioning •  Installation and configuration of app, handset

and customer identification, creation and installation of core application

Purchase •  Purchasing an HCE-based ticket (Product)

Refresh •  Initial download and then daily/regular refresh

of travel rights, without which travel rights expire and are unusable

Redeem •  Present HCE device to READER to gain travel

Inspect •  Present HCE device to RID to inspect media

and confirm customer has valid travel rights

10

HCE Mobile Device

Mobile OS

ITSO with HCE App

Application

Pro

duct

ITSO with HCE App

Application

NFC Hardware

Revenue Inspector

App store

Ticket RetailerHCE Cloud Services(Perso)

READERRID

PersoSAM

SAMSAM

NFCNFC

GSM/WiFi

GSM/WiFi

Internet

HOST

HOST

Product Owner

SAM HOST

Pro

duct

Pro

duct

Pro

duct

Pro

duct

Pro

duct

Android KeyStore

Secure on device key storage

Can be HW backed •  TEE •  SE

Not in application layer

Supported Cryptograms: •  RSA – Jellybean onwards •  AES/EC – Marshmallow onwards

11

www.chyp.com

Want to know more? Contact:

12

Mail simon.laker@chyp.com Comment http://www.chyp.com/media/blog/ Listen http://www.chyp.com/media/podcasts/ Browse www.chyp.com Follow @chyppings

Consult Hyperion USA 535 Madison Avenue, 19th Floor New York, NY 10022, USA. +1 888 835 6124 Consult Hyperion UK Tweed House, 12 The Mount Guildford, Surrey, GU2 4HN, UK. +44 1483 301793