Card makers hope to shake security status quo

Two smartcard makers and two chip makers hope that a new specification for securing contactless card transactions will upset the status quo in the public transit card market.


Chip makers Infineon Technologies and Inside Secure hope to challenge the dominance in this field of systems developed by NXP Semiconductors, and to this end they are working with smartcard makers Oberthur and Giesecke & Devrient to create an open specification with which multiple manufacturers can secure contactless transactions between transit passes and physical access controls such as turnstiles.

The four, now calling themselves the Open Standard for Public Transport (OSPT) Alliance, plan to reveal more details of their specification, now named Cipurse, at the Cartes smartcard show near Paris on Tuesday. They first spoke of their project at the Transport Ticketing conference in London in January.

Cipurse defines only the way in which contactless transactions are secured, and is independent of the radio frequencies used or the physical form of the token, according to Charles Walton, chief operating officer at Inside Secure, which until Monday was called Inside Contactless.

Turnstiles with existing contactless systems can be upgraded to use Cipurse, he said, and the system will work with mobile phones containing NFC (Near-Field Communications) interfaces or with smart cards -- although transit authorities will need to issue passengers with new Cipurse-compatible cards as cards cannot be upgraded.

The availability of competing yet interoperable implementations of Cipurse will offer transit operators a greater choice of suppliers than the systems used today, Walton said.

"At the heart of all of today's systems is one technology with one provider defining what it costs," he said. "It's a complete pyramid, with NXP at the top."

NXP licenses Mifare technologies such as Mifare Classic, Mifare Plus and Mifare DESFire to other chip and card manufacturers -- including OSPT Alliance founders Oberthur and Giesecke & Devrient, which both sell products based on Mifare DESFire. To encrypt transactions, Mifare DESFire can use the DES and triple-DES algorithms, as well as the newer AES (Advanced Encryption Standard).

License fees for the OSPT Alliance's Cipurse -- which also uses AES encryption -- will be lower than for comparable Mifare products, said Walton, allowing manufacturers to reduce the cost of compatible cards and readers.

"We believe that this technology will come to market at a lower price," he said.

That proposition alone would probably not be enough to persuade existing Mifare Classic users to upgrade their systems, but in 2008 the encryption system of Mifare Classic was hacked wide open.

There is little evidence yet that the hack is being exploited on a wide scale, said Walton, but some transit authorities have already introduced stopgap measures or replaced their security systems, and others are thinking about doing so.

Transit authorities wishing to protect their revenue by upgrading their systems from the flawed Mifare Classic to something more secure will be prime targets for OSPT Alliance sales staff.

"The difficulty of migrating a system to the OSPT scheme is about as difficult as migrating to Mifare Plus or DESFire," said Walton.

Those transit authorities will have to be patient, though: Walton doesn't expect to see Cipurse-compatible cards using Inside Secure chips until late 2011, although the company will have Cipurse-compatible NFC chips ready sooner, he said.

The OSPT Alliance is open to new members -- even NXP, should it choose to join, said Walton. Security companies wishing to contribute to the evolution of the Cipurse specification must pay around €5,000 a year, but user groups, transit authorities, consultants and the like can join as observers at no cost, he said.

Would-be hackers wanting to speed up the process of reverse-engineering the system won't even need to become members, though, as the OSPT Alliance plans to publish the Cipurse specification on its website.

Peter Sayer covers open source software, European intellectual property legislation and general technology breaking news for IDG News Service.

Copyright © 2010 IDG Communications, Inc.
