PREPAID SMART CARD TECHNIQUES:
A Brief Introduction and Comparison
_________________________________________________________________
by David Chaum, david@digicash.nl
Copyright (c) 1994 by DigiCash bv.
_________________________________________________________________
A prepaid smart card contains stored value which the person holding it
can spend at retailers. After accepting stored value from cards,
retailers are periodically reimbursed with actual money by system
providers. A system provider receives money in advance from people and
stores corresponding value onto their cards. During each of these
three kinds of transactions, secured data representing value is
exchanged for actual money or for goods and services, as illustrated
in Fig. 1.
Telephone cards used in France and elsewhere are probably the best
known prepaid smart cards (though some phone cards use optical or
magnetic techniques, which are not considered here). National prepaid
systems combining public transportation, public telephones,
merchants, and vending have already been announced in a number of
countries. And road tolls at full highway speed are not far behind.
The systems proposed so far are compared, after a quick look at the
card types on which they are based.
Card Types
There are in essence only four types of microcircuit card that have
been suggested for use in prepaid applications, each based on a
particular kind of chip. They are listed here in historical order:
* Memory cards
The chip in these cards consists only of storage and a little extra
hardware that prevents access to the stored data unless certain stored
passwords or PINs are input correctly. Most telephone cards are of
this type.
* Shared-key cards
Secret keys in the chip let the card authenticate its communication
with any device sharing the same keys. The chips are standard
microcontroller card chips, with masked-in software for the
cryptographic authentication algorithms.
* Signature-transporting cards
The same chip hardware as in shared-key cards is used, but with
different software masked-in. The card stores publicly-verifiable
digital signatures created by the system provider and fills them in
like blank checks when spending them.
* Signature-creating cards
These chips also contain a microcontroller, but in combination with a
dedicated co-processor capable of making digital signatures. Instead
of spending signatures created by the system provider, they create
their own.
COMPARISON
Security and cost are the fundamental criteria used here for comparing
prepaid card techniques, but the best choice of technology depends on
the situation. Security suitable for an in-house company card, for
instance, may be wholly inadequate for a national or international
card, which may require protection of many system providers from each
other as well as protection of personal privacy. Also depending on the
setting, higher card costs can lead to lower system costs.
Closed or Open Security
Memory cards are suitable only for closed systems where a single
company issues the cards and accepts them as payment for goods and
services, or for systems with very low fraud incentive. The reason is
that defrauding such systems requires only a small computer interposed
between an actual card and a cash register. The computer merely has to
record the secrets communicated during an initial transaction and can
then, as often as desired, be used to play the role of a card having
the initial balance.
Shared-key card systems require a tamper-resistant secured module in
each vending machine or other point of payment. The module uses the
key it shares with a card to authenticate messages during purchases.
This lets the card convince the module that it has reduced its stored
value by the correct amount and that it is genuine. A card convinces
by using the shared key to encrypt a random challenge issued by the
module together with an amount, so that the module can decrypt the
transmission and compare the result with the expected challenge and
amount. Periodically, the module transmits a similarly authenticated
message, via telecommunication or manual collection procedure, back to
the system provider, who reimburses the retailer.
The secured module in a shared-key system thus needs to store or at
least be able to re-create secret keys of all cards, which gives some
problems. If the cards of multiple system providers are to be accepted
at the same retailers, all the retailers must have secured modules
containing keys of every provider. This means either a mutually
trusted module containing the keys of multiple providers, which might
be hard to achieve, or one module per provider, which becomes
impractical as the number of providers grows. Furthermore, in any
shared-key system, if a module is penetrated, not only is significant
retailer fraud facilitated, but the entire card base may be
compromised.
Signature-transporting and -creating card types avoid these problems
since they do not require secured modules. Cash registers need no
secret keys, only public ones, in order to authenticate the
signatures, which act like guaranteed checks filled in with all the
relevant details. These same signatures can later be verified by the
system provider for reimbursement. (Although tamper-resistant modules
are not needed for verification, they can still be used to aggregate
transactions.) Both signature-based card types also allow the cards of
any number of issuers to be accepted at all retailers; retailers
cannot cheat issuers, and issuers cannot cheat each other. These are
the only truly open systems.
Privacy
All cards, except the signature-transporting type, uniquely identify
themselves in each transaction. This means that even if the card does
not reveal the person's identity, all payments a person makes are
linked together by the card identity. As a consequence, if a reload or
any one of the payments made by a person is traced to that person,
then they all are.
The reason for identification of shared-key cards is that security is
thought to be too low if all cards have the master key. Therefore
cards are given unique keys, and the cash register needs the card
identity each time to re-create the corresponding unique card key
from the master key.
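
The shared-key purchase described under "Closed or Open Security", combined with the per-card key derivation just described, as an added example (not code from the original paper). It assumes HMAC-SHA256 in place of the encryption the text describes, and the names derive_card_key, Card and SecuredModule are hypothetical.

```python
import hashlib
import hmac
import secrets

MASTER_KEY = b"constructed-master-key-for-demo"  # constructed sample value


def derive_card_key(master_key: bytes, card_id: bytes) -> bytes:
    """Module side: re-create a card's unique key from the master key."""
    return hmac.new(master_key, b"card-key|" + card_id, hashlib.sha256).digest()


class Card:
    def __init__(self, card_id: bytes, card_key: bytes, balance: int):
        self.card_id, self._key, self.balance = card_id, card_key, balance

    def pay(self, challenge: bytes, amount: int):
        """Debit the card, then authenticate (challenge, amount) to the module."""
        if amount <= 0 or amount > self.balance:
            raise ValueError("invalid amount")
        self.balance -= amount
        msg = challenge + amount.to_bytes(4, "big")
        # HMAC stands in for "encrypt challenge and amount" (assumption).
        tag = hmac.new(self._key, msg, hashlib.sha256).digest()
        return self.card_id, tag  # the card identity travels with every payment


class SecuredModule:
    def __init__(self, master_key: bytes):
        self._master = master_key  # holding this is why the module must be tamper-resistant
        self._pending = None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, card_id: bytes, tag: bytes, amount: int) -> bool:
        challenge, self._pending = self._pending, None  # each challenge is single use
        if challenge is None:
            return False
        key = derive_card_key(self._master, card_id)
        msg = challenge + amount.to_bytes(4, "big")
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)
```

Because every response is bound to a fresh challenge, a recorded response is rejected on the next purchase, which is the property the memory card lacks; the price is that the module holds the master key and sees the card identity each time.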
The signature-transporting approach avoids the need for
identification, since instead of a single key per card, cards use a
different signature per payment. When signatures are made by the
system provider on blinded checks that are then unblinded by the
card, not even the system provider can trace payments to cards.
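
The blinding step described above, as an added example (not code from the original paper). The paper does not name a signature scheme; textbook RSA with a constructed toy key is assumed here, the function names are hypothetical, and the "filling in" of the check at payment time is not modelled.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key for the system provider (constructed; far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1          # two Mersenne primes
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, known only to the provider


def check_digest(check: bytes) -> int:
    return int.from_bytes(hashlib.sha256(check).digest(), "big") % N


def card_blind(check: bytes):
    """Card: hide the check behind a random factor r before sending it."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (check_digest(check) * pow(r, E, N)) % N, r


def provider_sign(blinded: int) -> int:
    """System provider: signs the value it is sent; it never sees the check."""
    return pow(blinded, D, N)


def card_unblind(blind_sig: int, r: int) -> int:
    """Card: strip r, leaving an ordinary signature on the check."""
    return (blind_sig * pow(r, -1, N)) % N


def register_verify(check: bytes, sig: int) -> bool:
    """Cash register: needs only the public key (N, E), no secret."""
    return pow(sig, E, N) == check_digest(check)
```

The provider's record of the withdrawal holds only the blinded value and the blinded signature, neither of which matches the check and signature later presented for reimbursement.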
Card Costs
The overall cost of cards for a system is determined not only by how
much each card costs, but also by how long cards last and how much of
each card is needed. Nonrefillable memory cards have a very limited
card lifetime and are suitable only for a single purpose. But
microcontroller cards can last years and are flexible enough to handle
a variety of things, not limited to stored value, thereby allowing
sharing of card cost among multiple applications.
Bonding chips into modules, assembling them into cards, and printing
can cost about the same for all card types, roughly US$ 0.50-2.00
(plus the cost of the small fraction of chips that are damaged during
production). Nonrefillable cards, however, typically use less durable
materials and less costly production techniques.
Memory card chips are much smaller, and consequently much less
expensive to produce, than those in microcontroller cards. They cost,
depending on the type, roughly between US$ 0.10-0.40 in quantity.
Shared-key and signature-transporting cards today use exactly the same
chip hardware; only the masked-in software differs. Suitable chips
cost about US$ 1.00-1.20 in quantity. Signature-creating card chips,
which need extra circuitry for the co-processor (or a very powerful
processor), require more on a chip, are relatively new on the market,
and currently cost several times more.
Non-Card Costs
Apart from cards themselves, the other main system costs are card
issuing and refilling, retailer equipment, and system provider
processing and security measures.
If cards are issued with value on them, as is of course required with
nonrefillable memory cards, then they must be transported, stored, and
dispensed, using costly security and audit provisions, like those
associated with bank notes. Refillable cards can be distributed
without value and avoid these costs, but on the other hand require
infrastructure for on-line reload transactions with system providers.
Retailer equipment costs may be higher than card costs. Typical ratios
of cards to points of sale (about 100 to 1 for cash registers and
higher with vending, phones, etc.) and even the price of current
terminals (about US$ 150-1500) suggest that the point-of-sale
equipment can be more costly than even a dedicated microcontroller
card base.
In the shared-key approach, secured modules trusted by all system
providers must be installed in all retailer equipment. In open systems
such security modules must be significantly more elaborate and costly
than any card, since the security offered by a card is generally
considered inadequate to protect the keys of all other cards. But the
higher cost of terminals incorporating such modules is at odds with
the objective of automating all manner of low value payments, such as
in vending. Transaction processing by the system providers also
requires tamper-resistant devices. Proper management of keys and
auditing of such systems are cumbersome and expensive. If shared-key
systems grow, and start to include less trustworthy retailers and more
system providers, even the minimum security necessary becomes
excessively costly.
With either signature card type, suitable software, not
tamper-resistant modules, is all retailer equipment needs in order to
verify payments and later forward the signatures for reimbursement.
These can then be verified by any transaction processing computer that
has copies of the freely available public keys, thereby reducing
exposure while both increasing the quality and reducing the cost of
security audit and controls.
CONCLUSION
The simplest of the four card types, the memory card, is well suited
for closed systems where there is little incentive for fraud by
persons or retailers. The low card cost makes this approach
attractive, but the low security makes it unsuitable for more general
use. The most expensive type, the signature-creating card, seems to
offer little fundamental advantage over less expensive cards and,
incidentally, is far too slow in signing for highway speed road-tolls
and even some telephones.
The remaining two card types, shared-key and signature-transporting,
can today be based on exactly the same kinds of microcontroller chips,
and thus have the same card cost. The system cost with shared-keys,
however, is significantly higher than with signature-transporting. The
main reason is that shared-keys require tamper-resistant modules at
all points of payment and processing sites, while these modules are
not needed with signature-transporting.
In addition to cost, there are other reasons to prefer
signature-transporting cards for larger systems. Privacy may be an
issue in large-scale consumer systems, and the other card types are
unable to address this problem, while signature-transporting solves it
neatly. When more retailers and system providers are included, as
large open systems are built or as closed systems grow and merge, the
cost of maintaining even merely acceptable security with shared keys
becomes prohibitive. By contrast, signature-transporting maintains a
very high level of security while allowing flexible scaling and
merging of systems.
_________________________________________________________________