
APTA
Open Standard For Transit Solutions
Thomas Parker
Infineon Technologies,
Business Development
Milpitas, California
OSPT™: 4 Years of Growth & Achievement
Copyright © Infineon Technologies AG
2015. All rights reserved
OSPT™ License and Royalties
Provide an Open Security Standard at No Cost to Public Transportation
• Open for anyone to join under the same conditions
• OSPT™ Alliance makes its IP available under RAND conditions for all members
• The OSPT™ Alliance is amending the CIPURSE™ Standards to include Account Based, Account Linked and Mobile Payment
• Manufacturers of modules, cards, transit agency, system integrator, consultant or other sub-systems purchasing CIPURSE™ products and implementing them in such modules, cards or other subsystems do not need to sign a license agreement with the OSPT™
• Service providers do not have to pay any licensing or royalty fees
Open Standard for Public Transport (OSPT™) and CIPURSE™
• OSPT™ has formed a sub working group to ensure that the Standards in the US are supported by the Alliance.
• OSPT™ US WG is working to enhance CIPURSE™ Standards in the following areas:
  • Account Based
  • Account Linked
  • Mobile Payments
[Figure labels: Chip Manufacturers; Card/Inlay Manufacturers; System Integrators; SW Developers. Countries shown: USA, Thailand, Korea, India, Spain, Norway, Netherlands, Austria, UK, …]
High Level Review of Account Based, Account Linked and Mobile payments
• Account Based, Account Linked methods of ticketing and payment transactions are being implemented in US Transit Agencies.
• As known from previous smart card forums and past experiences of US Transit agencies, many have experienced trade-offs and some success with these systems
• There are several areas of concern that must be addressed in Account Based systems:
  • Funds not readily available to the patron
  • Financial risks to the Agency
  • Consumer experience has been challenging
• Account Linked areas of concern:
  • Financial risks to the Agencies' back end validation
  • Customer transactions not completed or taking much longer to complete
  • Slow adoption of contactless (Dual Interface) EMV in the US
How does OSPT™ align the International Standards with CIPURSE™
Key Drivers For A New Technology In Transit
• Some long-lasting, established schemes operating for 10, 15 years+ ...are using OUTDATED technologies
• Many of them using MIFARE Classic – a hacked technology ...are ready to MIGRATE
• Transport agencies are locked into one supplier ...and are NOT WILLING to accept this for the next generation
Why CIPURSE™ for Transit? Key to Driving Growth and Multi-application Market
CIPURSE™: State of the Art + Security at the Lowest Cost of Ownership

SECURE
• State-of-the-art AES128-based authentication and command set
• DPA- and DFA-resistant
• Can be implemented on any secure HW platform.

SCALABLE
• 3 distinct, compatible products optimized for tickets, cards and mobile phones
• Multiple transport applications on a single device

OPEN
• No royalty or licensing fee
• Many vendors across the ecosystem
• OSPT™ IP pool ensures that the IP rights are available to all members - now and in future

Lowest cost of ownership
SECURE:
• Best resistance to hacking and fraud
SCALABLE:
• Lowest implementation costs (standard command set)
• Interoperability, easy addition of other applications (payment, venues, loyalty,..)
OPEN:
• Non proprietary solution
• Competitive market for initial procurement, maintenance and upgrade
CIPURSE™ Industry Benefits
Agencies & service providers
• Influence over specifications
• Open standards for a highly competitive chip market
• Optimized bills of material
• Chip products ranging from low end to security controllers and eSE
• Lowest cost of operation
• Security of investment
• OSPT™ Alliance drives component interoperability
Card & ticket makers
CIPURSE™ benefits the whole industry
System integrators
• Investments only into a future-proof, standardized and open security solution
• Supported by independent infrastructure component suppliers in a highly competitive market
• Security of investment – once the infrastructure is upgraded, the complete range of CIPURSE™ products can be used
Reader makers
• Based on future-proof AES-128, CIPURSE™ provides an advanced authentication scheme to counteract attacks
• Security of investment – once the infrastructure is upgraded, the complete range of CIPURSE™ products can be used
• Interoperability of CIPURSE™ cards
Card/Ticket Portfolio Mapping to CIPURSE™ Solution

Profile: Features
CIPURSE™T: AES authentication; 7816-4 command set; 14443-4 protocol; Session mechanism
CIPURSE™S: AES authentication; 7816-4 command set; 14443-4 protocol; No session mechanism
CIPURSE™L: AES authentication; 7816-4 cmd. set (reduced); 14443-4 protocol; Single-application, 256 bytes

[Figure labels: Multi-application card; Season pass; Limited Use; MIFARE Classic 1k/4k; High-end; Midrange; Low-end; 1995; Now; Same file structure, command set, crypto alg., protocol]
* MIFARE, MIFARE Plus, MIFARE Classic, MIFARE Ultralight and DESFire are registered trademarks of NXP
Market Challenges and the CIPURSE™ Solution

Market Challenge: Standards
Decision makers (transport agencies & others) demand open standards to avoid dependency on technology owner
Technology fully controlled by one entity which limits freedom of choice
CIPURSE™ Solution: Open and low-cost migration
• OSPT™ is open, transparent and anyone can join with a low license fee
• Cost of migration to CIPURSE™ is the same as migration to DESFire or MIFARE Plus
• …Once implemented, however, CIPURSE™ supports all devices and applications such as LUT, multi application cards, mobile or NFC devices

Market Challenge: Security
Current technology MIFARE 1 crypto has been hacked, DESFire has been hacked and DESFire EV1 is under attack – the market wants to move to AES
CIPURSE™ Solution: Secure design & AES
• CIPURSE™ security design provides DPA & DFA resistance
• CIPURSE™ applies high security standard AES

Market Challenge: Compatibility
The different MIFARE technology flavors are not compatible and not scalable as they are using different crypto algorithms and different command sets
CIPURSE™ Solution: Flexible & scalable
• Same crypto protocol & command set for limited use tickets (LUT), transport cards and multi-app cards
• Migration products available supporting CIPURSE™ & MIFARE Classic
Key Takeaways
• Market is moving towards Account Based, Account Linked and Mobile payment systems
• The CIPURSE™ open security standard is focused on transit system requirements supporting legacy systems
• OSPT™ has formed a working group to enhance Account Based, Account Linked and Mobile payment systems
• OSPT™ supports International Standards
• Provide an Open Security Standard at No Cost to Public Transportation
  • OSPT™ Alliance makes its IP available under RAND* conditions for all members
  • Service providers do not have to pay any licensing or royalty fees
• Transit Readers: Early research suggests that the transportation industry is limited by the lack of an off-the-shelf open transit reader
Contact Information
Thomas Parker
Business Development Infineon
T: 510-376-5135
Thomas.Parker-EE@Infineon.com
Laurent Cremer
Executive Director
T : +33 (0) 695 443 652
M : +33 (0) 625 728 099
www.osptalliance.org