article

Calypso specifications to facilitate secure interoperability

Posted: 15 February 2008 | Gilles de Chantérac, Chairman, Calypso Networks Association | No comments yet

Currently, only 10% of transport cards are micro-processor cards. However, this proportion has started to grow and will continue to increase if the transport market wants to provide the most secure solutions for fare management.

Calypso cards account for 85% of those used today – outside the SONY FELICA non-standard proprietary card used in Japan. At the moment they are used in Belgium, France, Italy, Portugal, and Switzerland and also in many other places outside of Europe. In the UK they are compliant with ITSO specifications (see Figure 1 on page 38) which makes them best suited for the first level of any interoperable fare management system that is oriented to benefit from the top security level. As the necessity to increase security becomes more apparent, they offer an open solution, with multiple vendors, with the possibility to follow the progress of silicon technologies and those of multi-application platforms, whatever the fare policies and business rules between stakeholders.

Currently, only 10% of transport cards are micro-processor cards. However, this proportion has started to grow and will continue to increase if the transport market wants to provide the most secure solutions for fare management. Calypso cards account for 85% of those used today – outside the SONY FELICA non-standard proprietary card used in Japan. At the moment they are used in Belgium, France, Italy, Portugal, and Switzerland and also in many other places outside of Europe. In the UK they are compliant with ITSO specifications (see Figure 1 on page 38) which makes them best suited for the first level of any interoperable fare management system that is oriented to benefit from the top security level. As the necessity to increase security becomes more apparent, they offer an open solution, with multiple vendors, with the possibility to follow the progress of silicon technologies and those of multi-application platforms, whatever the fare policies and business rules between stakeholders.

Currently, only 10% of transport cards are micro-processor cards. However, this proportion has started to grow and will continue to increase if the transport market wants to provide the most secure solutions for fare management.

Calypso cards account for 85% of those used today – outside the SONY FELICA non-standard proprietary card used in Japan. At the moment they are used in Belgium, France, Italy, Portugal, and Switzerland and also in many other places outside of Europe. In the UK they are compliant with ITSO specifications (see Figure 1 on page 38) which makes them best suited for the first level of any interoperable fare management system that is oriented to benefit from the top security level. As the necessity to increase security becomes more apparent, they offer an open solution, with multiple vendors, with the possibility to follow the progress of silicon technologies and those of multi-application platforms, whatever the fare policies and business rules between stakeholders.

Calypso: looking for the most secure transaction with the media

From the very beginning of the European project, Calypso opted for micro-processors and standard algorithms to provide the transport market with secure media.

Ticketing in public transport was a hard use case, as validations couldn’t be backed by a real-time on-line comparison with secured back-office data. The vehicles cannot be permanently on-line and the transaction has to be processed fast enough to avoid people queuing at the doors or gates.

Securing the transactions in automatic systems was not a new concern. The threat had long been identified, as magnetic tickets themselves could be fraudulently reproduced or reinscripted.

But it was obvious that the temptation for fraud would grow as interoperability spread to more and more networks, and that processed security would contain the risks of real cards being tricked.

As early as 1993, the original ICARE project was using a customer device with a micro-processor chip. At that time, such contactless chips needed a battery to operate and the transmission was still a problem. However, the first basis for a high decentralised security process was now in place.

Keys would be diversified with an individual ID number of each medium to prevent faulty duplication. Keys would be different for each type of transaction (issuing, loading or debiting) making it difficult to change the destination of validators and use them as loading machines.

Different sets of keys would protect different applications on the same medium, should application providers not wish to share products, unless with the medium. Secured sessions would guarantee the transaction to be fully processed without the help of back-offices, even if the contactless link was interrupted.

These initial options remain common to all Calypso compliant products and it clearly shows that they were an advanced answer to the most ambitious objectives.

Of course, the original ICARE device now deserves to be regarded as a collector’s item. The cards, as we know them now, appeared in 1996 and since that time, the dual interface which used to make it easier to adapt vending machines is no longer necessary.

The Silicon industry and its suppliers made huge progresses and changed their chips. Ticketing applications that used Calypso cards only had to change some parameters to follow the changes and adapt to the new chips.

Other forms of media now appear that can be a Global Platform working with JAVA. The Calypso fundamentals can then be implemented in an applet.

Similarly, Calypso readers can embed CALYPSO SAMs, but the SAM function can also be provided remotely.

Keys used to be adapted to simple DES algorithm but they can now be lengthened to 3DES.

The aim remains to provide a high security level for the customer media, in a continuous compatibility of evolutions.

Calypso: looking for open procurement

Besides the level of security, the global cost and the possibility of an open procurement form the basic criteria for any decision about the cards. Some users buy their cards directly from the card manufacturers, whereas others will buy them through their integrator.

Whatever the case, the choice of the technology (memory card or micro-processor) can be considered as fundamental. If the short term economy was only considered then micro-processor cards would be the choice. But as interoperability extends to larger and more numerous networks, their flexibility and ability to be operated without centralisation brings an extra-value to the projects, which must be taken into account to make the choice.

Open procurement is considered a necessity by all major actors. From 1997, it has been possible to get the same Calypso cards and Calypso readers from different manufacturers.

Open procurement shouldn’t apply only to the manufacturing of the card, but should extend to the entire product. Vendors can now provide a complete variety of Calypso media. Different silicon chips are available as basic components and different masks are proposed with different memory sizes. Transport networks have already experienced the easy change to new generations of chips.

Calypso mechanisms comply with all standardised proximity transmission protocols. 14443-B remains the most frequent, but 14443-A could also be possible where the existing infrastructure is not compliant with B.

They lead the way to the use of new multi-application devices where they can be implemented as pure software products, applets to be used in javacards, or more generally java platforms. Calypso applets have already been tested with complete success in USB devices and in NFC multi-application mobile sets using the existing readers of different networks. This opens the way to the development of remote customer services; through Internet from home with USB devices or over airwaves with mobile phones. At the same time, the application benefits from the possibility of a remote application management.

They allow any design of the architecture of the system. But the collection, forwarding and clearing functions can be simply designed thanks to the high level of real-time, off-line decentralised security funded through standard asymmetric cryptography and by secured sessions that guarantee that contactless transactions have been fully completed.

The existing joint ITSO-CALYPSO SAM illustrates how end-to-end security is achieved by coupling front end (card:reader) and back end (reader/system) securities.

Application managers can be confident in the durability of their investment. Proof already exists that the interface could follow new generations of chips. By the end of 2007, 30 million cards were issued and more than 130,000 readers have been deployed.

Calypso: flexible to local organisations and fare policies

Just as Calypso specifications help to share the same media, they do not constraine the liberty of authorities and operators to define their applicative content which reflects their fare policies and business rules.

Their agreement upon common fares can take a more or less important place in their global offer. It can for example be limited to one transport product (that is a common pricing of an access right to a network), or a payment facility offered to users (such as stored value or post-payment).

The file structure for Brussels illustrates how this can be used, see Figure 2.

The French implementation which now covers 12 regions, proves the flexibility of the specification and its ability to be used by schemes with growing numbers of partners that in certain cases have no common fares but use the same card to host their tickets and to operate the gates, validators or control devices.

Even when partners wish to use different keys and issue their cards independently from each other, can they provide a comfortable solution: The Calypso Triangle demonstration proved that Calypso media could host an application specially dedicated to occasional trips outside the territory of the initial issuer.

This provides a simple solution in answer to the most difficult use-case scenario, namely to provide a simple seamless travel for occasional trips without requiring an immense back-office system to route and clear low-values.

Calypso specifications were initially set by partners of a European Project, representing all modes of public transport, buses, trams, subways, suburban rail and even boats in Venice. As an extensive interoperability becomes an important issue for transport policy in Europe, they can stand to help institutions to implement customer friendly access to all public transport in Europe.

Calypso Networks Association was established as a non-profit organisation after the end of the project to continue gathering experience and expertise from transport operators and improve the specifications. It brings suppliers together to work to define common open solutions to be implemented in their products, however does not sell any of their products.

For these reasons, Calypso Networks Association is convinced that the efforts invested in recent years to bring open answers to the market needs are promised to major developments and implementations, and can adapt to the coming development of remote customer services.

They can fit in the national organisations that have progressively been set up over recent years to organise the fare policies.

Transport authorities, operators or suppliers of any countries are welcome to join.

chanterac figure 1

chanterac figure 2

Related topics

Related organisations