Copyright (c) 1994 by DigiCash bv.
Telephone cards used in France and elsewhere are probably the best known prepaid smart cards (though some phone cards use optical or magnetic techniques, which are not considered here). National prepaid systems combining public transportation, public telephones, merchants, and vending have already been announced in a number of countries. And road tolls at full highway speed are not far behind.
The systems proposed so far are compared, after a quick look at the card types on which they are based.
Shared-key card systems require a tamper-resistant secured module in each vending machine or other point of payment. The module uses the key it shares with a card to authenticate messages during purchases. This lets the card convince the module that it has reduced its stored value by the correct amount and that it is genuine. A card convinces by using the shared key to encrypt a random challenge issued by the module together with an amount, so that the module can decrypt the transmission and compare the result with the expected challenge and amount. Periodically, the module transmits a similarly authenticated message, via telecommunication or manual collection procedure, back to the system provider, who reimburses the retailer.
The secured module in a shared-key system thus needs to store or at least be able to re-create secret keys of all cards, which causes several problems. If the cards of multiple system providers are to be accepted at the same retailers, all the retailers must have secured modules containing keys of every provider. This means either a mutually trusted module containing the keys of multiple providers, which might be hard to achieve, or one module per provider, which becomes impractical as the number of providers grows. Furthermore, in any shared-key system, if a module is penetrated, not only is significant retailer fraud facilitated, but the entire card base may be compromised.
Signature-transporting and -creating card types avoid these problems since they do not require secured modules. Cash registers need no secret keys, only public ones, in order to authenticate the signatures, which act like guaranteed checks filled in with all the relevant details. These same signatures can later be verified by the system provider for reimbursement. (Although tamper-resistant modules are not needed for verification, they can still be used to aggregate transactions.) Both signature-based card types also allow the cards of any number of issuers to be accepted at all retailers; retailers cannot cheat issuers, and issuers cannot cheat each other. These are the only truly open systems.
The reason for identification of shared-key cards is that security is thought to be too low if all cards have the master key. Therefore cards are given unique keys, and the cash register needs the card identity each time to re-create the corresponding unique card key from the master key.
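The shared-key purchase and the per-card key re-creation described above, as an added example that is not part of the original article. It assumes HMAC-SHA256 both for deriving card keys and for authenticating the challenge and amount, in place of the encryption the text describes; the class names, card identity and amounts are hypothetical.

```python
import hashlib
import hmac
import secrets

def derive_card_key(master_key: bytes, card_id: bytes) -> bytes:
    # The module re-creates a card's unique key from the master key and card identity.
    return hmac.new(master_key, b"card-key|" + card_id, hashlib.sha256).digest()

def _tag(key: bytes, challenge: bytes, amount: int) -> bytes:
    # Assumption: a MAC over challenge||amount stands in for encrypting them.
    return hmac.new(key, challenge + amount.to_bytes(4, "big"), hashlib.sha256).digest()

class Card:
    def __init__(self, card_id: bytes, card_key: bytes, balance: int):
        self.card_id, self._key, self.balance = card_id, card_key, balance

    def pay(self, challenge: bytes, amount: int) -> bytes:
        if amount <= 0 or amount > self.balance:
            raise ValueError("insufficient stored value")
        self.balance -= amount  # reduce stored value, then prove it to the module
        return _tag(self._key, challenge, amount)

class SecuredModule:
    def __init__(self, master_key: bytes):
        self._master = master_key  # this is why the module must be tamper-resistant
        self._pending = {}         # card_id -> outstanding challenge

    def new_challenge(self, card_id: bytes) -> bytes:
        self._pending[card_id] = secrets.token_bytes(16)
        return self._pending[card_id]

    def verify(self, card_id: bytes, amount: int, response: bytes) -> bool:
        challenge = self._pending.pop(card_id, None)  # single use, so a replay fails
        if challenge is None:
            return False
        key = derive_card_key(self._master, card_id)
        return hmac.compare_digest(_tag(key, challenge, amount), response)

def demo():
    master = secrets.token_bytes(32)  # constructed sample key
    module = SecuredModule(master)
    card = Card(b"card-0001", derive_card_key(master, b"card-0001"), balance=500)
    resp = card.pay(module.new_challenge(card.card_id), 120)
    ok = module.verify(card.card_id, 120, resp)
    replay = module.verify(card.card_id, 120, resp)
    ch2 = module.new_challenge(card.card_id)
    wrong_amount = module.verify(card.card_id, 20, card.pay(ch2, 120))
    return ok, replay, wrong_amount, card.balance
```

Every card key is a function of the master key held in the module, which is the dependency the text identifies when it says a penetrated module may compromise the entire card base.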
The signature-transporting approach avoids the need for identification, since instead of a single key per card, cards use a different signature per payment. When signatures are made by the system provider on blinded checks that are then unblinded by the card, not even the system provider can trace payments to cards.
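The blinded-check flow described above, as an added example that is not part of the original article. It assumes a textbook RSA blind signature with a toy key, since the text does not name the signature scheme; the function names and the sample check are hypothetical.

```python
import hashlib
import math
import secrets

# Toy RSA key for the system provider (constructed: two Mersenne primes,
# far too small for real use; real systems also pad before signing).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                # public key, all a cash register needs
D = pow(E, -1, (P - 1) * (Q - 1))  # provider's private exponent

def check_digest(check: bytes) -> int:
    return int.from_bytes(hashlib.sha256(check).digest(), "big") % N

def blind(check: bytes):
    # Card side: hide the check behind a random factor r before sending it out.
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    return (check_digest(check) * pow(r, E, N)) % N, r

def provider_sign(blinded: int) -> int:
    # Provider side: signs without learning which check it is signing.
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    # Card side: strip r, leaving an ordinary signature on the check.
    return (blind_sig * pow(r, -1, N)) % N

def retailer_verify(check: bytes, sig: int) -> bool:
    # Retailer side: public key only, no secured module.
    return pow(sig, E, N) == check_digest(check)

def demo():
    check = b"check serial=7f3a (constructed)"
    blinded, r = blind(check)
    sig = unblind(provider_sign(blinded), r)
    provider_saw_check = blinded == check_digest(check)
    return (retailer_verify(check, sig),
            retailer_verify(b"some other check", sig),
            provider_saw_check)
```

The provider only ever sees the blinded value, so when the signed check is later presented for reimbursement it cannot be linked to the card that withdrew it.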
Bonding chips into modules, assembling them into cards, and printing can cost about the same for all card types, roughly US$ 0.50–2.00 (plus the cost of the small fraction of chips that are damaged during production). Nonrefillable cards, however, typically use less durable materials and less costly production techniques.
Memory card chips are much smaller, and consequently much less expensive to produce, than those in microcontroller cards. They cost, depending on the type, roughly between US$ 0.10–0.40 in quantity. Shared-key and signature-transporting cards today use exactly the same chip hardware, only the masked-in software differs. Suitable chips cost about US$ 1.00–1.20 in quantity. Signature-creating card chips, which need extra circuitry for the co-processor (or a very powerful processor), require more on a chip, are relatively new on the market, and currently cost several times more.
If cards are issued with value on them, as is of course required with nonrefillable memory cards, then they must be transported, stored, and dispensed, using costly security and audit provisions, like those associated with bank notes. Refillable cards can be distributed without value and avoid these costs, but on the other hand require infrastructure for on-line reload transactions with system providers.
Retailer equipment costs may be higher than card costs. Typical ratios of cards to points of sale (about 100 to 1 for cash registers and higher with vending, phones, etc.) and even the price of current terminals (about US$ 150–1500) suggest that the point-of-sale equipment can be more costly than even a dedicated microcontroller card base.
In the shared-key approach, secured modules trusted by all system providers must be installed in all retailer equipment. In open systems such security modules must be significantly more elaborate and costly than any card, since the security offered by a card is generally considered inadequate to protect the keys of all other cards. But the higher cost of terminals incorporating such modules is at odds with the objective of automating all manner of low value payments, such as in vending. Transaction processing by the system providers also requires tamper-resistant devices. Proper management of keys and auditing of such systems are cumbersome and expensive. If shared-key systems grow, and start to include less trustworthy retailers and more system providers, even the minimum security necessary becomes excessively costly.
With either signature card type, suitable software (not tamper-resistant modules) is all retailer equipment needs in order to verify payments and later forward the signatures for reimbursement. These can then be verified by any transaction processing computer that has copies of the freely available public keys, thereby reducing exposure while both increasing the quality and reducing the cost of security audit and controls.
The remaining two card types, shared-key and signature-transporting, can today be based on exactly the same kinds of microcontroller chips, and thus have the same card cost. The system cost with shared-keys, however, is significantly higher than with signature-transporting. The main reason is that shared-keys require tamper-resistant modules at all points of payment and processing sites, while these modules are not needed with signature-transporting.
In addition to cost, there are other reasons to prefer signature-transporting cards for larger systems. Privacy may be an issue in large-scale consumer systems, and the other card types are unable to address this problem, while signature-transporting solves it neatly. When more retailers and system providers are included, as large open systems are built or as closed systems grow and merge, the cost of maintaining even merely acceptable security with shared keys becomes prohibitive. By contrast, signature-transporting maintains a very high level of security while allowing flexible scaling and merging of systems.