ON THE SECURITY AND PERFORMANCE OF MOBILE DEVICES IN TRANSPORT TICKETING Submitted by Assad Abdullahi Umar Royal Holloway, University of London Thesis submitted to The University of London for the degree of Doctor of Philosophy 2017. Declaration of Authorship I Assad Abdullahi Umar hereby declare that this thesis and the work presented in it is entirely my own. Where I have consulted the work of others, this is always clearly stated. Signed: Date: 2 Statement of Sponsorship The work presented in this thesis is the result of a PhD sponsored by Transport for London (TfL). 3 Abstract There have been significant developments in the field of transport ticketing. Major transport operators are transitioning from closed-loop, proprietary sys- tems to open systems that utilise the global payment infrastructure for tick- eting via smart cards and, increasingly, smartphones. Modern smartphones support Near Field Communication (NFC) which can be used to emulate contactless smart card tickets. NFC transactions are quick, making them a viable technology for use in transport ticketing where speed is very critical. NFC transactions initially required a Secure Element (SE) for security reasons. However, commercial constraints and restrictive security practices relating to the SE have paved the way for Host Card Emu- lation (HCE). HCE facilitates NFC transactions without requiring an SE; this provides a simpler and more flexible ecosystem, at the expense of security. This thesis investigates the impact of the aforementioned developments on the security and performance of mobile devices in ticketing. A comparative analysis of various security mechanisms that have been put forward as options to mitigate the security risks of HCE is carried out, and their suitability for ticketing is determined. A novel ticketing protocol based on Linkable Digital Signatures is proposed to solve the problem of blacklisting (the barring of in- valid tickets/smartphones) in tokenised payments. A novel tokenisation frame- work based on Format Preserving Encryption (FPE) algorithms and Trusted Execution Environments (TEE) for secure token generation on the user's de- vice has been proposed. All proposals were implemented on mobile devices to test the performance for efficiency. The work conducted in this thesis shows that mobile devices, and partic- ularly HCE, offer several benefits in ticketing, however, a new approach to 4 security is required. It also shows that despite the clear advantages of adopt- ing open payments, careful considerations must be taken for it to be successful in ticketing. 5 Acknowledgements Firstly, I would like to thank God, the most beneficent and the most merciful, for giving me the strength, courage and ability to get through this journey. I would like to thank my parents whose support, care, love and encourage- ment gave me the foundations necessary to embark on the PhD journey, and to successfully complete it. I love you! I would like to thank my supervisor Professor Keith Mayes, Director of the Smart Card Centre (SCC) and Head of the School of Mathematics and Infor- mation Security at Royal Holloway,for his encouragement, support, patience, understanding and expert knowledge during the course of the PhD. I would also like to thank Mrs. Sheila Cobourne for her support, guidance and for being a reliable source of motivation. Thanks to Professor Konstanti- nos Markantonakis for his encouragements and insights. I would also like to say a big thank you to Dr Raja Naeem Akram, Sarah Abu-Ghazalah and Iakovos Gurulian for all their help and criticisms that have helped in making this thesis a possibility. To the other members of the SCC: Mehari Msgna, Danushka Jayasinghe, Benoit Ducray, Hafizah Mansor and Lazaros Kyrillidis, thank you for your support, kindness and motivation. In all of you, I have made friends that I will cherish for life. To my uncles, aunties, cousins and the entire extended family, thank you all for your encouragements, push and financial support. Thank you for your understanding when times were tough. One love! A big thank you to Mr Vassilis Korkas, who painstakingly proofread the thesis, it would not have been possible without your help. To the love of my life { Naima Ali, I cannot thank you enough for your encouragement, understanding, love and affection. Your contributions to this endeavour are dearly appreciated. 6 Last but not the least, I gratefully acknowledge the funding and support received towards my PhD from Transport for London. 7 Contents Declaration of Authorship 2 Statement of Sponsorship 3 Abstract 4 Acknowledgements 6 Contents 8 List of Tables 13 List of Figures 14 Contents 15 1 Introduction 16 1.1 Motivation . 16 1.2 Research Questions . 20 1.3 Contributions . 21 1.4 Organisation of the Thesis . 22 1.5 List of Publications . 24 2 Background I: Ticketing Systems 25 2.1 Evolution of Ticketing Fare Media . 25 2.2 Description of Ticketing Systems . 27 2.2.1 General Architecture . 27 2.2.2 Participants . 28 2.2.3 Phases . 29 8 2.3 Classification of Ticketing Systems . 31 2.3.1 Card-Based Ticketing Systems (CBT) . 31 2.3.2 Account-Based Ticketing Systems (ABT) . 32 2.3.3 Closed-Loop Ticketing . 32 2.3.4 Open Ticketing Systems . 33 2.4 Ticketing System Requirements . 37 2.4.1 Security Requirements . 37 2.4.2 Functional Requirements . 40 2.4.3 Privacy Requirements . 40 2.5 Notable Ticketing System Implementations in the UK . 43 2.5.1 Integrated Transport Smartcard Organisation (ITSO) . 43 2.5.2 Transport for London (TfL) Oyster Card . 45 2.6 Summary . 46 3 Background II: Technical Background 47 3.1 Near Field Communication . 47 3.1.1 NFC Modes of Operation . 47 3.2 Card Emulation Using A Security Element . 49 3.3 Host Card Emulation . 52 3.3.1 HCE Application Development: Android Example . 52 3.3.2 Application Selection . 53 3.3.3 Data Exchange . 53 3.3.4 NFC Applications Requirements . 54 3.4 EMV Payment Technology . 57 3.4.1 EMV Architecture . 58 3.4.2 EMV Primary Account Number . 59 3.5 EMV Key Concepts . 60 3.5.1 Data Authentication . 60 3.5.2 Card-Holder Verification . 61 9 3.5.3 Transaction Authorisation . 61 3.6 EMV Considerations for Ticketing . 63 3.7 EMV Payment Tokenisation . 64 3.8 Summary . 66 4 Comparing SE and HCE Capabilities 67 4.1 Introduction . 67 4.2 Related Work . 69 4.3 Implementational Considerations . 71 4.3.1 Ecosystem Complexity . 71 4.3.2 Provisioning . 71 4.3.3 Usability . 72 4.3.4 Performance . 72 4.3.5 Cryptography . 72 4.3.6 Cost . 73 4.3.7 Standardisation . 73 4.4 Security Considerations . 74 4.4.1 Cloud Storage . 74 4.4.2 Tokenisation . 74 4.4.3 Trusted Execution Environment (TEE) . 75 4.4.4 White-Box Cryptography (WBC) . 76 4.5 Considerations of HCE Performance . 77 4.5.1 Android CPU Policy . 77 4.5.2 Test Methodology . 78 4.6 Experimental Results . 81 4.6.1 SE-app Testing . 81 4.6.2 HCE-app Testing . 82 4.7 Discussion . 85 4.8 Summary . 87 10 5 Blacklisting Tokenised Payments 88 5.1 Introduction . 88 5.1.1 Problem Statement . 89 5.1.2 Proposed Solution . 89 5.2 Privacy and Accountability . 91 5.3 Related Work . 93 5.4 Cryptographic Background . 96 5.4.1 Linkable Group Signatures (LGS) . 96 5.4.2 Intractability Solutions . 96 5.4.3 Linkable Group Signature Processes . 97 5.5 Proposed Ticketing Scheme . 101 5.5.1 Functional Requirements . 101 5.5.2 Security Requirements . 102 5.5.3 Adversary Model . 102 5.5.4 Assumptions . 103 5.5.5 Entities . 104 5.5.6 Phases . 105 5.5.7 Proof of Concept . 107 5.5.8 Lessons Learned and Considerations . 108 5.5.9 Performance Analysis . 108 5.5.10 Requirements Analysis . 109 5.6 Summary . 112 6 Ecosystems of Trusted Execution Environments 113 6.1 Trusted Execution Environment . 115 6.1.1 TEE Security Services . 115 6.1.2 ARM's TrustZone . 117 6.1.3 Intel Software Guard Extensions (SGX) . 118 6.2 Ecosystem Models for TEE . 120 11 6.2.1 Centralised Model . 120 6.2.2 Security as a Service Model . 120 6.2.3 Consumer-Centric Model . 121 6.3 Comparison Between Models . 122 6.3.1 Comparison Criteria . 122 6.3.2 Comparison and Discussion . 123 6.4 Making a Case for Security as a Service . 125 6.5 Summary . 126 7 On-device Tokenisation 127 7.1 Introduction . 127 7.2 Shortcomings of Tokenisation . 129 7.3 Related Work . 130 7.3.1 Encryption of PANs . 131 7.4 Format Preserving Encryption (FPE) . 132 7.4.1 Feistel Structure . 132 7.5 Proposed Tokenisation Framework . 135 7.5.1 Entities . 135 7.5.2 Phases . 135 7.5.3 Proof-of-Concept and Testing . 137 7.6 Summary . 138 8 Conclusion 139 8.0.1 Future Work . 141 Bibliography 143 12 List of Tables 2.1 Trends in Open Ticketing . 42 3.1 EMV Cryptograms . 58 3.2 Payments: Retail vs Ticketing . 63 4.1 Comparison of Security Mechanisms . 76 4.2 Devices Used in Testing . 78 4.3 SE-app Testing Results in Milliseconds . 82 4.4 HCE-app Testing Results in Milliseconds (Case 1) . ..