Protection of the User's Privacy in Ubiquitous E-Ticketing Systems

Faculty of Computer Science, Chair of Privacy and Data Security

Protection of the User's Privacy in Ubiquitous E-ticketing Systems based on RFID and NFC Technologies
Ivan Gudymenko
Status talk, 12 June 2013

Outline
• Introduction
• Privacy Issues in E-ticketing Systems
• Academic Solutions: State of the art
• A Privacy-preserving E-ticketing System with Regular Billing Support (PEB)
• References
TU Dresden, 12 June 2013, Privacy Protection in E-ticketing, slide 2

Introduction

Target Area
• Ubiquitous Computing (UbiComp), based on RFID/NFC;
• Focus on electronic ticketing (e-ticketing).
! Privacy protection.

E-ticket Taxonomy and Dissertation Focus
E-ticket
1. Online ticket
2. Smart ticket
Application areas: public transport, sport events, event ticketing, concerts, fitness & leisure (fitness studios), ski pass.
• Focus on public transport.

E-ticketing in Public Transport
[Photo, courtesy of MünsterscheZeitung.de]

E-ticketing: A General Application Scenario
[Figure: E-ticket (NFC device or smartcard) -> (1) check-in at the on-board reader (terminal) -> (2a) trip begin event, (2b) check-out -> (3) travel records to the back-end system]
• Event processing unit: distribution (e.g. GPS-based), event storage;
• Back-end system: distance calculation, billing, customer accounts management, statistics.

Fare Collection Approaches in E-ticketing
1. Electronic Paper Ticket (EPT)
2. Check-in/Check-out based (CICO)
   a) Pure CICO
   b) Seamless CICO
      i. Walk in/Walk out (WIWO)
      ii. Be in/Be out (BIBO)
• Focus on CICO-based systems.

E-ticketing: Technologies and Standards
• RFID-based stack (proximity cards);
• NFC stack (NFC-enabled devices);
• Recently, CIPURSE by OSPT (Open Standard for Public Transport).
RFID-based e-ticketing stack specifications:
• Architecture: ISO EN 24014-1 (conceptual framework); EN 15320 (logical level, abstract interface, security);
• Data interfaces: EN 1545 (data elements); ISO/IEC 7816-4 (commands, security);
• Communication interface: ISO 14443 (parts 1-3 required).
NFC stack: The NFC Forum specifications (architecture and communication interface).

Target Area: Summary
• E-ticketing systems for public transport;
• "Smart ticket" (as opposed to online ticket);
• CICO for automated fare collection;
• Underlying technologies: RFID/NFC.

E-ticketing: Concerns
• For transport companies:
  - High system development/deployment costs;
  - Lack of well-standardized solutions;
  - New infrastructure is a high-risk investment;
  - Possibly low Return on Investment (ROI).
• For customers:
  - Reluctance to use a conventional system in a new way;
  - Privacy concerns:
    • Ubiquitous customer identification;
    • Customer profiling (esp. unconsented);
    • Increased surveillance potential.

Privacy Issues in E-ticketing Systems

Privacy Protection: Motivation
• Rising privacy concerns in public;
• Motivation to invest in privacy for transport companies;
• A privacy-preserving solution is of mutual benefit for both parties:
  - Higher acceptance among customers;
  - Transport companies retain competitiveness.

Generic Privacy Threats in E-ticketing Systems
1. Unintended customer identification:
   a) Exposure of the customer ID:
      i. Personal ID exposure (direct identification);
      ii. Indirect identification through the relevant object's ID.
   b) Exposure of a non-encrypted identifier during the anti-collision session;
   c) Physical layer identification (RFID fingerprinting).
2. Information linkage;
3. Illegal customer profiling.
! A cross-layered set of countermeasures is required.

Protecting User Privacy: Problems
• Customer privacy is not in the primary focus of the standardization effort;
• Several tailor-made solutions (in add-on fashion);
• No holistic approach treating privacy from the outset (in real systems).
! Privacy by Design is required.

A Privacy-preserving E-ticketing System: Requirements
(1) Privacy
    (a) Against terminals: identification: no; correlation: no.
    (b) Against back-end: identification: no; correlation: yes.
    (c) Against observers: PII derivation: no.
(2) Billing
    (a) Regular billing: regular billing support.
    (b) Billing correctness: in accordance with the fare policy.
(3) Efficiency: check-in/out events handling.

A General System Architecture and Requirements: An Overview
[Figure: E-tickets 1..n <-> Terminals 1..n (check-in/out, real-time) <-> Backbone network <-> Back-end (travel record processing: singulation, billing, identification; non-real-time); an external observer can watch the check-in/out channel. The following slides overlay requirements (1a), (1b), (1c), (2) and (3) onto this figure: (1a) and (1c) apply at the check-in/out interface between e-tickets and terminals, (1b) and (2) at the back-end, (3) to check-in/out event handling.]

Main Goals/Research Questions
RQ: How to build a privacy-preserving e-ticketing system with the following properties?
(1) Loose coupling between front-end and back-end (scaling);
(2) Offline e-ticket validation at the terminal side:
    - Valid e-tickets remain anonymous to the terminal;
    - Invalid e-tickets must be rejected.
(3) Privacy-preserving travel records processing in the back-end:
    - With regular billing support for personalized tickets;
    - Preventing direct identification (pseudonymization).

Academic Solutions: State of the art

Important Evaluation Criteria
• Mutual authentication between terminals and e-ticket;
• E-ticket anonymity/untraceability against terminals;
• Trust assumptions (esp. concerning terminals);
• Back-end coupling (close/loose);
• Regular billing support.

Solutions Taxonomy: Outline
[Figure: taxonomy tree of e-ticketing systems. Top-level split: close-coupled vs. loosely-coupled; loosely-coupled is further split into fully offline and semi-offline. Each of the three branches is split into asymmetric crypto and symmetric crypto. The asymmetric-crypto branches are e-cash based. The close-coupled symmetric-crypto branch is classified by lookup cost: linear O(n), logarithmic ~O(log n), constant time O(1). The loosely-coupled symmetric-crypto leaves are reader-specific tag access lists and full DB on a terminal.]

Solutions Taxonomy: Detailed
[Figure: the same tree expanded in detail; the extracted text ends here.]
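As an added illustration of the application scenario (check-in/check-out events, distance calculation, billing) and of research question (3), the following Python sketch is not the PEB design from the talk. It assumes an HMAC-based per-period pseudonym, a constructed per-km fare policy with a maximum fare charged for a check-in that is never checked out, and a strict split between the travel-record processing component (sees pseudonyms only: identification no, correlation yes) and the identity component that holds the key.

```python
# Added example, not the PEB design from the talk: back-end processing of
# check-in/check-out (CICO) travel records under per-period pseudonyms, with a
# regular bill. Pseudonym scheme, stops and fare policy are all assumptions.
import hashlib
import hmac
from collections import defaultdict

PSEUDONYM_KEY = b"constructed-demo-key"  # held by the identity component only
STOP_KM = {"A": 0.0, "B": 2.5, "C": 6.0, "D": 11.0}  # constructed stop positions
BASE_FARE, PER_KM, MAX_FARE = 1.00, 0.20, 4.00  # constructed fare policy

def pseudonym(customer_id: str, period: str) -> str:
    """Per-billing-period pseudonym. Without the key, records cannot be linked
    to a customer (identification: no); within one period the back-end can
    still group one pseudonym's records (correlation: yes), which billing needs."""
    msg = f"{customer_id}|{period}".encode()
    return hmac.new(PSEUDONYM_KEY, msg, hashlib.sha256).hexdigest()[:16]

def trip_fare(check_in: str, check_out=None) -> float:
    """Distance-based fare; an open trip (no check-out) is charged MAX_FARE."""
    if check_out is None:
        return MAX_FARE
    km = abs(STOP_KM[check_out] - STOP_KM[check_in])
    return round(min(BASE_FARE + PER_KM * km, MAX_FARE), 2)

def bill_period(records):
    """records: (pseudonym, event, stop, timestamp) with event in {'in','out'}.
    Returns {pseudonym: amount}; no customer id is visible at this stage."""
    totals = defaultdict(float)
    open_trip = {}  # pseudonym -> check-in stop of the trip in progress
    for pnym, event, stop, _ts in sorted(records, key=lambda r: r[3]):
        if event == "in":
            if pnym in open_trip:  # a second check-in closes the old trip at MAX_FARE
                totals[pnym] += trip_fare(open_trip[pnym], None)
            open_trip[pnym] = stop
        elif event == "out" and pnym in open_trip:
            totals[pnym] += trip_fare(open_trip.pop(pnym), stop)
        # a check-out without a preceding check-in is dropped as an invalid record
    for pnym, stop in open_trip.items():  # trips never checked out
        totals[pnym] += trip_fare(stop, None)
    return {p: round(v, 2) for p, v in totals.items()}

def resolve_bill(totals, customer_ids, period):
    """Identity component: re-derives each customer's pseudonym with the key
    and attaches the period total, producing the regular (e.g. monthly) bill."""
    return {cid: totals.get(pseudonym(cid, period), 0.0) for cid in customer_ids}
```

Because the pseudonym changes every billing period, travel records from different periods cannot be correlated by the processing component either; the identity component alone can join them, which is where access control and logging belong.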
