Re: Is Mondex secure?

Tim Smith <reply_in_group@mouse-potato.com> writes:
> I don't know what these "Mondex" cards use, but I wonder if one
> could do a system like this where it is possible for the card to
> pre-compute much of the next transaction, before it exchanges
> anything with the other side?
>
> Then a card with, say, $200 stored in it could pre-compute part of,
> say, a $5 transaction, to be used in situations like paying a mass
> transit fare. It would pay the fare from the pre-computed
> transaction, and then pre-compute another $5 transaction for use in
> the next small payment situation.
>
> Result: the occasional small purchase would be fast. You'd only
> have to wait if you did a big transaction, or did small transactions
> back to back.
>
> The pre-computed transaction would be less secure, but only $5 would be
> at risk.

transit tends to have both contactless as well as time-constraint
(with contactless operation helping meet time-constraint). nominal
contactless draw their operational power is drawn from RF energy in
the air near reader (besides using RF for communication).

there were some mondex people at transit meeting in the mid to late
90s. they proposed mondex card in wireless sleeves and 15ft tunnels
approaching transit turnstyle. if people walked slowly thru the
tunnel, by the time they reached the turnstyle the communication would
have completed. i don't remember whether they required the wireless
sleaves to provide battery power to the mondex card ... or whether
they were trying to power from RF energy in the tunnel. I also don't
know if they proposed limiting one person at a time in a tunnel.

for some drift, starting 4-5 years ago, newer generation chips could
handle contactless (power derived from RF energy near reader) doing
ECC public key operations within transit time requirements.

for some of the non-ecc public key infrastructures ... elapsed time in
contact cards has been achieved by driving a much larger number of
circuits in parallel (elapsed time somewhat inversely proportional to
peak power). you might get the necessary level of power draw with
contact cards ... but it was much harder to provide that much peak
power for contactless cards powered with RF energy thru the air.

some of the transit chip systems use symmetric master key contained in
armored, secure turnstyle readers. they read some sort of chip serial
and value, compute derived symmetric key based on combination of
system master key and the chip serial, decrypt the value read, update
the value, re-encrypt and rewrite the chip with the new value.

within past two years, i had transit chipcard in one of the systems go
from something like positive $10 balance to negative $5 balance
between the time i left transit system and the next time I tried to
enter the transit system. somewhere in the time outside the transit
system, the chip experienced some sort of glitch. not only did the
glitch cause the card to loose value ... but the balance value went
negative (something the transit people weren't able to explain).

-- 
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/