CIPURSE

CIPURSE is an open security standard for transit fare collection systems. It makes use of smart card technologies and additional security measures.

History
The CIPURSE open security standard was established by the Open Standard for Public Transportation (OSPT) Alliance to address the needs of local and regional transit authorities for automatic fare collection systems based on smart card technologies and advanced security measures.

Products developed in conformance with the CIPURSE standard are intended to:


 * include advanced security technology,
 * support multiple applications,
 * help enable compatibility with legacy systems, and
 * be available in a variety of form factors.

The open CIPURSE standard is intended to:


 * promote vendor neutrality,
 * enable cross-vendor system interoperability,
 * reduce the risk of adopting new technology, and
 * improve market responsiveness.

All of these factors are intended to reduce operating costs and increase flexibility for transport system operators.

Background
In the past, public transport systems were often implemented using standalone, proprietary fare collection systems. In such cases, each fare collection system employed unique fare media (such as its own style of ticket printed on card) and data management systems. Because fare collection systems did not interoperate with each other, payment schemes and tokens varied widely between local and regional systems, and new systems were often costly to develop and maintain.

Transport systems are migrating to microcontroller-based fare collection systems. These are converging with similar applications and technologies, such as branded credit-debit payment cards, micropayments, multi-application cards, and Near Field Communication (NFC) mobile phones and devices. These schemes will enable passengers to use transit tokens seamlessly across multiple transit systems. These new applications demand higher levels of security than most existing schemes that they will replace.

The OSPT Alliance defined the CIPURSE standard to provide an open platform for securing both new and legacy transit fare collection applications. Systems using the CIPURSE open security standard address public transport services, collection of transport fares, and transactions related to micropayments.

The transition to an open standard platform creates opportunities to adopt open standards for important parts of the fare collection system, including data management, the media interface and security. An open standard for developing secure transit fare collection solutions could make systems more cost-effective, secure, flexible, scalable and extensible.

Specification
In December 2010, the OSPT Alliance introduced the first draft of the CIPURSE standard. It employs existing, proven open standards, including the ISO/IEC 7816 smart card standard, as well as the 128-bit Advanced Encryption Standard and the ISO/IEC 14443 protocol layer. Designed for low-cost silicon implementations, the CIPURSE security concept uses an authentication scheme that is resistant to most of today’s electronic attacks.

Its security mechanisms include a unique cryptographic protocol for fast and efficient implementations with robust, inherent protection against differential power analysis (DPA) and differential fault analysis attacks. Because the protocol is inherently resistant to these kinds of attacks and does not require dedicated hardware measures, it should be both more secure and less costly. It is intended to guard against counterfeiting, cloning, eavesdropping, man-in-the-middle attacks and other security threats.

The CIPURSE standard also:
 * Defines a secure messaging protocol
 * Identifies four minimum mandatory file types and a minimum mandatory command set to access these files
 * Specifies encryption keys and access conditions
 * Is radio frequency (RF) layer agnostic
 * Includes personalization and life cycle management, as well as system functionality to provide interoperability and fast adoption
 * Provides a security concept and guidelines

OSPT Alliance technology providers are allowed to add functionality outside the common core (which is defined in the standard) to differentiate their products, so long as they do not jeopardize interoperability of the core functions.

Introduced in late 2012, Version 2.0 of the CIPURSE Specification is the latest version. Designed as a layered, modular architecture with application-specific profiles, the open and secure CIPURSE V2 standard comprises a single, consistent set of specifications for all security, personalization, administration and life-cycle management functions needed to create a broad range of interoperable transit applications – from inexpensive single-ride or daily paper tickets to rechargeable fixed-count or weekly plastic tickets to longer-term smart card- or smart phone-based commuter tickets that can also support loyalty and other applications.

Three application-specific profiles – subsets of the CIPURSE V2 standard tailored for different use cases – have been defined, and vendors are required to comply with them when creating products targeting these applications:
 * CIPURSE T – Takes advantage of the new transaction mechanisms included in the specification to support the use of high-level, microprocessor-based transactions using smart cards, mobile phones and similar devices for more complex transit fare applications, such as monthly or annual tickets, multi-system tickets and loyalty programs.
 * CIPURSE S – Supports tickets that can be recharged for a specific number of rides or weekly tickets and is essentially equivalent to and supplants the current CIPURSE 1.1 specification.
 * CIPURSE L – Supports applications that use very inexpensive, disposable single-ride or daily tickets.

Products based on different profiles can be added to fare collection systems at any time and can be used in parallel to provide transit operators the greatest flexibility in offering riders a range of transit fare options. Because they are derived from the same set of specifications, all the profiles are interoperable, reflect the same design criteria and have the same appearance, enabling developers to create products according to a family concept. With its modular “onion-layered” design, the CIPURSE standard can be easily enhanced in the future with additional functionality and new profiles created to address changes in technology and business. The CIPURSE V2 specification enables technology suppliers to develop and deliver innovative, more secure and interoperable transit fare collection solutions for cards, stickers, fobs, mobile phones and other consumer devices, as well as infrastructure components.

In early 2013, the OSPT introduced the CIPURSE V2 Mobile Guidelines, a comprehensive set of requirements and use cases for developing and deploying CIPURSE-secured transit fare mobile apps for near field communication (NFC)-enabled smartphones, tablets and other smart devices. Providing everything developers need to implement and use the CIPURSE V2 open security standard when embedded in an NFC mobile device, the new guidelines enable transit operators to enhance their systems to support mobile ticketing with these new form factors.

Organization
Founded in January 2010 by smart card manufacturers Giesecke & Devrient GmbH (G&D) and Oberthur Technologies and chip suppliers Infineon Technologies AG and INSIDE Secure S.A. (formerly INSIDE Contactless), the OSPT Alliance collectively defined the CIPURSE standard.

The Alliance partners test their products for conformance with CIPURSE to demonstrate interoperability, and have engaged an independent test authority to test compliance with the standard, interoperability, and performance.

The OSPT Alliance
The OSPT Alliance is a nonprofit industry organization open to technology vendors, transit operators, government agencies, systems integrators, mobile device manufacturers, trusted service operators, consultants, industry associations and others wishing to participate in the organization’s education, marketing and technology development activities.

Members
As of February 2019, the full members of the alliance are:


 * Americaneagle.com
 * Artesp
 * ATM Barcelona
 * AUSTRIACARD
 * Brush Industries
 * CEITEC S.A.
 * City Group
 * Consorcio Sir Cuenca
 * Cosmo.ID
 * Crane Payment Innovation
 * Dataprom
 * Delerrok Inc.
 * DIMTS
 * Discovery Research and Development Center
 * Enotria
 * ETDA
 * Etertin Corp
 * Facillite
 * FEIG Electronic
 * FIME
 * G+D Mobile Security
 * Gemalto
 * GTech Technologia E Software (Gbits)
 * GuardTek
 * HID Global
 * IDEMIA
 * Identiv
 * Infineon Technologies AG
 * Instituto Modal
 * ITSO Ltd.
 * Keith Smith Consulting
 * Kenetics Innovations
 * KEOLABS
 * Korean Testing Certification
 * Linxens
 * MaskTech
 * Medius
 * Miskimmin Consulting
 * MK Smart
 * Nexus Group
 * NSB
 * phg
 * Planeta Informática
 * Pri-Num
 * Prokart
 * Quanta-IT
 * QuantumAeon
 * Rambus
 * Rede Ponto Certo
 * Rede Protege
 * RioCard
 * RioCard TI
 * San Joaquin Regional Transit District (RTD)
 * São Paulo Transporte
 * SC Soft
 * Secure Technology Alliance
 * Sequent
 * Setransp
 * Silone
 * SIMA
 * Smarting
 * SpringCard
 * Stratos Group
 * Telenor Group
 * Telexis
 * The Open Ticketing Institute (OTI)
 * Tmonet
 * Transdata Smart
 * TU Wien - Vienna University of Technology
 * Tubitak
 * Tue Minh
 * Udobny Marshrut
 * Universitat Politécnica de Catalunya
 * Urbanito
 * UTI Infrastructure Technology And Services Ltd.
 * VISALUX Comércio e Indústria Ltda
 * Washington Metropolitan Area Transit Authority
 * Watchdata Technologies Ltd.
 * WUXI HUAJIE
 * ZeitControl cardsystems GmbH

The alliance is open to companies on the component supply and system integration side, as well as transport agencies and other standards bodies, to contribute their experience and knowledge to the development of the CIPURSE open standard.
