by David Chaum

A prepaid smart card contains stored value which the person holding it can spend at retailers. After accepting stored value from cards, retailers are periodically reimbursed with actual money by system providers. A system provider receives money in advance from people and stores corresponding value onto their cards. During each of these three kinds of transactions, secured data representing value is exchanged for actual money or for goods and services.

Telephone cards used in France and elsewhere are probably the best known prepaid smart cards (though some phone cards use optical or magnetic techniques, which are not considered here). National prepaid systems combining public transportation, public telephones, merchants, and vending have already been announced in a number of countries. And road tolls at full highway speed are not far behind.

The systems proposed so far are compared, after a quick look at the card types on which they are based.

Card Types

There are in essence only four types of microcircuit card that have been suggested for use in prepaid applications, each based on a particular kind of chip. They are listed here in historical order:

• Memory cards—The chip in these cards consists only of storage and a little extra hardware that prevents access to the stored data unless certain stored passwords or PINs are input correctly. Most telephone cards are of this type.

• Shared-key cards—Secret keys in the chip let the card authenticate its communication with any device sharing the same keys. The chips are standard microcontroller card chips, with masked-in software for the cryptographic authentication algorithms.

• Signature-transporting cards—The same chip hardware as in shared-key cards is used, but with different software masked-in. The card stores publicly-verifiable digital signatures created by the system provider and fills them in like blank checks when spending them.

• Signature-creating cards—These chips also contain a microcontroller, but in combination with a dedicated co-processor capable of making digital signatures. Instead of spending signatures created by the system provider, they create their own.

Comparison

Security and cost are the fundamental criteria used here for comparing prepaid card techniques, but the best choice of technology depends on the situation. Security suitable for an in-house company card, for instance, may be wholly inadequate for a national or international card which may require protection of many system providers from each other as well as protection of personal privacy. Also depending on the setting, higher card costs can lead to lower system costs.

Closed or Open Security

Memory cards are suitable only for closed systems where a single company issues the cards and accepts them as payment for goods and services, or for systems with very low fraud incentive. The reason is that defrauding such systems requires only a small computer interposed between an actual card and a cash register. The computer merely has to record the secrets communicated during an initial transaction and can then, as often as desired, be used to play the role of a card having the initial balance.

Shared-key card systems require a tamper-resistant secured module in each vending machine or other point of payment. The module uses the key it shares with a card to authenticate messages during purchases. This lets the card convince the module that it has reduced its stored value by the correct amount and that it is genuine. A card convinces by using the shared key to encrypt a random challenge issued by the module together with an amount, so that the module can decrypt the transmission and compare the result with the expected challenge and amount. Periodically, the module transmits a similarly authenticated message, via telecommunication or manual collection procedure, back to the system provider, who reimburses the retailer.

The secured module in a shared-key system thus needs to store or at least be able to re-create secret keys of all cards, which gives some problems. If the cards of multiple system providers are to be accepted at the same retailers, all the retailers must have secured modules containing keys of every provider. This means either a mutually trusted module containing the keys of multiple providers, which might be hard to achieve, or one module per provider, which becomes impractical as the number of providers grows. Furthermore, in any shared-key system, if a module is penetrated, not only is significant retailer fraud facilitated, but the entire card base may be compromised.

Signature-transporting and -creating card types avoid these problems since they do not require secured modules. Cash registers need no secret keys, only public ones, in order to authenticate the signatures, which act like guaranteed checks filled in with all the relevant details. These same signatures can later be verified by the system provider for reimbursement. (Although tamper-resistant modules are not needed for verification, they can still be used to aggregate transactions.) Both signature -based card types also allow the cards of any number of issuers to be accepted at all retailers; retailers cannot cheat issuers, and issuers cannot cheat each other. These are the only truly open systems.

Privacy

All cards, except the signature-transporting type, uniquely identify themselves in each transaction. This means that even if the card does not reveal the persons identity, all payments a person makes are linked together by the card identity. As a consequence, if a reload or any one of the payments made by a person is traced to that person, then they all are.

The reason for identification of shared-key cards is that security is thought to be too low if all cards have the master key. Therefore cards are given unique keys, and the cash register needs the card identity each time to re-create the corresponding unique card key from the master key.

The signature-transporting approach avoids the need for identification, since instead of a single key per card, cards use a different signature per payment. When signatures are made by the system provider on blinded checks that are then unblinded by the card, not even the system provider can trace payments to cards.

Card Costs

The overall cost of cards for a system is determined not only by how much each card costs, but also by how long cards last and how much of each card is needed. Nonrefillable memory cards have a very limited card lifetime and are suitable only for a single purpose. But microcontroller cards can last years and are flexible enough to handle a variety of things, not limited to stored value, thereby allowing sharing of card cost among multiple applications.

Bonding chips into modules, assembling them into cards, and printing can cost about the same for all card types, roughly US$ 0.50-2.00 (plus the cost of the small fraction of chips that are damaged during production). Nonrefillable cards, however, typically use less durable materials and less costly production techniques.

Memory card chips are much smaller, and consequently much less expensive to produce, than those in microcontroller cards. They cost, depending on the type, roughly between US$ 0.10-0.40 in quantity. Shared-key and signature-transporting cards today use exactly the same chip hardware, only the masked-in software differs. Suitable chips cost about US$ 1.00-1.20 in quantity. Signature-creating card chips, which need extra circuitry for the co -processor (or a very powerful processor), require more on a chip, are relatively new on the market, and currently cost several times more.

Non-Card Costs

Apart from cards themselves, the other main system costs are card issuing and refilling, retailer equipment, and system provider processing and security measures.

If cards are issued with value on them, as is of course required with nonrefillable memory cards, then they must be transported, stored, and dispensed, using costly security and audit provisions, like those associated with bank notes. Refillable cards can be distributed without value and avoid these costs, but on the other hand require infrastructure for on-line reload transactions with system providers.

Retailer equipment costs may be higher than card costs. Typical ratios of cards to points of sale (about 100 to 1 for cash registers and higher with vending, phones, etc.) and even the price of current terminals (about US$ 150-1500) suggest that the point-of-sale equipment can be more costly than even a dedicated microcontroller card base.

In the shared-key approach, secured modules trusted by all system providers must be installed in all retailer equipment. In open systems such security modules must be significantly more elaborate and costly than any card, since the security offered by a card is generally considered inadequate to protect the keys of all other cards. But the higher cost of terminals incorporating such modules is at odds with the objective of automating all manner of low value payments, such as in vending. Transaction processing by the system providers also requires tamper-resistant devices. Proper management of keys and auditing of such systems are cumbersome and expensive. If shared-key systems grow, and start to include less trustworthy retailers and more system providers, even the minimum security necessary becomes excessively costly.

With either signature card type, suitable software not tamper-resistant modules is all retailer equipment needs in order to verify payments and later forward the signatures for reimbursement. These can then be verified by any transaction processing computer that has copies of the freely available public keys, thereby reducing exposure while both increasing the quality and reducing the cost of security audit and controls.

Conclusion

The simplest of the four card types, the memory card, is well suited for closed systems where there is little incentive for fraud by persons or retailers. The low card cost makes this approach attractive, but the low security makes it unsuitable for more general use. The most expensive type, the signature-creating card, seems to offer little fundamental advantage over less expensive cards and, incidentally, is far too slow in signing for highway speed road-tolls and even some telephones.

The remaining two card types, shared-key and signature-transporting, can today be based on exactly the same kinds of microcontroller chips, and thus have the same card cost. The system cost with shared-keys, however, is significantly higher than with signature-transporting. The main reason is that shared-keys require tamper-resistant modules at all points of payment and processing sites, while these modules are not needed with signature- transporting.

In addition to cost, there are other reasons to prefer signature-transporting cards for larger systems. Privacy may be an issue in large-scale consumer systems, and the other card types are unable to address this problem, while signature-transporting solves it neatly. When more retailers and system providers are included, as large open systems are built or as closed systems grow and merge, the cost of maintaining even merely acceptable security with shared keys becomes prohibitive. By contrast, signature-transporting maintains a very high level of security while allowing flexible scaling and merging of systems.