Written by Stephen McSpadden for Rambus Press
The non-proprietary CIPURSE security specification was first established by the Open Standard for Public Transportation (OSPT) Alliance in late 2010. Targeted primarily, but not exclusively, at the public transport sector, CIPURSE addresses the current and future automated fare collection system requirements of local, regional and national transit authorities.
The open CIPURSE specification continues to evolve and develop in line with the market via the participation of OSPT Alliance members. The CIPURSE specification is available to all classifications of membership: evaluators, associate members, affiliate members, full members and board members; thereby allowing a broad range of perspectives from the differing participants to contribute to its development. CIPURSE has also been reviewed and analyzed by the wider security industry. While the standard was primarily designed for transit and closed-loop ePurse scenarios, its application has been extended to areas as diverse as airport access control.
There are multiple suppliers of products compliant with the CIPURSE specification. With clear and open interfaces, it is possible to define a comprehensive architecture that eschews the tradition of being tied to one supplier. This paradigm encourages genuine competition, product differentiation and innovation – all of which clearly benefit Public Transportation Organizations (PTO) and System Integrators. The CIPURSE standard is also a natural fit for Mobility as a Service (MaaS) type solutions which are built around open APIs.
HCE and the Open Standards of CIPURSE
As discussed above, CIPURSE is an open standard that allows any member to access the specification, with full and associate members actively participating in its development. CIPURSE members include semiconductor manufacturers, smart card and mobile software developers, transit software solution providers, system integrators, transit hardware providers, other specification bodies and transit operators.
Originally, CIPURSE was a smart card-focused specification that sought to provide an open platform, with support spanning smart paper tickets to high-end, multi-use, multi-application smart cards. In 2018 and beyond, the OSPT Alliance considers wearables and mobile platforms to be an essential part of the transport industry and CIPURSE continues to evolve accordingly.
Within the mobile category, CIPURSE is not restricted to any specific hardware-based solution such as SIM or embedded Secure Elements, which can constrain innovation and choice of supplier. While CIPURSE solutions on a Secure Element can be readily provided, Host Card Emulation (HCE) is being embraced by developers. In fact, the OPST Alliance demonstrated a CIPURSE HCE solution in January 2017, with the full HCE specification slated for release in early 2018. This open and collaborative approach to providing comprehensive HCE support leverages the collective expertise; even amongst competitors, to encourage an interoperable growth opportunity for the industry.
The Benefits of CIPURSE
CIPURSE provides a detailed definition of its authentication protocol and security mechanisms which are based on industry standard AES-128 encryption. However, CIPURSE does not stipulate a specific ticket format, effectively creating a trusted, multi-supplier platform that addresses the life-cycle of the ticket wallet – be it smart card, Secure Element (SE) or HCE on a mobile Android handset. Put simply, CIPURSE helps promote competition, both in terms of pricing and innovation, while also encouraging the continued evolution of differentiated solutions.
All members of the OSPT Alliance, including semiconductor manufacturers, see the benefits of developing and promoting an HCE-based mobile specification for CIPURSE. Just as cash isn’t dead quite yet, physical (transport) smart cards will likely be in circulation for the foreseeable future. However, as is illustrated by the Glasgow Subway which has announced a pilot HCE solution, mobile applications facilitating seamless transport represent the future of smart ticketing and travel.
By basing these applications on open platforms, there is a real opportunity to bring transit ticketing into the 21st century in a form that meets the expectations of modern commuters. The OSPT Alliance CIPURSE specification aligns particularly well with the open APIs of MaaS, allowing CIPURSE to act as an enabling platform for a wide range of current and future MaaS services. Moreover, CIPURSE provides easy access to a multi-supplier backed definition of a robust, independently validated security protocol, offering a viable alternative to the proprietary solutions that have traditionally dominated the transport sector.
Conclusion
CIPURSE is an open specification defining an authentication and security protocol that is designed for transit and closed-loop ePurse scenarios. There are multiple suppliers of products compliant with the specification, which helps create healthy competition in the transport market. With clear interfaces, it is possible to define an open architecture that won’t become tied to any one supplier. This also positions CIPURSE as a natural fit for mobile-based platforms, whether via a secure element or HCE. This competitive approach helps encourage innovation for both technical solutions and commercial models, while offering a logical, clear alignment with the goals of MaaS style solutions built around open APIs.
