13 Mar 2006

hong kong's octopus system

while i was writing about japan's suica system, i thought about the octopus rfid card system in hong kong, which i've used ever since it was introduced back in 1997. wikipedia has a very complete description of the octopus card. here are some interesting points:

1. octopus was developed by a company in perth, australia.
2. the same company is deploying the system in the netherlands.
3. there are twice as many cards issued as there are people in hong kong.
4. the maximum amount you can store on the card is HK$1000 (about US$130).
5. the transfer rate is 212 kbit/s. it uses sony felica, the same tech sony is putting into its laptops to read the japanese rfid cards, suica and edy.
6. a transaction takes 0.3 seconds to complete. that is quick!
7. the card uses two-way challenge-response authentication with PKI.

that is presumably also how it works on buses and trams. the readers on those vehicles have no network connection, so the value can't be kept on a central server; it has to live on the card itself. so i suspect the card stores a number of public keys, and each operating company is given the matching private key with which to authenticate itself to the card.

the interesting bit is revocation: if a key is compromised (say, by a sloppy tram operator), how does the system revoke it? if i were designing the system, i'd probably do it during the "recharge" process, where you take your card to a 7-11 (or another convenience store), and upload the new key list to the card at the same time. the situation gets more interesting with the auto top-up service some banks operate, which adds value automatically when funds run low: a card on auto top-up might never see a recharge station.
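to make the speculation above concrete, here is the scheme written out as a small simulation. this is an added example of my own, not octopus, felica or ERG code, and nothing on this page says the real card actually works this way. the card holds a list of operator public keys, each operator holds a private key, a fare is the two-way challenge-response, and a recharge station pushes a fresh key list to the card. toy schnorr signatures over Z_p^* with p = 2^127 - 1 stand in for whatever the real cards use and are far too small to be secure; the HK$1000 cap is from the list above; the operator names, key ids and card id are invented.

```python
"""Toy model of the scheme speculated about above: operator public keys live on the
card, operators hold the private keys, each fare is a two-way challenge-response, and
a leaked key is revoked by pushing an issuer-signed key list at recharge (toy crypto)."""
import hashlib
import secrets
from dataclasses import dataclass

P, G = 2**127 - 1, 3   # Mersenne prime modulus and toy generator (not for real use)
ORDER = P - 1          # exponents are reduced mod the group order

def keygen():                                   # -> (private, public)
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, P)

def _h(r: int, msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(r.to_bytes(16, "big") + msg).digest(), "big") % ORDER

def sign(priv: int, msg: bytes):
    k = secrets.randbelow(ORDER - 1) + 1
    r = pow(G, k, P)
    return r, (k - _h(r, msg) * priv) % ORDER   # verifier checks g^s * y^e == r

def verify(pub: int, msg: bytes, sig) -> bool:
    r, s = sig
    return pow(G, s, P) * pow(pub, _h(r, msg), P) % P == r

def key_list_bytes(keys: dict) -> bytes:        # canonical encoding the issuer signs
    return b"keys" + b"".join(k + v.to_bytes(16, "big") for k, v in sorted(keys.items()))

class CardError(Exception): pass

@dataclass
class Card:
    card_id: bytes
    issuer_pub: int
    operator_keys: dict   # key id -> operator public key: the card's trust list
    priv: int             # the card's own key; never leaves the card
    pub: int
    cert: tuple           # issuer's signature over (card_id, pub)
    balance: int = 0      # value is stored on the card because readers are offline
    nonce: bytes = b""

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def debit(self, key_id: bytes, reader_sig, reader_nonce: bytes, amount: int):
        """Leg 1: reader proves it holds a listed operator key. Leg 2: card signs back."""
        pub = self.operator_keys.get(key_id)
        if pub is None:
            raise CardError("unknown or revoked operator key")
        if not verify(pub, b"debit" + self.nonce + amount.to_bytes(4, "big"), reader_sig):
            raise CardError("reader failed challenge")
        if amount > self.balance:
            raise CardError("insufficient value")
        self.balance -= amount
        return sign(self.priv, b"card" + reader_nonce + self.card_id), self.pub, self.cert

    def recharge(self, amount: int, keys: dict, issuer_sig) -> bool:
        """Station adds value and pushes a key list; a list not signed by the issuer is refused."""
        if not verify(self.issuer_pub, key_list_bytes(keys), issuer_sig):
            return False
        self.operator_keys = dict(keys)
        self.balance = min(self.balance + amount, 1000)   # HK$1000 cap from the post
        return True

@dataclass
class Reader:
    key_id: bytes
    operator_priv: int
    issuer_pub: int

    def transact(self, card: Card, amount: int) -> bool:
        card_nonce, my_nonce = card.challenge(), secrets.token_bytes(16)
        reader_sig = sign(self.operator_priv, b"debit" + card_nonce + amount.to_bytes(4, "big"))
        try:
            card_sig, card_pub, cert = card.debit(self.key_id, reader_sig, my_nonce, amount)
        except CardError:
            return False
        # fare accepted only if the issuer vouched for card_pub and the card signed our nonce
        return (verify(self.issuer_pub, card.card_id + card_pub.to_bytes(16, "big"), cert)
                and verify(card_pub, b"card" + my_nonce + card.card_id, card_sig))

def demo() -> dict:
    issuer_priv, issuer_pub = keygen()
    (tram_priv, tram_pub), (bus_priv, bus_pub) = keygen(), keygen()
    keys = {b"tram": tram_pub, b"bus": bus_pub}           # invented operators
    card_priv, card_pub = keygen()
    card = Card(b"card-0001", issuer_pub, dict(keys), card_priv, card_pub,
                sign(issuer_priv, b"card-0001" + card_pub.to_bytes(16, "big")))
    card.recharge(100, keys, sign(issuer_priv, key_list_bytes(keys)))
    tram = Reader(b"tram", tram_priv, issuer_pub)
    out = {"tram_fare_ok": tram.transact(card, 23)}                                # 100 -> 77
    out["impostor_rejected"] = not Reader(b"bus", keygen()[0], issuer_pub).transact(card, 1)
    revoked = {b"bus": bus_pub}   # tram key leaked: issuer drops it; card learns at next recharge
    out["forged_list_rejected"] = not card.recharge(0, revoked, sign(tram_priv, key_list_bytes(revoked)))
    card.recharge(0, revoked, sign(issuer_priv, key_list_bytes(revoked)))
    out["tram_revoked"] = not tram.transact(card, 23)
    out["bus_still_ok"] = Reader(b"bus", bus_priv, issuer_pub).transact(card, 7)   # 77 -> 70
    out["balance"] = card.balance
    return out
```

two things the simulation makes visible that the prose only hints at: the key list pushed at recharge has to be signed by the issuer, otherwise any convenience-store terminal could install its own "operator" key and debit cards; and a card on auto top-up simply never calls recharge, so it keeps trusting the leaked tram key until it next visits a station.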

seems like rfid payments have come a long way -- except that there hasn't been any substantial security analysis of the cards, or maybe i'm looking in the wrong place.

finally, i, for one, welcome my contactless card touting overlords.

