A Privacy-Preserving NFC Mobile Pass for Transport Systems

Ghada Arfaoui; Guillaume Dabosville; Sébastien Gambs; Patrick Lacharme; Jean-François Lalande

Research Article

A Privacy-Preserving NFC Mobile Pass for Transport Systems

Download1508 downloads

Cite: BibTeX Plain Text

@ARTICLE{10.4108/mca.2.5.e4,
    author={Ghada Arfaoui and Guillaume Dabosville and S\^{e}bastien Gambs and Patrick Lacharme and Jean-Fran\`{e}ois Lalande},
    title={A Privacy-Preserving NFC Mobile Pass for Transport Systems},
    journal={EAI Endorsed Transactions on Mobile Communications and Applications},
    volume={2},
    number={5},
    publisher={ICST},
    journal_a={MCA},
    year={2014},
    month={12},
    keywords={DAA, mobile pass, NFC, privacy, smartcard},
    doi={10.4108/mca.2.5.e4}
}

Ghada Arfaoui
Guillaume Dabosville
Sébastien Gambs
Patrick Lacharme
Jean-François Lalande
Year: 2014
A Privacy-Preserving NFC Mobile Pass for Transport Systems
MCA
ICST
DOI: 10.4108/mca.2.5.e4

Ghada Arfaoui^1,2, Guillaume Dabosville³, Sébastien Gambs⁴, Patrick Lacharme⁵, Jean-François Lalande^4,2^,*

1: Orange Labs, F-14066 Caen, France
2: INSA Centre Val de Loire, Univ. Orléans, LIFO EA 4022, F-18020 Bourges, France
3: Oberthur Technologies, F-92700 Colombes, France
4: Université de Rennes 1, Inria, SUPELEC, CNRS, IRISA (UMR 6074), F-35065 Rennes, France
5: Laboratoire GREYC (Unicaen, Ensicaen, CNRS), UMR 6072, F-14032 Caen, France

*Contact email: jean-francois.lalande@insa-cvl.fr

Abstract

The emergence of the NFC (Near Field Communication) technology brings new capacities to the next generation of smartphones, but also new security and privacy challenges. Indeed through its contactless interactions with external entities, the smartphone of an individual will become an essential authentication tool for service providers such as transport operators. However, from the point of view of the user, carrying a part of the service through his smartphone could be a threat for his privacy. Indeed, an external attacker or the service provider himself could be tempted to track the actions of the user. In this paper, we propose a privacy-preserving contactless mobile service, in which a user’s identity cannot be linked to his actions when using the transport system. The security of our proposition relies on the combination of a secure element in the smartphone and on a privacy-enhancing cryptographic protocol based on a variant of group signatures. In addition, although a user should remain anonymous and his actions unlinkable in his daily journeys, we designed a technique for lifting his anonymity in extreme circumstances. In order to guarantee the usability of our solution, we implemented a prototype demonstrating that our solution meets the major functional requirements for real transport systems: namely that the mobile pass can be validated at a gate in less than 300 ms, and this even if the battery of the smartphone is exhausted.

Keywords: DAA, mobile pass, NFC, privacy, smartcard

Received: 2014-02-02
Accepted: 2014-09-16
Published: 2014-12-28
Publisher: ICST

: http://dx.doi.org/10.4108/mca.2.5.e4

Copyright © 2014 Ghada Arfaoui et al., licensed to ICST. This is an open access article distributed under the terms of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/3.0/), which permits unlimited use, distribution and reproduction in any medium so long as the original work is properly cited.