Access to data in a Calypso card is subject to a number of rules that may require specific access rights to be granted. These rules depend on access conditions specific to each file, and on cryptographic computations using secret keys stored in the card.
A specific security mechanism is also used to change the values of these keys.
Furthermore, to handle the specific ergonomics of the contactless link, two special security features called “secure session” and “ratification” are used.
A secure session begins with a specific command sent to the card to open the session (Open Secure Session), and ends with a specific command to close the session (Close Secure Session).
During the session, it is possible to read and write data on the card (access to some files may be restricted by specific conditions, e.g. having presented a PIN code).
When the session closes, all the data exchanged is certified by the card, and by the SAM included in the terminal. This certification simultaneously:
- proves the authenticity of the terminal to the card (authenticating the terminal),
- proves the authenticity of the card to the terminal (authenticating the card),
- certifies that the data exchanged is authentic and has not been tampered with by a defrauder.
Finally, the Close Secure Session command also proves to the terminal that the card has been correctly updated.
The secure session performs simultaneously:
- Authentication of the card.
- Authentication of the terminal.
- Authentication of all the data exchanged during the session.
- Proof that the card modifications have been correctly done.
These operations are done with a high-speed algorithm to allow a very quick transaction. This is particularly important when using the card with a contactless validator.
All the data modification commands given during the session are automatically cancelled if the final authentication fails or is not performed. The data modification commands are: Write, Update, Append, Increase, Decrease, Invalidate, Rehabilitate.
Thus, the session mechanism ensures that either all the modifications made during the session are completely and correctly done, or none of them is. If the session is not successfully closed (because of a bad signature, a card error, an unexpected shutdown, etc.), all the modifications done during the session are cancelled. Furthermore, a special feature, named “ratification”, also allows the ground validator to handle a possible communication link problem (see the later ratification section). These rules apply in exactly the same way in contactless and in contact modes.
During any communication, the link may be broken unexpectedly. This is particularly true in contactless communication, where the card may be taken out of the validator radio field during normal use, and before the transaction completion.
The signature session is a very efficient means of solving this problem, as an interruption before the session closing cancels all the modifications made to the card, leaving it in the same state as before the session. For example, if a counter must be decreased and a network entrance event must be recorded at the same time on the card, the session mechanism ensures that either both are completed or neither is.
However, after the end of the session, and the validation of the changes by the card, the acknowledgement (including the card signature) must still reach the validator. If the communication link is broken between the session closing, and the good reception of its acknowledgement, the validator has no proof that the card is legitimate and that the transaction succeeded. In this case, the user might have paid, or have his transport rights decreased, and not be allowed entrance to the network.
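As an added illustration of the session's all-or-nothing behaviour described above and of the lost-acknowledgement case in this paragraph (example code written for this page, not Calypso's own protocol or algorithm; the MAC construction, the file identifiers and the key are constructed stand-ins):

```python
import hashlib
import hmac

def mac(key, data):
    """Toy session MAC (HMAC-SHA256 truncated); stands in for the real card/SAM algorithm."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

class Card:
    """Card model: writes are buffered from Open Secure Session until a Close
    Secure Session carrying a valid terminal MAC commits them all at once."""
    def __init__(self, key, files):
        self.key, self.files = key, dict(files)
        self.pending, self.transcript = None, None

    def open_secure_session(self):
        self.pending, self.transcript = {}, b"OPEN"

    def update(self, sfi, value):                        # a data modification command
        self.pending[sfi] = value
        self.transcript += f"|UPD{sfi}={value}".encode()

    def close_secure_session(self, terminal_mac):
        transcript, pending = self.transcript, self.pending
        self.pending = self.transcript = None            # the session ends either way
        if not hmac.compare_digest(mac(self.key, transcript), terminal_mac):
            return None                                  # terminal not authentic: nothing committed
        self.files.update(pending)                       # all-or-nothing commit
        return mac(self.key, transcript + b"|CLOSE")     # card signature sent in the acknowledgement

    def link_lost(self):
        self.pending = self.transcript = None            # card left the field: buffered writes discarded

def run_transaction(card, key, break_before_close=False, lose_ack=False, bad_key=False):
    """Terminal/SAM side: decrease a counter and record an entry event in one session."""
    card.open_secure_session()
    transcript = b"OPEN"
    for sfi, value in ((0x19, card.files[0x19] - 1), (0x08, "entry")):
        card.update(sfi, value)
        transcript += f"|UPD{sfi}={value}".encode()
    if break_before_close:
        card.link_lost()                                 # interruption before Close: card untouched
        return "aborted"
    sig = card.close_secure_session(mac(b"wrong-key" if bad_key else key, transcript))
    if lose_ack or sig is None:
        return "unproven"     # no acknowledgement: the terminal cannot tell whether the card committed
    return "proven" if hmac.compare_digest(sig, mac(key, transcript + b"|CLOSE")) else "unproven"

KEY = b"constructed-demo-key"                 # constructed; real keys live in the SAM and the card
INITIAL = {0x19: 10, 0x08: None}              # constructed files: 0x19 counter, 0x08 event record
```

The last scenario (`lose_ack=True`) is the one the paragraph above describes: the card has committed the counter decrease, yet the terminal holds no card signature and cannot distinguish it from a failed close.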
The usual solution to this problem involves a complex mechanism in the validator, which must remember the cards that might fall into this case, and handle them properly if they are presented again soon after. The problem is even more complex in transport networks, where many validators may control the same network gate, and where the user might be tempted to try another validator if the previous one failed to open the gate.
To allow the user to enter the network without paying twice, while avoiding this very complex management in the validators of a network entrance or exit, the ratification mechanism was put in place.