OPERA - Open Payments European Research Association
by Rafael Hirschfeld
The Open Payments European Research Association (OPERA) is investigating the use of a multi-currency cross-border electronic purse based on smart cards and hand-held infrared wallets. A multinational trial is currently underway in Belgium and Greece.
The technology employed by OPERA was developed by another European project, CAFE, which concluded in February of 1996. The CAFE project was carried out by academic and industrial partners, but the consortium did not include financial institutions. Instead, a group of financial institutions sponsored the CAFE trial and made up the initial partners of OPERA. They include the two largest commercial banks in Greece: the National Bank of Greece and the Commercial Bank of Greece.
The CAFE wallet combines conventional and digital money storage.
OPERA picks up where CAFE left off, and aims to test the electronic purse in a multinational environment with a view to possible future commercialisation. There are a number of commercial electronic purse trials underway throughout Europe and around the world. The OPERA purse, called Xchange, differs from these systems in that it is far more technically advanced but also far less commercially developed. Some specific differences include:
The security of most commercial electronic purses is based on secret-key (symmetric) cryptography. This requires that the information stored in the merchant terminal be protected by some sort of tamper-resistant device (called a security module), because if it were revealed it could be used to generate value. The Xchange system is based entirely on public-key (asymmetric) cryptography, so there are no secrets in the terminal; accepting payments is simply a matter of additional software and no special trust relationship with the merchant is required. This allows greater flexibility for inclusion of not only arbitrary merchants but also multiple issuers of electronic value.
Most commercial electronic purses (with the notable exception of Mondex) operate in a single currency. Mondex cards have pockets for multiple currencies, but the merchant must accept one of the currencies present in the purse. The Xchange purse includes a conversion mechanism that enables the merchant to obtain payment in its local currency from a purse loaded only with foreign currencies. Although this mechanism is fully general, in the OPERA trial the ECU is used as a medium of exchange: the cardholder can spend her home currency in her home country, and ECU anywhere. This is done in anticipation of EMU in order to allow people to try out the use of the ECU/Euro. Already ECU loaded in Brussels (converted from Belgian francs) have been successfully used in Athens to purchase items priced in Greek drachma.
Digital money in the research literature somewhat resembles physical cash in that electronic banknotes are produced by the issuer and are only carried by the card. Unfortunately, such banknotes are too bulky for a smart card to store a sufficient number of them, so most electronic purse systems adopt a counter-based approach: the card generates money based on the balance in a counter, which is then decremented. This is tantamount to allowing the card to print its own banknotes, and if the physical security of the card is compromised, the potential loss is unlimited. The Xchange purse uses a hybrid approach: the card 'prints money' from a stored balance as in other counter-based systems, but only on special paper (in the form of signed certificates) that is supplied by the issuer in limited quantities. That way, if the protected area where the 'plates' are stored is in some way compromised, the loss is limited. The basic security approach is to store as much as possible of the information needed for generating electronic value at the issuing bank rather than on the card.
Anonymous payments are supported. As electronic purse technology rushes in to capture low value cash payments, many have raised concerns about consumer privacy. Although this is more a societal or legal issue, the availability of technology to support anonymous payments allows the choice to be made purely on societal grounds. In the Xchange system, anonymity is an issuer option, and it is possible to mix some issuers that provide it with others that do not. Anonymity is one-way, ie, it is always possible for the payer to prove to which payee she made a particular payment. This addresses many of the serious objections to fully anonymous payments while still protecting the privacy of consumers' spending habits.
Recovery of lost, stolen, and damaged cards is supported. Because the privacy features preclude mirroring of the cards (except in debugging versions of the system), cardholders may have to wait before recovering the value on their cards, but they can eventually recover any value remaining on their card at the time they report its loss.
Contactless transactions can be performed via infrared wallets. In principle these could be the consumer's own computer or personal digital assistant. In addition to convenience in particular situations (eg parking garages), the cardholder can complete the transaction through her own trusted device, which displays the amount requested and asks for confirmation. By analogy, the contactless payment can be likened to taking the appropriate amount of money out of one's wallet and handing it to the cashier, whereas payment with a smart card is more like handing over one's entire wallet and asking the cashier to take the correct amount. This becomes even more dangerous when the wallet contains other things besides cash, such as credit cards, credentials, room keys, etc.
The cryptographic protocols used to secure most commercial systems are shrouded in secrecy. By contrast, the protocols employed by the Xchange purse are published and open to public scrutiny. It is believed that only by subjecting the protocols to attack by the wider research (and hacker) community can they be sufficiently hardened, and that only by making them known to all can they be trusted by all. In principle, anybody can follow the specifications and make compliant devices.
Although the primary technical aspects of the OPERA purse were developed within the CAFE project, OPERA is developing technical extensions of its own. These include an unattended reloading device, which interfaces to the banking network to load money from the purseholder's bank account, or which can accept cash coins and bank notes. Also investigated is the addition of debit and credit facilities, compliant with the specifications of Europay, Mastercard, and Visa (EMV), alongside the purse. These extensions are being developed primarily by Mellon Technologies and Ethnodata, both based in Athens.
At the moment, the OPERA trials are limited in size and scope. There are real users, but they are limited to employees of the institutions involved in the trial. Experience is being gained, however, that could ultimately lead to a commercial system. Although any commercial deployment would probably require reimplementation of much of the system, OPERA will have demonstrated the feasibility.
Finally, it is worth pointing out that OPERA also stands for interOPERAbility. Although the current focus is on the Xchange electronic purse, OPERA remains committed to the CAFE vision of the electronic wallet as a user's device for managing relationships with several issuers, application providers, etc, including possibly several (competing) electronic purses on the same device, and with none of the applications compro-mising the security of any of the others.
Rafael Hirschfeld - CWI
Tel: +31 20 592 4169
The OPERA secretariat - CardWare Ltd.
Tel: +44 1582 760664
Fax: +44 1582 764518