Host Card Emulation (HCE) is the technology in mobile phones that enables them to emulate contactless smartcards, but more about that later. The above question about HCE security was posed by a member of the Transport Card Forum committee when deciding the agenda for the June event in London. I was asked to speak on the subject and this blog is a summary of the presentation I gave.
Cryptography on smart cards
Smart card chips are tamper-resistant hardware running secure operating systems (OSs). They are expensive to design and certify as being secure. However, the design and certification are done once and the chips are manufactured in high volumes in order to drive the price down.
The cryptographic algorithms execute on the smart chip in order that the secrets they use need not be revealed to the outside world. Only the results of the cryptographic calculations emerge to be used by others within the scheme to achieve authentication, confidentiality and non-repudiation.
Typically, the secrets are loaded to the card before it is issued. Thereafter, it is assumed that the secrets cannot be compromised within the lifetime of the card (e.g. bank cards typically have a 3-year life). Therefore, the cards are not typically designed to allow the secrets to be changed after they have been issued.
Cryptography on mobile devices
As mobile phones became popular and began to be able to emulate contactless smart cards in the noughties, it was at first assumed that a smart chip (or secure element (SE) as they are sometimes known) within the mobile device would be needed to securely hold the secrets and execute the cryptographic algorithms without revealing the secrets. However, the smart card within the phone was typically the SIM card owned by the MNO and not convenient for third parties (e.g. transit operators and banks) to use.
One of the reasons clients like to engage with Chyp is that we have our own lab where we can put leading-edge technologies together in new and interesting ways.
In 2008, Chyp ran a trial of ITSO bus tickets on Nokia 6131 NFC clam phones on the NoWCard scheme in Cumberland.
The trial was considered a success and the trialists did not want to give up their phones. However, the need to load tickets to apps residing on the SIM remained a big inconvenience in the real world. And this factor stopped any such proposals from advancing into production beyond trial.
What is HCE?
Host Card Emulation (HCE) is an alternative to SE-based contactless smart card emulation. The ‘Host’ is the main processor within the mobile device. Typically, SEs within the mobile device are not used and clever software solutions are found instead to allow cryptographic algorithms to execute using secrets without revealing the secrets and without using secure hardware.
HCE timeline
Our work in the field of HCE began before the term was coined. We used to call it ‘NOSE’ which stood for ‘No Secure Element’.
- 2007: We built prototypes in our lab using standard NFC controller chipsets found in mobile phones that allowed us to perform EMV transactions with contactless readers without using an SE. We were unable to implement this on mobile phones at the time since the mobile device operating systems did not allow it.
- 2008: Our ITSO mobile ticket trial at NoWCard showed that users liked the experience once the phone was provisioned, but provisioning to the SE remained a big barrier, so ‘NOSE’ could be popular in the future.
- 2012: The term ‘HCE’ was coined by SimplyTapp who used an open-source Android OS called ‘CyanogenMod’ with extensions to allow HCE software implementations to work on mobile devices.
- 2013: Bankinter (Spain) made an HCE implementation on Blackberry for Visa.
- 2013: Google decided to allow HCE on the official Android OS release v4.4 known as ‘KitKat’.
- 2014: At the World Congress, both MasterCard and Visa made public announcements supporting HCE.
- 2015: Android Pay launches using HCE on Android.
- 2015: Chyp designs ‘ITSO with HCE’ for ITSO with the requirement to minimise changes to the existing ITSO infrastructure.
- 2016: Chyp advise on Barclays contactless mobile, the first UK bank HCE solution.
- 2016: Amex Pay launches with HCE on Android.
- 2017: Transport for the North trial of ‘ITSO with HCE’ between Leeds and Huddersfield.
- 2017: ITSO announces working with Nexus (Newcastle) and a ‘global digital distributor’ to bring HCE to the North East.
- 2018: ITSO on Mobile HCE trials start with Google Pay using the Google wallet on Android phones. Trials are taking place in the West Midlands (TfWM) and the North East (Nexus).
Rambus and ACT both currently have working HCE solutions for ITSO on mobile devices and are waiting for ITSO to carry out the testing and certification before they can be deployed on live ITSO schemes.
Challenges remaining
While HCE implementations free us from the inconvenience of provisioning apps to SEs within the mobile device, they are not without their challenges. In addition to the provisioning of short-life secrets described above, there are the following challenges:
- Each HCE implementation is unique and will have aspects of its implementation that are not off-the-shelf and already certified as secure. Typically, penetration testing will be needed to show that the HCE transit app is secure enough and that tickets cannot be easily faked or cloned. This is bespoke testing carried out by specialists.
- Mobile handsets are constantly evolving. Typical customers replace them every two years with a newer generation. HCE apps should be maintained to ensure they are available to use on as many of the handsets in use as practical.
- Mobile OS updates mean that you need to allow for all the possible combinations of handset running all the possible OS versions.
- Security is an arms race. Regular reviews of the latest known attacks are needed and potential updates made to the HCE app in order to remain secure.
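To illustrate the short-life secrets mentioned above, here is an added example (not code from the talk, from ITSO or from any payment scheme): a back office derives a key bound to one card and one expiry time, the phone app holds only that key, and the validator rejects expired, replayed or altered responses. The key derivation, message layout and all names are assumptions chosen for illustration.

```python
import hashlib, hmac, struct

MASTER_KEY = bytes(range(32))  # constructed demo key, held only by the back office

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_short_life_key(card_id, expires_at):
    """Back office: key bound to one card and one expiry time (assumed scheme)."""
    return _mac(MASTER_KEY, b"HCE-SLK" + card_id + struct.pack(">Q", expires_at))

class PhoneApp:
    """Software on the host processor: holds a short-life key, never MASTER_KEY."""
    def __init__(self, card_id, key, expires_at):
        self.card_id, self.key, self.expires_at = card_id, key, expires_at
        self.counter = 0

    def respond(self, challenge):
        self.counter += 1  # each tap uses a fresh counter value
        mac = _mac(self.key, challenge + struct.pack(">I", self.counter))
        return dict(card_id=self.card_id, expires_at=self.expires_at, counter=self.counter, mac=mac)

class Validator:
    """Reader/back office side: re-derives the key and checks the response."""
    def __init__(self):
        self.last_counter = {}

    def verify(self, challenge, resp, now):
        if now >= resp["expires_at"]:
            return "expired"
        # Expiry is an input to the key, so altering it changes the expected MAC.
        key = derive_short_life_key(resp["card_id"], resp["expires_at"])
        expected = _mac(key, challenge + struct.pack(">I", resp["counter"]))
        if not hmac.compare_digest(expected, resp["mac"]):
            return "bad-mac"
        if resp["counter"] <= self.last_counter.get(resp["card_id"], 0):
            return "replay"
        self.last_counter[resp["card_id"]] = resp["counter"]
        return "ok"

def demo():
    card, expiry = b"CARD0001", 1000  # constructed sample values
    app = PhoneApp(card, derive_short_life_key(card, expiry), expiry)
    validator, challenge = Validator(), b"\x01" * 8
    first, second = app.respond(challenge), app.respond(challenge)
    return [validator.verify(challenge, first, now=500),
            validator.verify(challenge, first, now=500),
            validator.verify(challenge, dict(second, expires_at=2000), now=1500),
            validator.verify(challenge, second, now=1500)]
```

A key copied from the handset is only useful until its expiry, which is why such a design depends on regular re-provisioning rather than a secret loaded once for the life of the card.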
So, can HCE be secure enough for transit ticketing? Yes: if it can be secure enough for banking, it can be secure enough for ticketing. But HCE solutions are difficult to implement and deploy. They require a dedicated and experienced team and constant maintenance as attacks, handsets and OSs evolve. So, it will be interesting to see how many HCE transit implementations appear and remain on the scene to displace the traditional smart card, or whether other mobile ticketing solutions replace them altogether.