BACKGROUND

[0002] Access to some transport systems is controlled using near-field communication (NFC) based devices used by passengers and reader devices that are mounted at entrances and/or exits. Some transport systems have automatic gates that open when a chip card is validated, some systems merely have a terminal that is tapped by the passenger device. In identity based systems, user identities are stored and associated with respective user accounts and electric tickets. The use of public transport is charged from the respective user account when use of the electric tickets at the gated or non-gated terminals is observed.

[0003] In identity based systems, the user identities are not as such used as tickets so as to mitigate the risk of identity theft by someone who might electrically eavesdrop communications between gated or non-gated terminals and passenger devices, or even use a malicious program for the purpose. Instead, electric tickets are produced such that the user identity is derivable from the electric ticket only by parties intended to do so. Furthermore, some passenger devices are provided with a secure environment for added security.

[0004] In some NFC identity based ticketing systems, the passenger device authenticates itself to the gated or non-gated terminal by communications over NFC interface, using standardized cryptographic techniques. Furthermore, in some systems, a constant communication between the passenger device and the transport authority server, either directly or through the terminal, is provided. SUMMARY

[0005] According to a first example aspect of the invention, there is provided an apparatus comprising:

a first memory unit; a first input/output interface; and

a first processor configured to:

receive a challenge from a user device;

update a filter based on the challenge; and

send the contents of the filter to the user device.

[0006] The filter may comprise a bloom filter.

[0007] The first processor may be further configured to receive a token time stamp and a time counter value from a user device.

[0008] The first processor may be further configured to choose the token time stamp or the time counter value as estimated time.

[0009] The first processor may be further configured to receive an entry or an exit token as a part of the challenge.

[0010] The first processor may be further configured to control the validity of the entry token.

[0011] The first processor is further configured to not update the filter if an exit token is received.

[0012] According to a second example aspect of the invention there is provided an apparatus comprising:

a second memory unit; and

a second input/output interface;

a second processor configured to:

send a challenge to a terminal; and

receive contents of a filter from the terminal; wherein

the contents of the filter include information derived from the sent challenge.

[0013] The filter may be a bloom filter.

[0014] The second processor may be further configured to receive a pair of tokens from a backend server; wherein the tokens comprise an entry token and an exit token.

[0015] The second processor may be further configured to receive a token time stamp from a backend server.

[0016] The second processor may be further configured to provide a time value counter; and to periodically update the value of the time value counter after receiving the pair of tokens. The second processor may be configured to update the value of the time value counter every second after receiving the pair of tokens. The updating of the value of the time value counter may increment the time value counter by an increment. The increment may be one.

[0017] The second processor may be further configured to send the value of the time value counter to a terminal.

[0018] The second processor may be further configured to send the filter contents to a backend server.

[0019] According to a third example aspect of the invention there is provided an apparatus comprising:

a third processor configured to:

receive contents of a filter from a user device; and

derive from the filter contents information concerning user behavior; wherein

the contents of the filter relate to a user device and to a terminal.

[0020] The filter may be a bloom filter.

[0021] The third processor may be further configured to send a pair of tokens to a user device.

[0022] The third processor may be further configured to send a token time stamp to a user device.

[0023] The third processor may be further configured to derive from the filter contents the identity of user devices that have not sent any challenge to a terminal.

[0024] The third processor may be further configured to derive from the filter contents identity of user devices from which the filter contents have not been received.

[0025] According to a fourth example aspect of the invention, there is provided a method comprising:

receiving a challenge from a user device;

updating a filter based on the challenge; and

sending the contents of the filter to the user device.

[0026] The filter may be a bloom filter.

[0027] The method may further comprise updating the bloom filter.

[0028] The method may further comprise receiving a token time stamp and time counter value from a user device. [0029] The method may further comprise choosing the token time stamp or the time counter value as estimated time.

[0030] The method may further comprise receiving an entry or exit token as a part of the challenge.

[0031] The method may further comprise controlling the validity of the entry token.

[0032] The method may further comprise not updating the filter if an exit token is received.

[0033] According to a fifth example aspect of the invention, there is provided a method comprising:

sending a challenge to a terminal; and

receiving contents of a filter from the terminal; wherein

the contents of the filter include information derived from the sent challenge.

[0034] The filter may be a bloom filter.

[0035] The method may further comprise receiving a pair of tokens from a backend server; wherein the tokens comprise an entry token and an exit token.

[0036] The method may further comprise receiving a token time stamp from a backend server.

[0037] The method may further comprise providing a time value counter; and updating the value of the time value counter with one every second after receiving the pair of tokens. The method may further comprise updating the value of the time value counter every second after receiving the pair of tokens. The updating of the value of the time value counter may increment the time value counter by an increment. The increment may be one.

[0038] The method may further comprise sending the value of the time value counter to a terminal.

[0039] The method may further comprise sending the filter contents to a backend server.

[0040] According to a sixth example aspect of the invention, there is provided a method comprising:

receiving contents of a filter from a user device; and

deriving from the filter contents information concerning user behavior; wherein the contents of the filter relate to user device and a terminal.

[0041] The filter may be a bloom filter. [0042] The method may further comprise sending a pair of tokens to a user device.

[0043] The method may further comprise sending a token time stamp to a user device.

[0044] The method may further comprise deriving from the filter contents the identity of user devices that have not sent any challenge to a terminal.

[0045] The method may further comprise deriving from the filter contents identity of user devices from which the filter contents have not been received.

[0046] According to a seventh example aspect of the invention, there is provided a computer program, comprising:

code for performing a method of any example aspect of the invention, when the computer program is run on a processor.

[0047] According to an eight example aspect of the invention, there is provided a memory medium comprising the computer program of the seventh example aspect.

[0048] According to a ninth example aspect of the invention, there is provided a system comprising at least two of

the device according to the first example aspect of the invention;

the device according to the second example aspect of the invention; and the device according to the third example aspect of the invention.

[0049] Any foregoing memory medium may comprise a digital data storage such as a data disc or diskette, optical storage, magnetic storage, holographic storage, opto-magnetic storage, phase-change memory, resistive random access memory, magnetic random access memory, solid-electrolyte memory, ferroelectric random access memory, organic memory or polymer memory. The memory medium may be formed into a device without other substantial functions than storing memory or it may be formed as part of a device with other functions, including but not limited to a memory of a computer, a chip set, and a sub assembly of an electronic device.

[0050] Different non-binding example aspects and example embodiments of the present invention have been illustrated in the foregoing. The foregoing example embodiments are used merely to explain selected aspects or steps that may be utilized in implementations of the present invention. Some example embodiments may be presented only with reference to certain example aspects of the invention. It should be appreciated that corresponding example embodiments may apply to other example aspects as well.

BRIEF DESCRIPTION OF THE DRAWINGS

[0051] For a more complete understanding of example embodiments of the present invention, reference is now made to the following descriptions taken in connection with the accompanying drawings in which:

[0052] Fig. 1 shows a block diagram of the environment of identity based ticketing according to an example embodiment;

[0053] Fig. 2 shows an architectural overview of a system of an example embodiment;

[0054] Fig. 3 shows a messaging architecture according to an example embodiment; and

[0055] Fig. 4 shows a flow diagram of the operation of a filter according to an example embodiment.

DETAILED DESCRIPTON OF THE DRAWINGS [0056] An example embodiment of the present invention and its potential advantages are understood by referring to Figs. 1 through 4 of the drawings.

[0057] Fig. 1 shows a block diagram of the environment of identity based ticketing according to an example embodiment. A transport authority 310 system operates non-gated ticket readers, or terminals 200, for example onboard a vehicle 121 in connection with bus stops or the like. Some gated near-field communication (NFC) readers 301 are in an example embodiment connected, directly or indirectly to a backend system 300 of transport authority 310 and the authentication support platform 303 thereof. The readers 301 , which are connected, can receive information which they refer to during user verification.

[0058] In some example embodiments, all or some of the information exchanged during a user verification is collected as transaction evidence and forwarded to a processing unit of the backend system 300 of the transport authority 310, such as a an accounting system 307, a fare calculation engine 31 1 , or a combination thereof. The fare calculation engine 31 1 may be a database maintained by the transport authority 310. The parts 307, 309, 31 1 are in an example embodiment implemented as separate servers or as one or more combined servers. In the foregoing, all systems of the transport authority are referred to as the backend.

[0059] In an example embodiment, the transport authority 310 is responsible for distributing and maintaining the terminals 200, e.g. smart cards, for non-gated travel. In an embodiment these non-gated terminals are physically and firmly attached to their location and are assumed to be tamper-resistant.

[0060] In an example embodiment, the backend 300 of the transport authority 310 is responsible for fare collection from the users of devices 100. The backend 300 of the transport authority 310 can simultaneously be connected to several accounting authorities 307. Additionally, all users may have a relationship with at least one accounting authority 307, in the form of a prepaid or credit-based user account 309. In an example embodiment, user account statuses can be used for determining user history that can affect the services provided to the user.

[0061] In an example embodiment, the backend 300 of transport authority

310 is also responsible for generating ticketing credentials and provisioning secrets to the user devices 100. Furthermore, in an example embodiment, the accounting authority 307 is responsible for a cryptographic validation of transport evidence and user device and identity use statistics.

[0062] Fig. 2 illustrates an architectural overview of a system suited for performing some example embodiments. The system comprises a user device 100 such as a smart phone and a reader, or terminal, 200. The user device 100 has at least intermittently access to a backend system 300, such as a server cluster or cloud. The terminal has at least indirectly, through user device 100, access to the backend system 300.

[0063] The user device 100 is, for example, a portable device such as a mobile phone, a portable gaming device, a chip card ticket, a navigator, a personal digital assistant, a tablet computer or a portable web browser. The device 100 generally has capabilities for processing information, for performing cryptographic operations and for communicating with other entities, such as the backend 300 and the terminal 200 at least intermittently when in contactless or contacting access with other entities, or with a related communication element.

[0064] The user device 100 has a processing circuitry for cryptographic operations, such as a processor 101 . Some user devices have a secure environment processing circuitry such as an isolated Trusted Execution Environment (TEE) 1 1 1 . The user device 100 further has a communication interface 1 12 such as a near field communication (NFC) interface, near field communication (NFC) interface driver 1 13, a Logical Link Control Protocol (LLCP) stack 1 14, a credential manager CM 1 15, i.e. an interface by which an operating system and/or applications can interact with the processing circuitry for cryptographic operations, and a public transport application 1 16.

[0065] The user device 100 further comprises, in some example embodiments, a user interface, a mobile communication circuitry, an application platform for enabling user installation of applications, and/or a battery for powering the apparatus. In some example embodiments, the user device is externally powered when used, e.g. with electromagnetic induction or with galvanic contacts.

[0066] The terminal 200 comprises a communication interface such as a near field communication interface 222, a Logical Link Control Protocol (LLCP) stack 224, an engine 226 that is a processing circuitry for controlling various authentication operations, and a memory 228 that comprises various data needed by the terminal 200 for its operations, including e.g. public authentication key(s). The terminal further comprises processing circuitry for cryptographic operations, such as processor 201 , for example for maintaining and updating a filter 400 such as an arithmetic filter. In some example embodiments, the processing circuitry for cryptographic operations in the user device 100 and in the terminal 200 is isolated as a logically separate function using common hardware circuitries, i.e. a processor 101 ,201 . In some example embodiments some or all logical elements of the processing circuitry are implemented with dedicated hardware elements. Further in some example embodiments the processing circuitry is implemented by using dedicated applications and common hardware circuitries.

[0067] The terminal 200 is in some embodiments a fixedly installed device at a gated or non-gated entrance of a public transport system. In some other embodiments, the terminal 200 is built into a portable device e.g. for use by ticket inspecting personnel.

[0068] The transport backend system 300 is, in some embodiments, a server that is operated by a service provider and that has communication capabilities for exchanging information directly or indirectly with the user device 100 and/or with the terminal 200. The server comprises a processor that is configured to perform its task.

[0069] In an example embodiment, the near field communications (NFC) interface 1 12 interfaces as provided by currently available hardware and various messages are size optimized. Data transaction between the user device 100 and the terminal 200, e.g. at transport station, is performed using Logical Link Control Protocol (LLCP) over NFC peer-to-peer communication mode. This use of LLCP over NFC can enable using link layer transport service classes, such as connectionless data transmission and connection-oriented data transmission.

[0070] In some example embodiments, one or more of the user device 100, the terminal 200 and the backend system 300 comprises or comprise other elements, such as user interface device, display, audio device or the like.

[0071] Fig. 3 shows a messaging architecture according to an example embodiment. Prior to commencing any travel with public transport using the identity based ticketing, the user device 100 communicates 330 with the backend system 300 in order to receive certificates necessary for the identity based ticketing according to an example embodiment. The backend 300 is accordingly involved at entries into the system. The user device 100 retrieves 340 a data element, or a token, from the backend system 300. The retrieved token relates to the account, or identity, of the user and contains cryptographic elements. The retrieved token is valid for a limited period of time, for example fifteen minutes. The user device 100 further receives the current time from the backend system 300. The user device further maintains a time counter value bound to the token retrieval. The value of said counter is periodically increased e.g. by one every second so as to provide a time value in seconds with respect to the time the token and/or other cryptographic elements were retrieved from the backend 300.

[0072] At the terminal 200, as the user is about to start using public transport and wishes to enter the system through a gated or a non-gated public transport station, the user device 100 and the terminal 200 communicate with each other. At the entry operation, the user device 100 sends 310 a challenge to the terminal 200, containing the entry token retrieved from the backend 300, the current value of the time counter, and the certificate. The certificate includes information on whether the user device has a secure environment, e.g. a TEE, or a non-secure environment. In an example embodiment, the certificate includes further information, for example information relating to the identity of the user, information on the validity of the certificate and/or cryptographic elements such as a public key.

[0073] The calculations required for the challenge are carried out prior to sending the challenge by the cryptographic processing circuitry, either in a secure environment or in a non-secure environment, of the user device 100. The terminal 200 receives the time estimate from the user device 100.

[0074] The time counter value allows the terminal to have a reasonable estimate of the time even without connectivity to the backend 300. The terminal uses either the time counter value of the user device 100 or the token provision time, which should be at most as outdated as the limited validity period of the token. In other words, the token provision time differs from the actual time at most by the validity period of the token.

[0075] At each entry operation 310, the terminal 200 logs an entry signature, token, or the certificate of each user device 100 into a filter 400 thus updating 312 the filter 400.

[0076] The terminal 200 used to enter the system, returns 314 an entry signature as a response to the challenge from the user device 200. The contents of the filter 400 are also returned to the user device 100 and are bound to the entry signature returned 314 by the terminal 200 as a response to the entry challenge 310 from the user device 100.

[0077] In an example embodiment, the value of the time counter of the user device is reported to the terminal 200 each time the user device 100 and the terminal 200 are in communication with each other. The user devices 100 are partially monitored through the estimate of time. The time estimate at least partially prevents the user devices from using copied tokens in parallel for entering the system. The time estimate of each terminal 200 should not be older than the validity period of the entry token, for example 15 minutes, and accordingly most parallel use is caught or detected at the backend 300.

[0078] As the user is about to finish his journey using public transport and wishes to exit the system through a gated or a non-gated public transport station, the user device 100 and a terminal 200 communicate with each other. At the exit operation, the user device 100 sends 320 a challenge to the terminal 200, containing the entry token signature and entry token time retrieved from a terminal 200 at the previous entry operation, the current value of the time counter, and a certificate. The certificate includes information on whether the user device has a secure environment, e.g. a TEE, or a non-secure environment.

[0079] The terminal 200 used to exit the system returns 322 an exit signature as a response to the challenge from the user device 200. The contents of the filter 400 are also returned to the user device 100 and are bound to the exit signature returned by the terminal 200 as a response to the exit challenge from the user device 100.

[0080] The user device 100 reports back to the backend 300 regularly 350 if it is possible to connect to the backend 300 and the user device 100 functions in an expected fashion, i.e. the user device or the identity thereof is not maliciously used. The user device 100 provides the backend 300 with the entry and/or exit signatures received from the terminal 200. These signatures contain the filter 400 values, which are used by the backend to retrieve information on user behavior. If the user device 100 fails to report the corresponding entry and exit signatures to the backend 300, the terminal 200 will anyhow be able to report the contents of the filter 400 to the backend 300 through further passengers and their user devices 100, or in some example embodiments through connectivity provided at the terminal 200.

[0081] A factor to consider in a ticketing system is the price of the travel for the passenger. In an example embodiment, the backend 300 assumes the maximum charge for any user device 100, and the user identity thereof, that retrieves a token from the backend 300. If the token is not used during the validity period, and no malicious behavior is established, the maximum charge is redeemed to the user. Otherwise, the actual user charge will be based on the entry and exit tokens reported to the backend 300.

[0082] Fig. 4 shows a flow diagram of the operation of the filter 400 according to an example embodiment of identity based ticketing. In an example embodiment, the filter 400 is a data structure configured to be used in testing whether an element is part of a set. In an example embodiment, the filter 400 is configured in such a way as to provide no false negative responses to a query of an element being a part of a set or not. That is, a system entry token that was not used to update the contents of the filter 400 is with certainty not a part of the filter 400. In an example embodiment the filter 400 is a Bloom filter. The contents of the filter 400 are returned to the user device 100 and bound to the signature returned as a response to the challenge from the user device 100. [0083] The operation of the filter 400 is explained in relation to the terminal 200, the user device 100 and the backend 300. The terminal 200 receives an entry or exit token from the user device 100 entering or exiting the system. The system entry value of the entry token of the user device 100 is logged 422 into the filter 400, i.e. the data structure of the filter 400 is updated in such a way that the data structure contains the system entry value of the user device 100. In an example embodiment, the filter 400 is a bloom filter. In the bloom filter, the system entry value is fed to a predetermined number of hash functions in order to receive a corresponding number of bit array positions. The bits corresponding to the array positions are then set to one and thus the system entry value is logged into the filter 400.

[0084] The filter contents are returned 424 to the user device 100 at entry and exit, although the exit token is not used to update the filter 400. In an example embodiment, the user device communicates with two different terminal 200 at entry and exit and thus receives 410 the filter contents of two separate terminals. In an example embodiment, the user device 100 reports back to the backend 300. In other words, the user device 100 sends 412 the entry and exit signatures including the contents of the filter 400 to the backend 300.

[0085] In an example embodiment, if a user device has no connectivity, the backend will anyhow receive 430 the filter contents at some point. This is so because each user device 100 will have to communicate with the backend prior to receiving the entry and exit tokens needed for travel. At this point, the filter contents are also received by the backend. The filter contents of any terminal 200 contain all the system entry values of user devices 100 that have previously entered the system through the terminal in question. Thus, even if any user device 100 fails to send the filter contents to the backend 300, no information is necessarily missing from the backend.

[0086] The backend 300 receives the filter contents of all the terminals 200 and retrieves 432 from this information a statistical representation of entry and exit history of the terminals 200 of the identity based ticketing environment. Furthermore, in an example embodiment, the backend retrieves 434 from the statistical history, i.e. the filter contents of the terminals 200, information on entry and exit operations of a user device 100. The information retrieved 432,434 is used to verify 436 user device behavior. For example, the entry and exit operations that have not been reported to the backend 300 by a user device 100 are readily evident from the contents of the filter 400 of a terminal 200.

[0087] Some examples of different use cases of some example embodiments of the identity based ticketing are as follows. In a first use case, the identity based ticketing according to an example embodiment is applied in a public transport environment wherein the constant connectivity of user devices 100 or terminals 200 to the backend 300 cannot be guaranteed, i.e. the user devices 100 are offline for limited periods of time. The time value counter added to the user device gives the terminals an estimate of time, even if offline, and thus a parallel use of the same entry tokens or user identities can be effectively prevented, i.e. the users are not able to share a same ticket and travel with it.

[0088] In a second use case, the identity based ticketing according to an example embodiment is applied in an environment, wherein the user devices, or most of them, do not comprise a secure environment, such as a TEE, and accordingly all the cryptographic calculations done in the user device 100 are vulnerable to eavesdropping or a similar attack. A possibility exists that several user identities could be copied and used for travel. By applying the filter 400 and logging each entry operation of a user device 100, and the user identity thereof, into the filter 400, the backend 300 will receive usage history from the terminals 200 and can therefrom obtain information on the behavior of the user devices, thus catching or detecting user devices or identities of misbehaving user devices.

[0089] In a third use case, the identity based ticketing according to an example embodiment provides the user of the system with a user interface with which the customer can monitor his user identity and user account. As each user device communicates with the backend 300 prior to commencing travel in the public transport system, the backend 300 is involved at least in every second transaction, i.e. before each entry operation. Even if the user device 100 had been completely compromised, the backend 300 can monitor travel patterns using the time value counter, the contents of the filter 400, and by being involved in every second operation of the user device. The backend 300 can further provide the user a user interface, for example for the user device 100 or for any web browser. The user then increases the security of system by exercising self-control of the user account behavior. [0090] Without in any way limiting the scope, interpretation, or application of the appended claims, a technical effect of one or more of the example embodiments disclosed herein is hindering malicious use of identities of users of insecure user devices. Another technical effect of one or more of the example embodiments disclosed herein is the ability to monitor account behavior without constant connectivity. Another technical effect of one or more of the example embodiments disclosed herein is providing a way of minimizing or at least reducing the costs incurred to a user caused by malicious use of her user account.

[0091] It will be understood that each operation of the flowchart, and/or combinations of operations in the flowchart can be implemented by various means. Means for implementing the operations of the flowchart, combinations of the operations in the flowchart, or other functional ity of the example embodiments described herein may com prise software, hardware, appl ication log ic or a combination of software, hardware and application logic. The application logic, software or an instruction set is maintained on any one of various conventional computer-readable media. A computer-readable medium may comprise a computer- readable storage medium that may be any media or means that can contain or store the instructions for use by or in connection with an instruction execution system, apparatus, or device, such as a computer.

[0092] If desired, the different functions discussed herein may be performed in a different order and/or concurrently with each other. Furthermore, if desired, one or more of the afore-described functions may be optional or may be combined.

[0093] Althoug h various aspects of the invention are set out in the independent claims, other aspects of the invention comprise other combinations of features from the described embodiments and/or the dependent claims with the features of the independent claims, and not solely the combinations explicitly set out in the claims.

[0094] It is also noted herein that while the foregoing describes example embodiments of the invention, these descriptions should not be viewed in a limiting sense. Rather, there are several variations and modifications which may be made without departing from the scope of the present invention as defined in the appended claims.