D6-4

HIGH SECURITY ELECTRONIC TOLL AND TRAFFIC MANAGEMENT AND ROAD PRICING SYSTEM USING ENCRYPTED MESSAGES AND PERSONAL IDENTITY NUMBER
Kazushi Tetsusaki
Ship & Industrial Project Department Mitsubishi Corporation 6-3, Marunouchi 2-Chome, Chiyoda-ku, Tokyo 100-86,Japan Abstract: A new electronic toll collection ( E X ) system has been developed primarily for toll road This EIC system features to ( 1 ) cryptographic techniques and personal identity number (PIN) to ensure complete privacy and security, and (2) applicability to both open and closed toll systems as well as both prepay andpostpay transactions. After development of the prototype system, field tests conducted in Japan confirmed good performance under various conditions. the vehicle and communicates with the RCS, has many useful characteristics. This tag, which we call the IVU ( I n Vehicle Unit), is a twwpiece, passive type. The IVU consists of the IVU tag itself and a removable smart card The IVU includes a user interface consisting of keypad, buzzer and LED display. Using these interfaces a patron can prevent theft by entering a PIN (Personal Identity Number) after every card insertion into the tag. The passive-type tag was preferred for radio communication because it provides advantages such as reduced electric power and elimination of the need for a radio license.

1. INTRODUCTION

Traffic congestion on Japan's major roads has been the source of a number of major social problems, disturbing the vital economy, creating air pollution and so forth. I t is expected that E X systems will provide a solution. Japanese Government and major toll road authorities seem to have become aware of ETC and have begun extensive study toward implementation of such systems in the near future. To meet critical social needs, Mitsubishi Corporation and Amtech Corporation of the U.S.A. have started jointly developing the next generation automatic E X system, which we are calling @nicashN. We have carried out a series of field tests from early this year using a prototype system and will here introduce the system along with our test results.

IW

U000

I
fig. 1 System Outline Ill. SECURITY AND PRIVACY When used in a prepay mode, Dynicash" does not record or reveal tag or card identity during payment. Thus the patron's payment history, destination and other related transaction data used in automatic toll communication is not traced, ensuring complete privacy. Security, as it is implemented in Dynicash" using encryption algorithms, guarantees both toll agencies and patrons against fraud.

11. SYSTEM OUTLINE

Qlr system outline is shown in fig.1. 'Ihe Roadside Charging Station(RC3) consists of a single
enclosure which fully integrates the functions of antenna, RF module, interrogator, cryptor (cryptographic device) and power supply. The R C ; can he mounted on the side of the lane or on the overhead gantry as required. Qlr newly developed tag, which is attached to

lY94 Vehicle Navigation & Information Systems Conference Proceedinbs

695

For the patron, Dynicashm provides electronic cash, the value of which may be recovered if the card is lost or stolen. The smart card also carries indisputable proof of payment for the patron's protection and records. The following prncedure shows how Dynicashm performs toll payment transactions while it guarantees patron privacy and security. (see fig. 2 ) (1) To load value into the smart card, the patron gives the bank a n amount of money, either with cash or credit card and enters a P I N code. The smart card sends to the bank numerically disguised random numbers, similar in nature to blank checks, for validation. While the bank knows it validates a specific patron's checks, it cannot know the actual check numbers. The validatedchecks are sent back to the smart card where they are stored
( 2 ) When the smart card is inserted into an IVU, it prepares for the next transaction by unmasking a validated check.

securr Bank signature

( 3 ) As the patron approaches a payment location, the RCS beams a message to the IVU asking for payment. The smart card verifies the RCS
credentials. Then [ V U sends acheck to the RCS filled in with the proper amount of money. fig. 2 Dynicashm Electronic Cash System

(4) The RCS confirms the hank's validating signature andsends the checks to the collecting operator's bank.

I W

IV. SIGNAL SEQUENCE

Each roll transaction in the prepaid mode consists of three distinct phases: ( 1 ) commit, ( 2 ) challenge and ( 3 ) payment. (see fig. 3) The commit phase consists on an uplink message (vehicle to RCS) which includes a 64bit transaction I D (random number created at each transaction) and other information including the vehicle classification. The RCS verifies the commit message and responds with the downlink ( R G to vehicle) challenge message. The challenge message requests the debit of the smart c a r d a c e the challenge message is received and verified by the IVU, the smart card reveals the payment data which is transmitted back to the RCS. The payment message is authenticated by the RCS and serves as proof of payment. The IVU retains a receipt of the transaction which can be revealed by the user in event of dispute over non-payment.

Commit Message

Challenge Message Payment Message

"Be quiet" Command

fig. 3 Signal Sequence

696

1994 Vehicle Navigation & Information Systems Conference Rocecdings

The commit message is continually transmitted once the IVU enters the R F fieldof the RCS until the IVU receives the challenge message. The IVU can respond to the challenge message either with a negative acknowledgement (if the challenge message is received in error) or with the payment message (if the challenge message is received correctly) Qlce the payment is received and verified, the RCS requests the IVU to cease transmission in order to minimize interference during the next transaction. So, all messages can be fully verified by the recipient without the necessity of sending redundant messages.

(ENT CATEJ

V. FIELD EXPERIMENT IN JAPAN

We conducted field tests in Japan on February 2&27 and March 13-14 in order to evaluate the applicability of the system to Japanese toll roads as a tool for electronic toll collection system. After confirming suitable tag position on the vehicle, we tested the system in both prepaid and postpaid modes. We also tested both closed and open toll collection systems.
V-1 System Configuration (see fig. 4) We configured with separate entry and exit gates. At the entry gate, the RCS and a plaza computer which supervises the RCS were installed The RCS was attachedon a gantry five meters from the ground At the exit gate, the RCS and plaza computer were installed in the same manner as at the entry gate, and a lane controller PC which controlled an enforcement camera and traffic light was also installed In this experiment, the lane controller PC was connected to the plaza computer so that test results from RCS were transmitted to the lane controller PC through a plaza computer to show transaction results. This configuration was chosen for test purposes and may change in real operation.

(ENTRYCATEJ

fig. 4 System Configuration

V-2 Test Procedure and Conditions For the closed system, when a vehicle passedthrough the entry gate, the name of the gate is written to the tag installed on the vehicle. When the vehicle passes through the exit gate, the toll is calculated by the exit gate RCS by reading the name of the entry gate written on the tag. In the prepaidsystem, the toll is subtracted from the smart cardandin the post paid system, the account number is sent to plaza computer and toll to be paid is sent to the smart card. For open system test, we used a n

exit gate only since toll is not related to the mileage in such systems so toll calculation is not necessary. A traffic light and enforcement camera were used for indication of violation. If a passing tag is found to be on a negative list or is different from the actual vehicle classification, a traffic light indicates "CALLTAG OFFICE' and the vehicle image is captured by an enforcement camera. In actual use, the vehicle class is identifiedby another system and is sent to our system, but for this test we registered vehicle class in the lane controller PC beforehand Vehicle class of the tag, which is transmitted to the lane controller PC through the RCS, is compared to files in the lane controller PC to judge whether tag is valid for the actual vehicle class or not. V-3 Test Result V-3-1 Tag Position At first, we confirmed suitable tag position for each type of vehicle. Current Japanese regulations Q not allow placement of the tag directly on the windshield, so alternate locations were necessary. For cars, large trucks and buses, we tried setting the tag both at the

1994 Vehicle Navigation & M b Systems Coafaence Racedngr " 'on

697

back of the rear view mirror and on the front dash board and confirmed good transaction results in both cases. We decided to set it on the dash board throughout all the tests because of better visibility from the driver's seat. For motorbikes, we tried setting the tag in front of the speedometer, at the back of the rear view mirror and on the rear carrier and again confirmed good transactions in every case. We decided to set it in front of the speedometer throughout all tests because of better rider visibility. V-3-2 Closed System Test We performed many tests under various conditions. At very high speed testing, we confirmed successful transactions at speeds up to 140km/h, missing no transactions in 68 passes. We also confirmed successful transactions in a bumper-tebumper test. Bumper-tebumper conditions often occur in actual highway environments, and this condition is very difficult for radio communication systems because a large vehicle, such as a bus or truck may block the radio link between the RCS and a smaller vehicle, such as a motorbike or rar, locatedjust behindthe large vehicle. We experienced only one transaction error in 131 passings. Following the test, we found that the error was caused by a software bug rather than by poor radio communication. A side-by-side motorbike test, also difficult, because the RCS must communicate with two tags at the same time, was also successfully conducted No missed transactions occurred in 44 passes. We tested in rain and snow conditions also, and neither harmful environment had any effect on communications. V-3-3 Open System Test We performed open system tests in the same manner for a closed system. We confirmed successful transactions in all condition, including high speed and bumper-tebumper passes. Generally speaking, open system transactions are easier because open systems require less transmitted data. V-3-4 Other Tests We tried imposing more extreme conditions such as 180km/h very high speed passes, 100km/h passes in rain and bumper-tebumper formations using two parallel motorbikes between a large bus and a large truck. In spite of such harsh conditions, we were able to attain perfect results.

VI. CONCLUSION Field tests conducted in Japan give us confidence that the DynicashTM system has the competence to be applied to Japanese toll roads as an effective tool for electronic toll collection. We can summarize advantages of L3ynicashTM for users as follows: The system features advanced cryptographical techniques which ensure complete privacy to the user as well as complete security for the toll authority. The system architecture provides for both open and closed toll systems as well as both pre- and post-paid billing. The IVU dynamically adapts to both open and closed tollways as they are encountered The user can select whether he prefers pre- or post-payment prior to entering a tollway. The compact, battery operated 1VU is easily installed into any vehicle by the user. The design provides for P I N code security to minimize any problem associated with the theft of smart cards. The IVU also allows for checking of current balance, past transactions, and proof of payment in case of payment dispute. The system uses ISOcompatible, multi-application smart cards which allow the user to use the same smart card and I V U for non-toll applications such as parking, public transportation, vending machines, etc. The very fast transaction time enables vehicles to pass toll gates normally at speeds up to 180km/h .

ACKNOWLEDGEMENTS The author would like to thank Mr. FranCois Lasnier of Amtech World Corporation for his valuable advice and suggestions.

REFERENCFS [l] Achieving Electronic Privacy, by David Olaum, SCIENTIFIC AMERICAN, August 1992

698

1994 Veiucle Nangauon & lofonnation System Conference Raceedings