IRMA: Using attribute based credentials to stop resale of tickets.

November 6, 2012

In the IRMA (I Reveal My Attributes) project we are working to make attribute based credentials practical. One of the things we have been looking at is possible use cases for such credentials, especially when they are implemented on a (contactless) smart card. One particularly interesting use case is the sale of tickets for events.

In the Netherlands, resale of event tickets is rampant, especially for popular shows. Professional resellers buy tickets in bulk as soon as they are for sale. They do so either offline or online. Once the concert sells out, the resellers will sell their tickets at a huge profit. Even though the practice is illegal, it is hard to stop this fraud. Even when the sale of online tickets is bound to personal accounts, with a limit of say 4 tickets per account, resellers have found ways to overcome such barriers.

Smart card bound attribute based credentials, like those developed in the IRMA project, can solve this problem.

The IRMA card is bound to a person using a passport style picture of the bearer printed on the front of the card. In principle, people only have one IRMA card. When you loose a card, you may be able to obtain a new one, but this is a resource intensive process (a mechanism to avoid sybil attacks). Credentials issued to an IRMA card are bound to that card through a private key that never leaves the card and that is required to prove ownership of the credential.

In the online ticket sales scenario, a concert ticket is a credential with several attributes, including the date and title of the event for example, the number of people the ticket is valid for, and possibly a sequence number. To buy a ticket online, you inserts your IRMA card in a smart card reader attached to your PC, or put your IRMA card against the back of your NFC enabled phone (IRMA cards are contactless). The online ticket office sells tickets online as credentials that are issued to your IRMA card. In fact, the ticket office web server connects to your card to upload the credential once the transaction is approved. In the offline case, you insert your card in a terminal at the ticket office, and the process is pretty much the same after that.

At the venue, the doormen will compare you with the picture on your card, and then verify whether you have the right credential for the event on your IRMA card. They could do so with a special app installed on their NFC phone. Note that access to credentials is restricted, so the doormen can only access the credential for this particular event, and no other credentials on your card whatsoever. Because credentials are bound to a private key stored securely in the card, and IRMA cards are personal, tickets cannot be resold. If you worry about cards of people that entered the venue somehow can be smuggled out and be reused (for example because the picture check is not that reliable in the dark), the optional sequence number can be used to mark the credential (i.e. ticket) invalid. Note that even if the doormen do not check the picture on the card at all (and sequence numbers are used to invalidate used credentials) the fact that IRMA cards are in principle only issued once to a person keeps the system secure.

The approach outlined above solves the reseller problem. Moreover, it makes the sale of concert tickets online privacy friendly again (like the offline case) as long as you pay the tickets through a third party using a privacy friendly protocol (like once the SET standard for credit card payments)...

In case you spot any errors on this page, please notify me!
Or, leave a comment.
Proving your age with IRMA (without revealing you’re a dog) « Jaap-Henk Hoepman – on security, privacy and…
, 2012-11-12 21:27:35
(reply)

[…] have been looking at is possible use cases. Last week I discussed how the IRMA card can be used to stop the resale of event tickets. In this blog post I will discuss an almost trivial application: proving age […]

IRMA versus Frau Mustermann, take 2: the advantages of attribute based credentials over a more centralised approach. « Jaap-Henk Hoepman – on security, privacy and…
, 2013-02-12 07:53:38
(reply)

[…] Online sale of event tickets. The ticket is uploaded to the smart card as an attribute, that is later shown at the entrance gate of the event. If the payment method does not reveal the identity of the buyer, the online seller cannot compile a profile of all the tickets a particular person bought. In a centralised approach, the online seller is the attribute provider, where the online tickets are stored in the account of the user until they are redeemed at the entrance gate of the event. […]