Ambimat Group · AmbiSecure · Ahmedabad, India · Est. 1981
AmbiSecure: Hardware-rooted security
Brochure · Transit security

Closed-loop transit ticketing, designed offline-first.

DESFire EV2/EV3 cards, SAM-backed validators, sub-300 ms taps, and a system that keeps collecting fares when the backend is down. The architecture that decides whether your morning rush moves.

Why offline trust

An online-only validator is a validator that fails during connectivity loss. In transit, connectivity loss happens daily — tunnels, backend deploys, NIC failures. The validator’s job is to keep collecting fares correctly anyway. That means the validator and the card together must be able to decide every tap locally, without phoning home.

The architecture

Component: Role

  • Card (DESFire EV2/EV3): Per-card diversified AES-128 keys; encrypted, MAC’d value-file purse; EV2 anti-cloning detection.
  • Validator: Reader hardware running a thin app; speaks ISO/IEC 14443 to the card; speaks SAM commands to the SAM.
  • SAM: Holds master keys; derives per-card keys; runs the mutual-auth + spend protocol; signs the tap-journal entries.
  • Local tap journal: Append-only, SAM-MAC’d. Survives backend outages. Becomes the revenue audit trail.
  • Backend: Reconciliation, hot-list management, revenue ledger.

Latency budget

  • RF anticollision: 30-50 ms
  • SAM-side key derivation: 40-80 ms (cold), <10 ms (warm)
  • Mutual auth: 30-60 ms
  • Read + spend: 30-50 ms
  • Journal commit: 10-20 ms
  • Gate motor: 30-100 ms

Typical total: 170-360 ms. Online round-trip on top would add 50-200 ms per tap with no resilience benefit.

Threat coverage

  • Card cloning — SAM-derived per-card keys + EV2 anti-cloning detection.
  • Validator compromise — master keys are in the SAM, not the validator’s flash.
  • Replay / double-spend — monotonic sequence numbers per card.
  • Insider key extraction — HSM-backed master-key generation; M-of-N personalisation.
  • Backend outage misuse — tap-journal MACs verifiable independently of backend state.
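How the architecture and threat-coverage items above fit together, as an added illustration (not Ambimat’s or AmbiSecure’s code): per-card key diversification from a SAM-held master key, a MAC-chained append-only tap journal whose per-card monotonic sequence numbers reject replays, and a verifier that checks the journal with the journal key alone, independent of backend state. It assumes HMAC-SHA256 truncated to 16 bytes in place of the SAM’s AES CMAC, constructed sample keys, and a record layout (UID, 4-byte sequence, 4-byte amount) that the brochure does not specify.

```python
import hmac
import hashlib

# Constructed sample keys (assumption): in a deployed system these live only in the SAM / HSM.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
JOURNAL_KEY = bytes.fromhex("f0e1d2c3b4a5968778695a4b3c2d1e0f")
ZERO_MAC = bytes(16)  # chain seed for the first journal entry


def mac16(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 truncated to 16 bytes stands in for the SAM's AES CMAC (assumption).
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def diversify_key(master_key: bytes, card_uid: bytes) -> bytes:
    """Per-card key: the master key never leaves the SAM; only the derived key is ever used with one card."""
    return mac16(master_key, b"purse-key|" + card_uid)


class TapJournal:
    """Append-only, MAC-chained tap journal kept locally by the validator during backend outages."""

    def __init__(self, journal_key: bytes):
        self.key = journal_key
        self.entries = []   # (card_uid, seq, amount, mac)
        self.last_seq = {}  # card_uid -> highest sequence number accepted so far

    def spend(self, card_uid: bytes, seq: int, amount: int) -> bool:
        # Replay / double-spend check: the card's sequence number must strictly increase.
        if seq <= self.last_seq.get(card_uid, -1):
            return False
        prev_mac = self.entries[-1][3] if self.entries else ZERO_MAC
        record = card_uid + seq.to_bytes(4, "big") + amount.to_bytes(4, "big")
        mac = mac16(self.key, prev_mac + record)  # chaining binds each entry to every earlier one
        self.entries.append((card_uid, seq, amount, mac))
        self.last_seq[card_uid] = seq
        return True


def verify_journal(journal_key: bytes, entries) -> int:
    """Re-check the chain using only the journal key (no backend state needed).
    Returns -1 if intact, else the index of the first entry whose MAC fails;
    every entry after a failure is suspect because the chain is broken from there on."""
    prev_mac = ZERO_MAC
    for i, (card_uid, seq, amount, mac) in enumerate(entries):
        record = card_uid + seq.to_bytes(4, "big") + amount.to_bytes(4, "big")
        if not hmac.compare_digest(mac16(journal_key, prev_mac + record), mac):
            return i
        prev_mac = mac
    return -1
```

Because each MAC covers the previous entry's MAC, an auditor with the journal key can detect a deleted, reordered or edited tap without consulting the backend, which is what makes the journal usable as the revenue audit trail after an outage.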

Hot-list strategy

  1. SAM-derived mutual auth at the validator (catches clones, always works offline).
  2. Recent-revocations push from backend on connectivity (catches recent loss reports).
  3. Full reconciliation at tap-journal upload (catches everything; resolves financially in closed-loop).

Designing or modernising a closed-loop system?

Bring your fleet size and your latency budget. We’ll bring an architecture sketch within a week.
