The Technical Group sub-groups TAG and TAP-NT have been working on specifications for the barcodes used in ATB RCT2, RCCST and print@home paper tickets and also for barcodes used in mobile App tickets. To ensure that the barcodes cannot be counterfeited, they are digitally signed using keys based on the Public Key Infrastructure (PKI) model.
Public-key cryptography, or asymmetric cryptography, is any cryptographic system that uses pairs of keys: public keys that may be disseminated widely paired with private keys which are known only to the owner. The functions achieved: using a public key to authenticate that a message originated with a holder of the paired private key.
This model requires the distribution of public keys to Ticket Controlling Organisations (Gates and control devices). To facilitate automation, the key itself and other relevant information are distributed using the XML file from which the standard is part of UIC leaflet 918.2.
The distribution of public keys among railways was achieved before using non secured emails. Since 2014 UIC has developed and operates a Public key Management Website (PKMW). The website is used initially by those currently involved in key exchange – nevertheless it is a free resource that can be used by any UIC member where their business requires public key distribution, even if simply used for domestic purposes.
To date, the following Railway Undertakings have published their public key on the PKMW (https://railpublickey.uic.org): CFL, DSB, NS, OBB, SNCB, SNCF and ZSSK.