FR2674050A1 - Installation for safeguarding transport passes, in particular magnetic-track passes - Google Patents

Abstract

In response to an authorisation request emanating from the processing station (PT) accompanied by a first session key (KS1) enciphered by the first means of encipherment/decipherment (ENCP) as a function of a first base key (KB1), the second means of encipherment/decipherment (ENCA) decipher the first enciphered session key (KS1) thus received as a function of the first base key (KB1) previously stored in the second storage means (STOA). Next, the authorisation centre (CA) forwards to the processing station (PT) a first sealing key (KC1) enciphered by the second means of encipherment/decipherment (ENCA) as a function of the first session key (KS1). Finally, the first means of encipherment/decipherment (ENCP) decipher the first enciphered sealing key (KC1) thus received as a function of the first session key (KS1) and finally store the said first sealing key (KC1) thus deciphered in the first storage means (ST0).

Description

The invention relates to securing transport tickets, in particular magnetic strip.

There is already known an installation for processing tickets, in particular magnetic strip, comprising a plurality of processing stations each intended for transmission, access control at the entrance, verification control by a controller en route, or access control at the exit of said tickets.

Most often, said processing stations are connected to a remote authorization center which authorizes the processing of said tickets according to the information exchanged between the processing station and the authorization center, in particular that contained on the magnetic strip of the ticket to be processed.

These tickets can have a significant market value and are therefore the subject of acts or attempts to fraudulently copy or modify the content of the magnetic tracks.

The Applicant has posed the problem of installing an installation which makes it possible to secure travel tickets against such acts.

The present invention relates to an installation for securing tickets, in particular magnetic strip, comprising - an authorization center - at least one station for processing said tickets capable of intercommunication with the authorization center, following a request for authorization of said processing station.

According to a general definition of the invention, the processing station comprises - first means of encryption / decryption of variable-key data, and - first means of storing keys, the authorization center comprises - second means of encryption / decryption of variable key data, and - second key storage means, and in response to an authorization request first emanating from the processing station accompanied by a first session key encrypted by the first means of encryption / decryption based on a first basic key, the second encryption / decryption means decrypt the first encrypted session key thus received according to the first basic key previously stored in the second storage means, then the center authorization transmits to the processing station a first sealing key encrypted by the second encryption / decryption means in function n of the first session key, finally, the first encryption / decryption means decrypt the first encrypted sealing key thus received as a function of the first session key and store said first sealing key thus decrypted in the first storage means, and the processing station further comprises - reading means suitable for extracting data from at least part of the content of the magnetic strip of the ticket; and to read the title seal of the transport ticket - means for securing data suitable for calculating the expected title seal according to a security algorithm predetermined by the first sealing key and the data thus drawn, and for checking the authenticity of the title seal thus calculated by comparison with the read title seal, - and of the means capable of inhibiting the processing of the transport ticket and / or the transport ticket itself in the event of authenticity not confirmed by said control.

Such an installation thus has the advantage of conferring a high degree of security at the level of the content of the magnetic strip of the ticket by sealing said content and at the level of the exchange of secret data (sealing key) between the data center. authorization and processing station by encryption / decryption of said secret data.

According to a preferred embodiment of the invention, the authorization center further comprises - second security means suitable for calculating at least a first authorization seal according to a security algorithm predetermined by a sealing key and - second means of verifying the authenticity of the first authorization seal, in addition, the authorization request emanating from the processing station is accompanied by a second session key encrypted by the first encryption / decryption means as a function of a second basic key and a first authorization seal calculated according to the first security algorithm under the first and second session keys, said first authorization seal then being encrypted by the first encryption / decryption means under the sum or exclusive of the first and second session keys, for their part, the second encryption / decryption means also decrypt the second encrypted session key thus received as a function of the second basic key previously stored in the second storage means, the second securing means calculate the first authorization seal according to the second securing algorithm under the key formed by the first and second session keys as well transmitted by the processing station and decrypted at the authorization center, said first authorization-seal thus calculated being encrypted by the second encryption / decryption means under the sum or exclusive of the first and second session keys, for its part , the authorization center verifies the authenticity of the first encrypted authorization seal thus received by comparison with the first authorization seal thus calculated; in the event of authenticity not confirmed by the first authorization seal by said verification, the authorization request is refused, while in the event of authenticity confirmed by the first authorization seal by said verification, the authorization center then transmits to the post of processing the second sealing key encrypted by the second encryption / decryption means as a function of the second session key, and a second authorization seal calculated according to the second security algorithm under the first and second sealing keys, said second seal authorization then being encrypted by the second encryption / decryption means under the sum or exclusive of the first and second sealing keys, for their part, the first encryption / decryption means also decrypt the second encrypted sealing key thus received as a function of the second session key, in addition, the first security means calculate the second d authorization seal according to the first security algorithm under the key formed by the first and second sealing keys thus transmitted encrypted by the authorization center and deciphered at the processing station, said second authorization seal thus calculated then being encrypted by the sum or exclusive of the first and second sealing keys, for its part, the processing station verifies the authenticity of the second authorization seal thus received by comparison with the second authorization seal thus calculated, in the event of unconfirmed authenticity of the second seal authorization by said verification, the authorization request is refused, while in the event of confirmed authenticity of the second seal authorization by said verification, the second sealing key thus deciphered is finally stored in the first storage means.

Such an installation thus also has the advantage of allowing a processing station to authenticate itself vis-à-vis the authorization center and therefore of guaranteeing the integrity of the information exchanged between the authorization center and the station. treatment.

Other characteristics and advantages of the invention will become apparent in the light of the detailed description below, and of the drawings in which, - Figure 1 is a schematic view of an installation for securing tickets according to l invention - Figures 2A to 2E schematically represent different tickets according to the invention - Figure 3 shows schematically the essential and constitutive means of a processing station and an authorization center according to the invention - Figure 4 schematically illustrates the means of securing data according to the invention - FIG. 5 is a flow diagram illustrating the remote loading of the sealing key in the processing station according to the invention - FIG. 6 is a flow diagram illustrating the loading at distance from the sealing key accompanied by authentication of the processing station vis-à-vis the authorization center according to the invention - FIG. 7 is a schematic view of the data security means and of the data encryption / decryption means according to the invention - FIG. 8 is a flowchart illustrating the loading of the basic keys in the processing station from a memory card ; and - Figure 9 is a flowchart illustrating the hierarchy of keys according to the invention.

In Figure 1, there is shown an installation according to the invention.

This is a processing chain for tickets with magnetic stripe, for example that concerning in France public transport tickets of the metropolitan, train or bus type.

Regarding the application relating to train or metropolitan type public transport, processing stations are provided for the distribution of tickets
DIS, CTR ticket control devices and equipment for recharging tickets
RCH.

These different treatment stations are respectively connected to a departmental ECS computer via a telematic link
LIA of the TRANSPAC type (Registered trademark) under the reference X 25.

The ECS departmental computer is in turn linked via a LIA link to a large CA computer playing the role of authorization center which authorizes the processing of transport tickets according to the information exchanged between the various processing stations and the authorization. For example, the CA authorization center is a computer sold by the
BULL company under the reference DPS 7000.

The installation is completed by terminals for the sale of TVM transport tickets, for example those sold by the Applicant under the reference TOM 300.

These TVM and PC processing stations are directly connected via a LIA link of the TRANSPAC X 25 type to the authorization center
IT.

Regarding the bus application, it is planned to equip the installation with VAL ticket validators.

When stopping at the bus depot, such VAL magnetic validators for buses are in cooperation with a host ECD computer which is itself connected via a LIA link of the TRANSPAC X 25 type to the authorization center CA.

For example, the cooperation between the magnetic validator VAL and the ECD computer takes place via an infrared type link
READ.

Reference is now made to FIG. 2A which represents a magnetic track PM of a ticket. The PM track is around fifty bytes and is subdivided into three zones.

The first zone Z1, with a length of the order of 20 bytes, concerns the identity ID and the type TY of the transport ticket.

The second zone Z2, about thirty bytes long, relates to the INFO information relating to the tickets.

Finally, the third zone Z3, with a length of the order of 1 byte, relates to the authentication AU (or sealing) of the content of the magnetic track PM according to the invention.

In general, it is possible to distinguish four categories of transport tickets which differ from one another according to the nature of said transport tickets.

In FIG. 2B, a magnetic strip is shown relating to a passkey-type transport ticket. Zone Z2 concerning information relating to tickets includes the deadline and the identification number of said ticket.

In Figure 2C, there is shown a magnetic track PM associated with a conventional type of ticket. The zone Z2 relating to the information includes data relating to the journey, the amount, the date, the emission and control codes of the transport ticket.

In FIG. 2D, a ticket of the periodic type is represented, the data of which contained in the zone Z2 represent in particular the zone of validity, the period of validity and the journey in progress of said transport.

Finally, FIG. 2E shows a ticket of the fixed-price type, the data of which is contained in the area
Z2 represent in particular the number of journeys on such a journey or within the limit of so much money.

It should be noted that the zone Z3 is provided for authenticating the data contained in particular in the zone Z2 which may contain a certain variety of information as mentioned above.

Reference is now made to FIG. 3 which schematically represents the essential and constitutive means of a processing station and an authorization center according to the invention.

In practice, the processing station PT comprises first of all LEC reading means suitable for extracting data from at least part of the content of the magnetic track PM and for reading the seal.
AU of the TT ticket.

The data thus drawn from the reading means LEC are applied to securing means SECU of data according to a predetermined securing algorithm MAA.

The SECU securing means calculate the expected seal according to the MAA securing algorithm by an authentication or sealing key KC1 and the data thus drawn from the reading means LEC.

In practice, the sealing key KC1 is stored in storage means STO.

VER checking means verify the authenticity of the seal thus calculated by the MAA security algorithm by comparison with the seal read by the LEC reading means.

INH inhibition means inhibit the processing of the transport ticket and / or the transport ticket itself in the event of authenticity not confirmed by the VER control means. The transport ticket is inhibited by rewriting the magnetic stripe.

Reference is now made to FIG. 4 which illustrates in detail the operation of the security means.
SECU.

In practice, the data security algorithm is a data compression algorithm of the MAA type for "Message
Authentication Algorithm "known under the reference ISO 8731/2.

The securing means SECU therefore receive the message to be authenticated, here the data taken from the magnetic track PM by the reading means LEC. Thus, the AU seal is the result of the compression of the PM message by the MAA type security algorithm under the sealing key KC1. The compression result is 4 bytes long; the sealing key consists of two sealing subkeys of 4 bytes each.

An operation of the EXCLUSIVE OR type of the 4 bytes of the result of the security algorithm makes it possible to obtain an AU seal with a length of 1 byte.

In order to provide an additional degree of security against fraud attempts, provision is made to equip the storage means STO containing the sealing key KC1 with a volatile memory, which allows the content of said memory to be erased in the event of a physical or software attack.

Those skilled in the art will understand that the protection conferred by the sealing of the content of the magnetic strip which has just been described above is unsatisfactory if the sealing key itself is not protected against fraudulent acts.

The Applicant has rightly posed the problem of providing protection having a high degree of security for remote loading of the sealing key in the treatment station.

The solution of the present invention consists first of all in equipping the processing station PT with first encryption / decryption means for ENCP data with variable key and then the authorization center CA with second encryption / decryption means for ENCA data with variable key, second STOA key storage means, second SECUCA security means and second VERCA verification means.

Reference is now made to FIG. 5 which represents a flow chart illustrating the protection relating to the remote loading of the sealing key in the processing station.

First, in response to an authorization request from the PT processing station accompanied by a first session key
KS1 encrypted by the first encryption / decryption means
ENCP as a function of a first base key KB1, the second encryption / decryption means decrypt the first encrypted session key KS1 thus received as a function of the first base key KB1 previously stored in the second storage means STOA.

Then, the authorization center CA transmits to the processing station PT a first sealing key KC1 encrypted by the second encryption / decryption means ENCA as a function of the first session key KS1.

Finally, the first encryption / decryption means ENCP decipher the first encrypted sealing key KC1 thus received as a function of the first session key KS1 and store said first sealing key KC1 thus decrypted in the first storage means STO.

Those skilled in the art will understand that such an encrypted transmission of the sealing key between the processing station PT and the authorization center CA makes it possible to confer a high degree of security concerning the remote loading of said key.

However, he will understand that such encryption / decryption only allows the exchange of secret data with a remote authorization center. It does not guarantee the integrity of the information exchanged with said central site.

The Applicant has rightly posed the problem of guaranteeing the integrity of the information exchanged with the authorization center.

Reference is now made to FIG. 6 which represents a flow chart illustrating the guarantee of integrity of the information exchanged with the authorization center.

For this, the authorization request from the processing station is also accompanied by a second session key.
KS2 encrypted by the first encryption / decryption means ENCP as a function of a second basic key KB2 and a first seal-authorization S1.

The first authorization seal S1 results from the calculation by the MAA security algorithm under the key formed here of KS1 and of
KS2.

The first authorization-seal S1 thus calculated is then applied to the encryption / decryption means ENCP to be encrypted under the key formed by the sum or exclusive of the first and second session keys KS1 $ KS2.

Then, the authorization center CA proceeds by means of the second encryption / decryption means ENCA to the decryption of said second encrypted session key KS2 thus received as a function of the second base key KB2 previously stored in the second storage means STOA.

As a corollary, the authorization center CA proceeds with the aid of SECUCA security means to the calculation according to the MAACA security algorithm under the key formed by KS1 and KS2 thus transmitted encrypted by the processing station and decrypted at the center authorization as mentioned above. The first authorization seal S1 thus calculated is then applied to the ENCA means for encryption by the keys KS1 and KS2.

The authorization center CA by the VERCA verification means then verifies the authenticity of the first encrypted authorization seal S1 thus received by comparison with the first encrypted authorization seal S1 thus calculated.

In the event of unconfirmed authenticity of the first authorization seal S1 by said verification, the authorization request is refused.

On the contrary, in the event of authenticity confirmed by the first S1 authorization seal by said verification, the authorization center
CA transmits to the processing station PT the second encrypted sealing key KC2 by the second encryption / decryption means ENCA as a function of the second session key KS2, and a second authorization seal 82.

The second S2 authorization seal results from the calculation according to the MAACA security algorithm under the key formed by the keys KC1 and
KC2.

The second S2 authorization seal thus calculated is then applied to the ENCA means to be encrypted under the key formed by the sum or exclusive of the first and second sealing key.
KC1 $ KC2.

Then, the processing station PT proceeds using the means
ENCP on decryption of the second encrypted sealing key KC2 thus received from the authorization center as a function of the session key KS1 previously stored in the means STO.

As a corollary, the processing station PT proceeds with the SECU security means to calculate the second seal-authorization S2 according to the MAA security algorithm under the key formed by KC1 and KC2 thus transmitted encrypted by the autori center. sation and deciphered at the treatment center as mentioned above. The second S2 authorization seal thus calculated is then applied to the ENCP means for decryption by the keys KC1 and KC2.

The processing station verifies using the VER means then the authenticity of the second encrypted S2 authorization seal thus received by comparison with the second encrypted S2 authorization seal thus calculated.

In the event of unconfirmed authenticity of the second S2 authorization seal by said verification, the authorization request is refused.

On the contrary, in the event of authenticity confirmed by the second authorization seal 52 by said verification, the second sealing key KC2 thus deciphered is stored in the first storage means STO.

Those skilled in the art will understand that with such remote loading of the sealing keys accompanied by authentication of the processing station vis-à-vis the authorization center, the integrity of the information exchanged between the two is guaranteed. the PT processing station and the CA authorization center.

Reference is now made to FIG. 7 in conjunction with FIG. 3.

The message M containing for example the encrypted keys KS1 and KS2 to be transmitted is applied to the SECU data security means described above. The compression result here is 4 bytes long.

This result, which is for example the first authorization seal S1, is then applied to the first data encryption means ENCP.

For example, the encryption / decryption means are of the type
DES for "Data Encryption Standard" of ISO 8227 in mode
ECB, ie "Electronic Code Book".

It should be noted that an initialization vector V with a variable length of 4 bytes is also applied to the input of the encryption / decryption means ENCP to avoid repetitive authenticators. For example, the variable datum representing the initialization vector V includes the encryption / decryption date.

The result S1 Kas 1 $ OKS2 of the encryption / decryption means
ENCP is an encrypted authorization seal with a length of 8 bytes. Here, the encryption is carried out by the encrypted keys to be transmitted KS1 and KS2 which also undergo an EXCLUSIVE OR operation before their application KS1 $ KS2 because the encryption / decryption is performed on 8 bytes.

For a particular application concerning the loading of the basic keys KB1 and KB2 in the processing stations such as those described with reference to FIG. 1 relating to the sale of the TVM and PC ticket, it is planned to modify the protocol exchange of keys.

More specifically, it is planned to perform the loading of the basic keys from a memory card.

Reference is now made to FIG. 8 which illustrates the loading of the basic keys from a memory card.

When a user wishes to personalize a self-service processing station vis-à-vis the authorization station, he uses a memory card (not shown) containing the basic keys KB1 and KB2 mentioned above which are loaded in the card memory in an encrypted form according to master keys KM1 and KM2.

Then, the user inserts the memory card into a memory card reader fitted to the processing station.

Finally, in response to a request to load basic keys accompanied by the entry of a confidential code specific to the memory card, the confidential code thus entered is verified at the processing station.

In the event of the authenticity of the confidential code confirmed by verification, the memory card transmits the first and second basic keys KB1 and KB2 respectively encrypted under the first and second master keys KM1 and KM2.

The first encryption / decryption means then decrypt the first and second encrypted basic keys KB1 and KB2 thus stored as a function of the first and second master keys
KM1 and KM2 previously stored in the first STO storage means in a non-public site.

Once the basic keys KB1 and KB2 are decrypted and stored in the storage means STO, the authorization request is made as described with reference to FIGS. 5 and 6.

Advantageously, the authorization request is also accompanied by the number of the processing station as well as the number of the memory card.

In response to the authorization request, also accompanied by the terminal number and card number, the authorization center checks the admissibility of the authorization request.

If the authorization request is admissible, the session keys KS1 and KS2 encrypted by the basic keys KB1 and KB2 are transmitted, as well as the first authorization seal S1 as described with reference to the figure 6.

In the event of inadmissibility of the authorization request, the processing ends.

Reference is now made to FIG. 9 which illustrates the hierarchy of the keys.

The master keys KM1 and KM2 which are used for encryption / decryption of the basic keys KB1 and KB2 are themselves encrypted / decrypted by manufacturer keys KF1 and KF2.

Advantageously, the manufacturer keys KF1 and KF2 are loaded by the manufacturer of the processing stations at a non-public protected site in the storage means of the processing station.

As described above, the master keys KM1 and KM2 are stored in the storage means of the processing station in a non-public site.

For their part, the basic keys KB1 and KB2 are stored in the storage means by means of a memory card as described with reference to FIG. 8.

Finally, the session keys KS1 and KS2 and the sealing keys
KC1 and KC2 are stored according to the protocol described above with reference to Figures 5 and 6.

Advantageously, the processing station is further equipped with means suitable for counting the number of inhibitions of processing of travel tickets, comparing said number thus counted with a predetermined value and prohibiting the operation of the processing station in the case where said number exceeds the predetermined value.

Such means also called braking means thus make it possible to confer an additional degree of security on the installation.

In practice, the memory card is of the EEPROM type with a capacity of 416 bits with synchronous access and in CMOS technology.

It should be noted that each key includes an identifier of a predetermined length suitable for specifying the reference, the use and the state of each key. For example, the identifier has a length of 4 bytes.

Advantageously, the processing station includes means suitable for erasing the content of the magnetic strip of the transport ticket when the latter does not have the property of high coercivity.

In practice, the erasing means comprise a magnet placed upstream of the magnetic stripe reader.

It should also be noted that the session keys are drawn pseudo-randomly, which makes it possible to confer an additional degree of security.

Advantageously, in the event of an incident, for example detected by the braking systems, or at the end of each session, the sealing keys stored in the terminal in volatile memory are destroyed.

 It should be noted that automatic equipment such as DIS distributors, RCH rechargers, and CTR controllers are not equipped with memory card readers because the latter are not self-service. In this case, the memory card is replaced by the first storage means STO which then contain the basic keys KB1, KB2.

The braking means refuse the operation of the treatment stations until the complete and correct initialization of the treatment station has been carried out. The braking means are also supplemented by a black list of treatment stations stored at the level of the authorization center. It is also planned to detect the use of erroneous keys several times in a given time. Finally, an automatic session closure is planned in the event of prolonged inactivity of the treatment center.

Claims (13)

Claims 1. Installation for securing tickets, in particular magnetic strip, comprising - an authorization center (CA); - at least one processing station (PT) for said tickets capable of intercommunication with the authorization center (CA), following a request for authorization of said processing station (PT); characterized in that the processing station (PT) comprises - first encryption / decryption means (ENCP) of variable key data; and - first key storage means (STO), in that the authorization center (CA) comprises - second encryption / decryption means (ENCA) of variable key data, and - second storage means ( STOA) of keys, and in that, first of all, in response to an authorization request emanating from the processing station (PT) accompanied by a first session key (KS1) encrypted by the first encryption means / decryption (ENCP) as a function of a first base key (KB1), the second encryption / decryption means (ENCA) decrypt the first encrypted session key (KS1) thus received as a function of the first base key (KB1) previously stored in the second storage means (STOA), in that the authorization center (CA) then transmits to the processing station (PT) a first sealing key (KC1) encrypted by the second encryption / decryption means ( ENCA) according to the first sessi key on (KS1), in that the first encryption / decryption means (ENCP) decrypt the encrypted first sealing key (KC1) thus received as a function of the first session key (KS1) and finally store said first sealing key ( KC1) thus deciphered in the first storage means (STO), and in that the processing station (PT) further comprises - reading means (LEC) suitable for extracting data from at least part of the content of the magnetic strip of the transport ticket, and to read the title seal of the transport ticket, - data security means (SECU) suitable for calculating the expected title seal according to a predetermined security algorithm (MAA) by the first sealing key (KC1) and the data thus drawn, to be checked (VER) the authenticity of the title seal thus calculated by comparison with the read title seal, and - means (INH) capable of inhibiting the processing the ticket and / or the ti transport itself in case of authenticity not confirmed by said control. 2. Installation according to claim 1, characterized in that the authorization center (CA) further comprises - second security means (SECUCA) suitable for calculating at least a first authorization seal (S1) according to a security algorithm predetermined (MAACA) by a sealing key and - second means of verification (VERCA) of the authenticity of the first authorization seal (su), the authorization request from the processing station (PT) is also accompanied by '' a second session key (KS2) encrypted by the first encryption / decryption means (ENCP) as a function of a second basic key (KB2) and a first authorization seal (S1), calculated according to the first security algorithm (MAA) under the first and second session keys (KS1 and KS2), said first authorization-seal then being encrypted by the first encryption / decryption means (ENCP) under the sum or exclusive of the first and second keys of s ession (KS1 e KS2), in that the second encryption / decryption means (ENCA) decrypt the second encrypted session key (KS2) thus received as a function of the second base key (KB2) previously stored in the second means of storage (STOA), in that the second security means (SECUCA) calculate the first authorization seal (S1) according to the second security algorithm (MAACA) under the key formed by the first and second session keys (KS1 and KS2) thus transmitted by the processing station (PT) and decrypted at the authorization center (CA), said first authorization seal (S1) thus calculated and encrypted by the second encryption / decryption means (ENCA) under the sum or exclusive of the first and second session keys (KS1 and KS2), in that the authorization center (CA) verifies the authenticity of the first encrypted authorization seal (S1) thus received by comparison with the first encrypted authorization seal ( S1) ai nsi calculated, in case of unconfirmed authenticity of the first encrypted authorization seal thus received (S1) by said verification, the authorization request is refused, while in case of confirmed authenticity of the first authorization seal (S1) by said verification, the authorization center (CA) then transmits to the processing station (PT) the second sealing key (KC2) encrypted by the second encryption / decryption means as a function of the second session key (KS2), and a second authorization seal (S2), resulting from the security calculation according to the second security algorithm (MAACA) under the first and second sealing keys (KC1 and KC2), the second authorization seal (S2) then being encrypted by the second encryption / decryption means (ENCA) under the sum or exclusive of the first and second sealing keys (KC1 and KC2), in that the first encryption / decryption means (ENCP) decipher the second key encryption seal (KC2) thus received as a function of the second session key (KS2), in that the first security means (SECU) calculate the second authorization seal (S2) according to the first security algorithm (MAA) under the key formed from the first and second sealing keys (KC1 and KC2) thus transmitted encrypted by the authorization center and encrypted at the processing station, said second authorization seal (S2) thus calculated then being encrypted by the sum or exclusive of the first and second sealing keys (KC1 and KC2), in that the processing station (PT) verifies the authenticity of the second encrypted authorization seal (S2) thus received by comparison with the second encrypted authorization seal (S2 ) so calculated; in that in the event of unconfirmed authenticity of the second encrypted authorization seal thus received (S2) by said verification, the authorization request is refused, while in the event of confirmed authenticity of the second authorization seal (S2) by said verification, the second sealing key (KC2) thus decrypted is finally stored in the first storage means (STO). 3. Installation according to claim 1 or claim 2, characterized in that the processing station (PT) comprises means suitable for cooperating with removable storage means, in that the removable storage means comprise a memory containing the first or the first and second basic keys (KB1 and KB2) encrypted respectively according to a first or first and second master keys (KM1 and KM2) and processing means suitable for verifying the authenticity of the confidential code - associated with said removable storage means, and in that in response to a request for loading a basic key accompanied by a confidential code specific to the memory card, emanating from the processing station which cooperate with the removable storage means, said processing means verify the confidential code thus received, and in that the removable storage means load the first or the first and second basic keys (KB1 and KB2) encrypted in the first storage means (STO) in the event of the authenticity of the confidential code confirmed by verification, and in that the first encryption / decryption means (ENCP) decrypt the first or the first and second basic keys (KB1 and KB2) encrypted thus stored as a function of the first or the first and second master keys (KM1 and KM2) previously stored in the first storage means (STO) in a non-public site. 4. Installation according to claim 3, characterized in that the first or the first and second basic keys (KB1 and KB2) are loaded encrypted according to one or more first and second master keys (KM1 and KM2) in the first storage means (STO), in that the first or first and second basic keys (KB1 and KB2) encrypted thus loaded are decrypted by the first encryption / decryption means (ENCP) according to the first or first and second master keys (KM1 and KM2) previously stored in the first storage means in a protected, non-public site. 5. Installation according to claim 3 or claim 4, characterized in that the first or the first and second and second master keys (KM1 and KM2) are loaded encrypted according to one or more first and second manufacturer keys (KF1 and KF2) in the first storage means, in that the first or first and second master keys (KM1 and KM2) encrypted thus loaded are decrypted by the first encryption / decryption means (ENCP) as a function of the first or first and second manufacturer keys (KF1 and KF2) previously stored in the first storage means (STO) in a protected, non-public site. 6. Installation according to any one of the preceding claims, characterized in that the processing station (PT) is further equipped with means suitable for counting the number of inhibitions of processing of transport tickets, to compare said number thus counted to a predetermined value and to prohibit the operation of the processing station in the event that said number exceeds the predetermined value. 7. Installation according to any one of the preceding claims, characterized in that the first and second storage means (STO and STOA) comprise a volatile memory. 8. Installation according to any one of the preceding claims, characterized in that the removable storage means comprise a memory card of the EEPROM type. 9. Installation according to any one of the preceding claims, characterized in that the first or the first and second session keys (KS1 and KS2) are pseudo-random keys. 10. Installation according to any one of the preceding claims, characterized in that the first and second encryption-decryption means (ENCP and ENCA) encrypt / decrypt the data according to a DES type algorithm. 11. Installation according to any one of the preceding claims, characterized in that the security algorithm (MAA) is a data compression algorithm. 12. Installation according to claim 11, characterized in that the security means (SECU) compress the data according to an algorithm of the MAA type. 13. Installation according to any one of the preceding claims, characterized in that the different keys each include an identifier of a predetermined length suitable for specifying the reference, the use and the state of each key.