Securing Access Control
Making sure your customers are able to secure contactless card-based systems
- By Scott Lindley
- Mar 01, 2015
Just watching the news each night is reason
enough to explain why security professionals
worry about the security of their access
control systems. If the card system is hacked,
there can be major problems. At universities, years
of research can be tampered with or lost. At a hospital,
HIPAA rules are stringent and the penalties for a
breach can be severe. No
administrator wants to be responsible for causing
injury to an employee or visitor because somebody
gained unauthorized entry via the card system.
There are three main ways to assault a card-based
electronic access control system—skimming,
eavesdropping and relay attacks. Skimming
occurs when the attacker uses an unauthorized
reader to access information on the unsuspecting
victim’s RFID card or tag without consent. As a result,
the attacker is able to read stored information
or modify information by writing to the credential.
From that point on, the attacker can control
when and where unauthorized entries may occur.
An eavesdropping attack occurs when an attacker
recovers the data sent during a transaction
between the legitimate reader and card. As a result,
the attacker can recover and store the data of interest.
From then on, the attacker can use this stored
data at will.
Lastly, RFID systems are potentially vulnerable
to an attack in situations in which the attacker relays
communication between the reader and a tag.
A successful relay attack lets an attacker temporarily
possess a “clone” of a token, thereby allowing
the attacker to gain the associated benefits. Some
sophisticated RFID credentials perform mutual
authentication and encrypt the subsequent communication.
An attacker, however, never needs
to know the plain-text data or the key material
as long as he can continue relaying the respective
messages. It is therefore irrelevant whether the
reader authenticates the token cryptographically,
or encrypts the data, since the relay attack cannot
be prevented by application layer security.
What’s scary about all this is that the equipment
to perpetrate the above attacks can be quite
inexpensive and is widely available. However, to
fully understand how to stop such assaults, we first
need to remind ourselves how RFID cards and
readers work.
Looking at the Technology behind Readers and Cards
There are two basic contactless card-based technologies:
proximity and smart card. Proximity cards follow
de facto industry conventions rather than one formal
standard, while smart card readers typically make use of the
international standard for contactless cards, ISO/IEC 14443.
In operation, proximity readers typically generate
an electromagnetic field tuned to 125 kHz,
an internationally recognized radio frequency for
low power data communications. When a credential
enters this field, the credential’s internal radio
frequency integrated circuit (RFIC) is activated.
The RFIC then transmits its unique data back to
the reader as an encoded signal. In Farpointe's case,
the signal encoding includes a byte parity error
detection scheme.
A byte is a unit of data that is eight binary digits,
or bits, long. A parity bit, or check bit, is a bit
added to the end of a string of binary code (0’s and
1’s) that indicates whether the number of bits in
the string with the value one is even or odd.
There are two variants of parity bits: even parity
bit and odd parity bit. In the case of even parity,
the number of bits whose value is 1 in a given set
are counted. If that total is odd, the parity bit value
is set to 1, making the total count of 1s in the set an
even number. If the count of ones in a given set of
bits is already even, the parity bit’s value remains 0.
In the case of odd parity, the situation is reversed:
if the number of bits with the value 1 is odd, the parity
bit is set to 0, and if that number is even, the parity
bit is set to 1, making the total count of 1s in the set
an odd number.
Bottom line: if an odd number of bits (including
the parity bit) are flipped in transmission, the parity
check fails, indicating that an error occurred; the
frame is discarded and must be re-transmitted from
scratch. Note the limit: an even number of flipped bits
leaves the parity intact and passes undetected, and a
correct parity bit says nothing about who sent the data.
Byte parity is a fast, cheap integrity check that makes
transmissions more reliable; it is not, by itself, an
authentication or anti-cloning measure.
To operate:
- Reader powers proximity card or tag.
- Card transmits access data (facility code, ID
number, etc.) to reader.
- Reader transmits access data to access controller
via an industry standard protocol.
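The parity scheme described above and the facility code/ID number hand-off in the list can be seen working together in the following Python. This is an added example written for this page; it is not Farpointe's encoding (the article does not specify it) and not taken from any reader firmware. It computes the parity bit both ways, shows which transmission errors parity catches and which it misses, and applies the same idea to the common 26-bit Wiegand frame many readers use to pass the facility code and card number to the controller (one even-parity bit over the first twelve data bits, an 8-bit facility code, a 16-bit card number, one odd-parity bit over the last twelve data bits). Facility code 85 and card number 12345 are constructed sample values.

```python
# Added example: byte parity error detection and the 26-bit Wiegand frame.
# Not Farpointe's encoding (unspecified in the article); the Wiegand layout is
# the widely used 26-bit format: even parity over the first 12 data bits,
# 8-bit facility code, 16-bit card number, odd parity over the last 12 data bits.

def parity_bit(bits, even=True):
    """Parity bit that makes the number of 1s in bits + [parity] even (or odd)."""
    ones = sum(bits) % 2          # 1 if the data already has an odd number of 1s
    return ones if even else 1 - ones

def encode_byte(value, even=True):
    """Eight data bits, most significant first, followed by one parity bit."""
    data = [(value >> i) & 1 for i in range(7, -1, -1)]
    return data + [parity_bit(data, even)]

def check_byte(frame, even=True):
    """True if the received 9-bit frame passes its parity check."""
    return parity_bit(frame[:8], even) == frame[8]

def flip(frame, *positions):
    """Simulate transmission errors by inverting the given bit positions."""
    out = list(frame)
    for p in positions:
        out[p] ^= 1
    return out

def wiegand26_encode(facility, card):
    """Build a 26-bit Wiegand frame from an 8-bit facility code and 16-bit card number."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility code must be 8 bits, card number 16 bits")
    body = [(facility >> i) & 1 for i in range(7, -1, -1)] + \
           [(card >> i) & 1 for i in range(15, -1, -1)]
    return [parity_bit(body[:12], even=True)] + body + [parity_bit(body[12:], even=False)]

def wiegand26_decode(frame):
    """Return (facility, card), or raise ValueError on a length or parity error."""
    if len(frame) != 26:
        raise ValueError("bad frame length")
    body = frame[1:25]
    if parity_bit(body[:12], even=True) != frame[0]:
        raise ValueError("leading (even) parity error")
    if parity_bit(body[12:], even=False) != frame[25]:
        raise ValueError("trailing (odd) parity error")
    facility = int("".join(map(str, body[:8])), 2)
    card = int("".join(map(str, body[8:])), 2)
    return facility, card

def decode_or_error(frame):
    """Decoded (facility, card) tuple, or the error text if the frame is rejected."""
    try:
        return wiegand26_decode(frame)
    except ValueError as e:
        return str(e)

if __name__ == "__main__":
    frame = encode_byte(0xA5)                 # 1010 0101 has four 1s -> even parity bit 0
    print(check_byte(frame))                  # True
    print(check_byte(flip(frame, 0)))         # False: a single flipped bit is caught
    print(check_byte(flip(frame, 0, 1)))      # True: two flipped bits slip through

    w = wiegand26_encode(85, 12345)           # constructed sample credential
    print(decode_or_error(w))                 # (85, 12345)
    print(decode_or_error(flip(w, 3)))        # leading (even) parity error
    print(decode_or_error(flip(w, 1, 2)))     # (149, 12345): corrupted facility code, accepted
```

The last line is the point a practitioner should keep in mind: two flipped bits in the same parity group change the facility code from 85 to 149 and the controller cannot tell. Parity protects against line noise, not against a deliberately crafted or cloned credential.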
Now, let’s review smart card technology. In operation,
smart card readers typically generate an
electromagnetic field tuned to 13.56 MHz. When
a credential enters this field, the credential’s internal
RFIC is activated. The RFIC then transmits
its unique data back to the reader as an encoded
modulated signal.
Smart card readers are typically able to read the
sector (access control) data and/or the unique card serial number (CSN) from ISO/IEC 14443-compliant
smart card credentials. The cards are quite often programmed
at the manufacturer with the brand's compatible secure
key. During the validation process, the reader challenges
the credential to prove it holds the secure key. If the secure
keys match, the reader will read the card's sector
data; if the secure keys don't match, the reader can
only read the credential's CSN, which is not a secret and
on its own should not be used as the access decision.
For example, to operate:
- Reader and credential share and compare secure
keys.
- Keys match - reader collects sector data (long
beep).
- Keys do not match - reader collects card serial
number (CSN) (quick beep).
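The handshake in the list above, and the relay attack described earlier that such a handshake does not stop, are modelled in the following Python. It is an added example written for this page, not taken from any vendor's reader or card firmware. The challenge-response uses an HMAC construction chosen here for clarity (the article does not specify the cipher); a card carrying a different key yields only its CSN; and an attacker's relay forwards every message untouched and obtains the sector data without ever learning the key. The optional round-trip bound at the end stands in for physical-layer distance bounding, which real systems would have to implement at far finer time resolution. Keys, CSNs, sector data and the relay delay are constructed sample values.

```python
# Added example: key-matching handshake between reader and card, and a relay
# that defeats it. Hypothetical model, not any product's protocol.
import hashlib
import hmac
import os
import time

# Constructed sample keys: the site key shared by this customer's cards and
# readers, and a key belonging to some other site.
SITE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
OTHER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def _mac(key, role, reader_nonce, card_nonce):
    """Keyed proof over both nonces; 'role' keeps the two directions distinct."""
    return hmac.new(key, role + reader_nonce + card_nonce, hashlib.sha256).digest()

class Card:
    """Contactless credential: a CSN anyone can read, a secret key, and
    sector data released only after the reader proves the same key."""
    def __init__(self, csn, key, sector_data):
        self.csn = csn
        self._key = key
        self._sector = sector_data

    def challenge(self, reader_nonce):
        card_nonce = os.urandom(8)
        return card_nonce, _mac(self._key, b"card", reader_nonce, card_nonce)

    def read_sector(self, reader_nonce, card_nonce, reader_tag):
        expected = _mac(self._key, b"reader", reader_nonce, card_nonce)
        if hmac.compare_digest(reader_tag, expected):
            return self._sector
        return None

class Reader:
    def __init__(self, key, max_rtt=None):
        self._key = key
        self.max_rtt = max_rtt   # seconds; stand-in for physical-layer distance bounding

    def validate(self, card):
        """Returns ('sector', data), ('csn', csn) or ('rejected', None)."""
        reader_nonce = os.urandom(8)
        start = time.perf_counter()
        card_nonce, tag = card.challenge(reader_nonce)
        if self.max_rtt is not None and time.perf_counter() - start > self.max_rtt:
            return ("rejected", None)                     # answered too slowly
        if not hmac.compare_digest(tag, _mac(self._key, b"card", reader_nonce, card_nonce)):
            return ("csn", card.csn)                      # keys differ: quick beep
        reader_tag = _mac(self._key, b"reader", reader_nonce, card_nonce)
        return ("sector", card.read_sector(reader_nonce, card_nonce, reader_tag))  # long beep

class Relay:
    """Attacker's proxy at the door. It never sees the key: it just carries
    each message to a genuine card held elsewhere and brings the reply back."""
    def __init__(self, remote_card, delay):
        self._remote = remote_card
        self._delay = delay            # round-trip latency the relay adds
        self.csn = remote_card.csn     # the CSN is readable by anyone anyway
        self.forwarded = 0

    def challenge(self, reader_nonce):
        time.sleep(self._delay)
        self.forwarded += 1
        return self._remote.challenge(reader_nonce)

    def read_sector(self, reader_nonce, card_nonce, reader_tag):
        time.sleep(self._delay)
        self.forwarded += 1
        return self._remote.read_sector(reader_nonce, card_nonce, reader_tag)

def demo():
    genuine = Card(csn=b"\x04\xa1\xb2\xc3", key=SITE_KEY, sector_data=b"FC=85;ID=12345")
    foreign = Card(csn=b"\x04\xff\xee\xdd", key=OTHER_KEY, sector_data=b"another site")
    reader = Reader(SITE_KEY)
    return {
        "genuine": reader.validate(genuine),                     # ('sector', b'FC=85;ID=12345')
        "foreign": reader.validate(foreign),                     # ('csn', b'\x04\xff\xee\xdd')
        "relayed": reader.validate(Relay(genuine, delay=0.05)),  # ('sector', ...) despite mutual auth
        "relayed_bounded": Reader(SITE_KEY, max_rtt=0.02).validate(Relay(genuine, delay=0.05)),
    }                                                            # last one: ('rejected', None)

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "relayed" result is the article's point in code: the reader's cryptography is sound and the relay still walks through the door, because every message it forwards is genuine. Only something the relay cannot forge, such as how quickly the answer arrives, distinguishes it, which is why the countermeasure belongs below the application layer.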
Knowing This, How Can We Improve Security?
The security integrator has a range of tools to negate
skimming, eavesdropping and relay attacks.
Looking at increasing the security of proximity
cards first, one of the easiest solutions is to provide
customers with 2-factor validation of the person
wanting to enter. Not only must that person
have something—the authorized card or tag—but
they must also know something, a PIN. For those
higher security areas especially, you can select a
card reader with an integrated keypad. To enter,
the individual presents their card, gets a flash and
beep, and then enters their PIN on the keypad.
The electronic access control system then prompts
a second beep on the reader, and the individual is
authorized to enter.
Integrators can also provide a high-security
handshake, or code, between the card, tag and
reader to help prevent credential duplication and
ensure that your customers’ readers will only collect
data from these specially coded credentials.
In a sense, it’s the electronic security equivalent of
a mechanical key management system, in which
your customer’s organization is the only one that
has the key they use. Such keys are only available
through you, the installing integrator and you
never provide another company with the same key.
In the electronic access control scenario, no
other company will have the reader/card combination
that your customer can get from you. Only
their reader will be able to read their card or tag
and their reader will read no other card or tag.
How about smart card systems? At a cost comparable
to proximity card systems, smart card
systems may be more secure and can be used for
applications beyond access control, such as library
checkouts, the hospital cafeteria and so on.
Regarding smart cards, inform your customers
about “MIFARE,” which is based upon NXP
Semiconductor’s technology. (Others may look for
France’s Inside Technologies. The idea is very much
the same so we’ll discuss MIFARE.) We could go
into a deep technological explanation but, suffice it
to say, MIFARE is the gateway to a series of security
levels. That’s a whole new article in itself. Ask
your manufacturer for a quick run-through so you
can pick the right level of MIFARE security for your
customer. Typically, to minimize costs, systems integrators
will choose a relatively inexpensive smart card such
as a MIFARE Classic card and concentrate security
efforts in the back office. That choice should be
deliberate: the proprietary cipher in MIFARE Classic has
had published key-recovery attacks since 2008, so the
card's own authentication cannot be the only thing
standing between a cloned card and the door.
Additional encryption on the card, transaction
counters and other methods known in cryptography
are then employed to make cloned cards useless
or enable the back office to detect a fraudulent
card and put it on a blacklist. Remember that systems
that work with online readers only, such as
readers with a permanent link to the back office,
are easier to protect than systems with offline
readers: with offline readers, real-time checks are
not possible and blacklists cannot be updated as
frequently.
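A minimal back office of the kind the paragraph describes, as an added example for this page (not from the article or any product): each card carries a transaction counter that it increments on every use, the server accepts a counter only if it moves forward, so a clone that replays the skimmed state collides with the genuine card and is blacklisted. An offline reader holding a stale copy of the blacklist still admits the clone until it syncs, which is the online/offline difference the paragraph warns about. The card ID, reader names and counter values are constructed.

```python
# Added example: clone detection with a per-card transaction counter and a
# blacklist, with an online and an offline reader. Hypothetical model.
from dataclasses import dataclass

@dataclass
class CardState:
    last_counter: int = -1   # highest transaction counter accepted so far

class BackOffice:
    """Online side: every card read is checked against the card's last
    accepted counter, and any card that goes backwards is blacklisted."""
    def __init__(self):
        self.cards = {}
        self.blacklist = set()
        self.alerts = []

    def check(self, card_id, counter, reader_id):
        if card_id in self.blacklist:
            return "deny"
        state = self.cards.setdefault(card_id, CardState())
        if counter <= state.last_counter:
            # Two physical cards share one identity: the genuine card and a
            # clone each advanced their own copy of the counter, so one of them
            # now presents a value the server has already accepted.
            self.blacklist.add(card_id)
            self.alerts.append(
                f"{reader_id}: card {card_id} presented counter {counter}, "
                f"server already at {state.last_counter}; blacklisted")
            return "deny"
        state.last_counter = counter
        return "grant"

class OnlineReader:
    """Permanent link to the back office: the decision is made there in real time."""
    def __init__(self, reader_id, back_office):
        self.reader_id = reader_id
        self.back_office = back_office

    def present(self, card_id, counter):
        return self.back_office.check(card_id, counter, self.reader_id)

class OfflineReader:
    """No live link: decides from the blacklist copy it received at its last sync."""
    def __init__(self, reader_id):
        self.reader_id = reader_id
        self.blacklist = set()

    def sync(self, back_office):
        self.blacklist = set(back_office.blacklist)

    def present(self, card_id, counter):
        return "deny" if card_id in self.blacklist else "grant"

class PhysicalCard:
    """A card (or a clone of it) increments its own counter on every use."""
    def __init__(self, card_id, counter=0):
        self.card_id = card_id
        self.counter = counter

    def use(self, reader):
        self.counter += 1
        return reader.present(self.card_id, self.counter)

    def clone(self):
        return PhysicalCard(self.card_id, self.counter)   # skimmed copy, same state

def scenario():
    """Constructed sequence of reads; returns the decisions and the alerts raised."""
    office = BackOffice()
    lobby = OnlineReader("lobby-online", office)
    storeroom = OfflineReader("storeroom-offline")
    genuine = PhysicalCard("C0FFEE")
    decisions = []
    decisions.append(genuine.use(lobby))      # counter 1: grant
    decisions.append(genuine.use(lobby))      # counter 2: grant
    clone = genuine.clone()                   # card skimmed here, at counter 2
    decisions.append(genuine.use(lobby))      # genuine, counter 3: grant
    decisions.append(clone.use(lobby))        # clone, counter 3 again: deny, blacklisted
    decisions.append(clone.use(storeroom))    # offline reader, stale list: grant
    storeroom.sync(office)
    decisions.append(clone.use(storeroom))    # after the sync: deny
    return decisions, office.alerts

if __name__ == "__main__":
    decisions, alerts = scenario()
    print(decisions)   # ['grant', 'grant', 'grant', 'deny', 'grant', 'deny']
    for alert in alerts:
        print(alert)
```

Note that the counter check cannot say which of the two cards is the clone; it only proves that two exist. Blacklisting the identity and having the genuine holder re-enrol is the usual response, and the fifth decision shows the window an offline reader leaves open between syncs.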
Another thing that can be done is the same that
was explained earlier regarding proximity cards in
which the integrator can provide a security handshake
between the smart card and reader. This
adaption works exactly the same with smart card
solutions as it does with proximity systems.
You also can propose a card validation option.
In this enhancement, the cards and readers are
programmed with a fraudulent data detection system.
The reader scans through the credential's data
looking for inconsistencies in the encrypted data
of the kind that credential cloning typically leaves
behind. Such a card validation feature is yet another
layer of protection.
Work with Your Customer
As an electronic security integrator, you must be
as concerned with the security of your customers’
contactless card access control systems as they are.
When planning a new system, it's imperative that
you review every aspect of your customers' security
and safety together with them. Ask what you
can do to help them avoid breaches of security.
This article originally appeared in the March 2015 issue of Security Today.