Securing Access Control

Making sure your customers are able to secure contactless card-based systems

Just watching the news each night is reason enough to explain why security professionals worry about the security of their access control systems. If the card system is hacked, there can be major problems. At universities, years of research can be tampered with or lost. At a hospital, HIPAA rules are very stringent and the penalties for having them breached can be severe. No administrator wants to be responsible for causing injury to an employee or visitor because somebody gained unauthorized entry via the card system.

There are three main ways to assault a card-based electronic access control system—skimming, eavesdropping and relay attacks. Skimming occurs when the attacker uses an unauthorized reader to access information on the unsuspecting victim’s RFID card or tag without consent. As a result, the attacker is able to read stored information or modify information by writing to the credential. From that point on, the attacker can control when and where unauthorized entries may occur.

An eavesdropping attack occurs when an attacker recovers the data sent during a transaction between the legitimate reader and card. As a result, the attacker can recover and store the data of interest. From then on, the attacker can use this stored data at will.

Lastly, RFID systems are potentially vulnerable to an attack in situations in which the attacker relays communication between the reader and a tag. A successful relay attack lets an attacker temporarily possess a “clone” of a token, thereby allowing the attacker to gain the associated benefits. Some sophisticated RFID credentials perform mutual authentication and encrypt the subsequent communication. An attacker, however, never needs to know the plain-text data or the key material as long as he can continue relaying the respective messages. It is therefore irrelevant whether the reader authenticates the token cryptographically, or encrypts the data, since the relay attack cannot be prevented by application layer security.

What’s scary about all this is that the equipment to perpetrate the above attacks can be quite inexpensive and is widely available. However, to fully understand how to stop such assaults, we first need to remind ourselves how RFID cards and readers work.

Looking at the Technology behind Readers and Cards

There are two basic contactless card-based technologies—proximity and smart card. Proximity takes advantage of industry-acknowledged norms, while smart card readers typically make use of the international standard for cards designated as ISO/IEC 14443.

In operation, proximity readers typically generate an electromagnetic field tuned to 125 kHz, an internationally recognized radio frequency for low power data communications. When a credential enters this field, the credential’s internal radio frequency integrated circuit (RFIC) is activated. The RFIC then transmits its unique data back to the reader as an encoded signal. In the case of Farpointe, the encoding of this signal consists of a data algorithm that uses a byte parity error detection scheme.

A byte is a unit of data that is eight binary digits, or bits, long. A parity bit, or check bit, is a bit added to the end of a string of binary code (0’s and 1’s) that indicates whether the number of bits in the string with the value one is even or odd.

There are two variants of parity bits: even parity bit and odd parity bit. In the case of even parity, the number of bits whose value is 1 in a given set are counted. If that total is odd, the parity bit value is set to 1, making the total count of 1s in the set an even number. If the count of ones in a given set of bits is already even, the parity bit’s value remains 0. In the case of odd parity, the situation is reversed. Instead, if the sum of bits with a value of 1 is odd, the parity bit’s value is set to zero. And, if the sum of bits with a value of 1 is even, the parity bit value is set to 1, making the total count of 1s in the set an odd number.

Bottom line - If an odd number of bits (including the parity bit) are transmitted incorrectly, the parity bit will be incorrect, thus indicating that a parity error occurred in the transmission. The data must be discarded entirely and re-transmitted from scratch. In doing so, byte parity error detection helps provide extremely fast, accurate and secure transmissions.

To operate:

  1. Reader powers proximity card or tag.
  2. Card transmits access data (facility code, ID number, etc.) to reader.
  3. Reader transmits access data to access controller via an industry standard protocol.

Now, let’s review smart card technology. In operation, smart card readers typically generate an electromagnetic field tuned to 13.56 MHz. When a credential enters this field, the credential’s internal RFIC is activated. The RFIC then transmits its unique data back to the reader as an encoded modulated signal.

Smart card readers are typically able to read the sector (access control) data and/or unique card serial number (CSN) from ISO/IEC 14443 compliant smart card credentials. Meeting the ISO standard, the cards are quite often programmed at the manufacturer with the brand’s compatible secure key. During the validation process, the credential’s secure key is challenged by the reader. If the secure keys match, the reader will read the card’s sector data; if the secure keys don’t match, the reader may only read the credential’s CSN.

For example, to operate:

  1. Reader and credential share and compare secure keys.
  2. Keys match - reader collects sector data (long beep).
  3. Keys do not match - reader collects card serial number (CSN) (quick beep).

Knowing This, How Can We Improve Security?

The security integrator has a range of tools to negate skimming, eavesdropping and relay attacks.

Looking at increasing the security of proximity cards first, one of the easiest solutions is to provide customers with two-factor validation of the person wanting to enter. Not only must that person have something—the authorized card or tag—but they must also know something, a PIN. For those higher security areas especially, you can select a card reader with an integrated keypad. To enter, the individual presents their card, gets a flash and beep, and then enters their PIN on the keypad. The electronic access control system then prompts a second beep on the reader, and the individual is authorized to enter.

Integrators can also provide a high-security handshake, or code, between the card, tag and reader to help prevent credential duplication and ensure that your customers’ readers will only collect data from these specially coded credentials. In a sense, it’s the electronic security equivalent of a mechanical key management system, in which your customer’s organization is the only one that has the key they use. Such keys are only available through you, the installing integrator, and you never provide another company with the same key.

In the electronic access control scenario, no other company will have the reader/card combination that your customer can get from you. Only their reader will be able to read their card or tag and their reader will read no other card or tag.

How about smart card systems? At a cost comparable to proximity card systems, smart card systems may be more secure and can be used for applications beyond access control, such as library checkouts, the hospital cafeteria and so on.

Regarding smart cards, inform your customers about “MIFARE,” which is based upon NXP Semiconductor’s technology. (Others may look for France’s Inside Technologies. The idea is very much the same so we’ll discuss MIFARE.) We could go into a deep technological explanation but, suffice it to say, MIFARE is the gateway to a series of security levels. That’s a whole new article in itself. Ask your manufacturer for a quick run-through so you can pick the right level of MIFARE security for your customer. Typically, to minimize costs, systems integrators will choose a relatively inexpensive smart card such as a MIFARE Classic card and concentrate security efforts in the back office.

Additional encryption on the card, transaction counters and other methods known in cryptography are then employed to make cloned cards useless or to enable the back office to detect a fraudulent card and put it on a blacklist. Remember that systems that work with online readers only, such as readers with a permanent link to the back office, are easier to protect than systems that have offline readers: with offline readers, real-time checks are not possible and blacklists cannot be updated as frequently.
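One concrete form of the back-office detection described above, using a per-card transaction counter. This is an added example, not from the article or any vendor: it assumes an online reader that forwards each read event (card ID and the counter value stored on the card, which a genuine card increments on every transaction) to the back office, which grants or denies and maintains the blacklist.

```python
# Added example: back-office clone detection with a monotonic transaction counter.
# Assumption: every legitimate transaction increments the counter stored on the card,
# so a copied card eventually presents a value the genuine card has already passed.


class BackOffice:
    def __init__(self):
        self.last_counter = {}   # card_id -> highest counter value seen so far
        self.blacklist = set()   # card IDs that must be reissued

    def process(self, card_id, counter):
        """Decide one online read event: 'GRANT', 'DENY_CLONE' or 'DENY_BLACKLISTED'."""
        if card_id in self.blacklist:
            return "DENY_BLACKLISTED"
        last = self.last_counter.get(card_id)
        if last is not None and counter <= last:
            # Stale or replayed counter: a second copy of this credential is in circulation.
            # The back office cannot tell which copy is genuine, so the ID is blacklisted
            # and the holder gets a fresh card.
            self.blacklist.add(card_id)
            return "DENY_CLONE"
        self.last_counter[card_id] = counter
        return "GRANT"


def run(events):
    """Feed a sequence of (card_id, counter) read events through one back office."""
    office = BackOffice()
    return [office.process(card_id, counter) for card_id, counter in events]


# Constructed sample read events (not real credentials): (card_id, counter on card)
EVENTS = [
    ("C1001", 41),
    ("C1001", 42),
    ("C1001", 42),   # same counter again: a clone of C1001 was presented
    ("C1001", 43),   # genuine card, now denied because the ID is blacklisted
    ("C2002", 7),
]

if __name__ == "__main__":
    for event, decision in zip(EVENTS, run(EVENTS)):
        print(event, "->", decision)
```

An offline reader cannot run this check in real time; it only learns of the blacklisted ID at its next synchronisation, which is the gap the paragraph above warns about.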

The security handshake described earlier for proximity cards can also be applied here: the integrator provides a handshake between the smart card and reader. This adaptation works exactly the same way with smart card solutions as it does with proximity systems.

You also can propose a card validation option. In this enhancement, the cards and readers are programmed with a fraudulent data detection system. The reader will scan through the credential’s data in search of discrepancies in the encrypted data, which typically arise during credential cloning. Such a card validation feature is yet another layer of protection.

Work with Your Customer

As an electronic security integrator, you must be as concerned with the security of your customers’ contactless card access control systems as they are. When planning a new system, it’s imperative that you consider all aspects of security and safety together with your customer. Ask what you can do to help them avoid breaches of security.

This article originally appeared in the March 2015 issue of Security Today.
