The How and Why

Companies switch from proximity to smartcard systems

Richard Zerbib has worked for 10 years for Shaw Systems & Integration, an electrical contracting service out of Southfield, MI. Now a systems sales engineer for the wired or wireless structured cabling, life safety, security and card access, audio/ visual solutions and communications systems integrator, Zerbib has been on the front lines of seeing how important systems security has become a main concern of his customers.

ACCESS SYSTEMS

In this time, Zerbib has found more customers worrying about the security of their proximity-based card access systems. As he explains it, RFID devices are typically used as contactless proximity or smart card identification in tracking and access control systems. These systems operate on the assumption that the token is in close proximity to the reader. This proximity, or nearness, is due to the physical limitations of the communication channel.

However, current RFID devices, particularly those operating at 125 kHz, are not suitable for secure identification. Proximity credentials that operate at 125 kHz are vulnerable to cloning. Credential holders have easy access to devices that make copies of their cards at retail stores or by purchasing an inexpensive card cloner on-line. This would allow copies to be given to unauthorized individuals who could then gain entry using that employee’s identity.

As these facts have become better known, there has been a drive by security directors to overcome these shortcomings by moving to more secure, encrypted card technology like that offered by NXP Semiconductors MIFARE DESFire EV2 based RFID credentials.

A Shaw Systems & Integration customer, a leading financial planning company who has been running 500 Farpointe Data proximity readers on the front end of their access system from provider Galaxy Control Systems showcased the problem. Once the company learned about the improved security features of a contactless smartcard system, and its added encryption, while preserving the convenience of a contactless operation, they were ready to upgrade. Learning that the Farpointe smart-card solution could handle the same “ins and outs” plus support secure usage of the company’s copiers and printers just like their present proximity system, they were ready to move on. Then, once they discovered that there was an easy upgrade path, the decision was confirmed.

PROXIMITY READERS

Zerbib suggested that their best alternative would be a total replacement of all proximity readers and credentials to the faster, more secure smart-card technology rather than intermittently installing the new system. “By doing it all at once,” Zerbib said, “we could remove the possibility that the vulnerable, 125 kHz proximity cards would continue to have to be ordered. Working with Farpointe Data, we engineered a solution that would remove not only all of the proximity credentials, it would also eliminate the possibility that proximity credentials could ever be used again.”

As a result, the group decided to deploy Farpointe’s smartcard technology which is based on the MIFARE DESFire EV2 platform to offer a globally accepted, secure and versatile access control solution. DESFire EV2 credentials employ 128-bit AES encryption, and at the time of the installation, represented the most sophisticated and secure contactless smart cards available.

Farpointe’s Delta readers read DESFire credentials and are easily installed in place of the original proximity readers. This would give the customer the freedom to target different applications with the same exact cards throughout.

Reviewing the program planning, the group soon realized that it would take Shaw weeks to replace 500 plus readers, leading to a revision of the proposal. They, instead, decided to first recredential all customer employees with dual frequency cards that combined both 125 kHz proximity and 13.56 MHz contactless DESFireEV2 smartcard technologies.

Five thousand cards were ordered and all employees were soon issued these new credentials. Once this was done, Shaw began replacing the proximity readers with the Delta contactless smartcard readers. Since the credentials were 125 kHz and 13.56 MHz, they would continue to function on the older proximity readers and the new smartcard readers as they were being installed.

This meant that once all of the readers were replaced, the customer could then order single technology smart cards, as the dual frequency would no longer be required. An added security bene fit is that, once all of the proximity readers were replaced, there was no possibility that proximity cards could ever be introduced into the system again. To track usage of the copiers and printers, Farpointe provided USB readers that allow the new DESFireEV2 credentials to serve the same function.

A QUICK REVIEW OF THE TECHNOLOGIES ADDED

As the customer was very concerned about increasing the security of their access control system, let’s review what the migration from proximity to smartcard technology has achieved. Today,13.56 MHz contactless smart cards are used to provide increased security compared to 125 KHz proximity cards. One of the first terms you will discover in learning about smart cards is “MIFARE,” a technology from NXP Semiconductors. MIFARE enables 2-way communications between the card and the reader.

MIFARE Classic was the original version of the MIFARE standard used in contactless cards. It stores the card number on one of its sectors, then encrypts the communication between the card and reader to theoretically make it impossible or, at least, very difficult to clone a card.

The newest MIFARE standard, DESFire EV2, includes a cryptographic module on the chip in the card itself to add an additional layer of encryption to the card/reader transaction. This is among the higher standards of card security. MIFARE DESFire EV2 protection is ideal for sales to providers wanting to use secure multi-application smart cards in access management, public transportation schemes or closed-loop e-payment applications. They are fully compliable with the requirements for fast and highly secure data transmission, flexible memory organization and provide interoperability with existing infrastructures.

According to Zerbib, the MIFARE DESFire EV2 contactless integrated circuit (IC) brings many more benefits. Cardholders can experience convenient contactless ticketing while also being able to use the same device for applications such as student ID, closed-loop payment at vending machines, access management and loyalty programs. System providers can offer or sell application space to third parties without having to share the master key. A MIFARE DESFire EV2 product-based card can hold as many different applications as the memory will support and new applications can be loaded after the product is in the field. It’s like having an app store on a smart card.

One aspect of securing a card’s information is to make the internal numbers unusable; they must be encrypted. To read them, the system needs access to a secret key or password that provides decryption. Modern encryption algorithms play a vital role in assuring data security. • Authentication: the origin of a message. • Integrity: contents of a message have not been changed. • Non-repudiation: the message sender cannot deny sending the message.

Here is how it works. The number is encrypted using an encryption algorithm and an encryption key. This generates cipher text that can only be viewed in its original form if decrypted with the correct key. Today’s encryption algorithms are divided into two categories: symmetric and asymmetric.

Symmetric-key ciphers use the same key, or secret, for encrypting and decrypting a message or ffile. The most widely used symmetric-key cipher is AES (Advanced Encryption Standard), which is used by the government to protect classified information. Another common symmetric cipher, noted for its high speed of transaction, is the TEA (tiny encryption algorithm).

Asymmetric cryptography uses two different, but mathematically linked, keys, one public and one private. The public key can be shared with everyone, whereas the private key must be kept secret. RSA (named after Misters Rivest, Shamir and Adleman) is the most widely used asymmetric algorithm.

Additional encryption on the card, transaction counters and other methods known in cryptography are then employed to make cloned cards useless or enable the back office to detect a fraudulent card and put it on a blacklist. Systems that work with online readers only (i.e., readers with a permanent link to the back office) are easier to protect than systems that have offline readers, since real-time checks are not possible and blacklists cannot be updated as frequently with offline systems.

In addition to the functionality for multiple applications, smart credentials also increase the security of information kept on the card and stored in the facility. Zerbib adds that Farpointe’s Valid ID provides another anti-tamper feature available with contactless smartcard readers, cards and tags. At manufacture, readers, cards and tags are programmed with the Valid ID algorithm, cryptographically ensuring the integrity of the sensitive access control data stored on the card or tag.

With Valid ID, readers scan through the credential’s access control data searching for data discrepancies, which may occur during the counterfeiting, tampering or hacking of a contactless smartcard. Valid ID is an additional layer of protection to what is already available in smart card authentication, operating independently, in addition to, and above this standard level of security. In use, Valid ID allows a smartcard reader to effectively verify that the sensitive access control data programmed to a card or tag is not counterfeit.

TRANSPARENT TO THE USERS

With all the immense changes to the inside of the access control system, the one thing that surprised Zerbib is that no employee ever reacted to the changes in the system. “There was no downtime and nobody got locked out. They never noticed.”

This article originally appeared in the January / February 2021 issue of Security Today.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises. 3

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3