The How and Why
Companies switch from proximity to smartcard systems
- By Tom Piston
- Feb 01, 2021
Richard Zerbib has worked for 10 years for Shaw
Systems & Integration, an electrical contracting
service out of Southfield, MI. Now a systems sales
engineer for the wired or wireless structured cabling,
life safety, security and card access, audio/
visual solutions and communications systems integrator, Zerbib
has been on the front lines of seeing how important systems security
has become a main concern of his customers.
In this time, Zerbib has found more customers worrying about
the security of their proximity-based card access systems. As he
explains it, RFID devices are typically used as contactless proximity
or smart card identification in tracking and access control
systems. These systems operate on the assumption that the token
is in close proximity to the reader. This proximity, or nearness, is
due to the physical limitations of the communication channel.
However, current RFID devices, particularly those operating at
125 kHz, are not suitable for secure identification. Proximity credentials
that operate at 125 kHz are vulnerable to cloning. Credential
holders have easy access to devices that make copies of their
cards at retail stores or by purchasing an inexpensive card cloner
on-line. This would allow copies to be given to unauthorized individuals
who could then gain entry using that employee’s identity.
As these facts have become better known, there has been a
drive by security directors to overcome these shortcomings by
moving to more secure, encrypted card technology like that offered
by NXP Semiconductors MIFARE DESFire EV2 based
A Shaw Systems & Integration customer, a leading financial
planning company who has been running 500 Farpointe Data
proximity readers on the front end of their access system from
provider Galaxy Control Systems showcased the problem. Once
the company learned about the improved security features of a
contactless smartcard system, and its added encryption, while
preserving the convenience of a contactless operation, they were
ready to upgrade. Learning that the Farpointe smart-card solution
could handle the same “ins and outs” plus support secure usage of
the company’s copiers and printers just like their present proximity
system, they were ready to move on. Then, once they discovered
that there was an easy upgrade path, the decision was confirmed.
Zerbib suggested that their best alternative would be a total replacement
of all proximity readers and credentials to the faster,
more secure smart-card technology rather than intermittently installing
the new system. “By doing it all at once,” Zerbib said, “we
could remove the possibility that the vulnerable, 125 kHz proximity
cards would continue to have to be ordered. Working with
Farpointe Data, we engineered a solution that would remove not
only all of the proximity credentials, it would also eliminate the
possibility that proximity credentials could ever be used again.”
As a result, the group decided to deploy Farpointe’s smartcard
technology which is based on the MIFARE DESFire EV2
platform to offer a globally accepted, secure and versatile access
control solution. DESFire EV2 credentials employ 128-bit AES
encryption, and at the time of the installation, represented the
most sophisticated and secure contactless smart cards available.
Farpointe’s Delta readers read DESFire credentials and are
easily installed in place of the original proximity readers. This
would give the customer the freedom to target different applications
with the same exact cards throughout.
Reviewing the program planning, the group soon realized that
it would take Shaw weeks to replace 500 plus readers, leading
to a revision of the proposal. They, instead, decided to first recredential
all customer employees with dual frequency cards that
combined both 125 kHz proximity and 13.56 MHz contactless
DESFireEV2 smartcard technologies.
Five thousand cards were ordered and all employees were soon
issued these new credentials. Once this was done, Shaw began replacing
the proximity readers with the Delta contactless smartcard
readers. Since the credentials were 125 kHz and 13.56 MHz,
they would continue to function on the older proximity readers
and the new smartcard readers as they were being installed.
This meant that once all of the readers were replaced, the customer could then order single technology smart cards, as the dual
frequency would no longer be required. An added security bene fit is that, once all of the proximity readers were replaced, there
was no possibility that proximity cards could ever be introduced
into the system again. To track usage of the copiers and printers,
Farpointe provided USB readers that allow the new DESFireEV2
credentials to serve the same function.
A QUICK REVIEW OF THE TECHNOLOGIES ADDED
As the customer was very concerned about increasing the security
of their access control system, let’s review what the migration
from proximity to smartcard technology has achieved.
Today,13.56 MHz contactless smart cards are used to provide
increased security compared to 125 KHz proximity cards. One of
the first terms you will discover in learning about smart cards is
“MIFARE,” a technology from NXP Semiconductors. MIFARE
enables 2-way communications between the card and the reader.
MIFARE Classic was the original version of the MIFARE
standard used in contactless cards. It stores the card number on
one of its sectors, then encrypts the communication between the
card and reader to theoretically make it impossible or, at least,
very difficult to clone a card.
The newest MIFARE standard, DESFire EV2, includes a
cryptographic module on the chip in the card itself to add an
additional layer of encryption to the card/reader transaction.
This is among the higher standards of card security. MIFARE
DESFire EV2 protection is ideal for sales to providers wanting to
use secure multi-application smart cards in access management,
public transportation schemes or closed-loop e-payment applications.
They are fully compliable with the requirements for fast
and highly secure data transmission, flexible memory organization
and provide interoperability with existing infrastructures.
According to Zerbib, the MIFARE DESFire EV2 contactless integrated
circuit (IC) brings many more benefits. Cardholders can experience
convenient contactless ticketing while also being able to use
the same device for applications such as student ID, closed-loop payment
at vending machines, access management and loyalty programs.
System providers can offer or sell application space to third parties
without having to share the master key. A MIFARE DESFire EV2
product-based card can hold as many different applications as the
memory will support and new applications can be loaded after the
product is in the field. It’s like having an app store on a smart card.
One aspect of securing a card’s information is to make the internal
numbers unusable; they must be encrypted. To read them,
the system needs access to a secret key or password that provides
decryption. Modern encryption algorithms play a vital role in assuring
• Authentication: the origin of a message.
• Integrity: contents of a message have not been changed.
• Non-repudiation: the message sender cannot deny sending the
Here is how it works. The number is encrypted using an encryption
algorithm and an encryption key. This generates cipher
text that can only be viewed in its original form if decrypted with
the correct key. Today’s encryption algorithms are divided into
two categories: symmetric and asymmetric.
Symmetric-key ciphers use the same key, or secret, for encrypting
and decrypting a message or ffile. The most widely used
symmetric-key cipher is AES (Advanced Encryption Standard),
which is used by the government to protect classified information.
Another common symmetric cipher, noted for its high speed of
transaction, is the TEA (tiny encryption algorithm).
Asymmetric cryptography uses two different, but mathematically
linked, keys, one public and one private. The public key can
be shared with everyone, whereas the private key must be kept
secret. RSA (named after Misters Rivest, Shamir and Adleman)
is the most widely used asymmetric algorithm.
Additional encryption on the card, transaction counters and
other methods known in cryptography are then employed to
make cloned cards useless or enable the back office to detect a
fraudulent card and put it on a blacklist. Systems that work with
online readers only (i.e., readers with a permanent link to the
back office) are easier to protect than systems that have offline
readers, since real-time checks are not possible and blacklists cannot
be updated as frequently with offline systems.
In addition to the functionality for multiple applications,
smart credentials also increase the security of information kept
on the card and stored in the facility. Zerbib adds that Farpointe’s
Valid ID provides another anti-tamper feature available with contactless
smartcard readers, cards and tags. At manufacture, readers,
cards and tags are programmed with the Valid ID algorithm,
cryptographically ensuring the integrity of the sensitive access
control data stored on the card or tag.
With Valid ID, readers scan through the credential’s access control
data searching for data discrepancies, which may occur during
the counterfeiting, tampering or hacking of a contactless smartcard.
Valid ID is an additional layer of protection to what is already
available in smart card authentication, operating independently, in
addition to, and above this standard level of security. In use, Valid
ID allows a smartcard reader to effectively verify that the sensitive
access control data programmed to a card or tag is not counterfeit.
TRANSPARENT TO THE USERS
With all the immense changes to the inside of the access control system,
the one thing that surprised Zerbib is that no
employee ever reacted to the changes in the system.
“There was no downtime and nobody got locked
out. They never noticed.”
This article originally appeared in the January / February 2021 issue of Security Today.