Ensuring security with card-based access control systems

April 16, 2015

Lady at Door[1]
Photos courtesy Farpointe Data

By Scott Lindley
For buildings, the security of access control systems is critical. If a card system is hacked, there can be major problems. For example, at a university, years of research can be tampered with or lost. At a hospital, federal and provincial security rules are stringent and the penalties for having them breached can be severe. No administrator wants to be ultimately responsible for causing injury to an employee or visitor because unauthorized entry was gained via the card system.

There are three main ways to assault a card-based electronic access control system—skimming, eavesdropping, or relay attacks. The first type occurs when the attacker uses an unauthorized reader to access information on the unsuspecting victim’s radio frequency identification (RFID) card or tag without consent. As a result, the attacker is able to read stored information or modify data by writing to the credential. From that point on, the attacker can control when and where unauthorized entries may occur.

An eavesdropping attack occurs when an attacker recovers the data sent during a transaction between the legitimate reader and card. As a result, the attacker can recover and store the data of interest. The attacker can then use this stored data at will.

Lastly, RFID systems are potentially vulnerable to an attack in situations where the attacker relays communication between the reader and a tag. A successful relay attack lets an attacker temporarily possess a ‘clone’ of a token, allowing the attacker to gain the associated benefits. Some sophisticated RFID credentials perform mutual authentication and encrypt the subsequent communication. An attacker, however, never needs to know the plain-text data or the key material as long as he or she can continue relaying the respective messages. It is therefore irrelevant whether the reader authenticates the token cryptographically, or encrypts the data, since the relay attack cannot be prevented by application layer security.

What is scary about this is the equipment used to perpetrate these types of attacks can be inexpensive and widely available. However, to fully understand how to stop such assaults, building and design professionals first need to understand how RFID cards and readers work.

Technology behind readers and cards
There are two basic contactless card-based technologies—proximity and smartcard. Proximity takes advantage of industry acknowledged norms, while smart card readers typically make use of the international standard for such cards, which is designated at International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 14443, Identification Cards–Contactless Integrated Circuit Cards: Proximity Cards.

In operation, proximity-readers typically generate an electromagnetic field that is tuned to 125 kHz—an internationally recognized radio frequency for low-power data communications. When a credential enters this field, then the credential’s internal RFIC is activated. The RFIC then transmits its unique data back to the reader as an encoded signal. The encoding of this signal typically comprises of a data algorithm that uses a byte-parity error-detection scheme.

A byte is a unit of data that is eight binary digits, or bits, long. A parity bit, or check bit, is a bit added to the end of a string of binary code (0s and 1s) indicating whether the number of bits in the string with the value one is even or odd.

There are two variants of parity bits—even and odd. In the case of even parity, the bits with a value of 1 in a given set are counted. If that total is odd, the parity bit value is set to 1, making the total count of 1s in the set an even number. If the count of 1s in a given set of bits is already even, the parity bit’s value remains 0. In the case of odd parity, the situation is reversed. Instead, if the sum of bits with a value of 1 is odd, the parity bit’s value is set to 0. If the sum of bits with a value of 1 is even, the parity bit value is set to 1, making the total count of 1s in the set an odd number.

P-640-H[2]
A combination keypad/card reader provides two-factor validation—something the user knows, and something the user has.

Overall, if an odd number of bits (including the parity bit) are transmitted incorrectly, the parity bit will be incorrect, thus indicating a parity error occurred in the transmission. The data must be discarded entirely and re-transmitted from scratch. In doing so, byte parity error detection helps provide extremely fast, accurate, and secure transmissions.

To operate:

Now, smartcard technology will be reviewed. In operation, smartcard-readers typically generate an electromagnetic field tuned to 13.56 MHz. When a credential enters this field, the credential’s internal RFIC is activated. The RFIC then transmits its unique data back to the reader as an encoded modulated signal.

Smartcard-readers are typically able to read the sector (i.e. access control) data and/or unique card serial number (CSN) from ISO/ICE 14443-compliant smartcard credentials. Meeting the ISO standard, the cards are quite often programmed at the manufacturer with the brand’s compatible secure key. During the validation process, the credential’s secure key is challenged by the reader. If the secure keys match, the reader will read the card’s sector data; if the secure keys do not match, the reader may only read the credential’s CSN.

For example, to operate:

How can security be improved?
First of all, it should be noted these types of attacks are infrequent. However, with this in mind, there is a range of tools to negate skimming, eavesdropping, and relay attacks.

PSC-1[3]
Proximity cards are the most popular card used in access control applications.

The security of proximity cards is increasing. One of the easiest solutions is to provide two-factor validation of the person wanting to enter. Not only must a person have something (e.g. authorized card or tag), but he or she must also know the personal identification number (PIN). Especially for those higher-security areas, a card-reader with an integrated keypad can be specified. To enter, the individual presents their card, gets a flash and beep, and then enters the PIN on the keypad. The electronic access control system then prompts a second beep on the reader, and the individual is authorized to enter.

Integrators can also provide a high-security ‘handshake,’ or code, between the card, tag, and reader to help prevent credential duplication and ensure customer’s readers will only collect data from specially coded credentials. In a sense, it is the electronic security equivalent of a mechanical key management system, in which a customer’s organization is the only one that has the key they use. Such keys are only available through the installing contractor, and another company is never provided with the same key.

In the electronic access control scenario, no other company will have the reader/card combination a customer can get from the building owner via the installer. Only its reader will be able to read their card or tag and their reader will read no other card or tag.

Smartcard systems, while often a cost comparable to proximity card systems, may be more secure and can be used for applications beyond access control, such as library checkouts or a hospital cafeteria.

Delta-3[4]
Smartcard-readers have several options that can increase card security.

Regarding smartcards, customers should be informed about MIFARE, which is based on NXP semiconductor’s technology. MIFARE is available on all smartcards sold in North America, regardless of manufacturer, as it is the security standard. Specifiers have a choice of a MIFARE-protected card or not, however, for security, one should choose smartcards with MIFARE.

There are a series of MIFARE security levels. Manufacturers can provide a quick run-through so the right level of security is specified for customers. Typically, to minimize costs, security contractors will choose a relatively inexpensive smartcard and concentrate security efforts in the back office.

Additional encryption on the card, transaction counters, and other methods known in cryptography are then employed to make cloned cards useless or enable the back office to detect a fraudulent card and put it on a blacklist. It is important to remember systems working solely with online readers (i.e. devices with a permanent link to the back office) are easier to protect than systems with offline readers, since real-time checks are not possible and blacklists cannot be updated as frequently with offline systems.

Delta ISO 1k[5]
Smartcards, for most applications, may provide higher security than proximity cards.

Another precaution that can be taken involves the aforementioned security handshake between the smartcard and reader. This adaption works exactly the same with smartcard solutions as it does with proximity systems.

A card validation option can also be employed. In this enhancement, the cards and readers are programmed with a fraudulent data detection system. The reader will scan through the credential’s data in search of discrepancies in the encrypted data, which normally occurs during credential cloning. Such a validation feature is an additional layer of protection.

Conclusion
When designing secure spaces, the doors, hardware, and access control systems are paramount. However, this framework is only acceptable when steps are taken to prevent hacking. As an electronic security contractor, a concern is the security of customer’s contactless card access control systems as they are. When planning a new system, it is imperative all aspects of customers’ security and safety are examined.

Scott Lindley[6]Scott Lindley is a 25-year veteran of the contactless card access control provider industry. Since 2003, he has been president of Farpointe Data, a DORMA Group company, which has become a global partner for premium radio frequency identification (RFID) systems, including proximity, smart, and long-range solutions for access control professionals around the world. Lindley was previously director of RFID products at Keri Systems and sales manager, North America, for Motorola Indala. He can be contacted by e-mail at scottl@farpointedata.com.

Endnotes:
  1. [Image]: http://www.constructioncanada.net/wp-content/uploads/2015/04/Lady-at-Door.jpg
  2. [Image]: http://www.constructioncanada.net/wp-content/uploads/2015/04/P-640-H.jpg
  3. [Image]: http://www.constructioncanada.net/wp-content/uploads/2015/04/PSC-1.jpg
  4. [Image]: http://www.constructioncanada.net/wp-content/uploads/2015/04/Delta-3.jpg
  5. [Image]: http://www.constructioncanada.net/wp-content/uploads/2015/04/Delta-ISO-1k.jpg
  6. [Image]: http://www.constructioncanada.net/wp-content/uploads/2015/04/Scott-Lindley.jpg

Source URL: https://www.constructioncanada.net/ensuring-security-with-card-based-access-control-systems/