Contactless Access Credentials & Egress

Contactless Access Credentials & Egress 

THE business landscape changing so dramatically over the past few months — possibly irrevocably — the task for many in security, including for consultants, integrators, dealers and manufacturers. As businesses and organizations begin to reopen, many are rethinking the way they budget for security, including access control, video surveillance and intrusion Alarm.

It’s amazing that a microscopic virus from China could virtually bring the world to a standstill. The 2020 global pandemic has reshaped the way people work, learn and play on every conceivable level. In addition to the devastating impact on global health and safety, COVID-19 has infected the health of the global economy.

The growing call to return to work will surely accelerate many of the physical (not social) distancing, sterilization and occupancy issues that we are currently facing. Hopefully, modern medicine will rise to the challenge sooner than later with a COVID-19 vaccine, but this may take some time even with accelerated testing and approvals.

Commonly touched items that can cause the spread of coronavirus (and other infectious disease) can include things like elevator buttons, ATM and checkout keypads, door knobs and handles, keyboards and mice, and door/entry access control panels — just to name a few. When you think about all of the “touchable” items that you interact with each day it becomes a daunting task to stay away from them and feel safe, clean and virus-free. Well, it's no surprise that right now, businesses are feeling the need to provide solutions and upgrade their safety and security as the workforce begins to come back to the office or plan for that to happen soon.

Contactless credentials are the most common component used in an access control system and while many look alike externally, important differences exist. “Contactless credentials and touchless access control can help reduce the number of surfaces that people touch on campus and can help reduce contact transmission” said Arindam Bhadra founder SSA Integrate.

Credentials Overview

While other credential options exist, the most common choice is RFID 'contactless' types. Nearly 90% of systems use contactless cards or fobs built as unpowered devices that are excited and read when brought close to a reader unit. This 'wireless power' process is called resonant energy transfer.

In Proximity Reader technology the reader itself emits a field collected by the card, eventually reaching enough of a charge that temporarily powers a wireless data transfer between the two. The image below details typical internal components of the type, where the wire antenna collects energy, the capacitor stores it, and when full discharges ICC chip (credential) data back through the antenna to the reader:

In general, all contactless credentials work this way but the exact parameters like operating frequency, size of credential data, encryption, and format of the data greatly vary in the field. In the sections that follow, we examine these parameters in depth.

Contactless Credentials Dominated by Giants

One of the biggest differences in contactless credentials is the format of the data it contains, typically determined by the manufacturer. Upwards of three-quarters of contactless credentials use formats developed or licensed by HID Global and NXP Semiconductor.

HID Overview

Since the market began migrating away from 'magstripe' credentials in the early 1990's, HID Global gained marketshare with its 125 kHz "Prox" offerings. Now part of ASSA ABLOY, HID has become the most common security market credential provider, and OEM of products for access brands including Lenel, Honeywell, and Siemens. The company's best-known formats include:

·     "Proximity": an older 125 kHz format, but still regularly used and specified even in new systems

·      iClass: an HID Global specific 13.56 MHz 'smartcard'

HID is the most common choice for credentials in the US. Because of commanding market share, HID is able to license the use of its credential formats to a variety of credential and reader manufacturers. Even when marketing general 'ISO 14443 compliant' offerings, HID strictly follows "Part B" standards (vs Part "A" - described in more detail later).

NXP Overview

Formerly Phillips Semiconductor, Europe-based NXP offers a number of 'contactless' credential components used in a number of markets - security, finance, and industrial. With widespread adoption of ISO standards in credential specifications, NXP offers a catalog of types built to spec, including:

·    MIFARE PROX: NXP's 125 kHz format built on early drafts of ISO standards, but not as widely adopted as HID's "Proximity" lines

·  MIFARE/DESFire: an ISO Standards-based NXP 'smartcard' format, also operating on 13.56 MHz the 'DESFire' moniker was introduced in the early 2000s to distinguish the format from 'MIFARE Classic' credentials. DESFire credentials feature stronger encryption that required higher performing chips. The 'Classic' format fell under scrutiny for being vulnerable to snoop attacks, and DESFire countered this threat. Because these improvements were made only to credentials, and existing MIFARE readers could still be used, the new format became known as 'MIFARE/DESFire'.

Unlike HID, NXP's credential formats are 'license-free' and the according standards are available for production use for no cost. NXP manufacturers all ISO 14443 product to "Part A" standards. NXP's market share is largest outside the US, mostly attributed to the early (starting in ~1990's) adoption of HID Global formats inside the US, but the brand's formats are often the primary ones used in Europe and Asia for physical access control.

US vs the World

Because of NXP Semiconductor’s strength in EMEA and the lack of licensing, MIFARE, DESFire, and the associated derivatives are popular outside the US.

However, HID Global's strongest markets are in the Americas, especially in the US. Despite the additional cost of licensing compliant credentials and readers, the company also produces products that use the unlicensed NXP formats and has equal or greater operability as a result.

125 kHz vs 13.56 MHz

The credential's RF frequency factors a key role in its performance. Because readers can only scan credentials operating at specific matching frequencies, this attribute is the first to consider. If frequency and format do not match, credentials are simply not read. The chart below shows the frequency of popular formats:

Perhaps the biggest difference between 125 kHz and 13.56 MHz frequencies is credential security. 125 kHz formats do not support encryption and are easily snooped or spoofed. However, 13.56 MHz formats are encrypted (usually 128 bit AES or greater) and credential data can only be read by a device that is specifically given the key to do so. 

Deciphering Credential Types

One of the most challenging jobs for integrators and end users alike is simply identifying which credential a system is using. The market is crowded with hundreds of options with no guarantees of compatibility for items that all appear to be a blank white card. The image below details four different credential types with dramatically different performance and security characteristics, yet they all look the same to the untrained eye:

For contactless types, you must know three attributes that are not typically clearly printed or overtly labeled on the credential:

·     Format Name: This designates how and how much data the credential transmits, usually defined by an ISO standard for Wiegand formats. For example H10301 is the typical 26 bit format, H10304 is HID's Wiegand 37 bit, and so on. The best way to confirm the format used by a card is to locate a box label of existing cards (See image below 'Card Format Details') to interpret the raw hexadecimal output as a specific format. If card boxes are not available, researching the credential type used by checking the format used in the Access Control Management Software application, typically in the cardholder and reader configuration settings.

·       Facility Code: This attribute is NOT printed on the card in most cases. This piece of information is also typically found on box labels but can be decoded using the same online calculators for format name. In certain cases, access systems must be configured to accept specific facility codes and some low-end systems may limit acceptable codes to one specific number. Without knowing this code, credentials are not sure to work.

·       Card ID/Serial Number (CSN/UID): In many cases, the ID number is embossed or printed on the card. This number is the 'unique ID' that ties a user to a specific badge. While concurrent numbers are not an issue, redundant numbers are, and the same Card ID and Facility Coded credential cannot be issued twice in the same system. The image below shows.

Interestingly, the Sales Order/Batch Number information printed on the card is often not used by the access system at all and is only printed to assist in researching the origin of the card as shipped to a specific distributor, end user, or dealer.

In some cases, a card vendor or distributor will 'read' an unknown card for a fee, but turn around times may take several business days.

Often, the box for cards currently in production is often the quickest, easiest way to gather all three pieces of this information, if not a reordering part number, as shown below:

The ISO/IEC 14443 Division

Very little separates HID's iClass from NXP's MIFARE offerings, and if not for ambiguous interpretation of an ISO standard, they would 'look' the same to most readers. However, because early versions of the standard left room for differentiation, HID and NXP designed their 'compliant' standards with a different encryption structure.

The end result is both versions of credential claim 'ISO 14443 Compliance', but are not entirely interchangeable. To reconcile this difference, ISO revised 14443 to include parts 'A and/or B' to segregate the two offerings. The default, basic serial number of cards is readable in both A & B parts, but any encoded data on the card is unreadable between the two because the original standard left room for implementation ambiguity.

In general, because there is no licensing cost in using 'Part A' standards, many low-cost, non-US target market, and new reader products start here. However, readers marketed specifically in the US or from vendors with a broader global market license use 'Part B' compliance common to HID.

For example, this TSDi reader supports 14443-A, but not 14443-B, meaning in practical terms in does not support HID's 13.56 MHz iClass formats, but does support NXP's 13.56 MHz MIFARE/DESFire formats:

In contrast, HID iClass readers support both 'A' and 'B' along with the non-ISO specific 'CSN' such that either type of credentials will work with these readers:

13.56 MHz Smartcard Interoperability

While the 'Part A & B' division in ISO 14443 separates formats from being the same, it does not always mean they are unusable with each other. Portions of ISO 14443 are the same in both parts, including the 'Card Serial Number'. For some access systems, this is the unique number that identifies unique users, and because this number is not encoded, it will register in 'non-standard' readers:

·    CSN/UID String: Essentially the card's unique identifier is readable because it is not stored in the deep 'encrypted' media. Many simple EAC platforms use only this number to define a user, and instead use the internal database to assign rights, schedules, and privileges.

·    Encoded Read/Write: However, the vast majority of storage within the card is encrypted and unreadable unless compliant readers are used. Especially for access systems using the credential itself for storage (e.g.: Salto, Hotel Systems) and for multi-factor authentication (e.g.: biometrics) high security deployments, the simple CSN is not sufficient.

The CSN Loophole

In terms of security, not all credential details are encrypted. The 'Card Serial Number' (defined by ISO standards) for 13.56 MHz cards can often be read regardless of underlying format, modulation method, or encryption. The CSN may be usable as a unique ID by the system, but the full data set of the credential will not be available.

For smaller systems with only a few doors and a hundred or fewer cardholders, using the CSN as the primary ID is common due to the ease of enrollment in using CSNs as unique badge numbers. However, for high-security sites where access identity encryption is required by standard or when credentials are used for multiple integrated systems, using CSNs to identify issued cardholders is often not approved. Rather, the card's encrypted data is required instead.

Form Factor

Credential shapes are not just limited to cards or fobs. The size and method of hosting a credential can include stickers, tokens, cell-phone cases, or even jewellery.

The form factor of the credential often is an important consideration in overall durability and service life. For example, while a white PVC card may be ideal to print an ID badge on and hang from a lanyard, it can easily be bent or broken in a rough environment. A key fob, while unsuitable for printing a picture on, is designed to be durable enough to withstand abuse, harsh environment exposures, and even submersion in water.

The right form factor choice should be dictated by the user and the user's environment, and generally, all major credential types have numerous form factor options to suit.

Touchless Switches

Touchless wall switch makes opening a door simple and germ free. Blue LED back-lighting highlights the switch at all times, other than during activation. This provides a visual reference of the switch’s location in low light conditions. Its low-profile design makes it blend into your wall.

Encryption in Access Control

Encryption in Access Control

In the process of sending information from sender to receiver, an unauthorized user may work in an active way (update it) or passive way (read or delay in sending). There must be some techniques which assures receiver that whatever information received from authorized user as well as must be same as sent from sender side, in addition to this receiver never make Denial of service. Nowadays sharing of information or resources is a very common thing from single user to the network to the cloud. When information is moving from one node to another node, security is a big challenge. When information is stored on the user’s computer, it is under control but when it is in movement user lose control over it. In the world of security, to convert information from one form to another form, Encryption is used, so that only authorized party will able to read. Encryption is a technique for any security-conscious organization.

Access control is one of the techniques for security for providing integrity and confidentiality. Its main task is to regulate the sharing of resources or information. Access control denotes whether a particular user has rights to perform particular operation on particular data. Access control policies define the users’ permission in order to provide security. These policies are defined according to an access control model. It prevents unauthorised sharing of resources or information. It also secures data against internal attacks and disclosure, leakage of information to cyberterrorist.

As an RFID access card gets close to its reader, it begins to wirelessly transmit its binary code. If using 125KHz proximity, then the wireless protocol is typically Wiegand, an older technology that can no longer provide the security needed today. In a worst case scenario, hackers could simply lift that fixed Wiegand clear text, retransmit it to the card reader and, from there, physically enter the facility and thereby the network, allowing these characters free rein to target the IT system. Data encryption is part of good practice and is, indeed, an opportunity for the security industry.

Mostly Access control is user identification to do a specific job, provide authentication, then provide that person the right to access data This is just like granting an individual permission to log in to network using name and password, allowing then to use resources after confirming whether they have permit to do particular job. So, how to provide permission to a particular user to perform their task? Here access control is used.

There are three major elements to access control system encryption:

Authentication: Determining whether someone is, in fact, who they say they are. Credentials are compared to those on file in a database. If the credentials match, the process is completed and the user is granted access. Privileges and preferences granted for the authorized account depend on the user’s permissions, which are either stored locally or on the authentication server.    The settings are defined by an administrator. For example, multifactor authentication, using a card plus keypad, has become commonplace for system logins and transactions within higher security environments.

Integrity: This ensures that digital information is uncorrupted and can only be accessed or modified by those authorized to do so. To maintain integrity, data must not be changed in transit; therefore, steps must be taken to ensure that data cannot be altered by an unauthorized person or program. Should data become corrupted, backups or redundancies must be available to restore the affected data to its correct state.  Measures must also be taken to control the physical environment of networked terminals and servers because data consistency, accuracy and trustworthiness can also be threatened by environmental hazards such as heat, dust or electrical problems. Transmission media (such as cables and connectors) should also be protected to ensure that they cannot be tapped; and hardware and storage media must be protected from power surges, electrostatic discharges and magnetism.

Non-repudiation: This declares that a user cannot deny the authenticity of their signature on a document or the sending of a message that they originated. A digital signature – a mathematical technique used to validate the authenticity and integrity of a message, software or digital document – is used not only to ensure that a message or document has been electronically signed by the person, but also to ensure that a person cannot later deny that they furnished it, since a digital signature can only be created by one person.

Here is Encryption Algorithms

1. AES

The Advanced Encryption Standard (AES) is the algorithm trusted as the standard by the U.S. Government and numerous organizations.

Although it is extremely efficient in 128-bit form, AES also uses keys of 192 and 256 bits for heavy duty encryption purposes.

AES is largely considered impervious to all attacks, with the exception of brute force, which attempts to decipher messages using all possible combinations in the 128, 192, or 256-bit cipher. Still, security experts believe that AES will eventually be hailed the de facto standard for encrypting data in the private sector. AES-128, AES-192 and AES-256 module is FIPS 140-2 certified. “FIPS mode” doesn't make Windows more secure. It just blocks access to newer cryptography schemes that haven't been FIPS-validated.

2. Twofish

Computer security expert Bruce Schneier is the mastermind behind Blowfish and its successor TrueCrypt. Keys used in this algorithm may be up to 256 bits in length and as a symmetric technique, only one key is needed.

Twofish is regarded as one of the fastest of its kind, and ideal for use in both hardware and software environments. Like Blowfish, Twofish is freely available to anyone who wants to use it. As a result, you’ll find it bundled in encryption programs such as PhotoEncrypt, GPG, and the popular open source software TrueCrypt.

3. Triple DES

Triple DES was designed to replace the original Data Encryption Standard (DES) algorithm, which hackers eventually learned to defeat with relative ease. At one time, Triple DES was the recommended standard and the most widely used symmetric algorithm in the industry.

Triple DES uses three individual keys with 56 bits each. The total key length adds up to 168 bits, but experts would argue that 112-bits in key strength is more like it.

Despite slowly being phased out, Triple DES still manages to make a dependable hardware encryption solution for financial services and other industries.

Here is How Encryption Works

Encryption consists of both an algorithm and a key. Once a number is encrypted, the system needs to have a key to decrypt the resultant cyphertext into its original form. There are two varieties of algorithms— private (symmetric) and public (asymmetric).

Private key encryption uses the same key for both encryption and decryption. Be aware—if the key is lost or intercepted, messages may be compromised. Public key infrastructure (PKI) uses two different but mathematically linked keys. One key is private and the other is public.

With PKI, either key can be used for encryption or decryption. When one key is used to encrypt, the other is used to decrypt. The public portion of the key is easily obtained for all users. However, only the receiving party has access to the decryption key allowing messages to be read. Systems may use private encryption to encrypt data transmissions but use public encryption to encrypt and exchange the secret key.

Using one or both these algorithms, access credential communications may be encrypted. Many modern cards support cryptography. Look for terms such as 3DES, AES (which the government uses to protect classified information), TEA and RSA.

Adding Encryption to an Access Control System

Integrators should consider 13.56 MHz smart cards to increase security over 125 KHz proximity cards. One of the first terms you will discover in learning about smart cards is “Mifare,” a technology from NXP Semiconductors.

The newest of the Mifare standards, DESFire EV1, includes a cryptographic module on the card itself to add an additional layer of encryption to the card/reader transaction. This is amongst the highest standard of card security currently available. DESFire EV1 protection is therefore ideal for sales to customers wanting to use secure multi-application smart cards in access management, public transportation schemes or closed-loop e-payment applications.

Valid ID is a relatively new anti-tamper feature available with contactless smartcard readers, cards and tags. Embedded, it adds yet an additional layer of authentication assurance to traditional Mifare smartcards. Valid ID enables a smartcard reader help verify that the sensitive access control data programmed to a card or tag is indeed genuine and not counterfeit.

Encrypted Cards and Readers Inhibit Hackers

Whether you need to guard against state sponsored terrorists or the neighborhood teen from hacking the electronic access control systems that you implement, security today starts with encryption. But, that’s just a beginning. To take steps that will further hinder hackers, ask for your manufacturer’s Cybersecurity Vulnerability Checklist.

While many believe that opening their network to cloud services might welcome greater risks, these studies and common mishaps suggest otherwise. Lack of employee education or defined cyber security policies, gaps in physical security and insufficient system maintenance contribute to the greatest number of threats.

How Connected Applications are Shaping Up to Be More Secure

Cloud is not all or nothing. Cloud services can be added to complement an on-premises system and its infrastructure. This can include using cloud applications to store long-term evidence, instead of on local servers or on external storage devices which can end up in the wrong hands. Cloud services can also play a critical role in disaster recovery.

In case servers are damaged by a fire or natural disaster, a full system back-up can be restored using cloud services so operations can continue without delay. Organizations can connect on-premises systems to cloud services to strengthen security and minimize internal and external threats. Here is how.

Automating Updates to Avoid Known Vulnerabilities

Many vulnerabilities that hackers prey on are quickly identified and fixed by vendors in software version updates. Even when an IT team sets scheduled updates in a closed environment, it might not happen fast enough to prevent a breach. The perk of deploying cloud services is that system updates are facilitated by the vendor. As soon as the latest versions and fixes are available, the client will have access to them. This helps to ensure that their systems are always protected against known vulnerabilities.

Considering Security in the Selection of Your Cloud Service Provider

All cloud solutions are not created equally. To identity the most secure cloud services, it’s important for organizations to take a closer look at the vendor’s security policies and built-in security mechanisms. This should include encrypted communications, data protection capabilities, and strong user authentication and password protection.

These mechanisms help protect organizations against hackers and other internet- based attacks. From an internal standpoint, they also ensure only those with defined privileges will be able to access or use resources, data and applications.

Organizations should also look at the back-end cloud platform on which the services are built. Tier-one cloud providers such as Microsoft have a global incident response team that works around the clock to mitigate attacks. The company also builds security into its cloud platform from the ground up, embedding mandatory security requirements into every phase of the development process. Top cloud providers also go out of their way to comply with international and industry-specific compliance standards, and participate in rigorous third-party audits which test and verify security controls.

NFC to Be More Secure

Nowadays a set of short range wireless technologies is use for public transport, opeing a door or parking lot it’s called NFC (Near Field Communication). These chips are most compatible with devices due to they are formatted in NFC Data Exchange Format (NDEF) and implemented standards published by NFC forum. Their content can be encrypted and some examples are NTAG212, NTAG213, NTAG215 y NTAG216. MIFARE is the NXP Semiconductors-owned trademark and it covers proprietary technologies based upon various levels of the ISO/IEC 14443, incorporating some encryption standards (AES and DES/Triple-DES) and also an older proprietary encryption algorithm.

Conclusion

Access Control is the primary thing for security and is used to protect private and confidential data from attack. Basic access control understanding helps us to manage information security. Four basic models are discussed here. Apart from these four, several models have been developed to increase authenticity, integrity, confidentiality. Another way to provide security is the encryption which uses mathematical algorithm with proper to key to perform operation. Both encryption and access control are used for privacy and to prevent unauthorized users from accessing some object. That data will be in motion so copy or deletion will be possible. With ACL, you can just allow or reject access on a software level not on physical storage. Encryption is used to provide confidentiality of data but data may be access by untrusted entity. Access control is used to provide limited access to the particular entity to particular user as defined by owner.

Note: FIPS (Federal Information Processing Standard) 140-2 is the benchmark for validating the effectiveness of cryptographic hardware. If a product has a FIPS 140-2 certificate you know that it has been tested and formally validated by the U.S. and Canadian Governments.
What is the difference between FIPS 140-2 and FIPS 197 certification? FIPS 197 certification looks at the hardware encryption algorithms used to protect the data. FIPS 140-2 is the next, more advanced level of certification. FIPS 140-2 includes a rigorous analysis of the product's physical properties.
FIPS 140-2 requires that any hardware or software cryptographic module implements algorithms from an approved list. The FIPS validated algorithms cover symmetric and asymmetric encryption techniques as well as use of hash standards and message authentication

References

G.Wang,Q.Liu,J.Wu “Hierarchical attribute-based encryption for fine-grained access control in cloud storage services”2010

M.Green,G.Ateniese “Identity-based proxy re-encryption”2007