Access Readers and Tokens: Difference between revisions

From ACCX Products Wiki
Jump to navigation Jump to search
 
(4 intermediate revisions by the same user not shown)
Line 2: Line 2:


====Overview====
====Overview====
In the beginning, physical access control typically meant a person (security guard, receptionist, etc) whose job it was to watch the entrances to a restricted area and only let in people who were on a list or personally recognized by them as an authorized user. Technology solutions to the problem of controlling access came about both as a way to save money on guards, and as a way to better enforce policies. It is important to recognize that controlling access requires both identification and authentication of people. A good discussion of this problem is here:
Once upon a time, physical access control typically meant there was a person (security guard, receptionist, etc) whose job it was to watch the entrances to a restricted area and only let in people who were on a list or personally recognized by them as an authorized user. Technology solutions to the problem of controlling access came about both as a way to save money and as a way to better enforce policies.  
*[http://technet.microsoft.com/en-us/library/cc512578.aspx Microsoft Essay on Identification vs. Authoentication]


It is important to recognize that controlling access requires both identification and authentication of people. A good discussion of this problem is here:
*[http://technet.microsoft.com/en-us/library/cc512578.aspx Microsoft Essay on Identification vs. Authentication]
*[http://en.wikipedia.org/wiki/Authentication#Authentication_vs._authorization Wikipedia Authorization and Authentication compared]
   
   
<B>Identification</B> in this context means uniquely identifying each user who presents at an access terminal or reader. Since the point of access control and physical security is to enforce a security policy, it is important to know which exact user is attempting to gain access to the resource in question. Some typical identification methods include:
<B>Identification</B> in this context means uniquely identifying each user who presents at an access terminal or reader. Since the point of access control and physical security is to enforce a security policy, it is important to know which exact user is attempting to gain access to the resource in question. Some typical identification methods include:
Line 11: Line 13:
**Biometric ID (Typically only used in very high-end systems such as the [http://www.morphotrak.com/MorphoTrak/MorphoTrak/mt_AcTa.html Morphotrack products]
**Biometric ID (Typically only used in very high-end systems such as the [http://www.morphotrak.com/MorphoTrak/MorphoTrak/mt_AcTa.html Morphotrack products]


<B>Authentication</B> means verifying that the user is who they claim they are. It is important to logically separate these, as our system  may present different choices or use different methods for different users. Other problems that come up are uses with the same user-selected PIN, etc. Authentication methods for users include:
<B>Authentication</B> means verifying that the user is who they claim they are. They are logically separated, as our system  may present different choices or use different methods based on the user's identification. The "authorization" component may not be unique to eachj user either. (PIN codes for instance.) Authentication methods for users include:
*Something they have (a physical token)
*Something they have (a physical token)
**Something they know (a password or PIN)
**Something they know (a password or PIN)
Line 17: Line 19:


====Considerations for Access Control====
====Considerations for Access Control====
*Method must be simple and reliable
Access control systems are put in place to increase security and to make securing the assets easy and convenient. Users tend to obey security policies if they are easy to follow and provide a recognizable benefit, such as making their home or workplace feel more secure. Some genberal guidelines for designing access control hardware and software systems include:
 
*Procedures must be simple and reliable
**Users tend to bypass controls that are too burdensome
**Users tend to bypass controls that are too burdensome
*Must not lock out legitimate users frequently
*Must not lock out legitimate users frequently
*Must not allow unauthorized users in to the extent possible
*Must not allow unauthorized users in to the extent possible
*Must not generate excessive false alarms and trouble messages
*Should provide easily-recognized benefits so that people want to use the system properly
**Convenience
***Automatic opening of doors, integration with lighting along corridors
***Remote unlock for after-hours access, workmen, etc.
***Traffic control/elimination of solicitors
***Visitor management
***Key auditing and revocation
*Software can provide for more advanced security features than traditional keys
**Two-factor authentication an option (Token+PIN, PIN+Thumbprint, etc)
**Two-factor authentication an option (Token+PIN, PIN+Thumbprint, etc)
**SMS messaging/one-time PIN
**SMS messaging/one-time PIN
Line 28: Line 43:
**Tailgating (multiple users entering on one token)
**Tailgating (multiple users entering on one token)
**Pass-back (Users passing their token to the outside so that someone else can use it)
**Pass-back (Users passing their token to the outside so that someone else can use it)
**Doors left open/propped open
**Alarms for doors left open/propped open, other policy violations


====Types of tokens====
====Types of tokens====
Line 66: Line 81:


====Security Problems with RFID====
====Security Problems with RFID====
As a rule, RFID products follow a broad set of physical and low-level signalling standards while using proprietary encryption and authentication techniques. This means that only the most basic security features (such as a "license plate" read of a card's serial number) are broadly compatible between vendors. It also means that security vulnerabilities probably exist in all of these systems.
=====Mifare Classic Vulnerabilities=====
*[http://www.doc.ic.ac.uk/~mgv98/MIFARE_files/report.pdf Practical attacks on the Mifare Classic (2008)]
*[http://www.doc.ic.ac.uk/~mgv98/MIFARE_files/report.pdf Practical attacks on the Mifare Classic (2008)]
*[http://www.sos.cs.ru.nl/applications/rfid/main.html? Radboud University RFID Project]
=====Signalling/other Vulnerabilities=====
The proprietary nature of most vendor's systems also means that transport layer for messages between readers and devices often defaults to a simple, non-encrypted protocol such as [http://www.accxproducts.com/wiki/index.php?title=Interface_Options#Wiegand_Interface Wiegand signalling]. Below are some resources for these vulnerabilities.
*[http://www.defcon.org/html/links/dc-archives/dc-15-archive.html Access Control Hacking (Defcon 15) with Zac Franken]
*[http://www.defcon.org/html/links/dc-archives/dc-15-archive.html Access Control Hacking (Defcon 15) with Zac Franken]
*[http://www.crypto.com/papers/humancambridgepreproc.pdf Toward a Broader View of Security Products - Matt Blaze]
=====RFID Debug tools=====
*[http://www.proxmark.org/ Proxmark - FPGA-based RFID debugger]
*[http://www.rfideas.com/ RFIDeas - Makers of universal readers, card identification tools, etc.]
*[http://hackaday.com/2011/09/26/barebones-pic-rfid-tag/ Bare-bones RFID tag and passive tag cloning]

Latest revision as of 08:55, 14 May 2012

Identification and Authentication Methods

Overview

Once upon a time, physical access control typically meant there was a person (security guard, receptionist, etc) whose job it was to watch the entrances to a restricted area and only let in people who were on a list or personally recognized by them as an authorized user. Technology solutions to the problem of controlling access came about both as a way to save money and as a way to better enforce policies.

It is important to recognize that controlling access requires both identification and authentication of people. A good discussion of this problem is here:

Identification in this context means uniquely identifying each user who presents at an access terminal or reader. Since the point of access control and physical security is to enforce a security policy, it is important to know which exact user is attempting to gain access to the resource in question. Some typical identification methods include:

  • Token ID (i.e. a barcode,serial number, etc)
    • Username/user ID
    • Biometric ID (Typically only used in very high-end systems such as the Morphotrack products

Authentication means verifying that the user is who they claim they are. They are logically separated, as our system may present different choices or use different methods based on the user's identification. The "authorization" component may not be unique to eachj user either. (PIN codes for instance.) Authentication methods for users include:

  • Something they have (a physical token)
    • Something they know (a password or PIN)
    • Something they are (biometrics/facial recognition/other trait)

Considerations for Access Control

Access control systems are put in place to increase security and to make securing the assets easy and convenient. Users tend to obey security policies if they are easy to follow and provide a recognizable benefit, such as making their home or workplace feel more secure. Some genberal guidelines for designing access control hardware and software systems include:

  • Procedures must be simple and reliable
    • Users tend to bypass controls that are too burdensome
  • Must not lock out legitimate users frequently
  • Must not allow unauthorized users in to the extent possible
  • Must not generate excessive false alarms and trouble messages
  • Should provide easily-recognized benefits so that people want to use the system properly
    • Convenience
      • Automatic opening of doors, integration with lighting along corridors
      • Remote unlock for after-hours access, workmen, etc.
      • Traffic control/elimination of solicitors
      • Visitor management
      • Key auditing and revocation
  • Software can provide for more advanced security features than traditional keys
    • Two-factor authentication an option (Token+PIN, PIN+Thumbprint, etc)
    • SMS messaging/one-time PIN
    • Tokens with unique ID that changes after each use
    • Interactive applications (Smart phones, tablets)
  • Protect against common failure modes
    • Tailgating (multiple users entering on one token)
    • Pass-back (Users passing their token to the outside so that someone else can use it)
    • Alarms for doors left open/propped open, other policy violations

Types of tokens

Contactless (RFID)
Advantages
  • No electrical connection to the outside world
  • Can be mounted behind glass or inside a secure perimeter
  • No keypad or contacts to require maintenance
Disadvantages
  • Tokens can be interrogated be a third party
  • Transactions can be snooped with RF listening gear.

Types of RFID Tokens

Most of the commercial RFID vendors require an NDA and/or purchase commitment to get access to their detailed specifications. There are at least two systems with widely-published specifications and products available from multiple vendors.

  • EM4100/TK4100
    • Vendor Spec Sheet
    • 125Khz (Low Frequency) tags
    • Read-only and read-write versions available
    • 26-64bits of data typical
    • Writing tends to be slow
  • Mifare
    • 13.56Mhz (High Frequency) tags
    • Have read/write capability
    • Basic encryption on-board
      • Come unconfigured, all 'F' values store in data blocks
      • Blocks of data are stored with encryption key after first write
    • 1K,4K version available
    • NXP, other vendors sell token and reader chips
    • Mifare Code and libraries

Security Problems with RFID

As a rule, RFID products follow a broad set of physical and low-level signalling standards while using proprietary encryption and authentication techniques. This means that only the most basic security features (such as a "license plate" read of a card's serial number) are broadly compatible between vendors. It also means that security vulnerabilities probably exist in all of these systems.

Mifare Classic Vulnerabilities
Signalling/other Vulnerabilities

The proprietary nature of most vendor's systems also means that transport layer for messages between readers and devices often defaults to a simple, non-encrypted protocol such as Wiegand signalling. Below are some resources for these vulnerabilities.

RFID Debug tools