Access Readers and Tokens: Difference between revisions

From ACCX Products Wiki
 
(15 intermediate revisions by the same user not shown)
Line 2: Line 2:


====Overview====
====Overview====
*Identification in this context means uniquely identifying each user who presents at an access terminal or reader
Once upon a time, physical access control typically meant there was a person (security guard, receptionist, etc) whose job it was to watch the entrances to a restricted area and only let in people who were on a list or personally recognized by them as an authorized user. Technology solutions to the problem of controlling access came about both as a way to save money and as a way to better enforce policies.
**Token ID
 
It is important to recognize that controlling access requires both identification and authentication of people. A good discussion of this problem is here:
*[http://technet.microsoft.com/en-us/library/cc512578.aspx Microsoft Essay on Identification vs. Authentication]
*[http://en.wikipedia.org/wiki/Authentication#Authentication_vs._authorization Wikipedia Authorization and Authentication compared]
<B>Identification</B> in this context means uniquely identifying each user who presents at an access terminal or reader. Since the point of access control and physical security is to enforce a security policy, it is important to know which exact user is attempting to gain access to the resource in question. Some typical identification methods include:
*Token ID (i.e. a barcode,serial number, etc)
**Username/user ID
**Username/user ID
**Biometric
**Biometric ID (Typically only used in very high-end systems such as the [http://www.morphotrak.com/MorphoTrak/MorphoTrak/mt_AcTa.html Morphotrack products]


*Authentication means verifying that the user is who they claim they are
<B>Authentication</B> means verifying that the user is who they claim they are. They are logically separated, as our system  may present different choices or use different methods based on the user's identification. The "authorization" component may not be unique to eachj user either. (PIN codes for instance.) Authentication methods for users include:
**Something they have (a token)
*Something they have (a physical token)
**Something they know (a password)
**Something they know (a password or PIN)
**Something they are (biometrics/facial recognition/other trait)


*Identification and authentication may be combined, but need to be considered separately.  
====Considerations for Access Control====
Access control systems are put in place to increase security and to make securing the assets easy and convenient. Users tend to obey security policies if they are easy to follow and provide a recognizable benefit, such as making their home or workplace feel more secure. Some genberal guidelines for designing access control hardware and software systems include:


====Considerations for Access Control====
*Procedures must be simple and reliable
*Method must be simple and reliable
**Users tend to bypass controls that are too burdensome
**Users tend to bypass controls that are too burdensome
*Must not lock out legitimate users frequently
*Must not lock out legitimate users frequently
*Must not allow unauthorized users in to the extent possible
*Must not allow unauthorized users in to the extent possible
***Tailgating protection
*Must not generate excessive false alarms and trouble messages
***Pass-back protection


====End to end session protocol====
*Should provide easily-recognized benefits so that people want to use the system properly
Considerations
**Convenience
*Ideally, session is encrypted and authenticated at all levels
***Automatic opening of doors, integration with lighting along corridors
**User should know they are interacting with a legitimate terminal
***Remote unlock for after-hours access, workmen, etc.
**Token should know that it is talking to a legitimate reader
***Traffic control/elimination of solicitors
**Reader should not leak any secrets during transaction
***Visitor management
**Secrets should not be subject to interception between reader and server/panel
***Key auditing and revocation
***Physically secure wiring/network
***Secure/encrypted protocols
*Messages should be not be able to vulnerable to session replay
**Time stamping/serializing of messages
*Messages should not be subject to intentional or accidental alteration in transit
**Message CRC and cryptographic signing/MAC protocol


Protocols and Session Flow
*Software can provide for more advanced security features than traditional keys
*[[Example Message Flow]]
**Two-factor authentication an option (Token+PIN, PIN+Thumbprint, etc)
**SMS messaging/one-time PIN
**Tokens with unique ID that changes after each use
**Interactive applications (Smart phones, tablets)
*Protect against common failure modes
**Tailgating (multiple users entering on one token)
**Pass-back (Users passing their token to the outside so that someone else can use it)
**Alarms for doors left open/propped open, other policy violations


====Types of tokens====
====Types of tokens====
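Review bot: the "End to end session protocol" block is dropped here (legitimate-terminal and legitimate-reader checks, no secret leakage, replay protection by time stamping/serializing, CRC and signing/MAC, and the [[Example Message Flow]] link), and nothing in the revised "Considerations for Access Control" list replaces or links to it. Keep it or link the page it moved to, since the later text of this same revision names unencrypted Wiegand transport as a problem. In the new text, "eachj" (Authentication paragraph) and "genberal" (Considerations paragraph) are typos, and 'The "authorization" component' in the Authentication paragraph reads as if "authentication" was meant.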
Line 49: Line 56:
*Transactions can be snooped with RF listening gear.
*Transactions can be snooped with RF listening gear.


======Types of RFID Tokens======
====Types of RFID Tokens====
Most of the commercial RFID vendors require an NDA and/or purchase commitment to get access to their detailed specifications.
There are at least two systems with widely-published specifications and products available from multiple vendors.
 
*EM4100/TK4100
**[http://www.yzrfid.com/download/ic%20cards/EM4100.pdf Vendor Spec Sheet]
**125Khz (Low Frequency) tags
**Read-only and read-write versions available
**26-64bits of data typical
**Writing tends to be slow
 
*Mifare
*Mifare
**13.56Mhz (High Frequency) tags
**Have read/write capability
**Have read/write capability
**Basic encryption on-board
**Basic encryption on-board
***Come unconfigured, all 'F' values
***Come unconfigured, all 'F' values store in data blocks
***Blocks of data are stored with encryption key after first write
***Blocks of data are stored with encryption key after first write
**1K,4K version available
**1K,4K version available
**NXP, other vendors sell token and reader chips
***[http://www.nxp.com/products/identification_and_security/smart_card_ics/mifare_smart_card_ics/ NXP Mifare site]
**Mifare Code and libraries
***[https://github.com/adafruit/Adafruit-PN532 Adafruit PN532 Arduino code]
***[http://www.libnfc.org/ LibNFC]
====Security Problems with RFID====
As a rule, RFID products follow a broad set of physical and low-level signalling standards while using proprietary encryption and authentication techniques. This means that only the most basic security features (such as a "license plate" read of a card's serial number) are broadly compatible between vendors. It also means that security vulnerabilities probably exist in all of these systems.
=====Mifare Classic Vulnerabilities=====
*[http://www.doc.ic.ac.uk/~mgv98/MIFARE_files/report.pdf Practical attacks on the Mifare Classic (2008)]
*[http://www.sos.cs.ru.nl/applications/rfid/main.html? Radboud University RFID Project]
=====Signalling/other Vulnerabilities=====
The proprietary nature of most vendor's systems also means that transport layer for messages between readers and devices often defaults to a simple, non-encrypted protocol such as [http://www.accxproducts.com/wiki/index.php?title=Interface_Options#Wiegand_Interface Wiegand signalling]. Below are some resources for these vulnerabilities.
*[http://www.defcon.org/html/links/dc-archives/dc-15-archive.html Access Control Hacking (Defcon 15) with Zac Franken]
*[http://www.crypto.com/papers/humancambridgepreproc.pdf Toward a Broader View of Security Products - Matt Blaze]
=====RFID Debug tools=====
*[http://www.proxmark.org/ Proxmark - FPGA-based RFID debugger]
*[http://www.rfideas.com/ RFIDeas - Makers of universal readers, card identification tools, etc.]
*[http://hackaday.com/2011/09/26/barebones-pic-rfid-tag/ Bare-bones RFID tag and passive tag cloning]
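Review bot: the Mifare bullet still lists "Basic encryption on-board" without qualification, while the new "Mifare Classic Vulnerabilities" section links practical attacks on that card family; add a cross-reference under the bullet so readers do not take the on-board encryption as sufficient. Smaller points: "all 'F' values store in data blocks" should read "stored", the Radboud URL ends in a stray "?", "125Khz" and "13.56Mhz" should be "125 kHz" and "13.56 MHz", and "most vendor's systems also means that transport layer" should be "most vendors' systems also means that the transport layer".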

Latest revision as of 08:55, 14 May 2012

Identification and Authentication Methods

Overview

Once upon a time, physical access control typically meant there was a person (security guard, receptionist, etc.) whose job it was to watch the entrances to a restricted area and only let in people who were on a list or whom they personally recognized as authorized users. Technology solutions to the problem of controlling access came about both as a way to save money and as a way to better enforce policies.

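It is important to recognize that controlling access requires both identification and authentication of people. A good discussion of this problem is here:

  • Microsoft Essay on Identification vs. Authentication (http://technet.microsoft.com/en-us/library/cc512578.aspx)
  • Wikipedia Authorization and Authentication compared (http://en.wikipedia.org/wiki/Authentication#Authentication_vs._authorization)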

Identification in this context means uniquely identifying each user who presents at an access terminal or reader. Since the point of access control and physical security is to enforce a security policy, it is important to know exactly which user is attempting to gain access to the resource in question. Some typical identification methods include:

  • Token ID (e.g. a barcode, serial number, etc.)
  • Username/user ID
  • Biometric ID (typically only used in very high-end systems such as the MorphoTrak products)

Authentication means verifying that the user is who they claim they are. Identification and authentication are logically separated, as our system may present different choices or use different methods based on the user's identification. The "authorization" component may not be unique to each user either (PIN codes, for instance). Authentication methods for users include:

  • Something they have (a physical token)
  • Something they know (a password or PIN)
  • Something they are (biometrics/facial recognition/other trait)

Considerations for Access Control

Access control systems are put in place to increase security and to make securing the assets easy and convenient. Users tend to obey security policies if they are easy to follow and provide a recognizable benefit, such as making their home or workplace feel more secure. Some general guidelines for designing access control hardware and software systems include:

  • Procedures must be simple and reliable
    • Users tend to bypass controls that are too burdensome
  • Must not lock out legitimate users frequently
  • Must not allow unauthorized users in to the extent possible
  • Must not generate excessive false alarms and trouble messages
  • Should provide easily-recognized benefits so that people want to use the system properly
    • Convenience
      • Automatic opening of doors, integration with lighting along corridors
      • Remote unlock for after-hours access, workmen, etc.
      • Traffic control/elimination of solicitors
      • Visitor management
      • Key auditing and revocation
  • Software can provide for more advanced security features than traditional keys
    • Two-factor authentication an option (Token+PIN, PIN+Thumbprint, etc)
    • SMS messaging/one-time PIN
    • Tokens with unique ID that changes after each use
    • Interactive applications (Smart phones, tablets)
  • Protect against common failure modes
    • Tailgating (multiple users entering on one token)
    • Pass-back (Users passing their token to the outside so that someone else can use it)
    • Alarms for doors left open/propped open, other policy violations
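
The failure modes in the last group of bullets can be checked in software from reader and door-sensor events. The following is an added example, not code from the ACCX project; the event layout, the token IDs and the 30-second limit are constructed for illustration.

```python
# Added example: constructed events, token IDs and time limit (not ACCX code).
HELD_OPEN_LIMIT = 30  # assumed policy: seconds a door may stay open

SAMPLE_EVENTS = [  # (seconds, kind, token, reader), constructed sample
    (0, "badge", "A1", "entry"),
    (1, "door_open", None, None), (6, "door_close", None, None),
    (20, "badge", "A1", "entry"),   # A1 never badged out
    (40, "badge", "B7", "exit"),    # B7 has no recorded entry
    (41, "door_open", None, None), (90, "door_close", None, None),
    (100, "badge", "A1", "exit"),
    (120, "badge", "A1", "entry"),
]

def evaluate(events):
    """Return (decisions, alarms) for a time-ordered event list."""
    inside = set()         # tokens currently recorded inside the perimeter
    opened_at = None       # time the door opened, None while it is closed
    decisions, alarms = [], []
    for t, kind, token, reader in events:
        if kind == "badge" and reader == "entry":
            if token in inside:
                # Same token entering twice with no exit between: pass-back.
                decisions.append((t, token, "deny"))
                alarms.append((t, "pass-back", token))
            else:
                inside.add(token)
                decisions.append((t, token, "grant"))
        elif kind == "badge" and reader == "exit":
            if token not in inside:
                # Holder got in without badging, e.g. by tailgating.
                alarms.append((t, "exit-without-entry", token))
            inside.discard(token)
            decisions.append((t, token, "grant"))  # never trap people inside
        elif kind == "door_open":
            opened_at = t
        elif kind == "door_close":
            # Checked when the door closes; a live panel would also run a timer.
            if opened_at is not None and t - opened_at > HELD_OPEN_LIMIT:
                alarms.append((t, "door-held-open", None))
            opened_at = None
    return decisions, alarms

if __name__ == "__main__":
    for line in sum(evaluate(SAMPLE_EVENTS), []):
        print(line)
```
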

Types of tokens

Contactless (RFID)
Advantages
  • No electrical connection to the outside world
  • Can be mounted behind glass or inside a secure perimeter
  • No keypad or contacts to require maintenance
Disadvantages
  • Tokens can be interrogated by a third party
  • Transactions can be snooped with RF listening gear.

Types of RFID Tokens

Most of the commercial RFID vendors require an NDA and/or purchase commitment to get access to their detailed specifications. There are at least two systems with widely-published specifications and products available from multiple vendors.

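  • EM4100/TK4100
    • Vendor Spec Sheet (http://www.yzrfid.com/download/ic%20cards/EM4100.pdf)
    • 125 kHz (Low Frequency) tags
    • Read-only and read-write versions available
    • 26-64 bits of data typical
    • Writing tends to be slow
  • Mifare
    • 13.56 MHz (High Frequency) tags
    • Have read/write capability
    • Basic encryption on-board
      • Come unconfigured, all 'F' values stored in data blocks
      • Blocks of data are stored with encryption key after first write
    • 1K and 4K versions available
    • NXP, other vendors sell token and reader chips
      • NXP Mifare site (http://www.nxp.com/products/identification_and_security/smart_card_ics/mifare_smart_card_ics/)
    • Mifare Code and libraries
      • Adafruit PN532 Arduino code (https://github.com/adafruit/Adafruit-PN532)
      • LibNFC (http://www.libnfc.org/)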

Security Problems with RFID

As a rule, RFID products follow a broad set of physical and low-level signalling standards while using proprietary encryption and authentication techniques. This means that only the most basic security features (such as a "license plate" read of a card's serial number) are broadly compatible between vendors. It also means that security vulnerabilities probably exist in all of these systems.

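Mifare Classic Vulnerabilities

  • Practical attacks on the Mifare Classic (2008) (http://www.doc.ic.ac.uk/~mgv98/MIFARE_files/report.pdf)
  • Radboud University RFID Project (http://www.sos.cs.ru.nl/applications/rfid/main.html?)
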
Signalling/other Vulnerabilities

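The proprietary nature of most vendors' systems also means that the transport layer for messages between readers and devices often defaults to a simple, non-encrypted protocol such as Wiegand signalling. Below are some resources for these vulnerabilities.

  • Access Control Hacking (Defcon 15) with Zac Franken (http://www.defcon.org/html/links/dc-archives/dc-15-archive.html)
  • Toward a Broader View of Security Products - Matt Blaze (http://www.crypto.com/papers/humancambridgepreproc.pdf)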
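
To make the point about Wiegand signalling concrete, the added example below (not ACCX code) encodes and decodes the common 26-bit Wiegand frame: an even parity bit, an 8-bit facility code, a 16-bit card number and an odd parity bit. The facility and card values and the `flip` helper are constructed for illustration.

```python
# Added example: standard 26-bit Wiegand layout; sample values are constructed.
def encode_wiegand26(facility, card):
    """Build the frame: even parity, 8-bit facility, 16-bit card, odd parity."""
    if not (0 <= facility < 2**8 and 0 <= card < 2**16):
        raise ValueError("facility is 8 bits, card number is 16 bits")
    data = f"{facility:08b}{card:016b}"
    p_even = data[:12].count("1") % 2        # makes the first 13 bits even
    p_odd = 1 - data[12:].count("1") % 2     # makes the last 13 bits odd
    return f"{p_even}{data}{p_odd}"

def decode_wiegand26(bits):
    """Decode a frame given as a string of 26 '0'/'1' characters."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    parity_ok = (bits[:13].count("1") % 2 == 0
                 and bits[13:].count("1") % 2 == 1)
    return {"facility": int(bits[1:9], 2),
            "card": int(bits[9:25], 2),
            "parity_ok": parity_ok}

def flip(bits, *positions):
    """Return the frame with the given bit positions inverted (line noise)."""
    out = list(bits)
    for p in positions:
        out[p] = "1" if out[p] == "0" else "0"
    return "".join(out)

if __name__ == "__main__":
    frame = encode_wiegand26(42, 12345)      # constructed sample credential
    print(frame, decode_wiegand26(frame))
    print(decode_wiegand26(flip(frame, 24)))      # one bit corrupted
    print(decode_wiegand26(flip(frame, 23, 24)))  # two bits corrupted
```

The frame carries no key, counter or MAC, so every presentation of the same card produces identical bits, and the parity bits only catch an odd number of corrupted bits in each half.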

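RFID Debug tools

  • Proxmark - FPGA-based RFID debugger (http://www.proxmark.org/)
  • RFIDeas - Makers of universal readers, card identification tools, etc. (http://www.rfideas.com/)
  • Bare-bones RFID tag and passive tag cloning (http://hackaday.com/2011/09/26/barebones-pic-rfid-tag/)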