Access Readers and Tokens: Difference between revisions

From ACCX Products Wiki

Revision as of 23:58, 25 November 2011

Identification and Authentication Methods

Overview

  • Identification in this context means uniquely identifying each user who presents at an access terminal or reader
    • Token ID
    • Username/user ID
    • Biometric
  • Authentication means verifying that the user is who they claim they are
    • Something they have (a token)
    • Something they know (a password)
  • Identification and authentication may be combined, but need to be considered separately.

Considerations for Access Control

  • Method must be simple and reliable
    • Users tend to bypass controls that are too burdensome
  • Must not lock out legitimate users frequently
  • Must not allow unauthorized users in to the extent possible
    • Tailgating protection
    • Pass-back protection

End to end session protocol

Considerations
  • Ideally, session is encrypted and authenticated at all levels
    • User should know they are interacting with a legitimate terminal
    • Token should know that it is talking to a legitimate reader
    • Reader should not leak any secrets during transaction
    • Secrets should not be subject to interception between reader and server/panel
      • Physically secure wiring/network
      • Secure/encrypted protocols
  • Messages should not be vulnerable to session replay
    • Time stamping/serializing of messages
  • Messages should not be subject to intentional or accidental alteration in transit
    • Message CRC and cryptographic signing/MAC protocol
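The replay and alteration points above, worked as a small added example (not code from the ACCX project): a reader-to-panel message carries a monotonically increasing sequence number and an HMAC over a constructed shared key, and the panel rejects a repeated message and a message whose token ID was altered after signing. The token ID is left in the clear here; the confidentiality requirement listed above would be met separately by encrypting the link.

```python
import hmac
import hashlib
import struct

# Constructed shared secret; assumed to be provisioned to reader and panel out of band.
SHARED_KEY = b"constructed-demo-key-not-for-production"

# Wire format: 4-byte big-endian sequence number, 8-byte token ID, 32-byte HMAC-SHA256.
PAYLOAD_LEN = 12
MAC_LEN = 32


def build_message(key, seq, token_id):
    """Reader side: serialize the read event and append a MAC over the payload."""
    payload = struct.pack(">I", seq) + token_id.ljust(8, b"\0")[:8]
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + mac


class PanelReceiver:
    """Panel side: verify the MAC first, then enforce strictly increasing sequence numbers."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def accept(self, msg):
        if len(msg) != PAYLOAD_LEN + MAC_LEN:
            return "malformed"
        payload, mac = msg[:PAYLOAD_LEN], msg[PAYLOAD_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):   # constant-time compare
            return "bad_mac"                          # altered in transit
        seq = struct.unpack(">I", payload[:4])[0]
        if seq <= self.last_seq:
            return "replay"                           # seen before, or out of order
        self.last_seq = seq
        return "ok"


def demo():
    """Run four messages through one panel and return the verdicts in order."""
    panel = PanelReceiver(SHARED_KEY)
    m1 = build_message(SHARED_KEY, 1, b"CARD0001")
    results = [panel.accept(m1)]                      # fresh message
    results.append(panel.accept(m1))                  # identical bytes re-sent
    tampered = bytearray(build_message(SHARED_KEY, 2, b"CARD0001"))
    tampered[4:12] = b"CARD0002"                      # change token ID, keep old MAC
    results.append(panel.accept(bytes(tampered)))
    results.append(panel.accept(build_message(SHARED_KEY, 2, b"CARD0002")))
    return results
```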
Protocols and Session Flow

Types of tokens

Contactless (RFID)
Advantages
  • No electrical connection to the outside world
  • Can be mounted behind glass or inside a secure perimeter
  • No keypad or contacts to require maintenance
Disadvantages
  • Tokens can be interrogated by a third party
  • Transactions can be snooped with RF listening gear.
Types of RFID Tokens
  • Mifare
    • Have read/write capability
    • Basic encryption on-board
      • Come unconfigured, with keys set to all 'F' values
      • Blocks of data are stored under an encryption key after the first write
    • 1K and 4K versions available