Access Readers and Tokens
Identification and Authentication Methods
Overview
- Identification in this context means uniquely identifying each user who presents at an access terminal or reader
- Token ID
- Username/user ID
- Biometric
- Authentication means verifying that the user is who they claim they are
- Something they have (a token)
- Something they know (a password)
- Identification and authentication may be combined, but need to be considered separately.
Considerations for Access Control
- Method must be simple and reliable
- Users tend to bypass controls that are too burdensome
- Must not lock out legitimate users frequently
- Must keep unauthorized users out, to the greatest extent possible
- Tailgating protection
- Pass-back protection
End to end session protocol
- Ideally, session is encrypted and authenticated at all levels
- User should know they are interacting with a legitimate terminal
- Token should know that it is talking to a legitimate reader
- Reader should not leak any secrets during transaction
- Secrets should not be subject to interception between reader and server/panel
- Physically secure wiring/network
- Secure/encrypted protocols
- Messages should not be vulnerable to session replay
- Time stamping/serializing of messages
- Messages should not be subject to intentional or accidental alteration in transit
- A message CRC catches accidental corruption; a cryptographic signature or MAC is needed to detect intentional alteration
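The following is an added example (not from the original page) of the reader-to-panel message protection described above. The reader serializes each event with a monotonic counter and appends an HMAC; the panel verifies the tag in constant time and rejects any counter it has already seen. A CRC-only framing is shown beside it so the difference is visible: anyone on the wire can rewrite the card number and recompute the CRC. The key, reader id and field layout are hypothetical.

```python
"""Reader-to-panel message protection: per-message counter plus HMAC, compared
with a CRC-only framing. Added example, not code from the page; key material
and field layout are hypothetical."""
import hashlib
import hmac
import struct
import zlib

# Hypothetical shared secret provisioned into one reader and its panel.
READER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
READER_ID = 0x0007
BODY_FMT = ">HII"          # reader id (2), message counter (4), card number (4)
BODY_LEN = struct.calcsize(BODY_FMT)
MAC_LEN = 16               # truncated HMAC-SHA256 tag


def build_message(key, reader_id, counter, card_number):
    """Reader side: serialize the event and append a MAC over the whole body.
    The counter is covered by the MAC, so a relay cannot adjust it."""
    body = struct.pack(BODY_FMT, reader_id, counter, card_number)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + tag


class Panel:
    """Panel side: verify the MAC first, then enforce a strictly increasing
    counter per reader so a captured message cannot be replayed."""

    def __init__(self, key):
        self.key = key
        self.last_counter = {}

    def accept(self, msg):
        if len(msg) != BODY_LEN + MAC_LEN:
            return (False, "bad length")
        body, tag = msg[:BODY_LEN], msg[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:MAC_LEN]
        # Constant-time compare: the panel must not leak the tag bit by bit.
        if not hmac.compare_digest(tag, expected):
            return (False, "bad MAC")
        reader_id, counter, card_number = struct.unpack(BODY_FMT, body)
        if counter <= self.last_counter.get(reader_id, 0):
            return (False, "replay")
        self.last_counter[reader_id] = counter
        return (True, card_number)


def crc_only_message(reader_id, card_number):
    """Legacy framing: CRC32 catches line noise but involves no secret."""
    body = struct.pack(">HI", reader_id, card_number)
    return body + struct.pack(">I", zlib.crc32(body))


def crc_only_check(msg):
    body, crc = msg[:6], msg[6:]
    return zlib.crc32(body) == struct.unpack(">I", crc)[0]


def forge_crc_message(msg, new_card_number):
    """Anyone on the wire can rewrite the card number and recompute the CRC."""
    (reader_id,) = struct.unpack(">H", msg[:2])
    return crc_only_message(reader_id, new_card_number)


def demo():
    """Run the constructed exchange and return what the panel decided."""
    panel = Panel(READER_KEY)
    results = {}
    m1 = build_message(READER_KEY, READER_ID, 1, 12345678)
    results["first"] = panel.accept(m1)
    results["replay"] = panel.accept(m1)            # same bytes presented again
    m2 = build_message(READER_KEY, READER_ID, 2, 12345678)
    tampered = bytearray(m2)
    tampered[6:10] = struct.pack(">I", 99999999)    # card number changed in transit
    results["tampered"] = panel.accept(bytes(tampered))
    results["second"] = panel.accept(m2)
    crc_msg = crc_only_message(READER_ID, 12345678)
    results["crc_forgery_passes"] = crc_only_check(forge_crc_message(crc_msg, 99999999))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

A timestamp can replace or accompany the counter when reader and panel share a clock; the point is that the freshness value is inside the authenticated body, so it cannot be stripped or altered without invalidating the tag.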
Types of tokens
Contactless (RFID)
Advantages
- No electrical connection to the outside world
- Can be mounted behind glass or inside a secure perimeter
- No keypad or contacts to require maintenance
Disadvantages
- Tokens can be interrogated by a third party
- Transactions can be snooped with RF listening gear.
Types of RFID Tokens
- Mifare
- Have read/write capability
- Basic encryption on-board (MIFARE Classic's proprietary Crypto-1 cipher, which has since been publicly broken, so it should not be the only protection on the credential)
- Come unconfigured, with factory-default keys of all 0xFF bytes
- Each sector carries its own key A, key B and access bits in its trailer block; once the trailer is written, those keys govern reading and writing of that sector's data blocks
- 1K and 4K versions available
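As an added example (not from the original page), the following audits a MIFARE Classic 1K card image for the points just listed: sectors still on the all-0xFF factory keys, a block 0 BCC that does not match the UID, and access bits whose inverted copies disagree. The image is constructed in `factory_dump()` rather than read from a card; the SAK/ATQA bytes placed in block 0 are typical values, and the keys appear in the image as a dump tool would record them (on the card itself key A is never readable).

```python
"""Audit a MIFARE Classic 1K card image for factory-default keys, a bad BCC and
inconsistent access bits. Added example, not code from the page; the image is
constructed below and the SAK/ATQA bytes in block 0 are typical values only."""

BLOCK = 16
BLOCKS_PER_SECTOR = 4
SECTORS = 16                                   # 1K = 16 sectors x 4 blocks x 16 bytes
DEFAULT_KEY = bytes.fromhex("FFFFFFFFFFFF")    # factory (transport) key A and key B
TRANSPORT_ACCESS = bytes.fromhex("FF078069")   # transport access bits + user byte


def bcc(uid):
    """Block check character: XOR of the four UID bytes in block 0."""
    return uid[0] ^ uid[1] ^ uid[2] ^ uid[3]


def factory_dump(uid):
    """Constructed image of a never-configured 1K card with the given 4-byte UID."""
    if len(uid) != 4:
        raise ValueError("4-byte UID expected")
    # UID, BCC, SAK (0x08), ATQA (04 00), then manufacturer bytes (zeroed here)
    manufacturer = uid + bytes([bcc(uid), 0x08, 0x04, 0x00]) + bytes(8)
    trailer = DEFAULT_KEY + TRANSPORT_ACCESS + DEFAULT_KEY
    blocks = []
    for sector in range(SECTORS):
        for b in range(BLOCKS_PER_SECTOR):
            if sector == 0 and b == 0:
                blocks.append(manufacturer)
            elif b == BLOCKS_PER_SECTOR - 1:
                blocks.append(trailer)
            else:
                blocks.append(bytes(BLOCK))
    return b"".join(blocks)


def trailer_of(dump, sector):
    start = (sector * BLOCKS_PER_SECTOR + 3) * BLOCK
    return dump[start:start + BLOCK]


def set_sector_keys(dump, sector, key_a, key_b, access=TRANSPORT_ACCESS):
    """Return a copy of the image with a rewritten sector trailer."""
    if len(key_a) != 6 or len(key_b) != 6 or len(access) != 4:
        raise ValueError("key A/key B are 6 bytes, access bytes are 4")
    out = bytearray(dump)
    start = (sector * BLOCKS_PER_SECTOR + 3) * BLOCK
    out[start:start + BLOCK] = key_a + access + key_b
    return bytes(out)


def decode_access_bits(trailer):
    """Bytes 6..8 of the trailer hold C1/C2/C3 for blocks 0..3 plus inverted
    copies. Returns (copies_consistent, [(C1, C2, C3) for block 0..3])."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    consistent = (((~b6 >> 4) & 0x0F) == c2
                  and (~b6 & 0x0F) == c1
                  and (~b7 & 0x0F) == c3)
    conds = [(bool(c1 & (1 << i)), bool(c2 & (1 << i)), bool(c3 & (1 << i)))
             for i in range(4)]
    return consistent, conds


def audit(dump):
    """List what should be flagged before this image is trusted or written."""
    if len(dump) != SECTORS * BLOCKS_PER_SECTOR * BLOCK:
        raise ValueError("not a 1K image")
    findings = []
    uid = dump[0:4]
    if bcc(uid) != dump[4]:
        findings.append("block 0: BCC mismatch")
    for sector in range(SECTORS):
        t = trailer_of(dump, sector)
        if t[0:6] == DEFAULT_KEY:
            findings.append(f"sector {sector}: key A is factory default")
        if t[10:16] == DEFAULT_KEY:
            findings.append(f"sector {sector}: key B is factory default")
        consistent, _ = decode_access_bits(t)
        if not consistent:
            findings.append(f"sector {sector}: access bits inconsistent")
    return findings


if __name__ == "__main__":
    image = factory_dump(bytes.fromhex("DEADBEEF"))   # constructed UID
    for line in audit(image):
        print(line)
```

With the transport access bytes FF 07 80 69, `decode_access_bits` reports C1C2C3 = 000 for the three data blocks and 001 for the trailer, which is why a factory card can be read and written with either default key until the trailer is personalized.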