Access Readers and Tokens

From ACCX Products Wiki
Revision as of 08:55, 14 May 2012 by Arclight (talk | contribs) (→‎Signalling/other Vulnerabilities)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Identification and Authentication Methods

Overview

Once upon a time, physical access control typically meant there was a person (security guard, receptionist, etc) whose job it was to watch the entrances to a restricted area and only let in people who were on a list or personally recognized by them as an authorized user. Technology solutions to the problem of controlling access came about both as a way to save money and as a way to better enforce policies.

It is important to recognize that controlling access requires both identification and authentication of people. A good discussion of this problem is here:

Identification in this context means uniquely identifying each user who presents at an access terminal or reader. Since the point of access control and physical security is to enforce a security policy, it is important to know which exact user is attempting to gain access to the resource in question. Some typical identification methods include:

  • Token ID (i.e. a barcode,serial number, etc)
    • Username/user ID
    • Biometric ID (Typically only used in very high-end systems such as the Morphotrack products

Authentication means verifying that the user is who they claim they are. They are logically separated, as our system may present different choices or use different methods based on the user's identification. The "authorization" component may not be unique to eachj user either. (PIN codes for instance.) Authentication methods for users include:

  • Something they have (a physical token)
    • Something they know (a password or PIN)
    • Something they are (biometrics/facial recognition/other trait)

Considerations for Access Control

Access control systems are put in place to increase security and to make securing the assets easy and convenient. Users tend to obey security policies if they are easy to follow and provide a recognizable benefit, such as making their home or workplace feel more secure. Some genberal guidelines for designing access control hardware and software systems include:

  • Procedures must be simple and reliable
    • Users tend to bypass controls that are too burdensome
  • Must not lock out legitimate users frequently
  • Must not allow unauthorized users in to the extent possible
  • Must not generate excessive false alarms and trouble messages
  • Should provide easily-recognized benefits so that people want to use the system properly
    • Convenience
      • Automatic opening of doors, integration with lighting along corridors
      • Remote unlock for after-hours access, workmen, etc.
      • Traffic control/elimination of solicitors
      • Visitor management
      • Key auditing and revocation
  • Software can provide for more advanced security features than traditional keys
    • Two-factor authentication an option (Token+PIN, PIN+Thumbprint, etc)
    • SMS messaging/one-time PIN
    • Tokens with unique ID that changes after each use
    • Interactive applications (Smart phones, tablets)
  • Protect against common failure modes
    • Tailgating (multiple users entering on one token)
    • Pass-back (Users passing their token to the outside so that someone else can use it)
    • Alarms for doors left open/propped open, other policy violations

Types of tokens

Contactless (RFID)
Advantages
  • No electrical connection to the outside world
  • Can be mounted behind glass or inside a secure perimeter
  • No keypad or contacts to require maintenance
Disadvantages
  • Tokens can be interrogated be a third party
  • Transactions can be snooped with RF listening gear.

Types of RFID Tokens

Most of the commercial RFID vendors require an NDA and/or purchase commitment to get access to their detailed specifications. There are at least two systems with widely-published specifications and products available from multiple vendors.

  • EM4100/TK4100
    • Vendor Spec Sheet
    • 125Khz (Low Frequency) tags
    • Read-only and read-write versions available
    • 26-64bits of data typical
    • Writing tends to be slow
  • Mifare
    • 13.56Mhz (High Frequency) tags
    • Have read/write capability
    • Basic encryption on-board
      • Come unconfigured, all 'F' values store in data blocks
      • Blocks of data are stored with encryption key after first write
    • 1K,4K version available
    • NXP, other vendors sell token and reader chips
    • Mifare Code and libraries

Security Problems with RFID

As a rule, RFID products follow a broad set of physical and low-level signalling standards while using proprietary encryption and authentication techniques. This means that only the most basic security features (such as a "license plate" read of a card's serial number) are broadly compatible between vendors. It also means that security vulnerabilities probably exist in all of these systems.

Mifare Classic Vulnerabilities
Signalling/other Vulnerabilities

The proprietary nature of most vendor's systems also means that transport layer for messages between readers and devices often defaults to a simple, non-encrypted protocol such as Wiegand signalling. Below are some resources for these vulnerabilities.

RFID Debug tools