Reader and Card Security Considerations

pic2

It should come as no surprise that not all access control systems are created equal. An Access Control System is made up of many elements, beginning with  a  panel  which  incorporates  a feature set designed to facilitate proper verification and enrolment procedures. The panel should also enable continued credential maintenance procedures for the maintenance of both the approved credential lists and unauthorised credential lists.

Perhaps the most important component of any access control system is the selection of smart reader and card technology. With so many different types of smart readers and card technologies available, it is often difficult to know what to choose. Which combination smart reader and card technology will minimise the chances of someone successfully presenting false credentials with a view to gaining access, or the ability to compromise communications within the system through hacking and cloning of authorised credentials and reader data?

Choosing the right technology, one which has a level of security commensurate with your level of security risk, is vitally important.

Proper risk analysis is the key to ensuring that the right Smart Reader choice is made. For example, some Smart Reader products, such as 125Khz prox or CSN/UID readers, offer no protection against hacking and cloning cards.

Others readers are based on technology platforms that have, at some point, been compromised. However, the level of sophistication required to compromise the technology is sufficiently high enough that it does represent a threat to medium level security applications. Alternatively, new counter measures many  have been incorporated into the existing platform   to insure that it once again provides sufficient protection for medium security applications.

Then there are the high security smart reader and card systems which are designed using technology platforms that support higher encryption standards which are considered safe for protecting sensitive and classified data.

As is  the  case  with  any  security  design, a balance must be struck between ease of maintenance and use and the degree of security provided based on the perceived level of risk. In the case of access control systems, the decision to implement a more user friendly, easier to maintain system often comes at a cost to the integrity of the system’s security, especially where reader technology is an ‘off- the-shelf’ solution chosen primarily because of factors such as how easily components can be purchased, maintained, replaced. The cheaper and more readily available the components of a system are, the lower the level of security they are likely to provide. Furthermore, it is often the case that ‘off-the-shelf’ access control systems are much easier to administer because such systems offer little or no encryption, hence minimal security.

BQT Solutions are uniquely different in that their miPASS card and reader systems offer economical “off the shelf” convenience with  the  right  level  of  encryption  and  security  for both medium and high risk security applications.

They can also provide tailored Smart Reader and Card systems with custom “secret” keysets and/or encoders and configuration software for larger organisations or classified installations.

Encryption

Card Readers communicate between the access Credential and the Reader through radio frequency and also to the Access Control Panel via a protocol such as Wiegand. For a security risk analysis to be considered complete, an examination of both of these methods of communication is required in order to assess the how easily data in the system could be compromised. This risk assessment then determines the appropriate technology platform and encryption standard.

BQT Solutions advise that medium security products such as their miPASS 2 secure card and reader system, which include modern MIFARE® Crypto1® encryption, may be implemented at a similar budget to non-encrypted technology such as such as 125Khz prox or CSN/UID readers, eliminating the need to expose an organisation to the kinds of hacking and cloning security risk associated with cheaper systems.

The standard of card and smart reader encryption for high security applications requires a higher level of encryption such as Triple DES (3DES) and AES which have been approved by organisations such as the US Department of Commerce, National Institute of Standards and Technology (NIST) for the protection of sensitive and confidential data.

BQT Solutions miPASS 3 secure card and reader system provides a suitable “off the shelf” solution which implements Triple DES (3DES) encryption between the card and the reader to protect against hacking and cloning of these communications.

BQT Solutions also offer a smart reader range that has custom keys and output formats, as well as a choice of platform, encryption standard (as available for the platform) and output protocol. These readers offer MIFARE® Classic with Crypto1® encryption, MIFARE® DESFire® EV1 with DES, 3DES or AES encryption and/ or MIFARE Plus® with AES encryption. Output protocols offered as standard include Wiegand and both plain and AES encrypted RS485 with plain or encrypted OSDP as a further option.

Smart Reader Output (Communication With The Access Control Panel)

Most access control panels on the market today communicate data from the smart reader as Wiegand protocol. This communication is unencrypted, plain text and may be hacked and replicated to allow unauthorised access. Many models in the range of BQT Solutions readers include the option of RS485 protocol communications encrypted with AES. Data from the reader is then sent to a High Security Module (HSM) installed next to the Access Control Panel in a secure area and decrypted back to Wiegand data for use in the Access Control Panel.

Other Security Features

Diversified keys  and  Random  UID  enhance a Smart Reader and Card System’s security and integrity, making hacking and cloning of systems more difficult. Many BQT Solutions products include Diversified Keys and Random UID techniques within feature sets, providing additional peace of mind.

Other  Authentication

It has often been noted among security experts that the strength of an access control system is not the back-end, which grants access based on a string of data that it receives, but on the authentication and verification of the individual seeking access. Essentially, this means that the security risk is mitigated at the Smart Reader.

As there are cost implications to each additional factor of authentication, most organisations determine the authentication and verification processes based on the constraints of time and of money and take a zonal approach to increasing factor authentication as the security risk or value of property being protected increases.

The Multifactor approach to security is strongest at three factor authentication and verification providing three key ingredients:-

  •   What you ARE – (Biometric Information e.g. a fingerprint)
  •   What you HAVE – (A credential such as a Smart Card)
  •   What you KNOW – (A PIN, kept secret)

Backend Security Procedures and Controls

An Access Control System is only as strong  as its weakest component or procedure.   Just as important as the technology selection are the procedures that are implemented around enrolment, and suspension of system users and custody of credentials. System lists of authorised and unauthorized issued credentials should be strictly maintained on an on-going basis, strong policies should be adopted with regard to lost/ stolen cards and practices such as tailgating and card sharing should be prohibited.

BQT Solutions

BQT Solutions has a range of smart reader products that cover all applications and risk levels from low to high and critical risk applications and multiple factor authentication readers are available. Their technology is installed at over 3,500 sites globally and is trusted for some of the most high risk security applications in the world. They offer both “off the  shelf”  secure smart reader and card systems and tailored solutions which can be specified for any security application.

For more information visit www.bqtsolutions.com or call +61 (0)2 8817  2800

%d bloggers like this: