
HID Global Best Practices in Access Control White Paper_04-20-2012


Best Practices in Access Control

Table of Contents

Best Practices in Access Control
Choosing the Right Reader and Card Technology
Use Proper Key Management
Protect the Communications
Use Security Screws
Prevention Using Antipassback
Use Additional Factors of Authentication
Mind the Cards
Protect the Cards
Detection – The Second Line of Defense
    Protect and Study the Security Logs
    System Upgrades and Migration Strategies
Conclusion
Appendix A: The Dangers of Using CSN-only Smart Card Readers
    Introduction
    Why Use Contactless Smart Cards?
    A False Sense of Security
    How is a CSN Used for Access Control?
    The Most Commonly Used CARD Format Intensifies the Problem
    Using the CSN Sacrifices Security for Interoperability
    Using the CSN is Inconvenient and May Add Hardware Costs
    Using the CSN Can Decrease Privacy
    CSN Emulation
    U.S. Government and International Organizations Recommendations
    Cryptographers and Industry Expert Opinions
    Refuting Commonly Held CSN Beliefs
    What About Encrypted CSNs?
    Chips with Programmable CSNs
    When Should a CSN Reader Be Used?


Introduction

To ensure that the ever-changing security requirements of a facility are met, a periodic review of a site’s access control system and its associated policies is a necessity. In fact, conducting an annual access control system review is the first step in establishing a systematic process for assessing the security of your organization; it is the principal best practice that provides the framework for all the other guidelines.

Once a yearly review process is in place, the fundamental best-practices concept is that an effective security system uses a layered approach to security. A good analogy is a home protected by a burglar alarm that uses both glass-break detectors and motion sensors to detect when an intruder enters the house.

This white paper contains important guidelines for all of the stakeholders in an access control installation, including the facility owner, the system specifier, the installer and the end user.

Choosing the Right Reader and Card Technology

Contactless smart cards are fast becoming the technology of choice for access control applications. Security, convenience, and interoperability are the three major reasons for this growth. Since there is a wide variety of reader technologies being offered by today’s manufacturers, it is important to make sure that the correct technology is chosen to match the desired level of security. Using a good, better, best grading system will help make the correct choice easier.

Recognizing that there are many legacy card technologies still in use and that replacing them with the latest contactless smart card technology may be expensive or logistically difficult, implementing the recommendations included in this paper will raise the level of security of an installation and should be done regardless of the card technology employed.

Relative Security of Commonly Used Card Technologies

Figure 1 illustrates and ranks the relative strength of commonly used card technologies based on how much publicly available information there is about the technical details of the card technology and the degree of difficulty required to illegally read or copy from the technology. The higher the number, the more secure the technology:

Figure 1: Relative Security Levels of Commonly Used Card Technologies (lowest to highest)


Magnetic stripe (magstripe) has the lowest security, with its technical details being well documented by ISO standards. This technology typically uses little or no security protections. Additionally, off-the-shelf devices are widely available to encode magstripe cards. Although there are some techniques that can make magstripe more secure, widespread adoption of these techniques in the access control industry has not occurred due to the convenience, security, and increased memory available in contactless smart cards.

125 kHz proximity (Prox) card technology and the use of the Card Serial Number (CSN) of a contactless smart card are better than magnetic stripe but are not as secure as contactless smart cards. Devices that can copy and emulate (mimic) Prox cards have been demonstrated. Similarly, because there is no secure authentication of the CSN and the workings of the CSN are published as part of the ISO standards, CSN emulation is also easily accomplished. (For more details on the dangers of using CSN readers, see the Appendix, which describes these dangers in greater detail.)

Contactless smart cards, when properly implemented and deployed, offer the highest level of security and interoperability. These cards use mutual authentication and employ cryptographic protection mechanisms with secret keys. They may also employ special construction and electrical methods to protect against external attacks.

Use Proper Key Management

Key management deals with the secure generation, distribution, storage, and lifecycle management of cryptographic keys. This important subject deserves an entire white paper by itself, but here are a few of the essential key management best practices.

Whenever there is a choice, choose a manufacturer that allows you to use your own cryptographic authentication key, different from the keys of its other customers, so that you have a unique key for your facility or organization. Although it may be easier not to have the responsibility of managing and safeguarding your own keys, using your own authentication keys will protect your organization from a key compromise that occurs in someone else’s readers purchased from the same manufacturer.

Do not choose a manufacturer that stores the same key in all of its credentials: extraction of the key from a single card compromises all of the cards in use. Use a manufacturer that uses diversified keys, which means that each card uses a different key that is cryptographically derived from a master key. Ideally this diversification would use a publicly scrutinized method such as SP800-108, the NIST Special Publication titled "Recommendation for Key Derivation Using Pseudorandom Functions."

Customers should consider a manufacturer that allows for updating and maintaining a secure and consistent data model throughout a credential’s life cycle. To read more about secure data models, please see HID Global’s “iCLASS SE White Paper.”

If offered a choice, use readers that protect their master key from being easily extracted from the reader. Prefer reader manufacturers that use a secure element such as a Trusted Platform Module (TPM), Secure Access Module (SAM), or other equivalent device to store cryptographic keys. Some manufacturers even go one step further and actually perform all of the cryptographic operations inside the secure element, making it even more difficult to compromise the integrity of the key or data.
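As an added illustration (not code from the white paper or from HID Global), the following Python shows the key diversification this section recommends: a per-card key derived from a site master key with the SP800-108 counter-mode KDF, and a reader that re-derives that key at presentation time. HMAC-SHA256 as the pseudorandom function, 16-byte card keys, the label string and the sample card UIDs are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumed choices (not specified by the white paper): HMAC-SHA256 as the PRF,
# 16-byte card keys, 32-bit counter and length fields. Any fixed choice works
# as long as every reader and card at the site uses the same one.
PRF = hashlib.sha256
CARD_KEY_LEN = 16


def sp800_108_counter_kdf(k_in: bytes, label: bytes, context: bytes, out_len: int) -> bytes:
    """NIST SP 800-108 KDF in counter mode:
    K(i) = PRF(K_IN, [i] || Label || 0x00 || Context || [L]) for i = 1..n;
    the output is the leftmost out_len bytes of K(1) || K(2) || ..."""
    if out_len <= 0:
        raise ValueError("out_len must be positive")
    digest_len = PRF().digest_size
    n = -(-out_len // digest_len)                  # ceil(out_len / digest_len)
    l_field = (out_len * 8).to_bytes(4, "big")     # L = requested length in bits
    out = b""
    for i in range(1, n + 1):
        fixed_input = i.to_bytes(4, "big") + label + b"\x00" + context + l_field
        out += hmac.new(k_in, fixed_input, PRF).digest()
    return out[:out_len]


def diversify_card_key(master_key: bytes, card_uid: bytes, key_version: int = 1) -> bytes:
    """Derive the per-card authentication key from the site master key.
    The card UID is the Context; the label binds the key to its purpose and
    version, so rolling to key_version=2 gives unrelated keys on every card."""
    label = b"site-card-auth-key/v" + str(key_version).encode()
    return sp800_108_counter_kdf(master_key, label, card_uid, CARD_KEY_LEN)


def card_response(card_key: bytes, challenge: bytes) -> bytes:
    """What the card computes with its own diversified key when challenged."""
    return hmac.new(card_key, challenge, PRF).digest()


def reader_verify(master_key: bytes, card_uid: bytes, challenge: bytes,
                  response: bytes, key_version: int = 1) -> bool:
    """Reader side: re-derive the card key from the master key (which should live
    in the reader's secure element) and check the response in constant time."""
    expected = card_response(diversify_card_key(master_key, card_uid, key_version), challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Constructed scenario: two cards, one genuine exchange, one key reused from
    another card. Returns the observed outcomes."""
    master = secrets.token_bytes(32)                 # would live in a SAM/TPM or vault
    uid_a = bytes.fromhex("04a1b2c3d4e5f6")          # constructed sample UIDs
    uid_b = bytes.fromhex("04f6e5d4c3b2a1")
    key_a = diversify_card_key(master, uid_a)
    key_b = diversify_card_key(master, uid_b)
    challenge = secrets.token_bytes(16)
    genuine = reader_verify(master, uid_a, challenge, card_response(key_a, challenge))
    # A key extracted from card A does not answer for card B's UID and does not
    # reveal the master key, which is the point of diversification.
    reused = reader_verify(master, uid_b, challenge, card_response(key_a, challenge))
    return {"keys_differ": key_a != key_b, "card_a_accepted": genuine, "key_a_for_b_accepted": reused}
```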


Be prepared to act quickly in case a key compromise does occur, and know how to use the manufacturer’s procedures to roll or change the keys in both the readers and cards. Some manufacturers have the capability to move cryptographic data, such as keys as well as reader firmware upgrades, securely from a secure ‘vault’ on their premises directly into the secure element inside the reader using end-to-end security among trusted devices.

Protect the Communications

The individual components of an access control system need to communicate with each other. Typical data includes card read messages, door unlock messages, audit trail data, cardholder privilege changes, and much more. Consequently, it is critical to protect this information exchange on two levels: the actual communications medium, be it hard-wired or wireless, as well as the data content must be protected.

When the communication takes place over wires, there are many different methods, interfaces and protocols to choose from. The most popular and de facto industry standard is the Wiegand protocol. This protocol became very popular because it is universally supported by almost all reader and panel manufacturers. More modern communication methods such as RS485 and TCP/IP offer more security and are therefore more desirable.

If a perpetrator can get access to the wires used for communications between the reader and the upstream device, it may be possible to intercept messages; this could result in a loss of privacy as well as the possibility of replaying a previously captured message and unlocking the door. It may also be possible to simply send an ‘unlock’ message. That is why a secure protocol is important, ideally employing 1) mutual authentication to ensure that each device trusts the other device, 2) encryption, and 3) message replay protection.

An additional reason to protect the wiring is to prevent a ‘denial of service’ attack in which the wires are cut or shorted together to interrupt communications. Another vulnerability arising from unencumbered access to the wires involves the command cards used by some manufacturers to program the operating characteristics of readers. Typically, command cards are only accepted for a short time after power has been interrupted and then restored, to prevent them from being used at any time. If the power wires to a reader are accessible, then a perpetrator would be able to interrupt the power to the reader so that command cards could be read in an attempt to put the reader in a state where cards are no longer read, creating a denial of service attack. An even more destructive denial of service attack can be launched in which the communication wires are connected to a high power source in an attempt to destroy the reader and/or the upstream device.

To minimize these risks, installing the security system’s wiring in conduit makes it more difficult to access the wires without being noticed, due to the difficulty of identifying the correct conduit, not to mention the additional time required to compromise the wiring in the conduit. Even if the entire wire run is not fully enclosed in conduit, just using conduit in the most vulnerable publicly accessible areas is desirable. Additionally, bundling several wire runs together (ideally in conduit) to make it more difficult to identify the correct set of wires is also desirable. (Follow the manufacturer’s recommended installation practices. Some wiring, such as power wiring, may not be recommended to be in the same conduit as data communications wires.) It is particularly important to protect the wiring of outside readers that are located at the entrance to a premises.

Additionally, avoid the use of readers with built-in connectors that make it easier to quickly swap out a reader, and avoid the use of wire-nut connectors to connect the reader wire pigtails to the panel wiring. Instead, connect the wires in a more secure and permanent fashion, such as soldering with heat-shrink tubing to cover the connections.


Use Security Screws

Always use security screws that require special tools to remove a reader and other security components. If the correct tool is not available, it is nearly impossible to remove the reader without causing damage to the screws. This damage may be noticed, alerting security to a potential intrusion attempt, especially if policy dictates that readers be physically examined on a periodic basis. (Physical examination of readers should be included on guard tours.) It also has the effect of making the removal process more difficult, and slowing down the removal increases the possibility that the perpetrator will be noticed.

Prevention Using Antipassback

Another best practice that may be feasible is to program the access control host software to refuse to grant access to a cardholder that is already inside the facility, which will prevent a duplicate card from entering the facility. This mechanism, referred to as antipassback, is available in many access control systems. Note that this feature requires two readers at the door – an ‘in’ reader and an ‘out’ reader. One additional benefit of using antipassback is that it prevents a user from using their card with others following through an open door (tailgating).

Use Additional Factors of Authentication

It is generally accepted that multiple factors of authentication, consisting of something you have (e.g., a card), something you know (e.g., a password), and something you are (e.g., a biometric), increase the probability that the person presenting his card at a reader is the same person that was initially issued the card. Using all three factors is ideal, but just adding one additional factor can be effective. A relatively inexpensive, easy-to-use second factor is a password, which can be achieved with the use of card readers with built-in keypads. Keypad readers are ideal solutions for environments where additional layers of security are required – such as in a lab or corporate research environment and the perimeter entrances to a facility.

Readers with a built-in keypad minimize the likelihood that a lost card can be picked up and simply used to enter a facility. They also minimize the threat of card cloning. Ideally, the password should be changed periodically, or if a common password is utilized, change it every day to increase the effectiveness. Note that some systems store the actual password inside the card itself. Although this is generally effective if the card technology is secure, it is better to have the password stored on the host.

The use of biometric readers to ensure that the person presenting the card is actually the same person that was issued the card is appropriate in environments where an even higher level of security is required. A similar solution is to use hand-held biometric fobs that only emit RFID card data after a biometric authentication has occurred. These types of devices actually help to increase privacy and cannot be surreptitiously read without the user’s permission, since the access control credential cannot be read until the biometric authentication process has taken place.

If the use of multiple factors presents throughput or convenience obstacles, consider requiring multiple factors of authentication only outside of normal business hours, when the risk of unauthorized entries is highest, or having them turned on automatically when there is an elevated ‘threat level’.


Mind the Cards

A perpetrator may use surreptitiously obtained cards for nefarious purposes. One way to do this is to claim that a card was lost when it really wasn’t. Make sure that lost cards are voided immediately.

Another way for a perpetrator to fraudulently obtain cards is through gray market sources such as eBay or even legitimate card resellers. There are several best practices to prevent this. First, make sure that only issued cards are valid; don’t have spare cards pre-validated and ready to hand out. Some access control systems can also generate a different message than just ‘Denied’ when a presented card’s ID number falls in a range that has not been entered in the system. When an illegally obtained card is used, a message of ‘Card out of range’ instead of simply ‘Denied’ should signal more urgency to investigate. Similarly, cards using a different data format that are reported as ‘Unrecognized’, as well as cards with the wrong facility code, are also indications that illegally obtained cards are being presented to the system. Therefore, any messages reported by the host access control system with wrong formats, wrong site codes, or out-of-range numbers should be immediately investigated.

Don’t succumb to the argument made by alternate card suppliers that proprietary card formats are more expensive and are an attempt by manufacturers to keep you from buying cards from open sources. The use of a proprietary format offered by an OEM, or one that is exclusive to a particular site, is a desirable best practice. Cards with proprietary formats are much more difficult to fraudulently obtain compared to the industry-standard open-format 26-bit Wiegand format, and proprietary cards typically provide provisions for non-duplication of card numbers. Some manufacturers’ readers can even be set to ignore ‘foreign’ cards completely, which will also present an obstacle to using cards obtained on the open market.

As described earlier, never use contactless smart card readers that solely rely on the card serial number (CSN readers). It doesn’t make sense to use a contactless smart card with increased security over legacy card technologies and then ignore the security capabilities built into the card. Some companies advocate these types of readers because they do not require implementation of security mechanisms which may not be available for license to that reader manufacturer and which typically add costs that make the readers more expensive. Using CSN readers is analogous to using a high security reader on a glass door.

Protect the Cards

Cardholders should be instructed not to wear their badges in prominent view when outside the premises, and to be aware of people approaching them attempting to perform a ‘bump and clone’, in which an attempt is made to surreptitiously read their card using an electronic skimming device. For contactless smart cards operating at 13.56 MHz, many companies sell RFID shielding devices packaged into a card holder; these are very convenient to use and prevent these kinds of attacks.

Another best practice is to avoid putting any identifying data on the card that gives an indication as to the location or address of the facility, to make it harder to identify where a lost card can be used. Of course, many companies put their company logo on their cards, but organizations should balance this requirement with the disadvantage of including artwork that reveals the company’s location.

For companies with multiple facilities at different physical locations, do not use the same facility code (also known as site code) in all of the cards; otherwise a lost card can be used at any of the locations.
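As an added example (not code from the white paper or from HID Global), the following Python implements the host-side distinctions the Mind the Cards section asks for: it decodes the open 26-bit Wiegand format (one even-parity bit, 8-bit facility code, 16-bit card number, one odd-parity bit) and then reports ‘Unrecognized format’, ‘Wrong facility code’, ‘Card out of range’ or a plain ‘Denied’, flagging which of those an operator should investigate immediately. The site policy values and sample reads are constructed for the example; the encoder exists only to build those samples.

```python
from dataclasses import dataclass, field

INVESTIGATE = "investigate immediately"
LOG = "log"


def encode_wiegand26(facility_code: int, card_number: int) -> str:
    """Build a standard 26-bit frame E FFFFFFFF CCCCCCCCCCCCCCCC O, where E is even
    parity over the first 12 data bits and O is odd parity over the last 12.
    Used here only to construct sample reads."""
    if not 0 <= facility_code <= 0xFF or not 0 <= card_number <= 0xFFFF:
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    data = f"{facility_code:08b}{card_number:016b}"
    even = str(data[:12].count("1") % 2)
    odd = str((data[12:].count("1") + 1) % 2)
    return even + data + odd


def decode_wiegand26(bits: str):
    """Return (facility_code, card_number), or None if the read is not a valid
    26-bit frame (wrong length, non-binary content or a parity mismatch)."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        return None
    data = bits[1:25]
    if int(bits[0]) != data[:12].count("1") % 2:
        return None
    if int(bits[25]) != (data[12:].count("1") + 1) % 2:
        return None
    return int(data[:8], 2), int(data[8:], 2)


@dataclass
class SiteCardPolicy:
    facility_codes: frozenset                   # site codes this organisation issued
    issued_range: tuple                         # (low, high) card numbers actually purchased
    active: set = field(default_factory=set)    # enrolled cards that may open doors
    voided: set = field(default_factory=set)    # reported lost or otherwise revoked


def classify_read(bits: str, policy: SiteCardPolicy):
    """Map one raw read to the host message and how urgently to look at it."""
    decoded = decode_wiegand26(bits)
    if decoded is None:
        return "Unrecognized format", INVESTIGATE    # foreign data format
    facility_code, card_number = decoded
    if facility_code not in policy.facility_codes:
        return "Wrong facility code", INVESTIGATE
    low, high = policy.issued_range
    if not low <= card_number <= high:
        return "Card out of range", INVESTIGATE      # number never bought by this site
    if card_number in policy.voided:
        return "Denied: voided card", INVESTIGATE    # a 'lost' card is being presented
    if card_number in policy.active:
        return "Granted", LOG
    return "Denied", LOG                             # in range but never enrolled


def triage(reads, policy: SiteCardPolicy):
    """Run a batch of raw reads and return only those needing immediate attention."""
    flagged = []
    for bits in reads:
        message, urgency = classify_read(bits, policy)
        if urgency == INVESTIGATE:
            flagged.append((bits, message))
    return flagged


# Constructed site policy: facility code 123, cards 1000-2000 purchased,
# card 1500 enrolled and card 1501 reported lost.
SAMPLE_POLICY = SiteCardPolicy(frozenset({123}), (1000, 2000), active={1500}, voided={1501})
```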


Another best practice is to have a policy that lost cards must be reported as soon as possible, and that when a card is reported lost, it is immediately removed from the system. As an alternative, consider making the cost of a replacement card high enough that a cardholder will think twice about being careless. Of course, this policy may actually discourage a cardholder from immediately reporting a lost card in the hope that it might be found.

Detection – The Second Line of Defense

Buy readers with a tamper detect mechanism that provides a signal when the reader has been removed from the wall. Almost every panel manufacturer provides the ability to monitor this alarm signal and report when a reader is tampered with. If the panel supports ‘supervision’, another method that can be used by installers is to include an additional pair of wires that are connected together through a resistor at the reader. This loop can be monitored by the panel using a technique called ‘supervision’ that can detect when the wires are cut or shorted, or when other changes in the electrical characteristics of the wires are made. Of course the panel must support this capability.

Immediately investigate tamper alarms even if they are momentary and return to normal. You might actually detect the perpetrator in action or find that a foreign device has been installed in an attempt to monitor and/or modify the communications between a reader and the upstream device. If the reader is controlling a sensitive location, such as a perimeter door, have it and the door monitored by CCTV. Some access control systems can automatically switch the viewing monitor to the door with the tamper alarm as well as tag the video history log with the event for later review. And, if you are using your own company-specific cryptographic keys that are stored in a reader, realize that a reader that has been removed from the wall might have had the cryptographic keys extracted from it, which compromises the entire security of your installation.

Many reader manufacturers also have the capability of sending ‘health’ messages (also referred to as ‘heartbeat’ or ‘I am alive’ messages) on a periodic basis to the upstream device. This functionality can also be used to detect when the wires are cut and does not require any additional wires to get this protection. If these periodic messages are set to occur faster than it would take to install a rogue listening device, then the panel would notice and report the interruption. Ideally these messages would be set to occur as fast as every second. Monitoring health messages also provides additional benefits, since it will detect reader malfunctions. It is better to know when a reader is not working before somebody complains (usually in the middle of the night when they cannot get in the door).

For converged physical and logical access control systems, geographic monitoring is available. For example, if a person has just come in through a door at a site in Buffalo but is trying to log into his computer in Denver, then obviously there is a problem. Another benefit in converged systems is to not allow a person to log onto his computer if he hasn’t used his card at a perimeter reader. This simple concept will get people to change their behavior and not tailgate when they are denied access during the computer log-on process.

Protect and Study the Security Logs

The audit trail of the transactions (i.e., security logs) should be protected, as it contains very sensitive data, such as who is going through what doors at what times, card numbers, and much more. If audit trails are electronically stored, keep them encrypted and secure. If they are printed out, shred them when done. (If any of this data is available from a remote site over the network, or, for that matter, if the server is accessible from or uses the public Internet, make sure that a proper penetration [PEN] test is performed by a reliable third party.)
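As an added example (not code from the white paper or from HID Global), the following Python models two of the host-side checks this paper describes: the antipassback rule from the Prevention Using Antipassback section (deny an ‘in’ read for a card that is already inside) and the log analysis this section recommends (flag the same card used at two locations closer in time than anyone could travel between them). The reader inventory, the minimum travel time between the Buffalo and Denver sites and the log lines are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Reader:
    site: str          # physical site the reader belongs to
    direction: str     # "in" or "out" (antipassback needs both at a door)


# Constructed reader inventory and minimum site-to-site travel time in seconds.
READERS = {
    "BUF-LOBBY-IN": Reader("Buffalo", "in"),
    "BUF-LOBBY-OUT": Reader("Buffalo", "out"),
    "DEN-LOBBY-IN": Reader("Denver", "in"),
    "DEN-LOBBY-OUT": Reader("Denver", "out"),
}
MIN_TRAVEL_SECONDS = {frozenset({"Buffalo", "Denver"}): 4 * 3600}


class AccessMonitor:
    """Host-side state machine: decides each presentation and collects alerts."""

    def __init__(self, readers, min_travel):
        self.readers = readers
        self.min_travel = min_travel
        self.inside = {}      # card -> site the card is currently inside
        self.last_seen = {}   # card -> (time, site) of the most recent presentation
        self.alerts = []      # (time, card, description)

    def present(self, when: datetime, reader_id: str, card: str) -> str:
        reader = self.readers[reader_id]
        decision = "granted"

        # Impossible-travel check: a card cannot be at two sites faster than a person
        # can travel between them, so this is a cloned-card indicator (paper: investigate).
        previous = self.last_seen.get(card)
        if previous is not None:
            prev_time, prev_site = previous
            needed = self.min_travel.get(frozenset({prev_site, reader.site}), 0)
            elapsed = (when - prev_time).total_seconds()
            if prev_site != reader.site and elapsed < needed:
                self.alerts.append((when, card,
                    f"possible cloned card: used in {prev_site} and {reader.site} {elapsed:.0f}s apart"))

        # Antipassback: refuse entry to a card the system already considers inside.
        if reader.direction == "in" and card in self.inside:
            decision = "denied"
            self.alerts.append((when, card, f"antipassback: card already inside {self.inside[card]}"))

        if decision == "granted":
            if reader.direction == "in":
                self.inside[card] = reader.site
            else:
                self.inside.pop(card, None)
        self.last_seen[card] = (when, reader.site)   # any physical presentation counts
        return decision


def replay_log(lines, readers=READERS, min_travel=MIN_TRAVEL_SECONDS):
    """Replay 'timestamp,reader,card' log lines through the monitor.
    Returns the per-line decisions and the alerts raised."""
    monitor = AccessMonitor(readers, min_travel)
    decisions = []
    for line in lines:
        timestamp, reader_id, card = (part.strip() for part in line.split(","))
        decisions.append(monitor.present(datetime.fromisoformat(timestamp), reader_id, card))
    return decisions, monitor.alerts


# Constructed sample log: a second copy of card 1001 follows the holder in (line 2),
# then card 1001 appears in Denver 15 minutes after leaving Buffalo (line 4).
SAMPLE_LOG = [
    "2012-04-20T08:00:00,BUF-LOBBY-IN,1001",
    "2012-04-20T08:00:30,BUF-LOBBY-IN,1001",
    "2012-04-20T08:30:00,BUF-LOBBY-OUT,1001",
    "2012-04-20T08:45:00,DEN-LOBBY-IN,1001",
    "2012-04-20T09:00:00,DEN-LOBBY-IN,1002",
]
```

The Denver read is still granted here because the paper treats the travel anomaly as something to investigate rather than a reason to deny; a site could equally choose to deny on that alert.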


The security logs are invaluable after a security-related event has occurred because they might provide clues as to who the perpetrator was. But that is not the only time to study the logs. Periodically look at the logs in an attempt to see patterns of events that don’t make sense. Better yet, use computer software to analyze the logs for suspicious behavior patterns. For example, a cardholder requires a finite amount of time to travel between entry points, and if the same card is used at two different locations in a very short time, this could indicate that a cloned card is being used.

System Upgrades and Migration Strategies

Choose a manufacturer who has a strong portfolio of migration products and strategies, including multi-technology cards in which both the legacy credential and the new credential technology can co-exist on the same card. Similarly, multi-technology readers capable of reading both the legacy credential and the new replacement higher security credential are useful in a migration strategy. Often a combination of these products may be necessary to migrate in the shortest, most convenient, and most cost-effective manner.

Technology migrations must include a technology termination plan as well. That is, once migrated to the new technology, readers must be made incapable of reading the old cards. And, if multi-technology cards have been employed in your strategy, it is important to change or roll the media keys once the technology migration is complete. This will best enable a secure transaction at the door.

Note: See HID Global’s “Migration White Paper” for an in-depth explanation of migration strategies and solutions.

Conclusion

Following as many of these best practices as feasible – with attention to appropriate levels of security – will result in a system that better fulfills its intended function with less possibility of being compromised. And these are just a few best practices to look for. There are many additional best practices that have not been discussed in this paper, such as the use of security mechanisms on the card (like holograms) and other tamper-evident technologies, and much more. This paper will be continually expanded to include additional best practices for organizations to effectively balance cost, convenience and security when deploying an access control system. Please set a bookmark where you downloaded this document and check back for later versions.


Appendix A: The Dangers of Using CSN-only Smart Card Readers

Introduction

Some manufacturers, in an attempt to sell a 'universal' reader capable of reading almost any contactless smart card technology, actually disable all of the built-in security mechanisms in order to achieve their goal. Reading only the CSN of a contactless smart card provides a false sense of security, analogous to installing a high-security door without any locking mechanism.

These readers, referred to as 'CSN readers', only read the card's serial number which, as per the ISO standards, must NOT be protected by any security, since it is needed by the reader to detect when more than one card is presented at the same time. This process, referred to as anticollision, takes place before the card and reader mutually authenticate each other. Because the ISO specifications are publicly available documents, the details of how this anticollision process works can be used by a perpetrator to build a device to clone (simulate) the CSN of a contactless smart card.

Understanding this misuse of the CSN is critical for users of the technology to ensure that access control security is maximized. If implemented and deployed properly, contactless smart cards represent one of the most secure identification technologies available today.

Why Use Contactless Smart Cards?

The most modern contactless smart cards incorporate advanced, state-of-the-art security mechanisms. Before a reader can begin a dialogue with a card, it uses mutual authentication to ensure that both the reader and card can 'trust' each other. Only after this process occurs is the reader allowed to access the data stored inside the card.
This data is protected by cryptographic algorithms and secret keys so that if the data were somehow extracted or even spied on, it would be very difficult to decipher and utilize.

As with 125 kHz Prox technology, contactless smart cards are convenient for users, who merely present their cards near a reader. In addition, users do not have to carefully insert the card into a slot or worry about proper orientation. This also minimizes the physical wear and tear on both the card and the reader, the potential for vandalism, and exposure to environmental elements.

Amplifying the convenience of contactless smart cards is their capability to support more than one application at a time. For example, a single card can be used for the dual purposes of opening a door and logging on to a computer.

Contactless smart cards also provide greater and ever-increasing amounts of memory, enhancing the sophistication of applications. Enough memory is available to store biometric templates and even photos, enabling additional factors for user authentication. Such authentication of both the card and the user increases the security and the likelihood that the person using the card is indeed the authorized user of that card.

A False Sense of Security

To understand why using the serial number of contactless smart cards provides a false sense of security, it is first important to understand some basic definitions and contactless smart card mechanisms.


CSN: CSN refers to the unique card serial number of a contactless smart card. All contactless smart cards contain a CSN as required by the ISO specifications 14443 and 15693. CSNs are typically 32 to 64 bits long.

The CSN goes by many other names including UID (Unique ID), CUID (Card Unique ID), and of course CSN (Card Serial Number). It is important to note that the CSN can always be read without any security or authentication, as per the ISO requirements.

Think of the CSN using the analogy of the identifying number on a house. It is important for everyone to be able to read the house number to find it. Similarly, the CSN is used to uniquely identify a card when more than one card is presented at a reader at the same time. But just as nobody can get into your house without the correct key, nobody can get into the protected data of a smart card without the correct key.

Anticollision: Anticollision is part of the communications protocol used by contactless smart cards to uniquely identify a card when more than one card is presented at a reader at the same time. It provides the ability to communicate with several contactless smart cards simultaneously. This is especially important in long-range readers, as illustrated by Figure 2: Anticollision.

Figure 2: Anticollision

The ISO standards require that every contactless smart card have a unique CSN, and these standards describe several methods to implement anticollision. It must be pointed out that the CSN was never intended by ISO to be used for any purpose other than anticollision.

How is a CSN Used for Access Control?

CSN readers are readers that use the CSN of a contactless smart card instead of the credential data stored in the secure area of the card.
When a card is presented to the reader, it reads the CSN and typically extracts a subset of the CSN, converts it to a 26-bit Wiegand or other output format, and then outputs this data to an upstream device such as a panel or host computer.

The Most Commonly Used Card Format Intensifies the Problem

There are many card formats available, and formats are comprised of multiple fields. The most commonly used format contains a total of 26 bits and includes a site code field (8 bits), a card number field (16 bits), and two parity bits.

The site code field (also called a facility code) is usually the same for all cards at a given site and is used to ensure that cards from different facilities in the same geographic area can be distinguished from each other. Without this field, cardholders with the same card number might be able to access facilities for which they do not have authorization. The card number field uniquely identifies each cardholder, and the parity bits are used to detect data communication errors.
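The 26-bit format described above is simple enough to write out in full, and doing so shows the two points the paper makes about it: the parity bits only catch line noise, and a CSN reader that squeezes a 32-bit or longer CSN into a 24-bit payload must throw bits away. The following is an added example, not code from the white paper or from HID Global. The bit layout (leading even parity over the first 12 data bits, 8-bit facility code, 16-bit card number, trailing odd parity over the last 12 data bits) is the standard 26-bit format; the CSN-to-Wiegand mapping in `csn_to_wiegand26` (keep the low 24 bits of the CSN) is an assumption for illustration, not any particular vendor's behaviour.

```python
"""26-bit Wiegand (8-bit facility code, 16-bit card number, two parity bits)
encoder/decoder, plus the lossy CSN-to-Wiegand conversion a CSN reader has to
perform. Added example, not from the white paper; the CSN mapping (keep the
low 24 bits of the CSN) is an assumption for illustration, not a particular
vendor's behaviour."""


def _parity(bits):
    """1 if an odd number of the bits are set, else 0."""
    return sum(bits) & 1


def encode_wiegand26(facility, card):
    """Return the 26 bits, first transmitted bit first.
    Bit 0:     even parity over bits 1-12 (facility code and top 4 bits of
               the card number).
    Bits 1-8:  facility code, MSB first.
    Bits 9-24: card number, MSB first.
    Bit 25:    odd parity over bits 13-24."""
    if not 0 <= facility < 256 or not 0 <= card < 65536:
        raise ValueError("field out of range for the 26-bit format")
    payload = [(facility >> (7 - i)) & 1 for i in range(8)]
    payload += [(card >> (15 - i)) & 1 for i in range(16)]
    lead = _parity(payload[:12])         # even parity
    trail = 1 ^ _parity(payload[12:])    # odd parity
    return [lead] + payload + [trail]


def parity_ok(bits):
    """True if both parity bits match the 24 payload bits."""
    if len(bits) != 26:
        return False
    payload = bits[1:25]
    return (bits[0] == _parity(payload[:12])
            and bits[25] == (1 ^ _parity(payload[12:])))


def decode_wiegand26(bits):
    """Return (facility, card); raise on a length or parity error. That is
    all the parity bits can do: they detect line noise, not a forged card."""
    if not parity_ok(bits):
        raise ValueError("bad length or parity")
    payload = bits[1:25]
    facility = int("".join(map(str, payload[:8])), 2)
    card = int("".join(map(str, payload[8:])), 2)
    return facility, card


def csn_to_wiegand26(csn):
    """Assumed CSN-reader behaviour: keep the low 24 bits of the CSN, use the
    top 8 of those as facility code and the low 16 as card number. Anything
    above bit 23 is discarded, so distinct CSNs can collide at the panel."""
    low24 = csn & 0xFFFFFF
    return encode_wiegand26(low24 >> 16, low24 & 0xFFFF)


if __name__ == "__main__":
    bits = encode_wiegand26(42, 1042)
    print("".join(map(str, bits)), decode_wiegand26(bits))
    # Two constructed 32-bit CSNs that differ only in their top byte produce
    # identical 26-bit output, so the panel cannot tell the cards apart.
    a, b = 0x0A123456, 0x0B123456
    print(csn_to_wiegand26(a) == csn_to_wiegand26(b),
          decode_wiegand26(csn_to_wiegand26(a)))
```

The collision shown at the end is the concrete form of the paper's point that all of the CSN's bits are needed to identify a card: with 24 payload bits available and CSNs of 32 bits or more, some cards necessarily map to the same facility code and card number, and a 64-bit ISO 15693 CSN loses 40 of its bits.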


Using the CSN is Inconvenient and May Add Hardware Costs

CSNs are non-consecutive numbers that are in a random order. Therefore, referring to a cardholder by CSN makes it impossible to group employees by card number ranges such as 1-100. Furthermore, as discussed above, it is desirable to use all of the bits required to represent the entire CSN. A 32-bit CSN would be represented as a number with as many as 10 decimal digits, and a 64-bit CSN requires as many as 20 digits. Even using hexadecimal notation, CSNs still require a person to type up to 16 characters to add or change a card.

With an enrollment reader, the process of adding cards to a system can be simplified, since the CSN of a card can be read automatically instead of being typed. However, this introduces more complexity to the system, requiring additional access control software and hardware enrollment readers. Moreover, if a cardholder's privileges have to be changed, an enrollment reader is of no use when the card is not available.

Using the CSN Can Decrease Privacy

Because reading only the CSN of a contactless smart card requires less power, read distances are often greater. This is because the power-hungry cryptography circuitry inside the contactless smart card is not used. Greater read distances, coupled with no authentication or security, make it possible to skim the CSN, and so clone the card or track the cardholder, from even greater distances.

In addition, using the CSN gives the false impression that a particular reader's performance is greater than it actually is.
This may be doubly misleading for users, because the CSN reader may be less expensive and offer better read distances than a reader that fully implements the security protections available with contactless smart card technology.

CSN Emulation

An earlier section identified additional security threats based upon the availability of information required to illegally read or copy a card technology. It concluded that using the CSN of a contactless smart card is low security because it is well documented by ISO standards and no security is used to authenticate a CSN. Many smart card development tools, such as protocol analyzers, can emulate an ISO 14443 or 15693 CSN. Furthermore, universities are also teaching the ISO protocols, and students are writing firmware to emulate CSNs. What better way to prove that a student correctly understands the ISO protocol than to actually create firmware to emulate a CSN and fool a reader?

U.S. Government and International Organizations' Recommendations

A U.S. Government report recommends not using the CSN for identification purposes since "…using the CSN as a unique identifier works only for 14443A, and for 14443B it [may] be a random number that changes every time and will be discussed in a future version of the specification."

The International Civil Aviation Organization also warns, "There is no protection in use of a CSN because this is often set in software by chip manufacturers and can be changed."


Cryptographers and Industry Expert Opinions

Both cryptographers and industry experts also warn of the dangers of using the CSN to identify a cardholder. David Engberg of Corestreet Ltd. said, "The serial number has no cryptographic or protocol-level protections to prevent an attacker from asserting the same serial number as any real card. By implementing ISO 14443 directly, an attacker can imitate any desired CSN."

Bruno Charrat, CTO of Inside Contactless, concurs with David Engberg, adding, "As soon as there is no security in the communications, you can clone a card and then enter anywhere you want! It is as simple as that."

In an article from Security Technology & Design, Greg Young, Technical Sales Manager for RFI Communications & Security Systems, warns against the assumption that contactless smart cards offer more secure transmission than 125 kHz Prox cards. "They can be more secure, but they're not necessarily more secure," he said. "Many manufacturers are touting readers that read multiple types of smart card technology – MIFARE, iCLASS – when really all they're reading is the serial number sent unencrypted from the card, in the same way Prox is.
Unless you make sure that what you're reading is from a secure sector on the card that can be truly encrypted, and there is a handshake procedure between the reader and the card before transmission, what you're getting is no more secure than proximity technology."

Refuting Commonly Held CSN Beliefs

What About Encrypted CSNs?

Encrypted CSNs offer no real protection from cloning and replay attacks. An encrypted CSN is still a fixed value that the card emits without any challenge from the reader, so an attacker who captures it once can replay it unchanged; it is simply a different static identifier.

Chips with Programmable CSNs

The statement 'The CSN is a unique serial number permanently written into the device's nonvolatile memory at the factory; it cannot be modified and is guaranteed to be unique for all devices' is not always true.

Some contactless smart cards have a programmable CSN. For example, one vendor's contactless smart card chip data sheet states: "The CSN is written at time of manufacture, but part of it can be customer-accessible and customer-writable, on special request."

Similarly, another manufacturer's datasheet states: "The CSN is defined by the customer during personalization …it is usually unique…may be set to any value."

Clearly, there is no guarantee of the authenticity of a CSN, and CSN readers compromise security.

When Should a CSN Reader Be Used?

CSN readers are very useful as a temporary solution to migrate from one smart card manufacturer to another. A single reader can be used to read both the existing cards, using their CSN, and the new replacement cards, using full security and authentication. This provides a window of time to replace the cards. When all of the existing cards have been replaced, the reader can then be instructed to turn off its CSN reading capability. For maximum security, it is best to keep the replacement time period as short as possible.
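The difference between a CSN read and an authenticated read, and why the CSN fallback of a migration reader must be switched off, can be made concrete with a small model of both sides of the transaction. The following is an added example, not code from the white paper or from HID Global, and it is not the MIFARE or iCLASS protocol: the HMAC-based mutual challenge-response, the per-card key diversified from a master key, the master key itself and the UIDs are all constructed stand-ins for illustration. What it does reproduce is the property the paper relies on: the CSN is handed out during anticollision before any authentication, so an emulator can claim any CSN it likes, but without the card's key it cannot survive the handshake.

```python
"""Why a CSN is not a credential: a simplified model of a reader that
(a) reads the CSN during anticollision, which any card or emulator can
answer, and (b) then runs a mutual challenge-response before reading the
protected credential. The csn_fallback flag models the migration mode
described above, which must be switched off once the old cards are gone.

Added example, not from the white paper. The HMAC handshake and the
diversified per-card key are stand-ins for illustration, not the real
MIFARE or iCLASS protocols; the master key and UIDs are constructed."""
import hashlib
import hmac
import secrets

MASTER_KEY = b"constructed-demo-master-key-not-real"  # assumption


def diversify(master_key, uid):
    """Per-card key derived from the master key and the card's UID, so that
    extracting one card's key does not reveal another's."""
    return hmac.new(master_key, uid, hashlib.sha256).digest()


class GenuineCard:
    """Holds a secret key and a credential in protected memory."""

    def __init__(self, uid, credential, key):
        self.uid = uid
        self._credential = credential
        self._key = key
        self._reader_ok = False

    def anticollision(self):
        return self.uid  # the CSN: always readable, no authentication

    def challenge_reader(self):
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def verify_reader(self, proof):
        expected = hmac.new(self._key, b"reader" + self._nonce,
                            hashlib.sha256).digest()
        self._reader_ok = hmac.compare_digest(expected, proof)
        return self._reader_ok

    def respond(self, reader_nonce):
        if not self._reader_ok:
            raise PermissionError("reader not authenticated")
        return hmac.new(self._key, b"card" + reader_nonce,
                        hashlib.sha256).digest()

    def read_credential(self):
        if not self._reader_ok:
            raise PermissionError("reader not authenticated")
        return self._credential


class EmulatedCard:
    """Attacker's device: replays a UID captured from a real card and plays
    along with the protocol, but holds no key, so its responses are garbage."""

    def __init__(self, uid):
        self.uid = uid

    def anticollision(self):
        return self.uid

    def challenge_reader(self):
        return secrets.token_bytes(16)

    def verify_reader(self, proof):
        return True  # cannot check the reader, does not need to

    def respond(self, reader_nonce):
        return bytes(32)

    def read_credential(self):
        return None


class Reader:
    def __init__(self, master_key, csn_fallback):
        self.master_key = master_key
        self.csn_fallback = csn_fallback  # True = migration mode, CSN reads allowed

    def transact(self, card):
        uid = card.anticollision()
        key = diversify(self.master_key, uid)
        # Mutual authentication: the reader proves itself to the card first,
        # then the card proves itself to the reader.
        reader_proof = hmac.new(key, b"reader" + card.challenge_reader(),
                                hashlib.sha256).digest()
        authenticated = False
        if card.verify_reader(reader_proof):
            reader_nonce = secrets.token_bytes(16)
            expected = hmac.new(key, b"card" + reader_nonce,
                                hashlib.sha256).digest()
            authenticated = hmac.compare_digest(expected,
                                                card.respond(reader_nonce))
        if authenticated:
            return ("authenticated", card.read_credential())
        if self.csn_fallback:
            return ("csn-only", uid)  # identity is whatever the card claimed
        return ("rejected", uid)


if __name__ == "__main__":
    uid = bytes.fromhex("04a1b2c3")
    real = GenuineCard(uid, (42, 1042), diversify(MASTER_KEY, uid))
    clone = EmulatedCard(uid)  # same CSN, no key
    for mode in (True, False):
        reader = Reader(MASTER_KEY, csn_fallback=mode)
        print(f"csn_fallback={mode}:", reader.transact(real),
              reader.transact(clone))
```

With `csn_fallback=True` the emulator is admitted on the strength of the UID alone, exactly as a genuine legacy card would be, which is the migration window the paper says to keep as short as possible; with the fallback off, the same emulator is rejected while the genuine card still passes. A card personalised under a different master key also fails the handshake, which is the reason the paper asks for the media keys to be rolled once a migration is complete.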


Using the CSN for anything other than its intended use severely reduces the security of a contactless smart card. In other words, CSN is really an acronym for Compromisable Serial Number. When implementing and deploying contactless smart card technology, always consider the following:

1. Contactless smart cards are secure when used properly.
2. Using the CSN of a contactless smart card bypasses the security built into smart cards.

Understanding the security risks associated with using the CSN instead of reading the data protected by security mechanisms will help ensure that the proper protections are in place for both personnel and property.

hidglobal.com
© 2012 HID Global. All rights reserved. HID, the HID logo, and Genuine HID are trademarks or registered trademarks of HID Global in the U.S. and/or other countries. All other trademarks, service marks, and product or service names are trademarks or registered trademarks of their respective owners.
Revision 1.2
