and how you can benefit from Smart card technology without being tied to one manufacturer
Neill Williams, Director of Smart R Distribution, explains how end-users looking to upgrade their Access Control system can do so by enhancing what they already have, rather than ‘rip and replace’.
“You have to know the past to understand the present.” Carl Sagan
The main objective of this article is to raise awareness as to how end-users can be in control of the future of their system by having ownership of the ‘keys’ built into the Access Control cards. Before explaining why and how this is achievable, I believe it would be useful to take a brief look at how card technology has evolved over the last 40 years or so.
In the beginning there was Magstripe Access Control card and reader technology. At the time of its introduction it had a ‘wow’ factor with many impressed that for the first time, a person’s access credentials could be loaded onto a plastic card and this could be done by an installer, systems integrator or the end-user. The card, however, was poor from a security point of view as card duplicators quickly became available online, enabling anyone to overwrite or copy a card.
In the 1980s there was a big move towards using Wiegand cards because they offered a far higher level of security with proprietary encoding formats, i.e. the way that data is laid out on a card. An open format using 26 bits of Wiegand data was adopted as the de facto standard, but access control system manufacturers looking for higher security reserved Wiegand formats of their own, which were only sold to the system manufacturer who reserved them.
Wiegand cards were almost impossible to build in the first place, let alone copy, and were more reliable in terms of reading a card swiped at any speed. However, the complexity of manufacture carried a penalty of lead times of up to 6-8 weeks and there were often gaps in the number range, with cards failing at the point of manufacture.
Wiegand swipe cards were replaced as the technology of choice by Proximity cards because, as well as being more secure than Magstripe, they were also much more convenient to use and could be programmed to order and supplied within 2 weeks. They provided very reliable reading without having to swipe a card through a reader and with no batteries in the cards, they were also very reliable and offered longevity.
With the expiry of some of the patents relating to Proximity card technology, we arrived at a situation where any manufacturer could produce compatible cards and readers. Furthermore, without the protection of patents and with the data being stored ‘in the open’, cards could easily be cloned. The criminal fraternity, for example, could perform a ‘man-in-the-middle’ attack and capture data by standing between a card and a reader, with the data (i.e. the card’s ID number) being rewritten to another card or simply replayed by using some electronics.
Although card cloning can be an issue, it is widely accepted that for building security purposes, the best way to combat the threat is to use a second factor of authentication, e.g. a PIN or some form of biometric identification.
Contactless smart cards
With processing power becoming much faster as well as cheaper, we saw the development of contactless memory cards which are more commonly known as contactless Smart cards. These require a key to be embedded in the card and reader, which offers a real security improvement over the traditional ‘Beep and Click’ of proximity.
At the same time that the Access Control industry was embracing advances in technology, the ability to carry stored data on a piece of plastic was also being adopted by other market sectors and in particular, transport in terms of fare collection and ticketing. Hence the development of the MIFARE® card, which was designed as an electronic bus ticket. Having recognised the potential for its wider use, the International Standards Organisation (ISO) decided to introduce a number of standards covering the technology.
The consequence of the introduction of these standards was that much of the proprietary nature of Proximity Access Control technology (and Wiegand before it), which was based around the card formats, became virtually redundant. This was because anybody could now write virtually anything to a MIFARE® card (or the now more advanced MIFARE® DESFire® card), as long as they followed the ISO standards.
CSN reading Vs Programmed cards
The standardisation, however, also gave us the Chip Serial Number or CSN, which meant whenever a card came within range of a compatible ISO 14443 reader, it would give out its chip serial number. This arguably makes it less secure than a Proximity technology based card, because if you can read it, you can copy it!
Contactless smart card technology was never intended to be used in this way. It was instead designed to have information in a sector of the card protected by secure keys and on the basis that if keys within a reader do not match the keys in a card, you would not be able to see the information, thus making it very difficult to copy.
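The difference between the two ways of using a card can be shown with a small model. This is an added example, not code from any card or reader manufacturer: the Card class, the reader functions and the sample serial number are constructed for illustration, and HMAC-SHA256 stands in for whatever cipher a real card uses.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SITE_KEY = secrets.token_bytes(16)             # constructed key, owned by the site
GENUINE_CSN = bytes.fromhex("04a1b2c3d4e5f6")  # constructed 7-byte serial number


class Card:
    """Toy card: a readable serial number and, optionally, a secret key."""

    def __init__(self, csn: bytes, key: Optional[bytes] = None):
        self.csn = csn      # given to any compatible reader that asks
        self._key = key     # never leaves the card

    def respond(self, challenge: bytes) -> bytes:
        # HMAC-SHA256 is an assumption standing in for the card's real cipher.
        key = self._key or bytes(16)   # a card without the key can only guess
        return hmac.new(key, self.csn + challenge, hashlib.sha256).digest()


def csn_only_reader(card: Card, enrolled: set) -> bool:
    """Grants access on the chip serial number alone."""
    return card.csn in enrolled


def keyed_reader(card: Card, enrolled: set, site_key: bytes) -> bool:
    """Grants access only if the card proves it holds the site key."""
    if card.csn not in enrolled:
        return False
    challenge = secrets.token_bytes(16)   # fresh per read, so old replies are useless
    expected = hmac.new(site_key, card.csn + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(card.respond(challenge), expected)


def compare_readers() -> dict:
    enrolled = {GENUINE_CSN}
    genuine = Card(GENUINE_CSN, SITE_KEY)
    copy = Card(GENUINE_CSN)              # same serial number, no key
    return {
        "csn_only/genuine": csn_only_reader(genuine, enrolled),
        "csn_only/copy": csn_only_reader(copy, enrolled),
        "keyed/genuine": keyed_reader(genuine, enrolled, SITE_KEY),
        "keyed/copy": keyed_reader(copy, enrolled, SITE_KEY),
    }


if __name__ == "__main__":
    for case, granted in compare_readers().items():
        print(f"{case:18} -> {'granted' if granted else 'denied'}")
```

The CSN-only reader cannot tell the copy from the genuine card, while the keyed reader rejects the copy because it cannot answer a fresh challenge.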
Unsurprisingly, hackers soon realised they could easily copy the chip serial number of a MIFARE® card and so the technology does not offer any improvement in security compared to Proximity. With Proximity technology you get a fixed site code, standardisation on the card format and a sequential card number. This is often printed as a matching number on the outside of the card and so you always know which ones are which and can enrol cards in sequential batches, without having to present each card to a reader.
Therefore, although using unprogrammed cards with CSN is cheaper, it is much less convenient, and issuing cards is certainly more time consuming if the CSN is not printed on the outside of the card. This is because every card has to be individually presented to an access control reader in order to capture the CSN and then allocate it to a person who is being authorised to use an Access Control solution.
It should be noted that there are two different sets of MIFARE chip serial numbers. The first are 32-bit serial numbers which, with a limited number of possible configurations, have been repeatedly used by different manufacturers and as a result have become known as non-unique IDs (NUID). The second are a longer 56-bit Unique ID (UID) set of chip serial numbers, which offer billions of possible combinations of serial numbers.
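To show why a fixed site code and a sequential card number make batch enrolment possible, the following added example (not from the article or any manufacturer) encodes and decodes the open 26-bit format mentioned earlier. It assumes the widely used layout of one even-parity bit, an 8-bit site code, a 16-bit card number and one odd-parity bit; the function names and sample values are illustrative.

```python
def _ones_parity(value: int) -> int:
    """Return 1 if value has an odd number of set bits, else 0."""
    return bin(value).count("1") & 1


def encode_26bit(site_code: int, card_number: int) -> int:
    """Build the 26-bit frame for a site code (0-255) and card number (0-65535)."""
    if not 0 <= site_code <= 0xFF or not 0 <= card_number <= 0xFFFF:
        raise ValueError("site code or card number out of range for 26-bit format")
    data = (site_code << 16) | card_number      # 24 data bits
    even = _ones_parity(data >> 12)             # leading 13 bits end up with even parity
    odd = _ones_parity(data & 0xFFF) ^ 1        # trailing 13 bits end up with odd parity
    return (even << 25) | (data << 1) | odd


def decode_26bit(frame: int) -> tuple:
    """Check both parity bits, then return (site_code, card_number)."""
    if not 0 <= frame < (1 << 26):
        raise ValueError("not a 26-bit frame")
    data = (frame >> 1) & 0xFFFFFF
    if _ones_parity(data >> 12) != (frame >> 25):
        raise ValueError("even parity check failed")
    if _ones_parity(data & 0xFFF) == (frame & 1):
        raise ValueError("odd parity check failed")
    return data >> 16, data & 0xFFFF


def batch_enrol(site_code: int, first_card: int, count: int) -> dict:
    """Map each expected reader frame to the number printed on the card."""
    return {encode_26bit(site_code, n): n
            for n in range(first_card, first_card + count)}


if __name__ == "__main__":
    frame = encode_26bit(123, 4567)             # constructed sample values
    print(f"{frame:026b}", decode_26bit(frame))
    print(len(batch_enrol(123, 4567, 100)), "cards enrolled without a reader")
```

Because every field is predictable from the printed number, a whole box of cards can be enrolled from the first number and the count; an unprogrammed card's CSN offers no such pattern.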
Don’t be held to ransom – Own your own keys!
Access Control manufacturers and system integrators of Smart cards and readers have developed proprietary card and reader programming which further enhances the level of security and in this respect, they supply their cards with proprietary or custom keys. It is important to note that if you use cards with proprietary keys, you will only be able to order additional cards from the same manufacturer you originally decided to work with, whilst if you buy cards with custom keys, you will have to continue buying them from the original system supplier.
Simply put, having invested in a specific manufacturer’s readers and cards means that going forward you can only expand the system by ordering additional readers or cards from the same supplier. As a consequence, recent chip shortages have seen some end-users having to wait up to 11 weeks for delivery of new cards, as they have not had the option to seek out an alternative supplier.
How to free yourself from being tied to one supplier?
Installers of Access Control systems will have end-user clients currently using either Magstripe, MIFARE® or DESFire® cards, as well as those just using basic barcoded cards. Whichever cards they may be using, there is a solution available which harnesses a combination of existing technologies to read and capture the data on each card presented to an existing end-user’s reader. The solution will then interact with a reader/writer which will write the captured data to a replacement card, but with the end-user’s own keys.
The solution will also facilitate the addition of unrestricted keys to existing cards for those end-users who for whatever reason, do not wish to continue working with the original Access Control solution provider, but have a need to upgrade or expand the system. With the unrestricted keys sitting alongside non-proprietary or custom keys, the cards will be recognised by both the existing readers and any new readers sourced from another manufacturer, without the need to totally re-enter the IDs and credentials of everyone on the database.
We expect installers, system integrators and their end-user clients, regardless of the size of their existing Access Control, to be interested in this solution. However, it is likely to be of particular interest to businesses who employ large numbers of people, as it will allow them to replace existing readers at their own pace, as well as avoid the cost of having to buy and program new cards and with the added bonus of no plastic waste. As the chips in the cards cannot be recycled, continuing to use the same cards also avoids wastage of natural resources.
Want to know more? Speak to your card supplier or email email@example.com for free, no obligation advice on moving to owning your own keys.