Reader and Card Security Considerations
An Access Control System is made up of many elements: selection of a panel whose feature set supports proper verification and enrolment procedures, and ongoing credential maintenance procedures for keeping the lists of approved and unauthorised credentials current.
Perhaps the most important component is the choice of Smart Reader and Card technology, which must provide enough security to address the risk of false credentials being presented, or of other communications compromise through hacking and cloning of authorised credentials and reader data.
Choosing the right technology for the security risk is vitally important
Proper risk analysis is the key to ensuring that the right Smart Reader choice is made. Some Smart Reader products, such as 125 kHz prox or CSN/UID readers, offer no protection against hacking and cloning of cards. Others are based on technology platforms that have been compromised, but the level of sophistication required, or other countermeasures that are installed, make the platform sufficient for medium security applications. Then there are the high security Smart Reader and Card systems, designed on technology platforms that support higher encryption standards which are considered safe for protecting sensitive and classified data.
Many Access Control System designs are founded on ease of maintenance and use. That often comes at a cost to system integrity, especially where reader technology is chosen primarily for the ease of buying and administering an off the shelf solution that offers little or no encryption, and hence little security.
BQT Solutions miPASS card and reader systems offer economical “off the shelf” convenience with the right level of encryption and security for both medium and high risk security applications. We can also provide tailored Smart Reader and Card systems with custom “secret” keysets and/or encoders and configuration software for larger organisations or classified installations.
A Card Reader communicates in two directions: with the access Credential over radio frequency, and with the Access Control Panel via a protocol such as Wiegand. For a security risk analysis to be complete, both of these communication paths must be examined for the risk of data compromise, which then determines the appropriate technology platform and encryption standard.
Card and Reader technology such as 125 kHz Prox, Card Serial Number (CSN) and UID readers, and some proprietary systems on the market offer no encryption and are easily hacked and cloned. BQT Solutions advise that medium security products such as our miPASS 2 Secure Card and Reader System, which includes modern MIFARE® Crypto1® encryption, may be implemented at a similar budget to non-encrypted technology, so there is now really no reason to expose an organisation to this type of hacking and cloning security risk.
The standard of Card and Smart Reader encryption for high security applications requires a higher level of encryption, such as Triple DES (3DES) and AES, which have been approved by organisations such as the US Department of Commerce National Institute of Standards and Technology (NIST) for the protection of sensitive and confidential data.
BQT Solutions miPASS 3 Secure Card and Reader system provides a suitable “off the shelf” solution which implements Triple DES (3DES) encryption between the Card and the Reader to protect against hacking and cloning of these communications.
BQT Solutions also offer a Smart Reader range that has custom keys and output formats as well as a choice of platform, encryption standard (as available for the platform) and output protocol. These readers offer MIFARE® Classic with Crypto1® encryption, MIFARE® DESFire® EV1 with DES, 3DES or AES encryption and/or MIFARE Plus® with AES encryption. Output protocols offered as standard include Wiegand and both plain and AES encrypted RS485.
Smart Reader Output (communication with the Access Control Panel)
Most access control panels on the market today receive data from the Smart Reader over the Wiegand protocol. This communication is unencrypted plain text and may be hacked and replicated to allow unauthorised access. Many models of BQT Solutions readers have the option of RS485 communications encrypted with AES. Data from the reader is then sent to a High Security Module (HSM) installed next to the Access Control Panel in a secure area, where it is decrypted back to Wiegand data for use by the Access Control Panel.
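As an added illustration, not BQT's code or wire format, the following Go example packs a 26-bit Wiegand word (which travels in clear text on a Wiegand line) and then models the AES-protected reader-to-HSM hop as AES-GCM frames carrying a sequence number, so that a captured frame fails when replayed or altered. The framing, the shared 16-byte link key and the use of the sequence number as nonce are assumptions of the example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"math/bits"
)

// Wiegand26 packs facility code and card number into the standard 26-bit word
// (even parity over the first 12 data bits, odd parity over the last 12).
func Wiegand26(facility uint8, card uint16) uint32 {
	data := uint32(facility)<<16 | uint32(card)
	p1 := uint32(bits.OnesCount32(data>>12) & 1)     // leading even-parity bit
	p2 := uint32(1 - bits.OnesCount32(data&0xFFF)&1) // trailing odd-parity bit
	return p1<<25 | data<<1 | p2
}

// Link is one end of the AES-protected RS485 hop (hypothetical framing): a strictly
// increasing sequence number is the AES-GCM nonce, so frames cannot be forged or replayed.
type Link struct {
	aead cipher.AEAD
	seq  uint64 // last sequence number sent (reader) or accepted (HSM)
}

func NewLink(key []byte) (*Link, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte shared link key
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	return &Link{aead: aead}, err
}

// Seal (reader side) returns nonce || ciphertext || tag for one Wiegand word.
func (l *Link) Seal(word uint32) []byte {
	l.seq++
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], l.seq)
	pt := []byte{byte(word >> 24), byte(word >> 16), byte(word >> 8), byte(word)}
	return append(nonce, l.aead.Seal(nil, nonce, pt, nil)...)
}

// Open (HSM side) authenticates a frame and rejects stale, replayed or altered ones.
func (l *Link) Open(frame []byte) (uint32, error) {
	if len(frame) != 16+l.aead.Overhead() { return 0, errors.New("bad frame length") }
	seq := binary.BigEndian.Uint64(frame[4:12])
	pt, err := l.aead.Open(nil, frame[:12], frame[12:], nil)
	if err != nil || seq <= l.seq { return 0, errors.New("forged, stale or replayed frame") }
	l.seq = seq
	return binary.BigEndian.Uint32(pt), nil
}
```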
Other Security Features
Diversified keys and Random UID enhance a Smart Reader and Card System’s security and integrity, making hacking and cloning of systems more difficult. Many BQT Solutions products include Diversified Key and Random UID techniques within their feature sets, providing additional peace of mind.
It has often been noted among security experts that the strength of an access control system lies not in the back end, which grants access based on a string of data that it receives, but in the authentication and verification of the individual seeking access. Essentially, this means that the security risk is mitigated at the Smart Reader.
As there are cost implications to each additional factor of authentication, most organisations determine their authentication and verification processes based on the constraints of time and money, and take a zonal approach, increasing the number of authentication factors as the security risk or the value of the property protected increases.
The multifactor approach to security is strongest at three factor authentication and verification, which combines three key ingredients:
- What you ARE (Biometric Information e.g. a fingerprint)
- What you HAVE (A credential such as a Smart Card)
- What you KNOW (A PIN, kept secret)
Backend Security Procedures and Controls
An Access Control System is only as strong as its weakest component or procedure. Just as important as the technology selection are the procedures implemented around enrolment, suspension of system users and custody of credentials. System lists of authorised and unauthorised issued credentials should be strictly maintained on an ongoing basis, strong policies should be adopted for lost or stolen cards, and practices such as tailgating and card sharing should be prohibited.
BQT Solutions has a range of Smart Reader products that cover all applications and risk levels, from low to high risk, and multiple factor authentication readers are available. Our technology is installed at over 3,500 sites globally and is trusted for some of the most high risk security applications in the world.
We offer both “off the shelf” secure Smart Reader and Card systems and tailored solutions which can be specified for any security application.