Today’s heightened cyber and physical threat climate means there is a greater need for protecting staff and customers along with intellectual property and sensitive information. Additional countermeasures must be implemented in order to guard against unauthorised physical access to an organisation by criminals, competitors, activists, terrorists, foreign intelligence agencies and media.

Access control systems, like all digital systems, need to be protected against the threat of snooping, attack and cloning of credential information. Gone are the days when a 125Khz Proximity Card and Reader system (or other systems that have been previously compromised) could provide peace of mind against these threats.

The key to achieving a secure system and to eliminate, or at least reduce, the possibility of snooping, hacking and cloning is to ensure data (both held and transmitted) is encrypted with approved crypto standards such as 3DES and AES.

There are four key areas which require encryption when it comes to access control, these include:

  1. Protection of the data on the credential (card),
  2. Protection of the RF transmission between the Credential and the Smart Reader,
  3. Protection of the data within the Smart Reader, and;
  4. Protection of the data between the Smart Reader and the Access Control Panel “ACP”.

Protection of the data on the credential, during transmission between the card and the Smart Reader is achieved using a common-criteria certified open technology such as; MIFARE® DESFire® EV1 & EV2 and MIFARE Plus™ with techniques such as diversified keys and random UID.

Securing data on the reader requires both hardware and software protection techniques involving the NXP® chip and other encryption methods and countermeasure techniques. Ensuring the integrity of the data communication between the smart reader and the ACP can be achieved using RS485 communication with AES encrypted proprietary or Open Source Data Protocol “OSDP”.

The use of encrypted OSDP works very well where the ACP is OSDP enabled, however, many of the older panels on the market and in use today use insecure Wiegand inputs as the communication protocol between the card reader and the Access Control Panel. In this case, a decoder (sometimes called an HSM (High Security Module)) is mounted in the secure next to the ACP to decode the AES encrypted proprietary or OSDP communication to Wiegand protocol for use by the ACP.

An advanced access control manufacturer can also offer a Wiegand to AES encrypted RS485 OSDP convertor and an RS485 OSDP to Wiegand convertor set to allow most other manufacturer’s Wiegand output Smart Readers to have secure, AES encrypted data communication to help guard against replay attacks.

Finally, the most critical part of any access control system is the smart reader and credential solution. A secure, therefore, a cost-effective upgrade to your organisation’s system can, in many cases, be achieved without a costly ACP upgrade or replacement.


Author: Geoff Cleaves – Chief Executive Officer (CEO) & Director at MaxSec Group Limited / BQT Solutions