An end-to-end secure access control system

Finding the weakest link

An access control system is like a chain made up of several links: the access badge, the reader, the access control unit hosting the credentials’ database, the door opener, the encoding terminal, the software managing the users’ access rights, and so on.

In this chain the weakest link has long been the access badge. Using the UID of basic cards, or MIFARE Classic® cards that are not well secure, jeopardizes the whole security of a building. On the contrary, a modern contactless smartcard used as a badge offers a certified high intrinsic security (such as EAL4+, or EAL5). In this case, if a weaker link can be found elsewhere in the system, no ‘hacker’ will waste his time trying to break the card.

Hiding the key

In a classic scheme, the reader must perform a cryptographic authentication to ensure a card is authentic. This operation generally relies on symmetric algorithms: they are faster and the cards are cheaper. This means that the reader and the card both know the same secret key. Pulling off the reader, dissecting it until the secret key is discovered, enables to create as many counterfeit cards as desired.

To thwart this attack, the key should be stored in every reader, in a secured component with EAL4+ certification (or more). A SAM (Secure Access Module) is such a component: it is a SIM-sized smartcard. A SE (Secure Element) can also play this role: the chip is directly soldered on the PCB. This approach has the drawback to lead to an extra charge for each reader.

Pay attention to whom you trust!

As it becomes impossible to recover a secret key stored in a SAM- or a SE- equipped reader, the communication between the reader and the cards cannot be the weakest link anymore. The weakest one becomes the communication between the reader and the access control unit. Once the reader is pulled off the wall, the hacker can replace it with another one that will inject valid badge numbers on a Dataclock, Wiegand or non-secured RS485 link.

As the reader is considered secure, the access control unit receives each number considering they come from a valid badge. But they just come from a replay of a previous communication or a downright faking.

Seeking for quality instead of quantity

Seeking to secure each link of a complex chain is far too costly and dramatically increases the complexity of site administration and operation. The KISS principle (Keep It Simple, Stupid) is good to follow: it is much better not to secure anything at all, the two ends of the chain excepted. The intermediate links then become passive -or we could say ‘transparent’-. Their security level no longer is important since they are crossed only by an end-to-end secure flow.

In practice, the ‘reader’ -a device that is just in charge to obtain data- should be replaced by a ‘coupling device’. This means to replace the ‘reader’ by an electronic object that does not have any application’s logic. It is then a simple gateway between the contactless card and the application that runs on the host system. The host system will take place in the access control unit. They both will be physically protected -in a technical cabinet located in a secured area- far from the door to be controlled.

SpringCard solution is FunkyGate PC/SC

Our FunkyGates are wall readers that become PC/SC coupling devices in a snap, just by changing the firmware. They communicate with the access control unit over Ethernet (TCP/IP protocol) or using a dedicated RS-485 bus. They can be implemented thanks to a standard PC/SC driver, available under Linux and Windows, or in a lower implementation level that is based on the CCID standard. This solution enables to target better performances or to overcome limitations of operating systems.

Our FunkyGate-IP PC/SC over Ethernet also exists in a POE (Power-Over-Ethernet) version, in which the network cables carry electrical power. That reduces installation costs.

How to implement an end-to-end secure system?

Once the coupling device is installed, the access control unit is placed in a secure area, and the communication between both is ensured, there is one main thing remaining concerning the application level: embedding in the control unit the functional authentication of the Badge and secure reading of its identifier. It is also a good idea to upgrade the hardware platform to add a SAM or a SE to store the keys -a much cheaper solution than the one with a SAM or an OS per reader, since a access control unit controls many doors!

SpringCard engineers are experts in the implementation of smart cards and in the writing of robust applications to reach the best of security configuration. Do not hesitate to call on them to design your own security architecture or implement it in your access control units.

Published on 3/14/2017