Page 30 - Security Today, January/February 2021
SMART CARDS
“These systems operate on the assumption that the token is in close proximity to the reader.”
tomer could then order single technology smart cards, as the dual frequency would no longer be required. An added security benefit is that, once all of the proximity readers were replaced, there was no possibility that proximity cards could ever be introduced into the system again. To track usage of the copiers and printers, Farpointe provided USB readers that allow the new DESFire EV2 credentials to serve the same function.
A QUICK REVIEW OF THE TECHNOLOGIES ADDED
As the customer was very concerned about increasing the security of their access control system, let’s review what the migration from proximity to smartcard technology has achieved. Today, 13.56 MHz contactless smart cards are used to provide increased security compared to 125 kHz proximity cards. One of the first terms you will discover in learning about smart cards is “MIFARE,” a technology from NXP Semiconductors. MIFARE enables two-way communication between the card and the reader.
MIFARE Classic was the original version of the MIFARE standard used in contactless cards. It stores the card number on one of its sectors, then encrypts the communication between the card and reader to theoretically make it impossible or, at least, very difficult to clone a card.
The newest MIFARE standard, DESFire EV2, includes a cryptographic module on the chip in the card itself to add an additional layer of encryption to the card/reader transaction. This is among the higher standards of card security. MIFARE DESFire EV2 protection is ideal for sales to providers wanting to use secure multi-application smart cards in access management, public transportation schemes or closed-loop e-payment applications. These cards are fully compliant with the requirements for fast and highly secure data transmission and flexible memory organization, and they provide interoperability with existing infrastructures.
According to Zerbib, the MIFARE DESFire EV2 contactless integrated circuit (IC) brings many more benefits. Cardholders can experience convenient contactless ticketing while also being able to use the same device for applications such as student ID, closed-loop payment at vending machines, access management and loyalty programs. System providers can offer or sell application space to third parties without having to share the master key. A MIFARE DESFire EV2 product-based card can hold as many different applications as the memory will support, and new applications can be loaded after the product is in the field. It’s like having an app store on a smart card.
One aspect of securing a card’s information is to make the internal numbers unusable; they must be encrypted. To read them, the system needs access to a secret key or password that provides decryption. Modern encryption algorithms play a vital role in assuring data security, providing:
• Authentication: the origin of a message.
• Integrity: contents of a message have not been changed.
• Non-repudiation: the message sender cannot deny sending the message.
Here is how it works. The number is encrypted using an encryption algorithm and an encryption key. This generates cipher text that can only be viewed in its original form if decrypted with the correct key. Today’s encryption algorithms are divided into two categories: symmetric and asymmetric.
Symmetric-key ciphers use the same key, or secret, for encrypting and decrypting a message or file. The most widely used symmetric-key cipher is AES (Advanced Encryption Standard), which is used by the government to protect classified information. Another common symmetric cipher, noted for its high speed of transaction, is TEA (Tiny Encryption Algorithm).
Asymmetric cryptography uses two different, but mathematically linked, keys, one public and one private. The public key can be shared with everyone, whereas the private key must be kept secret. RSA (named after Rivest, Shamir and Adleman) is the most widely used asymmetric algorithm.
Additional encryption on the card, transaction counters and other methods known in cryptography are then employed to make cloned cards useless or to enable the back office to detect a fraudulent card and put it on a blacklist. Systems that work with online readers only (i.e., readers with a permanent link to the back office) are easier to protect than systems that have offline readers, since with offline systems real-time checks are not possible and blacklists cannot be updated as frequently.
In addition to the functionality for multiple applications, smart credentials also increase the security of information kept on the card and stored in the facility. Zerbib adds that Farpointe’s Valid ID provides another anti-tamper feature available with contactless smartcard readers, cards and tags. At manufacture, readers, cards and tags are programmed with the Valid ID algorithm, cryptographically ensuring the integrity of the sensitive access control data stored on the card or tag.
With Valid ID, readers scan through the credential’s access control data searching for data discrepancies, which may occur during the counterfeiting, tampering or hacking of a contactless smartcard. Valid ID is an additional layer of protection to what is already available in smart card authentication, operating independently, in addition to, and above this standard level of security. In use, Valid ID allows a smartcard reader to effectively verify that the sensitive access control data programmed to a card or tag is not counterfeit.
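The two defensive ideas in the preceding paragraphs, a cryptographic integrity check over the data stored on the credential and a transaction counter that lets the back office spot a cloned card and blacklist it, are illustrated below in an added example that is not Farpointe's code. The page does not describe the Valid ID algorithm, so an HMAC-SHA256 tag under a constructed site key is used as a stand-in for the integrity check; the card UID, numbers and counters are constructed sample values.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed demo key; a real deployment keeps this in the readers/back office (assumption).
SITE_KEY = b"constructed-demo-site-key"


def sign_record(card_uid: str, facility: int, card_no: int, counter: int) -> bytes:
    """Integrity tag over the access-control data written to the card.
    Binding the chip UID into the tag means data copied onto another chip fails to verify."""
    msg = f"{card_uid}|{facility}|{card_no}|{counter}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).digest()


@dataclass
class BackOffice:
    """Online back office: sees every read, so it can check counters in real time."""
    last_counter: dict = field(default_factory=dict)   # card_uid -> highest counter seen
    blacklist: set = field(default_factory=set)        # would be pushed to offline readers

    def check(self, card_uid: str, facility: int, card_no: int, counter: int, tag: bytes) -> str:
        """Return 'grant', 'bad_tag', 'replay' or 'blacklisted'."""
        if card_uid in self.blacklist:
            return "blacklisted"
        # 1. Integrity: the stored data must verify under the site key (constant-time compare).
        if not hmac.compare_digest(tag, sign_record(card_uid, facility, card_no, counter)):
            self.blacklist.add(card_uid)
            return "bad_tag"
        # 2. The transaction counter must strictly increase; a cloned snapshot replays an old value.
        if counter <= self.last_counter.get(card_uid, -1):
            self.blacklist.add(card_uid)
            return "replay"
        self.last_counter[card_uid] = counter
        return "grant"


def demo() -> list:
    office = BackOffice()
    uid, fac, num = "04A1B2C3", 101, 54321             # constructed sample credential
    results = []
    # Genuine card presented twice: counter 7, then 8.
    results.append(office.check(uid, fac, num, 7, sign_record(uid, fac, num, 7)))
    results.append(office.check(uid, fac, num, 8, sign_record(uid, fac, num, 8)))
    # A copy taken when the counter was 8 replays a value the back office has already seen.
    results.append(office.check(uid, fac, num, 8, sign_record(uid, fac, num, 8)))
    # The UID is now blacklisted, so even a plausible next counter is refused.
    results.append(office.check(uid, fac, num, 9, sign_record(uid, fac, num, 9)))
    # Data edited without the site key (card number changed): the tag no longer verifies.
    results.append(office.check("04DEADBEEF", fac, 99999, 1, sign_record("04DEADBEEF", fac, 54321, 1)))
    return results
```

With offline readers only the blacklist can be enforced at the door, and only as often as it is distributed, which is the limitation the paragraph above describes.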
TRANSPARENT TO THE USERS
With all the immense changes to the inside of the access control system, the one thing that surprised Zerbib is that no employee ever reacted to the changes in the system. “There was no downtime and nobody got locked out. They never noticed.”
Tom Piston is the East Coast Sales Manager at Farpointe Data.