Secure Physical Access Control Enhanced Reader
Implementation of physical access control systems (PACS) assumes the realization of unambiguous identification of each user of the system. One of the most widespread methods of users’ identification is application of personal contactless cards. The contactless reader reads out the unique identifier of a card/user from a card in a distance of several centimeters, and through the interconnection link transmits it into the PACS controller, which "decides" about the access of the user into the controlled area on the basis of the authorization matrix. Therefore, security of the system is basically defined by the protection level of the protocol of interchanging between a card and a reader from threats of card fake/emulation.
Thus, the absolute majority of PACS installed in the territory of CIS today, either does not support cryptographic protection (i.e. store and transmit the card identifier in the insecure way), or uses the "proprietary" cryptographic algorithms with the limited key length (usually 48-96 bits). The «closeness» of the algorithm means that its structure is the confidential information of corespondent vendor, and the algorithm has not passed an independent audit of security (for example: Mifare Crypto1, EM Crypto, My-D Crypto). Thus, as a rule, easy-to-implement stream cipher is used, and its firmness is based on "privacy" of the conversion, therefore, after its re-engineering, the task of the key retrieval moves from cryptanalytic field to engineering one. Another widespread weakness of popular PACS using cryptography cards (for example, MIFARE Standard) is non-transparency or total absence of keys handling subsystem. The private keys of cards and readers are often defined directly by the manufacturer; therefore, the security structure of the customer should assume the policy of absolute trust to the manufacturer.
The upcoming trend of development of the modern PACS is the application of the contactless smart cards supporting approved cryptography with known strength level (for example, Triple-DES or AES).
The MIFARE DESFire EV1 cards supporting cryptographic algorithms TripleDES (168 bit key) and AES (128 bit key) possess the greatest protection index among the low-end contactless cards. Besides, these cards have a flexible file system and supporting of the mechanism of "transactions" that allows to create safe applications of micro payments on their basis. The MIFARE Ultralight C cards having lower price and supporting the TripleDES algorithm with a key length of 112 bits are also of interest.
Microcrypt Technologies Ltd. offers own solution for cryptographic protection of contactless cards for monitoring and access control systems. Our solution includes system of the contactless intellectual readers supporting MIFARE DESFire and MIFARE Ultralight C cards, and also the auxiliary software which ensures flexible handling of PACS key system and audit of appropriate processes. The main advantages of our solution are:
All stated advantages of SPACER allows to eliminate the aforesaid problems, common for traditional solutions on the basis of RFID, and to create fully-featured system of security on the basis of a wide range of existing PACS.
The main functional specifications of the system:
SPACER system hardware is developed on Smart-RF Platform platform and includes three types of readers:
"Executive" readers are fulfilled in a housing for wall mounting, "Root" and "Master" readers are the service readers and are made for desktop usage.
The service reader allows fulfilling of the configuration (limitation) of its functionality at a stage of the primary initialization executed by the Customer. Thanks to this, the organizational-technological separation of staff's authorities using these readers is possible. The separation of the following authorities is available at configuration level:
Besides, each reader allows to divide authorities of operators by authorization on the basis of PIN-code (password). For this purpose it is possible to define two PIN-codes: «Administrator» and «Security Officer» at the stage of primary initialization of the reader. The functional separation of authorities is fulfilled as follows:
Except readers the system includes the software for OS Windows 2000/XP/2003/2008/Vista, intended for customization of the system, handling of the readers and fine integration with indirect ACS software. The system software functions include:
The system software includes the range of applications realizing the main functional roles:
And also tools of integration with indirect developers of PACS software:
We were guided by two principles while creating our system: support of uncompromising security and simplicity of service.