The use of contactless smart cards and RFID fobs for building access control aids security through manageability, while maintaining convenience. Card-based digital identity credentials can easily be invalidated or updated in a centralised physical access management system when someone loses their card or leaves the organisation, and various restrictions can be applied to control how and when doors may be used by individuals.
Unfortunately the actual security of the RFID door access card and key-fob technology used is not always considered, resulting in the widespread use of insecure card technologies that expose organisations to significant risk. These same cards are often used for other applications, such as on-demand printing of sensitive documents, without further consideration around security!
There are now low cost, hand-held, card duplication kits available on eBay that can be used to quickly and easily make clones of many types of RFID credentials used for building access. Other equipment is also available that allows RFID access cards to be read unnoticed from a distance, and their comms intercepted, emulated and even relayed over the internet.
Older standards of RFID credential rely on a simple manufacturer chip serial number or a programmed identification number which is not protected from being read by any reader. These can also be copied and re-written to another card without restriction. More recent standard RFID credentials store additional identity information securely, and this can only be read following mutual authentication with authorised readers.
These newer RFID card technologies tend to be based on secure 13.56MHz technology governed by ISO-14443 or ISO-15693, some with additional layers of data encryption and various different methods of encryption key management.
| Technology | Chip serial number (CSN/UID) | Programmed ID number | Mutual authentication & encrypted data transfer between card and reader |
| 125kHz EM/Prox etc. 13.56MHz LEGIC Prime |
Can be copied | Can be copied | x |
| MIFARE Classic | Can be copied | Can be copied | Flawed |
| iCLASS SE/SEOS | ✓ | ✓ | ✓ |
| MIFARE DESFire EV1/2 | ✓ | ✓ | ✓ |
| LEGIC Advant | ✓ | ✓ | ✓ |
125kHz EM/Prox + LEGIC Prime
These technologies provide a very basic level of RFID identification using freely readable ID numbers. Cards and fobs can be easily cloned and replicated, even without access to the original physical article.
13.56MHz MIFARE Classic
In addition to a freely readable chip serial number, identification data can be stored in fixed password protectable memory areas (or blocks). Available with either 1K or 4K bytes of overall storage, there is a simple key system for controlling read and/or write access to each block. Authentication and encrypted communications between the card and reader relies on a flawed algorithm, making it possible for cards and fobs to be cloned.
13.56MHz iCLASS SE/SEOS
Available with various memory capacities from 256 up to 16K bytes, the older iCLASS SE cards make use of an HID proprietary encryption algorithm, based on DES, with mutual authentication between card and reader, while iCLASS SEOS employs 128 bit AES encryption and diversified session keys. Additional layers of security can be provided by using HID’s Secure Identity Object concept, while SEOS is designed to make identity credentials portable, allowing a common ID to be used on Android and IOS platforms, via NFC & Bluetooth, as well as on smart cards. HID typically owns and manages the access and encryption keys.
13.56MHz MIFARE DESFire EV1/2
Available with 2K, 4K or 8K byte memories with a flexible file system that and can support up to 28 (or for the EV2 version an unlimited number of) different applications and up to 32 files per application. Secure open encryption standards supported include: 56-bit, 112-bit, 168-bit DES/3K3DES or 128-bit AES, with mutual three pass authentication between card and reader. Organisations can encode DESFire credentials themselves using their own bespoke access and encryption keys, thereby avoiding any reliance on third parties to protect critical card encoding information.
13.56MHz LEGIC Advant
Available with 256, 1K & 4K byte memories that can accommodate up to 12, 59 or 127 separate applications. Stored data encryption options include AES128, AES256, 3DES and LEGIC encryption with mutual authentication and data transfer encryption between card and reader using various algorithms according to the card chosen. ISO 15693 standard cards are available that provide extended reading ranges of up to 70cm, while LEGIC Advant virtualized credentials are available for use on other media, such as credit cards and NFC Smartphones.
Other security considerations
While cards are often printed for use as photo ID, users should be wary of cards that have the access control ID information printed on them. ID numbers and other printed codes may potentially be used to produce or obtain duplicate RFID credentials, even from a photograph of a card.
It’s important to ensure that RFID credential security features of a particular technology are fully exploited, rather than relying on default ‘off-the-shelf’ configurations. This means asking questions about how keys and secure IDs are generated, assigned and re-used.
Some organisations should consider whether a reliance on several third parties in their supply chain in keeping RFID credential encoding information confidential poses an unacceptable risk.
Proprietary RFID credentials not only lock organisations in to limited supply options, but may depend on an unproven ‘security through obscurity’ design, rather than rigorously validated open security standards.
Standard RFID credential technologies can be combined with other smart card security credentials in a single ID card for door access, IT log-on, cashless vending and other identity and access applications. Implemented properly, these can significantly increase overall security and reduce lost cards, card ‘sharing’ and door ‘tailgating’.
Summary
Up-to-date RFID technology standards do provide highly secure, highly manageable and cost effective solutions for door access control applications, but some consideration of the appropriate standards and utilization of the extensive security features is essential.
For help in selecting the most appropriate RFID credentials for your physical access control requirements contact Smartcard Focus. With a highly experienced in-house R&D team providing in-depth technical support, Smartcard Focus has become the trusted source for many different smart card technologies to customers worldwide.