Credentials and Access Technology
Special thanks to Michael Traniello (Technical Systems Group) and Vernon Meyer (HID Global) for providing an informative update on Credentials and Access Technology at the April ASIS Rochester meeting.
Recording of the meeting: Credentials and Access Technology (April 2023)
Meeting slideshow: https://asisrochester.org/images/downloads/credentials_and_access_technology_presentation.pdf
Michael Traniello introduced the topic by outlining the current landscape of credentials: magnetic stripe cards, proximity cards and fobs (referred to as Prox), smart cards/fobs with higher-frequency communication and encryption, mobile credentials and biometrics. Prox still represents the majority of installed credentials but is being supplanted by smart and mobile technologies as companies and public institutions look to upgrade security, especially given the relative ease with which Prox credentials can be copied.
The life cycles of credentials are long. Prox, for instance, has been in use since the early 1990s, and the investment to upgrade can be a significant "lift", especially for larger entities with multiple locations and many access points.
The key planning considerations in credential and access systems are:
- What is being secured and the level of security required.
- The credential ecosystem. Can one credential be used for:
  - Access control
  - Electronic locking
  - Vending/food service/timekeeping
  - Identification
- Open technology to “futureproof” the solution.
Vernon Meyer explained the Credential Continuum, from 1st Generation Prox to the currently available 4th Generation smart technology.
- 1st Gen – Proximity (Prox), often referred to by its 125 kHz operating frequency, is an unauthenticated, unencrypted exchange between the card/fob and the reader: the card simply transmits a fixed identifier and the reader accepts it. As mentioned, Prox credentials can be copied and cloned with devices that are readily available, from key-copying kiosks to stand-alone handheld cloners.
- 2nd Gen – These are the first credentials with 13.56 MHz communication and a standardized exchange of secured information. The two main types are HID iCLASS (legacy) and NXP MIFARE Classic. The issue is that the proprietary ciphers and the master keys protecting that exchange have been published, which allows "bad actors" to use that information to read the credential's contents. These are therefore considered vulnerable: attacking them takes more than a kiosk, but anyone with the published research and the right tools can work to "hack" and clone the credential.
- 3rd Gen – These credentials also use 13.56 MHz communication but are built on stronger, standard cryptography (3DES, with AES also available on DESFire EV1) rather than the proprietary ciphers of the 2nd generation. There are no known breaches of this encryption. The main types are HID iCLASS SE and NXP DESFire EV1.
- 4th Gen – These credentials use an even higher level of encryption (AES) and a software-based (applet-style) architecture, making them extremely difficult to breach. Furthermore, the same credential format is the basis for use both in hard form and on mobile devices. The two main types are HID iCLASS SEOS and NXP DESFire EV3. Effectively it is like having an operating system built into the credential, providing layers of protection and future flexibility. The credential and the authenticating device (reader) must complete a mutual authentication, each proving that it holds the correct cryptographic key, before the identity information is released to the next step; a card that lacks the key, or a reader that lacks it, never gets that far.
Vernon also outlined how credentials are often used beyond door access with other systems (transport, vending, IT access, etc.), so it is important to understand these relationships before updating credential and access technology. The credential can contain several information segments, each secured at a different level. For instance, the highest level of security and key exchange may be used for access into facilities, while once inside, a lower level of security is used for other functions. Consultation is available to make these systems operate with a single credential.
Mobile credentials are currently mostly used in hybrid environments alongside traditional card-based credentials. Mobile credentials have several advantages: they are touchless, easily issued and revoked, use the highest level of security, provide a natural second authentication factor (the phone itself must be unlocked), and are generally not lost or forgotten. Many of the newer readers are mobile-ready, and some 3rd generation readers can be upgraded for mobile capability.
Vernon explained how mobile access systems work, with the issuance of credentials administered through secure portals. There are several ways in which mobile credentials can communicate with readers: holding the phone close to the reader like a card, from a distance with a gesture ("twist and go"), or requiring the phone to be unlocked (thus providing two-factor authentication). Mobile credentials work over BLE (Bluetooth Low Energy) and, in some cases, over NFC (Near Field Communication) on Apple devices, which requires the vendor's software integration as mandated by Apple Wallet.
In 4th generation credentials there are several options for ownership of the cryptographic keys, the "key data" used to authenticate credential and reader to each other before any identity data is exchanged. Standard keys fit 90+% of use cases: the same manufacturer key is loaded in every standard-profile credential and reader, which gives maximum compatibility while still using the highest level of encryption, but it also means any standard-profile reader, not just yours, can read the card. Elite keys are also provided by the manufacturer but are unique to a particular company/institution, which increases security: only credentials and readers sharing that elite key will work together. Private keys are owned and controlled entirely by the company/institution. This last option puts the onus on the company to generate, store, back up, rotate and distribute the key to every reader and credential, and should only be chosen for the highest-security cases, with a clear understanding of what maintaining that key material requires.
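To make the mutual authentication and the key-domain options concrete, here is an added illustration (not code from the page, HID or NXP) of the protocol shape a 4th generation credential follows: a fresh reader nonce, a card proof, a reader proof, and only then the identity record. HMAC-SHA256 stands in for the AES-based authentication the real cards use, and the key values, the `Acme` elite domain and the `FC42:1234` identity are constructed for the example.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stands in for the AES-based authentication used by
    DESFire/Seos; the protocol shape, not the primitive, is the point."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


# Constructed key material for the example. Real keys are provisioned by the
# manufacturer (standard or elite) or by the customer (private), never hard-coded.
STANDARD_KEY = hashlib.sha256(b"constructed standard key").digest()
ELITE_KEY_ACME = hashlib.sha256(b"constructed elite key for Acme").digest()


class Credential:
    """Smart credential: holds an authentication key and an identity record
    that it releases only after the reader proves it holds the same key."""

    def __init__(self, key: bytes, identity: bytes):
        self._key = key
        self._identity = identity

    def challenge_response(self, reader_nonce: bytes):
        # Step 1: prove key possession over the reader's fresh nonce, and add a
        # card nonce so the reader has to prove itself as well.
        card_nonce = secrets.token_bytes(16)
        return card_nonce, mac(self._key, b"card", reader_nonce, card_nonce)

    def release_identity(self, reader_nonce: bytes, card_nonce: bytes, reader_tag: bytes):
        # Step 3: identity data leaves the card only if the reader's proof verifies.
        expected = mac(self._key, b"reader", card_nonce, reader_nonce)
        if not hmac.compare_digest(expected, reader_tag):
            return None
        return self._identity


class ClonedCredential(Credential):
    """Attacker copied the identity bytes (e.g. from a sniffed exchange) but
    could not extract the key, so the clone authenticates under a wrong key."""

    def __init__(self, identity: bytes):
        super().__init__(secrets.token_bytes(32), identity)


class Reader:
    def __init__(self, key):
        self._key = key

    def authenticate(self, card):
        reader_nonce = secrets.token_bytes(16)  # fresh per attempt: a recorded card reply cannot be replayed
        card_nonce, card_tag = card.challenge_response(reader_nonce)
        # Step 2: is the card in this reader's key domain?
        if not hmac.compare_digest(mac(self._key, b"card", reader_nonce, card_nonce), card_tag):
            return None
        reader_tag = mac(self._key, b"reader", card_nonce, reader_nonce)
        return card.release_identity(reader_nonce, card_nonce, reader_tag)


class RogueReader(Reader):
    """Skimmer without the key: skips its own check and sends a bogus proof."""

    def authenticate(self, card):
        reader_nonce = secrets.token_bytes(16)
        card_nonce, _ = card.challenge_response(reader_nonce)
        return card.release_identity(reader_nonce, card_nonce, secrets.token_bytes(32))


if __name__ == "__main__":
    acme_card = Credential(ELITE_KEY_ACME, b"FC42:1234")
    print("elite reader, elite card   :", Reader(ELITE_KEY_ACME).authenticate(acme_card))
    print("standard reader, elite card:", Reader(STANDARD_KEY).authenticate(acme_card))
    print("elite reader, cloned card  :", Reader(ELITE_KEY_ACME).authenticate(ClonedCredential(b"FC42:1234")))
    print("rogue reader, elite card   :", RogueReader(None).authenticate(acme_card))
```

The four cases at the bottom are the ones the planning discussion turns on: a reader and card in the same key domain succeed; a standard-key reader cannot read an elite-key card (the point of elite keys); a clone that copied the identity but not the key fails at step 2; and a rogue reader that never held the key gets nothing at step 3, because the card withholds its identity until the reader has proved itself.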
Biometric credential systems such as face recognition are at an early stage of adoption and are often used for specialized secure areas in conjunction with a credential such as a card. This is due to cost and the additional time recognition may take. Biometrics add a layer of security by including something unique to the individual in identity verification. The biometric data is stored as an encoded template, not as an image.
Another factor in the security of access systems is the communication between the reader and the control panel, where the threat is a "man in the middle" tapping the wires to capture card data or inject it before it reaches the panel. The vast majority of reader-to-panel communication is still via the Wiegand protocol. Wiegand is one-way, unencrypted and unauthenticated: whatever bits arrive on the two data lines are accepted as a card read, so a captured number can be replayed or a fabricated one injected, and the panel cannot tell that the reader has been tampered with or disconnected. The newer protocol, established as a standard in 2011, is OSDP (Open Supervised Device Protocol). It provides bi-directional, supervised communication and, with its Secure Channel mode, encrypted and authenticated messages, making it much more resistant to attack and allowing automated updates to readers. Note that Secure Channel is optional in OSDP: it must be enabled, and any default key replaced, for the link to be protected. New access systems and upgrades should consider the use of OSDP.
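The difference between the two reader-to-panel links is easiest to see in code. The following is an added example, not material from the page or from the OSDP specification: it encodes and decodes the common 26-bit Wiegand format, shows a panel accepting a sniffed frame replayed verbatim, and contrasts that with a panel that, in the spirit of OSDP Secure Channel, demands a sequence number and a MAC under a per-link session key. HMAC-SHA256 stands in for OSDP's AES-based MAC, confidentiality is left out to keep the example short, and the authorized card (facility 42, number 1234) and session key are constructed.

```python
import hashlib
import hmac

# --- Wiegand 26-bit: the legacy, unauthenticated reader-to-panel format ---
# Layout: [even parity][8-bit facility code][16-bit card number][odd parity].
# The leading parity bit covers bits 1-12, the trailing one covers bits 13-24.


def encode_wiegand26(facility: int, card: int) -> list[int]:
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    body = [(facility >> (7 - i)) & 1 for i in range(8)]
    body += [(card >> (15 - i)) & 1 for i in range(16)]
    even = sum(body[:12]) % 2          # first half must have even parity
    odd = 1 - (sum(body[12:]) % 2)     # second half must have odd parity
    return [even] + body + [odd]


def decode_wiegand26(bits: list[int]) -> tuple[int, int]:
    if len(bits) != 26:
        raise ValueError("expected 26 bits")
    body = bits[1:25]
    if bits[0] != sum(body[:12]) % 2 or bits[25] != 1 - (sum(body[12:]) % 2):
        raise ValueError("parity check failed")
    facility = int("".join(map(str, body[:8])), 2)
    card = int("".join(map(str, body[8:])), 2)
    return facility, card


AUTHORIZED = {(42, 1234)}  # constructed access list: facility 42, card 1234


class WiegandPanel:
    """Panel on the D0/D1 lines: any frame with valid parity and an authorized
    number opens the door; there is no way to tell a live read from a replay."""

    def accept(self, bits: list[int]) -> bool:
        try:
            return decode_wiegand26(bits) in AUTHORIZED
        except ValueError:
            return False


class SecureChannelReader:
    """Reader that numbers each frame and MACs it under the link session key."""

    def __init__(self, session_key: bytes):
        self._key = session_key
        self._seq = 0

    def frame(self, bits: list[int]):
        self._seq += 1
        tag = hmac.new(self._key, self._seq.to_bytes(4, "big") + bytes(bits), hashlib.sha256).digest()
        return (self._seq, bits, tag)


class SecureChannelPanel:
    """Panel that rejects frames without a valid MAC or with a stale sequence number."""

    def __init__(self, session_key: bytes):
        self._key = session_key
        self._last_seq = 0

    def accept(self, frame) -> bool:
        seq, bits, tag = frame
        expected = hmac.new(self._key, seq.to_bytes(4, "big") + bytes(bits), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                    # forged or tampered frame
        if seq <= self._last_seq:
            return False                    # replayed frame
        self._last_seq = seq
        return WiegandPanel().accept(bits)  # same card-number check as before


def wiegand_replay_accepted() -> bool:
    panel = WiegandPanel()
    live = encode_wiegand26(42, 1234)
    sniffed = list(live)                    # attacker tapped D0/D1 and recorded the bits
    assert panel.accept(live)
    return panel.accept(sniffed)            # the replay opens the door


def secure_channel_replay_accepted() -> bool:
    key = hashlib.sha256(b"constructed session key").digest()
    reader, panel = SecureChannelReader(key), SecureChannelPanel(key)
    frame = reader.frame(encode_wiegand26(42, 1234))
    assert panel.accept(frame)
    return panel.accept(frame)              # same frame again: rejected


def secure_channel_forgery_accepted() -> bool:
    key = hashlib.sha256(b"constructed session key").digest()
    panel = SecureChannelPanel(key)
    forged = (1, encode_wiegand26(42, 1234), bytes(32))  # attacker has no session key
    return panel.accept(forged)
```

The Wiegand panel cannot distinguish the replay from the original read, which is exactly the exposure the speakers described; the supervised, authenticated link rejects both the replayed and the forged frame. Real OSDP Secure Channel additionally encrypts the payload, and it only does any of this when it has been enabled on both reader and panel.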
Feel free to reach out to our speakers (Mike Traniello and Vernon Meyer) for more information concerning credentials and access technology.

ASIS Rochester Chapter Chairperson Victor Wainwright with speakers, Vernon Meyer (HID Global) and Michael Traniello (TSG Security).
