Access Readers and Tokens: Difference between revisions

Revision as of 00:59, 26 November 2011

Identification in this context means uniquely identifying each user who presents at an access terminal or reader
- Token ID
- Username/user ID
- Biometric

Authentication means verifying that the user is who they claim they are
- Something they have (a token)
- Something they know (a password)

Identification and authentication may be combined, but need to be considered separately.

Method must be simple and reliable
- Users tend to bypass controls that are too burdensome
Must not lock out legitimate users frequently
Must not allow unauthorized users in to the extent possible
- Tailgating protection
- Pass-back protection

@@ Line 20: / Line 20: @@
 **Tailgating protection
 **Pass-back protection
-====End to end session protocol====
-=====Considerations=====
-*Ideally, session is encrypted and authenticated at all levels
-**User should know they are interacting with a legitimate terminal
-**Token should know that it is talking to a legitimate reader
-**Reader should not leak any secrets during transaction
-**Secrets should not be subject to interception between reader and server/panel
-***Physically secure wiring/network
-***Secure/encrypted protocols
-*Messages should be not be able to vulnerable to session replay
-**Time stamping/serializing of messages
-*Messages should not be subject to intentional or accidental alteration in transit
-**Message CRC and cryptographic signing/MAC protocol
-=====Protocols and Session Flow=====
-*[[Example Message Flow]]
 ====Types of tokens====