Access Readers and Tokens

Identification and Authentication Methods

Overview

• Identification in this context means uniquely identifying each user who presents at an access terminal or reader
  • Token ID
  • Username/user ID
  • Biometric

• Authentication means verifying that the user is who they claim they are
  • Something they have (a token)
  • Something they know (a password)

• Identification and authentication may be combined, but need to be considered separately.

Considerations for Access Control

• Method must be simple and reliable
  • Users tend to bypass controls that are too burdensome
• Must not lock out legitimate users frequently
• Must not allow unauthorized users in to the extent possible
  • • Tailgating protection
    • Pass-back protection

End to end session protocol

• Ideally, session is encrypted and authenticated at all levels
  • User should know they are interacting with a legitimate terminal
  • Token should know that it is talking to a legitimate reader
  • Reader should not leak any secrets during transaction
  • Secrets should not be subject to interception between reader and server/panel
    • Physically secure wiring/network
    • Secure/encrypted protocols
• Messages should be not be able to vulnerable to session replay
  • Time stamping/serializing of messages
• Messages should not be subject to intentional or accidental alteration in transit
  • Message CRC and cryptographic signing/MAC protocol

Types of tokens

Contactless (RFID)

Advantages

• No electrical connection to the outside world
• Can be mounted behind glass or inside a secure perimeter
• No keypad or contacts to require maintenance

Disadvantages

• Tokens can be interrogated be a third party
• Transactions can be snooped with RF listening gear.

Types of RFID Tokens

• Mifare
  • Have read/write capability
  • Basic encryption on-board
    • Come unconfigured, all 'F' values
    • Blocks of data are stored with encryption key after first write
  • 1K,4K version available