Physical Access Control System (PACS)

An access card is a user ID that contains some information – a key that opens a door or access to resources. It is difficult to imagine the modern world without contact and contactless identification technologies.

The use of bank cards (with a magnetic stripe, cards with an EMV chip, contactless payments PayPass, payWave); RFID cards for transport, entertainment and loyalty programs: the issuance of MHI policies and social cards of Muscovites, and, of course, cards of physical access and logical access to the computer and IT resources of the company are the most striking examples of the widespread use of access cards.

At the same time,” card ” is a rather conditional concept, because the identifier can be in the form of a key ring, tag, tag, etc.The time is not far off when mobile phones or other devices that support NFC technology will be used as identifiers.

That is why the issue of security of data transfer from the ID to the reader is more relevant than ever. The degree of risk of copying information from cards and cloning them increases daily, and this forces a more conscious approach to the choice of technologies that provide secure identification.
Vulnerability of access cards

As a rule, vulnerability is assessed by three main threats identified during the operation of contactless cards: data privacy, replay and cloning of access cards.

Vulnerability of confidential data

The vulnerability of confidential data, when the ID is stored in plain text and is not protected from reading in any way, makes the access card and the entire system the most vulnerable, allowing attackers to gain not only access to the object, but also information about the cardholder. The problem is solved by using the encryption algorithms DES, 3DES, and AES.
Repeat playback

Since the same information is transmitted every time the card is read, it can be intercepted, recorded, and replayed to gain access to the room. Mutual authentication of the access card and the reader serves as protection against replay.

Cloning (copying) access cards

The most common way to bypass access control is to clone cards by the programmer without the cardholder noticing. If the information is stored on the card in the public domain and is not protected from unauthorized reading (for example, in Em-Marine standard cards), the access card can be copied.

The attacker reads data from the card using a compact and very affordable duplicator device. To do this, you only need to approach the card, send a signal to it from the duplicator that simulates the reader’s signal, receive a response signal from the card, write it to the device’s memory, and then to the card form.

However, with the help of the software, you can configure access differentiation (key diversification), which will ensure greater reliability of PACS using such cards.

Security of access cards

Among all radio frequency technologies, 125 kHz cards are the most vulnerable in terms of the above parameters. However, cards of not all standards are susceptible to such a simple hack, many modern identifiers are protected from such threats with the help of advanced technologies. For example, the protection of 13.56 MHz access cards is provided by mutual authentication between the card and the reader, the process of which occurs in encrypted form with the formation and confirmation of the diversification key.

The issue of security of identification technologies is no less relevant than the analysis and evaluation of the functionality and capabilities of the system at the software level. Therefore, let’s look at ways to protect access cards in more detail.

DES, 3DES, AES encryption

DES, 3DES, AES symmetric block encryption algorithms, where the same key is used for both encryption and decryption of the message, while the key length remains constant.

DES: Key length 56 bits (and 8 parity bits), block size 64 bits, was a US national standard (ANSI X3. 92, 1977). Modern computers are hacked by a complete search in a reasonable time.
Triple DES (ANSI X9.52), 3DES – triple encryption with 3 (sometimes two) different keys of 56 bits. With a high level of protection, it has a rather low performance.
AES (originally Rijndael, proposed by Joan Diemen of Proton World International and Vincent Ridgeman of the Belgian Katholieke Universiteit Leuven): variable key length up to 256 bits. AES is a new national standard in the United States, and was chosen based on testing results from several candidates, because it combines simplicity and high performance.

“Rijndael has demonstrated good resistance to implementation attacks, in which a hacker attempts to decode an encrypted message by analyzing the external manifestations of the algorithm, including power consumption and execution time. Usually, the ability to resist them is provided by special coding, to equalize the level of energy consumption. AES can be easily protected from such attacks because it relies mainly on Boolean operations. In addition, it perfectly passed all tests with smart cards and in hardware implementations. The algorithm is largely inherent in internal parallelism, which makes it easy to ensure efficient use of processor resources. ” – says Richard Smith, PhD, lead engineer at Secure Computing Corporation.

There are calculations showing that to search for a 256-bit key by a full search method, the energy of our entire galaxy will not be enough at its optimal use. For real-world tasks, 128 bits are sufficient.

The use of encryption algorithms DES, 3DES, AES allows you to protect access cards from unauthorized access to confidential data.

Mutual authentication

If there is a mutual authentication algorithm, the access card, getting into the reading zone, provides the reader with its unique CSN number and the generated 16-bit random number. In response, the reader, using a Hash algorithm, creates a diversification key that must match the key recorded on the card. If there is a match, the card and the reader exchange 32-bit responses, after which the reader “makes” a decision about the validity of the card. Thus, protection is provided against repeated reproduction of information.

Key diversification

Key diversification is necessary in systems that use access cards that are not sufficiently protected from cloning. As a rule, this applies to low-frequency cards of the Em-Marine standard. With the help of the software, you can configure access control, which will provide greater reliability of the PACS.

Variants of differentiation:

“card-door” – access to certain premises can be allowed only to certain employees, whose card data is entered in the corresponding database. Then an attacker with a duplicate access card of an office worker will not be able to enter the premises of a high level of protection;
“card-time” – after the end of the working day, as well as on weekends and holidays, access to the territory of the enterprise and/or to computer networks may be prohibited for all employees;
“re-pass” – such a distinction will not only prevent an intruder with a clone of the card of an employee who is already present at the workplace from entering the building, but also will not allow the employees themselves to pass outsiders on their card;
“exit without entry” – with this policy, the system will not allow the exit of an attacker who entered without identification after an employee of the enterprise, but will not be able to exit using the cloned card of an employee who has already left the workplace.

Additional protection

In addition to the traditional methods of card protection: mutual authentication of devices, data encryption and the use of diversification keys, the market offers solutions that provide an additional level of security when transferring data from the ID to the reader.

Among them, we should highlight the Secure Identity Object (SIO) technology, which has become widespread in iCLASS SE devices. SIO provides multi-level data protection and is an electronic container for storing data in any of the card formats.

Briefly about the technology: during the encoding of the card, it is bound to the unique identifier of the carrier UID, followed by the certification of the recorded information with an electronic signature. Assigning a UID and having an electronic signature eliminates the possibility of copying information and hacking the card’s security.

“Secure Identity Object (SIO) can be used on any access card, including smart cards and mobile devices, because it is based on standards for implementation, exciting new applications for NFC-compatible mobile phones,” says Dr. Selva Silvaraetem, Senior Vice President and Chief Engineer of HID Global. – SIO will also allow users to add security levels, configure security protection, and extend system capabilities without having to rebuild the device and application infrastructure.”

Classification of access cards

A wide range of access card applications provokes the active development of this market segment, offering a large range for all possible end-user requests.

By form

Modern access cards can differ dramatically not only in size, but also in shape: starting from the plastic card itself, ending with all sorts of key rings, keys, tablets, etc.

Even if we talk about ordinary plastic cards, they are thin (0.8 mm) and thick (1.6 mm). Thin cards are designed for printing on them with a sublimation printer, which allows you to apply any images to the cards (photos of employees, logos, etc.). If necessary, you can also apply images to thick cards, but this will require a laminator and laminate stickers.
By the principle of action

According to the principle of operation, access cards are contact and contactless (proximity cards). Contactless cards provide greater usability (there is no need for line of sight and a specific card position), have a longer reading distance, are generally resistant to environmental influences, and have a longer service life. However, in some cases, the contact method of reading, as well as regular replacement of cards, increase the level of security (for example, bank cards).

By reading distance

The reading range is also in a fairly wide range from 0 (contact access cards) to 300 meters (active contactless cards).

By identification technology

Depending on the identification technologies provided by the system, there are:

  • access cards that use a barcode;
  • access cards that use a magnetic stripe;
  • RIFD cards;
  • smart cards;
  • multi-technology (including biometric) access cards.

The first two technologies are most often used as an additional means of protection in combined access cards. And the leading technology in this segment of PACS, of course, is RIFD (Radio Frequency Identification) – radio frequency identification.

RIFD cards

An RFID card is essentially a data carrier (transponder) from which information is read and recorded via radio signals. RFID cards are also called RFID tags or RFID tags.

RFID tags

Speaking about radio-frequency identification technology in security and access control systems, it is impossible not to mention that the simplest passive RIFD tags are often used to protect goods from theft. For these purposes, it is quite enough to have a single-bit transponder, which, when it enters the reading zone, signals that it is in it.

In addition, various RIFD tags in the form of capsules can be sewn under the skin of pets to identify them in the PACS.
The advantages of RFID-cards

Contactless access cards based on Radio Frequency Identification technology allow you to quickly access the system without requiring a specific position of the label in space. In addition, RIFD cards allow you to work in an aggressive environment, perform identification at a long distance and have a long service life.

Thanks to the use of modern technologies, RIFD cards can contribute to the construction of two-factor identification systems (multi-technology access cards), and can also solve additional tasks if a smart card based on radio frequency identification is used.

Classification of RFID cards

RFID cards are divided into:

Passive RFID cards do not have their own power supply. They operate from an electric current induced in the card antenna by the electromagnetic signal of the reader. As a result, they have a minimum range, which, however, is quite enough for most systems. The cost of passive RFID tags is minimal.
Active RFID cards have their own power supply, which allows you to significantly increase the range of action, and also, due to the better quality of radio signal transmission, use active RFID tags in a more aggressive environment (where the radio frequency signal is much more interference), for example, in conditions of high humidity (including water) or the presence of metal in the immediate vicinity (car, ship and other metal structures). However, improving the technical characteristics of the work entails an increase in the size of the RFID card, as well as a significant increase in its cost.
Semi-passive (semi-active) RFID cards, also known as Battery Assisted Passive or BAP. They have their own power supply, but its operation is rarely (and only partially) aimed at improving the transmission of the radio signal. Radio frequency identification, as a rule, is carried out on the same principle as in passive RFID cards. And the power supply energy is directed to other functions of the access card. For example, powering various sensors (for subsequent data loading via the reader), providing power to card protection systems, or powering a microchip in smart cards.

The type of memory

There are also three categories of RFID cards:

  • Read Only – Read Only (RO);
  • For reading and writing data – Read and Write (RW);
  • For single write and multiple read-Write Once Read Many (WROM).

By operating frequency

The most common types are:

Low-frequency proximity cards (125 kHz)
High-frequency RIFD cards (13.56 MHz)
UHF access cards.

Low-frequency proximity cards (125 kHz)

Low Frequency (LF) RIFD cards operate at 125 kHz. In fact, the proximity card is a remote electronic pass with a built-in microchip that has a unique identification code, which is widely used in both physical and logical access control systems for contactless radio frequency identification.

The exchange of information between the card and the proximity reader is carried out using an open protocol, which makes the proximity card quite vulnerable to intruders.

However, low-frequency RIFD cards work equally effectively at a distance with both street and room readers; they do not require clear positioning of the object and have a low cost. Such access cards are made, most often in the form of a plastic card. Thick cards with a slot for the holder – Slamhell-have become particularly popular in the PACS.

Among the manufacturers of proximity cards, the most famous are: HID, Indala, EM-Marine, Angstrom. At the same time, EM-Marine is certainly the leader in terms of the volume occupied in the security systems market.
Proximity cards Em-Marine

Proximity cards Em-Marine is one of the most common formats used for contactless radio frequency identification. Developed by the company EM Microelectronic-Marin (Switzerland, G. Marin). Identifiers are issued in the form of cards, keychains, bracelets, etc.

Proximity cards Em-Marine belong to the category of passive, because they do not have a built-in power supply. Em-Marine cards cannot be overwritten. The interaction between the card and the proximity reader occurs at a frequency of 125 kHz, the range of action can be from 5 to 70 cm. Each card has 64 bits of memory, 40 of which are occupied by a unique identification code

The most common chips are EM4100, EM4102 and TK4100.

The popularity of equipment based on the Em-Marine format is partly due to their lower cost, unlike other standards (HID or Mifare).
High-frequency RIFD cards (13.56 MHz)

High-frequency RIFD cards – High Frequency (HF) – operate at a frequency of 13.56 MHz. Among the manufacturers of high-frequency access cards, the leaders are HID iCLASS SE and Seos, Mifare.

Thanks to a wider bandwidth, high-frequency RIFD cards allow you to provide a greater level of security and performance. Access cards operating at a frequency of 13.56 MHz allow you to implement mutual authentication between the card and the reader, as well as use data encryption algorithms.

Most manufacturers additionally chip high-frequency access cards to provide additional features and increase the level of security. For this reason, high-frequency RIFD cards are often equated with smart cards, which is not quite true from a technical point of view, since not every smart card works on radio frequency identification technology and not every access card with a frequency of 13.56 MHz can be considered a smart card.

Another advantage of high-frequency RIFD cards is the presence of the world standard ISO14443, in contrast to low-frequency access cards that are not subject to standardization.
UHF access cards (860-960 MHz)

Ultra – high Frequency access cards – Ultra High Frequency (UHF) – operate at a frequency of 860-960 MHz (Currently, the UHF frequency range 863-868 MHz is open for free use in the Russian Federation-the so-called “European” range.)

Using UHF RIFD cards allows you to significantly increase the reading distance. Most often, UHF technologies are used to organize remote reading of RIFD tags when passing vehicles. In addition, ultra-high-frequency access cards can be used in multi-technological solutions for organizing the entrance to the territory and the entrance to the building on a single card.

“There is a growing demand for UHF readers with high-performance applications where vehicles and other moving objects need to be identified automatically using passive RFID tags. Support for the Rain RFID standard (UHF EPC Gen II) allows the manufacturer to take a leading position in the RFID arena” – says Maarten Midgwaart, General Director of the Nedap Identification Systems branch in the Americas.

Smart Cards

Smart access cards (smart cards) or chip cards are plastic cards that have a built-in chip, and often a microprocessor and an operating system that controls the device and access to objects in its memory.

Types of smart access cards

The classification of “smart” cards is based on several criteria:

1) by the method of data exchange with the reader:

contact smart cards with the ISO7816 interface have a contact area with several small contact lobes;
contact smart cards with a USB interface are most often used for authentication in the logical access system, interact with usb readers;
contactless smart cards that communicate with readers via RFID technologies at frequencies of 125 kHz and 13.56 MHz according to ISO14443 and ISO15693 standards;
with a dual interface that works with different types of readers.

2) by type of integrated circuit:

memory cards intended only for storing information;
microprocessor cards that additionally contain a program or OS that allows you to convert data according to a certain algorithm, protecting the stored information during its transmission, reading, writing;
cards with cryptographic logic that use cryptographic algorithms to increase the degree of data protection.

3) by scope of application:

  • access control (PACS);
  • public transport;
  • telephony;
  • finance, banking;
  • health care;
  • loyalty programs, etc.

Advantages of smart cards

Plastic smart cards have clear advantages in the field of information security. Smart card security issues are regulated by many international and proprietary standards. The most common:

  • ISO15408-a set of rules related to the security of digital systems;
  • Federal Information Processing Standards (FIPS) – national standards of the United States in the field of information security;
  • FIPS-140-Requirements for cryptographic mechanisms;
  • EMV – joint standard of Europay, MasterCard and VISA for card payment systems;
  • Industry standards: GlobalPlatform, EPC, JavaCard, etc.

Multi-technology (combined) access cards

Multi-technology access cards use several identification technologies at once, for which they are often called combined. For example, a multi-technology card can combine multiple radio frequency chips; or a radio frequency chip, a magnetic stripe, and a pin smart chip. In fact, the range of different combinations is extremely large, so there is no clear classification for multi-technology access cards.

Use of combined cards

Most often, multi-technology devices are used to gradually transition from one technology to another: from older to newer, from less secure to more secure. At the same time, when replacing readers is more expensive, it is better to start upgrading the PACS with replacing cards with multi-technological ones. That is, immediately change all the cards that users have to combined. And readers to change in stages. This approach will avoid large one-time costs.

Until the modernization is completed, readers of two different technologies will work at the facility. A multi-technology card is needed so that the user can use it to pass the access point with both new readers and old ones.

If the object, in terms of total cost, more cards-install multi-technology readers, and then replace the access cards. In addition to upgrading the PACS, combined cards can be used on objects that fundamentally use different authentication technologies for different access points. For example, when the same card is used for access to a parking lot (contactless identification from a long distance) and to premises (normal proximity cards are enough).

Multi-technology (combined) cards are also suitable for building two-factor authentication systems, but they rarely become the basis of this system: to improve the level of security, developers prefer to combine access cards with other security technologies. The exception, perhaps, is only biometric cards.

Advantages of multi-technology cards

The main advantage of multi-technology cards is the ability to access through points using various authentication systems. And in the case of system modernization-a successful gradual transition from outdated technologies without reducing the current level of security and user discomfort.

Biometric access cards

Modern biometric cards can be divided into two groups according to their properties:
Cards with biometric data

Cards that contain information about the owner’s biometric data: a fingerprint, an iris, and / or a person’s face – are usually designed to identify an individual.

They are used in passports, visas, etc. Given the rapid growth in popularity of such solutions in order to increase the level of security, especially in Europe, cards with biometric data increase their own functionality. For example, the long – term visa required in the UK-Biometric Residence Permits (BRP) – is not only an identity card, but can also be used as a social card.

At the same time, with regard to biometrics, the card is only a carrier of information, and user verification is carried out, if necessary, using separate biometric systems.

ards with biometric authentication

Cards with biometric authentication are quite a new product in the PACS market. This innovative development of Zwipe is a multi-technology card that combines RIFD technology with a built-in fingerprint scanner, which allows you to implement a perfectly protected contactless access card. So in Norway, a contactless payment card Zwipe with a built-in fingerprint sensor has already appeared, developed with the support of MasterCard and successfully tested by Sparebanken DIN.

Multi-technology universal biometric card

smartmetric has released multi-technology smart cards for physical and logical access with a built-in biometric reader.

To implement access to a computer network (logical access), a smart chip is used, and access to a building or room (physical access) is carried out using RFID technology. Both the smart chip and the radio frequency function are activated only after successful identification of the owner by fingerprint using the scanner built into the card. The access card also includes light indicators that are used to visually indicate the successful completion of biometric identification.

smartmetric’s use of super-thin electronics allowed the company to create a card that has a built-in battery, but does not exceed the size and thickness of a standard credit card.

“We are very pleased that we have been able to leverage years of research and development we have committed to creating the world’s first universal biometric card that provides an enhanced level of security,” says Haya Hendrik, President and CEO of smartmetric.

How the Zwipe biometric card works

When registering a fingerprint, the sensor sends data to the Zwipe processor, where the pattern is stored in the processor’s permanent non-volatile memory, and therefore even the absence of a battery will not cause it to be damaged or deleted. Verification of the user’s fingerprint is provided by a fingerprint scanner with 3D technology, powered by its own power source (standard CR2032 battery).

Until biometric authentication is successful, radio frequency communication between the card transponder and the reader is blocked. The radio frequency session lasts as long as the authorized user’s finger is on the card sensor. When the finger is removed from the sensor, the connection to the reader is broken.

It is not possible to delete or change the template of the registered fingerprint, which means that only its owner can use the card.

Since standard Prox or Mifare chips are used as a RIFD component, Zwipe access cards allow you to make an existing PACS much more secure. At the same time, the process of biometric authentication of the user in the system takes less than 1.5 seconds.

Advantages of Zwipe biometric cards

Protection of biometric data. Biometric data is stored on the card as a digital template, which is part of Zwipe’s proprietary fingerprint hashing algorithm and has no value for any other fingerprint application. In addition, the data in the processor is locked to guarantee the confidentiality of the firmware and template. Thus, there is no need to create and protect a specialized database.

A simple transition from a conventional PACS to a biometric one. Zwipe’s multi-tech biometric cards can work with existing readers. Thus, the system becomes biometric without replacing the already installed equipment.

High level of security. Only the cardholder can activate it to work with the reader.

Flexible usage options. Combined Zwipe biometric cards have all the advantages of contactless RIFD cards, and, as a result, a wide range of applications. It should also be taken into account that the card can be programmed and formatted for the tasks of a specific user.

“Zwipe biometric cards are a product that creates a previously non-existent demand in a new market where there are practically no competitors. They are not intended to completely displace card products (given the cost) or biometric terminals. Their niche is absolutely new opportunities in the field of PACS, leading the integrator away from traditional low-profit markets with many players.

So, through Zwipe, it is easy to provide two-factor authentication in data centers, research institutes, medical offices and laboratories, cash transaction areas, depositories, airports, correctional facilities, where traditional means of access restriction have been used for years. At the same time, as mentioned above, this will not require any investment in infrastructure, qualification training or attracting IT resources.

In addition, in addition to the classic PACS, the new product can be found in a number of other areas of application: government and social projects, VIP cards, loyalty cards in the service sector, personal medical records, etc. By and large, the application options are limited exclusively to the imagination of the customer or integrator.”

Prospects for the development of biometric access cards

The biometric card allows you to quickly implement a two-factor authentication system for both physical and logical access control systems. And there can be no monopoly in promising segments.

IDEX ASA has announced that the development of a flexible polymer sensor for biometric smart cards and other access cards has been successfully completed. The touch biometric sensor is designed for access cards with the ISO ID-1 form factor: it is thin enough and flexible enough for this format, and, at the same time, strong enough to withstand operation in the mode of a typical payment card or smart access card. Thus, the prospect of biometric cards from different manufacturers appearing on the PACS market is obvious.

“The ability to easily integrate a flexible, low-cost polymer touch sensor into industry-standard 0.76 mm thick plastic cards, and to do so in a way that the technology is effectively replicated in large production volumes, is an important technical achievement for the IDEX research and development team. In addition, this is an important breakthrough for the security market, in particular for the segment responsible for payment protection and individual access by ID, ” says Hemant Mardia, CEO of IDEX.

IDEX’s flexible fingerprint sensor for creating biometric cards is now undergoing a comprehensive “real-life” testing program.IDEX expects the first mass deliveries of its fingerprint sensors for access cards to begin in the second half of 2016.

Popular access cards

Despite the progressive development of technologies, in modern access control systems, RFID cards are most often used as an identifier, working on an open data transfer protocol at a frequency of 125 kHz, produced under the brands EM Marin (EM4100, EM4102, TK4100), HID Prox and Indala. At the same time, the popularity of low-frequency proximity cards, mainly based on the Em-Marine format, is explained by their lower cost.

However, with the growth of requirements for PACS, their price recedes into the background.

“An ID today is more than a pass to a room. Today, a single identifier is increasingly used, which provides access to both the building and office premises, as well as to corporate information and management of the IT environment. This requires additional measures from the card manufacturer to ensure secure identification”

Therefore, more and more often in access control systems, more secure high-frequency RFID cards or multi-technological solutions are used, allowing not only to upgrade the outdated PACS, but also to implement a two-factor authentication system.