April 18, 2016 Cards & Readers, Compatibility and Security · PDF fileCards & Readers,...

Cards & Readers,

Compatibility and Security

April 18, 2016

Jeremy Earles

Business Product Leader, Credentials and Readers

David Stallsmith

National Account Manager

Cards and Readers, Compatibility and Security

Agenda

• Credentials continuum – where does smart fit?

• What makes a smart card smart?

• Why don’t my readers read their cards?

• Who owns my keys?

• How you can control your own card destiny


“So in war, the way is to avoid what is strong and to strike at what is weak.”

The Art of WarLesson 6: Weak Points and StrongSun Tzu

“So in war, the way is to avoid what is strong and to strike at what is weak.”

The Art of WarSun Tzu


Security Technology in Credentials TodayS

ecu

rity

Se

cu

rity

125kHz

13.56MHz

PIN/Passwords

Keys

Mag Stripe

Proximity

Smart Cards

Biometrics

Multi-factor + +( )

₪¶ϖ¿ßƔϘϞѪᴕ‡∂


Multi-Tech Cards & Contact Chips

Prox chip

Smart chip

Contact

chip

Magnetic stripe


The Current Weak Link in Payments

>Credit card fraud


The Current Weak Link in Payments

70% since 2002

Credit card fraud


The Weakest Links in Access Control –

Magnetic stripe


What Is a Prox Card?


The Weakness in Access Control

125kHz Proximity


What Is a Contactless Smart Card?

₪¶ϖ¿ßƔϘϞѪᴕ‡∂


Data Storage: Secure Sectors

• Smart cards contain sectors or application areas, or “file drawers,” where data can be stored.

• Each sector or application area can be locked with it’s own key.

• Each “file drawer” can be used for different purposes.

Physical Access

Biometrics Vending

Transportation Logical Access

Cafeteria


Smart Cards: Big Advantages Over Proximity

� Higher Security

− Mutual Authentication

− Encryption

− Diversified Keys

� Data Storage

- Applications

� Mobile Capability

And it’s often less expensive!


So why can’t my reader read their card?

Lots of reasons!

1. Number formats

2. Card chip : reader compatibility

3. Encryption keys

Higher security requires more secrets

� Secrets protect users

� Secrets protect manufacturers’ businesses

Secrets or patented products are often called proprietary

� Apple iOS vs. Android

� Ford vs. GM

� Security industry insight - It’s all proprietary!


1. Number Formats

� Examples: 26 bit, Corporate 1000, CASI-RUSCO

� The old school method for making a system proprietary

– Worked well for mag stripe and prox cards

– Equally effective for contactless smart cards

� Card, reader and system manufacturers would license formats

– Number length

– Number shape

� Facility code, or not

� ID number range

– Card manufacturer would only sell a licensed format through the licensed vendor

� Prox card formats are often reverse engineered now

– Cards available from multiple vendors


2. Card Chips and Readers

� Allegion aptiQ readers read:

– NXP chips

– Card Serial Numbers from many chips

– Many types of Prox chips

� HID readers read:

– HID iCLASS, SE, Seos

– NXP chips

– Many types of Prox chips

� Readers by other mfrs. read:

– NXP chips

– FeliCa

– Prox and other smart chips


NXP Chips

NXP makes the MIFARE family

MIFARE Classic

� Mikron – 1994

� Fast, cheap, for transit fare collection

MIFARE DESFire EV1

� Latest version of MIFARE

� AES 128 encryption

MIFARE DESFire EV2

� Not available yet, announced Nov. 2013

– Ability to roll keys

– Card application key management

� Card owner gets control of all applications

MIFARE is not open source, but is a de facto standard for contactless cards


3. Contactless Smart Cards Have Encryption Keys

Latest and best path to proprietary card systems!

Higher security requires more secrets

Card data security relies on encryption

Encryption turns data into an unrecognizable form

� Many types of algorithms

– Crypto1, DES, 3DES, AES

� Usually involves a secret key (a long number)

– Card data encrypted with the key

– Reader knows the key and can decrypt data

Most contactless card data is static

� Must be encrypted at rest and in transit


Putting smart card

encryption into perspective

AES 128-bitencryption

Brute force attack scenario



2129 = 256-bit

Putting smart card encryption into perspective

Sniffing, Brute Force, & Replay Attacks

340,282,366,920,938,463,463,374,607,431,768,211,456

680,564,733,841,876,926,926,749,214,863,536,422,912

ounces of water

on Earthgrains of sand

in Sahara Desert

undecillion

x 2 =


Putting smart card encryption into perspective

Sniffing, Brute Force, & Replay Attacks

115,792,089,237,316,195,423,570,985,008,687,907,853,269,

984,665,640,564,039,457,584,007,913,129,639,936

grains of sand

in Sahara Desert

ounces of water on

Earth

atoms on

quattuorvigintillion

atoms in


Brute Force Attacks

�Fastest super computer: 10.51 petaflops(10.51 x 1015 operations / second)

�Operations required per combination check: 1,000 (optimistic, assume for now)

�Combination guesses / second = (10.51 x 1015) / 1000 = 10.51 x 1012

�Seconds in one year = 31,536,000

�Years to crack AES with 128-bit Key = (3.4 x 1038) / [(10.51 x 1012) x 31536000] = 1,020,000,000,000,000,000 years (billion billion)



The Security of Smart Technology

Mutual

authenticationKey

diversification

� The cardand reader communicate back and forth

� Each verifies that the other is legitimate

Encryption

₪¶ϖ¿ßƔ

ϘϞѪᴕ‡∂

Smart

Technology

� Each card has a unique key, so transactions are unique

� Prevents compromise of the entire population

� Card and readercommunicate in “secret code”

� An algorithm prevents the ability to discern the communication


Whose Key Is It?

• Standard keys

• Most manufacturers use the same keys in all their cards and readers

• Makes ordering easy

• Fancy cards can be read by other institutions’ readers

• If standard key is compromised, cards have to be replaced; readers have to be

reflashed

• Custom keys

• Unique for each institution

• Readers and cards have custom part numbers from manufacturer

• Cards cannot be read by others’ readers


More on Custom Keys

Who controls the Custom Keys?

� Typically the manufacturer

� Easy to manage

� Hard to change to another vendor

What if Allegion gave the keys to the institution?

� Cards and readers could be ordered in typical manner

� Allegion keeps the keys in a digital vault – as secure as our standard key

� Keys used as directed by institution

� - OR -

� Institution could take the keys to other card and reader vendors

� Some card issuance systems support custom keys

� Requires key management – Be Careful!


How Do I Use Custom Keys?

1. We recommend NXP-based cards

2. Start with manufacturer programming of cards and readers

Now you have options!

� Shop for alternative card, reader and lock vendors

� Securely share your keys with them so they can program cards and readers

� - OR -

� Do your own programming

� Explore card issuance software with contactless smart card programming

� Datacard, AsureID, Lenel, many others

� Keep configuration cards for flashing readers on short notice


• Cards with Custom Access Control Keys should be

programmable by other systems

• Check with your integrator for options

• Will your card and reader manufacturer give you

your key?

• This is the path to future flexibility

• Get yourself free for industry innovations of the

future, from many different companies

Make sure you get all the smart card security you’re

paying for!

Final Thoughts


QUESTIONS?

Jeremy Earles

Business Product Leader, Credentials and Readers

David Stallsmith

National Account Manager


Are Card Serial Numbers Interoperable?

Card Serial Number (CSN) / UID

• Electronically stamped into chip at manufacture

• Every reader can read the CSN/UID (almost)

• Creates interoperability

• Workaround to secrets and licenses

• Not considered very secure

• MIFARE ran out of unique “UIDs”

• Who knew 4,294,967,296 was too small?

• MIFARE DESFire EV1 has 72,057,594,037,927,940 (quadrillion) UIDs

• iCLASS has CSN

• Seos has “dynamic” CSN – changes every transaction

• Not an interoperable number!


Overview

Title: Cards and Readers, Compatibility and Security – Can’t They All Just Get Along?

Presenters: David Stallsmith, Allegion

Jeremy Earles, Allegion

Date/Time: Monday, April 18, 2016 11:00 am - 12:00 pm

Contactless smart card technology has greatly improved the security of campus cards, but it has raised real questions about card and reader compatibility. Institutions are very concerned that the card system devices they buy today will work with the devices and systems they will implement in the future. Not just for cryptographers, this session will encourage audience participation as it explores the concepts surrounding the words “keys” and “proprietary” and how they relate to card technology selection and management.

Agenda:

• Credentials continuum – where does smart fit?

• What makes a smart card smart?

• Define Proprietary vs. Open Architecture

• Why don’t they work together?

• Who owns my keys?

• What can I do about it?


Open Architecture

Access control app

Entire card locked down

Other apps must be developed by card

company partner (limiting your choices)

Company B

Space for other

apps by any

vendor

Open

Closed


Smart Card Alliance

promotes open architecture

• Smart Card Alliance is a not-for-profit, multi-industry association working to advance the understanding, adoption, use and widespread application of smart card technology.

Their educational materials state:

“Given the expanding nature of contactless environments, it is very important to choose open architectures that provide for flexibility and security.”

www.SmartCardAlliance.org

April 18, 2016 Cards & Readers, Compatibility and Security · PDF fileCards & Readers,...

Documents

Transcript of April 18, 2016 Cards & Readers, Compatibility and Security · PDF fileCards & Readers,...