Access control solutions for any commercial, retail, public or business environment. A variety of access control readers, doors, gates and devices allow us to deliver the right equipment, products and technology for every installation. Our access control management solutions allow you to control, track and manage access to any facility for improved employee and visitor management. We add value to your operations with managed access control and handle all phases of access control system layout and configuration, installation, maintenance, inspections and testing with our local service and support. The benefits of Access Control The best access control systems in the business Prevent unauthorized visitor access Restrict employee access to sensitive areas Easily manage access credentials Accommodate trusted vendors and suppliers Generate traffic reports by time-of-day, day-of-week and more Track entry/exit times by employee or department Retrieve audit data for review in case of a workplace incident Perform centralized lock-down in the event of an emergency security threat Administer your access control system remotely, or have our company manage it for you Enhance the way you protect your people, assets and facilities Call for free estimate. 401-828-2271
This Total Cost of Ownership (TCO) model uses the following assumptions:
•The base system is for a single site with 16 card readers and a requirement for ID badges, wireless locks, and video surveillance.
•The initial capital and installation costs for the IT hardware and software licenses have been included.
•Items common to all systems such as card readers, locks, wiring, cameras and recording devices have not been included.
•We have assumed that the customer purchases the software maintenance that allows them to remain on a supported version of the application and database for the entire five years.
•In the on-premise model, we have assumed a one-time refresh in the computing hardware and operating system.
•We have assumed a data center infrastructure cost of $75 per month for the on-premise solutions. This cost includes rack space for a 1U server along with a 2 Amp power budget and 5 Mbps bandwidth allocation.2
•We have used either the competitors’ hardware/software bundle or a direct quote from a prominent computer hardware provider based on the datasheet specifications to estimate the cost of computing hardware for the on-premise solutions.
•For the on-premise solutions, we have estimated IT management and database administration costs basis at $800 per year. This includes 16 hours of IT services for general administration, monitoring, patch management, system back-ups and database administration at $50 per hour.Many additional factors are often included in a complete TCO analysis, but we found that these vary so widely from organization to organization that they could not be included in a meaningful generic model. Thus, we excluded such considerations as:
•Organizational cost of server downtime, including lost productivity and explicit cost of IT and security staff time to remediate failed systems.
•Business risk cost of system unavailability, including lost revenues, liabilities due to service level agreements, and loss of good will.
•The costs for continuous threat monitoring, intrusion prevention, data security audits, and data privacy protections.1All systems were configured to be “feature equivalent”. For example, any required software options to support video integration, wireless locks and ID badging, were included but not the actual hardware. These figures are derived from actual quotes received from a co-location service in December of 2015. The Gartner IT Key Metrics Data study estimates the total cost of ownership for a physical WINTEL server is $8,260 per year.
We have found that for most classes of applications, the SaaS model for security management platforms is the clear operational and financial winner over on-premise, due primarily to the economies of scale introduced by hosted application services. It also provides significant availability and redundancy advantages over most server-based systems, which translates directly to increased business value . Figure 3 shows the conclusions of our study, which demonstrates that the Brivo Onair SaaS solution can be deployed for 34% less than a non-redundant and 74% less than a redundant on-premise solution. This is without factoring in the business impact and expense of server downtime, which can be considerable for many types of enterprises. Figure 3a shows the advantage of the Brivo SaaS solution against the best performing non-redundant and redundant competitive configuration.Figure 3: Five-yeartotal ownership cost and distribution for Brivo Onairand average results from competing solutions.Figure 3a: Five year TCO comparison of best performing non-redundant and redundant solutions.The following pages will examine the cost comparisons for the various solutions.Brivo OnairâTotal Cost Of Ownership (TCO)© 2018Brivo LLC. All rights reserved.8Benchmark ConfigurationA typical 16 door system was used as the benchmark for the purposes of this article. Figure 4 below depicts the SaaS configuration with cloud-hosted software. Figure 5 is a generic depiction of hardware and software required for the on-premise solution.Figure 4: Sixteen Door SaaS Based Figure 5: Sixteen Door Server Based The two charts below offer a comparison of the fully redundant and fault tolerant Brivo Onair cloud solution against a variety of non-redundant and redundant systems. For the on-premise solutions redundancy is achieved via back-up hardware and data synchronization software. As depicted below, the least expensive non-redundant option (the appliance) is considerably more expensive than the cloud solution, which incorporates redundancy and disaster recovery as an inherent component of the service. When provisions for redundancy are included, there is an enormous cost advantage for the Brivo cloud solution over the appliance and client/server-based configurations.Annual Cost Comparison With Non-Redundant On-Premise Solutions Brivo Onair Total Cost Of Ownership (TCO)
Annual Cost Comparison With Redundant On-Premise Solutions As should be expected, the charts below depict a wide variation in the distribution of costs between the various solutions. The majority of the expenses (54%) for the Brivo cloud solution are associated with the monthly subscriptions. These subscriptions incorporate the software and hardware expenses as well as operational costs for the overall platform. By comparison, 78% of the cost for the on-premise solution is tied up in on-premise and IT infrastructure. The total expenses over five years for the 16 door systems were calculated with the following results:Comparison Of Cost Distribution With Non-Redundant On-Premise Solutions Brivo Onair Total Cost Of Ownership (TCO)
Comparison Of Cost Distribution With Redundant On-Premise summary clearly shows that the SaaS solution is the most cost efficient option. SaaS solutions, owing mainly to the reduced operational and IT expenses, are generally able to provide a much greater variety of functions than server based solutions, which often charge additional fees for high availability and each piece of added functionality.The cost savings of using a SaaS solution for access control are clear. Extending the cost savings of a SaaS solution even further, the above example does not factor in less visible, yet just as important functionality such as automatic upgrades to applications and system software, active data protection measures and unlimited linear scalability. If this additional functionality were costed out, the SaaS solution takes an even greater leap forward in cost savings over the server-based solutions.Brivo Onair Total Cost Of Ownership (TCO)
Added Benefits Of The Brivo Onair SaaS Solution ..In addition to the direct cost advantage of the SaaS solution, there are a number of additional benefits, which have not been quantified in this study. The chart below provides a quick summary of the additional values inherent in the SaaS solution.The data represented thus far have primarily addressed the single-site case with 16 doors. Qualitatively, the SaaS solution fares even better in a multi-site application, primarily due to additional cost penalties that the server-based solution must pay during the initial setup, along with higher ongoing IT expenses due to the complexity of managing the security management applications over a far-flung network. The SaaS solution is particularly beneficial in this environment because, as a web application, it is intrinsically multi-site from the inception.Another major advantage to SaaS solutions over server-based solutions is scalability. Our analysis did not include the often-significant costs to enlarge on-premise solutions in terms of door capacity and administrative clients. Many server-based solutions require fixed client installations for each site, increasing the cost of acquisition and the on-going expense to manage remote client software. As mentioned with the case study example above, initial setup costs along with higher IT expenses during installation prove out the superiority of the SaaS model over server-based options.Brivo Onair Total Cost Of Ownership (TCO)
Conclusions: As we have shown, our study indicates that using a SaaS solution for a security management platform –specifically electronic access control, ID badging and video –provides major, demonstrable cost savings. In addition to ease of installation and ease of use, the market’s increasing awareness of the cost benefits of the cloud are driving the substantial growth in the installation of such systems.These findings have several implications for system integrators and end users. The first is that –other things being equal –both groups would be well advised to calculate the relative cost of any proposed physical security solutions before making a decision on what to offer a customer (in the case of integrators), or what to ultimately buy (in the case of end users). The second implication is that the savings provided by SaaS can also be extended to other security services, such as hosted video, intrusion detection, remote monitoring, and many others. This is an important implication for the vast majority of business owners, as most businesses are not large enough to be able to absorb the cost of dedicated server solutions into a larger IT infrastructure. What this means is that such business owners can expect to enjoy enterprise-grade service levels at lower TCO points than at any time in the history of electronic security.Brivo Onair Total Cost Of Ownership (TCO)
Introduction To insure that the ever-changing security requirements of a facility are met, a periodic review of a site’s access control system and its associated policies is a necessity. In fact, conducting an annual access control system review is the first step in establishing a systematic process for assessing the security of your organization; it is the principle best practice that provides the framework for all the other guidelines. Once a yearly review process is in place, the fundamental best practices concept is that an effective security system uses a layered approach to security. A good analogy of this concept would be one where a home protected by a burglar alarm might use both glass break detectors and motion sensors to detect when an intruder enters the house. This white paper contains important guidelines for all of the stakeholders in an access control installation including the facility owner, the system specifier, the installer, and the end user. Choosing the Right Reader and Card Technology Contactless smart cards are fast becoming the technology of choice for access control applications. Security, convenience, and interoperability are the three major reasons for this growth. Since there are a wide variety of reader technologies being offered by today’s manufacturers, it is important to make sure that the correct technology is chosen to match the desired level of security. Using a good, better, best grading system will help make the correct choice easier. Recognizing that there are many legacy card technologies still in use and that replacing them with the latest contactless smart card technology may be expensive or logistically difficult, implementing the recommendations included in this paper will raise the level of security of an installation and should be done regardless of the card technology employed. Relative Security of Commonly Used Card Technologies Figure 1 illustrates and ranks the relative strength of commonly used card technologies based on how much publicly available information there is about the technical details of the card technology and the degree of difficulty required to illegally read or copy from the technology. The higher the number, the more secure the technology: \ Figure’1:’Relative’Security’Levels’of’Commonly’Used’Card’ Technologies'(lowest’to’highest) 3 Magnetic stripe (magstripe) has the lowest security with its technical details being well documented by ISO standards. This technology typically uses little or no security protections. Additionally, offthe-shelf devices are widely available to encode magstripe cards. Although there are some techniques that can make magstripe more secure, widespread adoption of these techniques in the access control industry have not occurred due to the convenience, security, and increased memory available in contactless smart cards. 125 kHz proximity (Prox) card technology and the use of the Card Serial Number (CSN) of a contactless smart card are better than magnetic stripe but are not as secure as contactless smart cards. Prox card devices that can copy and emulate (mimic) Prox cards have been demonstrated. Similarly, because there is no secure authentication of the CSN and the knowledge of the CSN workings are published as part of the ISO standards, CSN emulation is also easily accomplished. (For more details on the dangers of using CSN readers, see the Appendix that describes these dangers in greater detail.) Contactless smart cards, when properly implemented and deployed, offer the highest level of security and interoperability. These cards use mutual authentication and employ cryptographic protection mechanisms with secret keys. They may also employ special construction and electrical methods to protect against external attacks. Use Proper Key Management Key management deals with the secure generation, distribution, storage, and lifecycle management of cryptographic keys. This important subject deserves an entire white paper by itself, but here are a few of the essential key management best practices. Whenever there is a choice, choose a manufacturer that allows you to utilize your own cryptographic authentication key that is different that its other customers so you have a unique key for your facility or organization. Although it may be easier not to have the responsibility of managing and safeguarding your own keys, utilizing your own authentication keys will protect your organization from a key compromise that occurs in someone else’s readers purchased from the same manufacturer. Do not choose a manufacturer that stores the same key in all of its credentials. Extraction of the key from a single card compromises all of the cards in use. Use a manufacturer that uses diversified keys, which means that each card uses a different key that is cryptographically derived from a master key. Ideally this diversification would use a public scrutinized algorithm such as DES or AES. If offered a choice, use readers that protect their master key from being easily extracted from the reader. Reader manufactures that use a secure element such as a Trusted Platform Module (TPM), Secure Access Module (SAM), or other equivalent device to store cryptographic keys. Some manufacturers even go one step further and actually do all of the cryptographic operations inside the secure element making it even more difficult to compromise the integrity of the key or data. Be prepared to act quickly in case a key compromise does occur and know how to use the manufacturer’s procedures to roll or change the keys in both the readers and cards. Some manufacturers have the capability to move cryptographic data, such as keys as well as reader firmware upgrades, securely from a secure ‘vault’ on their premise directly into the secure element inside the reader using end-to-end security among trusted devices. 4 Protect the Communications The individual components of an access control system need to communicate with each other. Typical data includes card read messages, door unlock messages, audit trail data, cardholder privilege changes, and much more. Consequently, it is critical to protect this information exchange on the communications media on two levels. The actual communications medium, be it hard-wired or wireless, as well as the data content must be protected. When the communication takes place using wires, there are many different methods, interfaces and protocols to choose from. The most popular and de-facto industry standard is the Wiegand Protocol. This protocol became very popular because it is universally supported by almost all reader and panel manufacturers. More modern communication methods such as RS485 and TCP/IP offer more security and are therefore more desirable. If a perpetrator can get access to the wires used for communications between the reader and the upstream device, it may be possible to intercept messages; this could result in a loss of privacy as well as the possibility of replaying a previously captured message and unlocking the door. It may also be possible to simply send an ‘unlock’ message as well. That is why a secure protocol is important, ideally employing 1) mutual authentication to ensure that each device trusts the other device, 2) encryption, and 3) message replay protection. An additional reason to protect the wiring is to prevent a ‘denial of service’ attack in which the wires are cut or shorted together to interrupt communications. Another vulnerability due to unencumbered access to the wires can be initiated by the use of command cards used by some manufacturers to program the operating characteristics of readers. Typically, command cards are only accepted for a short time after power has been interrupted and then restored to prevent them from being used at any time. If the power wires to a reader are accessible, then a perpetrator would be able to interrupt the power to the reader so that command cards could be read in an attempt to put the reader in a state where cards are no longer read, creating a denial of service attack. An even more destructive denial of service attack can be launched in which the communication wires are connected to a high power source in an attempt to destroy the reader and/or the upstream device. To minimize these risks, installing the security systems wiring in conduit makes it more difficult to access the wires without being noticed due to the difficulty of identifying the correct conduit, not to mention the additional time required to compromise the wiring in the conduit. Even if the entire wire run is not fully enclosed in conduit, just using conduit in the most vulnerable publicly accessible areas is desirable. Additionally, bundling several wire runs together (ideally in conduit) to make it more difficult to identify the correct set of wires is also desirable. (Follow the manufacturer’s recommended installations. Some wiring, such as power wiring, may not be recommended to be in the same conduit as data communications wires.) It is particularly important to protect the wiring of outside readers that are located at the entrance to a premise. Additionally, avoid the use of readers with built-in connectors that make it easier to quickly swap out a reader and avoid the use of wire-nut connectors to connect the reader wire pigtails to the panel wiring. Instead, connect the wires in a more secure and permanent fashion, such as soldering with shrink-wrap tubing to cover the connections. 5 Use Security Screws Always utilize security screws that require special tools to remove a reader and other security components. If the correct tool is not available, then it makes it nearly impossible to remove the reader without causing damage to the screws. This damage may be noticed alerting security of a potential intrusion attempt – especially if policy dictates that readers be physically examined on a periodic basis. (Physical examination of readers should be included on guard tours.) It also has the effect of making the removal process more difficult, and slowing down the removal increases the possibility that the perpetrator will be noticed. Prevention Using Antipassback Another best practice that may be feasible is to program the access control host software to refuse granting access to a cardholder that is already inside the facility, which will prevent a duplicate card from entering the facility. This mechanism, referred to as antipassback, is available in many access control systems. Note that this feature requires two readers at the door – an ‘in’ reader and an ‘out’ reader. One additional benefit of using antipassback is that it prevents a user from using their card with others following through an open door (tailgating). Use Additional Factors of Authentication It is generally accepted that multiple factors of authentication consisting of something you have (e.g., a card), something you know (e.g., a password), and something you are (e.g., a biometric) increases the probability that the person presenting his card at a reader is the same person that was initially issued the card. Ideally the use of all three factors is best but just adding one additional factor can be effective. A relatively inexpensive, easy-to-use second factor is a password, which can be achieved with the use of card readers with built-in keypads. Keypad readers are ideal solutions for environments where additional layers of security are required – such as in a lab or corporate research environment and the perimeter entrances to a facility. Readers with a built-in keypad minimize the likelihood that a lost card can be picked up and simply used to enter a facility. It also minimizes the threat of card cloning. Ideally, the password should be changed periodically, or if a common password is utilized, change it every day to increase the effectiveness. Note that some systems store the actual password inside the card itself. Although this is generally effective if the card technology is secure, it is better to have the password stored on the host. The use of biometric readers to insure that the person presenting the card is actually the same person that was issued the card can be used in environments where an even higher level of security is required. A similar solution is to use hand-held biometric fobs that only emit RFID card data after a biometric authentication has occurred. These types of devices actually help to increase privacy and cannot be surreptitiously read without the user’s permission since the access control credential cannot be read until the biometric authentication process has taken place. If the use of multiple factors presents throughput or convenience obstacles, consider only requiring multiple factors of authentication outside of normal business hours where the risk of unauthorized entries are highest or automatically turned on when there is an elevated ‘threat level’. 6 Mind the Cards A perpetrator may use surreptitiously obtained cards for nefarious purposes. One way to do this is to claim that a card was lost when it really wasn’t. Make sure that lost cards are voided immediately. Another way for a perpetrator to fraudulently obtain cards is through gray market sources such as eBay or even legitimate card resellers. There are several best practices to prevent this. First, make sure that only issued cards are valid; don’t have spare cards pre-validated and ready to hand out. Some access control systems can also generate a different message than just denied in the case of presented card in an ID number range that haven’t been entered in the system. When an illegally obtained card is used, if the message generated by the access control system was ‘Card out of range’ instead of simply ‘Denied’, it should signal more urgency to be investigated. Similarly, cards using a different data format that are reported as ‘Unrecognized’, as well as cards with the wrong facility code are also indications that illegally obtained cards are being presented to the system. Therefore, any messages reported by the host access control system with wrong formats, wrong site codes, or out of range should be immediately investigated. Don’t succumb to the argument made by alternate card suppliers that proprietary card formats are more expensive and are an attempt by manufacturers to keep you from buying cards from open sources. The use of proprietary formats offered by an OEM or one that is exclusive to a particular site is a desirable best practice. Cards with proprietary formats are much more difficult to fraudulently obtain as compared to the industry-standard open-format 26-bit Wiegand format and proprietary cards typically provide provisions for non-duplication of card numbers. Some manufacturers’ readers can even be set to ignore ‘foreign’ cards completely, which will also present an obstacle to using cards obtained on the open market. As described earlier, never use contactless smart card readers that solely rely on the card serial number such as CSN readers. It doesn’t make sense to use a contactless smart card with increased security over legacy card technologies and ignore the security capabilities built-into the card. Some companies advocate these types of readers because they do not require implementation of security mechanisms which may not be available for license to that reader manufacturer and typically add additional costs which makes the readers more expensive. Using CSN readers is analogous to using a high security reader on a glass door. Protect the Cards Cardholders should be instructed not to wear their badges in prominent view when outside the premises and be aware of people approaching them attempting to perform a ‘bump and clone’ in which an attempt is made to try and surreptitiously read their card using an electronic skimming device. For contactless smart cards operating at 13.56 MHz, there are many companies that sell RFID shielding devices that are packaged into a card holder that are very convenient to use that prevents these kinds of attacks. Another best practice is to avoid putting any identifying data on the card that gives an indication as to the location or address of the facility to make it harder to identify where a lost card can be used. Of course, many companies put their company logo on their cards but organizations should balance this requirement with the disadvantage of including artwork that reveals the company’s location. For companies with multiple facilities at different physical locations, do not use the same facility code (also known as site code) data in all of the cards so that a lost card can be used at any of the locations. 7 Another best practice is to have a policy that lost cards need to be reported as soon as possible. And make it a policy that when a card is reported lost, it is immediately removed from the system. As an alternative, consider making the cost for a replacement card high enough so that a cardholder will think twice about being careless. Of course, this policy may actually discourage a cardholder from immediately reporting a lost card in the hope that it might be found. Detection – The Second Line of Defense Buy readers with a tamper detect mechanism that provides a signal when the reader has been removed from the wall. Almost every panel manufacturer provides the ability to monitor this alarm signal and report when a reader is tampered with. If the panel supports ‘supervision’, another method that can be used by installers is to include an additional pair of wires that are connected together through a resistor at the reader. This loop can be monitored by the panel using a technique called ‘supervision’ that can detect when the wires are cut, shortened, or other changes in the electrical characteristics of the wires are made. Of course the panel must support this capability. Immediately investigate tamper alarms even if they are momentary and return to normal. You might actually detect the perpetrator in action or find that a foreign device has been installed in an attempt to monitor and/or modify the communications between a reader and the upstream device. If the reader is controlling a sensitive location, such as a perimeter door, have it and the door monitored by CCTV. Some access control systems can automatically switch the viewing monitor to the door with the tamper alarm as well as tag the video history log with the event for later review. And, if you are using your own company-specific cryptographic keys that are stored in a reader, realize that a reader that has been removed from the wall might have had the cryptographic keys extracted from the reader, which compromises the entire security of your installation. Many reader manufacturers also have the capability of sending ‘health’ messages (also referred to as ‘heartbeat’ or ‘I am Alive’ messages) on a periodic basis to the upstream device. This functionality can also be used to detect when the wires are cut and does not require any additional wires to get this protection. If these periodic messages are set to occur faster than it would take to install a rogue listening device, then the panel would notice and report the interruption. Ideally these messages would be set to occur as fast as every second. Monitoring health messages also provides additional benefits since they will detect reader malfunctions. It is better to know when a reader is not working before somebody complains (usually in the middle of the night when they cannot get in the door). For converged physical and logical access control systems, geographic monitoring is available. For example, if a person has just come in through a door at a site in Buffalo but is trying to log into his computer in Denver, then obviously there is a problem. Another benefit in converged systems is to not allow a person to log onto his computer if he hasn’t used his card at a perimeter reader. This simple concept will get people to change their behavior and not tailgate when they are denied access during the computer log-on process. Protect and Study the Security Logs The audit trail of the transactions (i.e., security logs) should be protected as it contains very sensitive data, such as who is going through what doors at what times, card numbers, and much more. If audit trails are electronically stored, keep them encrypted and secure. If they are printed out, shred them when done. (If any of this data is available from a remote site over the network, or for that matter, if the server is accessible or uses the public Internet, make sure that a proper penetration [PEN] test is performed by a reliable third-party.) 8 The security logs are invaluable after a security-related event has occurred because they might provide clues as to who the perpetrator was. But that is not the only time to study the logs. Periodically look at the logs in an attempt to see patterns of events that don’t make sense. Even better yet, use computer software to analyze the logs for suspicious behavior patterns. For example, a cardholder requires a finite amount of time to travel between entry points and if the same card is used at two different locations in a very short time, this could indicate that a cloned card is being used. System Upgrades and Migration Strategies Choose a manufacturer who has a strong portfolio of migration products and strategies including multi-technology cards in which both the legacy credential and the new credential technology can co-exist on the same card. Similarly, multi-technology readers capable of reading both the legacy credential and the new replacement higher security credential are useful in a migration strategy. And often a combination of these products may be necessary to effectively migrate in the shortest, most convenient, and cost effective manner. Conclusion Following as many of these best practices as feasible, with attention to appropriate levels of security, will result in a system that better fulfills its intended function with less possibility of being compromised. And these are just a few best practices to look for. There are many additional best practices that have not been discussed in this paper, such as the use of security mechanisms on the card (like holograms) and other tamper evident technologies and much more. This paper will be continually expanded to include additional best practices for organizations to effectively balance cost, convenience and security when deploying an access control system. Please set a book mark where you downloaded this document check back for later versions. 9 Appendix A: The Dangers of Using CSN-only Smart Card Readers Introduction Some manufacturers, in an attempt to sell a ‘universal’ reader capable of reading almost any contactless smart card technology, actually disable all of the built-in security mechanisms in order to achieve their goal. Reading only the CSN of a contactless smart card actually provides a false sense of security analogous to installing a high security door without any locking mechanism. These readers, referred to as ‘CSN readers’, only read the card’s serial number which, as per ISO standards, must NOT be protected by any security since they are needed by the reader to be able to detect when more than one card is presented to a reader at the same time. This process, referred to as anticollision, takes place before the card and reader mutually authenticate each other. Because the ISO specifications are a publicly available document, details of how this anticollision process works can be used by a perpetrator to build a device to clone (simulate) the CSN of a contactless smart card. Understanding this misuse of the CSN is critical for users of the technology to ensure that access control security is maximized. If implemented and deployed properly, contactless smart cards represent one of the most secure identification technologies available today. Why Use Contactless Smart Cards? The most modern contactless smart cards incorporate advanced state-of-the-art security mechanisms. Before a reader can begin a dialogue with a card, it uses mutual authentication to ensure that both the reader and card can ‘trust’ each other. Only after this process occurs is the reader allowed to access the data stored inside the card. This data is protected by cryptographic algorithms and secret keys so that if the data were somehow extracted or even spied on, it can be very difficult to decipher and utilize. As with 125 kHz Prox technology, contactless smart cards are convenient for users who merely present their cards near a reader. In addition, users do not have to carefully insert the card into a slot or worry about proper orientation. This also minimizes the physical wear-and-tear on both the card and the reader, the potential for vandalism, and environmental elements. Amplifying the convenience of contactless smart cards is their capability to support more than one application at a time. For example, a single card can be used for the dual purposes of opening a door and logging on to a computer. Contactless smart cards also provide greater and ever-increasing amounts of memory, enhancing the sophistication of applications. Enough memory is available to store biometric templates and even photos, enabling additional factors for user authentication. Such authentication of both the card and user increases the security and likelihood that the person using the card is indeed the authorized user of that card. A False Sense of Security To understand why using the serial number of contactless smart cards provides a false sense of security, it is first important to understand some basic definitions and contactless smart card mechanisms. 10 CSN: CSN refers to the unique card serial number of a contactless smart card. All contactless smart cards contain a CSN as required by the ISO specifications 14443and 15693. CSNs are typically 32 to 64 bits long. The CSN goes by many other names including UID (Unique ID), CUID (Card Unique ID), and of course CSN (Card Serial Number). It is important to note that the CSN can always be read without any security or authentication as per the ISO requirements. Think of the CSN using the analogy of the identifying number on a house. It is important for everyone to be able to read the house number to find it. Similarly, the CSN is used to uniquely identify a card when more than one card is presented at a reader at the same time. Moreover, nobody can get in to your house or get in to a smart card without using the correct key. Anticollision: Anticollision is part of the communications protocol used by contactless smart cards to uniquely identify a card when more than one card is presented at a reader at the same time. It provides the ability to communicate with several contactless smart cards simultaneously. This is especially important in long-range readers, as illustrated by Figure 2: Anticollision. Figure’2:’Anticollision The ISO standards require that every contactless smart card have a unique CSN and these standards describe several methods to implement anticollision. It must be pointed out that the CSN was never intended by ISO to be used for any purpose other than anticollision. How is a CSN Used for Access Control? CSN readers are readers that use the CSN of a contactless smart card instead of the credential data stored in the secure area of the card. When a card is presented to the reader, it reads the CSN and typically extracts a subset of the CSN, converts it to a 26-bit Wiegand or other output format, and then outputs this data to an upstream device such as a panel or host computer. The Most Commonly Used CARD Format Intensifies the Problem There are many card formats available and formats are comprised of multiple fields. The most commonly used format contains a total of 26-bits and includes a site code field (8-bits), a card number field (16-bits), and two parity bits. The site code field (also called a facility code) is usually the same for all cards at a given site and is used to ensure that cards from different facilities in the same geographic area can be distinguished from each other. Without this field, cardholders with the same card number might be able to access facilities for which they do not have authorization. The card number field uniquely identifies each cardholder and the parity bits are used to detect data communication errors. 11 If the 26-bit Wiegand protocol is being used, the 16-bit card number field is extracted from the CSN and the site code field is usually created from a pre-programmed number stored in the reader. Because the smart card manufacturer preprograms the CSN, using only a small portion of the CSN is utilized. This introduces the likelihood that there will be duplicate card numbers. Statistically, out of every 65,535 cards, there will be at least one duplicate. This is why it is desirable to use a card format with more bits in the card number field. Some manufacturers offer a card format that uses both a larger card number field and includes an additional OEM field together with the site code field. Keep in mind that the issue of duplicate card numbers is not limited to the Wiegand protocol. It occurs in any protocol that uses a reduced number of bits derived from the CSN to represent a card number. Using the CSN Sacrifices Security for Interoperability To create a low-cost, universal reader capable of reading any manufacturer’s contactless smart card, reading the CSN is the easiest and sometimes the only way to achieve interoperability. One or more of the following reasons are at the heart of the problem: 1. The inclusion of the hardware chip containing the security algorithms adds cost. 2. The reader manufacturer may have to pay a license fee for the security algorithms or the reader manufacturer may not even be able obtain a license. 3. The security keys to the contactless smart cards are not available. Using a low-cost, universal reader that does not avail itself of the security features that contactless smart cards offer will compromise the security of the facility or area where it is used. As noted earlier, the three major reasons to use contactless smart cards are security, convenience, and interoperability. Figure 3 illustrates how using the CSN compromises these three key reasons. Diagram C: Using Smart Card with CSN Reduces Security Security Convenience Interoperability Using Smart Card w/Security (Ideal Balance) Using Smart Card w/CSN (Reduced Security) Figure’3:’Using’Smart’Card’with’CSN’Reduces’Security 12 Using the CSN is Inconvenient and May Add Hardware Costs CSNs are non-consecutive numbers that are in a random order. Therefore, referring to a cardholder by its CSN makes it impossible to group employees by card number ranges such as 1 – 100. Furthermore, as discussed above, it is desirable to use all of the bits required to represent the entire CSN. A 32-bit CSN would be represented as a number with as many as 10 digits and a 64-bit CSN requires as many as 20 digits. Even using the hexadecimal notation to enter, CSNs still require a person to type up to 16 characters to add or change a card. With an enrollment reader, the process of adding cards to a system can be simplified since the CSN of a card can be automatically read instead of being typed. However, this introduces more complexity to the system, requiring additional access control software and hardware enrollment readers. Moreover, if a cardholder’s privileges have to be changed, an enrollment reader is of no use when the card is not available. Using the CSN Can Decrease Privacy Because reading only the CSN of a contactless smart card requires less power, read distances are often greater. This is because the power-hungry cryptography circuitry inside the contactless smart card is not used. Greater read distances, coupled with no authentication or security, make the cards far less secure from illegal activities at even greater distances. In addition, using the CSN gives the false impression that a particular reader’s performance is greater than it actually is. This may be doubly misleading for users because the CSN reader may be less expensive and offer better read distances than a reader that fully implements the security protections available with contactless smart card technology. CSN Emulation An earlier section identified additional security threats based upon the availability of information required to illegally read or copy a card technology. It concluded that using the CSN of a contactless smart card is low security because it is well documented by ISO standards and no security is used to authenticate a CSN. Many smart card development tools such as protocol analyzers can emulate an ISO 14443 or 15693 CSN. Furthermore, universities are also teaching the ISO protocols and students are writing firmware to emulate CSNs. What better way to prove that a student correctly understands the ISO protocol than to actually create firmware to emulate a CSN and fool a reader to prove that the firmware actually works? U.S. Government and International Organizations Recommendations A US Government report recommends not using the CSN for identification purposes since “… using the CSN as a unique identifier works only for 14443A, and for 14443B it [may] be a random number that changes every time and will be discussed in a future version of the specification.” The International Civil Aviation Organization also warns, “There is no protection in use of a CSN because this is often set in software by chip manufacturers and can be changed.” 13 Cryptographers and Industry Expert Opinions Both cryptographers and industry experts also warn of the dangers of using the CSN to identify a cardholder. David Engberg of Corestreet Ltd. said, “The serial number has no cryptographic or protocol-level protections to prevent an attacker from asserting the same serial number as any real card. By implementing ISO 14443 directly, an attacker can imitate any desired CSN.” Bruno Charrat, CTO of Inside Contactless, concurs with David Engberg, adding, “As soon as there is no security in the communications, you can clone a card and then enter anywhere you want! It is as simple as that.” In an article from Security Technology & Design, Greg Young, Technical Sales Manager for RFI Communications & Security Systems, warns against the assumption that contactless smart cards offer more secure transmission than 125 kHz Prox cards. “They can be more secure, but they’re not necessarily more secure,” he said. “Many manufacturers are touting readers that read multiple types of smart card technology —MIFARE, iCLASS—when really all they’re reading is the serial number sent unencrypted from the card, in the same way Prox is. Unless you make sure that what you’re reading is from a secure sector on the card that can be truly encrypted, and there is a handshake procedure between the reader and the card before transmission, what you’re getting is no more secure than proximity technology.” Refuting Commonly Held CSN Beliefs What About Encrypted CSNs? Encrypted CSNs offer no real protection from cloning and replay attacks. Chips with Programmable CSNs The statement – ‘The CSN is a unique serial number permanently written into the device’s nonvolatile memory at the factory; it cannot be modified and is guaranteed to be unique for all devices.’ – is not always true. Some contactless smart cards have programmable CSN. For example, one vendor’s contactless smart card chip data sheet states: “The CSN is written at time of manufacture, but part of it can be customer-accessible and customer-writable, on special request.” Similarly, another manufacturer’s data sheet states: “The CSN is defined by the customer during personalization … it is usually unique… may be set to any value.” Clearly, we see that there is no guarantee of the authenticity of a CSN and CSN reader’s compromise security. When Should a CSN Reader Be Used? CSN readers are very useful as a temporary solution to migrate from one smart card manufacturer to another. A single reader can be used to read both the existing cards using its CSN and the new replacement cards using full security and authentication. This provides a window of time to replace the cards. When all of the existing cards have been replaced, the reader can then be instructed to turn off its CSN reading capability. For maximum security, it is best to keep the replacement time period as short as possible. 14 Conclusion Using the CSN for anything other than its intended use severely reduces the security of a contactless smart card. In other words, CSN is really an acronym for Compromizable Serial Number. When implementing and deploying contactless smart card technology, always consider the following: 1. Contactless smart cards are secure when used properly. 2. Using the CSN of a contactless smart card bypasses the security built into smart cards. Understanding the security risks associated with using the CSN instead of reading the data protected by security mechanisms will help ensure that the proper protections are in place for both personnel and property.
AAA Alarms announces the design and release of the industries first and only Security System designed for Ultra High Security Application Facilities, Ultra High Risk Standards, which incorporates the requirement of IRIS Scan in order to disarm the security system.
Technology from IRIS ID has been integrated into a 250 Point UL Listed, High Security Addressable Security Controller to now require the presentation of valid IRIS Scan, in order to disarm the system and report an opening by user, to the AAA UL Central Monitoring Station. This first in kind technology is the first known application in the US.
For years, the UL Security industry for Jewelry, Precious Metals, and Department of Defense applications has issued standards (UL 681 and UL2050) in an attempt at making the security systems as secure as possible. However, ALL Central Station Monitored Security systems have utilized a simple PINPAD disarm sequence. So no matter how many detectors or sensors, the whole system can fail by an unauthorized person acquiring the PIN CODE either overtly or Covertly (Hidden Camera), as has been done with Bank ATMs in "Skimming".
Now, for the first time, by utilizing advanced Identity authentication, AAA Alarms cannot be disarmed without an authorized user's Eyes being presented to the keypad.
Iris Recognition Technology
- Stable – the unique pattern in the human iris is formed by 10 months of age, and remains unchanged throughout one’s lifetime
- Unique – the probability of two rises producing the same code is nearly impossible
- Flexible – iris recognition technology easily integrates into existing security systems or operates as a standalone
- Reliable – a distinctive iris pattern is not susceptible to theft, loss or compromise
- Non-Invasive – unlike retinal screening, iris recognition is non-contact and quick, offering unmatched accuracy when compared to any other security alternative, from distances as far as 12? to 16?
Traditional Notions of Establishing Identity
Historically, identity or authentication conventions were based on things one possessed (a key, a passport, or identity credential), or something one knew (a password, the answer to a question, or a PIN.) This possession or knowledge was generally all that was required to confirm identity or confer privileges. However, these conventions could be compromised – as possession of a token or the requisite knowledge by the wrong individual could, and still does, lead to the valid disarming of a high security system.
The Emergence of Biometrics
To bind identity more closely to an individual and appropriate authorization, a new identity convention is becoming more prevalent. Based not on what a person has or knows, but instead on what physical characteristics or personal behavior traits they exhibit, these are known as biometrics – measurements of behavioral or physical attributes – how an individual smells, walks, signs their name, or even types on a keyboard, their voice, fingers, facial structure, vein patterns or patterns in the iris.
Biometric Appeal of Iris Recognition
Of all the biometric technologies used for human authentication today, it is generally conceded that iris recognition is the most accurate. Coupling this high confidence authentication with factors like outlier group size, speed, usage/human factors, platform versatility and flexibility for use in identification or verification modes – as well as addressing issues like database size/management and privacy concerns – iris recognition has also shown itself to be exceedingly versatile and suited for large population applications.
FIRST IN CLASS, FIRST IN TIME INTEGRATION WITH UL SECURITY SYSTEM AND CENTRAL STATION MONITORING:
Although the IRIS ID technology has existed for over 15 years, it has now been integrated for security system usage, rather than for just unlocking doors.
The Biology Behind the Technology
Like a snowflake, the iris – the externally visible colored ring around the pupil – of every human eye is absolutely unique, exhibiting a distinctive pattern that forms randomly in utero in a process called chaotic morphogenesis. In fact, it’s estimated the chance of two iris (irides) being identical is 1 in 1078.
The Advantage of Iris Recognition
Iris recognition is an attractive technology for identity authentication for several reasons.
- The smallest outlier population of all biometrics. Few people can’t use the technology., as most individuals have at least one eye. In a few instances even blind persons have used iris recognition successfully, as the technology is iris pattern-dependent, not sight dependent.
- Iris pattern and structure exhibit long-term stability. Structural formation in the human iris is fixed from about one year in age and remains constant (barring trauma, certain rare diseases, or possible change from special some ophthalmologic surgical procedures) over time. So, once a individual is enrolled, re-enrollment requirements are infrequent. With other biometric technologies, changes in voice timbre, weight, hairstyle, finger or hand size, cuts or even the effect of manual labor can trigger the need for re-enrollment.
- Ideal for Handling Large Databases. Iris recognition is the only biometric authentication technology designed to work in the 1-n or exhaustive search mode. This makes it ideal for handling applications requiring management of large user groups, such as a National Documentation application might require.. Large databases are accommodated without degradation in authentication accuracy. IrisAccess platforms integrate well with large database back ends like Microsoft SQL and Oracle 9i.
- Unmatched Search Speed in the one to many search mode is unmatched by any other technology, and is limited not by database size, but by hardware selected for server management. In a UK Government-commissioned study, Iris ID’s IrisAccess platform searched records nearly 20 times faster than the next fastest technology. Iris ID has developed a high speed matching engine, IrisAccelerator™, designed to deliver 10 million+ matches per second.
- Versatile for the One to Many, One to One, Wiegand and Token Environments. While initially designed to work in one-to-many search mode, iris recognition works well in 1-1 matching, or verification mode, making the technology ideal for use in multifactor authentication environments where PINs, or tokens like prox or smartcards are used. In a token environment, many privacy issues related to biometric database management are moot, as the user retains control of biometric data – a small template of 512 bytes per iris.
- Safety and Security Measures In Place. Iris recognition involves nothing more than taking a digital picture of the iris pattern (from video), and recreating an encrypted digital template of that pattern. 512-byte iris templates are encrypted and cannot be re-engineered or reconstituted to produce any sort of visual image. Iris recognition therefore affords high level defense against identity theft, a rapidly growing crime. The imaging process involves no lasers or bright lights and authentication is essentially non-contact.
- Convenient, Intuitive User Interface. Using the technology is an almost intuitive experience, requiring relatively little cooperation from subjects. Proximity sensors activate the equipment, which incorporates mirror-assisted alignment functionality. Audio auto-positioning prompts, automated image capture, and visual and audio authentication decision-cueing completes the process.
AAA Alarms is Rhode Island’s leading provider of security to Department of Defense Contractors,