More effective protection for your access control system with end-to-end security

Transcription

1 More effective protection for your access control system with end-to-end security By Jeroen Harmsen

2 The first article on end-to-end security appeared as long ago as The principle originated in ICT and is actually a design principle for computer networks. Because ICT and physical access control are becoming increasingly integrated, ICT principles are also being used more and more often in the world of physical access control as well. The security world is changing rapidly and articles about successful hacks are appearing every day. In addition, organizations are now being required to be increasingly open and accessible. What is more, systems also need to be connected to each other for management reasons and must be available from outside via internet connections. These combinations call for the continual adaptation of your security in line with the new reality, which includes your access control system. Below you will find a number of questions you could ask yourself. Are you aware of possible threats and risks? How long is it since you had a risk analysis carried out or are you aware of the consequences if social engineering is successfully applied? What are your 3 biggest risks and do you know how the security of your access control system is arranged? One thing is certain, your access control system will be safer and more resistant to threats if end-to-end security is used. In this document, we would like to tell you more about end-to-end security. What exactly does it entail? And what do you need to be aware of in the case of end-to-end security? In doing so, we will consider the various aspects, commonly-used terminology and various protection methods that form part of end-to-end security. The purpose of end-to-end security is to protect the interrelationship that exists between the individual components of an access control system against potential threats. As a result of this, you can rely on the fact that your access control system is secure and that the individual requesting access really is the person you want to grant access to. End-to-end security also ensures that the access information is not altered en-route. In order to achieve this, all of the components that make up the system must be properly protected. This document therefore discusses the individual components, the threats they are subject to and what action you can take in order to protect them. As a result, you will learn how to improve the effectiveness of your access control system, while limiting the risks but maintaining the ease of access. I CT and physical access control are becoming more and more interwoven. One of the reasons for this is that the server for the access control system is often located in the ICT department. Buildings are becoming more accessible to the public and as a result there is a greater need for sound Identity and Access Management. In addition to this, access control in the form of identification and authentication is becoming increasingly important for the use of applications. And confidential information, such as files, personal data or sales information, must be properly safeguarded. If you employ a suitable type of architecture for physical access control, you can also use it for ICT access control (otherwise known as logical access control). You can use the proven principles derived from IT in your access control system. These security principles are defined as the package of desired system characteristics, behaviour, design and implementation methods that endeavour to reduce the likelihood of threats and their associated impact, if a threat materializes. Security principles provide assistance in formulating requirements, in making decisions in relation to access control architecture and implementation and in detecting possible weaknesses in the system. By applying these nine principles you can easily use digital certificates (PKI), multi-factor authentication or encryption with the same card that you use for physical access control. You can read more about this in our paper: The importance of well-defined security principles. In addition, your security advisor can give you more information about this and can advise you and help you make the right choices. 3

3 What is end-to-end security? End-to-end security gives you absolutely certainty that your access control system is effectively protected from start to finish and will only grant entry to those to whom you wish to grant access. This can only happen if the information is not altered en-route. It is therefore a case of evaluating the authenticity and integrity of all components within your system: Authenticity Integral security check By implementing an additional check (requesting To achieve effective end-to-end security, it is necessary to check the protection of the entire chain. This a PIN code for example) in addition to the claim (such as the presentation of a card), you can be certain that a therefore extends further than simply checking the person claiming to be someone or something really is encryption technology of an access card. An effective what he/she is claiming to be. method is to examine the chain from the attacker s point of view. What are the weaknesses of the various Integrity components? What opportunities do these provide for Using encryption makes it impossible to alter the hacking? message that passes from component to component within your access control while it is en-route. Other encryption standard The constant changing of encryption technology has major consequences for access control systems. In many cases this is still not being recognized sufficiently. Faster computers will be able to crack passwords or encryption more quickly. Nowadays everyone realizes that a password has to be more complicated than six letters. But what they often do not realise is that today s encryption standard will probably be outdated in five years time. A welldesigned system is capable of adapting itself to this, now and in the future. The basic principle behind keys Access control systems use encryption. The Kerckhoff principle, which forms the basis of cryptography, therefore also applies to access control systems: the security of an encryption system must only depend on the confidentiality of the cryptographic keys used by the system. What isn t end-to-end security? The term end-to-end is being used more and more frequently. This has led to many misconceptions about the content and application of this term, such as: A good end-to-end access control system is, by definition, secure Unfortunately, this is not always the case. In addition to effective end-to-end security, additional measures, such as good employee training in matters relating to security, are also needed, in order to make your access control totally secure. End-to-end involves social hacking In the case of social hacking, the enemy builds up trust and then makes use of that trust in order to manipulate the behaviour of your access control system. For example, by pretending to be the help desk, as a result of which your receptionist hands over the access details. A countermeasure is to raise the awareness amongst colleagues, using methods such as role-playing, for example. This will only deliver more effective security for an individual component of the chain on which end-to-end security is focusing its attention, however. End-to-end security only concerns card technology Card technology is also only one of the security links in your access control system. As a result of popular hacks -involving the Public Transport chip card for example- this is often the first component that comes to people s minds when they think of end-to-end security. End-to-end security equates to procedures governing password management and administrator accounts Once again, ensuring the effective security of passwords and administrator accounts actually forms only a single component of end-to-end security, but it is extremely important. Because a technically perfect, secure access control system that still has the default password while it is connected to the ICT infrastructure, can result in leaks such as the one experienced by Google Australia with their building control system. Researchers hack building control system at Google Australia Leaks in access control systems attract less attention than security leaks in industrial systems. But when a hack involves a major name, such as Google, everyone - rightly - pays attention. Google Australia uses a building control system built on the Tridium Niagara AX platform. The main server is in the ICT department, while responsibility for the building control system resides with the security managers. As a result of poor communications between them, a patch released by Tridium was not installed on Google s system. As a result, hackers were able to retrieve the default password ( anyonesguess ) and penetrate the system. This hack could most probably have been prevented if attention had been paid to three issues in the field of security: The online availability of the system significantly increases its accessibility to potential enemies. No checks governing the procedures used to change the default passwords and log-in details are in place, or they have not been applied correctly. Patches and updates must always be installed in good time to minimize possible security breaches. 4 5

4 Find the weakest link In end-to-end security, it s important to consider that the chain is only as strong as its weakest link. That is why it is essential that an access control system is always evaluated in its entirety, so as to discover where that weakest link can be found. The components and their communications The following components and their mutual communications are of importance when evaluating the end-to-end security of your access control system: Cards / biometrics Cards form an important part of access control systems and many different types of cards are available. The type of data encryption employed can also differ greatly between those different types. In the text box entitled Card technologies we have included an explanation of a number of different types of cards. Card-Reader transmission The transmission of information between the card and the reader provides an opportunity for hacking. This could take the form of eavesdropping or skimming, or could involve pretending to be someone else (spoofing). Encryption is an effective security technique that can be used to counter this. The most secure method is to only have this encryption card decoded by the controllers, because they are usually located on the secure side of the building. Card technologies The most commonly used card technology is Mifare from NXP semiconductors. Different versions have different forms of encryption: Classic This card makes use of NXP s own encryption. This can be hacked within ten seconds, however, using a laptop. What is more, this card can also be cloned. Plus Readers / antennas The reader reads the card details and converts it into a wired signal. The reader therefore does not really have to do anything with the information that is on the card. This means that there is no need for decoding to take place in the reader. After all, allowing decoding to take place in the reader would only create a security risk, because the keys for decoding are also held on the reader. This is a risk that must not be underestimated, although many of the solutions in use provide only limited options. Reader-Controller transmission The same risks of hacking by eavesdropping, skimming or spoofing that apply in relation to card-reader transmission also apply here. It is therefore important to take care that you are not using a generic protocol such as the popular Wiegand protocol as this is very susceptible to hacking. Mifare Plus supports 128-bit AES encryption, but so does Mifare Classic. This is ideal for upgrading, but this card is not protected against brute force and crypto-analysis attacks. DESFire This card incorporates 3DES and AES encryption. AES is the successor to 3DES, which itself was the successor to DES encryption. DESFire is still widely used, although nowadays it is primarily DESFire EV1 that is used. DESFire EV1 Controllers Controllers are vulnerable in the chain, because a lot of information is stored there. Fortunately, controllers are usually installed on the secure side of the building, which provides them with a certain degree of protection. Have you stored the decoding keys in the controllers? If so, it is important to ensure that no controllers can be stolen (including those for any outbuildings). The keys should be stored within the controller, in a secure vault that cannot be hacked, such as in a SAM module. This is the successor to DESFire, it provides 128-bit AES encryption. DESFire EV2 This card is the successor of DESFire EV1 and is capable of storing different keys for different applications. Controller-Server transmission The connection between the controller and the server is usually established by means of a TCP/IP connection on the secure, internal (separate) company network (VPN). Encryption is important here too. Server The server determines all access rights and transmits these to the controllers. It is therefore important to ensure that an effective firewall is in place and that the server is housed in a physically secure room. Make sure that security managers do not forget to update the server - as happened in the case involving Google - because the server is physically located in the ICT room.

5 Key management Of all the components discussed above, key management is probably the most troublesome component of end-to-end security, because it influences all kinds of other aspects: systems, user training and the communications between organizations and departments. Key management means the creation, exchange, storage, use and changing of cryptographic keys in a security system. Cryptographic protocols, key servers and certificate servers and standard procedures are required to do this properly. Configuration card and secure transport Central key management The card producer is usually responsible for key Whenever your organization changes a key, you management but it can also be organized internally. don t, of course, want to have to visit every door and Special software is needed for this in both cases. If you location to let the system know that a new key is being take new keys into use, it is important that everyone used. That is simply not necessary in the case of key involved is aware of this. Good communication management. If situations such as this are arranged between the organization and the card producer is correctly, central key management ensures safe therefore essential. The keys are transferred using distribution with fewer risks when updating to a new a so-called configuration card - a card on which the key, is easy to manage and is less costly. (mother) key has been saved - which is delivered by secure transport. Same cards, different key Cards are able to store multiple keys. As a result, cards can be used longer and your organization can change the key without having to have new cards within the period concerned. The more keys that can be stored on a single card, the longer the organization can keep using the cards that have been supplied. The key can be changed as a preventative measure or as a necessity if a key has been hacked. Continuous adjustment to developments As a result of risks, an access control system may have a number of weak points. Taking account of this in advance when choosing an access control system can therefore avoid a whole host of problems. Risks with securing access control systems Updating card readers remotely From the point of view of end-to-end security, it has The risks above increase the likelihood that new been established that the security of an access control card technologies will be required during the service system is always susceptible to a number of risks: life of the total system. That is why it is increasingly important to have the facility to update card readers Security methods are being hacked continuously. to new technologies remotely. For example, when an This is borne out by the fact that, since the card update from Mifare Classic to Mifare DESFire EV1 or technology of Mifare Classic has been hacked, the EV2 is required, or if an NFC (Near Field Communication) phone has to be used as an access card. newer technology of Mifare DESFire 3DES has now also been hacked. The chance of this happening with new cards too is ever present. Effective key management In view of the current risks, effective key management is increasingly important. That is the reason Nowadays, hacked default protocols can be shared more easily via the Internet. why in symmetrical cryptography (usual nowadays), the key to decoding and to encoding is the same. So Secret keys can become public for a number of if you know the key, you can read cards and create reasons (a stolen controller for example). them as well. This situation is therefore not without an element of risk. It is therefore important that keys are difficult to access in the SAM module. They must also be easy to change if hacked. But effective key management also means that keys are not stored in the memory on the controllers, but in proper vaults - SAM modules on the controllers. 8 9

6 Conclusion In order to guarantee the security of the people and objects located inside the building, access control systems must ensure that unauthorized individuals do not have access to a building. It is therefore extremely important to use end-to-end security to ensure that the access control system itself is secure and cannot be hacked. A number of measures are indispensable in that regard: Ensure effective key management Simple changing via software Always store keys on the secure side of Because an access control system is always used for buildings and never in the card readers the longer term, it is almost certain that new security themselves. technologies will be introduced during the service life of the system. Ensure that the card readers, Store keys in an electronic vault controllers and server can easily be updated to new (SAM module). software, in order to provide your system with the latest security technology. This will prevent you being Ensure that new keys can be forced to invest in new hardware prematurely. taken into use centrally. Nedap Security Management Nedap Security Management develops technological solutions to make your customers everyday activities easier. To do this, we develop solutions that are tailored to the customer s requirements instead of providing standard systems. This customer-oriented approach enabled us to develop AEOS - the first software-based platform for security management. And that is a process that is never complete; we simply keep on innovating, improving and developing our solutions further. There s simply no other way. The market is changing and the customer demands are changing along with it. That s why AEOS changes along with them. Always work with multiple keys on a card so that it is easy to change keys. Ensure that communications between all components are secure. Change all default passwords to individual passwords. Train employees to prevent social hacking. Always install updates and patches as soon as they are available. Some specific situations require specific security measures. In that case, you are better-off making an appointment with an expert. He will be able to work with you to draw up a risk profile and safety analysis. Based on this, he can give you advice about the security of access control systems for specific zones or for the entire system. Nedap houses experts on the subject of end-toend security. We d be happy to set up a meeting to help you find the best solution to secure your security system. Jeroen Harmsen Business Development T. +31 (0) E. jeroen.harmsen@nedap.com 10

7