printer friendly version

Think your smartcards are secure?

As we move into 2017, it is widely known that most legacy access control cards and smartcards in the industry are easily copied and cloned. But it is important to remember that even if you are using a secure technology (like EV1), cards can still be copied if there is careless use of the smart card ‘keys’.

Not only can you buy traditional card cloning machines, but you can now also buy open hardware to exploit poorly written code that extracts AES smartcard keys in a matter of minutes. If these smartcard keys become known, then ID cards can be recreated (even if businesses are using the highly secure EV1 technology).

There is also the realisation in the industry that when many thousands of cards are issued with a common numbering scheme and key structure, effective key management and lifecycle strategies need to be developed. So the question is – how do we ensure that our smartcard keys remain secure and uncompromised at all times?

To increase key security at the manufacturer level, leading smartcard providers can offer a secure object, which is written to the smartcard using a separate set of keys. Although this provides customers with a layer of protection, if these keys become known the system security is still ‘at risk’ as cards can be freely created. So, to mitigate against this vulnerability, Lumen ID recommends that customers look internally at their ‘Key Generation Ceremony’ and process.

Very often smartcard migration project success involves ensuring that smartcard key structure and code is both written and managed in the most secure, anonymous and auditable way. Because after all, isn’t it audit that drives behaviour? Questions such as how the keys are generated, how they are kept secret and how they are disseminated in global corporate environments, require robust answers to ensure that access control security is maintained.

An end-to-end security management process for securing and protecting smartcard keys can be easily achieved using multiple, independent factors such as:

1. The generation of a private, anonymous key structure that’s only known by the customer.

2. Key rotation.

3. Credential management software for the allocation of unique identifiers and to connect to existing access control systems and databases.

4. Use of encrypted card printers and credential encoders.

1. Generation of an anonymous, private key structure

Although customers are assigned random and unique shipping ‘keys’ by the card manufacturer, it is important that keys can then be subsequently changed by the customer to an anonymous keyset; thus ensuring the utmost level of security and autonomy.

Historically, smartcards were supplied completely personalised with all the information necessary for the card to function included within the card. For security and costs reasons however, the growing trend now is for most cards to be supplied minimally personalised, with further personalisation then required on-site.

The first step in the deployment of a truly secure smartcard credential starts with the creation of a unique, private key structure that never leaves the client’s secure area. During the customer’s initial ‘key generation ceremony’ Lumen ID recommends that smartcard keys and passwords never exist in human readable form. They should never be written down and indeed no one person should know the pre-curser to regenerate the keys.

It is best practice to create a keyset that is derived using multiple paraphrases from numerous members of security staff. This ensures ‘distribution of trust’ as no one person knows the complete passphrase. From the combined passphrases, a unique customer keyset is then created, along with a set of secure ‘Key Configuration’ cards (eg. Admin and Key change cards) that are used to initiate readers and other security devices so that they can all operate seamlessly using the same keyset.

The benefit here is that the manufacturer only knows the initial card shipping keys. But because they don’t know the customer’s active cards and the unique paraphrase cards, the keys will always remain anonymous.

2. Key rotation

It is recommended that keys be capable of being changed periodically and recreated by the customer as and when required. Smartcard suppliers should never be able to recreate the customer’s active keys, ensuring a degree of separation from the key management process. Opt for secure readers that can be used across different platforms and which allow key rotation. New keys should be capable of being distributed securely into the system using a secure reader key change configuration card.

At Lumen ID, we also recommend that keys do not reside on the access control readers directly. This rationale is also supported by recent government standards bodies for access control in the UK – CPNI (Centre for the Protection of National Infrastructure) and NIST (National Institute of Standards & Technology), in the USA. These bodies emphasise the importance of not holding keys in the reader in case it’s stolen and keys examined and extracted over time. Instead they recommend that keys should be held in the secure location of an access control door control panel.

As an added layer of security and to eradicate any risk of key extraction or interface replaying, Lumen ID recommends the use of a smart ‘Cipher box‘ (that sits between the card reader and the door control panel) to independently hold the keys.

3. Credential management software to allocate unique identifiers to the credential

Ensuring key autonomy is made further difficult for enterprise customers that often have problems such as the use of multiple card technologies and multiple access control systems per region. How can they create a common global credential that’s unique and highly secure, irrespective of its regional environmental differences?

This is achieved using a top level credential management software interface that talks to the SQL databases of multiple access control systems. The credential management interface remotely manages the allocation of unique identifiers to the global credential. It controls all the key elements in the end-to-end credential solution including; ‘Printer Encoders’ and ‘Card Number Ranges’. It also provides a full audit trail of credential/key management actions and provides real-time alerts of prohibited actions for command and control.

4. Opt for encrypted card readers and printer encoders

Encrypted card printers/encoders which hold the customer’s private keys directly in the SAM of the encoder are also now available. When used in collaboration with key configuration cards and credential management software, printer encoders can successfully allocate a unique identifier to ID cards and ensure that on-card key/data protection is digitally assigned to an end access control credential.

Conclusion

Securing credential key structure and ensuring distribution of trust at all levels of the access control credential process is essential. A robust, continual audit procedure should be put in place to ensure that keys are never compromised. As manufactures and suppliers have no knowledge of the keys generated as part of this anonymous process, it is also essential that they are created and managed in a systematic, secure and auditable fashion. When choosing a smartcard solution provider, ensure they have the software tools available to allocate a unique ID to the credential, program the credential and vitally, to provide a secure audit trail as to the ongoing validity of the credential.

Share this article:

Further reading: