Understanding the Need for Encryption

Learn why modern encryption algorithms play a vital role in assuring data security.

By Scott Lindley

Most security professionals are not aware that one of the leading gateways for hackers to attack their cyber systems is through their own physical security systems, especially their wired cameras or contactless card access control systems. Let’s look at the latter. When a 125KHz proximity card gets powered-up by getting in “proximity” of a reader, it immediately begins to transmit its fixed binary code number.

As a result, it’s also possible to use a device that will stealthily power up the card from a distance to read and record its internal data. That easily, the attacker can use the card’s information to let unauthorized people in.

Adding to the problem is that Wiegand, the industry standard over-the-air protocol commonly used to communicate credential data from a card to an electronic access reader, is no longer inherently secure due to its original obscure and non-standard nature. ID harvesting has become one of the most lucrative hacking activities.

But, now there is an even bigger problem. To get into IT and critical infrastructure operational technology (OT) systems, hackers simply use card/reader protocol to enter a facility via the public access computer system (PACS), thereby accessing specific computers. Then, those computers act as a gateway to the target’s internal Internet, be it the IT or OT system. Thus, using the physical access control system, hackers steal sensitive data or program a computerized controller to raise the temperature of a blast furnace to unsafe levels.

The Need for Encryption
Therefore, one aspect of securing the card’s information is to make the internal numbers unusable to anyone who intercepts them; they must be encrypted. To read them, the system needs access to a secret key or password that provides decryption. Modern encryption algorithms play a vital role in assuring data security:

  • Authentication: confirming the origin of a message.
  • Integrity: confirming that the contents of a message have not been changed.
  • Non-repudiation: the message sender cannot deny having sent the message.

Here is how it works. The number is encrypted using an encryption algorithm and an encryption key. This generates ciphertext that can only be viewed in its original form if decrypted with the correct key. Today’s encryption algorithms are divided into two categories: symmetric and asymmetric.

Symmetric-key ciphers use the same key, or secret, for encrypting and decrypting a message or file. The most widely used symmetric-key cipher is Advanced Encryption Standard (AES), which is used by the government to protect classified information.

Asymmetric cryptography uses two different, but mathematically linked, keys, one public and one private. The public key can be shared with everyone, whereas the private key must be kept secret. RSA was first described in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman of the Massachusetts Institute of Technology. It is the most widely used asymmetric algorithm.
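The following Go program is an added illustration of the two categories just described; it is not code from the article, from Farpointe Data or from any card vendor, and the card number, key sizes and function names are constructed for the example. It seals a credential with a symmetric AES-256-GCM key (the same key encrypts and decrypts, and the authentication tag exposes any change to the ciphertext), then shows the asymmetric pattern by wrapping that AES key to an RSA public key with OAEP so that only the holder of the matching private key can recover it:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SymmetricSeal encrypts a credential (for example a card number) with
// AES-256-GCM. The output is nonce || ciphertext || authentication tag, so the
// reader needs the same 32-byte key to recover the number, and any change to
// the sealed bytes is detected when it tries to open them.
func SymmetricSeal(key, credential []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh nonce for every message
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce passed as dst.
	return gcm.Seal(nonce, nonce, credential, nil), nil
}

// SymmetricOpen reverses SymmetricSeal. A wrong key or a modified byte makes
// gcm.Open return an error instead of a plausible-looking number.
func SymmetricOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed credential too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// NewKeyPair generates an RSA key pair: the public half can be handed to every
// enrolment station, the private half stays inside the controller.
func NewKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// AsymmetricWrap encrypts a short secret (such as the AES key above) to the
// public key with RSA-OAEP; only the matching private key can unwrap it.
func AsymmetricWrap(pub *rsa.PublicKey, secret []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
}

// AsymmetricUnwrap recovers the secret with the private key.
func AsymmetricUnwrap(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

func main() {
	cardNumber := []byte("facility 42 / card 1234567") // constructed sample credential
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		panic(err)
	}

	sealed, err := SymmetricSeal(aesKey, cardNumber)
	if err != nil {
		panic(err)
	}
	opened, err := SymmetricOpen(aesKey, sealed)
	fmt.Printf("symmetric round trip ok:      %v\n", err == nil && bytes.Equal(opened, cardNumber))

	// Flip one bit of the sealed credential: the tag check must reject it.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = SymmetricOpen(aesKey, tampered)
	fmt.Printf("tampered credential rejected: %v\n", err != nil)

	controller, err := NewKeyPair(2048)
	if err != nil {
		panic(err)
	}
	wrapped, err := AsymmetricWrap(&controller.PublicKey, aesKey)
	if err != nil {
		panic(err)
	}
	unwrapped, err := AsymmetricUnwrap(controller, wrapped)
	fmt.Printf("asymmetric key exchange ok:   %v\n", err == nil && bytes.Equal(unwrapped, aesKey))
}
```

The division of labour shown here is the usual one: the symmetric cipher handles the bulk data because it is fast, and the asymmetric pair is used only to move the symmetric key between parties that do not already share a secret. Note that RSA-OAEP can only wrap a message a good deal shorter than the modulus, which is why the AES key, not the credential record itself, is what gets wrapped.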

Adding Encryption into an Access Control System
Today, 13.56MHz smart cards are used to provide increased security compared to 125KHz proximity cards. One of the first terms you will discover in learning about smart cards is Mifare, a technology from NXP Semiconductors. Mifare enables two-way communications between the card and the reader.

Mifare Classic was an original version of the Mifare standard used in contactless cards. It stores the card number on one of its sectors, then encrypts the communication between the card and reader to theoretically make it impossible or, at least, very difficult to clone a card. Unfortunately, a security flaw was discovered in the Mifare Classic standard which meant that, with the right knowledge and hardware, a card could still be cloned or another card in the series created.

The newest of the Mifare standards, Mifare DESFire EV1, includes a cryptographic module on the card itself to add an additional layer of encryption to the card/reader transaction. This is amongst the highest standards of card security currently available. MIFARE DESFire EV1 protection is therefore ideal for providers wanting to use secure multi-application smart cards in access management, public transportation schemes or closed-loop e-payment applications. These cards are fully compliant with the requirements for fast and highly secure data transmission and flexible memory organization, and they provide interoperability with existing infrastructures.

***
Scott Lindley is President of Farpointe Data, a DORMA Group Company.
