Historically, card-based access control systems were built around a card with a magnetic stripe. These cards required a swipe action through a magnetic card reader to gain access to a door. This technology had a number of disadvantages, including an inconvenience factor, a high wear rate, and very low security. It was these disadvantages that led to the development of a new contactless proximity technology, allowing cards to be read without physically contacting the reader.
Proximity readers work by constantly emitting a short-range RF field. When a proximity card comes within range of this field, an integrated chip within the card is powered up and the chip transmits a card number back to the reader. Not all proximity cards are born equal, however, and it is important that the differences are weighed up before making a decision about which technology to adopt.
The first of the proximity technologies was 125kHz. When a 125kHz card is powered up, it immediately begins to transmit its card number. In effect, this is very similar to the way the old mag-stripe readers worked. The problem is that being a proximity system, it is possible to create a device that will ‘power up’ a card from a distance, then read the data that is being transmitted. Once you have this, you can easily reproduce the card, making as many copies as you like. In many cases, you can even create cards in the same series with different numbers.
The one advantage of 125kHz is that due to the lower power requirements and small amount of data being transmitted, it offers a good read range (of around 10cm) and a short read time, allowing users to present, swipe, or wave their card in the general direction of the reader to get a successful read.
The Mifare standard was originally created as a ticketing solution for transport systems, and at the same time addressed the security issues in 125kHz technology by enabling two-way communication between the card and reader. This saw the introduction of card encryption and the ability to store data on the card.
Most Mifare technologies store the card number in one of the storage areas on the card, known as sectors. When the card approaches the RF field of the reader, the card and reader begin a secure communication session using shared encryption keys. Once this is established, the card number is transmitted and the communication session is closed off. This process happens very quickly; however, it does take slightly longer than a 125kHz based system and means that generally, a Mifare card cannot be simply swiped or waved at a card reader, but must be presented. Also, the two-way process requires more energy than 125kHz, meaning a slightly reduced read range of around 7cm.
Along with the added security, the additional storage space on the card can be used for many applications, such as offline locking systems or the storage of credit for pay-as-you-go systems.
Mifare comes in many forms, each with their own advantages and disadvantages.
All Mifare cards come with a built-in CSN (card serial number). This electronic number is presented in much the same way as 125kHz in that it is not encrypted and can be read by a larger range of devices easily purchased on the open market. For instance, many smartphones are able to read this information, making it an even less secure method than most 125kHz systems. CSN is generally used where there is a requirement to read Mifare cards from a number of different access control systems, or from third-party cards such as pay-as-you-go cards. While it offers great flexibility, it is very insecure.
Mifare Classic was the first version of the Mifare standard. It stores the card number on one of its sectors, then encrypts the communication between the card and reader, theoretically making it impossible, or at least very difficult, to copy a card. Unfortunately, a security flaw was discovered in the Mifare Classic standard which meant that with the right knowledge and hardware, a card could still be copied or another card in the series created.
ICT Secured Mifare is ICT’s implementation of the Mifare standard. Card data is protected with a diversified authentication key and encrypted with an AES256 algorithm, effectively plugging the known security flaw in the Mifare standard. These cards are not as secure as DESFire but still provide high security against cloning.
The newest of the Mifare standards, Mifare DESFire includes a cryptographic module on the card itself to add an additional layer of Triple DES encryption to the card/reader transaction. This is the highest standard of card security currently available; however, it does come with some disadvantages. The additional cryptographic module requires more energy to operate, resulting in a further reduced read range of 1-2cm. This means that when implementing DESFire technology, it is critical that it is done with some simple user education in order to avoid frustration. A DESFire card must be firmly presented to the reader and held in place until access is granted. Waving or swiping a DESFire card will not result in a successful read. Educate users to think of the card reader as a security guard – when requesting access, the reader needs to be shown your credentials, much like a security guard might inspect an ID card.
All cards are made up of a site code and a card number. The site code is designed to be unique to a particular site or building, meaning that a card from one building would not allow access at another building, even if the card number was the same.
With 125kHz, there are so many producers of cards worldwide and a relatively small number of site codes available, that it is possible, or even likely, that many legitimate versions of the same card exist. On the other hand, with ICT Secured Mifare and Mifare DESFire cards, every site is registered with its own globally unique site code, and every card produced is recorded in our secure database. This ensures that duplicate cards are never created.
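The site-code check described above, as an added example that is not part of the original article or ICT's own reader firmware: it assumes the common 26-bit credential layout (8-bit site code, 16-bit card number, one even and one odd parity bit), which the article does not name, and shows a reader rejecting a card whose number is enrolled but whose site code belongs to another building.

```python
# Added example (not from the original article): decode a 26-bit credential into
# site code and card number, verify both parity bits, and grant access only when
# the site code matches the site's registered code AND the card number is enrolled.
# Assumed layout (the common "standard 26-bit" format, not named on the page):
#   bit 0       even parity over bits 1..12
#   bits 1..8   site (facility) code, 8 bits
#   bits 9..24  card number, 16 bits
#   bit 25      odd parity over bits 13..24
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    site_code: int
    card_number: int


def decode_26bit(bits: str) -> Credential:
    """Parse a 26-character string of '0'/'1' into a Credential, checking parity."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    b = [int(c) for c in bits]
    # Leading bit: even parity over the first 12 data bits (site code + high card byte).
    if sum(b[1:13]) % 2 != b[0]:
        raise ValueError("even parity check failed")
    # Trailing bit: odd parity over the last 12 data bits (low 12 bits of card number).
    if (sum(b[13:25]) + b[25]) % 2 != 1:
        raise ValueError("odd parity check failed")
    return Credential(site_code=int(bits[1:9], 2), card_number=int(bits[9:25], 2))


def encode_26bit(cred: Credential) -> str:
    """Inverse of decode_26bit; used here only to construct sample card reads."""
    data = f"{cred.site_code:08b}{cred.card_number:016b}"
    even = str(sum(int(c) for c in data[:12]) % 2)
    odd = str((sum(int(c) for c in data[12:]) + 1) % 2)
    return even + data + odd


def access_decision(bits: str, site_code: int, enrolled: set[int]) -> str:
    """Reader-side check: the site code must match before the card number is consulted."""
    try:
        cred = decode_26bit(bits)
    except ValueError as exc:
        return f"reject: {exc}"
    if cred.site_code != site_code:
        return "reject: wrong site code"
    if cred.card_number not in enrolled:
        return "reject: card not enrolled"
    return "grant"
```

A corrupted or mis-read credential fails the parity checks before any lookup, and a card from another site with a matching number is refused even though that number is enrolled locally.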
ICT also offers the ability for an integrator or end user to purchase a reserved set of encryption keys. This effectively gives the organization its own entire set of globally unique site codes and card numbers. Optionally, the integrator or end user can encode their own cards at their site as they require them. This is still a managed system, ensuring that duplicates cannot be made.