Whitepaper: Access Control System Technology OverviewAN ESTIMATED 70% OF ALL INSTALLED ACCESS SYSTEMS IN NORTH AMERICA LACK ENCRYPTED SECURITY BETWEEN CARDS, READERS and ACCESS PANELS
Most access control systems dealers and end users are familiar with proximity cards, card readers and Wiegand access control panels. These commercial security systems and components have been the preferred industry standard since the mid 1990’s when they started to displace proprietary panels and old card technologies like mag stripe and barium ferrite. Folks were fascinated by these new readers that “beeped” when you held a “prox” card “near” a reader. Proximity (RFID) technology became cool and its access control use grew like wildfire.
Beginning in the early to mid 90’s 125 kHz proximity cards became the standard for cards and readers used in access control systems. And during the 1990’s and early 2000’s the 26 bit card format dominated the market. This was because the vast majority of access control panels could handle the 26 bit format and so it became a “defacto” standard for cards, readers and panels.However, the 26 bit proximity card format is limited to just 256 facility codes (0-255) and a card ID range of 0 thru 65,535. The available number range is quite limited when you think of how many doors and systems were, and are, in use. Because of the limited combinations, card duplication was, and still is, rampant today.
Imagine back to the early days of card access system installations, in the early 90’s, when the concept was new to installers just like it was to end users, an installer would call customer service at the leading card manufacturer(s) to place an order for cards. The installer would say “I need to order some of the Proximity cards” and the Card Manufacturer would say “what facility code and starting badge ID do you need?”…to which the Installer would say “I don’t really know, not sure about all that”…or maybe they would just say “how about facility code 1 or 3 or something? And lets start with Badge ID 1000”….well you can imagine as system installations grew by the hundreds and then the 1000’s the number of companies using the same facility codes and the same Badge ID ranges started to have serious duplication. On top of this, nobody was even tracking what numbers had been used. And one other important note is that many access systems employ a function called “degraded mode” which causes a system, in certain instances, to totally ignore the facility code.
As more and more systems were deployed, and proximity cards and badge use grew rapidly, the manufacturers of the access control software and panels (OEM’s) started thinking they should have their own card formats, to differentiate from 26 bit. The reasons were, better control over their own users and supply of cards (exclusivity), combined with more number combinations available in formats like 36 bit Simplex® or 37 bit AMAG®. This served a dual purpose, making the system more proprietary to the OEM (forcing the customer to come back to the OEM for cards) and also giving the OEM a story that because the card supply was more “restricted”, it somehow implied “more security” and would prevent number duplication. There was also the advent of the 35 bit Corporate 1000® format, a format designed for large end users that wanted better assurance of no number duplication and that wanted to better control their card sourcing.
The fatal flaw in the second reason is the fact that virtually all of the 125 KHz proximity systems deployed had (and still to this day have) ZERO security in the RF transmission between the card and reader. Essentially the readers broadcast an ID number totally “in the clear” meaning even a freshman engineer at a University could capture and replicate ID numbers or “clone” proximity cards. Many folks today are aware of the weakness of proximity cards but a great many still think the products are “secure”. Card cloners have struck fear into many large end users and many have started to upgrade their cards and readers.
Back to the growth of proximity and in the early 2000’s, more and more OEM’s deployed their own “proprietary” card formats to maintain control of their customer base. Some of these format types include the following: ADT® 37 bit A901058A, AMAG A10701 32 bit, AMAG S10401 37 bit, AWID 26 bit, CASI Rusco (GE CASI) C10106 40 bit, Continental C10202 36 bit, DSX D10202 33 bit, Honeywell® Quadrakey 32 bit, HID C1000 35 bit, JCI C10001 Johnson Controls 34 bit, LENEL 36 bit, Northern Computer N10002 34 bit, Simplex S12906 36 bit, and many more.
These all sound impressive with many different bit (26, 33, 35, etc) lengths and fancy names, but in fact, other than having lots of number ranges to choose from, they are really no more secure than the basic 26 bit format because the number is typically still broadcast “in the clear” and can be cloned or copied. This is further exacerbated by the vast number of resellers of many proximity card formats (exclusivity is gone), further increasing the risk of duplication and putting downward price pressure on the cards – all of which hurt the integrator, and of course mostly the lack of security which hurts the end user.
But there was a movement afoot by the mid 2000’s.European security influence started making its way to the US market in the way of 13.56 MHz contactless technologies which provided higher data rates and secure or encrypted transaction capability. Today these products are known as contactless smart cards and include such technology or product names as MIFARE®, MIFARE DESFire®, iCLASS®, and LEGIC®. These are all similar technologies that rely on mutual authentication and encryption methods to provide a more secure transaction than traditional proximity. While there are differences and uniqueness to each of these contactless technologies, as long as they are used in a secure mode, they are much better than traditional proximity. Today it is estimated that approximately 20% of systems utilize secure contactless cards, a strikingly low percentage. This means there is a massive migration opportunity, roughly 70% of the overall installed base ready for leading companies to upgrade.
Anyone installing a new system today should be using a contactless smart card product, that employs security measures, and preferably a diversified keying scheme. Any dealer that continues offering the 30 year old proximity technology for new and add on installs, is doing a serious disservice to their customer and really should not consider themselves a security dealer, perhaps just an integrator.
For savvy companies that want to take a leading position, 3millID would advocate that any installations of readers should now at least read the existing proximity cards but also provide an upgrade or migration path to the latest secure technologies that provide encrypted data protection on the card, in the transmission to the reader, and between the reader and access control panel. This simply provides end to end security from card to reader to panel. Why would we be offering anything less to our customers as the standard? If they want to downgrade for cost reasons (which are marginal anyway), they can make that choice, but as security professionals we should not be leading or offering unsecure technologies without thorough explanation as experienced security consultants. Moreover, if they have the budget, true security conscious end users should rip and replace their infrastructure and eliminate the use of traditional proximity cards and readers. Think about it, if anyone can clone a proximity card at a local grocery store kiosk, how is that providing security to your customers?
3millID has a comprehensive offering to address this issue which provides benefits to the security integrator as well as the end user (thru the integrator).3millID offers the latest DESFire EV2/EV3 Secure Envelope card and reader solutions providing encryption on par with internet type financial transactions. These solutions employ mutual authentication, diversified keys and some form of DES, 3DES or AES encryption of data to provide true security on the cards and “over the air” to the reader.
In addition to proximity and contactless smart card technologies, 3millID is a leader in Mobile Credentials and Readers that provide compatibility with the new Security Industry Association standard OSDP (Open Supervised Device Protocol), and the traditional Wiegand technology.OSDP was created by SIA (the security industry association) to provide a new standards based communication technology capable of providing true security between card readers and access panels. This standard is expected to supplant the Wiegand communication that is responsible for 99% of all installed access systems in use in North America today. And, you guessed it, Wiegand provides no security and savvy folks can “sniff” the Wiegand lines due to the lack of security.Because SIA has created an industry standard with the OSDP specifications, there is already wide adoption of the standard and it is the new preferred “secure” communication between cards and readers, finally upgrading our 30 year old Wiegand standard.
Incidentally, security industry research groups project Mobile credentials are expected to make up 20% of the access credential market within 4 years. 3millID utilizes proven encryption technology with an industry leading 10 million plus transactions.
Again, savvy security users that are using the technology of today and tomorrow deploy solutions utilizing OSDP (which can provide encryption of the data passed from the card reader to the access panel), secure Mobile Credentials and Secure Envelope DESFire EV2 credentials. Most of the leading OEM’s now offer, or soon will offer, panels capable of supporting OSDP reader technology. The security industry’s leading access control software company, LENEL®, already offers a complete end to end security solution of BlueDiamond™ Card Readers, DESFire EV2 cards and OSDP compliant panels.3millID is a technology partner with UTC on the LENEL BlueDiamond offering.
However, 3millID also manufactures its own readers that are system agnostic and will work on virtually any installed base of Wiegand access systems and provide compatibility for future upgrade with industry compliant SIA standard OSDP panels providing the perfect migration reader for virtually any installation of existing proximity cards and readers to secure DESFire or Bluetooth Mobile Credentials.
In consulting with leading security integrators, 3millID advocates employing a similar strategy to that of the early to mid 90’s integrators, but with true encrypted security.Provide a solution that is based on industry standards for system compatibility but provide cards and data formats that remain unique and secure for the end customer.This strategy lets the integrator provide true security but also makes them “sticky” to the customer with respect to ongoing credential purchases for recurring revenue.
3millID are experts at offering tailored product and training programs to savvy integrators that want to take a leading position in bringing higher security to their customer, while preserving higher margins and recurring revenue for their business. And we do this with industry best lead times and outstanding customer service.
3millID looks forward to the opportunity to assist your company just as we already do with many of the leading global companies.
About 3millID Corporation
3millID is a card and reader manufacturer based in Colorado with manufacturing operations in Colorado and Wales, United Kingdom.
Any trademarks referenced in the above content are property of their respective owners.
