Anti-Cloning Access Cards With End-To-End Encryption
1. Why is reading only UID not secure?
The Unique Identifier (UID) of a smartcard used to be considered highly unique, as specified by the ISO 14443 international standards. However, with today's advances in card cloning technology, it is considered unsafe to depend entirely on the UID to uniquely identify a smartcard in a card access control application.
2. Who is likely to clone or hack into access control smartcards?
Statistics show that 55 to 75% of corporate fraud is due to insiders. Employees motivated by greed are most likely to clone the access cards of senior executives to commit fraudulent acts for personal gain. Industrial espionage is often motivated by competitive forces to gain an advantage in highly competitive businesses, while spies spend millions to hack target victims' accounts. On a lighter note, commercial and residential service providers such as maintenance contractors and real estate agents often find it more convenient and cost-effective to clone and use multiple cards rather than approach the employer for additional access cards.
3. How to secure an access control card against cloning and hacking?
To guarantee the uniqueness of any access card, the contactless access control reader must read data that has been encrypted and stored in the card. The card reader must unlock the smartcard to gain access to the encrypted data. The encrypted data is read and decrypted with a secret key available only in an authorised smartcard reader. Because the secret data is hidden from view and is transmitted in encrypted form, the access card becomes impossible to clone or hack.
4. Who should keep the encryption secret keys of a card access system?
Even more important than storing encrypted data with a strong encryption key is the question of where the keys are kept and who keeps them. Should the key be entrusted to the boss or an employee? What if this person resigns, forgets or attempts to sabotage the company? In principle, secret keys should be robust and never made vulnerable by one or more persons. The solution is to use a professional, purpose-built Secret Key Management System (SKeyMa). The seeds to create a master secret key can come from one or more persons, without any one person in the mix having knowledge or visibility of the actual master key. The master key that is generated is stored in a highly secure medium to ensure the highest possible level of security.
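The reader-side check from section 3 and the multi-person key generation from section 4, as an added example that is not the vendor's or SKeyMa's own code. It assumes XOR of equal-length custodian seeds as the combining step, and an HMAC-SHA256 tag stands in for the encrypted card data because the Python standard library has no block cipher. All function names, the UIDs and the payload are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def combine_seeds(seeds):
    """Split knowledge: XOR equal-length custodian seeds into one master key.
    Any subset short of all seeds reveals nothing about the result."""
    if len(seeds) < 2 or len({len(s) for s in seeds}) != 1:
        raise ValueError("need two or more seeds of equal length")
    master = bytes(len(seeds[0]))
    for seed in seeds:
        master = bytes(a ^ b for a, b in zip(master, seed))
    return master

def card_key(master, uid):
    """Diversify the master key per card so every card carries its own key."""
    return hmac.new(master, b"card-key|" + uid, hashlib.sha256).digest()

def issue_record(master, uid, payload):
    """Record written to the card's locked memory at enrolment: payload + tag."""
    tag = hmac.new(card_key(master, uid), payload, hashlib.sha256).digest()
    return payload + tag

def reader_accepts(master, uid, record):
    """Reader check: the tag must verify under the key derived for this UID.
    It assumes the card's own access key stops the record being read out."""
    if len(record) <= 32:
        return False
    payload, tag = record[:-32], record[-32:]
    expected = hmac.new(card_key(master, uid), payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

def demo():
    seeds = [secrets.token_bytes(32) for _ in range(3)]  # constructed custodian seeds
    master = combine_seeds(seeds)
    uid = bytes.fromhex("04a1b2c3d4e5f6")                # constructed 7-byte UID
    other_uid = bytes.fromhex("04ffffffffffff")          # constructed second card
    record = issue_record(master, uid, b"staff:1042")    # constructed payload
    return {
        "genuine": reader_accepts(master, uid, record),
        "uid_only_clone": reader_accepts(master, uid, b""),
        "record_on_other_uid": reader_accepts(master, other_uid, record),
        "two_of_three_seeds": reader_accepts(combine_seeds(seeds[:2]), uid, record),
    }

if __name__ == "__main__":
    print(demo())
```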
5. Why is end-to-end encryption crucial to an access control system?
User access cards are commonly passed around without much thought to security compromise. A highly secure access control system must protect against any such potential breach of security. The use of secure encryption keys to protect data stored in user access cards ensures that the cards cannot be cloned or hacked. Ensuring that user data is also encrypted while in transit to the access controller, and subsequently to the host, is also very important to protect the secrecy and authenticity of every single transaction in the access control system. A system with such end-to-end encryption complies with the highest level of corporate security.