ID Card Access Control Systems
Let’s consider the latter. When a 125kHz proximity card is powered up by getting in “proximity” of a reader, it immediately begins to transmit a fixed binary code number.
As a result, it’s also possible to use a device that will stealthily power up the card from a distance to read and record its internal data. An attacker can then easily use the card’s information to let unauthorized people in.
Adding to the problem is that Wiegand, the industry standard over-the-air protocol commonly used to communicate credential data from a card to an electronic access reader, is no longer inherently secure due to its original obscure and nonstandard nature. Hence, ID harvesting has become one of the most lucrative hacking activities.
Yet now there is an even bigger problem. To get into IT and critical infrastructure operational technology (OT) systems, hackers simply use the card/reader protocol to enter a facility via the public access computer system (PACS), thereby accessing specific computers. Those computers then act as a gateway to the target’s internal Internet, be it the IT or OT system.
Thus, using the physical access control system, hackers steal sensitive data or program a computerized controller to raise the temperature of a blast furnace to unsafe levels.
One aspect of securing the card’s information is to make the internal numbers unusable; encryption must be applied. To read them, the system needs access to a secret key or password that provides decryption. Modern encryption algorithms play a vital role in assuring data security:
- Authentication — the origin of a message.
- Integrity — contents of a message have not been changed.
- Nonrepudiation — the message sender cannot deny sending the message.
Here is how it works. The number is encrypted using an encryption algorithm and an encryption key. This generates cipher text that can only be viewed in its original form if decrypted with the correct key.
Today’s encryption algorithms are divided into two categories: symmetric and asymmetric.
Symmetric-key ciphers use the same key, or secret, for encrypting and decrypting a message or file. The most widely used symmetric-key cipher is the Advanced Encryption Standard (AES), which is used by the government to protect classified information.
Asymmetric cryptography uses two different but mathematically linked keys — one public and one private. The public key can be shared with everyone, whereas the private key must be kept secret. The RSA algorithm was first described in 1977 by MIT’s Ron Rivest, Adi Shamir and Leonard Adleman. It is the most widely used asymmetric algorithm.