Access Control Basics: Cards and Readers
This primer on magnetic stripe, proximity and smart card access control technology will help you select the right system for your institution.
The most common access card worldwide is a proximity card. Proximity cards contain a computer chip that receives radio frequency energy from the reader, and its processor transmits the card number to the reader. These cards do have limitations, however. They transmit at a low, limited frequency range and lack additional security features such as two-way communication, memory space and processing power for other applications. The data is also transmitted unencrypted, leaving it more susceptible to attacks.
Smart cards are some of the newer technologies in the access control industry. These can be contact or contactless smart cards. A contact smart card contains an embedded microprocessor chip. These are most often used for logical access – secure computer log-on, data encryption or document signing if PKI is involved. A contactless smart card is essentially a mini-computer. It holds a microprocessor, memory, software programs, security and more. It gets its power from electromagnetic radio waves from the reader, similar to proximity cards. Custom card number formats can be used to lengthen the standard 26-bit format. This adds a layer of security, but make sure that your reader can manage custom or nonstandard formats.
Smart cards offer a faster, more-capable processor, more memory, rewriteable and lockable memory, the ability to store and run software applications like cashless payment or secure log-on to computers, and the capacity to hold applications like biometric data. They are more secure than proximity cards because they are built in ways that make it difficult to extract data. Also, their over-the-air data communication is encrypted and more secure. Surprisingly, they now cost the same as proximity cards.
Select the Right Reader
Aside from the card, a number of considerations go into choosing the reader that will grant access. Be wary of CSN readers. They simply read the card serial number and then pass the data along for a yes/no decision. Such a setup is no more secure than a proximity card, regardless of what type of card you are using. Mutual authentication allows for a two-way dynamic between card and reader by using symmetric encryption. In these types of systems, the card and reader must first establish that each knows a shared secret encryption key before any real data is shared.
Some security vendors will use a single encryption key for all of their customers. This isn't what you want. Choose a vendor that is able to issue a unique encryption key for each customer to ensure maximum security. The same goes for manufacturers providing your cards. Some manufacturers store the same encryption key in all of their cards, meaning if a single card has the encryption key extracted, all cards in the corporation may be compromised. A manufacturer that uses diversified keys, ideally using a publicly scrutinized algorithm such as DES or AES, is best. Additionally, it is important that the manufacturer offers the ability to roll, or change, the encryption keys stored in readers and cards. This can help regain security if a key compromise occurs.
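The following sketch is an added illustration of the mutual authentication and diversified keys described above; it is not code from any card vendor or from this article's author. HMAC-SHA256 from the Python standard library stands in for the DES- or AES-based algorithms real cards use, and the class names, card serial number and keys are constructed for the example.

```python
import hashlib
import hmac
import secrets

def diversify(master_key: bytes, card_uid: bytes) -> bytes:
    """Derive a per-card key so no two cards store the same secret."""
    return hmac.new(master_key, b"card-key|" + card_uid, hashlib.sha256).digest()

def prove(key: bytes, role: bytes, my_nonce: bytes, peer_nonce: bytes) -> bytes:
    """Proof of key possession, bound to both nonces and the sender's role."""
    return hmac.new(key, role + my_nonce + peer_nonce, hashlib.sha256).digest()

class Card:
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self.key = uid, key
    def respond(self, reader_nonce: bytes):
        self.nonce = secrets.token_bytes(16)
        return self.nonce, prove(self.key, b"card", self.nonce, reader_nonce)
    def accept_reader(self, reader_nonce: bytes, reader_proof: bytes) -> bool:
        expected = prove(self.key, b"reader", reader_nonce, self.nonce)
        return hmac.compare_digest(expected, reader_proof)

class Reader:
    def __init__(self, master_key: bytes):
        self.master_key = master_key
    def authenticate(self, card: Card) -> bool:
        key = diversify(self.master_key, card.uid)  # recomputed per card, never stored
        r_nonce = secrets.token_bytes(16)
        c_nonce, c_proof = card.respond(r_nonce)
        if not hmac.compare_digest(prove(key, b"card", c_nonce, r_nonce), c_proof):
            return False  # card does not hold the key that belongs to this serial number
        return card.accept_reader(r_nonce, prove(key, b"reader", r_nonce, c_nonce))

def demo() -> dict:
    uid = b"\x04\xa1\xb2\xc3"                      # constructed card serial number
    site_key = secrets.token_bytes(32)             # constructed per-customer master key
    reader = Reader(site_key)
    genuine = Card(uid, diversify(site_key, uid))
    copy = Card(uid, secrets.token_bytes(32))      # right serial number, wrong key
    rolled = Reader(secrets.token_bytes(32))       # reader after the master key is rolled
    return {
        "genuine": reader.authenticate(genuine),
        "serial_only_copy": reader.authenticate(copy),
        "keys_differ": genuine.key != diversify(site_key, b"\x04\xd4\xe5\xf6"),
        "old_card_after_roll": rolled.authenticate(genuine),
    }

if __name__ == "__main__":
    print(demo())
```

A CSN reader would accept the copied serial number in this scenario; the challenge-response exchange rejects it because the copy cannot produce a valid proof. After a key roll, cards must be re-keyed before the updated readers accept them again.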
Exit readers can also come in handy and not just for security purposes. With this type of system, an employee must badge in and badge out each day. This way the system can track or limit who is in the building at any given moment. This helps a campus monitor all of the personnel on premises in case of an emergency and also lets payroll see who is putting in their full time each week.
“If you require card-in and card-out, through the software you can do what is called time in attendance,” says Greg Birman, Service Manager for Xentry Systems Integration. “They can utilize that for payroll – when someone got in and when someone got out – or as a way to audit salary employees to make sure you’re getting your 8 hours a day out of them.”
Got Questions? Ask Your Security Provider
There is much more that can potentially go into access control, but a security provider will be able to answer the advanced questions. To start, however, make sure you know what degree of layered security you want, how sophisticated you want your cards to be, and ensure that your reader will use mutual authentication. Soon enough you’ll be sleeping soundly knowing that your campus is more secure.
Jonathan Blackwood is an editor for Corporate TechDecisions, aimed at bringing important information to tech decision makers in the corporate world. Jonathan joined Tech Decisions in 2014 and specializes in technologies that help to innovate and improve business practices for companies of all sizes.