D.I.Y. Smart Card Encoding and Reader Management for the University Market
Robert M. Gailing
SMART Contactless IDentity and Security Solutions
We're Making Identity Cards Safe, Again!
What is a contactless smart card?
What makes it safer than another ID card technology?
What is encryption / cryptography? What is mutual authentication?
Why should you deploy it on your campus?
Open Platform / Closed Platform Open Architecture...WTF?
Open Platform Closed Platform
Definition: In computing, an open platform describes a software system based on open standards, such as published and fully documented external application programming interfaces (APIs), that allow the software to be used in ways other than the original programmer intended, without requiring modification of the source code. Using these interfaces, a third party can integrate with the platform to add functionality.
The opposite is a closed platform.
What Smart Cards are in the US Market Today?
DIY Card and Reader Management? What Does it Mean?
Create, and manage, your own secure solution designed by, or with, you for your unique situation.
Manage security keys on the card and reader
Rotate keys
Change key version
Speed of deployment. You want, or need, to make a change or update quickly.
Add new application
Transportation
Food, etc.
Add biometric
LOWER PER CARD COSTS!
Why Do It Yourself?
Higher Security Options
Freedom
Flexibility
Quicker time to deploy
$ave Money
Single Common Card: Multiple Applications
Logical Access
Production Control
Cafeteria/Meal
Copy Machines
IDentity Card
Point-of-Sale
Cashless Vending
Time & Attendance
Banking
Physical Access/Parking
MIFARE® DESFire® EV1 / EV2
Supports many different applications for the Campus and around town, too.
Example: Multi-application Options –Campus Card
Pick the applications you want and add them to your card
Bus / Train
Car Rental
Bike Rental
Theater
Sports
Concert
Gym
Coffee
Retail
Book Store
Food
Transport Card (MIFARE)
Current
Upgrade
Laundry
Benefits of Contactless Smart Cards
Usability
DESFire has a flexible file system in which up to 28 applications can reside on the card at once and each application can have up to 16 files. Space not used by one application is available to the others.
The practical result is that a university can use its ID cards for more applications and get faster communication between the card and the reader. Students then need only a single ID card for use across a whole cashless campus solution, access control systems, transport, gym memberships, etc.
Security
The encryption used on the DESFire cards is predominantly 128-bit up to 256-bit AES encryption (although Triple DES is also available, we would advise the AES option as the most secure). AES stands for Advanced Encryption Standard, and the 128/256 bit refers to the length of the key used. This standard has been adopted by the US military, and it is estimated that, at the projected rate of technology improvement, it will remain secure until at least the year 2030.
Encryption / Cryptography
The ingredient that makes the cards secure
The Secret Key
Today's smart cards and smart card readers have a special relationship. A marriage of sorts.
They share a SECRET.
A Key!
When they meet, the two must share this key. If they agree (mutual authentication), they pass the ID information to the host.
What is the importance of this key?
In order for you to add, change, delete anything with your card and reader system, you need this key!
Why should you own and manage the key yourself?
Remember this marriage? Well, imagine that your and/or your partner's secret was also known, or owned and controlled, by a third party. What has happened to that secret now?
Card Reader
What keys do you want to use?
Default manufacturer keys (OK for many smaller organizations)
Custom keys
If you are using custom keys, do you want all sites to use the same keys?
Who do you want to manage the keys (the supplier, in-house, other)?
If you are managing your own keys, how will you keep them secure and safe from loss?
If keys become unknown so that you cannot issue new cards/readers, you may have to change all readers and cards to go with a new key scheme.
Understanding Security Keys / Key Management for Cards
A CSN is like your house number... anyone can read it!
If the number is inside your house... you need a key!
Keys: FAQs
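The three points made in the slides above (the card and reader proving a shared secret to each other, a reader that holds more than one key version so keys can be rotated on deployed cards, and the difference between trusting the freely readable CSN and requiring a key) are illustrated by the following Python model. It is an added example, not code from the slides or from SMART Contactless, and it is not the DESFire command set: HMAC-SHA256 stands in for the card's AES cipher, and the `Card`, `Reader`, `read_credential` and `rotate_key` names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of a contactless card and a reader. HMAC-SHA256 stands in for the
# card's block cipher; the class and field names are assumptions for this illustration.


@dataclass
class Card:
    csn: bytes          # Card Serial Number: readable by any reader, no key required
    credential: bytes   # the encoded ID number "inside the house": released only after authentication
    key: bytes          # the shared secret, held by the card and by authorised readers
    key_version: int    # lets a reader pick the matching key while a rotation is in progress


@dataclass
class Reader:
    keyring: dict = field(default_factory=dict)   # key_version -> key; may hold old and new keys at once
    trust_csn: bool = False                        # weak configuration: use the CSN as the credential


def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def mutual_authenticate(card: Card, reader_key: bytes) -> bool:
    """Challenge-response in which each side proves knowledge of the key without sending it.

    Reader -> card: random challenge.  Card -> reader: its own challenge plus a MAC over both.
    Reader -> card: a MAC over the two challenges in the opposite order.  A mismatch on
    either side aborts, so a reader with the wrong key learns nothing from the exchange.
    """
    rnd_reader = secrets.token_bytes(16)
    rnd_card = secrets.token_bytes(16)
    card_proof = _mac(card.key, rnd_reader, rnd_card)
    if not hmac.compare_digest(card_proof, _mac(reader_key, rnd_reader, rnd_card)):
        return False  # reader rejects the card
    reader_proof = _mac(reader_key, rnd_card, rnd_reader)
    return hmac.compare_digest(reader_proof, _mac(card.key, rnd_card, rnd_reader))  # card checks the reader


def read_credential(card: Card, reader: Reader) -> Optional[bytes]:
    """What the reader passes to the host: the CSN (weak mode) or the authenticated credential."""
    if reader.trust_csn:
        return card.csn  # no secret involved, so any device that presents this CSN is accepted
    key = reader.keyring.get(card.key_version)
    if key is None or not mutual_authenticate(card, key):
        return None
    return card.credential


def rotate_key(card: Card, keyring: dict, new_version: int, new_key: bytes) -> bool:
    """Kiosk-style re-keying: the card is only re-keyed after authenticating with its current key."""
    current = keyring.get(card.key_version)
    if current is None or not mutual_authenticate(card, current):
        return False
    card.key = new_key
    card.key_version = new_version
    return True


def demo() -> dict:
    """Constructed scenario: one campus card, three reader configurations, one key rotation."""
    key_v1, key_v2 = secrets.token_bytes(16), secrets.token_bytes(16)
    card = Card(csn=b"\x04\x12\x34\x56\x78\x9a\xbc", credential=b"STUDENT-0001", key=key_v1, key_version=1)
    door = Reader(keyring={1: key_v1})
    rogue = Reader(keyring={1: secrets.token_bytes(16)})   # does not know the campus key
    legacy = Reader(trust_csn=True)                         # CSN-only reader: no key is ever checked
    results = {
        "door_before": read_credential(card, door),
        "rogue_before": read_credential(card, rogue),
        "legacy": read_credential(card, legacy),
        # rotation: the kiosk must hold the current key; afterwards a v1-only reader fails
        "rotated": rotate_key(card, {1: key_v1}, 2, key_v2),
        "door_v1_only_after": read_credential(card, door),
    }
    door.keyring[2] = key_v2   # readers updated with the new key version accept the card again
    results["door_after_update"] = read_credential(card, door)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The `trust_csn` branch is the point of the house-number analogy: the legacy reader returns a usable credential without any secret being involved, whereas every other path goes through `mutual_authenticate` and fails closed when the key or key version does not match.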
What do they look like?
Where do they come from?
How many are there?
Who controls it?
Where is it stored and how?
How Safe is the Information?
As shown above, even with a supercomputer, it would take 1 billion billion years to crack the 128-bit AES key using a brute-force attack. This is more than the age of the universe (13.75 billion years). If one were to assume that a computing system existed that could recover a DES key in a second, it would still take that same machine approximately 149 trillion years to crack a 128-bit AES key. (EETimes, Mohit Arora, Sr. Systems Engineer & Security Architect, Freescale Semiconductor, 5/2012)
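The 149-trillion-year and "billion billion" year figures are the AES-128 key space divided by an assumed search rate. The following Python, added here and not taken from the slide or the EETimes article, carries that arithmetic through so the assumptions are visible: the DES-breaker rate follows directly from the slide's hypothesis (a 56-bit key recovered in one second), while the supercomputer figures (about 10.51 petaflops and roughly 1000 operations per key trial) are this example's assumptions.

```python
# Constructed example: how long an exhaustive key search takes at a given trial rate.

SECONDS_PER_YEAR = 365.25 * 24 * 3600
UNIVERSE_AGE_YEARS = 13.75e9          # the figure quoted on the slide


def keys_in_space(key_bits: int) -> int:
    """Number of candidate keys an exhaustive search may have to try."""
    return 2 ** key_bits


def years_to_exhaust(key_bits: int, keys_per_second: float) -> float:
    """Worst case (every key tried); an attacker expects to succeed after about half of this."""
    return keys_in_space(key_bits) / keys_per_second / SECONDS_PER_YEAR


def des_breaker_rate() -> float:
    """The slide's hypothetical machine: a 56-bit DES key recovered in one second,
    i.e. all 2^56 candidate keys tried per second."""
    return float(2 ** 56)


def supercomputer_rate(petaflops: float = 10.51, flops_per_key: float = 1000.0) -> float:
    """Assumption for this example: a ~10.51 petaflop machine spending ~1000 floating-point
    operations per key trial.  Both parameters are assumptions, not figures from the slide."""
    return petaflops * 1e15 / flops_per_key


def extra_bit_factor(key_bits: int, rate: float) -> float:
    """Each additional key bit doubles the search; returned as a ratio to make that explicit."""
    return years_to_exhaust(key_bits + 1, rate) / years_to_exhaust(key_bits, rate)


def summary() -> dict:
    """The slide's two headline numbers plus the DES baseline on the same machine."""
    return {
        "aes128_vs_des_breaker_years": years_to_exhaust(128, des_breaker_rate()),
        "aes128_vs_supercomputer_years": years_to_exhaust(128, supercomputer_rate()),
        "universe_ages": years_to_exhaust(128, supercomputer_rate()) / UNIVERSE_AGE_YEARS,
        "des_vs_supercomputer_seconds": keys_in_space(56) / supercomputer_rate(),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value:.3g}")
```

Under these assumptions the DES-breaker case comes out at roughly 1.5 x 10^14 years (the slide's "approximately 149 trillion"), and the supercomputer case at roughly 10^18 years; the same machine exhausts the 56-bit DES key space in under two hours, which is the contrast the slide is drawing.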
Decisions, Decisions, Decisions...
How do I move forward?
Do I need to change my access control system?
What are my options for migration?
Does my current vendor understand this enough to help me get there?
Develop a Strategy
Examine the long term goals of the campus and community
Look outside for partnering opportunities to further reduce your per-card cost.
DO IT YOURSELF? YES!
COMPATIBLE PRINTER W/ENCODER
ENCODING SOFTWARE APPLICATION
MIDDLEWARE
USB READER / WRITER
CARDS
Field Configurable Access Card Readers
DataWriter Basic or Ultimate for configuration
Server
Kiosks
With the Client/Server version, kiosks for encoding cards can be deployed. Designed for users to present their badge at the kiosk terminal in order for the card to be automatically updated.
Very useful to rotate keys, or change from CSN to encoded number when cards are already deployed.
How Do I Get the Students' Cards Updated?
DataWriter workstation on Android
Wifi NFC
Server
An Android workstation has been developed, enabling the encoding function on a smartphone equipped with an NFC chip.
Mobility
Web-Based Credentialing
Choice of card technology
Mifare classic, Mifare DESFire EV1/EV2, HID iClass, EM, HID Prox, …
Choice of graphic models (Front / back)
Customizing printing
Drag & drop data files to print on each card
Customizing encoding
Drag & drop data files to encode on each card
Production in real time or not
cards are printed on end user site or on central site
ID Printing Server
Student
Remote Printer at Card Office
1. The end user sends the order to the server via a personalized user interface
2. The order is transferred to the server
3. Cards are printed at the remote card office
4. Student picks up the card or it is mailed
Web-Based Credentialing
Point of Sale
Now that you have migrated away from mag stripe, how do you manage your point-of-sale systems with the new card?
Simple. Just exchange your mag stripe readers for USB contactless smart card readers configured to read your secure data.
Working with Third Parties
The local transportation agency uses similar smartcard technology and wants to reduce costs and not provide cards.
How do third parties add their application to my card without sharing their secret key?
Local businesses such as parking lots or copy/ship centers would like to accept the student card for payment.
How do you set them up to accept the students ID card?
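The question of how a third party gets its own application onto the card without handing over (or receiving) anyone's secret key is the multi-application model described on the DESFire slides: the issuer's master key creates applications, and each application then carries its own key. The Python below is an added illustration of that key separation, not code from the slides, from SMART Contactless or from NXP, and it models the idea rather than the DESFire command set; `MultiAppCard`, the application id `0x00A001` and the handover procedure are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model: one issuer-held master key, one independent key per application.


class AuthError(Exception):
    """Raised when the presented key does not match the key the operation requires."""


@dataclass
class Application:
    key: bytes                                   # application key, owned by whoever runs this application
    files: dict = field(default_factory=dict)    # file name -> bytes


@dataclass
class MultiAppCard:
    master_key: bytes                            # held by the card issuer (the university)
    apps: dict = field(default_factory=dict)     # application id -> Application

    @staticmethod
    def _require(presented: bytes, expected: bytes) -> None:
        if not hmac.compare_digest(presented, expected):
            raise AuthError("key mismatch")

    def create_application(self, master_key: bytes, aid: int, initial_key: bytes) -> None:
        """Only the master key can add an application; it starts with a handover key."""
        self._require(master_key, self.master_key)
        if aid in self.apps:
            raise ValueError(f"application {aid:#06x} already exists")
        self.apps[aid] = Application(key=initial_key)

    def change_application_key(self, aid: int, current_key: bytes, new_key: bytes) -> None:
        """The application owner replaces the handover key; the issuer never learns the new one."""
        app = self.apps[aid]
        self._require(current_key, app.key)
        app.key = new_key

    def write_file(self, aid: int, app_key: bytes, name: str, data: bytes) -> None:
        app = self.apps[aid]
        self._require(app_key, app.key)
        app.files[name] = data

    def read_file(self, aid: int, app_key: bytes, name: str) -> bytes:
        app = self.apps[aid]
        self._require(app_key, app.key)
        return app.files[name]


def onboard_transit_agency() -> dict:
    """Constructed scenario: the university issues the card, the transit agency takes over its application."""
    university_master = secrets.token_bytes(16)
    card = MultiAppCard(master_key=university_master)
    transit_aid = 0x00A001                        # assumed application id for the illustration

    handover_key = secrets.token_bytes(16)        # shared once, out of band, with the agency
    card.create_application(university_master, transit_aid, handover_key)

    agency_key = secrets.token_bytes(16)          # generated and kept by the agency only
    card.change_application_key(transit_aid, handover_key, agency_key)
    card.write_file(transit_aid, agency_key, "pass", b"MONTHLY-PASS")

    outcome = {"agency_reads": card.read_file(transit_aid, agency_key, "pass")}

    def attempt(label: str, action) -> None:
        try:
            action()
            outcome[label] = True
        except AuthError:
            outcome[label] = False

    # the university's master key does not open the agency's files
    attempt("university_reads", lambda: card.read_file(transit_aid, university_master, "pass"))
    # the agency's application key cannot create further applications
    attempt("agency_creates_app", lambda: card.create_application(agency_key, 0x00B002, secrets.token_bytes(16)))
    # the stale handover key stops working once the agency has changed the key
    attempt("handover_key_reads", lambda: card.read_file(transit_aid, handover_key, "pass"))
    return outcome


if __name__ == "__main__":
    print(onboard_transit_agency())
```

The same pattern answers the local-business question: the university creates an application for the parking operator or copy center, hands over a one-time key, and that party immediately changes it, so neither side ever holds the other's operating key.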
Known University Smart Card Programs
U of Michigan
U of Penn
U of A
Int'l Student Identity Card
MST
QUESTIONS?
Contact Me
Robert Gailing
SMART Contactless Identity and Security Solutions
Santa Ana, CA
949-514-8844 x [email protected]