As we move into 2017 it is widely known that most legacy access control cards and smart cards in the industry are easily copied and cloned.  But it is important to remember that even if you are using a secure technology (like EV1), cards can still be copied if there is careless use of the smart card ‘Keys’.  

Not only can you buy traditional card cloning machines, but you can now also buy open hardware to exploit poorly written code that extracts AES smart card keys in a matter of minutes. If these smart card keys become known, then ID cards can be recreated (even if businesses are using the highly secure EV1 technology).  

There is also the realisation in the industry that when many thousands of cards are issued with a common numbering scheme and key structure, that effective key management and lifecycle strategies need to be developed.

So the question is - how to we ensure that our smart cardkeys remain secure and uncompromised at all times?

To increase key security at the manufacturer level, leading smart card providers can offer a secure object, which is written to the smart card using a separate set of keys.  Although this provides customers with a layer of protection, if these keys become known the system security is still ‘at risk’ as cards can be freely created.  So to mitigate against this vulnerability, UK-based Lumen ID, a leader in smart card deployments, recommends that customers look internally at their ‘Key Generation Ceremony’ and process.  

Very often smart card migration project success involves ensuring that smart cardkey structure and code is both written and managed in the most secure, anonymous and auditable way.  Because after all, isn’t it audit that drives behaviour? Questions such as how the keys are generated, how they are kept secret and how they are disseminated in global corporate environments, require robust answers to ensure that access control security is maintained.  

An end-to-end security management process for securing and protecting smart card keys can be easily achieved using multiple, independent factors such as:

1) The generation of a private, anonymous key structure that’s only known by the customer
2) Key rotation
3) Credential management software for the allocation of unique identifiers and to connect to existing Access Control Systems & databases.
4) Use of encrypted card printers & credential encoders

1)    Generation of an anonymous, private key structure.

Although customers are assigned random and unique shipping ‘keys’ by the card manufacturer, it is important that keys can then be subsequently changed by the customer to an anonymous keyset; thus ensuring the utmost level of security and autonomy.

Historically smart cards where supplied completely personalised, with all of the information necessary for the card to function initially included within the card.  For security & costs reasons however, the growing trend now is for most cards to be supplied minimally personalised, with further personalisation then required on-site.  
 
The first step in the deployment of a truly secure smart card credential starts with the creation of a unique, private key structure that never leaves the clients secure area. During the customer’s initial ‘key generation ceremony’ Lumen ID recommends that smart card keys and passwords never exist in human readable form.

They should never be written down and indeed no one person should know the pre-curser to re-generate the keys. It is best practice to create a keyset that is derived using multiple paraphrases from numerous members of security staff. This ensures ‘distribution of trust’ as no one person knows the complete passphrase.  From the combined passphrases a unique customer keyset is then created, along with a set of secure ‘Key Configuration’ cards (eg. Admin and KEY change cards) that are used to initiate readers and other security devices so that they can all operate seamlessly using the same keyset. The benefit here is that the manufacturer only knows the initial card shipping keys.  But because they don’t know the customers active cards and the unique paraphrase cards, the keys will always remain anonymous.  

2)    Key rotation.

It is recommended that Keys be capable of being changed periodically and recreated by the customer as and when required.  Smart card suppliers should never be able to recreate the customer’s active keys ensuring a degree of separation from the key management process.   Opt for secure readers that can be used across different platforms and which allow key rotation.  New keys should be capable of being distributed securely into the system using a secure reader key change configuration card.

At Lumen ID we also recommend that keys do not reside on the access control readers directly.

This rationale is also supported by recent government standards bodies for access control in the UK - CPNI (Centre for the Protection of National Infrastructure) and NIST (National Institute of Standards & Technology),in the USA. These bodies emphasise the importance of not holding keys in the reader in case it’s stolen with keys examined and extracted over time.  Instead they recommend that keys should be held in the secure location of an access control door control panel.

As an added layer of security and to eradicate any risk of key extraction or interface replaying, then Lumen ID recommends the use of a smart `Cipher box‘ (that sits between the card reader and the door control panel) to independently hold the keys.

3)    Credential management software to allocate unique identifiers to the credential.

Ensuring key autonomy is made further difficult for enterprise level customers that often have problems such as the use of multiple card technologies and multiple access control systems per region.  How can they create a common global credential that’s unique and highly secure, irrespective of its regional environmental differences?   
This is achieved using a top level credential management software interface that talks to the SQL databases of multiple access control systems.  The credential management interface remotely manages the allocation of unique identifiers to the global credential.  It controls all the key elements in the end-to-end credential solution including; ‘Printer Encoders ’and ‘Card Number Ranges’.  It also provides a full audit trail of credential/key management actions and provides real time alerts of prohibited actions for command and control.  

4)    Opt for encrypted card readers &printer encoders to provide on-card data protection.

Encrypted card printers/encoders which hold the customers private keys directly in the SAM of the encoder are also now available.  When used in collaboration with key configuration cards and credential management software, printer encoders can successfully allocate a unique identifier to ID cards and ensure that on-card key/data protection is digitally assigned to an end access control credential.

Conclusion:
Securing credential key structure and ensuring distribution of trust at all levels of the access control credential process is essential. A robust, continual audit procedure should be put in place to ensure that keys are never compromised.   As manufactures and suppliers have no knowledge of the keys generated as part of this anonymous process, it is also essential that they are created and managed in a systematic, secure and auditable fashion. When choosing a smart card solutions provider ensure that they have the software tools available to allocate a unique ID to the credential, program the credential and vitally to provide a secure audit trail as to the ongoing validity of the credential.

Dr George Redpath is a joint managing director at Lumen ID. With over 30 years’ experience of global, enterprise level, smart card deployments, Lumen ID has developed the experience and software tools to ensure that secure credential management and audit processes’ exist for customers worldwide.