Lock Picking 101 Forum
A community dedicated to the fun and ethical hobby of lock picking.
       


[edit] electronic lock/ computer idea

TOSL Project. A community project to "build a better mousetrap".

Re: [edit] electronic lock/ computer idea

Postby Evan » 14 Apr 2010 15:38

inverseentropy wrote:When I say "it is not possible to share the same swipe card between doors owned by two different people in a secure way" I mean something like the following: your employer owns one door and the other door is on your house or is owned by another employer. The same key is to be used for all doors. In this case the owners of the various doors do not trust each other. A swipe card does not work in this case because your employer (or rather the agent that installed the door for them) can read all information off of your card when you swipe it. They could then use that to make a copy of the card which will open the door on your house.


I am going to say this again politely -- it is evident that you have some familiarity with hardware systems, yet at the same time you have never been exposed to the hardware and software configurations of an integrated access control system...

First: Your employer would NEVER allow you to use your company issued ID card (on which is the mag stripe which allows you access to the facility) for any other use, it is their property and as such they can ask you to surrender it to them at any time for any reason... How would you then gain entry to your other locations if your card was suddenly taken one day because some executive decided to change the logo on the front of the card and they had a replacement card all ready for you... Having multiple employers means having multiple ID/access cards, that is just a fact of life...

Second: The mag stripe reader on the access control device is ONLY reading the one single track on which the access control information is encoded, not the entire card... It is not a multi-track reader like you would attach to your computer or find at a point of purchase system in a store... The access control system does not have the capacity to read any extra tracks off the card nor store them anywhere... As far as any "agents that installed the system" that is total crap because once the system is installed and commissioned only the owner of the system has access to the database and any service techs would be supervised while doing any work on it...

Third: If you understood anything about how mag stripe access control systems work you would have understood that if you are using a swipe card system you can have a few systems on the same card if that is all they are being used for and each system doesn't have to trust the other since they are encoded on separate tracks on the card... Since that is rarely the case and ID cards are often used for time clock purposes by employers in addition to access control you now have fewer tracks left over to use elsewhere...

Fourth: Using a swipe card lock on the front door of one's house is an investment more so than the $800 for a quality electronic lock device, you are looking at needing a card encoder, the software for the security database and a programming cable to interface the computer with the access control DB to the lock for updates when a card is lost or new ones added...

inverseentropy wrote:Another scenario would be a situation where various rooms of a building have different security levels. There are a hundred doors that are low security and are installed by untrusted civilian technicians. A dozen doors in the basement guard high security areas and must be installed by trusted technicians with security clearance. An employee has one key that can open all of the rooms they have permission to access. If a technician put bad stuff in one of the low security doors then the high security doors are not compromised.


That is not a scenario that one would encounter in real life unless there were two entirely separate access control systems in place using the same credential between the two systems in different ways... I.E. the lower security system uses the mag stripe and the higher security uses RFID or a Smart Chip in the same card...

What "bad stuff" would a technician have put inside the door controller at the unsecured doorway ? How would this have any impact on the other independent system since one technology can not read the codes off the other ?

It is clear that you really aren't familiar with the actual planning and deployment that goes into an access control system... If these different areas in a facility are controlled by the same authority they are generally part of the same system just perhaps using more secure means of holding the doors closed on better rated doors than the "lower security" counterparts...

In your fantastical example scenario above it would be much easier to obtain the ID card of someone with access and duplicate the swipe card to gain entry to the high security areas... Much easier to do than trying to add some recording device to the lower security doorways and then trying the recorded codes until one is found which has clearance for the high security areas and doesn't require being in coordination with the "trusted" security technicians who service the system...

inverseentropy wrote:This sort of deal is easy to accomplish using cryptographic techniques and can be implemented using $2 microcontrollers (plus the price of all the other parts like interfaces and motors). Something resembling RFID can be used to interface to the lock, but it would also be possible to just have a couple of electrical terminals (eg. nails) sticking out of the lock and interface using something like the Dallas 1-wire protocol (which also supplies power). A bit of isolation circuitry would be needed in case some joker decides to hook it to a tesla coil or something.


Again you are showing your knowledge of hardware in general but not the specific purposes for which access control devices are designed and used for... The controller boards used in a door controller box are much larger and more robust than anything you could implement using a $2 anything... Door controller boxes are capable of operating multiple doors and have a back up power supply inside most of the time for emergency operation during a power outage... Some even contain memory units which can store a list of credentials for priority access privileges during a communication failure with the system controller and access database depending on the features and programming used in the design...

~~ Evan
Evan
 
Posts: 1489
Joined: 5 Apr 2010 17:09
Location: Rhode Island

Re: [edit] electronic lock/ computer idea

Postby inverseentropy » 14 Apr 2010 23:38

Evan wrote:First: Your employer would NEVER allow you to use your company issued ID card (on which is the mag stripe which allows you access to the facility) for any other use, it is their property and as such they can ask you to surrender it to them at any time for any reason... How would you then gain entry to your other locations if your card was suddenly taken one day because some executive decided to change the logo on the front of the card and they had a replacement card all ready for you... Having multiple employers means having multiple ID/access cards, that is just a fact of life...


Yes, but keep in mind that I am not talking about mag stripe cards. I'm talking about electronic tokens with a microchip. It is not uncommon to use the same access token for multiple purposes: I use my state issued driver's license to enter a bar or to board a plane and the state doesn't get uppity about it. If your employer wants you to use a token issued by them then that's their call but if they allow you to use your own token then that works too.

Evan wrote:Second: The mag stripe reader on the access control device is ONLY reading the one single track on which the access control information is encoded, not the entire card... It is not a multi-track reader like you would attach to your computer or find at a point of purchase system in a store... The access control system does not have the capacity to read any extra tracks off the card nor store them anywhere... As far as any "agents that installed the system" that is total crap because once the system is installed and commissioned only the owner of the system has access to the database and any service techs would be supervised while doing any work on it...


As long as you trust the service techs who installed the door enough to allow them the possibility of access to every door in the building then this is fine. Otherwise you must consider the possibility that they decided to install a reader that can read all tracks on the card.

Evan wrote:Third: If you understood anything about how mag stripe access control systems work you would have understood that if you are using a swipe card system you can have a few systems on the same card if that is all they are being used for and each system doesn't have to trust the other since they are encoded on separate tracks on the card... Since that is rarely the case and ID cards are often used for time clock purposes by employers in addition to access control you now have fewer tracks left over to use elsewhere...


See above response.

Evan wrote:Fourth: Using a swipe card lock on the front door of one's house is an investment more so than the $800 for a quality electronic lock device, you are looking at needing a card encoder, the software for the security database and a programming cable to interface the computer with the access control DB to the lock for updates when a card is lost or new ones added...


I'm not planning on using a card reader, I am planning on using tokens with microchips which communicate with the door via a direct wired connection (probably through a pair of nails protruding from the door). The software is to be open sourced so it doesn't cost anything. The programming cable can just be a standard $20 FTDI serial cable connected to one of the access tokens.

Evan wrote:
inverseentropy wrote:Another scenario would be a situation where various rooms of a building have different security levels. There are a hundred doors that are low security and are installed by untrusted civilian technicians. A dozen doors in the basement guard high security areas and must be installed by trusted technicians with security clearance. An employee has one key that can open all of the rooms they have permission to access. If a technician put bad stuff in one of the low security doors then the high security doors are not compromised.


That is not a scenario that one would encounter in real life unless there were two entirely separate access control systems in place using the same credential between the two systems in different ways... I.E. the lower security system uses the mag stripe and the higher security uses RFID or a Smart Chip in the same card...

What "bad stuff" would a technician have put inside the door controller at the unsecured doorway ? How would this have any impact on the other independent system since one technology can not read the codes off the other ?


I'm sure that one could find card readers capable of reading all stripes off of the card.

Evan wrote:It is clear that you really aren't familiar with the actual planning and deployment that goes into an access control system... If these different areas in a facility are controlled by the same authority they are generally part of the same system just perhaps using more secure means of holding the doors closed on better rated doors than the "lower security" counterparts...

In your fantastical example scenario above it would be much easier to obtain the ID card of someone with access and duplicate the swipe card to gain entry to the high security areas... Much easier to do than trying to add some recording device to the lower security doorways and then trying the recorded codes until one is found which has clearance for the high security areas and doesn't require being in coordination with the "trusted" security technicians who service the system...


Again, I'm not talking about swipe cards, I'm talking about microchips. Every major microcontroller vendor offers chips with a protection feature that makes it impossible to clone the chip without taking it apart. Even if a chip was to be cloned, a cryptographic rolling code system can ensure that as soon as one of the duplicates is used the other is invalidated. Theft of keys is still a possibility, but this is also a problem with any system.

Evan wrote:
inverseentropy wrote:This sort of deal is easy to accomplish using cryptographic techniques and can be implemented using $2 microcontrollers (plus the price of all the other parts like interfaces and motors). Something resembling RFID can be used to interface to the lock, but it would also be possible to just have a couple of electrical terminals (eg. nails) sticking out of the lock and interface using something like the Dallas 1-wire protocol (which also supplies power). A bit of isolation circuitry would be needed in case some joker decides to hook it to a tesla coil or something.


Again you are showing your knowledge of hardware in general but not the specific purposes for which access control devices are designed and used for... The controller boards used in a door controller box are much larger and more robust than anything you could implement using a $2 anything... Door controller boxes are capable of operating multiple doors and have a back up power supply inside most of the time for emergency operation during a power outage... Some even contain memory units which can store a list of credentials for priority access privileges during a communication failure with the system controller and access database depending on the features and programming used in the design...

~~ Evan


OK, the CPU is $2, everything else of course costs the same as it would for a traditional electronic system. There is no centralized controller box needed, the unit is fully contained within the door, which I believe is how the basic version of Cliq works. Memory for storing credentials and access logs is built into the microcontroller. Of course it would also be possible to network the devices if centralized control is desired, otherwise administration commands can be stored to a key which just needs to be touched to each door in order to send the desired commands (eg. grant or revocation of privileges or gathering of logs).
inverseentropy
 
Posts: 44
Joined: 26 Nov 2009 3:08
Location: Pittsburgh, PA
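
Added example, not part of either poster's message and not code from any project: one way the per-door isolation and rolling-code clone detection described in the post above could be built, assuming HMAC-SHA256 and a fresh random challenge per attempt. The thread does not specify a protocol; the Token/Door classes, the "door-key" label and the door names are hypothetical.

```python
import hashlib
import hmac
import os


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (no ambiguous concatenation)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        mac.update(len(p).to_bytes(2, "big") + p)
    return mac.digest()


class Token:
    """User-owned key. The master secret stays on the chip; doors get derived keys."""
    def __init__(self, token_id: bytes, master: bytes, counter: int = 0):
        self.token_id, self._master, self.counter = token_id, master, counter

    def enroll(self, door_id: bytes) -> bytes:
        # Handed to one door's owner at enrollment; it is bound to that door_id.
        return prf(self._master, b"door-key", door_id)

    def respond(self, door_id: bytes, nonce: bytes):
        self.counter += 1                      # rolling counter, never reused
        ctr = self.counter.to_bytes(8, "big")
        return self.token_id, ctr, prf(self.enroll(door_id), nonce, ctr)

    def clone(self):
        # Models a chip whose full state was copied (assumed possible for the demo).
        return Token(self.token_id, self._master, self.counter)


class Door:
    def __init__(self, door_id: bytes):
        self.door_id = door_id
        self.keys = {}        # token_id -> derived key for this door only
        self.last = {}        # token_id -> highest counter accepted so far
        self.revoked = set()
        self.seen = []        # everything this door's electronics can observe

    def add_token(self, token: Token):
        self.keys[token.token_id] = token.enroll(self.door_id)
        self.last[token.token_id] = 0

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, nonce, token_id, ctr, tag) -> str:
        self.seen.append((nonce, token_id, ctr, tag))
        key = self.keys.get(token_id)
        if key is None or token_id in self.revoked:
            return "deny"
        if not hmac.compare_digest(tag, prf(key, nonce, ctr)):
            return "deny"
        if int.from_bytes(ctr, "big") <= self.last[token_id]:
            # Fresh nonce + valid MAC + stale counter: a second copy of the key exists.
            self.revoked.add(token_id)
            return "clone-detected"
        self.last[token_id] = int.from_bytes(ctr, "big")
        return "open"


def open_door(token: Token, door: Door) -> str:
    nonce = door.challenge()
    return door.verify(nonce, *token.respond(door.door_id, nonce))


def demo() -> dict:
    token = Token(b"alice", os.urandom(32))    # constructed sample credential
    work, home = Door(b"employer/lobby"), Door(b"home/front")
    work.add_token(token)
    home.add_token(token)
    results = {"work": open_door(token, work), "home": open_door(token, home)}
    # A dishonest work door presents what it recorded, then uses its own stored key.
    nonce = home.challenge()
    _, tid, ctr, tag = work.seen[-1]
    results["replay_at_home"] = home.verify(nonce, tid, ctr, tag)
    forged_ctr = (99).to_bytes(8, "big")
    forged_tag = prf(work.keys[b"alice"], nonce, forged_ctr)
    results["work_key_at_home"] = home.verify(nonce, tid, forged_ctr, forged_tag)
    # Clone case: state copied, original used once, then the copy appears.
    copy = token.clone()
    results["original"] = open_door(token, home)
    results["copy"] = open_door(copy, home)
    results["original_after"] = open_door(token, home)
    return results


if __name__ == "__main__":
    print(demo())
```

In this construction the door disables the credential as soon as the two copies' counters collide, so the legitimate holder is locked out as well and has to re-enroll.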

Re: [edit] electronic lock/ computer idea

Postby Evan » 15 Apr 2010 0:37

inverseentropy wrote:Yes, but keep in mind that I am not talking about mag stripe cards. I'm talking about electronic tokens with a microchip. It is not uncommon to use the same access token for multiple purposes: I use my state issued driver's license to enter a bar or to board a plane and the state doesn't get uppity about it. If your employer wants you to use a token issued by them then that's their call but if they allow you to use your own token then that works too.


Your state issued driver's license is issued to you by the state for that purpose -- to be used as identification... Many of them now have a 3d barcode on the back so that they can be validated by entities authorized by the state government who need to be able to check an ID for authenticity (police departments, drinking establishments, airlines, etc) but that information and capability is not open to everyone...

You really wouldn't be able to integrate such an ID card into an access control system as all of the information on the card is considered public information and available to people with a valid reason to request it...

So you are developing a system based on a fragile technology which would have to be kept dry at all times so as not to short it out and would not hold up very well to actual real world use...

Why you would want a system that is "universal" for access control purposes is baffling... Not only would you have problems unless you use ridiculously long numbers, it would be like all door locks using the same keyway world wide... How many locks would you need until the "randomness" duplicates itself... How much memory would be needed in the locks and keys in order to accommodate a large access control system with credentials numbering in the tens of thousands ?

inverseentropy wrote:As long as you trust the service techs who installed the door enough to allow them the possibility of access to every door in the building then this is fine. Otherwise you must consider the possibility that they decided to install a reader that can read all tracks on the card.


Reading the extra information on the other tracks of the card is worthless to the access control system, the software in its database won't recognize it and it doesn't record the information off the card, it only reads the credential code, checks it against a list and gives a go/no go for the lock and records the event in the database... Unknown credentials are just that unknown and they are logged as such but information would only be recorded IF the credential was encoded the same way but with a different and thus incorrect facility code...

How does what a service tech does at the time of installation have any bearing on how secure the system is after the owner takes it over... It is not like they can create secret credentials which can not be deleted or disabled in the system, the owner has all the power over that... Typically the system technicians who come out to do service use a service tech credential which is only active while it is needed and when it is returned to the building security or facilities office it is deactivated until it is needed for use again...

inverseentropy wrote:I'm not planning on using a card reader, I am planning on using tokens with microchips which communicate with the door via a direct wired connection (probably through a pair of nails protruding from the door). The software is to be open sourced so it doesn't cost anything. The programming cable can just be a standard $20 FTDI serial cable connected to one of the access tokens.


There are already some "contact" type systems out there... The reader heads on the door require much more frequent maintenance as the electric current flowing through the contacts tends to attract dirt... Even mag stripe readers need to be cleaned with a cleaning card periodically to keep them working properly... The type of interface you are proposing would not stand up to environmental conditions and would be adversely affected by cleaning chemicals...

inverseentropy wrote:I'm sure that one could find card readers capable of reading all stripes off of the card.


And the point of that would be ? The access control system would ignore the extraneous information as it has no capacity to record it... The covert recording of all the information on all tracks of a card would require a system with a lot more bandwidth to be able to transmit and receive all of that information as fast as the short credential ID string and door address that is transmitted intentionally, as well as being able to have a place and capacity in the access logs to record all of that information each time a credential is used... The systems are just NOT designed that way...

inverseentropy wrote:Again, I'm not talking about swipe cards, I'm talking about microchips. Every major microcontroller vendor offers chips with a protection feature that makes it impossible to clone the chip without taking it apart. Even if a chip was to be cloned, a cryptographic rolling code system can ensure that as soon as one of the duplicates is used the other is invalidated. Theft of keys is still a possibility, but this is also a problem with any system.


Right, but with your system the theft of the key would have to be addressed at EACH LOCK it was valid at (which is an issue that exists with off-line access control systems also)... With a centrally controlled system it only has to be addressed at a terminal with access privileges to modify the access control database and NOT at each individual door... Why would someone want a system that was so labor intensive to add new credentials and remove lost or revoked credentials ?

inverseentropy wrote:OK, the CPU is $2, everything else of course costs the same as it would for a traditional electronic system. There is no centralized controller box needed, the unit is fully contained within the door, which I believe is how the basic version of Cliq works. Memory for storing credentials and access logs is built into the microcontroller. Of course it would also be possible to network the devices if centralized control is desired, otherwise administration commands can be stored to a key which just needs to be touched to each door in order to send the desired commands (eg. grant or revocation of privileges or gathering of logs).


Umm... I hate to tell you this, but a centralized controller and system monitor is very necessary to have an access control system that offers any true protection... It centralizes the ability to add and remove credentials, without requiring the system administrator to have to visit each door to do so...

Without a central system, attempts to tamper with the devices will not become known until the locks are polled by someone periodically... That polling would be labor intensive to go to each lock in the system and return that information to a central database to be compiled... It is my experience that off-line locks (non-centralized un-networked) are usually only polled after some extraordinary event has taken place and who was opening what and when needs to be accounted for...

So how would the system signify a need for maintenance ? I.E. the battery is running low... What interface device would you propose for that ? Also what would power the locking device cycling ? How would you guarantee functionality for life safety purposes ? If your cryptology can not be broken (which is doubtful if your devices were adopted by a large enough demographic) then why would someone try to attack it and not go after the weakest link in the door ? Life safety access control devices used on fire rated doors usually require a manual override by the AHJ (keyed override cylinder) why would someone play with the electronics when they could gain entry through that cylinder ?

Aside from the rather obvious administration issues with your system and the amount of labor it would take to poll the locks daily in higher security applications, what market would you focus this product on ?

~~ Evan
Evan
 
Posts: 1489
Joined: 5 Apr 2010 17:09
Location: Rhode Island

Re: [edit] electronic lock/ computer idea

Postby inverseentropy » 15 Apr 2010 2:47

Evan wrote:Why you would want a system that is "universal" for access control purposes is baffling... Not only would you have problems unless you use ridiculously long numbers, it would be like all door locks using the same keyway world wide... How many locks would you need until the "randomness" duplicates itself... How much memory would be needed in the locks and keys in order to accommodate a large access control system with credentials numbering in the tens of thousands ?


How much memory for tens of thousands of codes? Two bytes. But for security the codes would be more like 8 bytes long for 18446744073709551616 differs. That would be about 4 billion keys before any would likely share the same code.

Evan wrote:Reading the extra information on the other tracks of the card is worthless to the access control system, the software in its database won't recognize it and it doesn't record the information off the card, it only reads the credential code, checks it against a list and gives a go/no go for the lock and records the event in the database... Unknown credentials are just that unknown and they are logged as such but information would only be recorded IF the credential was encoded the same way but with a different and thus incorrect facility code...


I was thinking specifically of a situation where someone decided to make a *modified* circuit in order to skim the codes. A magstripe card has something on the order of 100 bytes of data. A one megabyte memory chip could therefore store the data of 10000 card swipes. This is not using the official circuitry, this is stuff that could potentially be added by an untrustworthy technician at installation time. The data could be read off at any time via radio link.

Evan wrote:There are already some "contact" type systems out there... The reader heads on the door require much more frequent maintenance as the electric current flowing through the contacts tends to attract dirt... Even mag stripe readers need to be cleaned with a cleaning card periodically to keep them working properly... The type of interface you are proposing would not stand up to environmental conditions and would be adversely affected by cleaning chemicals...


I don't buy this argument. The lock I have on my door now is metal and hasn't corroded. The sink in my bathroom is repeatedly exposed to cleaning chemicals but has not corroded. Electrical current only flows when a key is in contact. Also there is the possibility of using radio link (cryptography ensures that nothing can be gained by snooping on the radio link). The disadvantages of this include higher cost, potential interference, and the fact that it would not be possible to power the door lock using power from the key.

Evan wrote:Right, but with your system the theft of the key would have to be addressed at EACH LOCK it was valid at (which is an issue that exists with off-line access control systems also)... With a centrally controlled system it only has to be addressed at a terminal with access privileges to modify the access control database and NOT at each individual door... Why would someone want a system that was so labor intensive to add new credentials and remove lost or revoked credentials ?


Yes, this situation would be labor intensive. Centralized control can be available as an option for those who wish for such a feature.

Evan wrote:Aside from the rather obvious administration issues with your system and the amount of labor it would take to poll the locks daily in higher security applications, what market would you focus this product on ?


The same market that Assa Cliq targets. Their system comes as a basic model that is confined to the door and which is upgradable to an advanced configuration that allows for networking to a centralized control. I propose a similar situation. The advantage of what I am proposing is that the protocol will be made public and therefore the security of the system can be publicly reviewed. There are plenty of cryptographic algorithms and protocols that have withstood decades of intensive public review. Additionally the system I propose has the advantage of allowing the possibility of having a single key, owned by the user, that could be used for a multitude of applications. If it is against corporate policy to use a user-supplied key for whatever reason then so be it, but at least there is the option.
inverseentropy
 
Posts: 44
Joined: 26 Nov 2009 3:08
Location: Pittsburgh, PA

Re: [edit] electronic lock/ computer idea

Postby Evan » 15 Apr 2010 2:55

inverseentropy wrote:I don't buy this argument. The lock I have on my door now is metal and hasn't corroded. The sink in my bathroom is repeatedly exposed to cleaning chemicals but has not corroded. Electrical current only flows when a key is in contact. Also there is the possibility of using radio link (cryptography ensures that nothing can be gained by snooping on the radio link). The disadvantages of this include higher cost, potential interference, and the fact that it would not be possible to power the door lock using power from the key.


Ever look at the faucets in a public restroom if they are operated by hand motion sensing rather than pushing down on a manual timed valve ? They are usually tarnished because of the ions in the chemical cleaner being attracted to the small electric current that flows through the faucet from the batteries that operate the solenoid to turn the flow of water on and off...

The sink in your bathroom does not have any even small amount of electrical potential acting on it and you probably use rather tame consumer grade cleaners in your home bathroom, not the industrial grade stuff you would find in use in commercial and institutional settings where your locks would likely be installed...

~~ Evan
Evan
 
Posts: 1489
Joined: 5 Apr 2010 17:09
Location: Rhode Island
