Re: HID Proximity Cards: Decoded Versus Undecoded Outputs?

[Nomen Nescio <nobody@xxxxxxxxx>]

Will said:

>Can someone explain the difference between an HID proximity card's decoded
>and undecoded outputs?    My guess is that number printed on the card is an
>undecoded output, and it's just there to make it easier for humans to type
>in a number to a software application.    Probably the real number is on the
>card as is longer or more complex format?    How many digits are there and
>in what format (e.g., alphanumeric only).
>
>I saw a demo on TV recently of some guy who using a home made circuit board
>was able to swipe any person in his vicinity's prox cards, then record that
>and play it back to get access through any prox reader.   Pretty scary
>stuff, and it's obviously not a very secure architecture if they are sending
>out numbers in a way that doesn't use some kind of private and public key
>exchange.
>
>We are thinking of using the proximity cards as part of a two factor
>authentication system to login to computers, which is why I would like to
>understand the length and structure of the number on the card.   We would be
>using PCPROX readers.

The standard prox card is 26 bits, but HID offers formats of other lengths.

It is unlikely that someone will compromise your system by emulating a prox
card.  At the very least, they would need to know which card numbers are
valid, then construct an emulator.

However, if this is a concern, look into the HID iCLASS  smart cards.
These provide an encrypted link between card and reader, and because they
are smart cards, the data capacity and authentication capabilities are far
greater than a standard prox card.   I don't know specifically what's
available for computer security applications, but surely someone has
implemented what you are looking for with contactless smart cards.

- badenov