
Re: HID Proximity Cards: Decoded Versus Undecoded Outputs?



"Nomen Nescio" <nobody@xxxxxxxxx> wrote in message
news:158138288b0f6c1858305b5371bf0171@xxxxxxxxxxxx
> It is unlikely that someone will compromise your system by emulating a
> prox card.  At the very least, they would need to know which card numbers
> are valid, then construct an emulator.

Apparently when the prox card is activated / read by a reader, it is
transmitting its private key by some electromagnetic pulse technology and
that private key is unencrypted. The way the security engineer on TV did
the demonstration, his circuit board emitted the same generic signal
required to get the prox card to activate and release its key. Because
this key was unencrypted, he was able to read it and save it for later
playback. He then took the device he had created and when he presented it
to a card reader at a door, his device played back the unencrypted key that
he had previously captured and the door unlocked.

They made a big deal that all it would have taken was for a person with this
device to swipe by the pocket that you have your card in, and you would
never know you have compromised the card. So I don't think that the
person doing this would need to know anything about which cards were valid.
They would only need to find an opportunity to walk by one person coming out
of an office and get close enough to a purse or wallet to read a signal.

As the other poster says, probably you would want to limit the use of the
"breakable" HID technology to entrances during business hours, and
complement these with some additional technology. I guess as long as you
understand the limits of the technology, and build other protections around
it, you are okay.


> However, if this is a concern, look into the HID iCLASS smart cards.
> These provide an encrypted link between card and reader, and because they
> are smart cards, the data capacity and authentication capabilities are far
> greater than a standard prox card. I don't know specifically what's
> available for computer security applications, but surely someone has
> implemented what you are looking for with contactless smart cards.

That's great to know about, thanks. Would that be compatible with older
applications like Passpoint? How many bits are in the cards used in the
standard Passpoint package, and how many in iCLASS?

--
Will
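
The replay described in this message works because the card gives the same answer on every read. The sketch below is an added example, not part of the original thread and not HID's or iCLASS's actual protocol: it models a static-ID card beside a hypothetical challenge-response card (HMAC-SHA256 over a reader nonce). All class and function names, the card ID and the key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

class StaticCard:
    """Returns the same fixed ID on every read, like the card in the demo."""
    def __init__(self, card_id):
        self.card_id = card_id
    def respond(self, challenge):
        return self.card_id              # the reader's challenge is ignored

class ChallengeCard:
    """Hypothetical card that proves knowledge of a key without sending it."""
    def __init__(self, card_id, key):
        self.card_id, self.key = card_id, key
    def respond(self, challenge):
        return self.card_id + hmac.new(self.key, challenge, hashlib.sha256).digest()

class Recorder:
    """Stands in for the demo device: stores one response, plays it back."""
    def __init__(self, captured):
        self.captured = captured
    def respond(self, challenge):
        return self.captured

def static_reader_admits(token, valid_ids):
    return token.respond(b"") in valid_ids

def challenge_reader_admits(token, keys):
    challenge = secrets.token_bytes(16)  # fresh nonce for every read
    reply = token.respond(challenge)
    card_id, mac = reply[:4], reply[4:]
    key = keys.get(card_id)
    if key is None:
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)

def demo():
    card_id = bytes.fromhex("00c0ffee")  # constructed sample ID
    key = secrets.token_bytes(32)        # constructed per-card key
    static_card, cr_card = StaticCard(card_id), ChallengeCard(card_id, key)
    replay_static = Recorder(static_card.respond(b""))
    replay_cr = Recorder(cr_card.respond(secrets.token_bytes(16)))
    return {
        "static_genuine": static_reader_admits(static_card, {card_id}),
        "static_replay": static_reader_admits(replay_static, {card_id}),
        "cr_genuine": challenge_reader_admits(cr_card, {card_id: key}),
        "cr_replay": challenge_reader_admits(replay_cr, {card_id: key}),
    }
```

The static reader admits both the genuine card and the recording; the challenge-response reader admits only the genuine card, because the recorded reply was computed over a nonce the reader never issues again.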



