      Access Control System (1,65 M)
      Physical Access Control Crypto Readers

      Implementation of an access control system (ACS) presupposes unambiguous identification of each user of the system. One of the most widespread identification methods is the personal contactless card. The contactless reader reads the unique identifier of the card/user from a distance of several centimetres and transmits it over the internal link to the ACS controller, which "decides" whether to admit the user to the controlled area on the basis of the authorization matrix. The security of the system is therefore essentially defined by how well the card-reader exchange protocol is protected against card forgery/emulation.

      Today the absolute majority of ACS installed in the CIS either do not support cryptoprotection at all (i.e. they store and transmit the card identifier in the clear), or use non-public cryptographic algorithms with a limited key length (usually 48-96 bits). The "closedness" of such an algorithm means that its structure is confidential information of the implementing company and that the algorithm has not passed an independent security audit (examples: Mifare Crypto1, EM Crypto, My-D Crypto). As a rule an easy-to-implement stream cipher is used, and its security rests on the secrecy of the transformation; once the cipher has been reverse-engineered, key recovery moves from the cryptanalytic domain into the engineering one. Another widespread weakness of popular ACS that use cryptographic cards (for example MIFARE Standard) is an opaque or entirely absent key management subsystem. The secret keys of cards and readers are often assigned directly by the manufacturer, so the customer's security model has to assume absolute trust in the manufacturer.

      The current trend in modern ACS is the use of contactless smart cards that support approved cryptographic algorithms with known security levels (for example TripleDES or AES).

      DESFire EV1 cards, which support TripleDES (168-bit key) and AES (128-bit key), have the highest security level among low-end contactless cards. In addition, these cards have a flexible file system and support a transaction mechanism, which makes it possible to build secure micropayment applications on them. MIFARE Ultralight C cards, which are cheaper and support TripleDES with a 112-bit key, are also of interest.

      Cryptomach Ltd. offers its own solution for cryptographic protection of contactless cards in access control systems. The solution comprises a system of contactless smart readers supporting MIFARE DESFire and MIFARE Ultralight C cards, together with auxiliary software that provides flexible management of the ACS key system and auditing of the related processes. The main advantages of our solution are:

      • The key system is created by the customer directly;
      • Working keys are generated, stored and used only inside the reader (keys never leave the reader in unprotected form);
      • Up to 12 independent secure areas are supported, each with its own independent key system;
      • A single card serves as a joint permit for all secure areas;
      • "Transparent" integration into existing or newly built ACS from different manufacturers.

      Taken together, these advantages allow the PAC Crypto Subsystem to eliminate the problems described above that are common to traditional RFID-based solutions, and to build a fully featured security system on top of a wide range of existing ACS.

      The functional specifications of the system:

      • Flexible management of the key system;
      • 3DES and AES cryptographic algorithms are supported;
      • The exchange protocol with the card is cryptographically protected;
      • The keys of each card are unique;
      • Two-factor authentication: card + owner's PIN code (optional);
      • Independent key system for each access area;
      • Keys of different access areas can be changed independently;
      • Working keys of readers are changed by means of "transport" cards;
      • Old and new keys operate jointly during a key system upgrade;
      • Backup of the working keys;
      • Independent administration of each access area;
      • Distribution and monitoring of the authorities of ACS operators;
      • Distribution of the authorities of service readers at the stage of their initialization;
      • Support for widespread communication protocols with ACS controllers;
      • Stage-by-stage transition to cryptoprotected cards in an operating ACS.
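      The threat described at the top of this page (a reader that trusts a card identifier sent in the clear can be fooled by an emulated card) and several items of the specification above (unique keys per card, a cryptographically protected card exchange, independent keys per access area, joint operation of old and new keys during a key upgrade) can be illustrated with a small model. The Python below is an added example written for this page; it is not Cryptomach's code and does not reproduce the DESFire or Ultralight C protocol. All names in it (diversify, issue_card, ExecutiveReader, ReplayingCard, run_scenario, the constructed card UID) are assumptions, and HMAC-SHA256 from the standard library stands in for the 3DES/AES MAC that a real reader would compute.

```python
"""Added illustration, not Cryptomach's code: a simplified model of a
cryptoprotected card/reader exchange with per-area working keys held only
by the reader, per-card diversified keys, challenge-response authentication,
and old/new key overlap during a key system upgrade.  HMAC-SHA256 is used
as the keyed primitive so the example runs with the standard library only;
the page names 3DES/AES for the real product."""
from __future__ import annotations

import hashlib
import hmac
import secrets

PRIMITIVE = hashlib.sha256  # stand-in for the 3DES/AES MAC of a real reader


def diversify(working_key: bytes, card_uid: bytes) -> bytes:
    """Derive the unique per-card key of one access area from that area's
    working key and the card UID.  Only the reader holds the working key, so
    compromising one card does not expose the keys of the other cards."""
    return hmac.new(working_key, b"card-key|" + card_uid, PRIMITIVE).digest()


def mac(key: bytes, *parts: bytes) -> bytes:
    """Keyed MAC over the concatenated message parts."""
    return hmac.new(key, b"|".join(parts), PRIMITIVE).digest()


class Card:
    """A user card holding one diversified key per access area it is valid for."""

    def __init__(self, uid: bytes, keys: dict[str, bytes]):
        self.uid = uid
        self._keys = keys

    def respond(self, area: str, reader_nonce: bytes):
        """Challenge-response: prove possession of the area key without ever
        transmitting it.  Returns None if the card was not issued for the area."""
        key = self._keys.get(area)
        if key is None:
            return None
        card_nonce = secrets.token_bytes(8)
        return card_nonce, mac(key, b"card", reader_nonce, card_nonce)


class ReplayingCard:
    """A device that knows only one captured exchange (card nonce and tag) and
    repeats it regardless of the challenge.  Present to show why a fresh
    reader nonce defeats replay of a recorded card response."""

    def __init__(self, uid: bytes, captured):
        self.uid = uid
        self._captured = captured

    def respond(self, area: str, reader_nonce: bytes):
        return self._captured


def issue_card(uid: bytes, area_working_keys: dict[str, bytes]) -> Card:
    """Model the Master reader initialising a user card with the diversified
    keys of every area the holder may enter (one card, several areas)."""
    return Card(uid, {area: diversify(wk, uid) for area, wk in area_working_keys.items()})


class ExecutiveReader:
    """A reader initialised for exactly one access area.  It may hold more
    than one working key (newest first) while a key upgrade is in progress."""

    def __init__(self, area: str, working_keys: list[bytes]):
        self.area = area
        self._working_keys = list(working_keys)

    def authenticate(self, card) -> bool:
        reader_nonce = secrets.token_bytes(8)  # fresh challenge every time
        reply = card.respond(self.area, reader_nonce)
        if reply is None:
            return False
        card_nonce, tag = reply
        for wk in self._working_keys:  # accept old key until all cards are reissued
            expected = mac(diversify(wk, card.uid), b"card", reader_nonce, card_nonce)
            if hmac.compare_digest(tag, expected):
                return True
        return False


def run_scenario() -> dict[str, bool]:
    """Exercise the model; every value is a constructed example."""
    wk_office_v1, wk_office_v2, wk_lab = (secrets.token_bytes(16) for _ in range(3))
    uid = bytes.fromhex("04a1b2c3d4e5f6")  # constructed 7-byte UID
    card = issue_card(uid, {"office": wk_office_v1})
    captured = card.respond("office", secrets.token_bytes(8))  # one recorded exchange
    return {
        "genuine_card_accepted": ExecutiveReader("office", [wk_office_v1]).authenticate(card),
        "other_area_rejected": ExecutiveReader("lab", [wk_lab]).authenticate(card),
        "accepted_during_key_rollover": ExecutiveReader("office", [wk_office_v2, wk_office_v1]).authenticate(card),
        "rejected_after_old_key_retired": ExecutiveReader("office", [wk_office_v2]).authenticate(card),
        "replay_rejected": ExecutiveReader("office", [wk_office_v1]).authenticate(ReplayingCard(uid, captured)),
        "cards_get_distinct_keys": diversify(wk_lab, uid) != diversify(wk_lab, uid + b"\x01"),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

      The reader never learns anything about cards of another area, a card issued for one area cannot open another, a recorded response is useless against the next challenge, and a reader that still lists the previous working key keeps admitting cards that have not yet been reissued, which is the "joint operation of old and new keys" item above.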

      The PAC Crypto Subsystem hardware is built on the Smart Crypto Reader platform and includes three types of readers:

      • "Executive": authenticates a card and transmits its code to the ACS controller. It supports import of an area's working keys and can be initialized for one access area only.
      • "Master": provides backup storage of the working keys and performs the service functions: creating user cards, initializing them with the keys of an access area, and exporting working keys to transport cards. It supports up to 12 access areas simultaneously and can also perform the functions of an Executive reader.
      • "Root": generates the master keys of access areas and creates transport cards. It is a functional extension of the Master reader. Only one Root reader should be used in each access area!

      "Executive" readers come in a case for wall mounting; "Root" and "Master" readers are service readers and are made for desktop use.

      The functionality of a service reader can be configured (restricted) at the stage of primary initialization, which is performed by the customer. This makes organizational and technological separation of the authorities of the staff using these readers possible. The following authorities can be separated at configuration level:

      • generation of working keys;
      • export of working keys to other readers;
      • initialization of new user cards;
      • update of an area's access keys on a user card;
      • reading and verification of user cards.

      In addition, each reader can delimit the authorities of operators through PIN-code (password) authorization. For this purpose two PIN codes, "Administrator" and "Security Officer", can be defined at the stage of primary initialization of the reader. Authorities are separated as follows:

      • "Administrator": configuration of readers and management of working keys;
      • "Security Officer": issuing and management of cards;
      • "Operator" (no authorization): operation in monitoring mode.

      Besides the readers, the system includes software for Windows 2000/XP/2003/2008/Vista, intended for customization of the system, management of the readers and integration with third-party ACS software. Its functions include:

      • Logging of all processes in the system;
      • Initialization of all readers with the customer's parameters;
      • Issuing and registration of user cards;
      • Issuing and registration of "transport" (service) cards;
      • Invalidation (erasing) of cards;
      • Management of access areas on user cards;
      • Management of generation/export/import of working keys on the service readers;
      • Reading and verification of cards.

      The system software consists of a set of applications implementing the main functional roles:

      • Database (DB) of the cryptoprotection subsystem (MS SQL 2005);
      • Reader manager;
      • User card manager;
      • Working key manager;
      • Card "controller" (demonstration).

      It also includes tools for integration with third-party ACS software:

      • Scripts and stored procedures that create a DB of the required structure;
      • Libraries for direct handling of the readers (managed and unmanaged versions);
      • Business transaction flow library (reader handling and DB support);
      • Business transaction flow library with user interface support.

      We were guided by two principles in creating our system: uncompromising security and simplicity of operation.

      Copyright © 2009 Cryptomach LTD. All rights reserved.