HID Proximity Cards: Decoded Versus Undecoded Outputs?

Can someone explain the difference between an HID proximity card's decoded and undecoded outputs? My guess is that the number printed on the card is an undecoded output, and it's just there to make it easier for humans to type in a number to a software application. Probably the real number on the card is in a longer or more complex format? How many digits are there and in what format (e.g., alphanumeric only)?

I saw a demo on TV recently of some guy who, using a homemade circuit board, was able to swipe the prox cards of any person in his vicinity, then record that and play it back to get access through any prox reader. Pretty scary stuff, and it's obviously not a very secure architecture if they are sending out numbers in a way that doesn't use some kind of private and public key exchange.

We are thinking of using the proximity cards as part of a two-factor authentication system to log in to computers, which is why I would like to understand the length and structure of the number on the card. We would be using PCPROX readers.

Reply to

The standard prox card is 26 bits, but HID offers formats of other lengths.

It is unlikely that someone will compromise your system by emulating a prox card. At the very least, they would need to know which card numbers are valid, then construct an emulator.

However, if this is a concern, look into the HID iCLASS smart cards. These provide an encrypted link between card and reader, and because they are smart cards, the data capacity and authentication capabilities are far greater than a standard prox card. I don't know specifically what's available for computer security applications, but surely someone has implemented what you are looking for with contactless smart cards.

- badenov

Reply to
Nomen Nescio

There are no decoded and undecoded outputs in the HID Proximity format you mention. At its simplest the prox card has a chip inside it creating a pulse output. There are many physical forms of "active cards" and "passive cards" and fobs and "lick and sticks" etc. The unique card number is programmed into the chip inside the card. The HID Proximity format has become an industry standard so many manufacturers use it since the HID patent expired. So the chip inside the card creates the same type of output as the original Wiegand pulse-generating cards that used bits of wire inside the card and no chips. So that's it. It is a pulse.

The "pulse" can be different lengths. There is the standard 26 bit format, meaning a "pulse" of 26 pieces or bits of on or off data. In that output format you have the card number, the facility code or site code etc. (because the nomenclature varies a lot). To make it more interesting one can vary the location of the start bit and scramble things up a little. Different access control manufacturers have their own formats. Continental Instruments 36 bit, Card Key 35 bit, Infographic Systems 34 bit, CEM 33 bits etc. Therefore what is printed on the card may be the actual card number output or something else not at all related to the card number in any way. When you get the cards from the manufacturer there is a sheet that cross references what is printed on the card versus the actual output.

You can certainly defeat the security of a card access system by using a device like the one you saw on TV. You don't even have to be clever enough to build your own device, you can buy it complete and ready to use right off of the Internet and start spoofing. I don't think that one would install simple Wiegand cards on a facility where high security was a concern. There are other technologies besides Wiegand. One step up would be to use the Indala reader. Indala is now a part of HID. You get a more unique communications going between the card and the reader that makes it a bit more difficult to spoof. HID is not stupid. They do make cards that you can't easily spoof and formats that are unique.

The HID iCLASS format, combined with an Elite class reader and Corporate 1000 format would pretty much rule out spoofing or duplication completely. The iCLASS would mean what the spoofer read would not work when "played back" to the reader. It is unique every time (well the challenge repeats every 1.5 million years or some ridiculously long time) because there is a two way communication going. The Elite ties the reader and the card together so even another iCLASS card won't be acknowledged. And the Corporate 1000 means HID will never produce another card with that number on it so there are no duplicates ever produced by HID.

Does it worry anyone in the industry that Wiegand Prox format cards can be spoofed? I don't know. If you put a reader on a glass door and have a strike on a door lock I think not. A prox card is not like a door key that works 24/7/365. For the most part a card is programmed to work normal business hours on a limited set of doors. Even if you spoofed a card and antipassback was in play you couldn't just spoof a card of a random person passing by and then walk in. In most cases the bad guy wanting in will pick up a rock and smash out the glass. If the bad guy is a bit more resourceful or skilled he will pick or pry the lock. I have never been made aware of a successful (or unsuccessful) spoof attack in real life. If I do I'll try and post the video clip of the guy here because I am sure there will be one. There are almost always other sorts of security measures to have to get around like cameras, or in the reader itself, like PIN numbers, biometric interfaces, face matching, etc. Remember we're only talking about Wiegand Prox formats. There are other formats like MiFare, RFID etc.

I think the career of a Wiegand Prox format spoofer would be very short. But don't let me disabuse anyone here from a career choice. I know some guys that work with prison ministries and they hear from the inmates that the food is good and the sex is great.

Reply to
Roland Moore
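
Added example, not part of any post in this thread: the standard 26-bit format mentioned above, decoded in Python. The bit layout (one even parity bit, an 8-bit facility code, a 16-bit card number, one odd parity bit) is the commonly published 26-bit layout and is assumed here; the sample frame is constructed and the function names are illustrative.

```python
# Added example: decode the standard 26-bit Wiegand frame (assumed layout).
#   bit 1      even parity over the first 12 data bits
#   bits 2-9   facility (site) code, 8 bits
#   bits 10-25 card number, 16 bits
#   bit 26     odd parity over the last 12 data bits

# Constructed sample frame: facility code 42, card number 12345.
SAMPLE_FRAME = "1" + "00101010" + "0011000000111001" + "1"

# Every possible facility/card pair; small enough that the value is an
# identifier to look up, not a secret to rely on.
ID_SPACE = 2 ** (8 + 16)


def decode_wiegand26(bits: str) -> dict:
    """Split a 26-character '0'/'1' string (first bit sent first) into fields."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 binary digits")
    even_ok = bits[:13].count("1") % 2 == 0  # leading parity + 12 data bits
    odd_ok = bits[13:].count("1") % 2 == 1   # 12 data bits + trailing parity
    return {
        "facility_code": int(bits[1:9], 2),
        "card_number": int(bits[9:25], 2),
        "parity_ok": even_ok and odd_ok,
    }


def flip_bit(bits: str, index: int) -> str:
    """Return the frame with one bit inverted, to model a misread."""
    flipped = "1" if bits[index] == "0" else "0"
    return bits[:index] + flipped + bits[index + 1:]


if __name__ == "__main__":
    print(decode_wiegand26(SAMPLE_FRAME))
    print(decode_wiegand26(flip_bit(SAMPLE_FRAME, 12)))
```

The parity bits only catch read errors; the frame is the same on every read, which is why a login system should treat the decoded value as an identifier and pair it with a second factor.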

Apparently when the prox card is activated / read by a reader, it is transmitting its private key by some electromagnetic pulse technology and that private key is unencrypted. The way the security engineer on TV did the demonstration, his circuit board emitted the same generic signal required to get the prox card to activate and release its key. Because this key was unencrypted, he was able to read it and save it for later playback. He then took the device he had created and when he presented it to a card reader at a door, his device played back the unencrypted key that he had previously captured and the door unlocked.

They made a big deal that all it would have taken was for a person with this device to swipe by the pocket that you have your card in, and you would never know you have compromised the card. So I don't think that the person doing this would need to know anything about which cards were valid. They would only need to find an opportunity to walk by one person coming out of an office and get close enough to a purse or wallet to read a signal.

As the other poster says, probably you would want to limit the use of the "breakable" HID technology to entrances during business hours, and complement these with some additional technology. I guess as long as you understand the limits of the technology, and build other protections around it, you are okay.

That's great to know about, thanks. Would that be compatible with older applications like Passpoint? How many bits are in the cards used in the standard Passpoint package, and how many in iClass?

Reply to

One basic enhancement is to require something you have plus something you know. In short, require a user name and password PLUS the card. It's not perfect but it's better than just a card, which might even be stolen without any special hardware.

Reply to
Robert L Bass
