Access control by Nedap Security Management

Use of Mifare in access control systems
In a press release on 12 March 2008, the Digital Security Group at Radboud University Nijmegen claimed that it was able to clone the Mifare Classic contactless access pass.

The contactless Mifare Classic chip card was developed in the mid 1990s by NXP (formerly Philips Semiconductors) based on the knowledge and technology available at the time. Partly as a result of its low cost price and multifunctional usability, the card is a relatively popular means of identification for use in technologies including access control systems.

There are two different ways in which the Mifare Classic can be used in access control systems . Firstly, the unique CSN (Card Serial Number) of a Mifare card (unencrypted) can be read and used in order to identify an individual. The second method involves reading encrypted information from one of the sectors. A (concealed) key is used to write and read this information. The same key must be used in both the card reader and the card for it to be possible to read the information from the sector and, on the basis of this information, to determine whether or not a person will be granted access. The Mifare readers that operate according to this principle are somewhat more expensive than CSN readers.

The Mifare card was hacked using the Jacobs Method, in which a Mifare reader is continuously bombarded with incorrect data. The responses of the reader are used to draw up a table that can be used to retrieve the Mifare key. Once the Mifare key has been retrieved, it is easy to read information from the sectors and thus make clones of a Mifare card.

The news could suggest that the CSN is in fact secure. Unfortunately, this is not the case. The research carried out by the University of Nijmegen involved the use of portable RFID equipment. Using this type of equipment, it is easy to reproduce a unique CSN number and send this to the reader.

Nedap resolves Mifare security breach
Nedap plans to protect its Mifare readers against the cracking method recently presented by Radboud University Nijmegen by means of introducing a software patch.

Nedap's new software is able to detect this cracking method, subsequently causing the reader to temporarily disconnect. The reader also sends an alert to the security system, meaning that appropriate measures can then be taken. All Nedap clients with an Upgrade Assurance agreement will be automatically issued with this new software.

Over the past few years, Nedap has acquired a unique position within the field of security. Readers, controllers and the embedded and server software are all fully developed in-house. As a result, Nedap has complete control over all of the components used in its security system and is able to respond more rapidly to changing market situations.

Conclusion
The extent of the risk presented by the possibility of cloning the Mifare Classic card in terms of the security of buildings and premises, partly depends on the additional measures in place. Modern access control systems offer a range of functions for the purpose of minimising the risks associated with cloned cards or the loss of a card. Examples of these are the use of the card in combination with pin codes, Anti-passback, video verification and biometrics. In light of recent developments, it is therefore advisable to have a new risk analysis carried out.

For many years now, Nedap has been providing systems that meet the highest possible security requirements. In addition to readers for all types of encryption such as Mifare DESFire and Mifare Plus, the AEOS Security Management system supports all known security measures.

Related information
Please consult the Mifare Advice document (pdf) and the pressrelease of Radboud Universiteit.

For further information, please contact your certified business partner or Nedap.