Access Control Info


John O
24-01-2005, 11:41 AM
I ran across this today:

" Proximity cards typically do not include any personalized information, and
thus any person using the proper Proximity card can use it to access the
protected asset. Therefore, Proximity card systems cannot be used to track
individuals ..."

That makes them just another brass key. My understanding is that *virtually
all* such cards have unique identifiers that allow the controller (and
software) to track who did what and when. Who's more correct today?

-John O

Fred
24-01-2005, 11:41 AM
Their information starts off correct. . . Normal implementation of a prox
card does not contain personal information within the card. It DOES contain
a unique identifier (credential/serial number). The access control system
links that credential with a user to determine assigned access, create logs,
etc. So, a rogue or stand-alone reader can read the credential from a
normal prox card, but it can't determine WHO actually carries that card.
Even in that situation, if I see Joe Smith walk by every time credential
12345 is read, then I can start to create my own database.

There are some single-point systems where (a) the reader only cares about
recognizing the general card format, or (b) only the credential is loaded
into the reader's access list, with no connection back to a central server.
In these situations, there is little or no tracking available. Then again,
certain prox cards can be re-programmed by the site, to include personal
information if they so desired.


"John O" <johno@#no^spam&heathkit.com> wrote in message
news:2FyFd.14145$_X7.11567@newssvr33.news.prodigy.com...
>I ran across this today:
>
> " Proximity cards typically do not include any personalized information,
> and thus any person using the proper Proximity card can use it to access the
> protected asset. Therefore, Proximity card systems cannot be used to track
> individuals ..."
>
> That makes them just another brass key. My understanding is that
> *virtually all* such cards have unique identifiers that allow the
> controller (and software) to track who did what and when. Who's more
> correct today?
>
> -John O
>

wkearney99
24-01-2005, 11:41 AM
> That makes them just another brass key.

Yep, albeit one you don't have to manually insert into a lock or deal with
duplicating.

Of course at the same time unlike the brass key anyone with a reader can
learn the card's identifier info and potentially forge it. Just ride in the
elevator a few times with people and their cards.

John O
24-01-2005, 11:41 AM
>
> Of course at the same time unlike the brass key anyone with a reader can
> learn the card's identifier info and potentially forge it. Just ride in
> the elevator a few times with people and their cards.
>

That idea struck me, too. Has that ever been in a movie? :-)

-John O

John O
24-01-2005, 11:41 AM
> Normal implementation of a prox card does not contain personal information
> within the card. It DOES contain a unique identifier (credential/serial
> number).

Ah, yes. They seem to have missed that distinction. Interestingly, or not,
this is from an article published by the US EPA.

-John O

G. Morgan
24-01-2005, 11:41 AM
Subject: Re: Access Control Info
Newsgroup: comp.home.automation
=> John O <= wrote:

>>
>> Of course at the same time unlike the brass key anyone with a reader can
>> learn the card's identifier info and potentially forge it. Just ride in
>> the elevator a few times with people and their cards.
>>
>
>That idea struck me, too. Has that ever been in a movie? :-)


And the movies are all it will ever be in. You can not copy the identifier of a
prox card simply by riding in an elevator (no matter how much equipment you
have). Learn how prox cards are manufactured and the technology behind them and
you'll easily see why.

The whole "brass key" theory becomes moot when additional measures are
implemented, such as a valid code entered on a keypad reader after the card is
presented or a fingerprint scan *with* the card's acceptance.

On a side note, the US Government is implementing a new policy that *will* store
personal information on the access cards. They will have biometric information
such as fingerprint maps stored on it.


--
-Graham

Remove the 'snails' from my email

Dan Lanciani
24-01-2005, 11:41 AM
In article <41ff4b0b.179467610@schoolofhardknocks.edu>, alarmprosnail@snailgmail.com (G. Morgan) writes:
| Subject: Re: Access Control Info
| Newsgroup: comp.home.automation
| => John O <= wrote:
|
| >>
| >> Of course at the same time unlike the brass key anyone with a reader can
| >> learn the card's identifier info and potentially forge it. Just ride in
| >> the elevator a few times with people and their cards.
| >>
| >
| >That idea struck me, too. Has that ever been in a movie? :-)
|
|
| And the movies are all it will ever be in. You can not copy the identifier of a
| prox card simply by riding in an elevator (no matter how much equipment you
| have). Learn how prox cards are manufactured and the technology behind them and
| you'll easily see why.

Interesting. A few years back I asked about proximity card systems that
used a ZNP to prevent copying (either by an authorized user or by someone
employing covert means as above). In response I got a lot of laughter and
comments that such security concerns did not justify the cost of a two-way
communications system. From what you say, I take it that proximity systems
have matured to the point where this level of security is now standard?

Dan Lanciani
ddl@danlan.*com

wkearney99
24-01-2005, 11:41 AM
> And the movies are all it will ever be in. You can not copy the
> identifier of a prox card simply by riding in an elevator (no matter how
> much equipment you have).

This has come up before. If it's RF it's insecure.

> The whole "brass key" theory becomes moot when additional measures are
> implemented, such as a valid code entered on a keypad reader after the
> card is presented

Which a great many places DO NOT IMPLEMENT. All too often they just put in
the pickup sensors and nothing more. Anyone able to replicate the signal
the sensor wants can trivially bypass the security.

> On a side note, the US Government is implementing a new policy that *will*
> store personal information on the access cards. They will have biometric
> information such as fingerprint maps stored on it.

And they're not proximity cards.

Dan Lanciani
24-01-2005, 11:41 AM
In article <d6mdncQB9Mi5aHrcRVn-vg@speakeasy.net>, wkearney99@hotmail.com (wkearney99) writes:
| > And the movies are all it will ever be in. You can not copy the
| > identifier of a prox card simply by riding in an elevator (no matter how
| > much equipment you have).
|
| This has come up before. If it's RF it's insecure.

RF doesn't *have* to be insecure. A ZNP algorithm would allow a card to
prove that it knew a secret without actually disclosing that secret--perfect
for this kind of application. And there are certainly other ways of
accomplishing similar goals using symmetric or public-key crypto (with the
latter possibly itself implementing a form of ZNP). Of course, the more
roundabout the implementation the greater the chance that a weakness will
be introduced, so I'd prefer to see a direct ZNP.

Historically the problem with wireless proximity cards hasn't been the
fact that they don't use wires. The problem has been an unwillingness
on the part of the vendors to implement real security when they can
rely on proprietary data formats for obscurity.

Dan Lanciani
ddl@danlan.*com
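
Added example, not part of the original thread or written by any of its posters: a sketch of the kind of proof the post above calls a "ZNP", using the Fiat-Shamir identification scheme, in which a card proves it knows a secret while only a public value is enrolled at the controller. The modulus `N`, the round count and every class and function name are assumptions made for illustration; `N` is built from two publicly known Mersenne primes, so it is a toy parameter and not a deployable one.

```python
import secrets

# Toy modulus (assumption): product of two well-known Mersenne primes, so its
# factorisation is public. A real deployment needs N = p*q with secret primes.
N = (2**127 - 1) * (2**521 - 1)
ROUNDS = 32  # a prover who does not know the secret passes with chance 2**-ROUNDS


class Card:
    """Prover: holds secret s; only v = s^2 mod N is enrolled at the controller."""

    def __init__(self):
        self._s = secrets.randbelow(N - 2) + 2
        self.v = pow(self._s, 2, N)
        self._r = None

    def commit(self):
        # Fresh random r per round; the card sends x = r^2 mod N.
        self._r = [secrets.randbelow(N - 2) + 2 for _ in range(ROUNDS)]
        return [pow(r, 2, N) for r in self._r]

    def respond(self, challenge):
        # y = r * s^e mod N. The r values are single-use: answering two
        # different challenges for the same r would reveal s.
        if self._r is None:
            raise RuntimeError("commit() must precede each respond()")
        r, self._r = self._r, None
        return [(ri * pow(self._s, e, N)) % N for ri, e in zip(r, challenge)]


def new_challenge():
    """Reader: one unpredictable bit per round, never reused across sessions."""
    return [secrets.randbits(1) for _ in range(ROUNDS)]


def verify(v, commits, challenge, responses):
    """Reader: accept only if y^2 == x * v^e (mod N) in every round."""
    if not (len(commits) == len(challenge) == len(responses) == ROUNDS):
        return False
    return all(
        x % N != 0 and pow(y, 2, N) == (x * pow(v, e, N)) % N
        for x, e, y in zip(commits, challenge, responses)
    )


def replayed_session_accepted(v, recorded, fresh_challenge):
    """A captured (commits, challenge, responses) presented to a new challenge."""
    commits, _old_challenge, responses = recorded
    return verify(v, commits, fresh_challenge, responses)
```

A recorded transcript verifies only against the exact challenge it answered, so the reader has to issue a fresh challenge for every session; a card that broadcasts a fixed identifier has no equivalent check.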

Sylvan Butler
24-01-2005, 11:41 AM
On Thu, 13 Jan 2005 22:38:32 -0600, G Morgan <alarmprosnail@snailgmail.com> wrote:
> And the movies are all it will ever be in. You can not copy the identifier of a
> prox card simply by riding in an elevator (no matter how much equipment you
> have). Learn how prox cards are manufactured and the technology behind them and
> you'll easily see why.

Some cards are more secure than others. Many of them are simply an RF
"brass key" and they most definitely CAN be copied "simply by riding in
an elevator" with one. Complete circuits w/software and practical
experience have completely proven the concept.

> The whole "brass key" theory becomes moot when additional measures are
> implemented, such as a valid code entered on a keypad reader after the card is
> presented or a fingerprint scan *with* the card's acceptance.

Yup. "What you have plus what you know" is much more secure than "what
you have." (Of course, "what you have" includes most current biometric
security technology.)

sdb
--
Wanted: Omnibook 800 & accessories, cheap, working or not
sdbuse1 on mailhost bigfoot.com