Australian spec looks to better secure contactless identity credentials
By Graeme Freedman, Principal, DotInDots
Concerns with the security and privacy of contactless smart card technology are nothing new. In recent years, the Internet has caught up with the physical access control industry and the PKI smart card industry, and some ‘dirty little secrets’ have been aired. For those of you who do not believe me, go to your browser and search “RFID hack clone,” “mifare hack,” or go to http://eBay.com.hk (Hong Kong) and search “RFID.”
In a matter of minutes you will find board-level schematics, source code and build-yourself kits that will allow you to clone many of the existing contactless devices used for physical access control and even transit. From eBay you can purchase shrink-wrapped product to clone the cards (with free shipping)! If you are a real nerd, you can Google “OpenPICC” or “OpenPCD” and purchase sophisticated portable devices that pretend they are real cards and readers and mount attacks on advanced smart cards.
None of this is new, but what is new is that a group in Australia under the direction of one of the largest government IT shops and most capable of agencies, have been looking at what to do about it.
The problem really stems from a combination of steam whistle technology and bad practices which have led us to the point where the options for access control systems are either proprietary or no longer fit for purpose.
Weigand–The majority of physical access control systems use the weigand protocol, which was first deployed a quarter of century ago. The weigand protocol is based around sending a 26-bit number up a piece of telephone wire. Weigand was designed for extreme cable lengths, not security. The problem is that it cannot support an end-to-end session or clear channel, and because of that, cannot easily support modern cryptography based authentication protocols that authenticate using longer and longer keys requiring a significant amount of protocol data. Even just the authorization records are moving to 128 bits RFC1422 GUID under the next round of FIPS 201. Weigand needs to be eventually replaced by modern structured wiring (e.g. Power over Ethernet and fibre optic for long distances) but this is going to take many years and we need a solution sooner.
No cryptography–Because the physical access control industry thinks that “Joe Average” cannot understand the radio frequency methods used, they mostly rely on the obscurity of the radio protocol rather than any secure methodology involving cryptography or keys. The vast majority of PACS systems do not secure or obscure the channel between the card and the reader, and as a result, it is easy for people to create cloning and replay devices … and to sell them on the eBay. Vendors will tell you they solve his problem by using a second factor of authentication, such as a PIN, but in a recent survey of PACS system suppliers found that a second factor was used in less than 1% of implementations.
Privacy–A solution involving “no cryptography” presents a privacy problem. It is overly simple to use a sniffer device to obtain a unique identification number from the card and then clone it.
Poor cryptography–When the physical access control industry has used cryptography, the tendency has been to use inexpensive, low-end cards. Those who did this now realize they got what they paid for! Many who deployed the MIFARE Classic using the crypto-1 protocol are now struggling to find a solution to a proprietary and publicly broken cryptographic cipher.
Speed–Because contactless cards are out of range of the device very quickly, and tap-n-go convenience is often a crucial requirement, any solution to the problems above must operate at less than 500 milliseconds, and preferably at less than 200 milliseconds (0.2 of a second). Most existing access control protocols operate on commercial product between 40 and 200 milliseconds. This speed requirement rules out most authentication protocols using asymmetric keys including all current PKI-based protocols.
No Standards–Currently the only authentication protocol which does not suffer from the above problems, and which is commercially available, is only available under license from a single vendor. Whilst there are general standards for authentication under ISO/IEC 9798, these are so generally described that they cannot guarantee interoperability between multiple suppliers, and have not been customized for PACS speed and performance
Protocol for Lightweight Authentication of ID (PLAID)
PLAID defines a standardized authentication protocol resolving the above issues that is capable of transitioning older Weigand-based solutions to modern solutions without relying on re-cabling, PKI, or anything other than commercial off-the-shelf smart cards, readers and public domain cryptographic libraries.
The intellectual property for PLAID is freely available to any manufacturer, government or other party under an irrevocable license from the Australian Commonwealth. The full specifications, license reference, source code and testing tools are available at http://www.govdex.gov.au. Steps are underway to standardize PLAID for Australian and International standards at which point the intellectual property will be assigned to those bodies.
PLAID was developed within an Australian Government smart card project operated by Centrelink, an agency responsible for the broad provision of social services in Australia. Centrelink has a very large footprint with more than 300 offices and 30,000 desktops needing secure, private, smart card based authentication for both logical and physical access using contactless protocols. Centrelink implemented a centralized, role-based ID management system some nine-years ago and is transitioning this system to support contactless smart cards which gave rise to the PLAID project.
PLAID, developed by cryptographer Glenn Mitchell and smart card developer Andrew Fisher, is a cryptographic and algorithmic method and associated source code that uses hybrid symmetric and asymmetric cryptography. There is no exposure of card or cardholder identifying information or any other information useful to an attacker, and every transaction is totally unique.
The protocol supports either single or dual-factor authentication with support for authentication of the smart card, the access control system record, and optionally, the cardholders PIN or biometric template.
The PLAID protocol is optimized for a fast mutual authentication between the smart card and devices or middleware using either contact or contactless smart card implementations. This has been tested on a wide variety of cards from the major card vendors resulting in transaction times between 160 and 300 milliseconds (0.16-0.3 seconds). Slightly longer times are experienced when authenticating large access control objects such as biometric templates.
The cryptography used is standards-based cryptographic ciphers commonly available on most programmable smart cards, computer systems and embedded devices. The protocol is consequently highly portable to existing cards and devices.
Different keys may be used by purpose (i.e., perimeter, logical access, computer room and administrative key sets) and maintenance of keys is possible by rolling onto a spare un-used key set already stored on the smart card. Work is planned for a reference implementation that includes SAM/HSM device code that demonstrates how to design a strong key management/key roll system using secure FIPS 120-2/3 devices.
In order to support simple transition between systems requiring different record types, multiple access control system records may also be authenticated by purpose (up to 65,536). Depending on the record requested by the reader, PLAID will authenticate just the record required for the particular environment. These records could for example be ALL of or one or more Weigand numbers; a U.S. Federal FASC-N staff number; a FIPS 201 CHUID, a RFC 1422 GUID record; an ISO/IEC 7812 card number; a biometric template or any other numbering system required by the environment. Unlike existing systems, these records are never exposed in the clear.
The protocol also supports a 256-bit session key that is provided for the next smart card operation. PLAID is extremely fast, and may be used as a bootstrap protocol to set up the card with a secure session to support subsequent higher-level protocols or operations. This for example can be used to protect a public certificate accessed in the next operation from exposure of its otherwise publicly available attributes.
The PLAID reference source code also implements a number of generic countermeasures that may usefully be included in operational implementations.
Finally, PLAID has been evaluated in the public domain for some three years now and has been available under open license since February 2009. The long public evaluation has resulted in improvements particularly in the reference implementation, but has failed to identify any fatal flaw in the protocol.