A white paper from RWE is currently causing more than a few waves in the access control market (you can download it here). Together with the Security Research Lab in Berlin, the company published it recently under the very appropriate title of "Establishing Security Best Practices in Access Control". It describes how RWE is moving toward a secure access control system in a process being applied company-wide.
Matthias Erler of GIT SECURITY interviewed Dr. Andreas Rohr, Cyber Forensic Manager of RWE Group Security, about the background and details of this project.
GIT SECURITY: Dr. Rohr, you have started a process for the introduction of secure access control at RWE. What drove you to this move?
Andreas Rohr: First of all, one cannot undertake such a process alone, but one particularly needs the experience of the operative divisions. A new risk analysis became necessary against the background of the security weaknesses of various RFID technologies used in access control that have been published recently. The motivation to consider a new architecture was twofold: firstly the security considerations, but also the wish to be independent of a particular integrator or manufacturer. It was therefore not sufficient for us to simply replace the RFID technology that was being used with another that is rated as safe today. Primarily we want to avoid getting into a similar situation again in the future and not let our security be based solely on one security feature. Apart from that, our aim was a complete redesign to enable the flexible support of all applications that make use of a company ID.
What applications are you referring to and what are their dimensions within RWE?
Andreas Rohr: We're talking primarily about the access control system and the cashless payment system in the canteen. But certificates for security training are also included, which are legal obligations. Accounting and time and attendance recording are also processed with the use of company IDs. A further component is so-called strong authorization with the use of certificates that are in a PKI smart card chip in the ID.
With regard to the scale, at RWE we're talking about a division with more than 150 locations in over ten countries with a total of 70,000 employees and a further 40,000 IDs for external employees (e.g. services or visitors).
RWE carried out an assessment in 2010 with regard to RFID security. What was the result?
Andreas Rohr: This was a security analysis of the technologies on the market with a focus on the publicized weak points e.g. from Hitag 1, HID prox, Mifare Classic and Legic Prime. This made it clear to us that these approaches, driven by convenience - coupled with advertised but not disclosed 'security features' (security-by-obscurity) - were not leading in the right direction, that is, they were simply not secure. In addition it must be mentioned that a consistent security concept is necessary to secure an object or individual asset. In this sense, the use of RFID-based access control can only be one component of the whole building-related security concept.
Could you give us an example?
Andreas Rohr: You would certainly not secure a wooden door with cryptographically secure RFID technology, for example. The level of protection aimed for should on the one hand correspond to the (technical) security measures and on the other hand be in accordance with the protection requirements of the secured area. To increase the level of protection one can extend the usage of an RFID-based card through the incorporation of further factors such as knowledge (PIN) or possession (biometric features). Beyond this one could check the logging data for technically correct authorization but potentially illegal usage - such as with cloned cards.
What features must a system demonstrate from your point of view so that it can be considered safe?
Andreas Rohr: An indication of the secure architecture of an access control system - as described in the white paper - is the readiness of the manufacturer to lay it open to testing and evaluation - if necessary covered by a non-disclosure agreement (NDA). Thus the actual security is based on the consistent use of open and well-investigated standard cryptographic algorithms (in contrast to obscure mechanisms). Said another way, the architecture should be rateable as secure right from its inherent design. The real security level is then dictated by cryptokey management. This includes the secure generation of keys, their secure distribution over the affiliated Secure Authentication Modules (SAM) as well as their use in the personalization environment of access cards. The ability to create all master keys ourselves is seen as essential at RWE, so the key hierarchy does not start outside RWE as is common with some integrators.