Study: Access Control Best Practices
Establishing Security Best Practices in Access Control
A white paper from RWE is currently causing more than a few waves in the access control market. Together with the Security Research Lab in Berlin, the company recently published it under the very appropriate title "Establishing Security Best Practices in Access Control". It describes how RWE is moving towards a secure access control system in a process being applied company-wide.
Matthias Erler of GIT SECURITY asked Dr. Andreas Rohr, Cyber Forensic Manager at RWE Group Security, about the background and details of this project.
GIT SECURITY: Dr. Rohr, you have started a process for the introduction of secure access control at RWE. What drove you to this move?
Andreas Rohr: First of all, one cannot undertake such a process alone; one particularly needs the experience of the operative divisions. A new risk analysis became necessary against the background of the security weaknesses of various RFID technologies used in access control that have been published recently. The motivation to consider a new architecture was twofold: firstly the security considerations, but also the wish to be independent of a particular integrator or manufacturer. It was therefore not sufficient for us simply to replace the RFID technology in use with another that is rated as secure today. Primarily we want to avoid getting into a similar situation again in the future and to not let our security rest solely on one security feature. Apart from that, our aim was a complete redesign to enable flexible support of all applications that make use of a company ID.
What applications are you referring to and what are their dimensions within RWE?
Andreas Rohr: We're talking primarily about the access control system and the cashless payment system in the canteen. Certificates for security training, which are legal obligations, are also included. Accounting and time and attendance recording are also processed using company IDs. A further component is so-called strong authorization using certificates held on a PKI smart card chip in the ID.
With regard to scale, at RWE we're talking about a division with more than 150 locations in over ten countries, with a total of 70,000 employees and a further 40,000 IDs for external staff (e.g. service providers or visitors).
RWE carried out an assessment in 2010 with regard to RFID security. What was the result?
Andreas Rohr: This was a security analysis of the technologies on the market with a focus on the publicized weak points, e.g. in Hitag 1, HID Prox, Mifare Classic and Legic Prime. This made it clear to us that these approaches, driven by convenience and coupled with advertised but undisclosed 'security features' (security by obscurity), were not leading in the right direction; that is, they were simply not secure. In addition it must be mentioned that a consistent security concept is necessary to secure a site or an individual asset. In this sense, RFID-based access control can only be one component of the whole building-related security concept.
Could you give us an example?
Andreas Rohr: You would certainly not secure a wooden door with cryptographically secure RFID technology, for example. The level of protection aimed for should on the one hand correspond to the (technical) security measures and on the other hand be in accordance with the protection requirements of the secured area. To increase the level of protection one can extend the use of an RFID-based card by incorporating further factors such as knowledge (PIN) or possession (biometric features). Beyond this, one could check the logging data for authorizations that are technically correct but indicate potentially illegal usage, such as with cloned cards.
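Added example (editor's illustration, not part of the interview or of RWE's system): the check Rohr describes in the last sentence, run over constructed access-control log lines. A cloned card produces authorizations that are cryptographically valid, so the only signal is behavioural: the same card being granted access at two sites closer together in time than anyone could physically travel between them. The log format, the site names and the minimum-travel-time table are all assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real data). One event per line; the
# key=value layout is an assumed format for an access-control system export.
SAMPLE_LOG = """\
2013-04-02T07:58:10Z site=Essen door=Main-1 card=04A1B2C3 result=GRANTED
2013-04-02T08:02:41Z site=Essen door=B2-East card=04A1B2C3 result=GRANTED
2013-04-02T08:15:05Z site=Dortmund door=Gate-3 card=04A1B2C3 result=GRANTED
2013-04-02T08:20:00Z site=Essen door=Main-1 card=0577EE21 result=GRANTED
2013-04-02T11:40:12Z site=Dortmund door=Gate-3 card=0577EE21 result=GRANTED
2013-04-02T09:00:00Z site=Essen door=Main-1 card=09FF0001 result=DENIED
"""

# Assumed minimum plausible travel time in minutes between pairs of sites.
# In practice this table comes from facility management; unknown pairs are
# deliberately not judged rather than guessed.
MIN_TRAVEL_MIN = {
    frozenset({"Essen", "Dortmund"}): 30,
    frozenset({"Essen", "Prague"}): 240,
    frozenset({"Dortmund", "Prague"}): 240,
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    site: str
    door: str
    card: str
    result: str


def parse_line(line: str) -> Event:
    """Parse one 'timestamp key=value ...' log line into an Event."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, fields["site"], fields["door"], fields["card"], fields["result"])


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_impossible_travel(events, min_travel=MIN_TRAVEL_MIN) -> list:
    """Return (card, earlier, later) for consecutive GRANTED events of one card
    at different sites that lie closer in time than the minimum travel time.

    Only GRANTED events count: a denied read tells us nothing about presence.
    """
    by_card = defaultdict(list)
    for e in events:
        if e.result == "GRANTED":
            by_card[e.card].append(e)

    alerts = []
    for card, evs in by_card.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            if prev.site == cur.site:
                continue
            limit = min_travel.get(frozenset({prev.site, cur.site}))
            if limit is None:
                continue  # no travel-time knowledge for this pair: no verdict
            if cur.ts - prev.ts < timedelta(minutes=limit):
                alerts.append((card, prev, cur))
    return alerts


if __name__ == "__main__":
    for card, a, b in find_impossible_travel(parse_log(SAMPLE_LOG)):
        gap = (b.ts - a.ts).total_seconds() / 60
        print(f"possible clone: card {card} at {a.site} {a.ts:%H:%M} then {b.site} {b.ts:%H:%M} ({gap:.0f} min)")
```

In the constructed log, card 04A1B2C3 is granted access in Essen at 08:02 and in Dortmund at 08:15, 13 minutes apart against an assumed 30-minute minimum, so it is flagged; card 0577EE21 makes the same trip in 200 minutes and is not. The check only compares neighbouring events per card, so it runs in a single pass and can sit behind a log forwarder; it is a trigger for investigation, not proof of cloning, since a shared or lent card looks identical.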
What features must a system demonstrate from your point of view so that it can be considered safe?
Andreas Rohr: An indication of the secure architecture of an access control system, as described in the white paper, is the readiness of the manufacturer to lay it open to testing and evaluation, if necessary covered by a non-disclosure agreement (NDA). Thus the actual security is based on the consistent use of open and well-investigated standard cryptographic algorithms (in contrast to obscure mechanisms). Said another way, the architecture should be rateable as secure right from its inherent design. The real security level is then dictated by cryptokey management. This includes the secure generation of keys, their secure distribution to the affiliated Secure Authentication Modules (SAM), as well as their use in the personalization environment of access cards. The ability to create all master keys ourselves is seen as essential at RWE, so that the key hierarchy does not start outside RWE, as is common with some integrators.
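Added example (editor's illustration, not RWE's key management system): the key hierarchy Rohr describes, with a company master key generated in-house, per-application keys derived from it for loading into SAMs, and per-card keys diversified from the application key and the card UID at personalization time. The derivation function is an assumed stand-in (HMAC-SHA256 truncated to 128 bits) for the CMAC-based diversification a real SAM performs; the class and function names are invented for this example. What it shows is that a reader SAM holding only the access-control application key derives the same card key as personalization, that a canteen SAM cannot derive it at all, and that rotating a key version changes every card key under that branch without touching the master.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

KEY_LEN = 16  # 128-bit child keys, the size AES-based transponders use


def derive(parent: bytes, label: str, context: bytes = b"") -> bytes:
    """One-way derivation of a child key from a parent key.

    Assumption: HMAC-SHA256 truncated to KEY_LEN stands in for a SAM's own
    CMAC diversification. Because the function is one-way, a key extracted
    from a card or a reader SAM reveals nothing about the keys above it.
    """
    msg = label.encode() + b"\x00" + context
    return hmac.new(parent, msg, hashlib.sha256).digest()[:KEY_LEN]


class CompanyRoot:
    """Top of the hierarchy. In production this lives in the issuer's own HSM;
    here it is in memory. The master is generated in-house so the hierarchy
    does not start at an integrator or manufacturer."""

    def __init__(self, master: Optional[bytes] = None) -> None:
        self.master = master if master is not None else secrets.token_bytes(32)

    def application_key(self, app: str, version: int) -> bytes:
        # One branch per application (access, canteen, ...) and per key
        # version, so a compromised or rotated branch leaves the others intact.
        return derive(self.master, f"app:{app}:v{version}")

    def issue_sam(self, apps: Iterable[str], version: int) -> "SAM":
        # What gets loaded into a reader or personalization SAM:
        # application keys only, never the company master.
        return SAM({app: self.application_key(app, version) for app in apps}, version)


class SAM:
    """A Secure Authentication Module holding the application keys for one role."""

    def __init__(self, app_keys: Dict[str, bytes], version: int) -> None:
        self._keys = dict(app_keys)
        self.version = version

    def card_key(self, app: str, uid: bytes) -> bytes:
        """Per-card key diversified from the application key and the card UID."""
        if app not in self._keys:
            raise KeyError(f"SAM holds no key for application {app!r}")
        return derive(self._keys[app], "card", uid)


def personalize_and_verify(root: CompanyRoot, uid: bytes, version: int = 1) -> dict:
    """Walk the hierarchy end to end and return the checks worth asserting on."""
    perso_sam = root.issue_sam(["access", "canteen"], version)   # card production
    reader_sam = root.issue_sam(["access"], version)             # door reader
    canteen_sam = root.issue_sam(["canteen"], version)           # payment terminal

    written = perso_sam.card_key("access", uid)  # key written to the card
    try:
        canteen_sam.card_key("access", uid)
        canteen_can_derive = True
    except KeyError:
        canteen_can_derive = False

    other_uid = bytes(b ^ 0xFF for b in uid)
    rotated_sam = root.issue_sam(["access"], version + 1)
    return {
        "card_key": written,
        "reader_matches": reader_sam.card_key("access", uid) == written,
        "canteen_can_derive_access_key": canteen_can_derive,
        "differs_from_other_uid": perso_sam.card_key("access", other_uid) != written,
        "differs_after_rotation": rotated_sam.card_key("access", uid) != written,
    }


if __name__ == "__main__":
    result = personalize_and_verify(CompanyRoot(), bytes.fromhex("04A1B2C3D4E5F6"))
    for name, value in result.items():
        print(f"{name}: {value.hex() if isinstance(value, bytes) else value}")
```

The separation this buys is the one Rohr is after: door readers in the field hold a derived application key, so extracting a reader SAM's contents (or a single card's key) exposes one branch at one version, and re-issuing that branch is a matter of incrementing the version and re-personalizing the affected cards, not of replacing the root.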
Could you briefly explain the individual phases of the introduction of a secure access concept at RWE?
Andreas Rohr: Broadly speaking, a total of three phases were carried out at RWE. In the first phase the security demands of future access control systems were described, and all the applications within the group that came into question were taken into consideration. Following that, a target architecture was described that would enable the existing installations to continue to be operated transparently and at the same time permit the new implementation in the form of a gentle migration. In the second phase we developed and implemented the system modules necessary for this. In parallel, the new concept was prototyped at three locations within the scope of new building projects running there, to gather operational experience with the new systems. This phase is virtually complete and the final phase has already begun, i.e. regular usage in projects where the access technology has had to be renewed. Particularly sensitive areas can now make use of the new RWE Group standard in order to migrate to the required level of security.
Could you describe the new multifunctional RWE Service Card concept a little more closely?
Andreas Rohr: The main purpose is to have an ID that can be used internationally for all the various applications throughout the entire RWE Group. This will be first and foremost secure access control and cashless payment in the RWE canteen. In the future it will also include authentication at computers and services in the RWE IT world using certificates. Three central elements are necessary that fundamentally support every type of decentrally managed access control or IT system. The three central components are a group-wide common card management (incl. production), the cryptokey management and a common, workflow-based rights management platform. The necessity for integrative card management is obvious, as a card must be recognized in all relevant systems, and this is most easily implemented top-down. The associated card production should therefore be multi-client capable and able to produce cards decentrally. Central key management is a precondition for secure operation and must be uniform across the whole group. An abstraction in the sense of identity and rights management is necessary if you don't want to administer the rights of a user individually in every access control system (typically one system per manufacturer). In this way every employee can be authorized with his card at every location, regardless of the actual system installed there. All available modules have a defined interface and can thereby be substituted. This increases competition and the variety of products used within the group, but without building the infamous island solutions. The biggest advantage for the users, such as facility management or individual projects, is standardized manufacturers' products that can be used with relatively low implementation risk.
These are hybrid cards with Legic Prime, Legic Advant and DESFire EV1 - and HID cards are being tested, too?
Andreas Rohr: Because various technologies are already in use in the existing access control and canteen installations, a corporate ID must be a hybrid card with various RFID chips so that backward compatibility is ensured. Alternatively one could certainly use readers that can handle the various cards. However, it is then almost impossible to set a uniform security level (for each area). For this reason, for the implementation of the new design in new buildings and refurbishments, we decided not to worry about compatibility with some old cards; employees with access to these areas then get a hybrid card. In this way a gradual exchange is possible over a period of time and a complete replacement is not necessary. Only new hybrid cards will be used for all new systems with cards and card production.
To what extent are you working with other companies on this project?
Andreas Rohr: RWE is just one company that is currently in a phase of redesigning its company IDs and access control. The reasons for this are manifold, and we are in close contact with other large companies in the DAX 30. All have in common that they believe merely copying previous approaches with a change to a new RFID technology is not the way to go. We are in close contact with chip manufacturers and also with the development departments of leading providers of access control equipment. To date, no products are on the market for a centralized key and rights management system that meet the list of requirements. So we developed a suitable generic, secure key management system in cooperation with another DAX 30 company and the Security Research Labs in Berlin. In the area of rights management, we are currently running a study and investigations into the limits and prerequisites for generic access rights management in a heterogeneous environment. Furthermore, it is intended to write an industry standard into the development books of the various manufacturers, which in the end will lead to lower implementation risks for supplier and customer alike and to more flexibility in the final selection. In the future there should be no more customizing effort to integrate the various access control systems, because otherwise this leads to extra work during the entire lifecycle and increases the complexity of lifecycle management.
Dr. Rohr, many thanks for the conversation.