6

Just musing to myself, what is the preferable access control mechanism in high security environments? Locks and Keys or RFID tags?

Going under the assumption that the locks/keys are not known to be pickable and that the RFID tags are not currently known to be vulnerable, how should one choose the appropriate system?

I think the smarter way to go would be RFID as it provides audit-able logs of which card has accessed what when but perhaps I'm missing anything that's in favor of the keys?

NULLZ

4 Answers

6

Conceptual view: there is authentication, and there is authorization; these are distinct activities. Authentication is about making sure of who you are talking to; authorization is about deciding what some individual is allowed to do. You actually want to keep them separate.

RFID tags implement authentication: through the electronic conversation between the tag and the reader, the reader ascertains the identity of the tag, so (presumably) the identity of the tag holder. Authorization is performed by the reader, that can be linked with some central authorization server. On the other hand, with a key, authentication and authorization are conflated in the same device: having the key in hand automatically grants access.

The need for separation of authentication and authorization is made most visible when you want to revoke an access. With RFID tags, that's easy: simply flip some flag in the authorization server database. With keys, you cannot do that: to revoke an access, you must either recover the key itself (and you cannot do that if the reason for revocation was that the key has been lost or stolen), or change the lock (and that's expensive, not only for the lock itself, but because you must distribute a new set of keys to the other users). In a similar vein, with RFID tags you can enforce time-based access control (access granted only at some times in the day), and you cannot do that with keys.

Another good property of RFID tags is selective cloning. When a new employee must be granted access, issuing a new tag for him is easy for the system administrator; but users themselves will find it hard to clone their tag (good tags are like smart cards: they are tamper resistant). This means that authorization management remains in the hands of the sysadmins. With keys, either keys cannot be duplicated, in which case granting access to new users is hard, or keys can be duplicated, in which case preventing rogue cloning by existing users is hard.

Summary: RFID tags are superior to keys because they allow for fine-grained access control with immediate revocation, and centralized authorization and administration.

The most salient point which would make keys preferable over RFID tags, in some specific contexts, is that keys don't need to be powered. A padlock which has been locked, remains locked even after an extended power outage. However, in most cases, RFID tags are better.

Tom Leek
  • Slightly OT, but one thing you want to be sure of is that the RFID tag is NOT also an ID badge. If it is an ID badge that tells someone who finds it dropped in a parking lot what building and what areas of the building it is likely to work on. RFID tags should just have a generic "if found, call this #" message on them (with the # not being one easily linked to the site) if anything. – Rod MacPherson Jul 17 '13 at 14:12
  • @Rod - If you issue two items that employees have to carry they'll probably just bind them together anyway. – u2702 Jul 17 '13 at 22:47
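The separation described in the answer above, with the reader only authenticating a tag ID and a central controller deciding authorization, can be sketched as follows. This is an added example, not code from the answer; the tag IDs, door names and the `AccessController` class are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass
class TagRecord:
    holder: str
    doors: set                                  # doors this tag may open
    hours: tuple = (time(0, 0), time(23, 59, 59))
    revoked: bool = False

class AccessController:
    """Authorization side; the reader only supplies an authenticated tag ID."""
    def __init__(self):
        self.tags, self.audit = {}, []

    def revoke_holder(self, holder):
        """Flag every tag issued to a holder; no hardware is touched."""
        for rec in self.tags.values():
            if rec.holder == holder:
                rec.revoked = True

    def decide(self, tag_id, door, now):
        rec = self.tags.get(tag_id)
        if rec is None:
            reason = "unknown tag"
        elif rec.revoked:
            reason = "revoked"
        elif door not in rec.doors:
            reason = "door not permitted"
        elif not rec.hours[0] <= now.time() <= rec.hours[1]:
            reason = "outside permitted hours"
        else:
            reason = "ok"
        self.audit.append((now.isoformat(), tag_id, door, reason))
        return reason == "ok"

def demo():
    ctl = AccessController()
    ctl.tags["04A1"] = TagRecord("fred", {"lab"}, (time(8), time(18)))
    ctl.tags["04B2"] = TagRecord("barney", {"lab", "vault"})
    day, night = datetime(2013, 7, 17, 9, 30), datetime(2013, 7, 17, 22, 0)
    results = [ctl.decide("04A1", "lab", day),      # permitted
               ctl.decide("04A1", "vault", day),    # wrong door
               ctl.decide("04A1", "lab", night),    # outside hours
               ctl.decide("04B2", "vault", day)]    # permitted before revocation
    ctl.revoke_holder("barney")
    results.append(ctl.decide("04B2", "vault", day))  # same tag, now revoked
    return results, [entry[3] for entry in ctl.audit]
```

Every decision, including each denial and its reason, lands in the audit list, which is the logging property the question asks about.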
5

In favor of the mechanical locks is that they are cheap and simple (and so less likely to break down).

(Even if you do deploy a fancy RFID system I bet you have a mechanical lock put in as well, because it costs next to nothing and gives you a fall-back in case the Access Control fails.)

However, in most high security environments you are likely to want some sort of electronic access control, not just for the logging, but so you can cancel access remotely. e.g. if Fred loses his RFID tag, or if Barney leaves the company, one change to the database and all three tags stop working.

(Three wasn't a typo: I was including the clone Betty made of Barney's tag that neither of you knew about. That Betty!)

As with all things security, it depends on the results of your risk analysis. I recently went with a mechanical-only lock on a new door to a secure area because when I ran the analysis, it simply wasn't worth the money.

Graham Hill
5

TL;DR: Physical locks are simpler and therefore less prone to failure. Proximity cards (e.g. RFID) are superior in every other way.

Picking a lock is a side-channel attack that grants access to an individual who does not need to have ever encountered a valid access token (in this case, a key). It's quick, highly effective, and leaves no audit logs (other than perhaps scratches). Nearly all locks are vulnerable to picking to some degree.

Picking an RFID station would be a similar side-channel attack against the station hardware itself or against the underlying protocol. No such generalized attack exists, but specialized attacks against specific hardware may be possible.

Cloning a physical key requires only a photograph of the key and the appropriate key-cutting hardware. Commercially produced hardware for doing this is available at minimal cost, or you can do it manually using a file and a decent ruler. The distance at which you can clone a key is unlimited for practical purposes, and requires only line-of-sight. Whether or not sufficient resolution exists to do this from space is not publicly disclosed, but it may be a possibility. A cloned key can be made indistinguishable from an original. In some cases it's also possible to use the physical properties of the lock to create a working key (without ever seeing another "real" key). Every key can be cloned. Without exception.

Cloning an RFID token requires a device to read and reproduce the RFID signal, such as the Proxmark3. This is a specialized device which is readily available but not widely possessed. Higher-security challenge-response tokens cannot be cloned by reading their signal. Full stop.

Revoking access for a physical key involves re-keying all the locks so that the revoked key no longer works. Simply returning the key is insufficient, as keys are trivial to clone... even if they say "do not duplicate".

Revoking access for an RFID key involves telling the system to stop trusting the revoked key. No further work necessary.

tylerl
  • Are higher-security RFID tokens susceptible to power analysis attacks? As for "cloning keys from space", that's funny :) – Deer Hunter Jul 18 '13 at 05:35
  • 1
    @DeerHunter a power analysis attack would be against a specific installation or implementation, not against the underlying technology itself. Perhaps, for example, model X123 would be vulnerable if installed according to *figure 3* in the manual. Something like that. – tylerl Jul 18 '13 at 17:10
2

Agree with most of what Tom Leek said but there are some additional things to consider.

RFID tags can be easier (and faster) to clone than physical keys. The signal between RFID and the reader is out in the ether where someone can capture that signal and replay it, either with a small reader placed next to the real reader or something with an antenna.

To get a copy of your key they would have to get physical access or possibly a photograph of the key. Once they had that they would need to cut a copy of the key.

u2702
  • Some smarter RFID tags don't simply stream the key, but instead use a PKI algorithm to respond to a challenge sent by the reader. This prevents cloning/replay attacks. – Lie Ryan May 24 '14 at 11:18
  • Which introduces the risk of replay attacks because the messages move across an insecure channel. I would be curious to see how good that RFID tag crypto is, I would imagine that stronger crypto == increased power consumption. – u2702 May 27 '14 at 17:14
  • The fact that you can steal cars worth 80-100k€ with 15€ equipment shows that electronic keys (whatever system they apply) are nowhere near safe. You'd think that in this price class, the manufacturers make sure this cannot happen. Or think of the Onity locks found in pretty much every hotel (magnetic card, not RFID, but whatever). They'll open in 2 seconds to anyone in possession of an Arduino or similar device. Insofar, having a physical key in addition really isn't useless if you care anything about security. – Damon Dec 31 '14 at 10:53
  • I'm not sure I love that assessment. There are lots of cases where very simple/very cheap attacks can compromise expensive assets. Think about the house you live in, there's probably only a pane of glass between a door lock or window-latch and the attacker outside. I don't think the math is that simple for value of asset versus value of protection. Would you spend $999 on a safe to hold $1,000? Risk of arrest or capture has to factor in. For online attacks that risk is much, much smaller which probably makes attackers more brash. Stealing a car has to happen in the physical world. – u2702 Jan 01 '15 at 21:14
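The answers above distinguish tags that emit a fixed identifier from challenge-response tokens. The following added example, which is not code from any of the posts, models both against a recorded exchange that is presented again on a later read. It uses an HMAC over the reader's challenge as a stand-in for the tag's cryptography (an assumption; the comment above mentions PKI), and the UIDs and class names are constructed.

```python
import hashlib
import hmac
import secrets

UID_LEN = 4  # constructed UID length for this example

class StaticTag:
    """Emits the same identifier on every read."""
    def __init__(self, uid):
        self.uid = uid

    def respond(self, challenge):
        return self.uid  # challenge is ignored

class ChallengeResponseTag:
    """Holds a per-tag secret that is never transmitted."""
    def __init__(self, uid, key):
        self.uid, self._key = uid, key

    def respond(self, challenge):
        return self.uid + hmac.new(self._key, challenge, hashlib.sha256).digest()

class Reader:
    def __init__(self, static_uids, keys):
        self.static_uids, self.keys = static_uids, keys

    def verify_static(self, response):
        return response in self.static_uids

    def verify_cr(self, challenge, response):
        uid, mac = response[:UID_LEN], response[UID_LEN:]
        key = self.keys.get(uid)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)

def replay_outcomes():
    key = secrets.token_bytes(32)
    reader = Reader({b"\x01\x02\x03\x04"}, {b"\xaa\xbb\xcc\xdd": key})
    static = StaticTag(b"\x01\x02\x03\x04")
    cr = ChallengeResponseTag(b"\xaa\xbb\xcc\xdd", key)
    c1 = secrets.token_bytes(16)           # challenge of the recorded session
    rec_static, rec_cr = static.respond(c1), cr.respond(c1)
    c2 = secrets.token_bytes(16)           # fresh challenge for the next read
    return {"genuine_cr": reader.verify_cr(c2, cr.respond(c2)),
            "replayed_static": reader.verify_static(rec_static),
            "replayed_cr": reader.verify_cr(c2, rec_cr)}
```

The recorded static identifier is accepted again, while the recorded challenge-response message fails because it was computed over a challenge the reader no longer uses.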