Cracking secret naval codes helped to win the Battle of Midway and has been a decisive factor in the outcome of many wars.
In the same manner, protecting your customers’ Electronic Access Control (EAC) information is important for their safety and security, and for your business success. Your customers often will ask what type of encryption the EAC system provides.
In this article, we’ll discuss encryption protocols and how they secure your EAC data, covering issues that pertain to mobile, hard-wired, internet, Wi-Fi, cellphone and cloud encryption, all of which are crucial to providing security.
Encryption 101
Two basic processes protect the integrity of your access control data: one verifies the authenticity of the sender and the connection, and the other conceals your secured information from third parties.
The first process is verification. Whenever you connect to an HTTPS website, the “S” indicates you’re connecting to a secure site that provides a digital certificate verified by a trusted third party. This certificate ensures that the site is what it claims to be.
The original protocol for delivering digital certificates was the SSL (Secure Sockets Layer) standard. It later was upgraded to the current TLS (Transport Layer Security) protocol, which adds further information and protections. Sites that use either SSL or TLS certificates are allowed to display HTTPS.
Passwords, digital certificates and blockchain records are “hashed” with a Secure Hashing Algorithm (SHA) to produce a number (the hash) that can be verified by a third party. Hashing is a one-way encryption process in which the actual passwords or digital certificates never are seen, only verified. Hashing is critical to the digital signatures you receive when connecting to a secure website.
SHAs were introduced by the National Security Agency in 1991, and the algorithm was upgraded to SHA-2 in 2001. SHA-3 was released by the National Institute of Standards and Technology (NIST) in 2015. SHA-3 allows for more flexibility, although SHA-2 still is considered to be secure.
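The two uses of hashing described above, verifying a password without storing it and producing a fixed-size fingerprint of a document, are shown below in an example added for this article (not the author's code). It uses only the Python standard library; the password and firmware strings are constructed samples, and the choice of PBKDF2 with SHA-256 is this example's, not something the article specifies.

```python
# Added example (not from the article): how a hash lets a server verify a
# password or fingerprint a document without keeping the secret itself.
import hashlib
import hmac
import secrets
from typing import Optional

def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt$digest'.

    PBKDF2 feeds the password and a random salt through HMAC-SHA-256 (a SHA-2
    member) many times, so equal passwords produce different records and each
    guess costs an attacker real time.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare it in constant time.

    Nothing in the record can be turned back into the password; the server
    only learns whether the candidate produces the same digest.
    """
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))  # no timing leak

def fingerprints(data: bytes) -> dict:
    """Digest the same input with a SHA-2 and a SHA-3 family member.

    Either gives a fixed-size output whatever the input size, and changing one
    input bit changes about half the output bits, which is why a digest can
    stand in for a certificate or firmware image when it is signed or compared.
    """
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "sha3_256": hashlib.sha3_256(data).hexdigest()}

if __name__ == "__main__":
    # Constructed sample: a console password chosen by a cardholder.
    record = hash_password("correct horse battery staple", iterations=100_000)
    print(record)
    print("right password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", record))
    print(fingerprints(b"reader firmware v1.0"))
    print(fingerprints(b"reader firmware v1.1"))
```

The comparison uses `hmac.compare_digest` rather than `==` so that a wrong guess takes the same time regardless of how many leading bytes happen to match; that is the software counterpart of the timing side channels the article mentions for reader chips.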
The second process is the actual encryption and protection of your data. For EAC, there are several areas of concern: hard-wired transmission, mobile credentials, smart cards, Wi-Fi, the internet and the cloud. A customer’s “data in transit” and “data at rest” in the cloud, on servers or elsewhere have to be protected.
Potential Threats
A number of potential threats exist, although hacking a professional-grade smart lock generally isn’t one of them, unlike with their DIY counterparts. Your threat evaluation has to balance the cost against the probability and consequences of an attack. Complex, costly and sophisticated attacks likely won’t be carried out against low-value targets, whereas many organizations and government agencies will demand the highest standards.
We’ve all seen videos of unencrypted cellphones or laptop computers being hacked by a nearby scanner. Chips in readers, cards, fobs or mobile credentials are potentially vulnerable to “side-channel attacks,” which measure timing or emissions to recover an encryption key. Most current EAC systems, however, use hardened chips rated at EAL5+ (Evaluation Assurance Level 5+) for an extremely high level of defeat resistance. If your client’s assets or personnel are potentially vulnerable, you might want to verify that the reader and credential chips have been hardened.
Meanwhile, a Bluetooth Low Energy Technical Advisory was published in 2015 on potential relay attacks. In this type of attack, one person could relay a signal from an exposed device to a conspirator adjacent to a BLE-operated lock. Relay attacks can be a problem with automotive key fobs, but mobile-credential apps verify that the actual transmitting phone is the one that’s registered for a particular door. In addition, transmission-latency triggers, geolocation verification or both thwart such attacks.
Most legacy EAC systems use the Wiegand transmission protocol. Although this 1970s technology is intercepted rather easily, retrofit modules now are available to allow for an equipment upgrade. We’ll explain this shortly.
Contemporary Systems
The Data Encryption Standard (DES) was developed by IBM in the 1970s and adopted by NIST in 1977. A major problem with this technology was the short 64-bit key. The system was first cracked in 1994, and today’s hacker equipment can penetrate DES systems rather quickly. RSA systems also are considered to be inadequate today.
The Advanced Encryption Standard (AES) was developed during the 1990s. The system’s flexibility, security and performance led to NIST adoption in 2000. AES uses a substitution-permutation network with much larger key and block sizes.
In AES encryption, an algorithm scrambles plaintext messages so only the recipient who has the “cipher key” can read the data. Multiple rounds of substitution and transposition encrypt the message, with a new “round key” derived for each round.
Encryption key length can be 128, 192 or 256 bits. AES-128 runs 10 rounds of the encryption process. The seldom-used AES-192 uses 12 rounds, and AES-256 takes 14 rounds of encryption.
The math for AES-128 works out to 240 sextillion possible key combinations. Current supercomputers would take longer than the age of the universe to execute a “brute-force” attack on AES-128-encrypted data. I won’t even try to pronounce how many possible combinations you’d find in AES-256. The bottom line is that AES-128 is considered extremely secure, transmits rapidly and is more than good enough protection for the next several years.
The vast majority of internet, Wi-Fi and cloud communications are protected with the AES-128 encryption protocol. The AES-256 system provides even more security but at the cost of slower transmission. ASSA ABLOY and dormakaba run AES-128, and Allegion uses AES-256, on their Wi-Fi-enabled locks.
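To make the round structure just described concrete, here is a single-block AES encryptor added for this article (it is not the author's code and not production-grade; a real system would wrap it in an authenticated mode such as GCM). It is written from FIPS-197 and assumes nothing beyond the Python standard library; `rounds_for_key` returns the 10, 12 and 14 rounds the article lists, `expand_key` derives the per-round keys, and the encryptor applies the substitution (SubBytes), transposition (ShiftRows), mixing and round-key steps. The key and plaintext in the usage section are the standard's own Appendix C vectors.

```python
# Single-block AES written for this article as an illustration of the round
# structure (not the author's code, not for production use). Follows FIPS-197
# and is checked against that standard's Appendix C test vectors.

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r

def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _build_sbox() -> list:
    """Substitution table: GF(2^8) inverse of each byte, then the affine map."""
    inverse = [0] * 256
    for a in range(1, 256):
        if not inverse[a]:
            for b in range(1, 256):
                if gf_mul(a, b) == 1:
                    inverse[a], inverse[b] = b, a
                    break
    return [b ^ _rotl8(b, 1) ^ _rotl8(b, 2) ^ _rotl8(b, 3) ^ _rotl8(b, 4) ^ 0x63
            for b in inverse]

SBOX = _build_sbox()

def rounds_for_key(key: bytes) -> int:
    """AES-128 runs 10 rounds, AES-192 12 and AES-256 14 (Nr = Nk + 6)."""
    if len(key) not in (16, 24, 32):
        raise ValueError("AES keys are 128, 192 or 256 bits")
    return len(key) // 4 + 6

def expand_key(key: bytes) -> list:
    """Key schedule: derive Nr+1 round keys (four 4-byte words each) from the cipher key."""
    nk, nr = len(key) // 4, rounds_for_key(key)
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]              # extra SubWord in AES-256
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [w[4 * r:4 * r + 4] for r in range(nr + 1)]

def _add_round_key(state, rk):
    return [[state[c][r] ^ rk[c][r] for r in range(4)] for c in range(4)]

def _sub_bytes(state):
    return [[SBOX[b] for b in col] for col in state]

def _shift_rows(state):
    # Row r of the 4x4 state rotates left by r positions (the transposition step).
    return [[state[(c + r) % 4][r] for r in range(4)] for c in range(4)]

def _mix_columns(state):
    # Each column is multiplied by a fixed matrix over GF(2^8).
    return [[gf_mul(a[0], 2) ^ gf_mul(a[1], 3) ^ a[2] ^ a[3],
             a[0] ^ gf_mul(a[1], 2) ^ gf_mul(a[2], 3) ^ a[3],
             a[0] ^ a[1] ^ gf_mul(a[2], 2) ^ gf_mul(a[3], 3),
             gf_mul(a[0], 3) ^ a[1] ^ a[2] ^ gf_mul(a[3], 2)] for a in state]

def aes_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block. A real system wraps this in a mode such as GCM."""
    if len(block) != 16:
        raise ValueError("AES works on 16-byte blocks")
    round_keys = expand_key(key)
    nr = len(round_keys) - 1
    state = [list(block[4 * c:4 * c + 4]) for c in range(4)]  # column-major 4x4
    state = _add_round_key(state, round_keys[0])
    for rnd in range(1, nr):  # rounds 1..Nr-1: substitute, transpose, mix, add round key
        state = _add_round_key(_mix_columns(_shift_rows(_sub_bytes(state))), round_keys[rnd])
    state = _add_round_key(_shift_rows(_sub_bytes(state)), round_keys[nr])  # last round: no MixColumns
    return bytes(b for col in state for b in col)

def keyspace(key_bits: int) -> int:
    """Number of possible keys; a brute-force search tries half of them on average."""
    return 2 ** key_bits

if __name__ == "__main__":
    key = bytes(range(16))  # FIPS-197 C.1 key 00 01 02 ... 0f
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes_encrypt_block(key, pt).hex())  # expected 69c4e0d86a7b0430d8cdb78070b4c55a
    print("AES-128 keyspace:", keyspace(128))
```

Running it prints the Appendix C.1 ciphertext, which is the quickest way to confirm that every one of the 10 rounds, and the key schedule feeding them, is doing exactly what the standard says. The `keyspace` helper makes the brute-force argument checkable: 2^128 keys, half of which an attacker must try on average.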
The Open Supervised Device Protocol (OSDP) was introduced in 2008 by the Security Industry Association (SIA) as a replacement for the unencrypted Wiegand protocol. OSDP is an open-architecture protocol that ensures interoperability between different brands of access control and security equipment. The system uses AES-128 encryption, transmits at far higher data rates and increases hard-wired transmission distances from 500 feet to 4,000 feet. OSDP modules can be placed inside existing legacy reader and controller housings to provide secure communications.
The Keys to the Kingdom
When it comes to working with IP, or internet-based, EAC systems, two basic processes are used to encrypt your secure data. In symmetric encryption, the same key is known to both parties. This method is used in closed systems where outside parties aren’t involved, such as an EAC system inside a facility. The second process is asymmetric encryption, used where secure data is routed through public websites.
These processes generally use transposition, substitution or both for concealment. In some cases, large prime numbers are used, because their products are nearly impossible to reverse engineer (factor).
Asymmetric encryption lets parties who have no previous contact establish secure communication, such as in an email or at a public website. You use this transparent process when uploading customer data to any secure (HTTPS) website. Each party has their own “public” and “private” encryption key. Others encrypt messages to you with the public key you provided; only your private key can decrypt them.
Wi-Fi Integrity
Although Wi-Fi network integrity is in the hands of the IT department, it’s good business to understand how it affects the access control system. Your customer will want their EAC system protected on two levels. The Wi-Fi routers must be secured in addition to encrypting EAC data.
Several threats against a Wi-Fi network are possible. These include an unsecured switchport, a rogue wireless interface added to a networked computer, mis-association with an unsecured nearby network and man-in-the-middle attacks.
Wi-Fi Protected Access (WPA) introduced a 128-bit dynamic key and message integrity check for network security in 2003. WPA2 was introduced in 2004 with an encryption upgrade. WPA3 came online in 2019 with even better encryption for public networks, better brute-force defenses and easier connection to hidden routers. You should be good with using either WPA2 or WPA3 equipment.
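Whether an access point is really running WPA2 or WPA3 is something you can read off its configuration, so here is a small audit script added for this article (not the author's or any vendor's code). It parses hostapd-style `key=value` lines; the option names `wpa`, `wpa_key_mgmt`, `wpa_pairwise`, `rsn_pairwise` and `ieee80211w` are hostapd's, while the weak/acceptable/strong policy and the three sample configurations are this example's own constructions.

```python
# Added example: rate the protection a hostapd-style access point configuration
# offers. The option names (wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise,
# ieee80211w) are hostapd's; the weak/acceptable/strong policy is this example's.

def parse_hostapd(text: str) -> dict:
    """Parse key=value lines, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def rate_wifi_security(conf: dict) -> tuple:
    """Return (rating, reasons) with rating one of 'weak', 'acceptable', 'strong'."""
    wpa = int(conf.get("wpa", "0"))               # 1 = WPA, 2 = WPA2 (RSN), 3 = both
    mgmt = set(conf.get("wpa_key_mgmt", "").split())
    ciphers = set((conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split())
    pmf = int(conf.get("ieee80211w", "0"))         # 0 off, 1 optional, 2 required
    if wpa == 0 or not mgmt:
        return "weak", ["no WPA configured (open or WEP network)"]
    reasons = []
    if wpa & 1:
        reasons.append("original WPA (2003) still accepted; set wpa=2")
    if "TKIP" in ciphers:
        reasons.append("TKIP cipher accepted; allow only CCMP (AES)")
    if reasons:
        return "weak", reasons
    if mgmt == {"SAE"} and pmf == 2:
        return "strong", ["WPA3-SAE only, management frame protection required"]
    if mgmt & {"WPA-PSK", "WPA-PSK-SHA256", "SAE"}:
        if pmf == 0:
            reasons.append("management frame protection off (ieee80211w=0); set 1 or 2")
        return "acceptable", reasons or ["WPA2/WPA3 with CCMP (AES-128)"]
    return "weak", ["unrecognised key management: " + " ".join(sorted(mgmt))]

# Constructed sample configurations for a lock controller's Wi-Fi link.
LEGACY_WPA = """\
interface=wlan0
ssid=EAC-Legacy
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
"""
WPA2_AES = """\
interface=wlan0
ssid=EAC-Secure
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
ieee80211w=1
"""
WPA3_SAE = """\
interface=wlan0
ssid=EAC-Secure
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2
"""

def audit(text: str) -> str:
    """Convenience wrapper: rating only."""
    return rate_wifi_security(parse_hostapd(text))[0]

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_WPA), ("wpa2", WPA2_AES), ("wpa3", WPA3_SAE)):
        print(name, rate_wifi_security(parse_hostapd(cfg)))
```

The first configuration is the 2003-era setup the article describes as superseded; the second and third are the WPA2 and WPA3 setups it says you should be good with, and the reasons list tells the IT department exactly which line to change when an access point falls short.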
We’ve tried to cover the basics on encryption in EAC here, although there’s far more to know if you wanted to wander into the weeds. I hope you found this subject as interesting (if mind-bending) as I have. If some of the concepts still are fuzzy, welcome to the club. Just know that when it comes to encryption, as with physical locks, upgrades always are in the works.
Cameron Sharpe, CPP, worked 30 years in the commercial lock and electronic access industry. [email protected]
Three Basic Encryption Protocols
- AES (Advanced Encryption Standard) encrypts data at rest or in transit.
- SHA (Secure Hashing Algorithm) is a one-way encryption process that verifies the authenticity of a password, certificate or blockchain.
- WPA (Wi-Fi Protected Access) secures your Wi-Fi communications.
Encryption Standards
Among the many encryption standards that exist, here are a few that are particularly pertinent to security systems:
- FIPS PUB 140-2: This Federal Information Processing Standards Publication specifies security requirements for the protection of cryptographic modules within a security system. The areas covered include module specification, ports and interfaces, services, authentication, physical security, operating environment and key management.
- FIPS 201-3 covers personal identity verification (PIV) of federal contractors and employees. EAC systems installed in federal buildings generally will require certification to meet these FIPS standards.