Computer Guard offers a range of solutions for encoding smart cards: generating the encryption keys associated with a client, and then encoding those keys onto the smart cards and into the readers accordingly. We provide this service either as a production service from our office or as desktop software with which the client runs the process itself.
Many clients are not aware of how important it is to protect employee cards cryptographically. In many cases proximity cards of various types are in use, such as EM4100, TK4100, Temic T5557, and even MIFARE cards, which are sold as "smart cards" but are frequently deployed with no smart capability and certainly no protection or encryption. The common denominator is that the reader only reads the serial number (UID) of the internal chip, a value the card transmits to anyone who asks and that sits behind no layer of security. The paradox is that the customer believes they are getting a "smart card", while in reality these cards behave like a simple magnetic-stripe card that is easy to copy and counterfeit. Because there is no secret on the card, it can be copied and cloned easily, and the result is impersonation of the cardholder, unauthorized access to the organization, and a significant security breach.
The solution is to use genuine smart cards that support keyed encoding and encryption of the data both on the card and at the reader, for example HID SEOS cards and MIFARE DESFire EV2/EV3 cards.
How does it work? The data, such as a unique card number or any other payload, is stored in a protected area of the card's memory (on DESFire, an application and the files inside it). Reading or writing that area requires the reader to authenticate with the matching secret key. Without the key the card releases nothing but its serial number, and DESFire EV2/EV3 can additionally be configured to present a random serial number on each read, so that even the UID is not a stable identifier for an attacker.
In the context of access control, authentication between a smart card and a reader is the process that establishes that the credential and the reader are entitled to talk to each other. The two exchange a short series of transactions (a matter of milliseconds) in which each side proves knowledge of the shared secret key, typically by answering a random challenge from the other side. Only once this mutual authentication succeeds is the format or data written into the card's secure memory read out, encrypted under a session key, passed to the reader, decrypted there, and forwarded to the control panel for the access decision. Two practical consequences follow: the reader itself holds key material and must protect it (in a secure element or SAM rather than in plain firmware, so a stolen reader does not give up the site key), and the link from reader to panel deserves the same scrutiny, because an unencrypted reader-to-panel wire undoes much of what the card's encryption bought.

Key management and storage are therefore of considerable importance. When an organization decides to adopt high security for its employee cards, the safeguarding and storage of the encryption keys matters as much as the cards themselves. If the keys are exposed in any way, or end up in the hands of unauthorized individuals, what is the point of using keys at all?
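The following Python model is an added illustration, not code from Computer Guard, HID or NXP, and it does not implement the real DESFire or SEOS protocols. It shows the security-relevant difference between a UID-only proximity card and a keyed card: a legacy reader that trusts the serial number accepts a clone, while a reader that runs challenge-response mutual authentication against a key-protected file rejects both a UID-only clone and a card carrying the right UID but the wrong key. HMAC-SHA256 stands in for the AES (or 3DES) used by real cards, the "encryption" of the secure file is a toy HMAC-derived XOR keystream, and the per-card key derivation from a site master key (key diversification) is a common deployment practice assumed here rather than something the page describes. All keys, UIDs and credential values are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample values (not from any real deployment).
SITE_MASTER_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
CARD_UID = bytes.fromhex("04a1b2c3d4e5f6")
CARD_CREDENTIAL = b"FAC=1234;ID=000042"


def diversify_key(master_key: bytes, uid: bytes) -> bytes:
    """Per-card key derived from the site master key and the card UID.
    Assumed practice: real readers use an AES-based derivation; HMAC-SHA256 is
    used here only so the example runs with the standard library."""
    return hmac.new(master_key, b"card-key|" + uid, hashlib.sha256).digest()


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def keystream_xor(session_key: bytes, data: bytes) -> bytes:
    """Toy stream cipher for the session: XOR with HMAC-derived blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = mac(session_key, b"ks|" + i.to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class UidOnlyCard:
    """Proximity credential: it hands its serial number to anyone who asks."""
    def __init__(self, uid: bytes):
        self.uid = uid

    def read_uid(self) -> bytes:
        return self.uid


class KeyedCard(UidOnlyCard):
    """Credential whose secure file opens only after mutual authentication."""
    def __init__(self, uid: bytes, card_key: bytes, credential: bytes):
        super().__init__(uid)
        self._key = card_key
        self._credential = credential
        self._rnd_a = self._rnd_b = self._session_key = None

    def auth_respond(self, rnd_a: bytes):
        """Pass 2: prove we hold the key for the reader's challenge, issue ours."""
        self._rnd_a, self._rnd_b = rnd_a, os.urandom(16)
        return self._rnd_b, mac(self._key, b"card|" + rnd_a + self._rnd_b)

    def auth_finish(self, reader_proof: bytes) -> bool:
        """Pass 3: verify the reader holds the key before opening a session."""
        expected = mac(self._key, b"reader|" + self._rnd_b + self._rnd_a)
        if not hmac.compare_digest(expected, reader_proof):
            return False
        self._session_key = mac(self._key, b"session|" + self._rnd_a + self._rnd_b)
        return True

    def read_secure_file(self) -> Optional[bytes]:
        if self._session_key is None:
            return None  # no authenticated session: the file stays closed
        return keystream_xor(self._session_key, self._credential)


class KeyedReader:
    """Reader holding the site master key (in a secure element/SAM in practice)."""
    def __init__(self, master_key: bytes):
        self._master_key = master_key

    def read_credential(self, card) -> Optional[bytes]:
        if not hasattr(card, "auth_respond"):
            return None  # UID-only card: nothing it can prove
        card_key = diversify_key(self._master_key, card.read_uid())
        rnd_a = os.urandom(16)
        rnd_b, card_proof = card.auth_respond(rnd_a)
        if not hmac.compare_digest(mac(card_key, b"card|" + rnd_a + rnd_b), card_proof):
            return None  # wrong key: a clone, or a card from another site
        if not card.auth_finish(mac(card_key, b"reader|" + rnd_b + rnd_a)):
            return None
        session_key = mac(card_key, b"session|" + rnd_a + rnd_b)
        return keystream_xor(session_key, card.read_secure_file())


def uid_only_reader_accepts(card, allowed_uids) -> bool:
    """Legacy reader: the serial number alone is the credential."""
    return card.read_uid() in allowed_uids


def demo() -> dict:
    genuine = KeyedCard(CARD_UID, diversify_key(SITE_MASTER_KEY, CARD_UID), CARD_CREDENTIAL)
    uid_clone = UidOnlyCard(CARD_UID)                 # serial number copied, nothing else
    keyed_clone = KeyedCard(CARD_UID, os.urandom(32), b"")  # right UID, guessed key
    reader = KeyedReader(SITE_MASTER_KEY)
    return {
        "legacy_accepts_uid_clone": uid_only_reader_accepts(uid_clone, {CARD_UID}),
        "keyed_reader_genuine": reader.read_credential(genuine),
        "keyed_reader_uid_clone": reader.read_credential(uid_clone),
        "keyed_reader_keyed_clone": reader.read_credential(keyed_clone),
    }
```

The model also shows why key storage matters: whoever holds `SITE_MASTER_KEY` can derive every card's key and mint credentials the reader cannot distinguish from genuine ones, which is the situation the next section is about.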
There are two main approaches to this issue:
- The Bank Approach – Just as we deposit our money in a bank we trust rather than leaving it in someone's hands, we should deposit encryption keys with an organized and secure official body. HID operates on this principle: a company that acquires employee cards using SEOS technology gets unique encryption keys generated for it and stored in secure vaults at HID, for the benefit of, and exclusively for, that company.
- The more "Open" Approach – Anyone can create the keys, and how they are stored is up to each organization. On one hand, the organization is not "dependent" on a single card manufacturer. On the other hand, this method is more exposed to human error: if the encryption keys are held by one specific person and tomorrow that person leaves the organization without handing the keys over in an orderly way, that is a problem. The level of safeguarding these sensitive keys receive should match the security level and the impact of a compromise on the organization. If malicious actors inside or outside the organization manage to access the encryption keys, they endanger the entire organization, because with the keys they can produce cards that readers cannot tell apart from genuine ones.
Computer Guard, as HID Global's business partner in Israel, promotes SEOS technology solutions for card and reader encryption. We also offer solutions and tools for generating keys and storing them independently.