Missouri Sheriffs and Jail administrators came together in October. They’re passionate about securing county detention centers!
By Neal Bellamy, IT Director at Kenton Brothers
A couple of months ago, we talked about higher levels of security and Multi-Factor authentication for your computers and servers. Today, I’d like to bring that discussion back to Commercial Access Control.
Cards and Fobs are the number one method of gaining access to your building.
Cards and fobs identify the “cardholder” with a string of bits (ones and zeros). Those bits are broken down into a “Facility Code” and a “Card Number”. The facility code is used to group the cards together or designate that a card belongs to a certain building. Additionally, the cards weren’t originally encrypted, meaning that if you had the right technology, you could read any access card.
Even worse, on the common 26-bit access cards, there are only 256 unique facility codes and 65,536 unique card numbers. I’m pretty sure there are more than 256 companies using commercial access control. I don’t want to spend a lot of time talking about old technology… but I implore you: If you’re using true proximity cards (there are a lot of you out there), come talk with us about using an encrypted card that can’t be easily duplicated!
Okay, so if most cards aren’t that secure, how do we make things better?
Step 1: Encrypt the card
Encryption for the cards and readers has been around for a while. As an example, HID iClass was introduced in 2002. The general premise is that the card is encrypted with a Public Key Infrastructure or PKI. Then the reader is loaded with the matching key. When the card is presented, the reader decrypts the credential and gives the access control system the unencrypted credential number. This number can still just be the same 26 bits as above, but only a reader with a matching key can read the credential.
Several technologies use encryption as a base layer of protection including HID iClass, Mifare, and FeliCA. There are several variations for each type.
Step 2: Increase the “uniqueness” of the card
Now we have a card that can’t be read by every reader in the world. However, there is still a good chance, with only 26 bits, that the exact sequence of bits exists on another card somewhere. The answer is simple… increase the number of bits. For every bit you add, you increase the possible card numbers by a power of 2. (16 bits = 65,535 possibilities, 17 bits = 131,072.)
The common 37-bit format allows for 65,536 facilities (16 bits) and 524,288 cardholders (19 bits). Although 37 bits allow for more variation in the sequence, there is still a chance of overlap. An even better solution is one where your “Facility code” is registered and can never be duplicated.
Several card manufacturers offer a program where your facility code is guaranteed to be unique. HID Corporate 1000 is one such offering; Gallagher does this by default.
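As an added example (not code from the original post), here is a small Python encoder/decoder for the 26-bit and 37-bit credential formats described above, which makes the facility-code/card-number split and the size of each keyspace concrete. The parity layout follows the standard HID H10301 (26-bit) and H10304 (37-bit) definitions, which is an assumption beyond what the post states.

```python
# Added example: encode/decode the 26-bit and 37-bit Wiegand formats discussed
# in the post and report the facility-code / card-number keyspace of each.
# Parity spans assume the standard H10301 / H10304 layouts.
from dataclasses import dataclass


@dataclass(frozen=True)
class WiegandFormat:
    name: str
    total_bits: int
    fc_bits: int        # facility code width
    cn_bits: int        # card number width
    parity_span: int    # data bits covered by each of the two parity bits


# 26-bit H10301: 1 even parity + 8 FC + 16 CN + 1 odd parity
FMT_26 = WiegandFormat("26-bit", 26, 8, 16, 12)
# 37-bit H10304: 1 even parity + 16 FC + 19 CN + 1 odd parity
FMT_37 = WiegandFormat("37-bit", 37, 16, 19, 18)


def keyspace(fmt):
    """Distinct credential values a format can express (parity adds none)."""
    return {"facility_codes": 2 ** fmt.fc_bits,
            "card_numbers": 2 ** fmt.cn_bits,
            "total": 2 ** (fmt.fc_bits + fmt.cn_bits)}


def encode(fmt, facility_code, card_number):
    """Return the bit string: even parity, FC bits, CN bits, odd parity."""
    if not 0 <= facility_code < 2 ** fmt.fc_bits:
        raise ValueError("facility code does not fit in %d bits" % fmt.fc_bits)
    if not 0 <= card_number < 2 ** fmt.cn_bits:
        raise ValueError("card number does not fit in %d bits" % fmt.cn_bits)
    data = (format(facility_code, "0%db" % fmt.fc_bits)
            + format(card_number, "0%db" % fmt.cn_bits))
    lead = str(data[:fmt.parity_span].count("1") % 2)        # even parity, leading span
    trail = str(1 - data[-fmt.parity_span:].count("1") % 2)  # odd parity, trailing span
    return lead + data + trail


def decode(fmt, bits):
    """Split a bit string into (facility_code, card_number); rejects bad length/parity."""
    if len(bits) != fmt.total_bits or set(bits) - {"0", "1"}:
        raise ValueError("expected %d bits of 0/1" % fmt.total_bits)
    data = bits[1:-1]
    if bits[0] != str(data[:fmt.parity_span].count("1") % 2):
        raise ValueError("leading (even) parity mismatch")
    if bits[-1] != str(1 - data[-fmt.parity_span:].count("1") % 2):
        raise ValueError("trailing (odd) parity mismatch")
    return int(data[:fmt.fc_bits], 2), int(data[fmt.fc_bits:], 2)
```

Running `keyspace(FMT_26)` gives 256 facility codes and 65,536 card numbers, and `keyspace(FMT_37)` gives 65,536 and 524,288, matching the figures in the post.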
Another strategy for creating a unique card is to not use a card at all. Biometrics fall into this category.
The premise is that by providing a “reader” that reads a unique feature of a person and then sends the 1s and 0s to the access control system, the credential can be duplicated when all those things are combined in the right order. Hand scanners, fingerprint readers, vein readers, iris scanners, and facial recognition all fall into this category.
Biometric readers solve or circumvent many of the issues above. No encryption is needed between the credential (the person being read) and the reader because a person can’t be duplicated. The systems can even tell twins apart.
The downside to biometrics has been ease of use. Biometric systems require enrollment to create and store the “credential”. Early adopters also faced a reliability issue where the biometric was not recognized even if it was the right person. This false negative issue has mostly been resolved. With the right biometric system in place, I would argue that it is better than any card-based system. It cannot be reasonably duplicated and cannot be lost or shared.
If we decide that we don’t want to use biometrics, we at least have a card that’s encrypted and probably (or guaranteed) unique. However, we still just have one form of authentication. If your card gets lost or stolen, someone has access to your facility until you can get it disabled. That’s where multi-factor authentication comes in.
Step 3: Multi-factor authentication
Multi-factor authentication comes in many flavors. The oldest is “pin and prox” (the prox part can and should be encrypted and unique), where the person presents the credential and then enters a PIN on the reader. Biometrics can also be used as a second form of authentication: the user presents their credential and then presents their biometric. This use of biometrics is even more secure than biometrics alone. Instead of the biometric matching anyone in the database, it has to match the same person that presented the card. Dual-factor authentication doesn’t have to be on every door in your facility. It could be used for the exterior doors only, highly sensitive doors only, or any combination.
So far, we haven’t talked about the latest tech in credentials, which is using your phone as a card.
Using Your Phone as a Card
Multiple vendors offer a “mobile” credential, but they all work similarly. An application on your phone receives an encrypted package that identifies who you are. When you present your phone to the reader, it sends the 1s and 0s to the access control system. If this sounds exactly like a unique encrypted card… it is.
As an administrator, you can configure the application to require a second form of authentication (PIN, fingerprint, face) in order to send the credential to the reader. Now you have a uniquely encrypted credential with two-factor authentication, without the headache of enrolling users in a biometric database. Mobile credentials aren’t compatible with all systems, and some systems offer easier management of mobile credentials than others. That said, mobile credentials are going to be the next wave of authentication. They provide ease of use and high security in a single package.
Want to know more? Give us a call!
By David Strickland, Vice President of Kenton Brothers
Federal agencies and companies that do business with them:
NDAA Section 889 B is now in effect.
The Federal Government alone experiences hundreds of thousands of digital assaults every day. Malicious actors are persistent, usually well-funded and constantly changing their tactics. They often exploit technologies from the identified Chinese companies to do so. The Administration shares Congress’ strong commitment to addressing insidious threats to the Nation’s national security and intellectual property.
In an effort to protect the nation’s systems and data, the National Defense Authorization Act (NDAA) was enacted in July 2019 with two distinct phases:
Part A – The Government Cannot Obtain Prohibited Telecom
Part A became effective on August 13, 2019. Part A prohibits the government from obtaining (through a contract or other instrument) certain telecommunications equipment (including video surveillance equipment) or services produced by the following covered entities and their subsidiaries and affiliates:
- Huawei Technologies Company
- ZTE Corporation
- Hytera Communications Corporation
- Hangzhou Hikvision Digital Technology Company
- Dahua Technology Company
Hangzhou Hikvision Digital Technology Company and Dahua Technology Company are two of the largest commercial video surveillance manufacturers in the world. They operate and distribute through OEM (Original Equipment Manufacturer) arrangements under over 100 brands around the globe.
For a complete and updated list, check out IPVM here. IPVM is a great resource for ongoing list changes.
What may shock companies and agencies throughout the Midwest and beyond are a few of the names on those lists including:
- FLIR – Specific Models
The Department of Defense has the authority to add additional companies to this list at any time. Part B outlines that these items need to be removed by August 13, 2020 or a waiver needs to be submitted allowing for more time.
This order applies to all companies that do business with the Federal government, in any capacity and at any level.
Part B – Government Contractors Cannot Use Prohibited Telecom
Part B is effective August 13, 2020.
Part B prohibits the government from contracting with any entity that uses certain telecommunications equipment (including video surveillance equipment) or services produced by the entities listed in the statute.
- The Government cannot contract with an entity that uses covered telecommunications equipment or services as a substantial or essential component of any system or as critical technology as part of any system.
- Prohibition applies regardless of whether or not that usage is in performance of work under a Federal contract.
- The prohibition applies to every sector and every dollar amount. Your ability to enter into contracts with the Government will be impacted by Part B.
- After conducting a reasonable inquiry, entities will represent whether they do or do not use prohibited telecommunications equipment or services.
Part B has been added to the Federal Acquisition Regulation (FAR) at FAR subpart 4.21.
RECOMMENDED CONTRACTOR COMPLIANCE ACTIONS
- Regulatory Familiarization. Read and understand the rule and necessary actions for compliance.
- Corporate Enterprise Tracking. Determine through reasonable inquiry whether you use “covered telecommunications” equipment or services.
- Education. Educate your purchasing/procurement, and materials management professionals to ensure they are familiar with the entity’s compliance plan.
- Cost of Removal. Implement procedures if the entity decides to replace existing covered telecommunications equipment or services and ensure new equipment and services acquired for use by the entity are compliant.
- Representation. Provide representation regarding use and alert the Government if use is discovered during contract performance.
- Phase-out Plan and Submit Waiver Information. Develop a phase-out plan and provide waiver information to the Government along with the complete laydown of the presence of the covered telecommunications equipment or services.
- Federal Acquisition Regulation; Federal Acquisition Circular 2020-08; Small Entity Compliance Guide
- YouTube Video – Explains many of the rules associated with Rule 889
Please let Kenton Brothers know if you have questions on navigating Rule 889.
By Ryan Kaullen, Field Services Manager at Kenton Brothers
Kenton Brothers has the honor and privilege of working with many types of customers including government entities. Recently, a governmental client located in the state of Missouri wanted to expand their access control system. The goal was to deploy it globally across their different physical sites across the state.
You may ask, “What’s a Global Solution?” Think of it like an ecosystem that enables users to knit together an entire security management system & video management system under one, centrally controlled, and distributed network.
This specific customer uses S2, an access control platform that Kenton Brothers supports and installs. This access control application made sense for the customer for many reasons, including the ability to monitor and manage multiple locations centrally. They can quickly build reports that run on a schedule, make security changes immediately that are reflected across the entire system, and build and administer global access levels that grant permissions across the entire organization.
Our S2 based solution took care of a major need for this customer. Previously, they were using a collection of off-line systems. These included mechanical systems with no audit capabilities and individual access control systems with no standardization.
The S2 Global solution allows them to have standardized security across all of their sites. They’ve reduced their liability, upgraded their commercial security, and adopted a centrally managed system. The results? Their business is more efficient, they receive expedited alerts of security issues, and they have the ability to expand their coverage across future sites down the road.
Whether Kenton Brothers’ clients need a standalone system or something as intricate as a global deployment for their business needs, we are able to help and guide our customers down the path that best protects their people, property, and possessions.
Contact tracing is the process of identifying people who may have come into contact with an infected person, and collecting information about these contacts.