Why would anyone consider challenging the status quo? Many airport owner/operators use proximity badges for access control. Just wave the prox badge at the reader, maybe enter a PIN code, and the door opens. Easy to use, familiar to all, and widely installed. Enter RFID — what exactly is it? Is a prox badge just another form of RFID? Following is an analysis of RFID as it pertains to access control and overall security at airports, from a veteran entrenched in the various industry working groups looking at its future application.
It may be better to discuss access control in terms of RF-enabled identity (ID) technologies that provide these capabilities. What exactly is the breadth of RF technology used for ID and access control? It is easy to become confused about RFID when there are different technologies claiming to be RF-enabled ID solutions. What is the threat/risk profile when you make a procurement decision for the RF-enabled ID credential technology used within your facility?
As a quick overview, RFID — radio frequency identification — encompasses a number of technologies. Anything that uses radio frequency to communicate with a reader for ID applications falls into the category of RFID. The challenge is understanding the application environment and understanding the security implications of that application. Typically, an RFID tag uses radio frequency transmission to send an ID number to a reader. Some are more secure than others. All have a place in the airport environment. Our concern is around security and access control, so some do not belong in that application.
RFID is used in many applications:
- logistics and electronic product codes;
- vehicle tracking and toll collection;
- proprietary access control systems;
- standards-based ID documents; and
- standards-based ID and access control.
Logistics tracking - the wal-mart example
The buzzword RFID historically was not associated with secure identity and access control applications. Rather, it was more frequently associated with identifying packages and pallets and tracking them within logistics applications. Wal-Mart made quite a splash with its intention to require all suppliers to deliver products and goods to them with RFID tags. The goal: more efficient inventory management and cost reduction. (The fear: the shirt that I bought will have an RFID tag on it, enabling anyone to track me after I leave the store.)
One of the key players in this view of the RFID industry is EPCglobal. Its website (www.epcglobalinc.org) says that “EPCglobal leads the development of industry-driven standards for the Electronic Product Code (EPC) to support the use of Radio Frequency Identification (RFID) in today’s fast-moving, information rich, trading networks.” EPCglobal’s core standard for this technology is known as the EPC Gen-2 RFID tag.
In response to the Wal-Mart brouhaha, EPCglobal did the right thing. It defined a set of guidelines for the use of its technologies in consumer goods (www.epcglobalinc.org/public/ppsc_guide/). It addresses core issues: notice to consumers about the RFID tags, how to find them, how to disable them. This enables the consumer to avoid being tracked, yet allows the retailer to gain the benefits in logistics to the supplier.
Migration of RFID to ID and Access Control
If RFID tags are for logistics, why even discuss them in the context of airport access control and security? Just look at the Department of Homeland Security (DHS) and you can see why. DHS has announced that it is using the EPC Gen-2 tag for human identification applications to cross the nation’s land and sea borders, via the Western Hemisphere Travel Initiative.
The State of Washington, in partnership with DHS, is piloting this technology for its citizens in a new driver’s license. For that state, this is a critical service to its citizens, enabling ease of access across the northern border.
Consider also the use of secure RF-enabled ID technology in the new electronic passports being issued by the State Department to U.S. citizens. Consider that any deployed proximity badge access control system uses a form of RFID. Even the new FIPS 201 for Personal Identity Verification uses secure RF-enabled ID technology.
What are the differences? What are the threats and risks when they show up in the airport environment? If they are all just RFID, why shouldn’t an airport owner/operator consider using any or all of these for access control?
The Smart Card Alliance has done some excellent work in discussing the pros and cons of the RFID debate. Its members include organizations that sell RFID tags per the EPC Global Gen-2 standards, Electronic Passport systems, proximity badge systems, and FIPS 201-compliant solutions. This depth of membership is important — the answer is not always “smart cards solve all problems.” The alliance has developed a robust body of work on this topic (visit www.smartcardalliance.org/pages/publications-rf-enabled-applications-and-technology).
Two diagrams [shown here] relevant to this article are found in the alliance’s published works:
- Figure 1 - Range of RF-Enabled Applications shows a continuum of RF-enabled technologies. It provides a way of looking at the sensitivity of the information and application next to the technologies that provide the security to protect that information.
- Figure 2 - RF Technology Standards and Applications provides a view of the governing standards and how they fit into these applications.
Let’s look at this material in light of the airport owner/operator’s needs, and discuss them in order. For the airport environment, we need to discuss RF-enabled applications in:
- today’s proximity badges for door access;
- long read range EPC Global Gen-2 RFID tags;
- vicinity-based solutions;
- secure proximity-based solutions; and
- security issues around these technologies.
RFID for access control systems used to be a nice, closed world. It was all about access control and very little about identity. Systems over the last 10 years largely operated on the proprietary solutions in the 125 KHz band. They are easily used, and simply waving the badge near the reader is sufficient. A security director for the airport would procure badges that were pre-coded to work only at their airport by their vendor of choice. The vendor would not sell those codes’ ranges to any other organization.
But this is more security-by-obscurity than true security. The codes are transmitted in the clear, with no access control between the badge and the reader. As shown in Figure 1, these solutions fit nicely in the low to medium sensitivity and security requirements for “door access cards” — as long as it stays local, this works quite well.
This solution is dominant today and is now being evaluated as entering ‘end of life.’ Why? Essentially, the market is shifting from a closed environment to a federated environment. The code numbers (a.k.a. credential numbering scheme) must scale beyond the local buildings. Consider that many airports are within close proximity of seaports, rail, or other airports. Within that region, it may be desirable for one ID credential to work across all facilities. If so, a more open environment is necessary.
Consider next the use of EPC Gen-2 RFID tags in access control and airport operations. An immediate fit for these tags, provided the economics works out, is in baggage tags and bag handling operations. Additionally, they work well in some airport environments to provide a surveillance capability — where is Joe at this very moment? RFID tags of this nature have very long read ranges and the RF frequency being ultra high frequency (850-900MHz) enables them to be read through clothing, luggage, etc.
Some airport solutions activate a tag within the access control system when one enters the facility, tracks the individual within the area, then de-activates them as the person exits the facility. Tags found within an area that were not appropriately activated trigger an alarm.
But what happens when you use this technology and the EPC Gen-2 RFID tag leaves the facility and goes home with the individual it was assigned to? Consider a story published by The Seattle Times regarding the use of the DHS-sponsored EPC Gen-2 RFID tag in that state’s driver’s licenses:
“The properties of RFID that make it convenient also make it inherently insecure, said experts at a policy roundtable on RFID held Thursday at the University of Washington Law School.
“RFID tags are essentially like bar codes in that they typically store a unique identifying number. But unlike bar codes, RFID tags have the ability to be read silently, from a distance, while moving, in the dark, and even through material.
“That means one difference between the current license and the new one is that with the RFID tag, information on the license can be read remotely without the owner knowing about it.
“Security expert Dan Kaminsky states, ‘RFID tags can easily be reverse-engineered and replicated, and a huge market exists for information on people’s travel and buying habits.’”
Translate this into security-related actions at an airport. Who wants to know who is coming and going into the airport? What would happen if an attacker clones an RFID tag that’s known to have access to areas of interest and 50 attackers access your facility within one hour? How do you establish linkage between the RFID tag and the human to ensure that only the individual assigned has access to the facility?
Since the RFID tag has minimal storage capability and no inherent mechanism to protect any information, all access information (and potentially biometric information) must be centralized in a database. How are we to protect this database from leakage or outsider attack? Do local laws and regulations allow you to have such a database?
A state of transition
The state of the industry in access control and ID technologies is in a huge transition. Just using RFID in a basic sense now creates external risks that go outside of the airport facility, so security directors must consider the threat/risk profile of what can happen outside their facility. Are you enabling tracking and profiling of employees? Can the technology resist being cloned and used within the facility? Does the long range read of an EPC Gen-2 tag make it easier to track or clone? What are your defenses to these issues?
Security experts have long held the belief that biometrics may hold promise for enabling the use of RFID tags or deployed proximity badge solutions within the access control environment. But stories like that published by eWeek entitled “The Security of Biometrics: Two Screws and a Plastic Cover” highlight how security is a systems solution, not an individual technology solution. The article demonstrates that the proximity card’s ID number is all you need. One can bypass the biometric reader and signal the system to open the door. This calls into question the use of easily cloned RFID tag technologies that do nothing to defend themselves. And it calls into question systems that rely on the ID number as the actual security decision attribute.
HID’s iClass product line helps mitigate these risks. iClass can use cryptographic keys instead of just ranges of ID numbers as the leading security element. If the iClass badge cannot generate the right cryptogram, the reader will reject the ID badge. This is a significant step in the right direction.
Yet it does have shortcomings. It is still aimed at local operations of a local facility and may not federate well into larger environments. Many airport owner/operators are already migrating to iClass — this is a good thing, but the open standards enabling federation (also supported by HID) are next in line, and security directors should look to the future in making any upcoming procurement decisions.
The Way Forward
If proximity badges, RFID tags, and vicinity tags are not the answer for the next generation of ID and access control, what is? Figure 2 does a nice job of showing the transitions we can expect as we enhance our security postures for ID and access control using RF-enabled technologies in an airport environment.
A driving force in making this decision is recognizing one of the key changes in the security of access control: we must link the human to the ID credential to the request for access, anytime that an access decision is to be made for a sensitive area of an airport. There are many ways to establish this linkage, but in our emerging federated ID environments, a key factor is placing ID information about the human on the credential and keeping that data appropriately secure to meet both privacy and access security objectives.
The grandaddy of them all that has the ID part right is the ePassport being issued by the Department of State. In this case, it is important to know that a passport, as a travel document, is intended to be read — even between hostile nations. Consider that a North Korean passport must be read by the U.S., Iran, Iraq, France or Russia. In this environment, no one is willing to share secrets or cryptographic keys to enable a country to read the issuing country’s passport. The passport books incorporate digital signatures on the information, the Basic Access Control (BAC) protocol, and shielding in the booklet covers to protect the information. These protections implemented by the ePassport enable the passport holder to control who can read the data (you must hand the passport to the reader and open it for the RF functions to work), and they must then use data found on the printed page to gain access to the electronic information.
Stories about ePassport being broken into are interesting. Typically, the attacker describes being able to copy the electronic passport data for an individual’s passport and to “easily” be able to decode the electronic data. Again, these documents are designed to be read. They certainly meet that objective. No attacker, though, has ever indicated that this data can be changed without detection. And this is the crucial element of ID applications.
The issuer controls the ID assertion and no one can fake it anymore. (See the recent statement about ePassport security by the Smart Card Alliance for additional insight into this issue.)
The methods used by the ePassport are sufficiently strong that it is anticipated that TSA will use a derivation of this method in the TWIC credential for biometric access control solutions.
Figure 2 shows us that we are in a migration away from proprietary technologies and islands of security and into a realm of technologies that support federation, enabling both secure ID and secure access control — all using RF-enabled ID technologies. The leader emerging in this marketplace is the ISO 14443 proximity technology. This solution enables ID and access control technology providers to use cryptography and provides sufficient storage for ID information relevant to the access control environment. The shorter read range avoids having a door open for Joe (who does not have access) when Jane (who does have access) happens to walk by.
It’s amazing that this area has gotten so complicated, but that’s the technology marketplace at work. It provides options and capabilities that we must evaluate carefully against our threat/risk profiles. Airport owner/operators and security directors must be extremely careful around selection of access control technologies. Use of RFID or proximity badges augmented by central databases containing ID and biometric information about all individuals with access to a facility may not be an option, due to legislative restriction or privacy issues. And, use of vicinity badges may meet local security objectives, but not regional or national objectives.
Identity and access control in the aviation environment deserves stronger assurance linking the human to the credential to the access decision. Look carefully and you will see that secure ISO 14443-based solutions are a key element of your next access control system.