Access control system solution based on national secret CPU cardRead: 983 Release time: 9/16/2019
In March 2008, German scholar Henryk Plotz and Ph.D. student Karsten Nohl of the University of Virginia disclosed on the relevant website that they used reverse engineering to crack the hardware of the logical encryption algorithm used by the Mifare one, the M1 chip. Cracking method. The news that the M1 chip was successfully cracked attracted the close attention of our country's relevant departments in early 2009. Because its security involves the interests of many operating units and cardholders, the National Cryptographic Administration of National security needs, issued a notice to the central and state authorities on the "letter to assist in the password management of IC card systems" and "the guide to the application of important access control system passwords", the transformation of new or existing important RFID electronic access control systems And upgrade put forward specific requirements, and gave related password application methods, method guide.
This year, the No. 1 document issued by the Guangdong Provincial Cryptographic Administration clearly requires that the provincial authorities and the IC card access control card system invested and constructed by the government must comply with the "Guidelines for the Application of Important Access Control System Passwords" formulated by the State Password Administration. The issuance of the notice opened the curtain on the upgrade and reform of IC card access control card systems in various provinces and cities. It is also another major move after the Ministry of Industry and Information Technology of the People's Republic of China and the State Administration of Password issued a clear request for this work in 2009. This proves that the time is ripe for the upgrade and reconstruction of IC card access control card system.
2. Important technical points of access control system
Most of the access control systems built before are ID cards or IC cards. Even IC cards use the physical card number of the IC card as the application ID, and the security of the system is weak.
The National Secret Access Control Guide requires important access control systems to use CPU cards based on domestic cryptographic algorithms. Compared with traditional access control systems, security has been strengthened in the following areas:
Card: The card requires a CPU card based on the national secret algorithm. The non-contact CPU card has a built-in CPU, a storage unit, and a chip operating system COS, which can implement data storage, encryption and decryption processing, and communication processing. The security authentication mechanism of the CPU card is stricter, including two-way authentication with the machine, key management, card personalization, and application process. The national secret CPU card is characterized in that the cryptographic algorithm used in the authentication and key management process is a domestic cryptographic algorithm. The use of national secret CPU cards requires corresponding processing capabilities and security of the access control sensor.
Access control sensor: Since the national secret CPU card uses a domestic cryptographic algorithm, the symmetric key system and the same cryptographic algorithm are used between the access control sensor and the CPU card, and the access control sensor is required to have corresponding processing capabilities. The radio frequency interface of the access sensor still complies with the IC card ISO 14443 specification. Compared with the traditional access control sensor, the national secret access control sensor usually uses a SAM card module as a cryptographic computing module to achieve two-way authentication with the CPU card. This is similar to the bank card machine.
Access controller and background: The access controller and background are similar to the traditional one and use TCP / IP. Or 485 interface.
3. National Security CPU Card Issuance
State secret CPU card issuance includes 3 steps:
CPU card structure is established. The CPU card file system is planned, including main files, key files, basic information files, personal basic information files, application files, record files, and so on.
Key filling. Including master key, application key, management key, etc.
personalize. The card issuer writes relevant information to the personal information file, application file, etc. according to the card issuer key.
4. The national secret transformation plan of the traditional access control system
The reconstruction of the national access control system of the original access control system mainly involves the following points:
1. Card: The card needs to be replaced with a national secret CPU card.
2.The access sensor needs to be replaced with an access sensor that supports the national secret algorithm.
3. The card issuing system needs to be replaced.
4. The Wigan interface is used as the interface between the access controller and the access sensor. The original system can be used for the access controller and the access background. If you use a non-Wiegand interface, you need to provide an interface protocol for interface development, otherwise you need to replace the access controller and the background.
The specific transformation plan is as follows:
1) Replace the access sensor
All access sensors need to be replaced with national secret access sensors. National secret access sensors are connected to the access controller using Wiegand 26 or 34.
2) CPU card issue
The user uses the national secret card issuer and card issuing software to issue the national secret CPU card. The card can write user information, such as user name, department, and unit; user application information, such as application ID.
If the original access control system uses M1 card sector data to store application data, the original application ID data can be written into the user application data file; if the original access control system uses card physical card number data, the card number data can be written into the CPU card application file. Background system data and access controllers do not need to be reauthorized.
3) Transformation process
In order to ensure that the original access control system is not affected during the transformation, there are two ways for the transformation process:
Method 1: Connect the access sensor during the transformation. The national secret access control sensor and the original access controller are connected in parallel. During the modification, the user swipes different cards on different access sensors. After the system transformation is completed, the original access sensor is removed and the original access card is retracted.
The disadvantage of the first method is that two access sensors need to be connected at the door, which has space requirements, and the wall surface left after the original sensor is removed needs to be processed after removal.
If the customer has the key of the original access card, the provided national secret access control sensor ZCR111s can be configured through the configuration method, so that the original access card can be read, that is, the original access card and the national secret access card are supported at the same time. So you can directly replace the original access control sensor and install the new national secret access control sensor in the same location.
5. Combination of State Secret Access Control System and Access Control System
The CPU card used in the state secret access control is not a new technology that has only recently appeared. The CPU card has been used for many years in many high security requirements applications. For example, all bolile phone SIM cards are CPU cards. At present, communication operators are vigorously developing card cards. Bolile phones also have near-field communication capabilities, such as RFID-SIM, SIMPASS, and NFC. The bolile phone non-contact application is based on the CPU card, and its application model is consistent with the national secret CPU card. In government and enterprise units, it is more convenient to open a door with a bolile phone than with a card. bolile phone card is also a card for government and enterprise unit access control system transformation, it is recommended to choose the support of national secret CPU card and mobilephone card access sensor, which is convenient for customers and protect customer investment. The company's access control sensor ZCR111S developed by the company for government and enterprise users has built-in SAM cards. It not only supports the national secret SM1 algorithm CPU card, but also meets the requirements of the National Password Administration's important access control system password application guide. It also supports the mainstream manufacturers' CPU cards on the market. 3 telecom operators' bolile phoneCPU cards (including RFID-SIM, SIMPASS, NFC, etc.).