Introduction
From version 6.4 it is possible to configure template(s) to perform RFID only encoding. This means that vSEC:CMS can be used to issue and encode a supported RFID technology that has an RFID chip embedded into the card body.
The supported RFID technologies are:
- Mifare Classic
- DESFire EV1
- DESFire EV2
In this article we will describe a simple example of how you can configure, issue and encode a supported RFID card using vSEC:CMS.
RFID Serial Number Representation
An RFID serial number can be represented in 4 different ways. These are Hexadecimal Standard, Hexadecimal Reversed, Decimal Standard (4 byte), and Decimal Reversed (4 byte). This representation is for HID Prox or iClass Wiegand (26 bit or 37 bit) RFID chips.
By default, the vSEC:CMS represents the RFID serial number as Hexadecimal Standard. If it is required to change the representation to any of the other types then this can be done at the variable level. There are two ways in how to retrieve the RFID serial number value depending on how the RFID value should be represented. This will be described by 2 examples.
Example 1: If it is required that the RFID serial number is extracted from the system during smart card issuance in decimal reversed representation, then in the data export configuration use the variable {$RfidCsnDecRev} to extract the value during issuance.
Example 2: If it is required that the RFID serial number is extracted from the system after card issuance in hexadecimal reversed representation, then add the variable {$DbCardsRfidCsnHexRev} to the Repository - Smart Cards view to extract the value.
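As an added example (not vSEC:CMS code and not taken from the article), the following Python computes the four representations listed above from a raw chip UID. The article does not spell out the byte-order convention or which four bytes the "(4 byte)" decimal forms use, so this code assumes "reversed" means reversed byte order and that a longer UID (for example a 7-byte DESFire UID) is truncated to its first four bytes for the decimal forms; the sample UIDs are constructed.

```python
# Added example (not vSEC:CMS code): compute the four RFID serial-number
# representations named in the article from a raw chip UID.
# Assumptions, not taken from the article: the UID is handled as the byte
# string the reader returns; "reversed" means reversed byte order; and the
# "(4 byte)" decimal forms use the first four bytes of a longer UID.


def hex_standard(uid: bytes) -> str:
    """Hexadecimal Standard: UID bytes in reader order, upper-case hex."""
    return uid.hex().upper()


def hex_reversed(uid: bytes) -> str:
    """Hexadecimal Reversed: the same bytes in reversed byte order (assumption)."""
    return uid[::-1].hex().upper()


def _first_four(uid: bytes) -> bytes:
    """The 4-byte decimal forms need at least four bytes; longer UIDs are
    truncated to their first four bytes here (assumption)."""
    if len(uid) < 4:
        raise ValueError(f"decimal (4 byte) forms need >= 4 UID bytes, got {len(uid)}")
    return uid[:4]


def decimal_standard(uid: bytes) -> int:
    """Decimal Standard (4 byte): the first four bytes read as a big-endian integer."""
    return int.from_bytes(_first_four(uid), "big")


def decimal_reversed(uid: bytes) -> int:
    """Decimal Reversed (4 byte): the same four bytes in reversed byte order."""
    return int.from_bytes(_first_four(uid)[::-1], "big")


def representations(uid_hex: str) -> dict:
    """All four representations, keyed by the names used in the article.
    Decimal Reversed is the value {$RfidCsnDecRev} exports during issuance;
    Hexadecimal Reversed is what {$DbCardsRfidCsnHexRev} shows afterwards."""
    uid = bytes.fromhex(uid_hex)
    return {
        "Hexadecimal Standard": hex_standard(uid),
        "Hexadecimal Reversed": hex_reversed(uid),
        "Decimal Standard (4 byte)": decimal_standard(uid),
        "Decimal Reversed (4 byte)": decimal_reversed(uid),
    }


if __name__ == "__main__":
    # Constructed sample UIDs: a 4-byte Mifare Classic style UID and a
    # 7-byte DESFire style UID.
    for sample in ("12345678", "04A1B2C3D4E5F6"):
        print(sample, representations(sample))
```

When a physical access system rejects a card that vSEC:CMS issued, comparing the four values this produces against what the door reader reports is the quickest way to find out which representation the other system expects.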
Security Considerations
The cryptography, which is the authentication with the card and encryption of the Radio Frequency (RF) communication, is done in the card reader. This means the keys need to be sent to the card reader when operating with the card.
Since the keys also need to be shared with other components in the IT infrastructure, such as door lock readers, vSEC:CMS provides the possibility to import and/or export the key material.
Two important areas around the key security that need to be highlighted are:
- Import and/or export of key material is performed in the clear in the vSEC:CMS;
- The keys are sent in the clear to the card reader through the PC/SC protocol.
RFID Key Security
vSEC:CMS protects the keys against the following vulnerabilities:
- Extracting the keys from the vSEC:CMS database;
- Unauthorized export of the keys from the vSEC:CMS database;
- Extracting the keys from memory while using the keys at application runtime.
The keys are protected in vSEC:CMS as follows:
- When storing the keys in the vSEC:CMS database, the key material is encrypted with a 3DES key which is derived from the vSEC:CMS master key, access to which is protected by the operator PIN. This master key is a random key and different for each vSEC:CMS installation. This means:
- It is only possible to decrypt the keys within the organization where the keys were encrypted;
- When it is required to save and/or export the keys from the vSEC:CMS, it will be required to have an operator smart card available and knowledge of the operator PIN to successfully authenticate to the card.
- Whenever the keys are decrypted, i.e. when it is required to perform operation with them, the keys are obfuscated in memory. The keys will be removed from memory when access to the keys is no longer required.
Configuration Steps
A number of configuration steps need to be carried out before you can use this functionality.
Step 1 - Enable Functionality
As this feature will not commonly be used it will be necessary to enable it. From the File - Program Settings menu enable this feature as below and click Ok.
Step 2 - Verify RFID Card Configuration
Navigate to Options - Smart Cards, place the RFID card on an RFID reader and check whether the card table is filtered to that card. You should see something similar to below, which verifies that the RFID card is recognised by vSEC:CMS.
If the card table is not filtered, it may be that the card you are attempting to use is not supported. You can try to add the card details by selecting RFID only card and clicking the Edit button. Then click Add and, with the correct reader selected (normally it would be shown as a contactless reader), click Get to populate the ATR and Mask fields. Click Ok and Save.
Step 3 - Create Template
Navigate to Templates - Card Templates and click the Add button.
Click the Edit link in General.
Enter a template name and click the Detect button. With a card that is to be managed attached make sure to select the correct card reader (normally it would be shown as a contactless reader). You should see something similar to below with RFID support listed. Click Ok to continue.
You will notice that fewer configuration options are available than usual. This is because the use cases for an RFID only card are limited, so the options that do not apply to that use case are removed.
Leave all other options as is for now and click Ok to save and close.
Click the Edit link in Issue Card. In this example we will use a simple string identifier for the user assignment. Other user directories could be used here (for example, AD or LDAP) as supported by vSEC:CMS. In the User ID Options section click the Manage button. Click Add, give a name for the template and select String for the type in the drop down field. Enter a value for the length of the generated ID string if you wish vSEC:CMS to auto generate a string ID during issuance. Click Save and Close.
Enable Assign User ID and select the template just created in the drop down box.
In the Contactless section click the Manage button. Click Add and enter a name. In this example we will use Mifare classic so we select this option from the drop down box. For the Key(s) enter whatever values required for your environment. Below we show an example. Important to note that the fields below the A and B fields should have the same values.
Once you have entered the values for the A and B fields and saved the settings, the fields will be empty the next time you open this dialog. You will need to click Show key value(s) to see the values again.
For the Wiegand code section configure as required for your environment. It is expected that the person performing this configuration has experience and expertise in configuring RFID credentials. Click Save and Close.
Enable Encode RFID and select the template just created in the drop down box.
Typically the encoded RFID details need to be exported to a system where the cards are to be used, for example a physical access system for door access. In this simple example we will configure the template to export the RFID details to a text file. In the Data export section click the Configure button and click Manage and Add. Enter a template name and select File (Export to file) for the Target.
Click the Format button and select the File Format you wish to use along with how the file should be encoded, how the values should be separated and whether the values should be shown in quotes. For Variables add {UserId} and all RFID variables that are available and click Ok.
Click Save and Close. Then select the template and Add and click Ok.
Leave all other settings as is and click Ok.
Click Ok to save and close the template configuration.
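As an added example (not vSEC:CMS code and not taken from the article), the following Python renders an export file of the kind the Data export section above produces, with the options the Format dialog exposes: value separator, whether values are quoted, and file encoding. Only {UserId} is a variable name from the article; the RFID column names, the row values and the file path are constructed for this example. It also rejects a row that is missing any configured variable, so a downstream physical access system never imports a credential without its identifier.

```python
# Added example (not vSEC:CMS code): render the RFID export file written by
# the template's Data export configuration, with the Format dialog options
# (separator, quoting, encoding). Column names other than {UserId}, the row
# values and the file path are constructed placeholders.
import csv
import io

# Variables chosen in the Format dialog. {UserId} is from the article; the
# RFID column names stand in for "all RFID variables that are available".
EXPORT_VARIABLES = [
    "{UserId}",
    "RFID Hex Standard",
    "RFID Hex Reversed",
    "RFID Decimal Standard",
    "RFID Decimal Reversed",
]


def render_export(rows, separator=";", quote_values=True, header=True) -> str:
    """Return the export content as text. Each row is a dict keyed by variable
    name. A row lacking any configured variable is rejected rather than written
    with a blank cell, because a half-filled record is the kind of thing a door
    access import may accept silently."""
    buf = io.StringIO()
    writer = csv.writer(
        buf,
        delimiter=separator,
        quoting=csv.QUOTE_ALL if quote_values else csv.QUOTE_MINIMAL,
        lineterminator="\n",
    )
    if header:
        writer.writerow(EXPORT_VARIABLES)
    for row in rows:
        missing = [v for v in EXPORT_VARIABLES if row.get(v) in ("", None)]
        if missing:
            user = row.get("{UserId}")
            raise ValueError(f"row for user {user!r} lacks {missing}")
        writer.writerow([str(row[v]) for v in EXPORT_VARIABLES])
    return buf.getvalue()


def write_export(path, rows, encoding="utf-8", **options) -> int:
    """Write the rendered export to `path` (constructed path in the usage
    below) with the chosen encoding; return the number of data rows."""
    content = render_export(rows, **options)
    with open(path, "w", encoding=encoding, newline="") as fh:
        fh.write(content)
    return len(rows)


# Constructed sample row: the generated string user ID and the four
# representations of the constructed UID 12345678.
SAMPLE_ROWS = [{
    "{UserId}": "A7K3Q9",
    "RFID Hex Standard": "12345678",
    "RFID Hex Reversed": "78563412",
    "RFID Decimal Standard": "305419896",
    "RFID Decimal Reversed": "2018915346",
}]

if __name__ == "__main__":
    print(render_export(SAMPLE_ROWS), end="")
```

Pick the separator, quoting and encoding to match what the importing system expects; for a UTF-16 or Latin-1 import, pass `encoding` to `write_export` rather than re-encoding the file afterwards.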
Issue RFID Only Card
From the Lifecycle page attach an RFID only card.
Select the Issued oval and click the Execute button to begin the issuance. You will be prompted to enter the name of the user the card will be issued to.
You will get a short summary dialog once the issuance completes. Additionally, the exported details will be written to the file location configured in the template. You should now be able to use and test your RFID only credential.