0

Smart cards (for instance, public transit cards) are widely used in some countries for authentication purposes at universities and workplaces, so that an authorized person can use a printer or access a room by just putting the card on a reader. How does this really work and is it enough safe to use a public transit card in such cases? Can a bank card be used in this case instead of a public transit card?

schroeder
  • 125,553
  • 55
  • 289
  • 326
Pro
  • 15
  • 1
  • 4
  • "can a bank card be used" theoretically, yes, but that is up to the system that would read it. And I'm not sure any system would want to take on that liability. – schroeder Apr 07 '20 at 21:32
  • @schroeder Been to London? All the public transit accept Oyster card or contactless credit cards interchangeably. – Mike Ounsworth Apr 07 '20 at 21:35
  • 1
    Yes, but that's not what we're talking about here. That's a *payment* system. I think PCI's head might explode if a company used payment cards for non-payment door access. – schroeder Apr 07 '20 at 21:37
  • Oh I see, using a public transit card *to access a printer*, not to access public transit. Got it. – Mike Ounsworth Apr 07 '20 at 21:39

2 Answers2

1

An example of dumb card is those used in hotels to replace physical keys. Or entry badges. These can be usually be cloned with equipment like a Proxmark, Proxmark pro or even an NFC-enabled smartphone. You can argue that they are less secure than physical keys, because someone who has portable equipment (that is readily available on the market and may already exist in your pocket) and comes close enough to the card could make a copy.

When it comes to contactless there are quite a few standards. Not all cards are the same in terms of design, cryptographic abilities and they do not all operate on the same frequency ranges.

Let me address this sentence:

Smart cards (for instance, public transit cards) are widely used in some countries for authentication purposes at universities and workplaces, so that an authorized person can use a printer or access a room by just putting the card on a reader.

What you describe is not authentication but identification. Because you are not proving you are who you say you are (an authorized user), for example by providing a password in addition to the physical token. Anybody can 'borrow' your card to use the printer.

The difference can be explained in simple terms:

Identification occurs when a user (or any subject) claims or professes an identity. This can be accomplished with a username, a process ID, a smart card, or anything else that can uniquely identify a subject...

Authentication is the process of proving an identity and it occurs when subjects provide appropriate credentials to prove their identity. For example, when a user provides the correct password with a username, the password proves that the user is the owner of the username. In short, the authentication provides proof of a claimed identity.

Source: Identification, Authentication, and Authorization

For a more detailed discussion: Difference between authentication and identification [Crypto and Security perspective]

As to the question "Can a bank card be used in this case instead", the answer is yes probably but there are legal considerations that will probably not permit it. If my employer required the use of a bank card or chip identity card to access the printer or restroom, the data protection authority in my country would step in, because such a scheme is illegal.

In addition to the legal considerations, the liability aspect raised by Schroeder above has to be considered too.

Kate
  • 7,092
  • 21
  • 23
0

Giant disclaimer that this varies quite a bit by the manufacturer of the card. This answer is off the top of my head and I expect someone could give a better one with some research.

Dumb cards

The basic kind of contactless card just gives its ID number, for example over RFID. The reader looks that up in a database. This is obviously vulnerable to cloning.

PKI Smart Cards

This varies by manufacturer, but the basic idea is that the card has an RSA or ECDSA public key (or certificate) and private key in it. The reader will look up your public key (or certificate) in the database to know who you are, and then challenge the card to prove that it has the matching private key. Conceptually the reader will create a random string (called a nonce) and ask the card to digitally sign it with its private key.

This type of card is designed to prevent cloning -- the card will never release its private key, and requires very advanced reverse-engineering to almost literally rip it out at the transistor level. You can read about cryptographic side channel attacks.

They also prevent record-and-replay attacks because the reader will create a new random string each time, and the signature produced by the card needs to match.

EMV credit cards

I am pretty fuzzy on the EMV spec, but my understanding is that it's similar to PKI Smart Cards, but with some extra complexity to handle a PIN, and that you don't necessarily trust the point-of-sale terminal that the card is interacting with.

Mike Ounsworth
  • 58,107
  • 21
  • 154
  • 209