Monday 19 March: Key cards
Access, movement, time, security, smartness

Invitation: https://apass.be/keycards
Download texts: https://cloud.constantvzw.org/s/eGmApCmrlAWSA2l
Danny's slides: http://homes.esat.kuleuven.be/~decockd/slides/20180319.epassports.pdf

Readings:



Participants:
    Femke
    Adrijana
    Martino
    Peter
    Hans
    Joke
    Seda
    Danny
    Fran


Joke:
    
Let's start from the cards: you can buy the empty cards and then you go to the Ritcs, they are a school that is renting a part of the building. There is a system that is owned by the building owner, which was owned by the previous owner.

a pre-owned system
ritcs rents main part of the building; they have someone managing it.
they have the personnel who manages the access control...
ritcs is mainly other floors, and they make our cards (i.e., set the authorization)
when I want to use the card on the second floor, I cannot.

but you can use the elevator and get in anywhere: yes
you can also follow somebody else

the card system is not the same as pressing the bell
and it is not the same as the alarm
so there are three systems (at least)
if you push the door, which you can unlock with the card, and i let you in, i am opening it through a different circuit

we are a smaller organization, so we do not have a person of our own that deals with infrastructure
so, i went to marc

when femke needs a card, i take a card that is not in use.
i put in a word document that femke has this card
it is just a sticker that has a number that I assign to Femke
we have some cards with nothing on, because the sticker is gone

can you check?
you generate the sticker and it can be removed/brushed off
they don't keep these numbers, but they may???
the numbers they have,


0) card#: there is a number on the card that is printed on
1) ritcs # or a.pass #: there was a time when they put the a.pass number in their system, but now they don't (ritcs file)
2) a.pass sticker number (a.pass file)

ritcs puts on their card the name of the student but i don't do that, cause i don't give them the names

joke: i only want to know from whom i can get back which card

we have 1-2 cards that give access to our space and to the ritcs
cause sometimes we work together

ritcs can go into the computer
there is a network computer: a hardware/software system, the owner and ritcs
the fixed computer (server) is down on the ground floor
so that the owner has access and marc has access

once we had a keyboard connection, he could access with the cable the server
but the rats probably ate the cable
at some point he could access the server from home
but now he can only access the server directly

the system needs an update: but the owner doesn't want to cause it costs money

ritcs can go into the server 
they can see whether it was an apass or ritcs card
then they come to you, some cards they can see, because they have the a.pass number
you may not have the connection between the card id and the apass number (sticker is gone)

another person is mustafa
he picks people up if the alarm goes off
and calls me


the alarm: there is another system, which is the alarm system
the card system and the alarm system do not overlap
the alarm is programmed: during the week, 9am-11pm the alarm is off
all the rest, the alarm is on

when i come in with my card: people have 24 hour access
but they forget about the alarm system
so you have to switch it off
and there are codes
for each floor
so we have two codes


i have this transponder
it has the same functionality
but we can also use our keys
this allows you to go in the main door and allows you to doors where there are no keys
then we have the alarm system
and the normal keys

i don't ask people for money for the card
they give me cards back and sometimes it is not the card of the person

do you need to guess?
those that need a key, have a keycard with a number

but if they come back with a white card, no sticker?
two people have a white card and that's it
nobody tried to take the stickers off

i can give you the same card...
but we are talking about 40 cards with people we know
i have little doubt
we have a system based on trust

do you reprogram them?
once you have a card, it just stays
if not, they just walk with it

revocation:
with the old ones, ritcs can revoke, cause they still have the card numbers

when you lose your card, she will look up your number, number 15
she will then notify people from ritcs, that the card that was used by her needs to be revoked
but the problem is they have no idea what number 15 is

so, a lost card means that sb who finds the card can get in
i want to do an inventory and cancel the cards that are no longer used
we are around 30 people coming in and out
and we have about 50 cards

how many were lost?
from my list, but not the full list since i arrive in a.pass
before there were basically a pot of cards

for all the 30 people, look at access the last weeks, and throw out the cards that are not being used...
you are going smart
it is logical to remove them, we have not had the urge

to get in here, you need normal keys
you can wander around the building but then the alarm goes off


Danny, can you read something from the card?
no, because these are chip cards, but these are rfid tags
rfid tags work in a similar manner, they have a 10 digit identifier, and every time you get close to it 5-10 inches
if you bring it in the vicinity of the reader
it will power the tag and read out the identifier

they cost 1$ per piece...
they used to be cheaper, but now 1euro
they come with identifiers and that is fixed

when you buy them, you get a list that says here are the identifiers of your card
they are burnt into it and cannot be changed

my reader is for chips
it is a different language that they speak
the language my reader speaks is or bidirectional communication
whereas the other one is one direction, you just get a 10 digit identifier

basically, inside the card there is a coil
when it gets close to a reader, there is a magnetic field, which gets powered and it broadcasts the number

leuven cards are mifare+ cards
this is a personnel/student card
mifare+ cards [mobib, oyster?] https://en.wikipedia.org/wiki/MIFARE https://myfarecard.com/
it means that there is an rfid chip
but protected with a password

MRZ: machine-readable zone -- functions as a password that is publicly visible
why is it there?
to make it function...
depends on the application
identification is there to identify me
it needs to contain information that is necessary for you to be able to read it out
if i would claim that this card belongs to me
maybe i have manipulated/counterfeited the document
it is a polycarbonate card
everything that is not black can be made black
i can add dark glasses, a beard, make it male
i have time to counterfeit my card
if you are in doubt about the genuineness of my card
and in order to read it out, you need this information


how does it work with the passport?
the passport has a data page
and it has a two line MRZ
if you type this into an application
you can read out the data that was included in the back page of your document
it is the same principle

a question: why is it then in europe and outside you need your passport, is it related?
the presence of an MRZ on an id document, drivers license, id etc., then it is a travel document
if there is no MRZ, it is not a travel document
you cannot enter the UK with a document that doesn't have an MRZ

what is in the passport depends on the age of the passport?
this old passport, contains my hand written signature
i can read out my hand written signature

can you store things on it?
no, you cannot, but when you are requesting the id document
you fill out a request form,
and that is scanned and used as a reference to provide all the data that is included in the chip

i designed the belgian eid card
if you allow anybody to write on the eid card, you have to say no to others
72kb memory
during the production, they produce key pairs that are written into the chip
and some other information is read from the chip
the picture and a bunch of other information and the public key are written into the chip
so there are a couple of files, less than 72kb
so there is 20kb spare memory
but that memory is only available to the administration to write longer key files or certificates, or even identity file
and after that, it cannot be modified except the address and the certificates

the national register is the only one with the rights to write on the id card
both the passport and the belgian ids are made by the federal government
this is a residence permit, it has the same chip as the belgian id card
it is only writeable by the municipality
there is a police person that verifies that you are at a new address
they confirm the change

when i move
i first go to the municipality
i initiate the address change process
i tell the new address
they update it on the national register db
and they trigger a police to check whether it is true
as soon as that is verified
he goes back to the office and says i checked it and confirms

the address was updated immediately when i went to the municipality, but it is not yet active
the police activates it
the first encounter after that, when they see my eid, they will update my address

j: we have people from abroad
and they have to wait for the first encounter to be active
the foreign affairs looks at the data and it is not yet active
so we run into problems


it can take 4 months and you don't have access to anything until you have the card, which is a big hassle

i was wiped out from the db at some point
the two administrations were not the same
i didn't get allocation familiale for a while
because of the different input by different people and things went wrong

i was english living in scotland
they have a similar thing where the council comes and checks who is on the lease
they come and ask who lives there

they can ask you for a rental contract
they want a proof of people living on that address

going back:
    this is a simple card, but it already ties into dbs and management
    we have an anecdote that some people entered on new years
    and there was a check done and the people were reprimanded
    even if apass would have difficulty pointing at a different person
    
    you have in a sense collective responsibility: because the cards are not personally assigned
    
    we use the card as a key and that's about it
    mustafa told me though that there was a woman with glasses
    and i didn't think of femke
    but here i had information
    
the writing is hard but reading is very easy
danny: it depends
nudge is towards a single/legal/economical identity. 
A physical key has no memory connected to it. The cards have memory outsourced. It is not anymore in your control. 
There must be logs of the entrances, what cards entered. 
At the VUB they installed this to prevent stealing. 
Trick: I arrive with a large/heavy box, struggle to enter, someone opens up ... so it is not necessary?


why did the owner choose this system?
the price: it is cheap
it is not a secure system, i do not want to discourage you

all these questions about i cannot tell you
safety policy and all this

to reproduce the key takes 6-7 euros
you can make keys invalid but physical keys not
we changed the locks: we thought it was a time to refresh


Trick 2: Buy 1000000 cards, and the chances are the

danny: you were saying something about smartness
these are smart cards: they protect against copying
but the tags do not have protection against it, so they are not smart

no, i am saying something else. some have chip or coil
but in my life they are functioning in the same way
if i use my passport not just traveling to another country
but registering myself in a commune, but also the media markt and train ticket
i get a blur between galerie inno advantage card and national id

the dutch OV is interesting

we asked how long they were keeping the data?

Different things happening.
Material things related to the cards.

Mifare has been cracked. Not Mifare+


phone/cctv/interface
- behavior

ID/key card [passive and active cards]
- biometrics
- token
- chip
- rfid tag

Card reader
- who
- what
- when

Database
- behavioral analytics

Money is important / costs
Talkative cards.

Different ways of connecting to the reader. 
Machine readable zones and hidden passwords
What can the cardreader read, and what can it write.
A lot of decisions are being made. There are radically different cards, even when they look the same. Differentiating cards helps to see relations around them.

Things that are implemented but not designed

It is not just about what is written on the card, and what type of card of it ... but what system is around it.
Zero knowledge proofs

Microsoft had a product they called 'passport' for online use, to authenticate all types of transactions. There was an uproar against Microsoft, out of fear of MS becoming a monopoly for online transactions. So the issue with MS passport was that it was bad for the market, not so much that it was bad for privacy.

'passport' was trying to 'help' users with authentication. It is hard to make policies for each card/transaction. To articulate what is reasonable. 
Efficiency and money issues prevail

DB registration - somebody knows something about what cards enters when. It is plausible they kept all the data for a long time.

The cards are the tip of the iceberg. Even a non-smart system links into a system of governance. Conflating roles: shopping, identifying, ...
Any sensor is a stepping stone for function creep. Capturing how people behave. Keys are entering a market logic.
Cards function as a token. 
Authentication makes you show the token belongs to you. [Jokes' list] + authorization
Tokens are increasingly replaced by (or combined with) biometrics. [tokens are too easily swapped].
Continuous authentication - machine learning is starting to eat everything -- analyse your behaviour continuously. Banks are interested in this [keystrokes, patterns]

Keycards are an entry into this.

Identification becomes continuous. The 'smartness mandate' operates both on the side of the person, and on the side of the database. 

Movement becomes part of the authenticating systems. Based on normative bodies.

Joke: we did not sign anything in relation to the cards. 
Seda: it is easy to track who is who. There should be a data-protection something. Laws are changing [GDPR] General Data Protection Regulation. European. It is the same as always, harder to ignore, larger fines. You can identify who is a smoker. Implementing could be o


BSI: German institute for security (technical, not totally national security, i.e., they are related)
Golden Reader:
    the three lines to enter the Machine Readable Zone
    the font is OCR friendly
    so you can swipe it and read it
    
    looking at the Logical Data Structure (LDS)
    RFU: reserved for future use. it is not clear what it contains.
    
    with these data fields, it means that there has already been a discussion about what the standards should be and what can be protected in the future, even if not now
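
How a publicly printed MRZ can act as the password for the chip, as an added example (not from the session or the slides). It assumes the document uses Basic Access Control as specified in ICAO Doc 9303, where the key seed is derived from three MRZ fields, and it runs on a specimen-style second line of a two-line passport MRZ for a fictitious holder.

```python
import hashlib

WEIGHTS = (7, 3, 1)  # repeating weights used for every MRZ check digit

def char_value(c):
    """MRZ character value: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if c.isdigit():
        return int(c)
    if c == "<":
        return 0
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"character not allowed in an MRZ: {c!r}")

def check_digit(field):
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10

def parse_td3_line2(line):
    """Split line 2 of a passport MRZ; return (fields, names of fields whose check digit fails)."""
    if len(line) != 44:
        raise ValueError("a passport MRZ line has 44 characters")
    fields = {
        "document_number": (line[0:9], line[9]),
        "date_of_birth": (line[13:19], line[19]),
        "date_of_expiry": (line[21:27], line[27]),
        "personal_number": (line[28:42], line[42]),
        # the composite digit covers the fields above together with their check digits
        "composite": (line[0:10] + line[13:20] + line[21:43], line[43]),
    }
    errors = [name for name, (value, cd) in fields.items()
              if str(check_digit(value)) != cd.replace("<", "0")]
    return fields, errors

def bac_key_seed(fields):
    """Return (MRZ information, 16-byte key seed) as used by Basic Access Control.

    Everything that goes into the seed is printed on the data page: whoever can
    see the page (or a photocopy of it) can derive the same value.
    """
    info = "".join(fields[k][0] + fields[k][1]
                   for k in ("document_number", "date_of_birth", "date_of_expiry"))
    return info, hashlib.sha1(info.encode("ascii")).digest()[:16]

# Specimen-style sample line, fictitious holder and issuing state "UTO".
SAMPLE_LINE2 = "L898902C<3UTO6908061F9406236ZE184226B<<<<<14"

if __name__ == "__main__":
    fields, errors = parse_td3_line2(SAMPLE_LINE2)
    info, seed = bac_key_seed(fields)
    print("check digit errors:", errors)
    print("MRZ information:", info)
    print("key seed:", seed.hex())
```

The check digits catch typing and OCR errors only; they add no secrecy, which is why the MRZ works as a password only against someone who has never seen the data page.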
    
    
IDEA: joke suggests we make a game with id cards, put some rules and tell people they have to get to a certain goal with the IDs in their wallet

the data in the passport is only used in criminal cases
if you are caught red handed, and they find some fingerprints, they will use the reference fingerprints to really confirm that this is seda that left behind the fingerprints. so, they are forensic fingerprints.


DANNY quick overview of chips, tags etc.:
    
Memory Chips vs. Smart Cards:
    there is no protection against replication and maybe also not for reading and writing.
    
Smart cards: are able to protect themselves. There is real authentication that needs to take place before it allows you to read the information or do something with the card. There is a layer above, which shields the functionality.

RFID chips: in the passport or oyster card. Chip refers to the fact that they do not show their functionality to everyone. Only after some authentication can you use the functionality.

Real Chips: contact chips. vs. RFID. In payment systems you have RFID chips.
Like with wireless payment systems.
If you have a visa or american express card, they are contact chips.

Applications:
    the biggest application is for identification
    you show it to claim who you are
    
    identity verification: it takes place when you read out the content of the chip
    
    electronic transactions: for real applications that you want to do something with: sign a contract, money transfer
    i sign with my identity or bank card the transaction
    
    token: everything you can put in your pocket
    
    tamper evidence is extremely low for RFID tags
    smart cards that can protect themselves: they have much higher tamper evidence
    
    


    







////////////////////////////////////

*a.pass keycard investigation

URL printed on card: https://www.parallax.com/shop Parallax is the company where Joke Liberge (Production coordinator, apass) bought the cards. They are blank, and "they all have a unique code".

Bruno (RITCS) can initialise the card, program it. He adds a 2nd number. Joke keeps track of who has what number card at what time (word-doc). She has saved the files since 2008.
If she needs new passes, she brings blank keycards (she bought 50, 20 euros or so) to Bruno to initialise them.

Conversation (by mail) with Marc Vandermeulen / RITCS

Should there be concerns about privacy: we assume that our RITCS spaces belong to a piece of “enclosed public space”.
That means that this space does not belong to the private domain of individual people, and that people should normally have no reason why their presence in the Bottelarij would need to remain secret or invisible. On the other hand, we will not use the data on access to the Bottelarij for any purpose other than the one it is intended for, namely smooth internal operation and security. Beyond that, it is handled discreetly; for example, it is not simply passed on to unauthorised third parties.

What company provides the software + hardware (reader + 'locks')?

I'm not going to tell you that. They will, incidentally, be little or not at all willing to cooperate in experiments with the access control, since they follow a very strict security policy (not incomprehensible given their role). I myself also don't get to know certain things that I would like to know purely for practical reasons.

That does not prevent there being very many suppliers of both compatible cards and standalone card readers: to connect to a PC via USB, to read via Arduino, and so on.
With such a reader you can only read the internal, unchangeable number of a card; whatever else you want to do with it, you have to build entirely yourself.
You cannot connect anything extra to the existing system yourself; any attempt to do so will immediately trigger an alarm notification. So you cannot interact with the existing system or the data it stores; you have to develop your own application entirely yourself. But in doing so you can make use of the existing cards or tags.
  
What hardware (reader/writer) is used?

I'm not going to say anything further about the hardware of the Bottelarij system.

The separately available material consists of fairly standard 125 kHz RFID tags and readers. Widely available in all kinds of forms, and not expensive.
See https://www.impinj.com/about-rfid/types-of-rfid-systems/

And e.g. https://www.antratek.be/catalogsearch/result/?q=rfid (this also includes readers and cards from systems that are not compatible with ours).

It is a type of card that can only be read at very short distances, so you really have to hold your card against the reader. Some other systems can also read a card that you simply keep in your pocket. It is a type of card from which only the internal number can be read; you cannot store anything on the card (with some other card types you can).
The cards or tags are of the passive type: they contain no battery. The little energy needed to power their internal electronics is transferred at the moment you hold the card (or the tag) in front of the reader.
  
What is the relationship/contract with the company ('service = subscription' or one-time purchase)?

I don't know the details of this, and it doesn't seem relevant to your project either.
  
Is any of the system networked/on-line (automatic updates, cloud, ...)?

The system is not directly connected to the internet. I'm not going to say more about it.

Are there regular updates/maintenance?

Yes, but I'm not going to say more about that.
  
What type of information is stored about the different cards (what access etc.)?

The internal number of the card
Possibly an external number that was written or stuck on the card
A “name”: this can be either a real name of a person, or some kind of numbering (e.g. APASS9873) that does not refer precisely to a person. The organisations choose for themselves whether they supply names or generic numbers.

What type of data gets saved when a user enters a door (what user, what door, what time, ...) or: what does Marc know about the usage of the cards (can he check which card enters when?) 

You can of course see afterwards which cards were used, where and when, but I'm not going to say much more about that.
The only purpose is to support internal operation and security. E.g. checking whether people stick to the agreements, do not come outside the permitted days and hours without asking permission, who set off the alarm, who came to work in the Bottelarij without tidying up afterwards, and so on….
For instance, this year a student tried to get in just after New Year (01-01-2018, 00:15) (without success). That was presumably not for study reasons, so that person was indeed spoken to about it.
  
Who else can access this data? [Marc, Bruno, Raymond, Ghiska, -> there is software installed on some computers in the building to give access? What can be accessed? (user data, access plan, ...)] Is there a main computer, that these terminals connect to?

A very limited number of people, including myself, Bruno and Raymond. I'm not going to report more about it.
  
How long is the data saved? What happens when there is a break-in for example, would they check?
  
The data is kept for as long as is necessary to be able to do security checks. But I can only speak about that for the RITCS; I am not the “main administrator”.
Yes, of course we regularly check what is happening, both regarding access to the building and access to the system.
  
When does the card start/stop to work (once programmed?)

The card itself only stops working if it gets damaged. The data content of the card itself (which contains only a long ID number) never changes (it is read-only from the manufacturer).
If the card's number was never put into the system, the card will always be refused; a newly purchased card will never work by itself.
You can only program the system to say what it should do when a particular card number is presented.
You can switch a card's access rights on or off both automatically (at a certain time) and manually. You do not need to present the card to the system for that. That way you can also block a lost or stolen card.
  
What if there is a software breakdown/bug?

Even if the operating computer is switched off or is down, and even during a power cut, the system keeps working. But I'm not going to tell you exactly how, or for how long.
  
Can they cancel a card 'remotely'?

If you mean: blocking a card that you do not have in your possession: yes, of course that is possible, since the rights you get with the card are not stored on the card itself but in the system. The card does keep functioning technically; nothing prevents it from being read into some other system and used according to the rights it gets there.
  
What extra/other functions could be installed on these cards with the current system (for example: exit control?)?

Nothing at all is installed on cards of this type; all functionality is in the system. There are other systems that do write data to the card.
Exit control would be possible if you also had to present a card to go out. But in practice that is not done, because people must always be able to leave a building (in case of fire, for example), even if they have no badge. Hence push buttons for this, not card readers.
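
The model Marc describes (rights live in the system, keyed by the card's fixed internal number) combined with the inventory Joke wants to do, as an added example that is not part of the mail exchange or of the building's system. All card IDs, labels, holders and log entries are constructed, and the table layout is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample data. Controller table: internal card ID -> record.
# Rights live here, not on the card.
SYSTEM = {
    "0004178263": {"label": "APASS15", "enabled": True},
    "0004178301": {"label": None, "enabled": True},       # enrolled without an a.pass number
    "0004178377": {"label": None, "enabled": True},
    "0004179002": {"label": "APASS07", "enabled": False},  # already blocked
}
# The a.pass list: sticker number -> holder. It does not record the internal ID.
APASS_FILE = {"APASS15": "holder A", "APASS22": "holder B", "APASS07": "holder C"}
# Reader log: (time, internal card ID, door)
LOG = [
    (datetime(2018, 3, 12, 10, 5), "0004178263", "main"),
    (datetime(2018, 3, 16, 23, 40), "0004178301", "main"),
    (datetime(2017, 11, 2, 9, 15), "0004178377", "main"),
    (datetime(2018, 1, 1, 0, 15), "0009999999", "main"),   # ID never enrolled
]

def decide(card_id, system):
    """Grant only if the ID is enrolled and enabled; a freshly bought card never works."""
    rec = system.get(card_id)
    return bool(rec and rec["enabled"])

def resolve_sticker(sticker, system):
    """Map a sticker number to internal IDs through the label the controller holds."""
    return [cid for cid, rec in system.items() if rec["label"] == sticker]

def revoke_lost(sticker, system):
    """Block the card behind a sticker number without having the card in hand."""
    ids = resolve_sticker(sticker, system)
    for cid in ids:
        system[cid]["enabled"] = False
    return ids  # empty list: nobody can tell which card "number 15" is

def audit(system, apass_file, log, now, idle_days=90):
    """Inventory: which enabled cards are idle, unlabelled, or cannot be traced."""
    last_seen = {}
    for when, cid, _door in log:
        last_seen[cid] = max(when, last_seen.get(cid, when))
    cutoff = now - timedelta(days=idle_days)
    enabled = {c for c, r in system.items() if r["enabled"]}
    return {
        "idle": sorted(c for c in enabled if last_seen.get(c, datetime.min) < cutoff),
        "unlabelled": sorted(c for c in enabled if system[c]["label"] is None),
        "unresolvable_stickers": sorted(s for s in apass_file
                                        if not resolve_sticker(s, system)),
        "unknown_ids_in_log": sorted({c for _w, c, _d in log if c not in system}),
    }

if __name__ == "__main__":
    for key, value in audit(SYSTEM, APASS_FILE, LOG, datetime(2018, 3, 19)).items():
        print(key, value)
    print("revoking APASS22 blocks:", revoke_lost("APASS22", SYSTEM))
```

A sticker that does not resolve to an internal ID is exactly the lost-card case from the session: the holder is known, but the card that needs blocking is not.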