On the base of the SmartCard Handler library I have development a simple access control system. The major idea behind the library is that additional to the UID (that should be unique for each card) a SHA-512 hash value of a random generated passphrase is stored on the card. For the developing I use Mifare 1K card and as reader my HID Omnikey 5321v2.
The additional security effect is gained through the idea that not the card nor the server (computer with attached reader) has all information available in clear text.
The following information are stored on the entities:
- Server: sha512(cardUID) and passphrase
- Card: cardUID and sha512(passphrase)
The implemented library that uses the presented approach offers a method for the passphrase change. During the call a random generated token (random are not only the characters, but also the length) is written into the servers database and the SHA-512 hash value to the card. That makes it possible to change on every access (or from time to time) the passphrase.
The approach adds a additional layer of security to RFID authentication mechanism that is only base on the UID of the cards. Although I can not give a guarantee that the approach is under all circumstances secure. For example the random generate is only pseudo random and the database should be protected against intruder. Another point is that the whole system has to be implemented in a secure way. If the initiating of new card is public available for the user the whole mechanism breaks.
If you found a major security flaw on the approach (or on the implementation) please let me know. In the meantime the library is only a simple way yo protect non critical areas and a example how to use the SmartCard Handler.
Published as package in the SmartCard Library.