HID Proximity Cards: Decoded Versus Undecoded Outputs?

on 29.09.2006 22:36:38 by Will

Can someone explain the difference between an HID proximity card's decoded
and undecoded outputs? My guess is that the number printed on the card is an
undecoded output, and it's just there to make it easier for humans to type
in a number to a software application. Probably the real number is on the
card as a longer or more complex format? How many digits are there and
in what format (e.g., alphanumeric only)?

I saw a demo on TV recently of some guy who, using a homemade circuit board,
was able to swipe any person in his vicinity's prox cards, then record that
and play it back to get access through any prox reader. Pretty scary
stuff, and it's obviously not a very secure architecture if they are sending
out numbers in a way that doesn't use some kind of private and public key
exchange.

We are thinking of using the proximity cards as part of a two-factor
authentication system to log in to computers, which is why I would like to
understand the length and structure of the number on the card. We would be
using PCPROX readers.

--
Will

Re: HID Proximity Cards: Decoded Versus Undecoded Outputs?

on 30.09.2006 17:55:02 by Roland Moore

There are no decoded and undecoded outputs in the HID Proximity format you
mention. At its simplest the prox card has a chip inside it creating a pulse
output. There are many physical forms of "active cards" and "passive cards"
and fobs and "lick and sticks" etc. The unique card number is programmed
into the chip inside the card. The HID Proximity format has become an
industry standard so many manufacturers use it since the HID patent expired.
So the chip inside the card creates the same type of output as the original
Wiegand pulse-generating cards that used bits of wire inside the card and no
chips. So that's it. It is a pulse. The "pulse" can be different lengths.
There is the standard 26 bit format, meaning a "pulse" of 26 pieces or bits
of on or off data. In that output format you have the card number, the
facility code or site code etc. (because the nomenclature varies a lot). To
make it more interesting one can vary the start bit location
and scramble things up a little. Different access control manufacturers
have their own formats. Continental Instruments 36 bit, Card Key 35 bit,
Infographic Systems 34 bit, CEM 33 bits etc. Therefore what is printed on
the card may be the actual card number output or something else not at all
related to the card number in any way. When you get the cards from the
manufacturer there is a sheet that cross-references what is printed on the
card versus the actual output.

You can certainly defeat the security of a card access system by using a
device like the one you saw on TV. You don't even have to be clever enough
to build your own device, you can buy it complete and ready to use right off
of the Internet and start spoofing.

I don't think that one would install simple Wiegand cards on a facility
where high security was a concern. There are other technologies besides
Wiegand. One step up would be to use the Indala reader. Indala is now a part
of HID. You get a more unique communication going between the card and the
reader that makes it a bit more difficult to spoof.

HID is not stupid. They do make cards that you can't easily spoof and
formats that are unique. The HID iCLASS format, combined with an Elite class
reader and Corporate 1000 format would pretty much rule out spoofing or
duplication completely. The iCLASS would mean what the spoofer read would
not work when "played back" to the reader. It is unique every time (well, the
challenge repeats every 1.5 million years or some ridiculously long time)
because there is a two-way communication going. The Elite ties the reader
and the card together so even another iCLASS card won't be acknowledged. And
the Corporate 1000 means HID will never produce another card with that
number on it so there are no duplicates ever produced by HID.

Does it worry anyone in the industry that Wiegand Prox format cards can be
spoofed? I don't know. If you put a reader on a glass door and have a
strike on a door lock I think not. A prox card is not like a door key that
works 24/7/365. For the most part a card is programmed to work normal
business hours on a limited set of doors. Even if you spoofed a card and
antipassback was in play you couldn't just spoof a card of a random person
passing by and then walk in. In most cases the bad guy wanting in will pick
up a rock and smash out the glass. If the bad guy is a bit more resourceful
or skilled he will pick or pry the lock. I have never been made aware of a
successful (or unsuccessful) spoof attack in real life. If I do I'll try and
post the video clip of the guy here because I am sure there will be one.
There are almost always other sorts of security measures to have to get
around like cameras, or in the reader itself, like PIN numbers, biometric
interfaces, face matching, etc. Remember we're only talking about Wiegand
Prox formats. There are other formats like MiFare, RFID etc. I think the
career of a Wiegand Prox format spoofer would be very short. But don't let
me disabuse anyone here from a career choice. I know some guys that work
with prison ministries and they hear from the inmates that the food is good
and the sex is great.


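Added example (not part of the thread or of any poster's message): a decoder for the standard 26-bit format mentioned in the reply above, answering the question about the length and structure of the number. The field layout used here (leading even-parity bit, 8-bit facility code, 16-bit card number, trailing odd-parity bit) is the commonly published open 26-bit layout and is an assumption, since the thread does not spell it out; the vendor formats of 33 to 36 bits listed above differ. The sample values are constructed.

```python
# Added example: decode a standard 26-bit Wiegand frame.
# Assumed layout (open 26-bit format, not given in the thread):
#   bit 0      even parity over bits 1-12
#   bits 1-8   facility (site) code
#   bits 9-24  card number
#   bit 25     odd parity over bits 13-24
from dataclasses import dataclass

FRAME_BITS = 26


@dataclass(frozen=True)
class Credential:
    facility_code: int  # 8 bits, 0-255
    card_number: int    # 16 bits, 0-65535


def encode_26bit(facility_code: int, card_number: int) -> str:
    """Build a frame as a bit string; used here to construct sample input."""
    if not 0 <= facility_code <= 0xFF or not 0 <= card_number <= 0xFFFF:
        raise ValueError("field out of range for the 26-bit format")
    data = f"{facility_code:08b}{card_number:016b}"
    even = data[:12].count("1") % 2        # makes the first 13 bits even
    odd = 1 - data[12:].count("1") % 2     # makes the last 13 bits odd
    return f"{even}{data}{odd}"


def decode_26bit(frame: str) -> Credential:
    """Validate both parity bits, then split out the two fields."""
    if len(frame) != FRAME_BITS or set(frame) - {"0", "1"}:
        raise ValueError("expected exactly 26 bits")
    if frame[:13].count("1") % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if frame[13:].count("1") % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    return Credential(int(frame[1:9], 2), int(frame[9:25], 2))


if __name__ == "__main__":
    sample = encode_26bit(123, 45678)      # constructed sample credential
    print(sample, decode_26bit(sample))
    # The number printed on a card need not equal card_number; the
    # manufacturer's cross-reference sheet maps one to the other.
```

The frame carries 24 bits of static data, and the two parity bits only detect read errors, so a card sends the same bits on every read. That is why a login design built on these cards should treat the card value as an identifier and rely on the second factor for secrecy.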
Re: HID Proximity Cards: Decoded Versus Undecoded Outputs?

on 22.12.2007 21:31:13 by asrbktkd

I have searched for the Wiegand kit. I can't find it anywhere on the
Internet. I would like to purchase one. Anyone have a link?

