An Access Management System Using Contactless Cardsltodi.est.ips.pt/aabreu/121.pdfthat the new reality must be known by each EDL. For achieving this, the IA periodically performs ―query‖

INTERNATIONAL CONFERENCE ON ENGINEERING UBI2011 - 28-30 Nov 2011 – University of Beira Interior – Covilhã, Portugal

An Access Management System Using Contactless Cards Duarte Henriques, Miguel Santos, Rui Pimenta and António Abreu Instituto Politécnico de Setúbal (IPS) – Escola Superior de Tecnologia de Setúbal Campus do IPS, 2910 761 Setúbal, Portugal [email protected]

Conference Topic – CT22, Technological Innovation and Product Development

Abstract

This article describes the ESTAccess project implementation, whose goal is to control and track the accesses of students and teachers to classrooms using a contactless ID card (Mifare-classic). The hardware component is composed by an Electronic Door Lock (EDL) and an Access-Point (AP). The software component is composed by firmware in the EDL, a web interface, a database (DB) and a Java application in a PC. The DB stores any event occurring in the system and allows the creation of rules granting access of users to classrooms, taking into account a timetable and the user type. The java application connects the DB to a network of WiFi APs, using sockets. Several EDLs are wirelessly connected to an AP through a low power, low rate, star-like network. Access events flow from the EDL to the DB, and permissions flow in the opposite direction, in real-time. All this traffic is regulated by a language where the receiver always acknowledges in order to provide robust communication. Also described are experiments and results that empirically prove the compliance and robustness of the system.

Key Words: Access management, proximity card, electronic door lock, MSP430, SimpliciTI, Wi-Fi, Access-Point, Database.

I. Introduction Today, security is a critically important issue, especially in building areas that are frequented by a large number of people. In many situations, documents, equipment, and other assets must be conveniently protected in such crowded environments. The desired security starts at the door of the offices where such assets are, i.e., the first thing to do is to inhibit the access of non authorized personnel to some critical areas. The history of traditional key locks goes back to ancient Greece, making it a successful invention of mankind. However, on one side, security anxiety has risen for many good reasons in the last decades, on the other, employee rotation in big corporations is larger nowadays, making traditional keys less attractive. They are easily duplicated. If it is easy to give someone a key in order to provide access to some place, it is not so easy to get the key back when the access shall be overturned. Also, it is not practical to manage accesses to many different places by way of traditional keys. These are some limitations. Electronics provide many means to make practical access control to offices in different types of buildings, in a secure way. Indeed, there are many ways to realize this, but this paper concerns only EDL where a contactless (credit card size) card plays the role of the key. Although with a history starting around the 1990’s, and in spite of its potential use, our society is not so dominated by the use of contactless cards, but it will be, eventually, either as a key, for ID or payment purposes, or all at the same time. Electronics, computers and networks make possible the development of practical, high security, access control systems. This paper describes one made with cheap, out-of-the shelf, electronic modules and components, open source software, and communication protocols normal in present day public buildings, in our case a university campus. The work reported in this paper was carried out under the final project for obtaining an engineering degree in electronics and computers, in Escola Superior de Tecnologia de Setúbal, of the Instituto Politécnico de Setúbal. It was developed under the support of a grant from the ―3º Concurso para Projectos de Investigação‖.


II. Architecture The general architecture of the system is illustrated in figure 1, where the four main functional components can be identified: EDL, AP, integration application (IA) and DB. From a physical point of view, the system is composed by several EDLs, several APs and a (PC like) computer server. Several EDLs connect to one AP through SimpliciTI[1], in a star-like network configuration. Several APs connect to the computer server through WiFi. The system was designed taking in mind the existence of a WiFi network, but a cabled ethernet could also be used to connect the AP to the server. Many public buildings (as universities are) have WiFi networks, and many more will have it in the near future.

Figure 1 – Project Architecture

A. Components We start by giving a quick look to the main components used in the system. The door lock is the model CARD 300-A (https://www.interportas.net), which needs four 1.5V AA batteries and having 20,000 expected lock releases with the same battery pack (according to the manufacturer). The original transponder works in 125KHz, which is incompatible with the 13.56MHz required by the MIFARE[4,5,6,7,8,9] classic card used by the IPS campus population. This basically means that we had to substitute all the electronics inside the EDL by our own. The card reader is the model SL031 (http://www.stronlink.cn), having an UART interface. The microprocessor board is the eZ430-RF2500T manufactured by Texas Instruments, whose main components are a MSP430F2274 microcontroller[3] and a CC2500 radio operating at 2.4GHz. This board is cheap and TI makes available a good development environment at no cost. The AP functions as a gateway between a network of EDLs (connected by a SimpliciTI network), and the WiFi network. The AP is an electronic board made up of an eZ430-RF2500T and one WiFi transceiver MatchPort b/g (http://www.lantronix.com). The integration application (IA) was codded in Java and the DB was implemented using the Oracle Database 10g Express Edition. Lets give a closer look at the EDL and the AP, which are original electronic circuits.

https://www.interportas.net/

http://www.stronlink.cn/

http://www.lantronix.com/


B. Electronic Door Lock (EDL) Figure 2 shows a set of pictures showing the interior of the lock’s metal enclosure.

Figure 2 – Hardware developed in the door lock

The photo at right shows the main board where the batteries are connected, composed by the power electronics for triggering the electromagnet commanding the lock, a power supervisor, a connector to reprogram the MSP430 microcontroller, and a three-color LED showing the status of operation (batteries requiring substitution, access granted, access not granted, acknowledge received, and no communication with the AP). The second photo from the right shows the eZ430-RF2500T board mounted on top of the base board. Finally, the third photo from the right shows the SL031 card reader. This board must be the last one before the black plastic cover that can be seen at the leftest photo. It must be like this because the card reader requires close proximity to the card in order to read its unique ID without errors. The facts that i) the chip antenna of the CC2500 radio is surrounded by the steel enclosure of the door lock, and ii) the card reader is on top of CC2500 antenna, does not degrade the communication between the EDL and the AP by way of the SimpliciTI RF protocol, as will be made clear by experiments we describe later. We show a block diagram of the electronic circuit inside the EDL in fig. 3.

Figure 3 – Door lock Block diagram

The microcontroller consults the card reader for the presence of cards three times per second. The rest of the time, the card reader is put into sleep mode to save battery power. The radio chip is always ON (although it should not). The microcontroller maintains a small database of card IDs to whom permission must be granted, i.e., the door opens if the card ID is present in the MSP430 internal RAM. This means that the decision about the access permission is local, implying that the EDL works in case the WiFi network is off.


C. Access-Point (AP) The AP is an original electronic board whose main function is to connect two different network wireless protocols. It is then a gateway between a WiFi network and a star-like network of EDLs (the AP being the central node and each EDL the end device). We present two photos of an AP in fig. 4.

Figure 4 – Hardware developed in the Access-Point

As previously stated, the WiFi protocol is implemented by the MatchPort b/g module, and the EDL network is realized by the SimpliciTI protocol performed by the CC2500 radio controller present in the eZ430-RF2500T board (placed vertically, at the right side of the WiFi antenna visible in both photos of fig. 4).

Apart from its (gateway) main function, the AP also has the ability to connect to a wired Ethernet network (which we did not use). All the traffic arriving at the CC2500 radio can be redirected to a RS232 port (and vice versa), and all the traffic arriving at the WiFi module can also be redirected to a second RS232 port (and vice versa too), making these two RS232 ports sniffers to both the SimpliciTI’s and WiFi’s traffic; this was very useful during the development stage. The AP is mains powered, because its gateway function has a 100% duty-cycle.

Figure 5 shows a block diagram of the AP’s electronic circuit.

Figure 5 – Access-Point Block diagram

We now turn our attention to the software modules of the system: the Java application (denoted Integration application) and the DB.


D. Integration application (IA) Implemented in Java, this application links the DB to the EDLs. This connection is bidirectional. The unique ID of each card presented to any EDL is sent to the DB for storage (with the respective timestamp and decision about whether to open the lock). So, the IA executes ―insert into‖ SQL statements into the DB. This is traffic in one direction. Each time an access permission changes (deliberately by the super user, or when out of date) implies that the new reality must be known by each EDL. For achieving this, the IA periodically performs ―query‖ SQL statements (one per 5 seconds) to the permission table in the DB, letting the EDLs know what is new. In practice, this is real-time behavior, a most desirable feature concerning security in access management. This is traffic in the opposite direction. The IA is a threaded application. In particular, both directions are governed by different threads. Network traffic is made through a TCP/IP server socket inside the IA.

E. Database (DB) and Web interface The DB is composed by several tables uniting all the entities required by an access management application, which are persons (having inclusive types student, teacher, visitor, employee), contactless cards (possibly more than one per user), timetables (having due dates), EDLs, rooms (having different exclusive types), buildings, permissions (associating cards to EDLs), accesses (which card was read by which reader), and events (e.g., batteries are almost depleted), and a history of past events from which statistical patterns can be evaluated.

All this information can be accessed through the web (fig. 6), possibly modifiable depending on the user privileges. There are three types of users to which correspond different privileges: superusers, teachers, and students. As examples of the type of permissions/ privileges different users have, we give the following: superusers manage passwords and grant access to teachers and students to particular types of rooms; and teachers grant room access to students. The system also provides alerts, by pop-up windows, when a special event is about to happen, e.g., one day before a deadline the user knows that it will lose access to some classroom or lab.

Figure 6 – Screenshot of the web interface

F. Thread of execution A typical thread of execution in the system is now explained. A superloop seeks a card three times per second, sleeping in between. When a card is read, the microcontroller tests if the card ID is in a list of IDs to which permission must be granted. If it is not, a red LED blinks; If it is, the door lock is released and a green LED blinks.


In either case, a SimpliciTI frame is assembled characterizing the EDL, the card ID and the logic result of the test, and sent to the AP. Each frame sent requires an acknowledge, so the EDL maintains a ring buffer with frames not acknowledged. This ends the cycle. If the process works as expected, a few hundred of milliseconds later the EDL will receive the respective acknowledge frame, and the ring buffer will be cleaned of this frame. If not, 5 seconds later the EDL resends the original frame. This repetition process does not stop until an acknowledge frame is received. The main loop is then composed by the following processes:

card process, as explained first in this section;

frame process, where the EDL deals with frames sent by the IA;

acknowledge process, were the EDL evaluates if it is necessary to resend frames. In the IA the following three threads are running:

Reminder – as explained in the section D (IA);

UpdatePermissions – at the end of each day (23:59:59), a SQL query is performed in the DB, searching for permissions that had changed meanwhile. Each change is converted to a frame that will be sent to the EDL;

TimeOut – takes care of frames sent but not acknowledged. Every 10 secs, the IA resends every frame that was never acknowledged. Each time an acknowledge is received, the corresponding frame is removed from the not-acknowledge-frames list.

G. Network messages Network messages (or frames) between the Information Server (IS) and an EDL follow a a priori specified command set. We implemented a mechanism where the receiver always acknowledges the received messages. There is a set of six different messages or frames:

Insert and respective acknowledge – the IS uses this message to insert a card ID into the list of cards the lock must open. The EDL responds with ACK, if it executed the command with success, or responds with NACK, in case it did not (e.g., it was not possible to insert the card ID because there is not enough memory or because the card ID is already in the list).

Delete and respective acknowledge – the IS sends this message to an EDL when it wants to deny access to a card ID. The EDL responds with ACK in case of success, or NACK, otherwise.

Register and respective acknowledge – an EDL sends this message to the IS when reads a card ID, independently of granting access to the user or not. The server responds with an ACK frame.

Figure 7 illustrates the process of message exchange between the IS and an EDL.

Figure 7 – IS and EDL’s exchange messages in order to one execute commands on the other


We show examples of a register frame and the respective ACK in fig. 8.

Figure 8 – Examples of a register frame and the respective ACK (each square grid is a byte), and IS means Information

Server

As one can see, frames are delimited by start and end bytes, 2A or 23 and 0D, respectively; there is a byte representing the command and two bytes representing the EDL sending/receiving the frame (allowing 65,535 different EDLs). We decided to differentiate between frames sent by the EDL (starting with 2A) from frames sent by the IS (starting with 23), because it helped when using the sniffing capabilities of the AP in the developing stage. In the example of fig. 8, EDL 3738 sent a register frame (byte 52) announcing that card ID C45456E2 was read and the lock was released (byte 53). The IS responded with a Register Acknowledge Frame (command 41).

III. Experiments

In this section we describe several tests with the intent of characterizing the real behavior of the system.

A. Locking mechanism An EDL signals its own status through a three-color LED. An EDL must remain in the unlocked state long enough to allow the user to open the door. Finally, the card reader must poll the antenna for the presence of a card with a duty cycle not too large in order to reduce current consumption. The locking mechanism in the EDL is carried out by an electromagnet, which requires about 250mA at 4V (nominal values) to unlock the door. We wanted to find out the threshold voltage at which the lock starts to operate incorrectly. We started with batteries at almost all-charge (6V), and proceed downwards, measuring how many times the lock operates correctly in 20 attempts. We show the voltage values with respective success rate in tab. 1.

Table 1 – success rate of correct behavior of the electric lock for different voltage values Voltage [V] 6 4.72 4.38 4.18

Success rate [%] 100 95 85 0

Based on these results, we decided to introduce a voltage monitoring circuit tunned for 4.38V, which when reached makes a red LED to blink at 1Hz, letting the user know that batteries should be changed.

B. Power measurement Some experiments were performed in order to estimate the energy consumption of the EDL. Current was measured with a Wavetek Meterman 27XT voltmeter (accuracy of 0.5%) through a 1Ω resistance placed in series with the power supply. The measured current in steady state was 29mA for a total battery voltage of 6.0V. By steady state we mean no card reads and no lock activations. This value is somehow exaggerated, and its due to the voltage regulator and the receive mode of the CC2500 radio, which is always active. The microcontroller polls the card reader three times per second, requiring 75ms in each poll, thus requiring 29mA×0.075×3/3600=1,81µAh from the battery. We now assume that the user


enters its room once per hour (i.e., 24 times per day). The lock requires 250mA for one second to open the door (250mA×1/3600=0.07mAh); the simpliciTI requires 25mA for 500ms to exchange frames with the AP (25mA×0.5/3600=0.0035mAh); and the card reader requires 50mA for 100ms to read the card (50mA×0.1/3600=0.001mAh). The sum of these calculations does not change the grand total due to the low duty cycles, but surely they have an impact on battery duration. The individual capacity of each of the AA alkaline batteries used is 2850mAh; four batteries in series have a total capacity of 11,400mAh. Considering 1.5V the nominal voltage and 0.8V the value at which the battery fails to provide current, then the usable voltage range is 1.50.8=0.7V. The measured threshold voltage (see Locking mechanism test) is 4.38V, so 1.1V per battery, which corresponds to 57% of usable capacity ((1.5-1.1)/0.7×100=57%). We can finally calculate a theoretical value for the lifetime of batteries of approximately 9 days (11400×0.57/29). We do not take into account the self discharge rate of alkaline batteries. According to some manufacturers, this rate would not have a big impact on the calculated battery duration. The current consumption would be greatly reduced if the voltage regulator was replaced by one with switched capacitors (e.g. the MAX604 consumes 15μA in steady state) and if the receive mode of the CC2500 was activated once per minute. According to [11], the CC2500 in receive mode consumes an average current of 18mA for 4ms. Then activating the receive mode once a minute would have a consumption of 18mA×60×4ms/3600=1.2μAh. The consumption of eZ430-RF2500 board would be 1.2μA+(788μA×3600/3600(consumption in idle mode)=789.2μAh. Accounting for the consumption of other components and the AC consumption above referred would give a total of 934μAh. The theoretical value for the battery life would be

C. RF communication Experiments were conducted in order to analyze the occurrence of communication failures. Traffic exchange was observed in the AP through its sniffing capabilities. Another set of tests were centered in evaluating how the metal enclosure of the EDL interferes with card reading, since metal reflects the magnetic field created by the antenna in the card reader, inhibiting its propagation. The setup for the experiment was the server PC and EDL separated by 2m, line-of-sight. A card was presented to the card reader 50 times, at approximately 5cm distance. This process originated 50 SimpliciTI frames (EDL->AP) and 50 WiFi frames (AP->IA) and the same number of frames in the opposite direction. No errors were detected (100% success rate), i.e., the IA received 50 correct (register) frames, and the EDL commanded the electric lock to open 50 times. We conclude that the EDL's metal enclosure, despite being very close to the card reader and very close to the chip antenna of the CC2500 radio, did not cause any communication interference. In another experiment, we tried to analyze the RF interference by creating a hostile environment to the communication between the EDL and the AP (SimpliciTI traffic), in order to experimentally measure how resilient is this RF protocol. SimpliciTI operates at 2.4GHz. Two mobile phones transferred a file via Bluetooth (which also operates at 2.4GHz) and two other mobile phones were simultaneously making a phone call to each other (900/1800MHz central frequencies); all four mobile phones were in a vicinity of about 15cm around the EDL. In the same room, there were also four laptop computers connected to the existent WiFi network (2.4GHz) with their users surfing on the web. The experiment consisted of presenting


a card to the EDL 50 times, and evaluating whether there were errors in the frame. One error was detected in the 200 frames involved, i.e. the success rate was 99.5%.

D. Range of networks This experiment was carried out in a block of offices and classrooms in a faculty of engineering at IPS, aiming at measuring the maximum range of the WiFi and SimpliciTI networks. This is important in determining how many APs should exist in order to serve a certain amount of EDLs, which ultimately permits to evaluate the costs of the system in a real situation. Communication was tested in two different scenarios, evaluating range in two situations: line-of-sight (LOS), and walls as obstacles between transmitter and receiver. We measured 25m until communication by simliciTI was not possible anymore, with emitter and receiver in LOS (1m above ground), and 12m when transmitter and receiver were separated by two walls (15cm thick). In the case of WiFi, we used an AP and a laptop, and measured 32m LOS, and 22m with three walls in between. Next, we were interested in evaluating how many APs would be needed to cover a particular set of offices and classrooms in a floor (illustrated in fig. 9). We installed an EDL in each end of the floor (offices F365 at the right end and F313 at the left end) and realized that one AP is not sufficient because both EDLs are about 60m apart, which is out of the network range. According to the values presented in the third paragraph of this section, the range of a SimpliciTI network would have a maximum radius of 50m. So, two APs would be needed to cover all the (26) EDLs in the floor plan illustrated in fig. 9, and possibly more if there were more offices above and below the ones presented. If APs are placed equidistantly between the floor ends, the best position is the one presented in fig. 9. This floor is equipped with an Access Point to the existent WiFi network (Eduroam), which is located at the wall of classroom F304 in front of the stairs. AP1 and AP2 are within the range of this AP, which means no modifications would be required in order to install the system in this floor. We can conclude that our APs do not increase too much the cost of the system, because its individual cost is not too high and because they cover a large number of EDLs.

Figure 9 – Coverage of SimpliciTI network

IV. Final remarks Most of the current electronic door lock systems operate in a static mode. For instance, the contactless card must be presented to the electronic lock after passing a master card, for the electronic lock to learn the new code. In this case, it is virtually impossible for the electronic lock to unlearn a code without the card’s presence, unless there is a due date or validity for


the code, or the electronic lock memory is cleared. In other cases, the contactless card is programmed in a central desk/office before first use, but the information server has no contact with the electronic locks, making impossible to observe the user’s habits. If something is wrong, the whole process must be repeated, forcing the user to return to the central office in order to have its problem solved, because no operations can be done remotely. There are not many traditional systems where there is communication between the computer server and each door lock, and when this happens the communication is by wires, which endear the system. New generation lock systems do not have these shortcomings. Data flows wirelessly in real-time, from servers to the electronic locks, and vice-versa. The electronic door lock can act as a contactless card programmer, if it is necessary, all in order to provide a high quality of service to its users. The system presented in this paper belongs to a new generation of access control systems. The door lock is low-power, wireless, powered by batteries and applicable to most office doors. The system was planned to use open source or free software (Java, PHP, Apache, Oracle Database Express Edition) and off-the-shelf components, as are current electronic door locks, 8/16-bit microcontrollers, wireless communication modules, contactless card readers, AA batteries, etc., all relatively easy to afford and acquire. The EDL proposed requires only a very small attention from its users. In fact, in principal, it is up to the user to ensure that batteries would not deplete totally. This is made known to the user by a blinking LED. In the future it could also made be known by email; it surely has the potential for that. The system is also secure. User identification is made through smart cards[10]. The web interface is password protected. The WiFi communication is encrypted through WPA/TKIP or WPA2/PSK, and SimpliciTI is encrypted through the 128-bit XTEA algorithm[2]. Many experiments were performed in order to test the compliance of the final product with the requirements, and to measure important practical variables (energy consumption, battery duration, resilience to noise, range, etc.). The presented project was developed as the requirements for completing a three-year engineering degree in electronics and computers in a polytechnic institute in Portugal (usually known as the final project). In this regard, it is very complete in scope, covering hardware, firmware and software development.

V. References [1] Friedman, Larry, SimpliciTI Application Programming Interface, version 1.2, Texas Instruments, San Diego, USA, 2009. [2] Friedman, Larry, SimpliciTI Security, version 1.10, 6 pages, San Diego, USA, 2009. [3] Baugh, Tom, MSP430 State Machine Programming with the ES2274, first edition, Softbaugh, Inc., 2008. [4] Final Committee Draft, ISO/IEC 14443-1, Identification cards - Contactless integrated circuit(s) cards - Proximity cards, Part 1: Physical characteristics, ISO/IEC, 1997. [5] Final Committee Draft, ISO/IEC 14443-2, Identification cards – Contactless integrated circuit(s) cards – Proximity cards – Part 2, Editor D. Baddeley, Motorola, ISO/IEC, 1999. [6] FINAL COMMITTEE DRAFT, ISO/IEC 14443-3, Identification cards — Contactless integrated circuit(s) cards — Proximity cards — Part 3: Initialization and anticollision, Editor D. Baddeley, Motorola, ISO/IEC, 1999. [7] Identification cards — Contactless integrated circuit(s) cards — Proximity cards — Part 4: Transmission protocol, Editor Hauke Meyn. [8] Identification cards — Test methods — Part 6: Proximity cards, ISO/IEC, 2000. [9] MF1 IC S50, Functional specification, Rev. 5.2, NXP, 2007. [10] Logical Access Security: The Role of Smart Cards in Strong Authentication, Smart Card Alliance, New Jersey, EUA, 2004. [11] http://cnx.org/content/m21606/latest/?collection=col10684/latest.

http://cnx.org/content/m21606/latest/?collection=col10684/latest

Documents

An Access Management System Using Contactless Cardsltodi.est.ips.pt/aabreu/121.pdfthat the new reality must be known by each EDL. For achieving this, the IA periodically performs ―query‖