RFID access control systems are now found everywhere in daily life, and in recent years demand has grown for high-security access control systems in key national departments, financial institutions, military units and similar sites. Because the RFID access control systems currently in wide use have serious security loopholes, the National Cryptography Administration, in accordance with the spirit of National Document No. 273 of 1998 and the needs of national security, issued the "Letter on Requesting Assistance in the Management of IC Card System Passwords" to central and national agencies, and issued the "Notice on Strengthening the Management of IC Card System Passwords" and other documents to the password management departments of the provinces (autonomous regions and municipalities). In April 2009, the "Guidelines for the Application of Passwords for Important Access Control Systems" set out specific requirements for upgrading existing important RFID electronic access control systems and for securing newly built ones, and provided guidance on the password application methods that meet those security requirements. Incorporating the SM7 national secret algorithm into the access control system therefore provides an important guarantee for the security of access control applications.
Under the guidance of the State Cryptography Administration, Guangdong Huada Integrated Technology Co., Ltd. proposed an important RFID electronic access control system SM7 password security solution that meets the national password management requirements. The key products in the solution are the contactless logic encryption card chip CIR72128BA that supports the SM7 block cipher algorithm and the security module HDSM007 in the access control reader.
This solution applies to the following two situations:
Design and implementation of new important access control systems;
The modification and upgrade of important access control systems whose password systems have not been approved by the National Cryptography Administration.
1. System composition
This solution uses a contactless logic encryption card based on the SM7 algorithm as the access card. The system structure is shown in Figure 1.
2. Cryptographic System Overview
The important RFID access control system based on China's SM7 cryptographic algorithm comprises an application subsystem and a key management and card issuance subsystem, as shown in Figure 2.
This solution uses the SM7 block encryption algorithm specified by the National Cryptography Administration in two places: for key dispersion (diversification), so that every card has its own key (one card, one key), and for identity authentication between access control cards and access control card readers.
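The following sketch illustrates the two uses described above: deriving a per-card key from a root key and the card UID, then running a two-way challenge-response between card and reader. It is an added example, not code from the vendor or the original article. The page does not give the SM7 algorithm or the message formats, so HMAC-SHA256 truncated to 128 bits stands in for SM7, and the class names, labels, nonce length and sample UIDs are all hypothetical.

```python
import hashlib
import hmac
import secrets

def prf(key: bytes, data: bytes) -> bytes:
    # Stand-in for SM7 (assumption): HMAC-SHA256 truncated to 128 bits.
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

def diversify(root_key: bytes, uid: bytes) -> bytes:
    """One card, one key: derive the card key from the root key and 7-byte UID."""
    if len(uid) != 7:
        raise ValueError("UID must be 7 bytes")
    return prf(root_key, b"card-key" + uid)

class Card:
    def __init__(self, uid: bytes, card_key: bytes):
        self.uid, self._key, self._nonce = uid, card_key, None

    def respond(self, reader_nonce: bytes):
        """Prove knowledge of the card key and challenge the reader in turn."""
        self._nonce = secrets.token_bytes(8)
        return prf(self._key, b"card" + reader_nonce + self.uid), self._nonce

    def verify_reader(self, proof: bytes) -> bool:
        if self._nonce is None:
            return False  # no challenge outstanding
        nonce, self._nonce = self._nonce, None  # each challenge is single-use
        return hmac.compare_digest(prf(self._key, b"reader" + nonce + self.uid), proof)

class Reader:
    """Holds only the root key; card keys are re-derived per UID."""
    def __init__(self, root_key: bytes):
        self._root = root_key

    def authenticate(self, card: Card) -> bool:
        key = diversify(self._root, card.uid)
        nonce = secrets.token_bytes(8)
        card_proof, card_nonce = card.respond(nonce)
        if not hmac.compare_digest(prf(key, b"card" + nonce + card.uid), card_proof):
            return False  # card lacks the key that belongs to its claimed UID
        return card.verify_reader(prf(key, b"reader" + card_nonce + card.uid))

def demo():
    root = secrets.token_bytes(16)  # constructed 128-bit root key
    uid_a, uid_b = bytes.fromhex("04a1b2c3d4e5f6"), bytes.fromhex("04112233445566")
    genuine = Card(uid_a, diversify(root, uid_a))
    clone = Card(uid_a, diversify(root, uid_b))  # UID A with card B's key
    return Reader(root).authenticate(genuine), Reader(root).authenticate(clone)
```

Because each card key depends on the UID, a key extracted from one card does not authenticate under any other UID, and only the reader's security module needs to hold the root key.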
3. Application subsystem
The application subsystem consists of access control cards, access control card readers and a background management system; the cryptographic module in each device provides cryptographic protection for the system. Its block diagram is shown in Figure 3.
3.1. Security Module
The access control card reader is produced by Beijing CEC HuaDa Electronic Design Co., Ltd. and has passed the security review of the State Cryptography Administration. It contains an electronic tag read/write security module with the SM7/SM1 cryptographic algorithms and a true random number generator (already available in volume). The module is responsible for storing the system root key, performing the cryptographic operations inside the card reader, and verifying the legitimacy of the access control card.
3.2. Communication with the backend management system
Communication between the access control reader and the background management system uses the widely used RS485 transmission protocol (no byte limit for transmission). The protocol adopted by this system is two-way: the access control reader can send data to the background management system, and the background management system can also send data to the access control card reader. In addition, the unique identification of the access control card (the SM7 electronic tag or card) is encrypted for transmission (for example with the DES algorithm). In this way, the background management system, the access control card reader and the SM7 card are each indispensable, and the combination of the three is safer and more reliable.
3.3 Access Card
The access control card uses the CIR72128BA tag chip (already available in volume), which has passed the security review of the National Cryptography Administration and implements the SM7 block cipher algorithm. The issuance information and card key are stored in the card so that the access control card reader or background management system can authenticate the access control card.
CIR72128BA Chip Overview
CIR72128BA is a single-interface contactless logic encryption card chip that complies with the ISO/IEC 14443-2/-3 Type A specifications. The chip integrates 128 bytes of EEPROM and a hardware coprocessor for the domestic SM7 encryption algorithm, combining low cost with high security. It can be used for one-way tickets in public transportation networks and for tickets to large-scale conferences or sports events, replacing the paper tickets commonly used today.
Standard Features of CIR72128BA
Complies with ISO/IEC 14443-2 and 14443-3; Type A contactless logic encryption memory card
Carrier frequency 13.56 MHz, subcarrier frequency 847 kHz, data communication rate 106 kbps
Supports short frames, standard frames and anti-collision frames
Supports secondary anti-collision
Working field strength range 1.5 A/m to 7.5 A/m
Up to 128 bytes of EEPROM, divided into UID area, OTP area, user data area and key area
EEPROM is programmed by block; each block is 4 bytes and the programming time is 5 ms
EEPROM data retention time is greater than 10 years, and the number of erase/write cycles is greater than 100,000
Safety features of CIR72128BA:
Domestic encryption algorithm SM7
Random Number Generator
Two 128-bit keys used for authentication: one read key and one write key
Two-way authentication process complies with the national secret "SM7 Cryptographic Product Technical Requirements"
Communication encryption process complies with the national secret "SM7 Cryptographic Product Technical Requirements"
7-byte UID
4. Introduction to SM7 Algorithm
4.1 SM7 algorithm applies to:
SM7 is suitable for contactless IC card applications including identity recognition applications (access cards, work cards, competition cards), ticketing applications (tickets for large events, exhibition tickets), payment and pass applications (points consumption cards, campus cards, corporate cards, bus cards).
4.2 Security requirements and corresponding algorithms:
| Security requirements | Security measures | Foreign algorithms | National secret algorithms |
|---|---|---|---|
| Identity authentication | Security demonstration | M1/DES/AES | SM7/SM1 |
| Data confidentiality | Communication encryption | M1/DES/AES | SM7/SM1 |
| Anti-forgery | Encryption verification, digital signature | DES/AES, RSA/ECC/SHA | SM1/SM2/SM3 |
| Prevent tampering | | | |
| Anti-repudiation | Digital signature | RSA/ECC/SHA | SM1/SM2/SM3 |
4.3 Comparison between SM7 and M1
| Comparison content | SM7 algorithm | M1 algorithm |
|---|---|---|
| Key type | Symmetric key | Symmetric key |
| Application type | Stream encryption, block encryption | Stream encryption |
| Key length | 128 bit | 48 bit |
| Algorithm structure | Group permutation | Linear shift |
| Applicable products | Logic encryption | Logic encryption |
5. Features of the solution
This solution uses commercial cryptographic algorithm products approved by the National Cryptography Administration: contactless logic encryption cards and SM7 security modules that support the SM7 block cipher algorithm, with reliable security guarantees.
System development with the logic encryption card is simple, and the upgrade and transformation cycle is short. The commercial encryption products required to implement this solution are already available in volume.
Postscript
After the Mifare One algorithm was found to have security issues, the relevant national management departments strengthened the management of important access control systems for governments and enterprises, requiring that important access control systems use domestic encryption algorithms and that access control products be included in the national commercial password management system. For access control system manufacturers, this is a new standard for production and technical management, requiring companies to develop a new series of access control products while strengthening the security management of product research, development and production. At the same time, it gives some manufacturers an opportunity to improve the competitiveness of their own products.