A discussion of security vulnerabilities in access controllers

The access control system is one of the most important subsystems of a security system, and the access controller is the core of the access control system. Many large manufacturers of security equipment have access controllers of their own brand, and quite a few of these are foreign products. Apart from the stability and reliability we require of them, might these products also carry hidden security risks? This point deserves our full attention.

II. Overview of access control systems

Classified by structure, access controllers fall into two broad categories: the integrated access control unit and the stand-alone access controller. The integrated unit is a structure with relatively low security, because it combines the identity recognition part and the processing and control part of the access control system in one device. When it is installed, the whole unit inevitably sits outside the door, which increases the chance that the device is tampered with or destroyed. A stand-alone access controller, by contrast, is connected to the identity recognition part by a signal line: the recognition information travels over the signal line and the controller completes the door-opening operation. The controller can therefore be installed inside the door, which improves the security of the equipment. Here we mainly discuss the security problems of stand-alone access controllers.

A stand-alone access controller must communicate with the front-end recognition device, and two communication methods are in common use today: the RS485 bus and the Wiegand interface.

RS485 communication uses a twisted pair for half-duplex communication with balanced transmission and differential reception, so it can suppress common-mode interference; the transmission distance can reach several kilometres and high-speed data transfer is possible. RS485 uses a bus topology, which lets several devices operate normally, and because it is serial communication every device attached to the bus has its own ID address. During data communication the system guarantees that only one device on the bus is transmitting while all the others are receiving; the devices exchange data using a manufacturer-defined protocol.

An access controller communicating over RS485 can have several readers attached; the data transfer process is shown in Figure 1. Every reader and the access controller each have their own ID address, and all data passed over the RS485 network carries address information. Only one device on the network transmits and all the others receive; a device processes data addressed to itself and discards commands addressed to others. In such a system the access controller polls the readers in turn, so that one controller manages several readers.

Wiegand communication is a general-purpose protocol frequently used in security systems for short-range, point-to-point communication over a two-wire line. The most common format is Wiegand26, which sends data "0" and "1" over the two data lines DATA 0 and DATA 1 respectively; each frame carries 26 bits. The data sequence is formed from pulses generated separately on the two data lines, and the communication distance is about 10 metres.

III. Security issues

Comparing the two commonly used communication modes: RS485 bus communication uses a protocol defined by the manufacturer, whereas Wiegand uses a common protocol. A custom protocol leaves the designer much more room, so this is the communication mode we study and discuss here. In an access control system the access controller is mostly connected over the RS485 bus to front-end devices such as proximity readers, keypads, magnetic card readers and fingerprint readers; devices communicating over the RS485 serial bus must exchange data according to the manufacturer's own communication protocol, so manufacturers of access controllers also produce the compatible front-end devices.
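As an added illustration of the Wiegand26 framing described above (example code written for this edit, not taken from the original article), the following Python models the reader's DATA 0 / DATA 1 pulses as a list, rebuilds the 26-bit frame and validates it the way a receiving controller would. The bit layout it assumes (one even-parity bit, an 8-bit facility code, a 16-bit card number, one odd-parity bit) is the common Wiegand26 layout and is not stated on the page; all function and variable names are the example's own.

```python
from typing import List, Tuple

# Common 26-bit Wiegand layout (assumed here; the page only states the 26-bit frame):
#   bit 0       even parity over bits 1..12
#   bits 1..8   8-bit facility code
#   bits 9..24  16-bit card number
#   bit 25      odd parity over bits 13..24
FRAME_BITS = 26


def _ones(bits: List[int]) -> int:
    return sum(bits) & 1  # 1 if the group holds an odd number of ones


def encode_wiegand26(facility: int, card: int) -> List[int]:
    """Build the 26-bit frame a reader would send for (facility, card)."""
    if not 0 <= facility < 2**8 or not 0 <= card < 2**16:
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    payload = [(facility >> i) & 1 for i in range(7, -1, -1)]
    payload += [(card >> i) & 1 for i in range(15, -1, -1)]
    even = _ones(payload[:12])      # makes the count of ones in bits 0..12 even
    odd = _ones(payload[12:]) ^ 1   # makes the count of ones in bits 13..25 odd
    return [even] + payload + [odd]


def bits_to_pulses(bits: List[int]) -> List[str]:
    """Each bit becomes a pulse on DATA 0 or DATA 1, as the article describes."""
    return ["DATA1" if b else "DATA0" for b in bits]


def pulses_to_bits(pulses: List[str]) -> List[int]:
    mapping = {"DATA0": 0, "DATA1": 1}
    return [mapping[p] for p in pulses]  # KeyError on an unknown line name


def decode_wiegand26(bits: List[int]) -> Tuple[int, int]:
    """Check both parity bits and extract (facility, card); raise on a bad frame."""
    if len(bits) != FRAME_BITS:
        raise ValueError(f"expected {FRAME_BITS} bits, got {len(bits)}")
    if _ones(bits[0:13]) != 0:
        raise ValueError("even parity check failed")
    if _ones(bits[13:26]) != 1:
        raise ValueError("odd parity check failed")
    facility = int("".join(map(str, bits[1:9])), 2)
    card = int("".join(map(str, bits[9:25])), 2)
    return facility, card


def receive(pulses: List[str]) -> Tuple[str, int, int]:
    """Controller-side receive: ('ok', facility, card) or ('reject', 0, 0)."""
    try:
        facility, card = decode_wiegand26(pulses_to_bits(pulses))
        return ("ok", facility, card)
    except (ValueError, KeyError):
        return ("reject", 0, 0)


def corrupt(pulses: List[str], index: int) -> List[str]:
    """Constructed line glitch: move one pulse to the other data line."""
    out = list(pulses)
    out[index] = "DATA0" if out[index] == "DATA1" else "DATA1"
    return out


if __name__ == "__main__":
    trace = bits_to_pulses(encode_wiegand26(123, 45678))  # constructed sample card
    print(receive(trace))              # ('ok', 123, 45678)
    print(receive(corrupt(trace, 5)))  # ('reject', 0, 0)
```

Parity catches a single flipped pulse, as corrupt() shows, but two flips inside the same parity group pass unnoticed, and any correctly formed frame is accepted regardless of whose card it encodes: the link itself carries no authentication. That is why the defence the article goes on to describe is a check of the card code against trusted data rather than a link-level check.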
This leads to a situation in which the access controller, the front-end devices and the communication protocol between them are all designed and produced by a single manufacturer. In that case the possibility that the access controller contains a "back door card" cannot be excluded. By "back door card" we mean a back door reserved in the access controller by its manufacturer for some purpose: when a specific card, or a certain combination of operations, is used, a card that was never registered can make the controller open the door. If an access control system is attacked with a "back door card", it is broken through in an instant, and all the effort spent reinforcing the perimeter is wasted at that moment. Although this is only a conjecture, at the technical level implementing such a "back door card" function is entirely possible, and it is a problem that worries our customers, especially users with special security requirements.

IV. Solution

1. Working principle of the access controller

To block "back door card" access we must first become familiar with the working principle of the access control equipment, understand how the various devices cooperate, and master the operating mechanism; only then can we find a solution. To illustrate the problem we build a simplified model of an access control system in which one access controller manages one proximity reader and the two communicate over RS485. The system workflow is shown in Figure 2.

Figure 2: Access control system workflow

The access controller works in two modes: polling mode and identification mode. In polling mode the controller continuously sends query codes to the reader and receives the reader's reply commands.
This continues until the reader senses a card. When the reader senses a card, it gives a different reply to the controller's polling command: in that reply the reader transmits the internal code data read from the proximity card to the access controller, which switches the controller into identification mode. In identification mode the controller analyses the card code, compares it with the card data stored in the device, and carries out the follow-up action. When the controller has finished acting on the received data it sends the reader a reply command that restores the reader's state, and at the same time the controller returns to polling mode.

2. Working principle of the data filter

From the workflow of the controller and the reader described above, we can see that opening a door takes the following steps:
1) the proximity reader reads the card information and obtains the card's internal code;
2) the proximity reader passes the card information to the access controller;
3) the access controller compares the card data read by the reader with the information in the system memory;
4) the access controller drives the door-opening control circuit according to the result of that judgement.
Step 1 is completed inside the reader and steps 3 and 4 inside the access controller; these are fixed in the devices and cannot be changed. Step 2, however, is completed over the RS485 communication line connecting the two devices, and this creates the conditions for us to prevent the "back door card" at its root.
We therefore design a device called a data filter and install it in the serial data communication channel. Every card code passing through the device is compared: recognised card code data is sent on to the access controller for the follow-up operation, and unrecognised data is discarded directly. "Back door card" data thus simply cannot be sent to the access controller, and the information path of the "back door card" is cut off at its root. The block diagram of the data filter's operation is shown below.

Block diagram of the data filter's operation

Like the access controller, the data filter normally works in polling mode: it continuously sends polling data to the proximity reader and waits to obtain the internal code data of a proximity card. During this process the proximity reader is completely separated from the access controller, and the controller's polling commands to the reader are performed entirely by the data filter. Only when the data filter has obtained card information and passed its own verification does it send the data to the access controller, establishing the connection between reader and controller. The data source against which the filter verifies is card internal code data obtained through a reliable channel. The internal code of a "back door card" can never be passed into the data filter, so the "back door card" attack is blocked.

3. Hardware implementation of the data filter

Based on the above idea, the hardware circuit can be implemented with a single-chip microcontroller; the hardware block diagram is shown in Figure 4. One serial port of the microcontroller communicates with the access controller and the reader; a switching circuit on that serial port ensures that at any given moment it communicates with only one of the two devices, and every command sent to the access controller is one that the microcontroller's program has confirmed to be legitimate, which achieves data selection and isolation.
At the same time, through another serial port the microcontroller monitors the communication between the access controller and the management computer; by analysing the content of that communication it obtains the legitimate card code data and stores it in a large-capacity E2PROM as the basis for data comparison.

Figure 4: Hardware block diagram of the data filter

4. Software flow of the data filter

The serial port connected to the access controller and the proximity reader is the communication port. In polling mode the data filter simulates the access controller through this serial port: it sends a query command to the proximity reader; if the reader has not sensed a card it sends a "no card" reply, and the data filter begins the next round of queries. When the reader has sensed a card it sends the card data to the data filter. The data filter enters identification mode and compares the card data with the data in local storage. If the data does not exist, it is discarded, the filter replies to the reader that the data has been received, and the filter returns to polling mode and starts the next round of queries. If the data is found in memory, the card is legitimate and the data must be sent to the access controller. The device first switches the serial port so that the microcontroller communicates with the access controller, forwards the data received from the reader to the controller unchanged, and waits for the controller's reply. Once the reply is received, it switches the serial port back to the reader and forwards the controller's reply command; when the data transfer is complete the data filter returns to polling mode and begins the next round of queries. The detailed comparison flow is shown in Figure 5.
Figure 5: Comparison flow of the data filter

By monitoring in real time the communication between the access controller and the management computer, the data filter obtains the legitimate card code data and stores it in the filter's E2PROM as the basis for future comparisons. Its workflow is as follows: the data filter monitors all commands sent by the computer to the access controller, analyses them to extract the card-adding and card-changing operations carried in those commands, and applies the corresponding add and change operations to the proximity card code data stored in the E2PROM, which keeps the data stored in the data filter consistent with that in the access controller.

Workflow of the data filter

In practice, because the access controller, the front-end devices and the communication protocol between them are produced by the same manufacturer, the security risk of a "back door card" may exist. Special departments and critical sectors have special security requirements; for them, the protection an access control system provides concerns not only its safe use but also the security and reliability of the devices themselves. The data filter concept presented in this paper can effectively prevent "back door card" attacks on the access control system and protect the system's own security.
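The following Python simulation, added here as an example and not part of the article or of any product, puts the controller/reader polling cycle of section IV.1, the four-step door-opening procedure of section IV.2, the filter's software flow of section IV.4 and the E2PROM synchronisation described above into runnable form. Everything protocol-specific is constructed: the frame format, command names, device addresses, card codes and the host command text are invented for the example, since the real RS485 protocol is manufacturer-defined. The controller's `hidden` set is only a hypothetical stand-in for the article's conjectured back-door code, not a description of any real controller, and the synchronisation part also accepts a delete command, which the article's description does not mention.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed toy protocol; the real RS485 protocol is manufacturer-defined (section II).
CONTROLLER_ID, READER_ID = 0x01, 0x10

@dataclass(frozen=True)
class Frame:
    dst: int        # every frame carries addresses, as the article describes for RS485
    src: int
    cmd: str        # "POLL", "NO_CARD", "CARD" or "ACK"
    data: str = ""  # card internal code (hex text) in CARD frames

class Reader:
    """Proximity reader (step 1): answers POLL, returns to idle on ACK."""
    def __init__(self, addr: int) -> None:
        self.addr, self.presented = addr, None
    def present(self, code: str) -> None:
        self.presented = code
    def handle(self, frame: Optional[Frame]) -> Optional[Frame]:
        if frame is None or frame.dst != self.addr:   # not addressed to us: discard
            return None
        if frame.cmd == "POLL":
            if self.presented is None:
                return Frame(frame.src, self.addr, "NO_CARD")
            return Frame(frame.src, self.addr, "CARD", self.presented)
        if frame.cmd == "ACK":
            self.presented = None                    # the reply restores the reader's state
        return None

class Controller:
    """Access controller (steps 3 and 4). `hidden` is a hypothetical stand-in for the
    article's conjectured back-door codes: unregistered codes it would still open for."""
    def __init__(self, addr: int, registered: Iterable[str], hidden: Iterable[str] = ()) -> None:
        self.addr, self.opened = addr, []
        self.registered, self.hidden = set(registered), set(hidden)
    def handle(self, frame: Frame) -> Optional[Frame]:
        if frame.dst != self.addr or frame.cmd != "CARD":
            return None
        if frame.data in self.registered or frame.data in self.hidden:
            self.opened.append(frame.data)           # drive the door-open circuit
        return Frame(frame.src, self.addr, "ACK")

def direct_cycle(controller: Controller, reader: Reader) -> str:
    """One polling cycle with the reader wired straight to the controller (no filter)."""
    reply = reader.handle(Frame(reader.addr, controller.addr, "POLL"))
    if reply is None or reply.cmd == "NO_CARD":
        return "idle"
    reader.handle(controller.handle(reply))          # step 2 happens unchecked
    return "forwarded"

class DataFilter:
    """Sits in the serial channel; its whitelist plays the part of the filter's E2PROM."""
    def __init__(self, whitelist: Iterable[str]) -> None:
        self.whitelist, self.dropped = set(whitelist), []
    def cycle(self, controller: Controller, reader: Reader) -> str:
        # Polling mode: the filter, impersonating the controller, queries the reader.
        reply = reader.handle(Frame(reader.addr, controller.addr, "POLL"))
        if reply is None or reply.cmd == "NO_CARD":
            return "idle"
        # Identification mode: compare the card code against local storage.
        if reply.data not in self.whitelist:
            self.dropped.append(reply.data)
            reader.handle(Frame(reader.addr, controller.addr, "ACK"))  # "received": reset reader
            return "dropped"
        # Legitimate card: switch the port to the controller, forward the frame unchanged,
        # wait for its reply, then switch back and forward that reply to the reader.
        reader.handle(controller.handle(reply))
        return "forwarded"
    def observe_host_command(self, line: str) -> None:
        """Mirror the computer's card commands (constructed text format) into the whitelist."""
        op, *args = line.split()
        if op == "ADD":
            self.whitelist.add(args[0])
        elif op == "DEL":
            self.whitelist.discard(args[0])
        elif op == "CHG":
            self.whitelist.discard(args[0])
            self.whitelist.add(args[1])

def demo() -> dict:
    registered, backdoor = "A1B2C3", "FFFFFF"      # constructed card codes
    results = {}
    c, r = Controller(CONTROLLER_ID, [registered], hidden=[backdoor]), Reader(READER_ID)
    r.present(backdoor)
    direct_cycle(c, r)                               # wired directly: the door opens
    results["unfiltered_opened"] = list(c.opened)
    c, r = Controller(CONTROLLER_ID, [registered], hidden=[backdoor]), Reader(READER_ID)
    f = DataFilter([registered])
    r.present(backdoor)
    results["filter_backdoor"] = f.cycle(c, r)       # dropped at the filter
    r.present(registered)
    results["filter_registered"] = f.cycle(c, r)     # forwarded and opened
    results["filtered_opened"] = list(c.opened)
    for line in ["ADD 00AA11", "CHG 00AA11 00BB22", "DEL A1B2C3"]:
        f.observe_host_command(line)                 # keep the table consistent
    results["whitelist"] = sorted(f.whitelist)
    return results
```

Running demo() shows the two cases side by side: with the reader wired directly to the controller the unregistered code reaches the controller and the door opens, whereas with the filter in the channel it is dropped at the filter, the reader is reset as if the controller had answered, and the controller only ever sees the registered card. The filter is only as good as its whitelist, which is why the last part mirrors the host-to-controller card commands into it.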