access control

from Wikipedia, the free encyclopedia

Access control regulates access according to a set of rules defined by the operator, "WHO − WHEN − WHERE", so that only authorized persons have access to the areas of a building or the protected areas of a site that have been released for them. Access authorizations can be limited in time (expiry period, time of day). Access authorization can be checked by people, e.g. employees of a security service, or by technical access control systems on the basis of proof of identity.

Technical access control system

Identification means

Active, passive and biometric identification means can serve as media for access control.


Active identification means are battery-operated. Either the battery in the identification means supplies the decision electronics of the locking system with energy via a contact, or the identification means sends contactless signals to the locking system via radio or infrared. The latter is increasingly used in modern automobiles, for example.


Access control using a driver card.

Passive identification media are likewise divided into contact-based and contactless media. This is where the range of technologies used is greatest.


Contactless proximity systems use various RFID technologies. The Legic and Mifare (13.56 MHz) or Hitag and EM4102 (125 kHz) systems, which are widely used in Germany, work with passive transponders and, depending on the permitted transmission power and the antenna, achieve a typical reading distance of a few centimeters up to a meter. Media in ISO card format (plastic card), as a key fob or as a bracelet are common. Contactless systems can also be integrated into wristwatches, cell phones, mechanical keys and items of clothing or fashion accessories.

Transponders can even be surgically implanted under the skin. The process is particularly common in the identification of animals; implants for use in humans also exist.


Today, magnetic stripe cards are generally no longer considered secure enough because they can be copied without great technical effort. In addition, the cards are subject to high wear and tear. Nevertheless, this system is still popular in hotels, for example, because it is very inexpensive to manufacture. However, the magnetic card is increasingly being replaced by the chip card, such as the smart memory card (similar to the health insurance card). This also has the advantage that the locking authorization data can be stored in encrypted form when a so-called Smart Processor Card is used. In addition, a larger memory than on a magnetic stripe is possible. The main area of application for the chip card is also the hotel industry.

The so-called iButton, a brand name of Dallas Semiconductor, has also established itself in the area of access control. The iButton is based on single-wire technology, in which just two contacts are sufficient to exchange data between the identification means and the decision electronics. This enables an extremely compact and robust design.

Passwords or PINs can also serve as a further passive means of identification, for example as a door opening code that is entered on a numeric keypad.

Mobile phone as a means of identification

Since 2006 it has been possible to use the mobile phone via Bluetooth as an identification means, i.e. as a key.

A distinction is made between two systems:

  • Those that get by without special software on the mobile phone. Only the MAC address of the Bluetooth interface is read out, i.e. the system checks which mobile phone a nearby device claims to be. Some systems, such as those from SOREX, also support a password without software on the mobile phone.
  • Those that use special software to request a password on the mobile phone.

Modern access control systems allow the use of mobile phones as identification means using near field communication and can thus simulate the functionality of chip cards.

There are providers of various systems on the market.


Furthermore, biometric features such as

can be used for identification or verification.

Counterfeit security

In order to reliably prevent the duplication of ID cards, crypto chip cards are increasingly being used, which authenticate according to the challenge-response procedure. The encryption methods used are usually DES or Triple DES. These cards include, for example, the TCOS chip card or the Mifare DESFire. In addition, a PIN can be used with these cards, with which the owner must identify himself to the card as a legitimate user. These two functions are among the basic requirements for fulfilling the BSI guideline BSI - TL 03403 (formerly BSI 7551) Class 3. Specifications for the secure use of chip cards in access control systems and other applications are contained in the technical guideline BSI - TR 03126-5 of the BSI.
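The challenge-response procedure described above, sketched as an added example (not taken from the article or from any card vendor). HMAC-SHA256 stands in for the card's DES/Triple DES computation, and the `Card` and `Reader` classes, the card ID and the key are constructed for illustration. It shows why a response recorded from one session is useless against the next challenge, unlike a static value read from a magnetic stripe.

```python
import hashlib
import hmac
import secrets

def _mac(key: bytes, card_id: str, challenge: bytes) -> bytes:
    # Assumption: HMAC-SHA256 replaces the DES/3DES operation a real card performs.
    return hmac.new(key, card_id.encode() + challenge, hashlib.sha256).digest()

class Card:
    """Constructed model of a crypto chip card; the key never leaves the card."""
    def __init__(self, card_id: str, key: bytes):
        self.card_id, self._key = card_id, key

    def respond(self, challenge: bytes) -> bytes:
        return _mac(self._key, self.card_id, challenge)

class Reader:
    """Constructed model of the reader / decision electronics."""
    def __init__(self, keys: dict):
        self._keys = keys          # card_id -> shared secret key
        self._pending = {}         # card_id -> outstanding challenge

    def challenge(self, card_id: str) -> bytes:
        nonce = secrets.token_bytes(16)   # fresh and unpredictable per attempt
        self._pending[card_id] = nonce
        return nonce

    def verify(self, card_id: str, response: bytes) -> bool:
        nonce = self._pending.pop(card_id, None)   # each challenge is single-use
        key = self._keys.get(card_id)
        if nonce is None or key is None:
            return False                            # default deny
        return hmac.compare_digest(_mac(key, card_id, nonce), response)

def demo():
    key = secrets.token_bytes(32)
    card = Card("card-0001", key)
    reader = Reader({"card-0001": key})

    recorded = card.respond(reader.challenge(card.card_id))
    genuine = reader.verify(card.card_id, recorded)      # live card: accepted

    reader.challenge(card.card_id)                       # new session, new nonce
    replayed = reader.verify(card.card_id, recorded)     # old response: rejected
    unsolicited = reader.verify(card.card_id, recorded)  # no open challenge: rejected
    return genuine, replayed, unsolicited

if __name__ == "__main__":
    print(demo())
```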

Structure of an electronic access control system

A system consists of at least three components that can be housed in one or more physical devices. The sensor records the identification or verification of the user and transmits this to the access control center, in which the WHO-WHEN-WHERE rules are applied. If the user is authorized, an actuator is controlled and access is granted. The access control center either makes this decision itself (offline system) or first has it confirmed by a central control body (online system).

Access control systems usually appear in a central or decentralized topology or a mixed form. With a central arrangement, all sensors (readers) and actuators (door openers, locks, etc.) are connected to the centrally installed access control center, which is usually housed in a secure area such as a technical room. In a decentralized arrangement, there are many smaller, often networked, access control centers in the immediate vicinity of the sensor and actuator. These either work independently and are networked via Ethernet, EIB or serially via RS485, or are connected to a central main control. The controls store up to thousands of access authorizations and logs internally, even if the network fails. Several sensors such as door and bolt contacts can also be connected to the controls. This means that attempts to compromise and break in can be detected and passed on to an intrusion alarm system.
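How an access control center could apply the WHO-WHEN-WHERE rules from its locally stored authorizations and keep its own log, as an added example (not from the article or any product). The `Authorization` fields, the reason strings, the holder ID and the door names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime, time

@dataclass(frozen=True)
class Authorization:
    holder: str        # WHO
    doors: frozenset   # WHERE: doors released for this holder
    days: frozenset    # WHEN: weekdays, Monday = 0
    start: time        # WHEN: daily window start
    end: time          # WHEN: daily window end
    expires: date      # last day on which the authorization is valid

def decide(auths, holder, door, when):
    """Return (granted, reason). Anything not explicitly allowed is denied."""
    reason = "unknown holder"
    for a in (a for a in auths if a.holder == holder):
        if door not in a.doors:
            reason = "door not released"
        elif when.date() > a.expires:
            reason = "authorization expired"
        elif when.weekday() not in a.days or not (a.start <= when.time() <= a.end):
            reason = "outside time window"
        else:
            return True, "granted"
    return False, reason

class Controller:
    """Decides from its local store, so it keeps working if the network fails."""
    def __init__(self, auths):
        self.auths, self.log = list(auths), []

    def request(self, holder, door, when):
        granted, reason = decide(self.auths, holder, door, when)
        self.log.append((when.isoformat(), holder, door, granted, reason))
        return granted   # True would drive the actuator (door opener)

# Constructed sample data: one employee, two doors, Mon-Fri 07:00-19:00.
SAMPLE = [Authorization("E-1001", frozenset({"lobby", "lab"}),
                        frozenset(range(5)), time(7), time(19), date(2024, 12, 31))]

if __name__ == "__main__":
    ctl = Controller(SAMPLE)
    ctl.request("E-1001", "lab", datetime(2024, 6, 3, 9, 0))   # Monday morning
    ctl.request("E-1001", "lab", datetime(2024, 6, 8, 9, 0))   # Saturday
    for entry in ctl.log:
        print(entry)
```

Denied requests are logged with their reason as well, which is what lets the stored logs support later review of access attempts.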

For small and medium-sized requirements, self-sufficient hardware systems are increasingly becoming established in place of such complex access control systems that need to be wired. The read head, locking technology and decision electronics are integrated in the fitting, are often battery-operated and work with most commercially available DIN mortise locks without any major modifications to the door. Locking is ensured either by blocking or free-wheeling the lever handle (latch security) or by means of a rotary knob firmly mounted on the fitting (bolt security), which engages and can be operated manually only when access is authorized.

Technical development has already produced a large number of electronic knob cylinders, which can easily be installed and retrofitted in almost any door lock in place of a mechanical cylinder. These usually have two turning knobs, of which the one on the outside spins freely and can only be operated when access is authorized. In the case of electronic knob cylinders with access control on both sides, this applies to both knobs.

As the number of these fittings and cylinder solutions at an operator increases, so does the administrative effort to update the locking plans or to make messages available at a central point such as a porter or security center. The real-time connection of door fittings and terminals requires an active connection, which cannot be provided by a handheld device or on foot. Subsequent networking then usually requires an effort similar to the installation of a conventional access control system, although systems with radio, cell phone or other alternative connections also exist on the market. Some solutions take the alternative route of not wiring the device, but using the ID medium as an intermediary for both authorization and other data.

The interaction between security systems is becoming more and more important for the operators of such systems. Therefore, several manufacturers offer solutions to network security systems from different disciplines (fire alarm technology, intrusion alarm technology, video surveillance etc.) and often also from different manufacturers. The aim of these efforts is to minimize the support effort or to implement holistic security concepts.

Standards and guidelines for access control

1. Standards at German and European level

  • DIN EN 60839-11-1 VDE 0830-8-11-1: 2013-12 Alarm systems Part 11-1: Electronic access control systems - Requirements for systems and devices
  • DIN EN 60839-11-2 VDE 0830-8-11-2: 2016-02 Alarm systems Part 11-2: Electronic access control systems - Application rules

former norms:

2. Guidelines

2.1 VdS guidelines

  • VdS 2353: 2004-06 "Guidelines for the approval of installer companies for access control systems" (withdrawn)
  • VdS 2358: 2009-10 (02) "Guidelines for Access Control Systems, Part 1: Requirements"
  • VdS 2359: 2009-10 "Test methods for parts of access control systems"
  • VdS 2367: 2004-06 "Guidelines for Access Control Systems, Part 3: Planning and Installation"
  • VdS 3436: 2005-08 "Operating log for access control systems"

2.2 BSI directives and guidelines (Federal Office for Information Security)

  • BSI - TR 03126-5 "Electronic Employee ID"
  • BSI - TL 03402 "Requirements for access control systems"
  • BSI - TL 03403 "Access control systems - guidelines for planning and implementation"
