Difference between revisions of "Doorbot"

From Technologia Incognita
(The case we want to avoid: a UR-independent system)
(Replaced content with "{{Machine |Hostname=Doorbot |ID=33 |IPv6=No |IPchaos=No |IPleiden=No |Function=Open the door |Location=Door |Contact=Brainsmoke }}")
Line 1: Line 1:
{{Project
+
{{Machine
|ProjectSkills=access control
+
|Hostname=Doorbot
|ProjectStatus=Planning
+
|ID=33
|ProjectNiche=Electronics
+
|IPv6=No
|ProjectPurpose=Infrastructure
+
|IPchaos=No
 +
|IPleiden=No
 +
|Function=Open the door
 +
|Location=Door
 +
|Contact=Brainsmoke
 
}}
 
}}
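Review bot: the Project fields removed in this hunk (ProjectSkills=access control, ProjectStatus=Planning, ProjectNiche=Electronics, ProjectPurpose=Infrastructure) have no counterpart in the new Machine block. The edit summary also says the whole page content was replaced, so after this revision the requirements and the keypad tamper discussion are reachable only through the page history. Suggest moving the planning text to a separate project page and linking it from the machine page, so the rationale for the normally-closed lock and for keeping fob data out of the outside keypad stays findable.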
We need a door control system. Preferably one that works with the RFID fobs handed out by UR for the main door at ACTA, since otherwise we'd need to maintain two parallel fob administrations and have added cost for purchasing our own fobs.
 
 
=Requirements=
 
* Embedded hardware (critical infra requires high availability and a PC isn't the solution)
 
* Queries a *membership database* for auth
 
* Lock must be normally-closed. Board members to have keys (Ultratux has a normally-closed electronic lock he is willing to donate)
 
 
In addition we have outlined the need for two-factor auth, so we want to add a keypad to this where you type your PIN.
 
 
== Future proofing ==
 
(Good to have in mind when choosing the platform)
 
* Networking capable
 
* Ability to do basic cryptographic operations (at least SHA1 hashing).
 
* Nice to have: The platform could speak LDAP over TLS, but we could wing it with a much simpler request-response API.
 
 
 
=RFID options=
 
== UR HID RFID Fobs ==
 
 
The fob is the Proxkey III, which operates at 125kHz: http://www.nodaccess.com/media/content/files/proxkeyIII_ds_en.pdf
 
 
We should only need to read the fob-identifier from the card, which means activating it at the right frequency and reading its output (which hopefully already contains the id).
 
 
I think that PDF says nothing of value, it's just a brochure. Some of our peers, however, have some interesting stuff on HID RFID systems. Mostly this is about a different frequency system: iClass, but nevertheless I think it's a highly recommended read! http://www.openpcd.org/HID_iClass_demystified
 
 
'''Readers that were tried:'''
 
* [[AuthenTec-RFID-reader]]
 
* Leser 6 - owned by [[User:Ultratux|ultratux]] ([http://www.conrad.nl/ce/nl/product/751242/ Link to vendor] [http://www.codatex.com/index.php?en_Leser_6plus link to 'plus' version])
 
 
 
We should study the '''HID ProxkeyIII''' documentation (if available) to find out why it might be incompatible. There may be general crypto stopping non-HID devices talking to HID devices. In that case we could solve it by acquiring a HID ProxkeyIII reader off ebay. However, there may even be a crypto key inside the UR reader that was created unique to UR, in which case all our attempts will fail.
 
 
'''Other possible ideas to test compatibility prior to purchasing a HID proxkey III:'''
 
 
1) Acquire a HID tag and ask if UR would enable that tag instead of a UR-provided tag. If that proves possible, UR having unique crypto can be all but ruled out-- unless installing that crypto key is an integral part of the activation process...
 
 
2) If someone knows the right people at a place the HID ProxkeyIII is deployed, it may be possible to bring a UR fob to them and ask if they can try to add it to their system. Obviously one needs to be on a very friendly basis with such a person, otherwise this would simply not be allowed for a whole range of reasons. But maybe one of us knows a friendly datacenter operator or some other place where such systems are in use...
 
 
An RFID reader could be made using an Arduino, a simple circuit, and winding our own antenna: http://arduino.cc/playground/Main/DIYRFIDReader - a [[Arduino/RFID-Reader|project]] for this has been started.
 
 
 
 
 
== PIN systems ==
 
 
Several vendors have integrated RFID + PIN systems for little money. The reason we rejected such systems (aside from a possible HID fob incompatibility) was that all logic is in one box and that box unavoidably sits on the outside of the door since it has the keypad. This is unacceptable: if you tear it off the wall, you can not only power-actuate the lock, but you potentially also have a data leak if they can read out which fobs are allowed in (and therefore, into UR too).
 
 
So we need a separate system where the keypad does not house the RFID data. It probably is acceptable that you can circumvent the PIN by tearing the keypad off the wall; you'd then still need a fob. The people breaking in through violence usually aren't the same people breaking in through cloning of the fobs... However, the reverse does not necessarily hold true-- the people who painstakingly cloned our fobs may well see their attempt foiled by the added keypad, and try to circumvent that last hurdle using conventional means (read: a screwdriver/crowbar). So let's discuss this...
 
 
= The case we want to avoid: a UR-independent system =
 
 
If for whatever reason we cannot re-use the fobs of the UR main door for our own space, we might have other options like the aforementioned wish to link members to [[SpaceFED|SpaceFED / LDAP]]. I have looked at cheap systems but almost all have a limited number of fobs (20 or 50) which is directly or in the short run insufficient. After more digging I've found a system that has no attainable limit (500), and can interface with a PC for logging. http://www.conrad.nl/ce/nl/product/750782/
 
This system has the obvious drawback of not being able to use the UR fobs, but if that fails anyway OR if we feel that linking to LDAP has strong advantages maybe this becomes a feasible system.
 
In the case we go for this option we'd have to buy our own RFID fobs, which adds [amount of members] x 6 euro which is a lot. However: maybe we can add generic fobs people already own (their work, home or garage) to our reader, thereby avoiding the purchase of a fob. This could present a security risk for those people so they must make the choice on a case by case basis.
 
 
Phicoh has two 125kHz RFID readers, one with USB, one with wires for the raw low level protocol. The USB one is trivial to connect to a PC as a keyboard.
 
 
= Alternative: Using OV Chipcard for access =
 
 
Another nice way of avoiding "more keys in your wallet" is using OV chip cards. Most people carry them around anyway, and they contain RFID too. Using them might be less expensive.
 

Revision as of 23:04, 18 January 2014


Doorbot
Hostname Doorbot
IPv4 10.0.20.33
Function Open the door
Location Door
Contact Brainsmoke