We need a door control system. Preferably one that works with the RFID fobs handed out by UR for the main door at ACTA, since otherwise we'd need to maintain two parallel fob administrations and have added cost for purchasing our own fobs.

Requirements

• Embedded hardware (critica infra requires high availability and a PC isnt the solution)
• Queries a *membership database* for auth
• lock must be normally-closed. board members to have keys (Ultratux has a normally-closed electronic lock he is willing to donate)

In addition we have outlined the need for two-factor auth, so we want to add a keypad to this where you type your PIN.

RFID options

UR HID RFID Fobs

The fob is the Proxkey IIII which operates at 125kHz: http://www.nodaccess.com/media/content/files/proxkeyIII_ds_en.pdf

We should only need to read the fob-identifier from the card, which means activating it at the right frequency and reading it's output (which hopefully already contains the id).

I think that pdf says nothing of value, it's just a brochure. Some of our peers however, have some interesting stuff on HID RFID systems. Mostly this is about a different frequency system: iClass, but nevertheless I think it's a highly recommended read ! http://www.openpcd.org/HID_iClass_demystified

Readers that were tried:

• AuthenTec-RFID-reader
• Leser 6 - owned by ultratux (Link to vendor link to 'plus' version)

We should study the HID ProxkeyIII documentation (if available) to find out why it might be incompatible. There may be general crypto stopping non-HID devices talking to HID devices. In that case we could solve it by acquiring a HID ProxkeyIII reader off ebay. However, there may even be a crypto key inside the UR reader that was created unique to UR, in which case all our attempts will fail.

Other possible ideas to test compatibility prior to purchasing a HID proxkey III:

1) Acquire a HID tag and ask if UR would enable that tag instead of a UR-provided tag. If that proves possible, UR having unique crypto can be all but ruled out-- unless installing that crypto key is an integral part of the activation process...

2) If someone knows the right people at a place the HID ProxkeyIII is deployed, it may be possible to bring a UR fob to them and ask if they can try to add it to their system. Obviously one needs to be on a very friendly basis with such a person, otherwise this would simply not be allowed for a whole range of reasons. But maybe one of us knows a friendly datacenter operator or some other place where such systems are in use...

An rfid reader could be made using an arduino, a simple circuit, and winding our own antenna: http://arduino.cc/playground/Main/DIYRFIDReader - a project for this has been started.

PIN systems

Several vendors have integrated RFID + PIN systems for little money. The reason we rejected such systems (aside from a possible HID fob incompatibility) was that all logic is in one box and that box unavoidably sits on the outside of the door since it has the keypad. This is unacceptable, if you tear it off the wall you not only can power actuate the lock, but you potentially also have a data leak if they can read out which fobs are allowed in (and therefore, into UR too).

So we need a separate system where the keypad does not house the RFID data. It probably is acceptable that you can circumvent the PIN by tearing the keypad off the wall; you'd then still need a fob. The people breaking in through violence usually aren't the same people breaking in through cloning of the fobs... However, the reverse does not necessarily hold true-- the people who painstakingly cloned our fobs may well see their attempt foiled by the added keypad, and try to circumvent that last hurdle using conventional means (read: a screwdriver/crowbar) So let's discuss this...

The case we want to avoid: a UR-independent system

If for whatever reason we cannot re-use the fobs of UR main door for our own space we might have other options like the aforementioned wish to link members to SpaceFED / LDAP. I have looked at cheap systems but most all have a limited number of fobs (20 or 50) which is directly or in the short run insufficient. After more digging I've found a system that has no attainable limit (500), and can interface with a PC for logging. http://www.conrad.nl/ce/nl/product/750782/ This system has the obvious drawback of not being able to use the UR fobs, but if that fails anyway OR if we feel that linking to LDAP has strong advantages maybe this becomes a feasible system. In the case we go for this option we'd have to buy our own rfid fobs, which adds [amount of members] x 6 euro which is a lot. However: maybe we can add generic fobs people already own (their work, home or garage) to our reader, thereby avoiding the purchase of a fob. This could present a security risk for those people so they must make the choice on a case by case basis.