Ryan from a small BPO company in Dumaguete asked us to develop an RFID-based authentication and authorization method for their data center room. It only concerns one door. Since we already started doing this for our own lab, JD suggested the client that we could develop it. This is an ideal project for us since it involves R&D and prototyping based on knowledge and experience we already have from our own lab. It also provides the students of FU with an ideal opportunity to get working experience in a product development project for a real client, including the whole project management, quality control and documentation process. Lastly, the client is very interested in the concept of our incubator/maker-space and is happy to support us by providing some additional budget that we can use to buy additional tools/materials for our own use.

Since this project will be used in functioning company where security is essential, the quality standards of this project must be much higher than we would allow for ourselves. Details are important and bugs should be solved promptly. Code quality and security are important aspects.

Client requirements:

• Open Source as much as possible
• Secure
• Use same ID cards as FU

The overall goal is to provide a secure, easy to use and extensible integrated system of hardware and software for a locking mechanism, RFID based authentication, database based authorization and a web-based management application of these components, including an auditing trail. The system should be built securely to prevent un-authorized access and tampering, and be extensible so additions to the software and hardware may be made later on, both for that location, and for other locations.

• Use existing open source software as much as we can
• Devise a plan for security updates of the used software
• A secure and simple webapplication is needed that provides:
  • Authentication management (register and remove ID's)
  • Authorization management (record which users are allowed to do what)
  • Audit trail (show who accessed which resources when)
• Ensure user's privacy by not providing any information about cards and users to unauthorized user
• Regular backups

• A secure lock that is tamper proof from the outside
• An RFID scanner that has the same frequency as the FU cards (13.56Mhz)
• A network connected controller that is capable of handling authentication, authorization and serving the webapplication

• Authentication and authorization from other sources (LDAP/AD, centralized databases, etc)
• Centralized authentication and authorization database in case of multiple readers
• Touch screen interface to the authentication/authorization/audit-trail management application

Below are the actually required materials for the client. In agreement with Ryan we will later on add extra materials or some equipment to add to our own supply.

Milestone 1

• Research existing (open source) tools and software for reading RFID tags
• Roughly research different protocols, standards and tools for RFID communication and authentication, resulting in a list with short description of the tools
• Research rough list of required tools and materials
• Finalize our list of requirements
• Make a material list and budget
• Make a project planning (dates on the milestones)
• Finalize this project proposal
• Discuss proposal with client
• Discuss client requirements

Milestone 2

• Adjust proposal
• Discuss proposal with client and get final OK

Milestone 3

• Evaluate potential physical attack vectors (tampering with the hardware)
• Evaluate potential local software attack vectors
• Evaluate potential remote software attack vectors
• Evaluate potential privacy flaws
• Make software security management plan (signaling and updating security updates)

Milestone 4

• Study different standards and protocols regarding RFID/NFC authentication
• Research the possibilities for the connection of the controller to the door lock
• Research different libraries for RFID-reader/controller communication
• Research different hardware components, their functioning and available libraries and tools
• Create a technical design for the RFID reader, it's controller and the lock

Milestone 5

• Research different open-source authentication and authorization packages supporting RFID
• Make a technical design of the management software

Rest:

• Get a final OK for the the designs
• Order parts
• Start writing software
• Make a software and hardware testing plan
• Install first prototype
• Train the client on use of the prototype
• Test first prototype
• Adjust design, hardware and software according to test results
• Install final prototype
• Let user evaluate the system for a while
• Evaluate the system with the user in a feedback session
• Create the final version based on the client's feedback
• Install and test the final version

• RFID reader
• Controller
• Authentication and Authorization protocols and software (See also the article on Privacy Preserving Authorized RFID Authentication Protocols)
• Management webapplication
• Security and privacy

We made a 3D design for the connection between the servo and the lock, and a design for the mounting of the servo to the door. The files can be found on https://github.com/Waterspace/servo-lock-mount. If you click on the stl files, github shows you an interactive 3D view of the model.

The model has been printed, and after some tweaking, a heat gun and superglue we got it to fit! So now we need to create a casing for the electronics and hook everything up!

The code for the current arduino version can be found on github.

• http://www.instructables.com/id/A-Universal-RFID-Key/
• http://www.instructables.com/id/RFID-Emulator-How-to-Clone-RFID-Card-Tag-/
• http://www.secureidnews.com/news-item/understanding-rfid-part-9-rfid-privacy-and-security/
• http://www.projectmanagementdocs.com/project-planning-templates/project-management-plan.html#axzz4HZDJlNV0
• http://www.openbeacon.org/
• http://www.openpcd.org/
• http://llrp.org/
• http://transcends.co/open-source-rifidi-products/