Integrated Identification System at the University
of West Bohemia
Architecture, Use and Experiences
Karel Dudµcek, Jirí Ledvina, Vµclav Vais and Vlastimil Vavricka
University of West Bohemia, Pilsen, Czech Republic
dudacek@kiv.zcu.cz
edvina@kiv.zcu.cz
vais@civ.zcu.cz
vavricka@kiv.zcu.cz
University of West Bohemia, KIV - Department of Computer Science, Univerzitni 22, 306 14 Plzen, Czech Republic
http://www.zcu.cz/
Keywords: Identification, authentication, RFID card, access control
Abstract: This article describes an example of modern identification
technology implemented at the University of West Bohemia in Pilsen
(UWB) and its role in the university environment.
Many information and communication technology (ICT) services offered in everyday university life are provided on a subscription basis or
free to a defined set of users. Such services require reliable user identification and authentication. The number of such services is increasing rapidly as well as the number of services that are provided automatically
based on user identification using an electronic identification element,
usually a personal identification card.
The integrated identification system at UWB is based on the use of an
RFID contactless R/W card with cryptochip. This secure identification
medium allows the user access to dining services, library services, access
to public and departmental laboratories and student dormitories. Some of
them are tightly linked to the university security system.
This identification system is based on an existing network infrastructure. All identification cards are administered from the central administration office of the university. The applications are also administered
individually at department level. The hierarchical structure of the system
makes possible the flexible updating of user rights and other parameters
(including/excluding to/from the list of service subscribers, etc.). The main
advantage of the system is that it can be extended (overnight) to include
new services, not only at UWB but also at other universities. Remote administration of the system is possible, too.
The hardware structure of the system is briefly described in the article.
A more detailed description of the software and the administrative tools
is presented, and in conclusion some issues concerning service experiences are also presented.
The results of the projects LN00 B084 and 2352 00005 were supplied
with subvention by the Ministry of Education of Czech Republic. This support is greatly acknowledged.
Introduction
The Integrated Identification System at the University of West Bohemia (UWB) is based on the Radio Frequency Identification (RFID)
contactless R/W card with cryptochip. This secure identification
medium allows access to the following: dining services, library ser16
vices, public and departmental laboratories and student dormitories.
Some of the above are tightly linked to the university security system.
The identification system is based on an existing network infrastructure. All identification cards are administered by the central administration office of the university. The applications are
administered individually at department level. The hierarchical structure of the system makes possible the flexible updating of user rights
and other parameters (including/excluding to/from the list of service subscribers, etc.) The main advantage of the system is also the
ease with which it may be extended to new university applications.
Remote controlled administration of the system is also possible.
The partial problems of the identification system design and implementation have been presented in [1], [2], [3] and [4].
Architecture of the System
Principles of Contactless RF Identification
The main parts of the RFID system are the identification unit with
the reader, the reader antenna and the identification card.
The reader and reader antenna are used to transmit energy to a
card and read information back from it by detecting backscatter
modulation.
The identification card incorporates a silicon memory chip (usually
with an on-board rectification bridge and other RF front-end devices), a wound or printed input/output coil and a tuning capacitor.
In most applications, the card is powered by the magnetic field generated by the reader. The main advantage of this approach is that the
card is completely maintenance-free.
Communication between the reader and the card is as follows:
The reader continuously generates an RF carrier signal, watching
always for modulation to occur. Detected modulation of the RF field
would indicate the presence of the card. A card enters the RF field
generated by the reader. Once the tag has received sufficient energy
to operate correctly, it begins clocking its data on an output transistor, which is normally connected across the antenna coil. The transistor shunts the coil sequentially corresponding to the data clocked on
it. Shunting the coil causes dampening of the carrier wave, which is
seen as a slight change in the amplitude of the carrier (in the case of
amplitude modulation).
IT and Networking Computing Security
Integrated Identification System at the University
of West Bohemia
The reader detects this modulation of the carrier wave and processes the resulting bit stream.
When using Read/Write cards or Read/Write crypto cards, the
reader can transmit data to the card by modulating the generated
magnetic field.
Contactless Identification Cards
When considering memory chip and other card electronics capabilities, we can find three types of contactless identification cards: Read
Only cards, Read/Write cards and Read/Write cryptocards.
Both Read Only and Read/Write cards can be easily duplicated
by a potential intruder. By means of simple hardware instruments it
is easy to tap into the communication between the card and the
reader using the appropriate RF receiver and to record identification
data. Making a duplicate of a card (or at least an electronic circuit
simulating the card's behaviour) is not a very difficult task.
The crypto card is designed to overcome this drawback. The cryptocard functions as follows: The card's memory contains not only the
identification number but also the secret crypto key (bit string of
length about 64 - 128 bits). The key is written into the memory by
the system administrator and cannot be re-read from the card. The
copy of the key is encrypted and stored in the authentication system
database server. The identification card is authenticated ªinsideª the
identification unit (not in the authentication server).
The communication between the identification card and the identification unit is presented in Fig. 1. When a card is inserted into the
magnetic field generated by a reader, it transmits its identification
number. The identification unit recognises the identification number
and then sends randomly generated bit string (challenge) to the card.
An additional electronic circuit incorporated in the card encrypts the
challenge using a crypto key stored in the card's memory. An encrypted string (response) is transmitted back to the reader of the
identification unit. The identification unit processes the same encrypting algorithm with the challenge and the card's crypto key (acquired
from the database using the card's identification number as the pointer). If the result of this encrypting process does agree with a received response, the card is accepted. If it does not, the card is
rejected.
Fig. 1 The communication between the card and the identification unit
Identification Unit
The identification unit consists of the reader part and the database
management unit.
The card reader contains hardware for communication with the
RFID card and firmware that simplifies communication with other
layers of the system architecture. In most cases the card reader is
integrated into an identification unit, but it can be build as a standalone reader, too. The main advantage of a stand-alone reader is its
low cost. The number of stand-alone readers in the system is unlimited. These modules are connected to the application PC directly via
RS232 line. The application PC transfers data to LAN and vice versa
IT and Networking Computing Security
through a standard network adapter card. This sort of reader is suitable for applications where the authenticity of the card could be verified by other means (for example card readers in library - existing
system expects read-only identification media, the card authenticity is
checked visually by the librarian).
The identification unit's memory is used for storing ID tags database, access database, configuration and event logs. A typical unit is
designed to hold access information for approximately 10,000 users.
It is possible to manage more users using proprietary communication
protocol to get information about an inactive ID tag from the communication client. The communication protocol is designed for
RS485 or RS232C interface. It is a proprietary character oriented
protocol, which allows encrypted transparent data transmission, error detection and recovery. The identification unit's memory and
backup power unit allows uninterrupted operation of the identification unit even in case of the power failure or the communication client's temporary inaccessibility.
Card Reader Circuits
The antenna supplies the transponder with energy and provides for
bi-directional data transmission. In our applications we use simple
coils with a rectangular or circular shape working as a serial resonance circuit. The chosen dimensions are often electrically not optimal but match the dimensions of the housing of the identification
unit. Long-term temperature stability is desired but it is not the first
line requirement because at this time all identification units are working in a relatively small temperature range. In order to allow remote
measurement of each identification unit frequency we implemented
simple hardware and software support. This makes it possible to use
simple commands to transfer the measurement results over the network to the service provider.
Special interface chips for half-duplex data transmission between
transponder and identification unit reader are now on the market.
We have tested some of their properties like electrical behaviour
and stability, complexity of the surrounding circuits, complexity of
control and availability on the market. The reader integrated circuits
(ICs) can be classified into two classes.
The first one forms ICs with a simple antenna driver, simple VCO
(Voltage Controlled Oscillator) without crystal control and a simple
amplitude demodulator. The maximum transmission distance is influenced by the accuracy of the antenna's resonance, usually 5 to 7 cm
can be reached. In order to achieve a longer distance some analog
pre-processing in the reading channel is necessary. The reading distance can be enlarged up to 10 cm. This sort of IC uses often very
simple two wire interface (one direct input for modulator and one
output from demodulator). Software control of such a circuit is easy
but the result of the reading process depends on the quality of the
demodulator, which usually is not very high.
The second class of reader chips uses more sophisticated demodulators with built in adaptive algorithms for correct phase or amplitude demodulation. These reader circuits are usually programmable
through a two or three wire serial interface and the user can change
the gain and frequency properties of the reading channel. The frequency function of time intervals resulting from the reading process
has strong separated maximums. This makes the decoding much easier than in the first case. Another valuable property of these types
of ICs is the low number of necessary passive components in the analog part of the reader circuit.
In our identification units both types of reader circuits are used
depending on the supposed application field.
Identification Unit Control
The data transmission between reader IC and transponder, the necessary encoding and decoding and the communication with the host
17
Integrated Identification System at the University
of West Bohemia
computer over RS232 or RS485 line is provided by the 8 bit microcontroller. On various types of identification units we used I8052
clones. The standalone program implements a small set of elementary commands which allows the host computer to operate with the
transponder and with dedicated inputs/outputs at the identification
unit.
Some identification units are used for managing entries into the
laboratories, where a large number of students can work. In order
to speedup access to the central database an extended identification
unit is used. It is equipped with another dedicated microcontroller
and local RAM, which is used as a cache memory. The central database server updates the local cache on demand over the serial
RS485 line. The identification unit contains the logical inputs and outputs, which are used for visual and acoustic indications, for door lock
control and for door state monitoring.
The communication server transforms requests from the communication clients (proprietary protocol) to the database server (SQL
language). It propagates database updates to all communication clients. It also receives event logs messages from the communication
clients and stores them in the database. In case of unexpected events
the communication server generates e-mail alert messages to inform
administrators. The communication server is running on a UNIX platform.
Communication and Database Subsystem
Depending on the topological requirements, the identification units
can be clustered. Up to 32 modules in the cluster are interconnected
by RS485 line. Each cluster incorporates at least one communication
client, which connects the cluster to the LAN. The communication
client is implemented on the PC computer with the RS485 interface.
The communication client is used for communication between any
cluster of identification units and the communication server. The
communication client is currently based on PC running Linux operating system. It allows direct monitoring and control of attached identification units. The communication client stores all data used by
identification units and works as a proxy server. It caches all data exchanged during the communication between cluster and communication server. When the communication server is not accessible, the
client uses recent valid data stored in its own permanent storage device. This approach increases the system reliability, reduces the server load and allows the reliable installation of any number of
identification units anywhere in the university computer network.
The communication client is responsible for data updates in all attached identification units. It converts the data message format used
by the identification units to simplify their firmware. This preprocessing includes access zone merging, access bitmap generation and
some other tasks. It also records event logs from identification units
and sends logs to the communication server. If the communication
server is not accessible, the communication client temporarily logs all
cluster events. Communication between the communication client
and the communication server is run over a TCP stream.
Fig. 2 Overall identification system architecture
18
Fig. 3 System communication scheme
The database server handles centralised data concerning users (ID
tags), access rights and event logs. The access right is represented by
a triplet [user/group, object, time zone]. User rights can be defined
individually or they can be inherited from the rights of the group, the
user belongs to. The user can be a member of several groups. The
object is represented by a set of identification units. Time zones are
defined in the period of one week. A time zone represents a set of
time intervals when the object is accessible by single user or any
member of a user group. The database also contains all system configuration information (identification unit types and addresses, communication clients addresses, topology information, etc.)
The database server is running under ORACLE RDBMS. It allows
strong co-operation with STAG (university student agenda). The students can be grouped automatically using data imported from STAG.
System Administration
The system is administered from two levels. All identification cards
are administered at the upper level by the system administrator from
the central university office. The special workplace is equipped with a
dedicated management station (PC), scanner and coloured thermosublimation printer for identification card personalization. Special
software has been developed which allows the scanning of the users'
photographs, and adjusting, and storing them in the database, together with editing of the card design and printing on the plastic card
surface. The full colour card can be printed in only 40 sec. The database contains all information concerning identification cards.
New users are introduced into the system by the system administrator when they get their identification cards. User data can be
modified, e.g. when the user loses or returns his card. At this level of
administration objects are defined. Configuration of identification
units, communication clients and lower level manager rights are maintained at this level, too.
The applications are administered individually at the department
level. The department administrator can add and modify access rights
to the objects (users and groups) that he manages. He can also create and modify time zones and user group membership. The department administrator can also browse logs from objects assigned to
him.
IT and Networking Computing Security
Integrated Identification System at the University
of West Bohemia
This hierarchical structure of the system administration makes possible the flexible updating of user rights and other parameters (including/excluding to/from the list of service subscribers, etc.). The
main advantage of this philosophy of system administration is that it
can be extended (overnight) to include new services, not only at
UWB. Remote administration of the system is also possible.
Fig. 4 System administration scheme
Fig. 6 A screenshot of the access logs
System administration at both levels is possible using a WWW interface. This interface allows a user-friendly way of modifying all the
attributes mentioned above. It can be illustrated by Fig. 5, Fig. 6and
Fig. 7.
Fig. 7 A screenshot of user group members list
Fig. 5 A screenshot of groups the user belongs to
Conclusion
The integrated identification system presented above was designed
and implemented at UWB by a group of developers during last three
years. Currently this system supports the following applications: dining services, library services, access to public and departmental laboratories and access to the student dormitories. These services are
used by about 12,000 users. The system functions are highly reliable
due to the decentralised system structure and to replication of access
rights in extended identification units and in communication clients.
No serious troubles have been observed during the two year period
the system has been in operation. The system has also been successfully transferred to the University of Pardubice (east Bohemia) and
also, in the initial phase, it was managed from Pilsen over the Internet.
The system is still in the process of development and new applications and services are in progress, e.g. user authentication in the university computer network, control of access into university buildings,
storage locker management, etc.
IT and Networking Computing Security
19
Integrated Identification System at the University
of West Bohemia
Bibliography
1 Ledvina, J., et al.: Authentication and Registration System of Access to Public Laboratories (tech. report). UWB Pilsen, 1997Page30,
2 Ledvina, J., et al.: Integrated Identification System at the University of West Bohemia
(in Czech language). Sdelovaci Technika. 1999, 3, Page16 - 17, 0036-9942.
3 Dudacek K., et al.: Personal Dressing Box Access Administration Using Contactless RF
Cards. Ed.: Pinker, Jiri: Proceedings of Applied Electronics 2000 Conference. UWB Pilsen, 2000Page53 - 56, 80-7082-650-9.
4 Vais, V., et al.: Dependability Model of a Distributed Authentication System. Ed.: Rang,
T.: Proceedings of Baltic Electronic Conference BEC 2000. Tallin Technical University,
2000Page157 - 160, 9985-59-179-8.
20
IT and Networking Computing Security
Download PDF
Similar pages