Integrating Access Control System with Hackerspaces Passport and Membership Software

[Wise Cricket]

Jigsaw Renaissance are looking into integrating Nadine and Hackerspaces Passport with our door locks. 

If you are able to commit time to help us designing or building, please post to:Inscape Access Control System

• If you are interested in the project, please go to the group and sign up.
• There will be opportunities to work on embedded firmware, electronics, mechanics, encryption, and the membership software application.
  
• You can then control whether to get each email separately or receive a digest once a day.

About the project:

This project will provide an electronic door access for our new building. The project will involve providing several badge readers (probably RFID), and door lock controllers as well as a car park induction loop.

Finally there is a need for software that manages the keys and access privileges. This software must be easy to use as the building landlord will use it.

-- 

Jigsaw Renaissance is a learning and making community, a collaborative community dedicated to collective education and creation. Our mission is to create an environment in which success, failure, and most of all discovery are celebrated. Our vision is that this environment will foster an enduring sense of wonder and a drive to effect change in ourselves, our communities, and the world.

For more information about JR (www.jigsawrenaissance.org), please visit our wiki page atwiki.jigren.org/Starting_Classes or this page: www.element14.com/community/groups/jigsaw-renaissance/blog/2011/03/25/who-we-are 

Contact us, so we can chat about scheduling something cool together.

Thanks! 

Ultimate Regards,

--

Budi Mulyo

+1.206.571.8430

[Wise Cricket]

We have ordered the parts

After some discussions with our landlord we are starting the project with just a single door to Jigsaw's space within the large Inscape building. Hopefully we will expand to the 5 external doors and the parking lot at some point a little later but we need to do a proof of concept first.

So our design will be:

• Arduino Uno board
  
• shop.23b.org awesome shield for battery charging, door strike drivers, Weigand interface
  
• Arduino Ethernet board
  
• Adafruit NFC card reader and a selection of Mifare cards
  
• Some wireless router TBD
  
• A PC  for running membership software (hopefully Nadine from Office Nomads)
  
• Duct tape / Perl scripts / beer as appropriate
  

The parts are on order so we will probably start putting it together on Wednesday 21st

I appreciate the offers of help especially security analysis. Once we have a better idea how we are going to approach the distributed nature of our access lists I will post a description for people to poke holes in.

Alan

[ITechGeek]

The NFC card reader should also be able to work w/ the NFC chip on the
Nexus S.

On Sep 12, 2:50 am, Wise Cricket <celestialproph...@gmail.com> wrote:
> We have ordered the parts
>
> After some discussions with our landlord we are starting the project with
> just a single door to Jigsaw's space within the large Inscape building.
> Hopefully we will expand to the 5 external doors and the parking lot at some
> point a little later but we need to do a proof of concept first.
>
> So our design will be:
>

>    - Arduino Uno board
>    - shop.23b.org awesome shield for battery charging, door strike drivers,
>    Weigand interface
>    - Arduino Ethernet board
>    - Adafruit NFC card reader and a selection of Mifare cards
>    - Some wireless router TBD
>    - A PC  for running membership software (hopefully Nadine from Office
>    Nomads)
>    - Duct tape / Perl scripts / beer as appropriate

[ken larson]

Any details on how the NFC reader might be integrated with the 23b board? 

I mention this because the 23b board expects a Wiegand (data0/data1) input using 2 pins, but the Adafruit NFC reader integrates at a lower level, with more pins.

http://www.ladyada.net/products/rfidnfc/wiring.html

A couple of ideas come to mind:
- one is to connect the NFC board in like in the Adafruit sample, and modify the 23b sketch to include some of the Adafruit code.  I'm not sure whether the optocoupler on pins 2&3 would mess things up, whether there is some way to either bypass it, or add the capacitors on like you do if using a higher-speed Wiegand reader.
- another would be to use a second Arduino for the NFC board, and modify the Adafruit sample to add code to output a Wiegand signal, and then connect the Wiegand output to the Wiegand input on the 23b shield.  I've done some things like this in the past for testing one Arduino using another.

One disadvantage of both of these options is that the only thing being read is the unencrypted ID number from the NFC tag (or phone).  I'm not yet experienced enough with NFC to be able to say how you might perform, say, a challenge/response to a key on the NFC tag (or phone).

Ken

[Scott Bailey]

I don't think converting from NFC to Weigand is optimal.  Not sure what is, though.

--
Scott Bailey

[Will Bradley]

I have a high frequency reader that uses wiegand for signaling. Haven't tested it yet tho. Remember that nfc is not a wire protocol (and, wirelessly, is a bunch of disparate HF protocols) so the conversion really happens in the reader itself.

Attempts to do challenge-response with open protocols have been sparse from what I've seen. The industry could use some open innovation.

[Arclight]

I took a look at the NFC tutorial, and it looks like it attaches via SPI. You can use the SPI pins on the Open Access that are left open accessories. The only problem is that you can't extend SPI very far, so the NFC reader would need to pretty much sit on top as a shield.

The best option would probably be to design a board with its own micro and RS232, RS485, Wiegand, or whatever you needed as outputs to the panel/controller. While you're at it, get a 3.3V version and eliminate the buffer chip.

Arclight

[ken larson]

Unfortunately, the Nexus S (and I think this is true of all current NFC phones) does not support card emulation, and it looks like it is questionable whether ordinary developers will ever be able to do this.  To do so requires access to the secure element of either the phone or the SIM card, which you can't do without the keys that Google, handset manufacturers, or carriers hold.  Looks like this functionality will be reserved for big players only, like Visa/MasterCard, Google wallet, etc.

Which means that you are unlikely to be able to build a system to get in the door using a phone, where the reader is a normal NFC/RFID reader.

An interesting alternative to explore is the peer-to-peer NFC mode.  A reader on the door capable of this could support an NFC phone such as the Nexus S, peer-to-peer mode is working today.

See this link:

http://www.nfcworld.com/2011/05/11/37352/google-raises-concerns-over-the-viability-of-nfc-card-emulation-mode-for-mobile-payments/

[ITechGeek]

That would still be a great idea, being able to not even need an RFID
tag and it sounds like w/ the peer-to-peer model since it allows for
2-way communication, you might even get a basic level of encryption in
there so that you don't have to worry about someone maybe picking up
the transaction and duplicating it.

The problem w/ even RFID credit cards is that even though there is
encryption, my understanding is there is no system in there for
authentication of who the card is talking to and will therefore talk
to any reader near it. I always thought it was an interesting idea of
when you hand your card to a waiter, they could have a reader in their
sleeve that would read the data on the card on the way to being
swiped. Just the waiter holding the card for a few seconds and they
would have all the information needed to reproduce the card, then
clone the RFID itself (not even the face of the card) w/ reusable RFID
chips and blow through dozens of people's credit cards w/ a laptop, a
reader, and an RFID chip.

Might have to go a little more powerful then an Arduino (Maybe a
Sheevaplug which would then send the unlock command to the Arduino?)
but then have some sort of asymmetric encryption based on x.509 or PGP
based certificates (I would say x.509 since it is the most widely
used).

[Arclight]

Yeah, it seems like an app that can access the NFC hardware on the
phone in peer mode might be the way to go.

On another note, the guys from the Raspberry Pi Linux server project
are coming to Los Angeles next month, and I'm going to try get them to
come by and talk to us about their system.

A $25 board that runs a real Linux OS might be just the thing for the
"Level 2 management server" tasks we all seem to need for a secure
system.

http://www.raspberrypi.org/

This device really seems to bridge the gap between "roll your own
software in C after designing a 32-bit embedded system" and "hook up
to a full-size PC" and comes in at a cheap enough price point that one
of these could be on every 1-4 doors, with access to any type of Linux
software or library you might want to use.

Arclight

[ITechGeek]

And it seems like for the normal Hackerspace environment the Raspberry
Pi would be all you'd need for management. Although if you could make
this interact w/ cell phones w/ a small app on the cell using NFC
peer-peer (Or how about Bluetooth?) and actually secure the coms, you
might have the basis to unseat RFID as a primary form of electronic
access control (hey, can we file a patent for unlocking doors via
bluetooth???) (=

Use Bluetooth between the phone and a reader to connect to the
Raspberry Pi, use a handshake similar to https to create a secure
connection then send the tag info to unlock the door.

Might even be able to extend the system to a Level 3 management server
(a standard desktop computer) for like whole building (multi-zone)
implementations.

Any Android devs on this list???????

[Arclight]

Yep! Nullspace Labs Hacker Space in L.A. has a tool that could be a
good dev platform for this:

http://wiki.032.la/nsl/RFiddle

Arclight

[Alan Widmer]

I finally had a day to spend with the pieces of the system for Jigsaw Renaissance. I got the shop.23b board working without any problems. Then I got the Adafruit NFC board connected and I am able to read the MiFare tags that came with it.

One of the reasons we wanted to try MiFare cards instead of the 125KHz cards is because in Seattle the buses and light rail use a payment system based on MiFare so many of our members already carry an NFC card in their wallets.

I was able to read the ID from 2 transit cards and also get an ID number from a Citibank PayPass credit card.

I don't have an NFC capable cell phone so I can't try anything but I understand that it may not be possible.

The adafruit board does support accessing the NFC chip via a UART instead of SPI and this would help in two ways:

1) Longer wiring possible so I don't have to mount the door controller close to the reader

2) I am running out of pins to use for SPI chip selects as I need 2 for the Ethernet board and 1 for the NFC reader. For now I disabled the Reader 2 opto isolators and used those 2 pins.

However it is not a trivial matter to change the NFC library to use UART instead of SPI.

Alan

[Arclight]

Alan,

It sounds like you made progress.  For extended range, you could also consider attaching an Arduino or other micro to the NFC device via SPI, then doing RS232 or RS485 out to the panel.  The software serial or newsoftserial libaryy can give you more ports.

Emulating Wiegand output is also possible.

Oh, and you can use the analog pins as D15..D19 if you need to. Just don'y use the I2C pins, as the real-time clock uses those.

Arclight

[ken larson]

I'm looking forward to getting one of those NFC breakout boards when they are back in stock...

Anyway, it does look like the NXP PN532 chip on that board does fully support peer-to-peer, so in theory it should be possible to communicate with a phone that way. 

Ken

[Alan Widmer]

Thanks for the tips. I am considering all of those thing; I just haven't made up my mind which way to go yet.

Alan

[Alan Widmer]

Just in case you are not aware, there is another NFC board available that is cheaper and in stock but uses essentially the same hardware.

If I had known about it at the time I would probably have ordered this instead:

http://www.seeedstudio.com/depot/nfc-shield-p-916.html?cPath=132_134

They have a schametic available to look at and Adafruit does too but the Adafruit schematic is for Rev 1 and they are shipping rev 2 which has an interface for FTDI so you can easily connect to a PC.

The library I am using is from seeedstudio. They took the Adafruit version and extended it with functions to read/write blocks of memory from the card.

I think that the seeedstudio board has the level translators built in but there is something in their instructions about changing the attached seeeduino board to run at 3.3 so it wasn't clear whether it was compatible with a 5V Arduino board.

Hope this helps.

Alan

[Wise Cricket]

Do you guys know about this unconference:  Access Control in Hacker/Makerspaces 

Let's participate in this.

[rrix]

Does space federation not realise we've solved this problem?

r

On Wednesday, August 31, 2011 9:58:01 AM UTC-7, Wise Cricket wrote:

[rrix]

Uhm, google groups's new ui just pooped all over me and posted that to the wrong thread, haha. :(

[Ryan Rix]

Wait, it didn't, it's just a usability nightmare.

*switches back to email*

On Tue 17 April 2012 22:04:50 rrix wrote:
> Uhm, google groups's new ui just pooped all over me and posted that to the
> wrong thread, haha. :(
>
> On Tuesday, April 17, 2012 10:03:41 PM UTC-7, rrix wrote:
> > Does space federation not realise we've solved this problem?
> >
> > r
> >
> > On Wednesday, August 31, 2011 9:58:01 AM UTC-7, Wise Cricket wrote:

> >> Jigsaw Renaissance <http://www.jigsawrenaissance.org/> are looking into
> >> integrating
> >> Nadine<http://wiki.coworking.info/w/page/31359618/NadineProject>>>
> >> and Hackerspaces
> >> Passport<http://hackerspaces.org/wiki/Hackerspaces_Passport> with>>
> >> our door locks <http://wiki.jigren.org/Inscape_Access_Control_System>.

> >>
> >> If you are able to commit time to help us designing or building, please
> >> post to:Inscape Access Control

> >> System<https://groups.google.com/forum/#!topic/inscape-access-control-sy
> >> stem/ijn9H9XR_90>>>
> >> - If you are interested in the project, please go to the group and
> >> sign
> >> up<https://groups.google.com/group/inscape-access-control-system/subsc
> >> ribe>
> >> .
> >> - There will be opportunities to work on embedded firmware,

> >> electronics, mechanics, encryption, and the membership software
> >> application.

> >> - You can then control whether to get each email separately or

--
Ryan Rix -- http://rix.si
== OpenSource.com: Where Open Source Happens! ==
_
\/"/_ All Hail the Beefy Miracle!
/_/
\ \

[Arclight]

Heh, that's just what you wanted, right? :)

So yes, I'm signed up for the "unconference." At this point, we have a typical open-source project, where it's been developed to working reliably but that's about it.

Since I'm just about sold out of the original Open Access board at this point, I figure this is a good opportunity to finish up the new version of the board this week.

Of note is:

-Increased stand-alone user count by way of a 128K eeprom
-Full support of all of the lines on the Wiegand readers (blinky LED and beeper)
-Optional built-in Arduino on board
-No more glass fuses (all self-resttting PTCs)
-Better expansion (extra I/o and 2 types of Ethernet boards supported)

Arclight

[David M. N. Bryan]

Let me know when you have the final setup ready, and I'll put in an order for one. Also did you end up adding a MicroSD reader?

-David

Of note is:

*switches back to email*

> >> For more information about JR ( www.jigsawrenaissance.org ), please visit

[Arclight]

David,

The new system has a 1Mb eeprom chip that will support about 12,000 users.  Since SSD devices only work on 3.3V, I am putting the SSD and ethernet on a separate daughter board. You can also buy the Arduino Wiznet board with SSD and plug it in.

Here is what the new board will look like:

http://23.org/~arclight/pic/access_v31.png

Arclight

[David M. N. Bryan]

I would love to see a Micro USB instead of the really large USB a port.

-- 

David M. N. Bryan

612-978-9765

Sent from a mobile device.

[Ryan Rix]

Is that the board you showed Will and I the last time you were visiting HSL?
I'm pretty interested in upgrading HSL's setup to that guy, if so. :)

r