- Company News
Best Practices | October 22, 2019
That is the question many security professionals are asking themselves as they look to bolster the security of their card-based access control systems. In this brief we’ll look at the security benefits of Seos technology and evaluate its relative strengths and weaknesses versus other leading encrypted credential alternatives in the market.
Seos is HID’s latest encryption technology that is designed to address the risk of record and replay attacks that rendered traditional proximity cards, which communicated access credentials in the clear over RFID, insecure. This new technology also overcomes the vulnerabilities that allowed HID’s previous encrypted credentials, iCLASS, to be extracted via the master encryption key on the physical readers. (https://www.openpcd.org/images/HID-iCLASS-security.pdf)
When using Seos, the card and the reader exchange secret keys to co-validate that each device is trustworthy and then the card shares an encrypted credential via RFID that is decrypted by the HID reader and passed to the access control system.
This is the most common question when it comes to evaluating Seos as DESFire appears to be very similar. We’ll evaluate the difference across three axes: security, cost, and interoperability.
Both Seos and DESFire are considered the top-of-the-line in terms of security for encrypted card credentials. Both Seos and DESFire use secret keys to ensure the card-reader connection is secure, and neither card format has been proven hackable in the same way the previous HID iCLASS cards were. One concern across both cards is they both leverage proprietary encryption, which is typically frowned upon in the cryptographic community since it’s not peer reviewed. Regarding Seos, Terry Gold of D6 research notes: “There is no information on the Seos website as to certification, third party testing or community code reviews. This is somewhat concerning. The competitive card format is DESfire EV1 which is also completely proprietary but has gone through common criteria certification.” (Common Criteria certification: EAL5+ for IC hardware and software)
Here is an average of card costs at various volumes based on a sampling of trusted card vendors:
Because of the minimum card order HID enforces with its wholesalers, it can be expensive to purchase Seos cards at a small volume. However, the relative cost difference grows as the volume increases. Terry Gold of D6 Research explains the cost differential, saying “The entire Seos packaging is 100% proprietary. It is not sold by any other channel than HID. Baseline prices are set at wholesale and carefully managed, and there is limited sourcing competition.“
If time is money then it would also be worth mentioning here that, on average, card vendors can deliver custom-printed DESFire cards in 2-3 days vs 2-3 weeks for custom-printed Seos cards.
Seos technology extends beyond cards and is used in HID mobile access solutions as well. Note that you will need to purchase an additional Seos credential to use it on mobile as well – one credential can not be applied to both cards and mobile devices. Also worth noting is that other mobile access solutions use encryption to mask credentials shared over wireless mediums between phones and readers, but they do not use Seos as it is a proprietary technology to HID.
While MIFARE DESFire is bound to the NXP chip, it is not exclusive of one card or reader manufacture and can achieve interoperability between vendors. Mobile access vendors, such as Proxy and others, have mobile readers that can read DESFire cards. Interestingly, HID sells cards that utilize MIFARE DESFire, although DESFire as implemented by HID is also proprietary, so in order to use DESFire with an HID reader, you must purchase HID DESFire cards, which cost much more than non-proprietary DESFire cards. Additionally, you can buy MIFARE cards today and leave them open, with the option to encrypt at a later time if so desired.
In contrast, Seos credentials can only be read by HID readers. Terry Gold of D6 research notes, “Once you are bought into this, there is no getting out of it without a complete reissuance of credentials, and if not careful with the reader selection, you'll be ripping those out as well.”
While HID Seos represents the top of the line for card credential security, MIFARE DESFire EV1/EV2 cards have equivalent security at a substantially lower cost and higher interoperability and should be considered a more favorable option.