Card Encryption and Key Management for Access Control System

A comparative study on CPU, iCLASS and MIFARE DESFire technologies

Author: Mr. Charles Qi, COO of AgileCore

Contactless smart cards are now widely used for building access, transportation, and payment systems, but their security varies significantly by card type. More importantly, relying only on card encryption is insufficient. The strength of any cryptographic access control system ultimately depends on how well its keys are protected, controlled, and managed throughout their lifecycle.

1. Comparative Security Analysis of Card Technologies

CPU cards offer the strongest protection among common contactless smart card technologies. With embedded microprocessors, they perform cryptographic operations internally and store sensitive data in a secure, tamper-resistant environment. Some can even erase stored data if physical intrusion is detected, making them suitable for banking cards, government IDs, and other high-security applications.

iCLASS cards provide moderate security by combining proprietary encryption with mutual authentication between card and reader. They are commonly used in enterprise access control and membership systems, but remain vulnerable to advanced attacks if implementation weaknesses or poor key management practices exist.

MIFARE cards range from weak legacy systems to more secure modern options. MIFARE Classic relies on the broken Crypto-1 algorithm and is highly vulnerable to cloning, making it unsuitable for sensitive applications. MIFARE DESFire, by contrast, supports modern standards such as AES and can provide strong protection when properly configured. However, its security still depends heavily on key management.

2. The Critical Role of Key Management

Even advanced card encryption cannot secure a system if cryptographic keys are mishandled. Encryption can be viewed as the lock, while keys are what operate it. If the keys are exposed, shared too broadly, or poorly controlled, the entire access control system becomes vulnerable.

Many breaches result from key management failures rather than flaws in the cards themselves. Keys may be stored in plaintext, exposed in code repositories, controlled entirely by third parties, or left active after staff departures. In these cases, even secure technologies such as CPU cards and MIFARE DESFire cannot prevent compromise.

Strong key management requires secure storage, preferably in hardware security modules or equivalent protected environments. Keys should be rotated regularly, accessible only to authorized personnel, and revoked promptly when no longer needed, with every access and use logged for audit and forensic review.
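
The failure modes and requirements in this section can be checked mechanically against a key inventory and a key-usage log. The following is an added example, not AgileCore's code: the record fields, storage labels, one-year rotation limit and all sample data are assumptions constructed for illustration.

```python
from datetime import date, timedelta

MAX_KEY_AGE = timedelta(days=365)              # assumed rotation policy
PROTECTED_STORAGE = {"hsm", "secure-element"}  # assumed labels for protected storage

# Constructed sample inventory (metadata only, never key material).
INVENTORY = [
    {"id": "site-master-aes", "storage": "hsm", "created": date(2025, 3, 1),
     "custodians": {"alice", "bob"}, "revoked": None},
    {"id": "lobby-reader-key", "storage": "plaintext-file", "created": date(2022, 6, 1),
     "custodians": {"carol"}, "revoked": None},
    {"id": "old-parking-key", "storage": "hsm", "created": date(2024, 1, 10),
     "custodians": {"alice"}, "revoked": date(2025, 2, 1)},
]
ACTIVE_STAFF = {"alice", "bob"}                # constructed: carol has left
# Constructed key-usage log entries: (date, key id, actor).
USAGE_LOG = [
    (date(2025, 5, 2), "site-master-aes", "alice"),
    (date(2025, 5, 3), "old-parking-key", "alice"),    # after revocation
    (date(2025, 5, 4), "site-master-aes", "mallory"),  # not a custodian
]

def audit(inventory, active_staff, usage_log, today):
    """Return a sorted list of (key_id, finding) tuples."""
    findings = set()
    keys = {k["id"]: k for k in inventory}
    for k in inventory:
        if k["revoked"] is not None:
            continue  # lifecycle checks apply to live keys only
        if k["storage"] not in PROTECTED_STORAGE:
            findings.add((k["id"], "stored outside protected storage: " + k["storage"]))
        if today - k["created"] > MAX_KEY_AGE:
            findings.add((k["id"], "rotation overdue"))
        for person in k["custodians"] - active_staff:
            findings.add((k["id"], "custodian departed: " + person))
    for when, key_id, actor in usage_log:
        k = keys.get(key_id)
        if k is None:
            findings.add((key_id, "use of key missing from inventory"))
            continue
        if k["revoked"] is not None and when >= k["revoked"]:
            findings.add((key_id, "used after revocation"))
        if actor not in k["custodians"]:
            findings.add((key_id, "used by non-custodian: " + actor))
    return sorted(findings)

if __name__ == "__main__":
    for key_id, finding in audit(INVENTORY, ACTIVE_STAFF, USAGE_LOG, date(2025, 6, 1)):
        print(f"{key_id}: {finding}")
```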

3. Conclusion and AgileCore Perspective

In conclusion, CPU cards and MIFARE DESFire can provide strong technical security, while iCLASS offers practical protection for many enterprise uses. However, the decisive factor is not card encryption alone, but how cryptographic keys are implemented, controlled, and maintained.

AgileCore addresses this by combining advanced card technologies with enterprise-grade key management, centralized lifecycle control, strict access permissions, and full audit capabilities. This integrated approach helps organizations achieve practical, sustainable access control security.
