Demo Abstract: WISP-based Access Control Combining ...guxxx035/paper/WISP... · cluding WISP-based access cards, access control clients and the server interface. Different from existing

Demo Abstract: WISP-based Access Control CombiningElectronic and Mechanical Authentication

Yuanchao Shu∗, Fachang Jiang∗, Zhiyu Dai∗, Jiming Chen∗, Yu Gu†, Tian He‡∗State Key Laboratory of Industrial Control Technology, Zhejiang University, China

† Singapore University of Technology and Design, Singapore‡ Dept. of Computer Science and Engineering, University of Minnesota, USA

{ycshu, fcjiang, derek88}@zju.edu.cn, [email protected]

[email protected], [email protected]

1 IntroductionAccess control systems can be divided into two broad cate-

gories based on their underlying physical identification mech-anisms. The first category that based on mechanical matchingincludes keys and combination locks. However, due to thephysical constraints of mechanical matching systems, they arenot secure enough for critical infrastructures. If a key is lost,access control to a designated space can be easily breached.

The other category of authentication for access control sys-tems is electronic authentication including barcode, magneticstripe, biometrics and etc. Compared with mechanical match-ing authentications, the electronic proximity authenticationsuch as smart card offers much more convenience and flexibil-ity for both administrators and users of access control system-s. However, it still suffers from similar loss of keys problem.Anyone who carries the card will be granted the access andthe security of the system still can be compromised. Althoughvarious biometric authentication mechanisms have also beenintroduced for further security enhancement, such methods asfingerprint, iris and voice recognitions have high infrastructurecost and cannot be transferred among trusted users.

To bridge the gap between insufficiency of existing prox-imity authentication solutions and the increasing demand ofhigh security guarantee for access control systems, we deve-lope a WISP-based access control system combing electron-ic and mechanical authentication methods. In our authenti-cation, encryption complexity is changeable and trusted userscan share privileges with each other.

During our experiments, our system has achieved about95% authentication accuracy rate with up to 5 different users.2 Authentication Method

The authentication system we design attempts to combinethe best of both mechanical matching and electronic proximityauthentication methods. The main idea of our system designis shown in Figure 1. A similar architecture is used in [2]for access control system description. Similar to mechanicalmatching methods, access control system users have to perfor-m a series of predefined actions which are sensed and pickedup by sensors integrated on the access cards. Then the sensorydata as well as encoded identification information on the card

Copyright is held by the author/owner(s).SenSys’11, November 1–4, 2011, Seattle, WA, USA.ACM XXX-X-XXXXX-XXX-X

is sent to the network server through access control clients forauthentication.

α

Figure 1. System Function Diagram

In our proposed system, we integrate accelerometers ontoaccess cards for action detection. If an accelerometer is be-ing rotated, the static acceleration of gravity on its three axeswill change accordingly. For a two-dimensional rotation, wecan calculate the tilt angle α of an accelerometer from staticacceleration of gravity on its X-Axis and Y-Axis to determinethe attitude of the accelerometer in a two-dimensional plane.Firstly in our authentication process, users have to perform aseries of predefined rotations. Then the sensory data of ac-celerometer as well as the onboard ID information is encodedtogether into electronic product code (EPC) and sent to thenetwork server. If both sensory data and identification infor-mation match a valid record in the authentication database,the network server then instruments the actuator and grantsthe card holder the access to the system. In this way, evenan unauthorized personnel possessed an authentic access cardor duplicated it illegally, as long as the card holder does notknow how to generate the correct sensory data, he or she stil-l cannot access the system thus the security of the system issuccessfully preserved.

In order to meet the need of security levels in different sce-narios, one complete authentication consists of several basicrotations. Different number of basic rotations and granulari-ties of recognition lead to a much larger key space and an ad-justable encryption complexity. Table 1 summarizes possiblekey space for two-dimensional rotations with different num-ber of basic rotation k and granularity of recognition n. From

Table 1. KEY SPACE BETWEEN DIFFERENT k AND nn = 4, k = 3 n = 4, k = 8 n = 8, k = 8

Key Space 864 6718464 1.18×1010

the table, we can see with just such simple rotations, key s-pace can be significantly enlarged and therefore increases thesecurity level of systems.

We mainly focused on the feasibility of our novel approachthat combining sensory data and onboard static ID informa-tion in authentication process. In fact, since sensory data andID information are gathered into EPC, lots of work on authen-tication protocol and communication encryption in ultra highfrequency (UHF) RFID system can be easily adopted into ourauthentication method, and therefore several security vulner-abilities such as replay attack and eavesdropping can also bewell solved.3 System Description

The prototype system we built consists of three parts in-cluding WISP-based access cards, access control clients andthe server interface. Different from existing authenticationmethods such as combining proximity cards and an addition-al keypad near the reader, our method could be adopted withminor modification of existing infrastructure.

Access cards used in our system is built based on the In-tel Wireless Identification and Sensing Platform (WISPs)[3].WISP is a fully-passive UHF RFID tag which integrates anultra-low-power processor and several low-power sensors suchas temperature sensor and accelerometer. Through WISP’s an-tenna, the signal from standard UHF RFID readers can be usedfor both communication and powering the entire WISP. Dueto the space constraint of cards, we reshaped the antenna oftraditional WISP and optimized it under the licensed RFIDfrequency band in China. Figure 2 shows the comparison be-tween our WISP-based access card and the original WISP.

Figure 2. WISP-based Access Card vs. Original WISP

To further improve the communication quality between ac-cess card and RFID reader, we orthogonally placed 2 WISPsonto one card. In this way, two different orientated antennaeensure a more stable power supply and data transmission forour system. Data from two different accelerometers are com-plementary and consolidated for authentication. In our experi-ments, 50 complex rotations under each number of basic rota-tions k are designated to 3 volunteers (abbreviated as VLT inTable 2). Accuracy rates of authentication and average rota-tion delay for each volunteer are reported in Table 2. Throughexperiments, we found the probability of simultaneous sen-sory data loss is reduced relative to that with only single ac-celerometer and average accuracy rates of all three columns

are higher than 95% according to Table 2. From the last lineof Table 2, we can observe that the delay of rotation approxi-mately linearly grows but even when number of basic rotationsk = 5, delay is no more than 15s. By improving hardware de-sign and optimizing authentication algorithm, delay could befurther reduced.

Table 2. ACCURACY RATE vs. DIFFERENT VOLUN-TEERS WITH DUAL ACCELEROMETERS (n = 4)

k=1 k=2 k=3 k=4 k=5VLT #1 100% 100% 94.0% 94.0% 96.0%VLT #2 100% 94.0% 96.0% 100% 98.0%VLT #3 98.0% 96.0% 94.0% 96.0% 98.0%Delay 1.9s 4.7s 7.7s 10.5s 13.3s

We use an Impinj Speedway Reader IPJ-R1000 as accesscontrol client. It powers the whole WISP-based access cardand provides network connectivity between the card and thebackend authentication network server.

Figure 3. Authentication User Interface

Figure 3 shows the user interface of our system. Networkinterface of it is based on an open source of Impinj ReaderApplication [1]. During rotation process, realtime attitudesof access card are shown in the left part (WISP-liked figureis used here for display) and communication details are listedin the right. Moreover, the demo GUI can reconstruct the w-hole rotation process and most importantly, we can obtain thematching result of sensory data user generated with records inthe authentication database.4 Acknowledgement

This research was supported in part by NSFC No.60974122 and SUTD-ZJU Collaboration Grant SUTD-ZJU/RES/03/2011.5 References[1] Reader Application. http://wisp.wikispaces.com/reader-

+application.

[2] I. Daradimos, K. Papadopoulos, I. Stavrakas, M. Kaitsa,T. Kontogiannis, and D. Triantis. A physical access con-trol system that utilizes existing networking and computerinfrastructure. IEEE EUROCON, 2007.

[3] A. P. Sample, D. J. Yeager, P. S. Powledge, A. V. Mami-shev, and J. R. Smith. Design of an RFID-based battery-free programmable sensing platform. IEEE Transactionson Instrumentation and Measurement, 2008.