ANSSI CSPN-certified access control

A commitment to flawless security means that protecting access to the building is not enough. The access control system itself must also be secured.

Technical architecture

Cyber risks all along the supply chain
An access control system is made up of a number of technical components, from user badges to access supervision and rights management stations.

This technical architecture has many weak points that malicious parties can exploit:

  • Badge cloning 
  • Reader substitution 
  • Access to component data 
  • Interception and modification of communications between devices 
  • Database theft 
  • Access and actions in the software that drives the solution 

A solution for every risk
Fortunately, protection mechanisms exist at all levels.

As part of the CSPN certification it issues, ANSSI requires certain cybersecurity technologies:

  • "Transparent" badge readers (no encryption keys stored in an accessible element) 
  • Fully secure communications 
  • EAL5+ tamper-proof components 

A robust system and products

Proven security... 3 times!

Based on a compliance analysis and tests carried out by an assessor under the authority of ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information), TIL's access control solution has been CSPN certified 3 times by the agency since 2018.

The robustness and cybersecurity of our solution have been approved against a technical target that has been expanded each time, and against an increasingly stringent cyber-protection reference framework that takes technological developments into account.

Our latest certificate therefore covers protection against radio relay attacks ("proximity check / radio bridge"), as requested in ANSSI's latest Note 7 v2.

A commitment to trust

For both products and service, certification confirms the trust placed in our teams and our work:

  • Confidentiality and protection of data entrusted by the user of the product or service 
  • Ongoing remediation of identified cyber vulnerabilities (CVEs) 

As a user, when you choose our ANSSI-certified access control solution, you can be sure that our features offer a proven level of security, and are resistant to attacks of a specified level.

The criteria for flawless security

  • DESFire EV1, EV2, EV3 badge technologies 
  • Multi-application encoding and graphic printing of badges in a single operation 
  • KEY SECURE MANAGER software enables end-users to control the encryption keys protecting access to each badge application (RFID access control, biometrics, restaurants, photocopiers, etc.). 
  • Key diversification, so that each badge has different keys 
  • Key export in an AES 256-bit encrypted container to MICROSESAME, for centralized key download to field modules 

  • "Transparent" EVOLUTION readers, with no encryption keys stored in the readers. 
  • Secure, signed communication between Daemons, specialized MLP2 modules and EVOLUTION readers (RS485, 128-bit AES encryption), with sign-of-life and anti-tear alarm. 
  • Each reader can read up to 4 different types of DESFire EVx badges, thanks to the specialized MLP2 module. 
  • Reader + keypad versions, corresponding to levels 3 and 4 of the ANSSI guide 

  • Access to the MICROSESAME supervision software via a password managed by an LDAP directory 
  • Fine-grained management of operator rights: display levels and access to functions, sites, entities, access classification, according to precise profiles. 
  • Traceability of operator actions in a dedicated interface 
  • Operator passwords protected in the database with SHA-512 hashing and a 512-character salt 
  • WEBSESAME portal protected against CSRF attacks 

  • Hot redundancy of the MICROSESAME server for automatic recovery from hardware failures, without service interruption or data loss 
  • Compatible with secure IT environments (VPN/VLAN networks, TLS v1.2, 802.1X RADIUS server, LDAP directory, IPv6 ready, SNMP v3 (network status)) 
  • Network port filtering 
  • No encoder, enrollment device or client workstation stores badge keys. 

A complete security target

ANSSI recommendations
ANSSI insists that, in addition to the electronic components, the controlled access management center, i.e. the software solution, must be part of the certified system as a whole (ANSSI guide v2 + Note 7 v1).
 
The mere presence of certified products among the system's components is not a sufficient condition for compliance with its recommendations.
Certification of just one part of the security chain, however important, is also not in line with ANSSI recommendations for guaranteeing a site's cybersecurity.

TIL certified from start to finish!
TIL TECHNOLOGIES has obtained CSPN certification for the entire security chain, from the badge to the operation stations, to guarantee the highest level of protection on the market for the most sensitive sites.