Subscriber Discussion

MERCK Smart Card Application (MSCA)???

David Stolerow
Sep 22, 2017

We have a customer that needs to conform to a new standard being pushed down from their corporate security in Sweden. Sweden has not been able to be reached to answer any questions we have.

The specification we are provided states that the readers must be MERCK Smart Card Architecture (MSCA), RFID, MiFare readers. Speaking with HID, they said that they can read the serial number, but not the specific MERCK read key. My understanding is that it is similar to an HID Corporate 1000 key.

Here are the definitions from the specifications provided:

  • MERCK Smart Card Architecture: "The MSCA is the defined data organization that contains keys and data of mandated vendors, which are essential for the secured data exchange of smart cards and reading components."
  • Read Key: "The Read Key is a part of the MSCA and is necessary to allow RFID-Readers to establish a data exchange session with Merck Smart Cards."

I'm hoping that someone in the IPVM community is familiar with MERCK, and can help point me in the right direction to find a manufacturer who owns, or can support, an MSCA Read Key.

Thank you in advance,

Dave

Brian Rhodes
Sep 22, 2017
IPVMU Certified

Is Merck the customer or otherwise affiliated with Merck?

What they are specifying here is a traditional 13.56 MHz MIFARE format, but with cards/credentials/readers keyed to a specific Merck-only value.

This is smart from an operational security point-of-view, but it does mean that you should expect to work through Merck only to get this information.  It quite literally is protected information.

If the customer is not Merck/ affiliated with them and is using a boilerplate spec, they will need to change this language.

David Stolerow
Sep 22, 2017

Hi Brian,

Thanks for the quick and helpful response.

This is actually a MERCK affiliate company under a different name. The cards will be provided from Merck KGaA though. We are tasked with selecting and replacing the readers, but don’t know which manufacturer to buy from. After working with HID for two weeks, they made the statement that they don’t “own” the MERCK read key, and we’ll have to buy elsewhere.

I’m hoping there’s someone here who is familiar with the brand they have standardized on.

Brian Rhodes
Sep 22, 2017
IPVMU Certified

Hello David,

Very likely, even when the manufacturer is known, they won't tell you the key/ sell you Merck parts unless you have a letter or specific permission from someone at Merck.

The key itself is not a substantial thing, but it is like a password - unless the readers and card have it, any further data exchanged between the two is ignored.

Undisclosed
Sep 24, 2017

The cardholder info is probably inside an encrypted container on the card.  It could be DESFIRE or something other than MIFARE.  Nobody (anywhere!) should be using the card serial number (CSN) since that's cloneable.  You probably need to switch to a reader vendor who has more robust (some would say less primitive) features than HID.  You probably need to have the readers configured for the customer's specific access keys.  Real card reader companies provide capabilities for readers to be configured with site-specific keys.  

The old style of "we ordered the readers from the factory, we can't configure them in the field" is not acceptable because the customer's supposed to be the one in control of the crypto keys (not some beancounter in manufacturing in Texas).

INID, Wavelynx, Springcard, STid, and other vendors can probably help you.  Some of these (INID for example) are oem'ed by your fav PACS vendors and so are well integrated into conventional vendor supply chains.  
