nerdexam
(ISC)2

CISSP · Question #1327

Which of the following is an effective control in preventing electronic cloning of Radio Frequency Identification (RFID) based access cards?

The correct answer is D. Asymmetric Card Authentication Key (CAK) challenge-response. This question tests knowledge of cryptographic controls that prevent RFID access card cloning attacks. Asymmetric challenge-response authentication is the most effective technical countermeasure against card cloning.

Submitted by tom_us· Mar 5, 2026Security Architecture and Engineering

Question

Which of the following is an effective control in preventing electronic cloning of Radio Frequency Identification (RFID) based access cards?

Options

  • APersonal Identity Verification (PIV)
  • BCardholder Unique Identifier (CHUID) authentication
  • CPhysical Access Control System (PACS) repeated attempt detection
  • DAsymmetric Card Authentication Key (CAK) challenge-response

How the community answered

(30 responses)
  • A
    10% (3)
  • B
    23% (7)
  • C
    7% (2)
  • D
    60% (18)

Why each option

This question tests knowledge of cryptographic controls that prevent RFID access card cloning attacks. Asymmetric challenge-response authentication is the most effective technical countermeasure against card cloning.

APersonal Identity Verification (PIV)

PIV is a credential standard and framework (FIPS 201) that defines the overall identity verification system, but by itself it is not a specific control that prevents cloning - its effectiveness depends on which authentication mechanism (e.g., CAK or PKI) is actually enforced.

BCardholder Unique Identifier (CHUID) authentication

CHUID authentication relies on a static identifier stored on the card that can be read and replicated via RF sniffing, making it inherently vulnerable to replay and cloning attacks rather than preventing them.

CPhysical Access Control System (PACS) repeated attempt detection

Repeated attempt detection is a behavioral/anomaly detection control in the access control system that may flag suspicious activity after cloning has already occurred, but it does not technically prevent the card from being cloned or the cloned credential from being used.

DAsymmetric Card Authentication Key (CAK) challenge-responseCorrect

Asymmetric Card Authentication Key (CAK) challenge-response requires the card to cryptographically sign a random challenge using its private key, which cannot be extracted or cloned from the card. Because the private key never leaves the card's secure element, an attacker who captures the RF communication cannot reproduce the correct response for future authentication attempts. This makes cloning the card's cryptographic identity computationally infeasible, directly preventing electronic cloning attacks.

Concept tested: Cryptographic challenge-response to prevent RFID card cloning

Source: https://csrc.nist.gov/publications/detail/fips/201/3/final

Topics

#RFID security#Access control#Asymmetric cryptography#Challenge-response

Community Discussion

No community discussion yet for this question.

Full CISSP Practice