Campus ID News

Using PKI for physical access control

CampusIDNews Staff | Feb 27, 2012

By Bob Fontana, President and CTO, Codebench

Physical security professionals are hearing about public key infrastructure, or PKI, more frequently than ever before. This is because the federal government, through the National Institute of Standards and Technology (NIST) and the Interagency Advisory Board (IAB), is pushing for higher security in the physical access control world.

The federal government says physical access control systems (PACS) need to be upgraded to be FIPS 201 and SP 800-116 compliant. Depending on the level of assurance required for entering the space, each door or turnstile will be secured by an authentication system capable of verifying one or more authentication factors before granting access.

A traditional access control reader provides one authentication factor, which results in "some" assurance. A single factor is the minimum standard for controlled access defined by SP 800-116. Readers with PIN pads can be used to provide two factors, and readers with a fingerprint sensor or iris scanner can provide three.

A FIPS 201-compliant contactless card reader must also ensure that the credential being presented is the one that was originally enrolled in the PACS rather than a forgery or clone.

Access control systems can use PKI at the door to accomplish this and determine a card's authenticity. The verifier sends a random challenge to the smart card, the card signs it with its private key, and the verifier checks the signature with the card's public key. Only an original, legitimate card can respond correctly to the challenge.

Where does PKI at the door live?

There are three basic configurations for PKI at the door:

  1. The challenge is generated at the panel and sent to the reader where it is passed to the card. The reader is effectively a transparent smart card reader that passes smart card commands and responses between the card and the panel. Cryptographic processing of the response from the card is performed at the panel and certificates and certificate revocation status are cached at the panel.

    The advantage of this approach is that it does not require extra boards or equipment, and it is highly resilient because the panel is designed to operate offline from the server for long periods of time. The downside is that the panel needs to be upgraded to perform PKI at the door.

  2. The challenge is generated at the PACS server and sent to the reader, which passes it to the card. The reader passes the response back to the server, which then verifies the response and issues a message to the appropriate hardware to unlock the door.

    This solution works with all panels in use today and can handle hundreds of doors concurrently. It has an early advantage because there is no need to update panel firmware. The disadvantage is that its reliability depends upon server availability, although this is mitigated with a backup server.

  3. The challenge is generated by an additional board or controller and is sent to the reader, which passes it to the card. The reader passes the response back to the controller where it is verified. Depending on the verification results, the card identifier is sent to the access control panel.

    There is no need to update the panel firmware with this approach. Because it operates closer to the door, it is designed to operate independently of a server for long periods of time, much like a panel. On the negative side, a separate controller adds cost in equipment and wiring.

With all three approaches, data is sent over multiple hops from the card edge to the PACS, and on each hop the data needs to be secured using encryption.
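As an added example, not code from the article or from Codebench, here is the challenge-response described above reduced to its cryptographic core: the card signs a fresh random challenge with a private key only it holds, and the verifier, which in the three configurations above is the panel, the PACS server or the separate controller, checks the signature against the public key cached at enrolment. It assumes ECDSA on P-256 as a stand-in for the card's key type and does not model the real smart card command set, certificate parsing or revocation checking.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Card models the credential: its private key is generated on-card at issuance
// and never leaves it, so a copy of the card's readable data has no key.
type Card struct {
	ID  string
	key *ecdsa.PrivateKey
}

func NewCard(id string) (*Card, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{ID: id, key: k}, nil
}

// Answer signs the SHA-256 digest of the challenge with the card's private key.
func (c *Card) Answer(challenge []byte) ([]byte, error) {
	d := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.key, d[:])
}

// Verifier models the panel, server or door controller: it caches the public
// key from each card's certificate at enrolment, indexed by card identifier.
type Verifier struct{ enrolled map[string]*ecdsa.PublicKey }

func NewVerifier() *Verifier { return &Verifier{enrolled: map[string]*ecdsa.PublicKey{}} }
func (v *Verifier) Enrol(c *Card) { v.enrolled[c.ID] = &c.key.PublicKey }

// Challenge draws a fresh nonce per presentation so a recorded answer cannot be replayed.
func (v *Verifier) Challenge() ([]byte, error) {
	n := make([]byte, 16)
	_, err := rand.Read(n)
	return n, err
}

// Verify accepts only a signature over this exact challenge under the enrolled key.
func (v *Verifier) Verify(cardID string, challenge, sig []byte) bool {
	pub := v.enrolled[cardID] // nil for an unenrolled identifier
	d := sha256.Sum256(challenge)
	return pub != nil && ecdsa.VerifyASN1(pub, d[:], sig)
}
```

A card that carries the same identifier and certificate data but not the private key fails Verify, as does an answer recorded from an earlier presentation, which is why the nonce must be fresh each time.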

Is PKI at the door for everyone?

All of this data processing takes time. Factors such as the type of card and the type of connectivity between devices cause card authentication times to range from one to several seconds.

The good news is that once a cardholder has authenticated with the requisite factors to enter a particular area, there is no need to re-authenticate unless a security area requiring even higher assurance is nested within it. Even then, only the additional assurance factors are required. Therefore, security managers should plan their SP 800-116 security zones with an eye on minimizing cost while maximizing throughput and security.

What does the future hold for PKI at the door?

While a physical card is the primary means for gaining access into a high-assurance area, near field communication (NFC) is quickly becoming standard in mobile phones. With NFC, the phone becomes both a credential and a reader. Combined with cloud services, NFC can dramatically lower the costs of PKI at the door by eliminating panels and reducing wiring to an NFC terminal connected to a door relay.

This type of solution won't work in every environment, but it will provide organizations with additional options, especially in the commercial market. NIST and IAB are already looking into this technology and security companies are gearing up for it.

The trickle-down effect, where the mainstream market embraces technologies first implemented by the government, will play a large role in the adoption of PKI in the physical security market as a high-assurance validation method.
