Campus ID News
Card, mobile credential, payment and security
FEATURED
PARTNERS
slider dooraccess 1

Using PKI for physical access control

CampusIDNews Staff   ||   Feb 27, 2012  ||   ,

By Bob Fontana, President and CTO, Codebench

Physical security professionals are hearing about public key infrastructure, or PKI, more frequently than ever before. This is because the federal government, through the National Institutes of Standards and Technology and the Interagency Advisory Board (IAB), are pushing for higher security in the physical access control world.

The federal government says physical access control systems (PACS) need to be upgraded to be FIPS 201 and SP 800-116 compliant. Depending on the level of assurance required for entering the space, each door or turnstile will be secured by an authentication system capable of verifying one or more authentication factors before granting access.

A traditional access control reader provides one authentication factor, which results in "some" assurance. A single factor is the minimum standard for controlled access defined by SP 800-116. Readers with PIN pads can be used to provide two factors, and readers with a fingerprint sensor or iris scanner can provide three.

A FIPS 201-compliant contactless card reader must also ensure that the credential being presented is the one that was originally enrolled in the PACS rather than a forgery or clone.

Access control systems can use PKI at the door to accomplish this and determine a card's authenticity. The process uses private and public keys to sign and verify a random challenge sent to the smart card. Only an original, legitimate card can respond correctly to the challenge.

Where does PKI at the door live?

There are three basic configurations for PKI at the door:

  1. The challenge is generated at the panel and sent to the reader where it is passed to the card. The reader is effectively a transparent smart card reader that passes smart card commands and responses between the card and the panel. Cryptographic processing of the response from the card is performed at the panel and certificates and certificate revocation status are cached at the panel.

    The advantage of this approach is that it does not require extra boards or equipment, and it is highly resilient because the panel is designed to operate offline from the server for long periods of time. The downside is that the panel needs to be upgraded to perform PKI at the door.

  2. The challenge is generated at the PACS server and sent to the reader, which passes it to the card. The reader passes the response back to the server, which then verifies the response and issues a message to the appropriate hardware to unlock the door.

    This solution works with all panels today can handle hundreds of doors concurrently. It has an early advantage because there is no need to update panel firmware. The disadvantage is that its reliability depends upon server availability, although this is mitigated with a backup server.

  3. The challenge is generated by an additional board or controller and is sent to the reader, which passes it to the card. The reader passes the response back to the controller where it is verified. Depending on the verification results, the card identifier is sent to the access control panel.

    There is no need to update the panel firmware with this approach. Because it operates closer to the door, it is designed to operate independently of a server for long periods of time - much like a panel. On the negative side, a separate controller adds cost in equipment and wiring.

With all three approaches, data is sent over multiple hops from the card edge to the PACS.

With each hop, the data needs to be secured using encryption.

Is PKI at the door for everyone?

All of this data processing takes time. Factors, such as the type of card and type of connectivity between devices, cause card authentication times to range from one to several seconds.

The good news is that once a cardholder has authenticated with the requisite factors to enter a particular area there is no need to re-authenticate unless a security area requiring even higher assurance is nested within it. Even then only the additional assurance factors are required. Therefore, security managers should plan their SP 800-116 security zones with an eye on minimizing cost while maximizing throughput and security.

What does the future hold for PKI at the door?

While a physical card is the primary means for gaining access into a high-assurance area, near field communications (NFC) is quickly becoming standard in mobile phones. With NFC, the phone becomes both a credential and a reader. Combined with cloud services, NFC can dramatically lower the costs of PKI at the door by eliminating panels and reducing wiring to an NFC terminal connected to a door relay.

This type of solution won't work in every environment, but it will provide organizations with additional options, especially in the commercial market. NIST and IAB are already looking into this technology and security companies are gearing up for it.

The trickle down effect–where the mainstream market embraces technologies first implemented by the government–will play a large role in the adoption of PKI in the physical security market as a high assurance validation method.

Subscribe to our weekly newsletter

RECENT ARTICLES

Brista Hurst UT Tyler

Learn to analyze card system data at NACCU’s popular Data Summit

In a recent CampusIDNews Chats interview, Brista Hurst-Kent, Business Technology Services Manager at the University of Texas at Tyler, shared her experience attending the NACCU Data Summit. This two-day workshop focused on empowering participants to use common reporting tools – specifically Microsoft Excel with Power Pivot and Power Query – to create interactive dashboards that […]
Credentials 101 Series banner

Understanding chip options for contactless campus cards

Three main components underly modern credential technology – chips, formats, and encryption. Each are applicable to both cards and mobile credentials and understanding them is key to making informed decisions for your campus card program. In this series of articles, we will dive into each component, but first a brief preview. Chips are the core of […]
Apex OrderHQ Array modular lockers
Jul 02, 25 /

Modular locker solution streamlines campus order pickup

Apex Order Pickup Solutions launched a new modular system of automated order pickup lockers that can be stacked or setup in custom configurations. The OrderHQ Array Series lockers work in any floor plan without expensive remodeling. In an interview with Food On Demand, Kent Savage, founder and executive chairman of Apex Order Pickup Solutions, compares […]
CIDN logo reversed
The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.
Twitter

Attn: friends in the biometrics space. Nominations close Friday for the annual Women in Biometrics Awards. Take five minutes to recognize a colleague or even yourself. http://WomenInBiometrics.com

Feb. 1 webinar explores how mobile ordering enhanced campus life, increased sales at UVA and Central Washington @Grubhub @CBORD

Load More...
Contact
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301
www.AVISIAN.com[email protected]
Use our contact form to submit tips, corrections, or questions to our team.
©2025 CampusIDNews. All rights reserved.