
Using PKI for physical access control

CampusIDNews Staff | Feb 27, 2012

By Bob Fontana, President and CTO, Codebench

Physical security professionals are hearing about public key infrastructure, or PKI, more frequently than ever before. This is because the federal government, through the National Institute of Standards and Technology (NIST) and the Interagency Advisory Board (IAB), is pushing for higher security in the physical access control world.

The federal government says physical access control systems (PACS) need to be upgraded to be FIPS 201 and SP 800-116 compliant. Depending on the level of assurance required for entering the space, each door or turnstile will be secured by an authentication system capable of verifying one or more authentication factors before granting access.

A traditional access control reader provides one authentication factor, which results in "some" assurance. A single factor is the minimum standard for controlled access defined by SP 800-116. Readers with PIN pads can be used to provide two factors, and readers with a fingerprint sensor or iris scanner can provide three.

A FIPS 201-compliant contactless card reader must also ensure that the credential being presented is the one that was originally enrolled in the PACS rather than a forgery or clone.

Access control systems can use PKI at the door to accomplish this and determine a card's authenticity. The verifier sends a random challenge to the smart card; the card signs it with a private key that never leaves the card, and the verifier checks the signature using the public key in the card's certificate. Only an original, legitimate card can respond correctly to the challenge.

Where does PKI at the door live?

There are three basic configurations for PKI at the door:

  1. The challenge is generated at the panel and sent to the reader where it is passed to the card. The reader is effectively a transparent smart card reader that passes smart card commands and responses between the card and the panel. Cryptographic processing of the response from the card is performed at the panel and certificates and certificate revocation status are cached at the panel.

    The advantage of this approach is that it does not require extra boards or equipment, and it is highly resilient because the panel is designed to operate offline from the server for long periods of time. The downside is that the panel needs to be upgraded to perform PKI at the door.

  2. The challenge is generated at the PACS server and sent to the reader, which passes it to the card. The reader passes the response back to the server, which then verifies the response and issues a message to the appropriate hardware to unlock the door.

    This solution works with all panels in use today and can handle hundreds of doors concurrently. It has an early advantage because there is no need to update panel firmware. The disadvantage is that its reliability depends upon server availability, although this is mitigated with a backup server.

  3. The challenge is generated by an additional board or controller and is sent to the reader, which passes it to the card. The reader passes the response back to the controller where it is verified. Depending on the verification results, the card identifier is sent to the access control panel.

    There is no need to update the panel firmware with this approach. Because it operates closer to the door, it is designed to operate independently of a server for long periods of time - much like a panel. On the negative side, a separate controller adds cost in equipment and wiring.
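The following Go program is an added illustration of the challenge-response exchange described above; it is not code from the article or from Codebench. The constructed issuing CA, the cardholder name, the in-memory revocation cache, and all function names are assumptions. The `Verifier` plays the role that the panel, the PACS server, or the add-on controller takes in the three configurations: it generates the random challenge, checks that the card's certificate chains to a trusted issuer and is not revoked, and verifies the card's signature. A copy that carries the genuine certificate but not the private key, a replayed response, and a revoked certificate are all rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Card models a FIPS 201-style smart card: the private key never leaves the
// card, while the certificate (public key signed by the issuer) is readable.
type Card struct {
	priv *ecdsa.PrivateKey
	cert *x509.Certificate
}

// CertDER returns the certificate as a reader would fetch it from the card.
func (c *Card) CertDER() []byte { return c.cert.Raw }

// Sign answers a challenge by signing its SHA-256 digest with the on-card key.
func (c *Card) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

func certTemplate(cn string, serial int64) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
}

// NewCA creates a constructed self-signed issuing CA standing in for the agency's PIV CA.
func NewCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := certTemplate("Example Issuing CA (constructed)", 1)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage |= x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// IssueCard enrolls a cardholder: a fresh key pair on the card plus a certificate signed by the CA.
func IssueCard(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, holder string, serial int64) (*Card, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	der, err := x509.CreateCertificate(rand.Reader, certTemplate(holder, serial), caCert, &key.PublicKey, caKey)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &Card{priv: key, cert: cert}, nil
}

// CertOnlyCopy models a copy made from what a reader can see: the genuine
// certificate, but an unrelated private key because the real one is not readable.
func CertOnlyCopy(orig *Card) (*Card, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	return &Card{priv: key, cert: orig.cert}, nil
}

// Verifier is the PKI-at-the-door logic. Whether it runs in the panel, the
// PACS server or an add-on controller, the checks are the same.
type Verifier struct {
	roots   *x509.CertPool
	revoked map[string]bool // cached revocation status keyed by serial number (constructed)
}

func NewVerifier(caCert *x509.Certificate) *Verifier {
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return &Verifier{roots: pool, revoked: map[string]bool{}}
}

// Revoke records a serial in the local cache; a deployed system refreshes this from CRL/OCSP.
func (v *Verifier) Revoke(serial *big.Int) { v.revoked[serial.String()] = true }

// NewChallenge returns a fresh 32-byte nonce, so a captured response is useless later.
func (v *Verifier) NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Authenticate checks that the certificate chains to a trusted issuer, is not
// revoked, and that the signature over this transaction's challenge verifies
// under its public key. Only the card holding the matching private key passes.
func (v *Verifier) Authenticate(certDER, challenge, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return "", fmt.Errorf("unreadable certificate: %w", err) }
	opts := x509.VerifyOptions{Roots: v.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil { return "", fmt.Errorf("certificate not trusted: %w", err) }
	if v.revoked[cert.SerialNumber.String()] { return "", errors.New("certificate revoked") }
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok { return "", errors.New("unexpected key type") }
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) { return "", errors.New("challenge signature invalid: not the enrolled card") }
	return cert.Subject.CommonName, nil // cardholder identity forwarded to the PACS
}
```

In configuration 1 the `Verifier` state (trusted roots and the revocation cache) is what the panel would hold offline; in configuration 2 it sits on the server; in configuration 3 it sits on the add-on controller, which forwards only the card identifier to the panel after a successful `Authenticate`.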

With all three approaches, data is sent over multiple hops from the card edge to the PACS, and with each hop the data needs to be secured using encryption.

Is PKI at the door for everyone?

All of this data processing takes time. Factors, such as the type of card and type of connectivity between devices, cause card authentication times to range from one to several seconds.

The good news is that once a cardholder has authenticated with the requisite factors to enter a particular area there is no need to re-authenticate unless a security area requiring even higher assurance is nested within it. Even then only the additional assurance factors are required. Therefore, security managers should plan their SP 800-116 security zones with an eye on minimizing cost while maximizing throughput and security.

What does the future hold for PKI at the door?

While a physical card is the primary means for gaining access into a high-assurance area, near field communication (NFC) is quickly becoming standard in mobile phones. With NFC, the phone becomes both a credential and a reader. Combined with cloud services, NFC can dramatically lower the costs of PKI at the door by eliminating panels and reducing wiring to an NFC terminal connected to a door relay.

This type of solution won't work in every environment, but it will provide organizations with additional options, especially in the commercial market. NIST and IAB are already looking into this technology and security companies are gearing up for it.

The trickle-down effect, where the mainstream market embraces technologies first implemented by the government, will play a large role in the adoption of PKI in the physical security market as a high-assurance validation method.

CampusIDNews is published by AVISIAN Publishing