Trends In Access Control: SMART CREDENTIALS

Are there any industry guidelines relating to non-DHS sector recommended credential/reader selection based on risk-assessment?

There are many. For instance, the US DEA recently issued a rule requiring doctors and pharmacists to use two-factor authentication when electronically prescribing controlled substances. The most usable combination is a smart card with a biometric, with the biometric template stored on the card. The rule requires that the card contain a cryptographic module, which the aptiQ smart card has.

Where does aptiQ fit into FIPS 201/HSPD-12?

The Schlage readers that read aptiQ smart cards also read the government's PIV cards. Using smart card or multi-technology readers from Schlage is therefore useful for sites that must handle mixed card types.

Although both PIV cards and aptiQ are ISO/IEC 14443-based credentials, they differ considerably in openness, security, and issuance process. aptiQ is an open-architecture contactless smart card that allows significant customization and offers the highest levels of encryption currently available on contactless smart cards. The PIV card is a credential issued by the government. It has an additional component, a dual interface, so its data can be stored and accessed over either the contact or the contactless interface.

Please explain mutual authentication in the context of aptiQ.

Mutual authentication requires the reader and the card to prove to each other, through a challenge-response exchange under a shared key, that they are permitted to talk with each other before any information is exchanged. A card that does not hold the key cannot satisfy the reader, and a reader that does not hold the key is refused by the card, so neither a cloned card nor a rogue reader gets past this step.

Please explain AES 128.

In cryptography, the Advanced Encryption Standard (AES) is a symmetric-key encryption standard adopted by the U.S. government. The AES cipher has been analyzed extensively and is now used worldwide. AES was announced by the National Institute of Standards and Technology (NIST) as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001, after a five-year standardization process. It became effective as a Federal government standard on May 26, 2002, after approval by the Secretary of Commerce. It is available in many different encryption packages. AES is the first publicly accessible and open cipher approved by the NSA for Top Secret information (with 192- or 256-bit keys; 128-bit keys, the size used on these cards, are approved up to the Secret level).

Please (briefly) explain MIFARE DESFire EV1.

Look for the "EV1" designation to be sure of getting the more secure version of the card.

A MIFARE DESFire card is sold already programmed with a general-purpose operating system (the DESFire OS) that offers a simple directory structure of applications and files, similar to what is typically found on smart cards. The maximum read/write distance between the card and reader is 10 cm (4 inches), but the actual distance depends on the field power generated by the reader and on its antenna size.

MIFARE DESFire EV1 is the next evolution of the DESFire card described above and is broadly backwards compatible with it. It is available with 2 KB, 4 KB and 8 KB of non-volatile memory. Other features include:

  • Support for a random ID (the card can answer anti-collision with a random identifier rather than its fixed UID, so it cannot be tracked by UID alone)
  • Support for 128-bit AES, in addition to the DES/3DES of the original DESFire

Please (briefly) explain MAC (Message authentication code).

The message authentication code (MAC) further protects each transaction between the credential and the reader. A tag computed under the session key accompanies each message, and the receiving side rejects any message whose tag does not verify. This security feature ensures complete and unmodified transfer of information, helping to protect data integrity and to prevent outside tampering or injection.

Please explain Diversified keys.

With diversified keys, each card carries its own key, derived from a master key and that card's unique identifier, and the reader re-derives the card's key when it reads the identifier. Nobody without the correctly diversified key can read or access the holder's credential information, and because no two cards share a key, extracting the key from one card exposes no other card in the system.
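The three mechanisms discussed above (mutual authentication, a MAC on each transaction, and per-card diversified keys) fit together as shown in the Go program below. It is an added illustration written for this page, not aptiQ, Schlage or NXP code: it models a reader that holds a site master key and a card that holds only its own diversified key, runs a simplified three-pass AES challenge-response modelled on the DESFire EV1 AES authentication, derives a session key from both random numbers, and tags a subsequent command. The diversification and MAC constructions (truncated HMAC-SHA256), the sample master key, UID and command bytes are all assumptions made for the example; real DESFire deployments use AES-CMAC for both and chain the authentication blocks in CBC mode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DiversifyKey derives one card's key from the site master key and that card's UID.
// Illustrative construction (HMAC-SHA256 cut to 16 bytes); real deployments use NXP AN10922 AES-CMAC.
func DiversifyKey(master, uid []byte) []byte {
	m := hmac.New(sha256.New, master)
	m.Write(append([]byte("card-key-div"), uid...))
	return m.Sum(nil)[:16]
}

// aesBlock applies raw AES-128 to one 16-byte block; decrypt selects the direction.
func aesBlock(key, in []byte, decrypt bool) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 16)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out
}

// rotl1 rotates a nonce left by one byte (RndB -> RndB'), as the DESFire protocol specifies.
func rotl1(b []byte) []byte { return append(append([]byte{}, b[1:]...), b[0]) }

func nonce() []byte {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand.Read never returns an error as of Go 1.24
	return b
}

// Card models the credential; it holds only its own diversified key, never the master.
type Card struct{ UID, Key, rndB []byte }

// Pass 1: the card answers the authenticate command with E(K, RndB).
func (c *Card) Challenge() []byte {
	c.rndB = nonce()
	return aesBlock(c.Key, c.rndB, false)
}

// Pass 3: the card checks the reader's proof before releasing anything, then answers
// E(K, RndA'). Blocks are encrypted independently here; real EV1 chains them in CBC.
func (c *Card) Respond(proof []byte) ([]byte, error) {
	if len(c.rndB) != 16 || len(proof) != 32 || !bytes.Equal(aesBlock(c.Key, proof[16:], true), rotl1(c.rndB)) {
		return nil, fmt.Errorf("card: reader does not hold my key")
	}
	return aesBlock(c.Key, rotl1(aesBlock(c.Key, proof[:16], true)), false), nil
}

type Reader struct{ Master []byte }

// Authenticate runs the three-pass exchange; on success both sides share a fresh session key.
func (r Reader) Authenticate(c *Card) ([]byte, error) {
	key := DiversifyKey(r.Master, c.UID) // reader re-derives the card's key from its UID
	rndB := aesBlock(key, c.Challenge(), true)
	rndA := nonce()
	// Pass 2: the reader proves it holds K with E(K, RndA) || E(K, RndB').
	resp, err := c.Respond(append(aesBlock(key, rndA, false), aesBlock(key, rotl1(rndB), false)...))
	if err != nil {
		return nil, err
	}
	if !bytes.Equal(aesBlock(key, resp, true), rotl1(rndA)) {
		return nil, fmt.Errorf("reader: card does not hold the expected key")
	}
	// Session key mixes both nonces (EV1 AES layout: RndA[0:4] RndB[0:4] RndA[12:] RndB[12:]).
	sk := append(append(append(append([]byte{}, rndA[:4]...), rndB[:4]...), rndA[12:]...), rndB[12:]...)
	return sk, nil
}

// MacCommand tags a post-authentication command with the session key so the card rejects
// anything altered in transit. Illustrative (HMAC-SHA256 cut to 8 bytes; EV1 uses AES-CMAC).
func MacCommand(session, cmd []byte) []byte {
	m := hmac.New(sha256.New, session)
	m.Write(cmd)
	return m.Sum(nil)[:8]
}

func main() {
	master := []byte("site-master-key!") // constructed 16-byte sample key
	uid := []byte{0x04, 0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6}
	reader := Reader{Master: master}
	sk, err := reader.Authenticate(&Card{UID: uid, Key: DiversifyKey(master, uid)})
	fmt.Println("genuine card accepted:", err == nil)
	// A clone that copied the UID but carries a key diversified for another UID is rejected.
	_, err = reader.Authenticate(&Card{UID: uid, Key: DiversifyKey(master, []byte{0x04, 0, 0, 0, 0, 0, 1})})
	fmt.Println("clone:", err)
	tag := MacCommand(sk, []byte{0xBD, 0x01}) // constructed read-data command
	fmt.Println("tampered command accepted:", hmac.Equal(MacCommand(sk, []byte{0xBD, 0x02}), tag))
}
```

Run it with `go run`. The genuine card authenticates; the clone, which copied a UID but carries a key diversified for a different UID, is refused at pass 3 because the reader's proof does not decrypt to RndB' under the clone's key; a reader with the wrong master key fails at the same point from the card's side; and a command whose bytes change after the tag was computed fails the MAC check. Nothing sensitive is released before the check at pass 3, which is the property the mutual authentication answer above describes.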

If possible please compare aptiQ with OneBadge.

OneBadge is an application, while aptiQ is hardware; the OneBadge application can be loaded onto an aptiQ smart card credential.

How can an existing installation migrate up to aptiQ, and what would be the cost-benefit for such a transition?

Besides simplifying the installation itself, multi-technology readers give flexibility during the transition while letting organizations take advantage of the lower cost of smart cards.

With a multi-technology reader installed at every new door, organizations can plan flexibly for the future: they keep using their present proximity cards today and migrate to smart cards when budget and schedule allow. They can upgrade on their own timeline rather than being forced into a "now or never" choice by the technology.
