E-Plex 5800 Series Meets FIPS 201 Requirements

Aug. 5, 2010
The E-Plex 5800 series is an economical alternative to online systems, which may not be practical or affordable in many applications.

The new E-Plex 5800 Physical Access Control System (PACS) Series from Kaba Access Control is the latest roll out of enhanced technology to meet the growing security needs of the institutional, commercial and governmental security markets in which Kaba has been a leader since it first introduced the Simplex lock many years ago. It builds upon the field-proven mechanical chassis of the E-Plex, and provides the upgrades by means of more powerful processing and software.

E-Plex 5800 PACS carries the Builders Hardware Manufacturers Association (BHMA) Grade 1 Rating and Underwriters Laboratories (UL) 3 Hour 10C rating for fire door applications.

The E-Plex 5800 PACS is made in the U.S.A. and meets the Buy American Act. It is a GSA approved commercial off the shelf (COTS) solution and appears on the FIPS 201 Approved Product List (APL).

E-Plex dealers are already aware of the constant upgrades to the E-Plex line, which now offers a wide selection of features for the standalone market.

The warranty is three years, and unique in the industry, the warranty clock starts running upon commissioning of the system, not date of shipment or invoice.

If you like to keep a spare on hand for emergencies, this is an excellent inducement to do so rather than wait for a failure and then demand an overnight replacement. How many times have you pulled a product off your shelf to install, and it’s already or nearly out of warranty? I bet more than once.

You ask: How do they know?

I answer: The built-in warranty counter in the lock’s memory.

The rollout of the 5800 series coincides with the introduction of other new features and products which affect other E-Plex models and increase the overall power and value to the client, as well as the ease of deployment of the entire product line.

The 5800 targets the market segment which is subject to Federal Information Processing Standard 201 (FIPS 201). Currently this market includes entities which are subject to Homeland Security Presidential Directive 12 (HSPD 12). Part of this directive called for the implementation of a smart card initiative which met the requirements set forth in FIPS 201. The goal is to produce a common identification standard for all federal government employees and contractors.

The E-Plex 5800 PACS is designed to authenticate and provide physical access using Personal Identity Verification (PIV) contactless smart cards containing the bearer’s encrypted card ID data, digital signature and certificate data, including a photograph, in compliance with HSPD 12 and FIPS 201. The E-Plex 5800 was the first Physical Access Control System integrating certified CHUID (CardHolder Unique Identifier) readers into a stand-alone locking device certified to meet the General Services Administration (GSA) standard for FIPS 201 products.

The E-Plex 5800 PACS lets the user not only set up or extend an existing electronic access control system, but also implement a highly secure opening within a facility in order to meet HSPD requirements which might apply if the user wishes to participate in activities which require strategic deployment of compliant measures on openings to selected areas.

The E-Plex 5800 PACS supports all types of FIPS 201 compliant cards, including:

The PIV-I and PIV-II cards used by U.S. federal government employees and contract workers.

The First Responder Authentication Credential (FRAC) used by emergency service workers.

The Transportation Worker Identification Credential (TWIC) used by transportation workers.

The Common Access Card (CAC) used by the Department of Defense.

Also supported are Philips DESFire contactless smart cards.

The E-Plex 5800 PACS incorporates “CoreStreet-enabled” FIPS High Assurance technology ensuring enhanced credential authentication.

Access can be granted by either credential card only or dual credential (PIN followed by credential). Special Super Service users can be programmed for PIN-only access.

LECTROBOLT

E-Plex 5800 offers the patent pending Lectrobolt which eliminates the need for wires to be run through the door for installation. Power is carried from the power source to the electronics via special bolts which also physically secure the device to the door. This feature makes deployment faster and more reliable.

LEARNLOK

To further speed deployment, and provide more value to the end-users, the LearnLok feature permits enrollment of up to 300 cards right at the door without software or additional accessories.

If at any time the end-user needs to upgrade the security on the door with audits, schedules, time zones etc, the security management of the opening can be upgraded to a Kaba software managed solution. This will increase the user capacity of the E-Plex 5800 PACS to 3,000 users.

The E-Plex 5800 PACS is available in different configurations: Cylindrical, Mortise, Exit Trim, Back-to-back, and Standalone Access Controller (SAC). SAC is used where external electric locking devices are required.

Units are field handable and will fit on most interior or exterior wood or steel core doors. An optional remote unlock feature is available. Mechanical key override is available as an option.

Most keyways and interchangeable core types are supported. The E-Plex 5800 PACS exit trim models are compatible with most exit devices.

The use of the mechanical override is recorded on the activity log. The E-Plex 5800 PACS may be configured for entry, privacy or residence function. Note that a thumb turn is required for privacy and residential functions.

SOFTWARE

The following three levels of operation are supported, depending on the security environment in which the lock is deployed: LearnLok Mode, FIPS General PACS Software, and FIPS High Assurance Software.

LearnLok requires no external accessories and up to 300 users may be enrolled right at the door. If an audit trail is desired, an inexpensive interface unit may be used, and the E-Plex retains the most current 30,000 events for offload.

The new LearnLok Auditor Kit works with not only the E-Plex 5800, but also the e5700 and the future e5600 series.

The solution includes an ActiSys USB-IrDA adapter and a Kaba USB Memory Drive.

The end-user may provide a laptop or netbook locally. The LearnLok Kit is Windows compatible, but if in doubt check with Kaba to confirm your devices are supported.

Operation involves plugging the two USB devices into your laptop or netbook, and visiting the door(s) to be managed. The IrDA communicates with the IrDA window on the E-Plex.

If updating from LearnLok operation, this system retains your existing card-user database.

FIPS 201 identifies the following four primary parties in the personal identity verification (PIV) process.

Applicant: The individual who needs the ID.

Sponsor: The entity within the agency that sponsors or approves the applicant.

Registrar: Responsible for processing approved PIV card requests: validating the identity of the applicant and conducting background checks.

Issuer: Personalizes the PIV card and delivers it to the applicant.

The second stage of PIV involves the addition of a digital signatory and authentication certification authority.

Identity proofing and registration requires the in-person appearance of the applicant at the registrar enrollment station with two forms of I-9 approved identification, referred to as breeder documents. These documents go through a document proofing process that authenticates them. Biometric information is also captured, including fingerprints and a facial photograph.

The FIPS General and High Assurance Software may be used on a single PC or networked.

The FIPS-General version of the software will authenticate the card locally during the card enrollment process.

The card enrollment is accomplished using a Kaba recommended smart card enroller.

In FIPS-General, the software:

Validates the Personal Identity Verification (PIV) Authentication Certificate and signed CHUID signature which contains the FASC-N to make sure that the credential has not been modified.

Requires the card holder to enter her/his personal FIPS card PIN to make sure that the card belongs to the person presenting it during enrollment (e.g., the card is not a stolen one).

Verifies that the card is not expired; and retrieves the digital photo of the card holder to compare it to the person actually enrolling at the card enrollment station. The “General” version does not validate the Card Authentication Certificate (CAC) even if it is present on the card.

This checking is done in the “High Assurance” version using the PKI (Public Key Infrastructure) validation protocol. In FIPS-High Assurance, in addition to performing the above verifications, the software also validates that the credential carried on the card is from a trusted issuing authority (e.g., a federal government agency). It performs these additional validation steps live, interrogating an approved OCSP (Online Certificate Status Protocol) server via the internet and performing a public key <-> private key challenge (PKI) to make sure that the credential has not been cloned or copied.

FIPS High Assurance also checks the status of the credential to make sure that it has not been revoked (CRL) by the issuing authority. Depending on the FIPS card deployment policy of each government agency, some card holders will also have the Card Authentication Certificate on their card, which is validated only in the “High Assurance” version of the software as described above. This simply indicates that this card holder is indeed the person she or he claims to be. The software will add this attribute of the card holder during enrollment of this user in the database. The system operator will then have the option of configuring a few E-Plex 5800 door locks as “high assurance” doors, which will grant access only to card holders with the high assurance attribute.
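The difference between validating signed static data and the public key <-> private key challenge described above, as an added example (not Kaba's software and not code from this article). The `Card` type, the function names and the sample CHUID are hypothetical; Ed25519 from Go's standard library stands in for the card's real key type, and a single issuer signature over CHUID plus public key stands in for the signed CHUID and the certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Card is a hypothetical model of a contactless credential for this example.
type Card struct {
	CHUID []byte             // static identifier data; any reader can read and copy it
	Pub   ed25519.PublicKey  // card public key, as carried in its certificate
	Sig   []byte             // issuer signature over CHUID||Pub (signed CHUID plus certificate)
	priv  ed25519.PrivateKey // stays inside a genuine card; a copy of the static data lacks it
}

// StaticCheck verifies only issuer-signed data, which a byte-for-byte copy reproduces.
func StaticCheck(issuer ed25519.PublicKey, c *Card) bool {
	signed := append(append([]byte{}, c.CHUID...), c.Pub...)
	return ed25519.Verify(issuer, signed, c.Sig)
}

// ChallengeCheck also asks the card to sign a fresh nonce with its private key.
func ChallengeCheck(issuer ed25519.PublicKey, c *Card) bool {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return false // no randomness, no challenge: fail closed
	}
	var resp []byte
	if c.priv != nil { // signing happens inside the card; a copy has no key
		resp = ed25519.Sign(c.priv, nonce)
	}
	return StaticCheck(issuer, c) && ed25519.Verify(c.Pub, nonce, resp)
}

// Demo returns static and challenge results for a genuine card, then for its copy.
func Demo() (genStatic, genChal, copyStatic, copyChal bool) {
	ipub, ikey, err1 := ed25519.GenerateKey(rand.Reader)
	cpub, ckey, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	chuid := []byte("constructed sample CHUID")
	sig := ed25519.Sign(ikey, append(append([]byte{}, chuid...), cpub...))
	g := &Card{chuid, cpub, sig, ckey}
	cl := &Card{g.CHUID, g.Pub, g.Sig, nil} // copy carries the static data only
	return StaticCheck(ipub, g), ChallengeCheck(ipub, g), StaticCheck(ipub, cl), ChallengeCheck(ipub, cl)
}

func main() { fmt.Println(Demo()) }
```

The copy passes the static signature check because nothing in it was modified, and fails only when asked to sign the fresh nonce.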

For more information on Kaba Access Control products, contact your local locksmith distributor or visit www.kabaaccess.com.

About the Author

Tim O'Leary

Tim O'Leary is a security consultant, trainer and technician who has also been writing articles on all areas of locksmithing & physical security for many years.