Trends In Access Control: SMART CREDENTIALS

In security, there are three universally recognized factors for authenticating individuals:

  • Something you know, typically a Personal Identification Number (PIN)
  • Something you have, typically a security token (encoded credential).
  • Something you are, such as a fingerprint, a retinal scan.

In electronic access control, electronics are used to authenticate the individuals authorized to enter a protected area.

When guards are used to provide manned security management, electronics may be combined with manual authentication to test a credential and visually verify identity, possibly with a Photo-ID

The more authentication used, the higher the security.

But other considerations come into play when specifying how much security is being deployed. Based on the risk assessment, the cost to deploy and maintain the system may become a factor. Guards are expensive.

Based on the risk assessment and specific application, inefficient authentication may result in throughput issues and lead to system abuses.

High technology security can malfunction and lead to low throughput.

Credentials used in access control are:

  • Magstripe: widely used but are considered too easy to clone
  • Barrium Ferrite: obsolete and even easier to clone
  • (Concealed) barcode: the easiest to clone
  • Wiegand: Encoded, still used.
  • Proximity: the most widely deployed used type of credential
  • Smart Cards: predicted to soon become the de facto standard in security credential technology.

Although the term Wiegand is often used to describe a credential or a reader, this is sometimes not referring to the card encoding and reader technology, but rather the format used to transmit the data that is read off the card by the reader back to the access controller.

The term Wiegand was originally used to refer to card reader technology which included the encoded credential, the reader and the interface (data format) between the reader and the access control electronics. 26 bit referred to the protocol of the data on the card.

Proximity credentials and readers currently hold the majority of the market share, and typically use the Wiegand interface and 26 bit encoding.

The Wiegand credential and reader once ruled as the most popular reader/credentials, and are still offered, but Wiegand readers have a big disadvantage compared to proximity. Although the Wiegand reader was totally sealed and extremely robust, performing a card read required physical contact between the reader and the credential to gain access, whereas the proximity does not. The need to manipulate the credential in the reader slowed down throughput. The proximity reader was far more convenient and reliable.

The other disadvantage was that the credentials had to be factory ordered, since they were encoded during the manufacturing process.

The evolution of the manufacturing engineering and the economies of scale (lowered cost as quantities increase) also contributed to Wiegand’s loss of market, and proximity’s gain in popularity.

The “Wiegand Effect” was invented by John R. Wiegand, and it took him 40 years to do it. It is based on the phenomenon of what occurs when specially manufactured wire passes through a magnetic field.

Unlike magstripe, where the ferrous material on the credential is magnetized with the data pattern, the Wiegand card is embedded with small wires in a specific pattern. When the card is passed through the magnetic field in the reader, measurable fluctuations in the wires embedded in the card are sensed by the reader sensor, and buffered into a Wiegand bit stream. The Wiegand Interface is a buffering circuit which generates data as “1” and “0” data pulses.

The Wiegand interface requires three conductors; DATA-1; DATA-0; and DATA RTN. Additional conductors are required if audible (beeper) and visual (LED) control on the reader is desired.

The DATA-1 and DATA-0 lines are held ‘high’ at 5 VDC, and go to ground in a pattern which represents the data on the credential. The timing of the pattern and other parameters of the data stream is generated by the Wiegand interface circuitry in the reader.

Some reader manufacturers indicate that 500-foot cable lengths between the reader and the access controller are allowable, and shielded multiconductor is specified. More conservative cable lengths are cited in access control product documentation, depending on the manufacturer. As a practical matter, if your controller is 500 feet from your door, you are going to have to deal with other performance issues besides bad card reads.

In difficult installation environments, reader performance can be enhanced by grounding the reader end of the shield. Also range extender and multiplexer modules are available for long cable runs or high noise environments which will provide good reader data transmission, and eliminate voltage drop problems.

Hardly obsolete, the Wiegand Effect is used in other technologies besides access control.

In access control 26-bit is the industry standard encoding format. It is an open format. (The use of this format is not restricted). The data encoded using 26-bit format consists of 255 possible facility codes. Within each facility code, there are 65,535 unique card numbers.

Several other Wiegand formats with higher levels of security are available to the access control industry

The use of a memorized P.I.N. (Personal Identification Number) or biometric template in conjunction with the proximity credential is referred to as multiple factor authentication and regarded as strong authentication.

The trend in credentials is towards Smart Cards which can support multi-use (access control as well as meal or bookstore transactions); utilize higher security encoding (example: DesFire) and also carry a biometric template on the card for speedy 1:1 biometric verification at the entry or point of transaction)

Schlage apti-Q

Unlike proximity cards, aptiQ smart cards from Schlage, using MIFARE DESFire EV1 technology, offer several different layers of security, including mutual authentication, which ensures that the reader and the card are allowed to talk with each other before any information is exchanged. aptiQ smart cards from Schlage also provide AES 128-bit encryption, a key encryption technique that helps protect sensitive information.

They also supply diversified keys, which virtually ensure no one can read or access the holder's credentials information without authorization. A message authentication code (MAC) further protects each transaction between the credential and the reader, ensuring complete and unmodified transfer of information, helping to protect data integrity and prevent outside attacks.

We contacted Jennifer Toscano,Ingersoll Rand Security Technologies, Portfolio Marketing Manager, Credentials, Readers, Software, and Controls, and interviewed her about this important new technology trend. Following are Ledger’s questions and Ms. Toscano’s answers.

For which markets/applications is the aptiQ intended?

Smart cards can be used in diverse applications such as access control, cashless vending, meal programs and transit applications because of their ability to read data from and write data to the card.  Smart cards also employ advanced security features that make them an ideal candidate for both high security applications and those in which important data or financial information will be transmitted.

They cover all of the applications in which proximity works plus high security applications, situations requiring data storage, where protection of high value areas or information is needed and in scenarios requiring multiple credential applications.

Is aptiQ intended for use with IR or other systems?

The aptiQ smart card is designed on an open architecture platform and can be used both in access control systems manufactured by Ingersoll Rand, as well as third party systems. 

How many different aptiQ credential types are there?

There are three basic form factors, clamshell cards, ISO Cards, and an adhesive PVC patch.  Within those three form factors, we offer 12 different types:

  • SXF8420 MIFARE DESFire EV1 16k bit Clamshell Card
  • SXF8440 MIFARE DESFire EV1 32k bit Clamshell Card
  • SXF8480 MIFARE DESFire EV1 64k bit Clamshell Card
  • SXF8520 MIFARE DESFire EV1 16k bit ISO Card
  • SXF8520M1 MIFARE DESFire EV1 16k bit ISO Magnetic Stripe Card
  • SXF8540 MIFARE DESFire EV1 32k bit ISO Card
  • SXF8540M1 MIFARE DESFire EV1 32k bit ISO Magnetic Stripe Card
  • SXF8580 MIFARE DESFire EV1 64k bit ISO Card
  • SXF8580M1 MIFARE DESFire EV1 64k bit ISO Magnetic Stripe Card
  • SXF8720 MIFARE DESFire EV1 16k bit PVC Patch
  • SXF8740 MIFARE DESFire EV1 32k bit PVC Patch
  • SXF8780 MIFARE DESFire EV1 64k bit PVC Patch

How many different aptiQ reader types are there?

The aptiQ credential can be read by the smart card readers in the Schlage and XceedID product lines.  They can also be read by select multi-technology readers from Schlage and XceedID.   Schlage AD-Series locks that include the smart card reader module or multi-technology module are also capable of reading aptiQ smart cards from Schlage.

How real a threat is proximity credential cloning in an environment where reasonable security management policy is in force?

It is very real.  All it takes to clone a card is a very inexpensive device that can be ordered over the Internet.  Nobody would know that a cloned card was being used.

Are there and industry guidelines exist relating to non-DHS sector recommended credential/reader selection based on risk-assessment?

There are many. For instance, the US DEA recently issued a new rule requiring doctors and pharmacists to use 2-factor authentication when electronically prescribing controlled substances.  The most useable combination is a smart card with a biometric.  The biometric template would be stored on the card.  The government demands that the card have a cryptographic device which the aptiQ smart card has.

Where does aptiQ fit into FIP-101/HSPD-12?

The Schlage readers that read aptiQ smart cards also read the government’s PIV cards. Utilizing smart card or multi-technology readers from Schlage would be useful for sites utilizing mixed card types. 

Although the both PIV cards and aptiQ are ISO 14443 based credentials, they are much different in terms of openness, security, and processes for issuance.  aptiQ is an open architecture contactless smart card enabling significant customization and featuring the highest levels of encryption currently available on contactless smart cards.  The PIV card is a credential used by the government.  It has an extra component, a dual interface which lets information be stored and accessed in either contactless or contact environments. 

Please (briefly) explain mutual authentication in the context of aptiQ 

Mutual authentication ensures that the reader and the card are allowed to talk with each other before any information is exchanged.

Please (briefly) explain AES 128.

In cryptography, the Advanced Encryption Standard (AES) is a symmetric-key encryption standard adopted by the U.S. government.  The AES ciphers have been analyzed extensively and are now used worldwide.  AES was announced by National Institute of Standards and Technology (NIST) as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001 after a 5-year standardization process. It became effective as a Federal government standard on May 26, 2002 after approval by the Secretary of Commerce. It is available in many different encryption packages. AES is the first publicly accessible and open cipher approved by the NSA for top secret information.

Please (briefly) explain MIFARE DESFire EV1.

One must look for the “EV1” designation to assure they have the most secure card.

A Mifare DESFire card is sold already programmed with a general purpose software (the DESFire operating system) that offers a simple directory structure with files, similar to what is typically found on smart cards.  The maximal read/write distance between the card and reader is 10 cm (4 inches), but actual distance depends on the field power generated by the reader and its antenna size.

Mifare DESFire EV1 is a new evolution of the above-described DESFire card, broadly backwards compatible.  It is available with 2KB, 4 KB and 8KB NV-Memory. Other features include:

  • Support for random ID
  • Support for 128-bit AES

Please (briefly) explain MAC (Message authentication code).

The Message authentication code (MAC) further protects each transaction between the credential and the reader.  This security features ensures complete and unmodified transfer of information, helping to protect data integrity and prevent outside attacks.

Please (briefly) explain Diversified keys.

JT: Diversified keys virtually ensure no one can read or access the holder’s credentials information without authorization.

 If it possible please compare apiQ with OneBadge.

OneBadge is an application while aptiQ is hardware.  The OneBadge applications could be loaded onto an aptiQ smart card credential.

How can an existing installation migrate up to aptiQ, and what would be the cost-benefit for such a transition?

Besides aiding implementation, multi-technology readers are available to create flexibility in the transition while allowing companies to leverage the lower cost of smart cards.

With a multi-technology reader being installed at every new door, organizations are able to flexibly plan for the future, using their present proximity cards today and migrating to smart cards when budgets and time reach their nexus.  They can upgrade on their preferred timelines, not due to the whim of technology that forces a "now or never" alternative.

Does a dealer need to meet any criteria or qualifications in order to obtain and offer aptiQ to clients?

No. They can either purchase it directly from Ingersoll Rand Security Technologies through their Schlage Electronics account or through Schlage’s extensive distribution network.