Creating a Trusted Identity

When Cardkey Systems Inc. (part of the Johnson Controls group) replaced a lock and key with a card and reader more than 50 years ago, it started a continuous technology evolution in the physical access control systems (PACS) market that seems to have accelerated in recent times. Modern notions of identity — its representation and meaning — are challenging how we will think about the PACS systems of the future.

Today, helped by robust encryption technology, ubiquitous computing power and always-on, mobile intelligent devices, a new paradigm for identity management is emerging, just as internet access is becoming a necessity for the normal functioning of society.

Leading the way are government security initiatives based on Homeland Security Presidential Directive 12 (HSPD-12), which sets out how to improve the safety and security of access control. As part of these efforts, the Personal Identity Verification (PIV) card was introduced to allow — for the first time — a formal and absolute method of assigning a trusted identity to a PACS card user.

In the context of these changes, I offer a look at how PACS is developing to help commercially savvy security system designers understand what they should embrace — and what they should avoid.

The Meaning of You

Cardkey’s innovative card technology, based on magnetized barium ferrite domains embedded in a credit-card sized template, revolutionized PACS. It was followed by Wiegand wire cards, which also used magnetization to represent the data on the card.

Within the last 20 years, the contactless proximity technology first pioneered by Hughes Identification Devices (now HID Global Corporation) has become the card technology of choice, purely because of the convenience and efficiency of entering a door with a wave of a card. Current products use contactless smart cards based on the ISO/IEC 14443 and ISO/IEC 15693 standards, such as HID’s iCLASS and NXP’s MIFARE technologies.

Yes, cards and readers are still here after 50 years, but will they continue to be used in the future? Doors are not going away, and cards and readers work: they are reliable and easy to configure and install. The answer may lie in the way we treat “identity.” More to the point, perhaps, is what we actually mean by “identity.”

Googling “identity” does not help (422 million hits!). But we should have a clue — after all, we are in the PACS business, right? The reality is that none of us sit around thinking about how to define identity.

A card is printed, it is programmed with site-specific data, a photo ID is possibly added, and then it is issued to you, the employee. You and the card are one (from the PACS viewpoint). We add some clever rules about two-factor use (PIN and card), and even add your biometric template, to make sure that you are you and that no one else can use your card. These work as intended when the system designer applies risk-appropriate controls at the door, such as anti-tailgating measures or even a two-man rule. But seriously, what percentage of installations have these types of layered security controls? I think you know the answer.

But there has been considerable movement to make card issuance more rigorous, in the name of higher security. The primary driver has been the federal government, aided and abetted by the availability of technology. I am referring to the Personal Identity Verification (PIV) system promoted by the NIST Computer Security Division. In response to HSPD-12, which was issued in the aftermath of the 9/11 attacks, the government decided to outline a common control and security objective, including the personal identity proofing process for employees and contractors. This alone was an important milestone in establishing a policy for asserting an identity.

Federal Information Processing Standard (FIPS) 201 was developed to satisfy the technical requirements of HSPD-12; it was approved by the Secretary of Commerce and issued on February 25, 2005. FIPS 201, together with NIST SP 800-78 (Cryptographic Algorithms and Key Sizes for PIV), is mandatory for U.S. federal agencies. According to the latest Office of Management and Budget data, more than 4.3 million PIV credentials had been issued as of the end of 2010.
