Creating a Trusted Identity

When CardKey Systems Inc., (part of Johnson’s Controls’ Group) replaced a lock and key with a card and reader more than 50 years ago, it started a continuous technology evolution in the physical access control systems (PACS) market that seems to...

By establishing a trusted identity authority that can verify that the identity data used by cards, readers, printers, nodes, and so on, the PACS operates in a completely secure and trusted way (just like NIST intended with PIV) but without the overhead of PKI-based cryptography. And even better than PIV, with bounded systems, we can use symmetric key-pairs with both secret keys sharing the same value. Of course this idea is not new — it is practiced daily. The GSM mobile phone network uses symmetric key-pairs to authenticate the phone to the network. It is secure and works because it is a bounded system; all phones are known and their SIM cards are issued by a single central authority, which is analogous to any other PACS system.

So how can we create an analog to the GSM network?

Setting up a trusted component architecture is not trivial; it requires the investment of a secure, cryptographic vault operating under generally accepted security policies for key management, and the distribution mechanism to certify all PACS components

Recent developments by HID Global have taken precisely this approach. To simplify trusted card issuance and trusted reader points, HID set up a central Trusted Identity Platform (TIP) capability, which provides a trusted service for all card and reader key programming. All PACS components that are so-called TIP-enabled are trusted and can be used to create a completely secure infrastructure, without the need for PKI.

One Big Soup: The Universal ID

Meanwhile, the digital universe demands that we log in each time we access a portal. Cloud computing only exacerbates this need for Web identities. As we go through each day asserting our various identities to access the Web, the office, our network — is there a way we can establish a universal ID for all access functions?

Surely there must be a way to register once and be able to many sites. Fortunately, there is. The OpenID initiative ( provides such an aggregation service and is supported by the internet’s largest players. Unfortunately, however, Open ID is for personal Web use, and it is unlikely that any enterprise would allow my trusted, but personal ID to be used to access the corporate network or my office door.

The point of all of this is that ID aggregation must evolve to be able to link different systems together via your universal ID. The ultimate goal is to bring together multiple identity systems into one — truly a many-to-many relationship model. Until that time comes, when my personal cryptographic assertion is accepted by everyone, PACS and LACS users and designers who want the benefits of trusted identity will have to rely on the current, limited range of options.

One option today is by using products and components that operate under the Trusted Identity Platform umbrella. These will ultimately allow security designers to develop fully trusted systems that use symmetric key cryptography, without PKI levels of complexity.


Tam Hulusi is the senior vice president responsible for innovation and intellectual property for HID Global. In this role, he is responsible for expanding the value of HID’s worldwide technology assets for customers and partners by optimizing the value-added component of current technologies, as well as leveraging his experience to bring emerging technologies to market. A graduate of Harvard Business School, Dr. Hulusi holds a Ph.D. in physics.