Showing posts with label HID Proximity. Show all posts

Saturday, May 5, 2018

Smart Card Standards

Smart cards have the further advantage over magnetic stripe cards of being reloadable and of allowing advanced features such as phone banking, automatic memory dialing and on-line services; they also serve as the identification device in GSM digital mobile phones. Smart card standards primarily govern the physical properties, communication characteristics and application identifiers of the embedded chip and its data. Almost all of them refer to ISO/IEC 7816 parts 1, 2 and 3 as a base reference.
International Organization for Standardization (ISO)
The ISO facilitates the creation of voluntary standards through a process that is open to all parties. ISO/IEC 7816 is the international standard for integrated-circuit cards (commonly known as smart cards) that use electrical contacts on the card; its companion ISO/IEC 14443 covers cards that communicate with readers and terminals without contacts, over a radio-frequency (RF/contactless) interface. Anyone interested in obtaining a technical understanding of smart cards needs to become familiar with what ISO/IEC 7816 and 14443 do NOT cover as well as what they do. Copies of these standards can be purchased through the American National Standards Institute (ANSI) or directly from the ISO website.
Application-specific properties are being debated with many large organizations and groups proposing their standards. Open system card interoperability should apply at several levels:
1). To the card itself,
2). The card's access terminals (readers),
3). The networks and
4). The card issuers' own systems.
Open system card interoperability will only be achieved by conformance to international standards.
This site's sponsors are committed to compliance with ISO and ITSEC security standards as well as industry initiatives such as EMV, MULTOS, GlobalPlatform, the OpenCard Framework and the PC/SC specifications.
The following standards, and the organizations that maintain them, are the most prevalent in the smart card industry.
ISO/IEC is one of the worldwide standard-setting bodies for technology, including plastic cards. The primary standards for smart cards are ISO/IEC 7816, ISO/IEC 14443, ISO/IEC 15693 and ISO/IEC 7501.
ISO/IEC 7816
ISO/IEC 7816 is a multi-part international standard broken into fourteen parts. ISO/IEC 7816 Parts 1, 2 and 3 deal only with contact smart cards and define the various aspects of the card and its interfaces, including the card’s physical dimensions, the electrical interface and the communications protocols. ISO/IEC 7816 Parts 4, 5, 6, 8, 9, 11, 13 and 15 are relevant to all types of smart cards (contact as well as contactless). They define the card logical structure (files and data elements), various commands used by the application programming interface for basic use, application management, biometric verification, cryptographic services and application naming. ISO/IEC 7816 Part 10 is used by memory cards for applications such as pre-paid telephone cards or vending machines. ISO/IEC 7816 Part 7 defines a secure relational database approach for smart cards based on the SQL interfaces (SCQL).
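As an added example (my code, not text from the page or from any of the standards bodies it lists), here is a small Python parser for the short-form command and response APDUs defined in ISO/IEC 7816-4, the command interface that parts 4 and later build on. It distinguishes the four command cases (header only; header plus Le; header plus Lc and data; header plus Lc, data and Le) and decodes the two-byte status word of a response. The sample SELECT command uses the well-known Visa AID A0000000031010 purely as sample data, the VERIFY PIN block is constructed, and the status-word table is abridged to common values; extended-length APDUs are deliberately rejected rather than parsed.

```python
"""Parse ISO/IEC 7816-4 command and response APDUs (short-length form).

Added example, not taken from the page: covers the four command cases and
status-word interpretation for responses. Extended-length APDUs (Lc = 0x00
followed by two more bytes) are rejected rather than parsed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class CommandAPDU:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes            # empty for case 1 and case 2
    le: Optional[int]      # None when absent; a short Le of 0x00 means 256

    @property
    def case(self) -> int:
        """ISO 7816-4 case number: 1 = no data/no Le, 2 = Le only, 3 = data only, 4 = data + Le."""
        return 1 + (2 if self.data else 0) + (1 if self.le is not None else 0)


def parse_command(apdu: bytes) -> CommandAPDU:
    if len(apdu) < 4:
        raise ValueError("command APDU needs at least the 4-byte header CLA INS P1 P2")
    cla, ins, p1, p2 = apdu[0], apdu[1], apdu[2], apdu[3]
    body = apdu[4:]
    if not body:                                   # case 1: header only
        return CommandAPDU(cla, ins, p1, p2, b"", None)
    if len(body) == 1:                             # case 2: Le only
        return CommandAPDU(cla, ins, p1, p2, b"", body[0] or 256)
    lc = body[0]
    if lc == 0:
        raise ValueError("Lc of 0x00 starts an extended-length APDU, not handled here")
    data = bytes(body[1:1 + lc])
    if len(data) != lc:
        raise ValueError(f"Lc says {lc} data bytes but only {len(data)} present")
    rest = body[1 + lc:]
    if not rest:                                   # case 3: data, no Le
        return CommandAPDU(cla, ins, p1, p2, data, None)
    if len(rest) == 1:                             # case 4: data and Le
        return CommandAPDU(cla, ins, p1, p2, data, rest[0] or 256)
    raise ValueError(f"{len(rest) - 1} unexpected byte(s) after Le")


# Abridged table of common SW1 SW2 values (assumption: only the ones needed here).
STATUS_WORDS = {
    0x9000: "normal processing",
    0x6A82: "file or application not found",
    0x6982: "security status not satisfied",
    0x6983: "authentication method blocked",
    0x6A86: "incorrect parameters P1-P2",
    0x6D00: "instruction code not supported",
    0x6E00: "class not supported",
}


def parse_response(resp: bytes) -> Tuple[bytes, int, str]:
    """Split a response APDU into (data, SW1SW2, human-readable description)."""
    if len(resp) < 2:
        raise ValueError("response APDU must end with SW1 SW2")
    sw = (resp[-2] << 8) | resp[-1]
    if (sw & 0xFFF0) == 0x63C0:                    # 63Cx: verification failed, x tries left
        desc = f"verification failed, {sw & 0x0F} tries remaining"
    elif (sw & 0xFF00) == 0x6100:                  # 61xx: more data available via GET RESPONSE
        desc = f"{resp[-1] or 256} more response bytes available (use GET RESPONSE)"
    else:
        desc = STATUS_WORDS.get(sw, "unknown status word")
    return bytes(resp[:-2]), sw, desc


if __name__ == "__main__":
    # SELECT by AID (case 4) with the Visa AID as sample data; VERIFY (case 3) with a constructed PIN block.
    select = parse_command(bytes.fromhex("00A4040007A000000003101000"))
    print(select, "case", select.case)
    verify = parse_command(bytes.fromhex("00200080081234FFFFFFFFFFFF"))
    print(verify, "case", verify.case)
    for sw in ("9000", "63C2", "6A82"):
        print(sw, parse_response(bytes.fromhex(sw)))
```

The parser treats a truncated data field as an error instead of silently accepting a short APDU, which is the check a reader-side or middleware implementation should make before forwarding anything to the card.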
ISO/IEC 14443
ISO/IEC 14443 is an international standard that defines the interfaces to a "close proximity" contactless smart card, including the radio frequency (RF) interface, the electrical interface, and the communications and anti-collision protocols. ISO/IEC 14443 compliant cards operate at 13.56 MHz and have an operational range of up to 10 centimeters (3.94 inches). ISO/IEC 14443 is the primary contactless smart card standard being used for transit, financial, and access control applications. It is also used in electronic passports and in the FIPS 201 PIV card.
ISO/IEC 15693
ISO/IEC 15693 describes standards for "vicinity" cards. Specifically, it establishes standards for the physical characteristics, radio frequency power and signal interface, and anti-collision and transmission protocol for vicinity cards that operate to a maximum of 1 meter (approximately 3.3 feet).
ISO/IEC 7501 describes standards for machine-readable travel documents and has made a clear recommendation on smart card topology.
International Civil Aviation Organization (ICAO)
ICAO issues guidance on the standardization and specifications for Machine Readable Travel Documents (MRTD) such as passports, visas, and travel documents. ICAO has published the specification for electronic passports using a contactless smart chip to securely store traveler data.
Federal Information Processing Standards (FIPS)
FIPS are developed by the Computer Security Division within the National Institute of Standards and Technology (NIST) and are designed to protect federal assets, including computer and telecommunications systems. The following FIPS publications apply to smart card technology; they cover digital signature standards, the Advanced Encryption Standard, and security requirements for cryptographic modules.
FIPS 140 (1-3)
The security requirements contained in FIPS 140 (1-3) pertain to areas related to the secure design and implementation of a cryptographic module, specifically: cryptographic module specification; cryptographic module ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks.
FIPS 201
FIPS 201 (Personal Identity Verification, PIV) covers all aspects of the multifunction cards used in identity management systems throughout the U.S. federal government.
Europay, MasterCard, and Visa (EMV)
Europay, MasterCard and Visa formed EMVCo, LLC and created the "Integrated Circuit Card Specifications for Payment Systems". These specifications build on ISO/IEC 7816 and create a common technical basis for card and terminal implementations of chip-based payment transactions. The Integrated Circuit Card Specifications for Payment Systems can be obtained from a Visa, MasterCard or Europay member bank.
PC/SC
A globally implemented standard for cards and readers is the PC/SC specification. It targets CPU (microprocessor) contact cards; version 2.0 also dictates PIN-pad-to-card communications. Apple, Oracle (Sun), Linux and Microsoft all support this standard.
Microsoft has built PC/SC into its smart card services as a framework that supports many security mechanisms for cards and systems, and PC/SC is now a fairly common middleware interface for PC logon applications. The standard is a highly abstracted set of middleware components that cover the most common reader-card interactions.
Comité Européen de Normalisation (CEN) and European Telecommunications Standards Institute (ETSI)
CEN and ETSI focus on telecommunications, as with the GSM SIM for cellular telephones (GSM 11.11 and ETSI 300 045). CEN can be contacted at Rue de Stassart 36, B-1050 Brussels, Belgium, attention Central Secretariat.
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA adopts national standards for implementing a secure electronic health transaction system in the U.S. Example transactions affected by this include claims, enrollment, eligibility, payment and coordination of benefits. Smart cards are governed by the requirements of HIPAA pertaining to data security and patient privacy.
IC Communications Standards
The IC Communications Standards existed for non-volatile memories before the chips were adopted for smart card use. This specifically applies to the I2C and SPI EEPROM interfaces.
Global System for Mobile Communication (GSM)
The GSM standard is dominant in the cell phone industry and uses smart cards called Subscriber Identity Modules (SIMs), which hold the information needed to authenticate a GSM-compliant mobile phone to the network, allowing the phone to receive service whenever it is within coverage of a suitable network. The standard is managed by the European Telecommunications Standards Institute (ETSI). The two most common specifications for the cards themselves are GSM 11.11 (the SIM-ME interface) and GSM 11.14 (the SIM Application Toolkit).
OpenCard™ Framework
The OpenCard™ Framework is an obsolete standard. The following data is for informative purposes only.
The OpenCard framework was a set of guidelines announced by IBM, Netscape, NCI and Sun Microsystems for integrating smart cards with network computers. The guidelines were based on open standards and provided an architecture and a set of application programming interfaces (APIs) that enabled application developers and service providers to build and deploy smart card solutions on any OpenCard-compliant network computer. Through the use of a smart card, an OpenCard-compliant system was meant to give access to personalized data and services from any network computer and to dynamically download from the Internet all device drivers necessary to communicate with the smart card. By providing a high-level interface that could support multiple smart card types, the OpenCard Framework was intended to enable vendor-independent card interoperability. The system incorporated Public Key Cryptography Standard (PKCS) #11 and was supposed to be expandable to include other public key mechanisms.
GlobalPlatform (GP)
GlobalPlatform is an international, non-profit association. Its mission is to establish, maintain and drive adoption of standards to enable an open and interoperable infrastructure for smart cards, devices and systems that simplifies and accelerates development, deployment and management of applications across industries. The GP standard has been adopted by virtually all the banks worldwide for JavaCard®-based loading of cryptographic data. The standard establishes mechanisms and policies that enable secure channel communications with a credential.
Common Criteria (CC)
Common Criteria is an internationally approved security evaluation framework providing a clear and reliable evaluation of the security capabilities of IT products, including secure ICs, smart card operating systems, and application software. CC provides an independent assessment of a product's ability to meet security standards. Security-conscious customers, such as national governments, are increasingly requiring CC certification in making purchasing decisions. Since the requirements for certification are clearly established, vendors can target very specific security needs while providing broad product offerings.
Smart Card Links

ACT Canada – Advanced Card Technology Association of Canada.
EuroSmart – European Smart Card Association. Great resource.
JavaCard Forum – Promotes Java for multiple-application smart cards. 
MULTOS – First open, Multiple-application OS for highest security. 
MUSCLE – Smart cards in a Linux environment. PCSC lite.
HID Global– OMNIKEY Smart card reader and chipset manufacturer, maker of HID Prox and iCLASS cards 
PACSprobe – Software to read PACS data (card number, facility code, ...)
PCSC Workgroup – Standard for integrating smart cards and smart card readers.
Smart Card Alliance – Promotes smart card technology.

Biometric Standards
Many new secure ID system implementations are using both biometrics and smart cards to improve the security and privacy of an ID system.
ANSI-INCITS 358-2002
ANSI-INCITS 358-2002, BioAPI Specification (ISO/IEC 19784-1). BioAPI is intended to provide a high-level generic biometric authentication model, one suited for any form of biometric technology. It covers the basic functions of enrollment, verification and identification, and includes a database interface to allow a biometric service provider (BSP) to manage the technology device and identification population for optimum performance. It also provides primitives that allow the application to separately manage the capture of samples on a client workstation and the enrollment, verification and identification functions on a server. The BioAPI framework has been ported to Win32, Linux, UNIX and WinCE. Note that BioAPI is not optimal for a microcontroller environment such as might be embedded within a door access control reader unit or within a smart card processor; BioAPI is more suitable when a general-purpose computer is available.
ANSI-INCITS 398
ANSI-INCITS 398, Common Biometric Exchange Formats Framework (CBEFF) - (ISO/IEC 19785-1). The Common Biometric Exchange Formats Framework (CBEFF) describes a set of data elements necessary to support biometric technologies and exchange data in a common way. These data can be placed in a single file used to exchange biometric information between different system components or between systems. The result promotes interoperability of biometric-based application programs and systems developed by different vendors by allowing biometric data interchange. This specification is a revised (and augmented) version of the original CBEFF, the Common Biometric Exchange File Format, originally published as NISTIR 6529.
ANSI-INCITS
ANSI-INCITS Biometric Data Format Interchange Standards. ANSI-INCITS has created a series of standards specifying the interchange format for the exchange of biometric data. These standards specify a data record interchange format for storing, recording, and transmitting the information from a biometric sample within a CBEFF data structure. The ANSI-INCITS published data interchange standards are shown below. There are ISO equivalents to each standard listed here.
ANSI-INCITS 377-2004
Finger Pattern Based Interchange Format
ANSI-INCITS 378-2004
Finger Minutiae Format for Data Interchange
ANSI-INCITS 379-2004
Iris Interchange Format
ANSI-INCITS 381-2004
Finger Image Based Interchange Format
ANSI-INCITS 385-2004
Face Recognition Format for Data Interchange
ANSI-INCITS 395-2005
Signature/Sign Image Based Interchange Format
ANSI-INCITS 396-2004
Hand Geometry Interchange Format
ISO/IEC 19794

ISO/IEC 19794 series on biometric data interchange formats. Part 1 is the framework, Part 2 defines the finger minutiae data, Part 3 defines the finger pattern spectral data, Part 4 defines the finger image data, Part 5 defines the face image data, Part 6 defines the iris image data and, still in development at the time of writing, Part 7 will define the signature/sign time series data, Part 8 will define the finger pattern skeletal data and Part 9 will define the vascular image data.

Friday, August 5, 2016

Facility Code or Site Code

What is a Facility Code ?
There are many different proximity card formats, but the proximity cards that we sell are encoded with the "Standard" 26-bit Wiegand format (HID's H10301). Like other proximity and RFID cards, an HID card is simply an ID card that uses proximity technology in its everyday functions; HID cards, as well as other types of RFID cards and smart cards, are popular for access control and for other uses such as public transportation and employee ID. The 26-bit format actually contains two sets of numbers:
  •         A 3-digit "facility code" (8 bits; the encoded value can range from 0 to 255, and cards are normally issued with codes 1-255)
  •         A 5-digit "card number" (16 bits; the encoded value can range from 0 to 65,535, and cards are normally issued starting at 1)

Most HID proximity cards and key fobs have the 5-digit card number printed on the card. The 3-digit facility code, however, is printed only on the box in which your cards are shipped.
Gate Keeper can be configured to interpret the Wiegand data as either a 16-bit number or a 24-bit number. The 16-bit number contains only the 5-digit card number. The 24-bit number contains the facility code and the card number, displayed as a single 8-digit string. For example, if the facility code for a card is "123" and the card number is "56789", the 24-bit (8-digit) number read from the card will be "12356789". Note that this is the two decimal fields concatenated, not the value of the 24 data bits taken as one integer (123 x 65,536 + 56,789 = 8,117,717); check which convention your controller uses before importing card lists from another system.
A Facility Code is a number encoded on access cards that is intended to represent a specific protected facility or building. Not all card formats support a Facility Code, but the most common card data format in use today does: the industry's original open (i.e. non-proprietary) 26-bit format. The 26-bit format has two data fields, a Facility Code (8 bits) and a Card Number (16 bits), plus two parity bits (8 + 16 + 2 = 26); thus the Facility Code can be any number between 0 and 255, and the Card Number any number between 0 and 65,535.
With only 65,536 card numbers available across the cards of all customers using the 26-bit format, duplicate card numbers are inevitable; therefore, the first purpose of the Facility Code was to let customers in close proximity to each other differentiate their set of cards from another customer's cards. Ideally, each manufacturer would try to manage the facility codes it issued to the various customers in a given area to minimize the occurrence of duplicates. A card with a Facility Code not matching those configured for a specific customer is denied access, typically generating an "Access Denied – Wrong Facility Code" message.
The 26-bit Wiegand format is the industry standard. Card manufacturers such as HID, Indala and AWID sell cards in this format to any dealer, and it is recognized by virtually all access control hardware.

Over the years, formats with a higher number of bits (33, 37, 48, 50) have been added, mainly to enlarge the ID space and reduce the chance that two sites hold overlapping card numbers. A wider format does not by itself make a credential harder to copy: the number is still sent in the clear from reader to controller over the Wiegand wiring, so format width should not be mistaken for card authentication.


However, some of the higher-bit formats are "proprietary" and usually carry a higher price tag. One exception is HID's 37-bit format, priced similarly to a 26-bit card.


As an example, if Company A has cards numbered from 1 to 1000, with facility code 230, they would be programmed as follows:

230 - 00001

230 - 00002
230 - 00003 .......up to 230 - 01000

Company B could have the same serial numbers, but with facility code 180, and their cards would be:
180 - 00001
180 - 00002
180 - 00003........up to 180 - 01000

To grant access, an access control system validates the facility code AND the card number. Company A will reject Company B cards, and vice versa, even when they carry the same card number, because the facility code does not match.
The HID 37-bit Wiegand format with Facility Code is H10304. The format consists of 2 parity bits, a 16-bit Facility Code and a 19-bit Cardholder ID field, laid out as follows (bit 1 is the first bit sent; each line is 37 characters wide):
PFFFFFFFFFFFFFFFFCCCCCCCCCCCCCCCCCCCP
EXXXXXXXXXXXXXXXXXX..................
..................XXXXXXXXXXXXXXXXXXO
P = Parity
E = Even parity bit (bit 1), computed over the 18 bits marked X on its line (bits 2-19)
O = Odd parity bit (bit 37), computed over the 18 bits marked X on its line (bits 19-36)
X = Parity mask (the bits covered by that parity bit)
F = Facility Code, range = 0 to 65,535
C = Cardholder ID, range = 0 to 524,287
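As an added worked example (this is my code, not from the original post or from HID), the following Python encodes and decodes both the 26-bit H10301 layout described earlier (8-bit facility code, 16-bit card number, leading even-parity bit over data bits 2-13, trailing odd-parity bit over bits 14-25, which is HID's published layout) and the 37-bit H10304 layout above, and implements the controller-side check that validates the facility code AND the card number. The Company A / Company B numbers are the ones from the post; the `combined_id` helper shows the integer value of the packed fields as opposed to the decimal concatenation some controllers display.

```python
"""Encode, decode and authorize HID-style Wiegand card data.

Added example (not part of the original post): implements the open 26-bit
H10301 format and the 37-bit H10304 format, including both parity bits,
plus a controller check that validates facility code AND card number.
"""
from dataclasses import dataclass
from typing import Set, Tuple


@dataclass(frozen=True)
class WiegandFormat:
    name: str
    fc_bits: int                 # facility code width
    cn_bits: int                 # card number width
    even_span: Tuple[int, int]   # (first bit, length), 1-indexed, covered by the leading even-parity bit
    odd_span: Tuple[int, int]    # (first bit, length), 1-indexed, covered by the trailing odd-parity bit

    @property
    def total_bits(self) -> int:
        return 1 + self.fc_bits + self.cn_bits + 1


# Leading bit: even parity over the first half of the data; trailing bit: odd parity over the second half.
H10301 = WiegandFormat("H10301 (26-bit)", 8, 16, even_span=(2, 12), odd_span=(14, 12))
H10304 = WiegandFormat("H10304 (37-bit)", 16, 19, even_span=(2, 18), odd_span=(19, 18))


def _parity(bits, span) -> int:
    """Parity (0 or 1) of the ones inside a 1-indexed (first, length) span of the frame."""
    first, length = span
    return sum(bits[first - 1:first - 1 + length]) % 2


def encode(fmt: WiegandFormat, facility_code: int, card_number: int) -> str:
    """Return the frame as a '0'/'1' string, first bit on the wire first."""
    if not 0 <= facility_code < (1 << fmt.fc_bits):
        raise ValueError(f"facility code out of range for {fmt.name}")
    if not 0 <= card_number < (1 << fmt.cn_bits):
        raise ValueError(f"card number out of range for {fmt.name}")
    data = f"{facility_code:0{fmt.fc_bits}b}{card_number:0{fmt.cn_bits}b}"
    bits = [0] + [int(b) for b in data] + [0]
    bits[0] = _parity(bits, fmt.even_span)        # even: ones in span + this bit must be even
    bits[-1] = 1 - _parity(bits, fmt.odd_span)    # odd: ones in span + this bit must be odd
    return "".join(map(str, bits))


def decode(fmt: WiegandFormat, frame: str) -> Tuple[int, int]:
    """Check length and both parity bits, then return (facility_code, card_number)."""
    if len(frame) != fmt.total_bits or set(frame) - {"0", "1"}:
        raise ValueError(f"not a {fmt.total_bits}-bit frame")
    bits = [int(b) for b in frame]
    if bits[0] != _parity(bits, fmt.even_span):
        raise ValueError("even parity error")
    if bits[-1] != 1 - _parity(bits, fmt.odd_span):
        raise ValueError("odd parity error")
    fc = int(frame[1:1 + fmt.fc_bits], 2)
    cn = int(frame[1 + fmt.fc_bits:-1], 2)
    return fc, cn


def combined_id(fmt: WiegandFormat, facility_code: int, card_number: int) -> int:
    """Facility code and card number packed as one integer (24 bits for the 26-bit format)."""
    return (facility_code << fmt.cn_bits) | card_number


def authorize(fmt: WiegandFormat, frame: str, site_codes: Set[int],
              enrolled: Set[Tuple[int, int]]) -> str:
    """Controller-side decision: parity first, then facility code, then card number."""
    try:
        fc, cn = decode(fmt, frame)
    except ValueError as err:
        return f"Access Denied - {err}"
    if fc not in site_codes:
        return "Access Denied - Wrong Facility Code"
    if (fc, cn) not in enrolled:
        return "Access Denied - Card Not Enrolled"
    return "Access Granted"


if __name__ == "__main__":
    # Company A from the post: facility code 230, cards 1..1000; Company B uses facility code 180.
    company_a_codes = {230}
    company_a_cards = {(230, n) for n in range(1, 1001)}
    for fc, cn in [(230, 1), (180, 1), (230, 1001)]:
        frame = encode(H10301, fc, cn)
        print(f"{fc:3d}-{cn:05d} {frame} -> {authorize(H10301, frame, company_a_codes, company_a_cards)}")
    frame37 = encode(H10304, 230, 1)
    print(H10304.name, frame37, decode(H10304, frame37))
```

Because `authorize` rejects a frame with a bad parity bit before it looks at the facility code, a noisy reader line shows up as a parity denial in the log rather than as a spurious "wrong facility code", which is the distinction you want when troubleshooting a door.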


HID recently announced that the standard format for their Corporate 1000 proximity cards has changed from a 35 bit card format to a new 48 bit card format.

Originally, all Corporate 1000 format cards offered the 35 bit structure (“Corporate 1000 – 35”). The Program’s success created the need for a new format (“Corporate 1000 – 48”).  The larger 48 bit structure change allows for an increased number of individual cards numbers available, from just over 1,000,000 individual card numbers per format for Corporate 1000 – 35 to over 8,000,000 individual card numbers for the new Corporate 1000 – 48 format.
IMPORTANT NOTE: Prox cards are custom programmed with the facility code and start numbers requested by you. For this reason it is important to have the correct numbers at the time an order is placed.

Wednesday, May 21, 2014

Accepting Real-World Access Control Challenge

I write about change quite a bit because I am fascinated with all of the various elements that make change both interesting and dreaded by most people. To write about a subject, many writers research the subject matter they are tackling. I do this too, but I prefer hands-on experience. Reality changes in a hurry in our business world. What can this principle teach us in the world of convergence security technology?
Plenty, if it means you have the responsibility of delivering sustainable security solutions your customers count on every day. So let’s use a real-life example to more closely examine the tactical side of security. The challenge was to design, sell, install and commission a replacement of a 30-year-old+ mag stripe electronic access control system with a new IP-based system. Now, for plenty of you this challenge is a walk in the park, part of your everyday security business life. For others, it is not — including yours truly. Yes, I have security system integrator experience with a large company and founded an IP video integration company, but it’s been a few years since I strapped on a 33-inch tool belt. Wisdom and waist size have both grown a bit over the years, but that didn’t stop me. I was up to the challenge and charged forward.
Changing the Mindset on Decades-Old Ways
What I know about security technology from an application and elemental building blocks perspective is much different than putting the IP system puzzle pieces together onsite at 5:30 a.m. because the customer opens for business at 11 a.m. Ladders are unsightly, liability increases and the business operations are impacted — not to mention dropping fiberglass from the ceiling tiles into someone’s glass of beer.
The pressure of doing an IP installation properly in the correct sequence, and coordinating other contractors and supplier support while wrestling with old technology, is as close to “ground truth” as you can expect in the civilian world. Schedules and timing are important when you cut over an access control system. The old system has to continue operating while a new system is readied to take over the workload on a very specific date (no pressure here to get it right!). Now add to this the expectation of your customer for a significant operational improvement and you are involved with a bare-knuckle fight with change. Did I mention that I love a good challenge with change?

Here’s how this installation tale began. An acquaintance is a controller for a chapter of a large, well-known fraternal organization that has thousands of chapters worldwide. And he is not just any controller ... he was recognized nationally in 2012 as the best in the country, a guy who knows a thing or two about business and return on investment. He knew I worked in the security field so we started talking about the mechanics and costs of membership-based organizations that restrict/permit access based on bylaws and being current with their dues. Now add some size to this challenge. This particular chapter has approximately 800 male and female members, each with separate requirements.
So how were they managing access privileges? Every year the chapter needed to order new magstripe cards for all its members. This is an old credentials technology, so you can understand some of the cost factors. These credentials had to be replaced every year when membership dues were due. To this cost add the management time for physically handing over a new credential once dues were paid. This process has obviously worked for 30+ years, but what would the future look like for 30-year-old+ magstripe readers and 24VAC electric strikes? How long would they last? Could they even be repaired? How long could they disrupt operations if they did fail? Perhaps it is time to consider a change in electronic access control technology and upgrade the system.
Analyze Your Recommended Technology Applications to Ensure They Are Appropriate
I initially recommended a biometric solution since it would entirely eliminate the cost and management of card credentials. I like cool technology that is affordable and reliable (and I just wrote about this technology a few months ago, noting that it is an obvious solution to recommend).
But not so fast — remember, blindly recommending the application of technology can be dangerous, as well as narrow-minded and myopic. Does this sound like anyone you know or work with perhaps? We all are guilty of sticking with a “true blue” product or supplier because it is the path of least resistance. Guilty as charged.
How can you avoid the automatic product choices in your comfort zone? Ask the right questions. While biometric fingerprint technology is affordable and reliable, it isn’t a panacea. There is a large percentage of chapter membership groups that evolved in the late 1950s, and using new technology can be intimidating and less effective with their older members. Consider the lifetime use of older members’ hands and the gradual deterioration of their skin.
Biometric fingerprint technology has come a long way in the past five years but still has its limitations. What about facial recognition biometrics? Yes, the technology does work better in this application, but consider the perception of the older members and their comfort level of using card credentials for the past 30+ years vs. presenting their face to a reader or camera … it might feel a bit Orwellian, no?
Applying new technology and, more importantly, the right technology means asking your prospect/customer the right questions then considering the impact of change your solution delivers.
In this particular installation challenge, what was the best choice? An RFID credential solution made the most sense from a cost, application and functionality perspective. With several good choices for reliable IP access control systems I chose a new supplier, breaking out of my comfort zone, that I had done some consulting with to test my thinking.
I started by asking the appropriate questions to ensure the technology would fit the application. For example, how simple would it be to manage from a customer’s perspective? How cost effective would it be now and in the future? Once I got the answers I needed, it was time to kick the tires and light the fires.
The hardware and software components were fairly straightforward and not overly complex to process. Actually they were quite simple, and who doesn’t love simple? The documentation gets a C+ in my book and has room for improvement.
The supplier’s customer support in the field at crunch time — you know, when the customer is looking over your shoulder — was an A. The price vs. value delivery was in the A+ range, allowing me to provide additional spare parts and lots of extra credentials, which all IP systems you sell should absolutely have. This will ensure that any future service or maintenance will be fast, which is especially pertinent for electronic access control installations. What other challenges should you consider?
Thanks to Mr. Paul Boucherle for help.