Download PDF version Contact company
PKI is fast becoming a leading driver in controlling physical access 
 The Public Key Infrastructure is beginning to be adopted as a driver in physical access 
Traditionally associated with logical access and the digital signing of documents, Public Key Infrastructure (PKI) is now also being used to control physical access. Their use in physical access control is likely to be more prevalent with the implementation of the FIPS 201-2 recommendations this year. Derek Scheips of ASSA Abloy Future Lab explores the benefits of this key infrastructure for physical access systems.

PKI is fast becoming a leading driver in controlling physical access largely due to FIPS 201 (Federal Information Processing Standards Publication 201), US government physical-access control specifications recommending PKI at the door. Recommendations since 2005, they are expected to become mandates with FIPS 201-2 later this year.

FIPS explained

FIPS offers standards for not only what information should be stored on an ID card, but also best practices for verifying the credential is authentic and in the right person's possession, says Kevin Graebel, product manager of HID credentials at HID Global, a leading manufacturer of physical and logical access control solutions. "A digital certificate is placed on the card with the user's key information/access levels. Then the PKI process sends that information via an electronic bridge to a federal certificate authority, making sure access hasn't been revoked or information tampered with."

Benefits of PKI-based access systems

The primary benefit of a PKI-based access system is that it does not depend on a shared secret key 

PKI boils down to the use of a mathematically linked pair of keys, one designated public and the other designated private. The linkage ensures that information processed with one key can only be decoded or validated using the other key.

"The primary benefit of a PKI-based access system is that it does not depend on a shared secret key; instead it uses an asymmetric key pair," says Graebel. "In traditional access systems, the reader and the access card share a symmetric key used to authenticate each other. This requires a great deal of coordination between the cards and readers, especially when the cards may be used at more than one location. Using PKI, only the public key of the card needs to be shared, and it can easily be revoked or changed in the event of a breach. The private key is stored securely within the card."

Many advances in deploying PKIs have led to efficiency and interoperability that make it a natural choice not just for logical but also physical access control. "An organization can use a single PKI smart card, such as a PIV (Personal Identity Verification) card, for physical access to a building and to certain rooms, and for logical access to workstations, servers, VPNs, and so on," notes Dave Coombs, director of PKI Standards and Policy at Carillon Information Security, a Canadian air transport and aerospace identity management consulting firm. "This reduces the complexity of managing access control: manual provisioning or removal of access for a person in dozens of different systems is replaced with the issuance or revocation of a single credential."

Furthermore, recent interoperability advances allow one organization that accepts PIV cards to understand the identity of a visitor with a PIV card from a completely separate organization.

Many advances in deploying PKIs have led to efficiency and interoperability that make it a natural choice for not just logical but also physical access control 
 Advances in deploying PKI-based have led to interoperability that make it the natural choice for physical access control
Cost of adopting PKI

But despite PKI's promise, there can be disadvantages, including cost and speed. "At a minimum, organizations will need to create or have access to a Certification Authority to manage the generation and validation of certificates," says Graebel. Depending on how this is implemented, it may require costly rewiring and upgrading of all of their readers."

Contact versus contactless access control cards

The speed is also a bottleneck for physical access control. For durability and vandalism reasons, it is more practical to use contactless rather than contact communication between the card and the reader and then communication can take as much as 1.5 to 2 seconds. This may not seem like a long time, but when users are used to the fraction of a second read times offered by technologies like Prox or iCLASS, it can cause issues.

"One disadvantage we hear about is the perceived slowness of PKI at the door," observes Coombs. "This can be mitigated by caching revocation information or OCSP (Online Certificate Status Protocol) responses, or even by pre-validating every morning each credential that was used at that site the previous day." He predicts that in the coming years: "more and more public and private organizations will be going this route, particularly given the work being done in the US right now."

PKI development in Europe

Of course, many countries have been developing their own PKI methodologies in parallel.

 An organization can use a single PKI smart card, such as a PIV (Personal Identity Verification) card, for physical access to a building
Organizations can use a single PKI smart card for physical access to a building, and access to workstation and certain rooms
The French government issues PKI credentials to its citizens every year to file their income tax, and its General Security Framework (RGS) includes recommendations on securing large-scale IT systems using PKI. "The Belgians have done something similar with their eID card," says Coombs. "It's a PKI-enabled smart card issued to Belgian citizens to authenticate their access to government systems and programs online."

Meanwhile, the German government is leading the way in implementing the European Union directive concerning ‘qualified signature' certificates, the only kind of digital signature that carries the force of law in Europe. 

It should be noted that these European initiatives concern only logical access control to information systems, and it is still early days for PKI as a physical access control. At this point, very few public companies are choosing to use PKI for physical access control because of the newness and relative complexity, observes Graebel. "I suspect it will become more common as FIPS 201-2 is implemented and there is a wider variety of products available on the market to support it."

 Derek Scheips of Assa abloy Future LabsDerek Scheips
Freelance Writer
Assa Abloy Future Lab
Download PDF version Download PDF version

Related videos

Join The Biggest Hour For Earth

Join The Biggest Hour For Earth
Unveiling Wavestore 6.36: Elevate The Security Experience

Unveiling Wavestore 6.36: Elevate The Security Experience
Hikvision Introduces CGSA-Access Control And Functions

Hikvision Introduces CGSA-Access Control And Functions

In case you missed it

Comprehensive K12 Security
Comprehensive K12 Security

For K12 education pioneers, embarking on a journey to upgrade security controls can present a myriad of questions about finding the best-fit solutions and overcoming funding hurdle...

Choosing The Right Fingerprint Capture Technology
Choosing The Right Fingerprint Capture Technology

Choosing the appropriate fingerprint technology for a given application is dependent on factors including the required level of security and matching accuracy, the desired capabili...

How Do New Security Technologies Transform Retail And Loss Prevention?
How Do New Security Technologies Transform Retail And Loss Prevention?

When it comes to preventing theft and ensuring overall safety, technology offers a robust toolkit for retail stores to enhance security in several ways. From intelligent surveillan...

Security beat

Energetic ISC West Reflects Industry On The Cusp Of Accelerated Change

Energetic ISC West Reflects Industry On The Cusp Of Accelerated Change
View all

Round table discussions

How Can The Security Industry Contribute To Protecting The Environment?

How Can The Security Industry Contribute To Protecting The Environment?
View all

Security bytes

Getting To Know Chris Bone, CTO At ASSA ABLOY Group

Getting To Know Chris Bone, CTO At ASSA ABLOY Group
View all
Featured white papers
Multi-Residential Access Management And Security

Multi-Residential Access Management And Security

Download
Guide For HAAS: New Choice Of SMB Security System

Guide For HAAS: New Choice Of SMB Security System

Download
Precision And Intelligence: LiDAR's Role In Modern Security Ecosystems

Precision And Intelligence: LiDAR's Role In Modern Security Ecosystems

Download
Hikvision: Solar Powered Product Introduction + HCP

Hikvision: Solar Powered Product Introduction + HCP

Download
Gunshot Detection

Gunshot Detection

Download
More expert commentary
IP Network Camera Buyer’s Guide: Do’s And Don’ts

IP Network Camera Buyer’s Guide: Do’s And Don’ts
Wireless Security Systems: Time To Get Serious

Wireless Security Systems: Time To Get Serious
H.264 Video Compression Standard For Video Compression: Improvement Or Buzzword?

H.264 Video Compression Standard For Video Compression: Improvement Or Buzzword?
Featured products
Verkada TD52 Cloud-Based Video Intercom

Verkada TD52 Cloud-Based Video Intercom
exacqVision IP08-64T-R1XW-E X-Series 1U Rdnt IP NVR 64TB RAID5 Windows OS with 8 IP Ent Lic

exacqVision IP08-64T-R1XW-E X-Series 1U Rdnt IP NVR 64TB RAID5 Windows OS with 8 IP Ent Lic
Climax Technology TouchPanel-3 7” Color Graphic Touchscreen Panel

Climax Technology TouchPanel-3 7” Color Graphic Touchscreen Panel