By Stephen Neff
In order to meet real operational requirements, security directors must choose a flexible and scalable technology. (Photo by LEGIC Identsystems AG)
FROM THE BARCODE TO CONTACTLESS SMART CARD
The demand for automated identification and verification of people has resulted in the development of contactless smart card technologies, which are specifically designed to allow convenient yet secure ID credentials for use in a company, campus or stadium, to name but a few applications. This journey towards contactless smart cards did not happen overnight, and in order to understand where we are today it would be wise to take a brief visit back in time.
Generally we can lump electronic ID technologies into three generations or technological waves.
The 1st wave includes Barcode, Magstripe, Wiegand and simple 125 kHz/134 kHz RFID technology. This simple read-only RFID technology was developed for use in animal identification and eventually found its way into ID badges that could be used to identify employees. Because it was contactless and eliminated many of the problems associated with magnetic 'swipe-cards', it gained wide user acceptance. However, this low frequency RFID technology (also commonly referred to as Prox), with its memory size of a few bits or bytes, was not suited for use in systems where reading and writing of the credential was needed. Also, the security level of these low frequency Prox systems was not adequate for applications where a tamperproof system was needed.
Thus the second wave of ID technologies was created to address the shortcomings of the 1st wave RFID systems. The 2nd wave can be characterized by the operating frequency of 13.56 MHz as opposed to 125 kHz. These new systems allowed higher data transmission rates, read/write capability and, in the case of LEGIC prime technology, encryption of user data. With these new technical features the first contactless smartcard technology was born. Key manufacturers included LEGIC and its Prime technology, Texas Instruments with Tagit 1 and OTI, among others. While the operating frequency was standardized, nothing else was. This had its drawback in terms of system inter-operability amongst different smartcard technology suppliers on the one hand, but on the other hand the proprietary technologies worked very reliably in the field.
Wave 3 comprises all the ISO-conformant 13.56 MHz technologies such as ISO 14443A, ISO 14443B and ISO 15693.
Of the three ISO technologies, ISO 14443A and B are considered proximity technologies, while ISO 15693 is referred to as a vicinity technology. Interestingly, the ISO 15693 standard was defined with logistics applications in mind but lends itself to person ID where longer read/write ranges are needed.
Regardless of the reading/writing range, all three ISO standards have been integrated into the term contactless smartcard technology, whereby the ability to encrypt user data is a de facto 'must' in order to qualify as a contactless smartcard technology.
With ISO 14443A and ISO 14443B technology being associated with public transport ticketing and government ID, access control manufacturers are looking more to use ISO 15693 because it offers superior read-write distances. For ISO 14443A and B for example, the read-write distance is usually less than five centimeters. For ISO 15693 though it is up to one meter.
In a nutshell the benefit of ISO 15693 is the longer read-write distances, the plus for ISO 14443A and B is that they transmit data at faster speeds.
ISO STANDARDS: INTEROPERABILITY NOT GUARANTEED
At first glance it would seem that the ISO standards imply some sort of guaranteed interoperability. Unfortunately this is not the case. All three ISO standards have nothing in common except for the operating frequency.
To make matters even worse, the only guarantee an operator may have is that an ISO 14443A reader should be able to read the chip serial number (UID) of any vendor's ISO 14443A transponder. The moment that information is stored in the memory section of the transponder, the reader must understand the memory structure of the transponder and, in the case of 'safe' transponders, the encryption algorithm. This leads to the absurd situation that the term 'ISO compliant' may mean no more than the ability to read an unencrypted UID. While this may suffice for a low security application, it is no more secure than the old 125 kHz Prox system that these technologies were designed to replace. Hence any buyer of an access control system that uses contactless smart cards should avoid systems that only use the UID of the transponder.
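The difference between a reader that trusts the UID alone and one that also requires proof of a secret stored on the card can be shown in a short simulation. This is an added example, not code from the article or from any vendor; the HMAC challenge-response, the key diversification, the key and the UID are assumptions chosen for illustration and do not represent the scheme of LEGIC or of any ISO standard.

```python
import hashlib
import hmac
import secrets

# Constructed demo values (assumptions, not from any real installation).
SITE_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
ENROLLED_UIDS = {bytes.fromhex("04a1b2c3d4e5f6")}


def diversify(master_key: bytes, uid: bytes) -> bytes:
    """Derive a per-card key so that one card's key does not expose the whole site."""
    return hmac.new(master_key, b"card-key" + uid, hashlib.sha256).digest()


class Card:
    """Simulated transponder: the UID is readable by any reader, the key stays on the card."""

    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def uid_only_check(card: Card) -> bool:
    """Weak reader: grants access on the unencrypted UID alone."""
    return card.uid in ENROLLED_UIDS


def authenticated_check(card: Card) -> bool:
    """Reader that also requires a valid response to a fresh random challenge."""
    if card.uid not in ENROLLED_UIDS:
        return False
    challenge = secrets.token_bytes(16)  # fresh per attempt, so recorded responses are useless
    card_key = diversify(SITE_MASTER_KEY, card.uid)
    expected = hmac.new(card_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, card.respond(challenge))


def demo() -> dict:
    uid = next(iter(ENROLLED_UIDS))
    issued = Card(uid, diversify(SITE_MASTER_KEY, uid))
    # A transponder presenting the same UID but lacking the site-derived key.
    same_uid_no_key = Card(uid, secrets.token_bytes(32))
    return {
        "uid_only": (uid_only_check(issued), uid_only_check(same_uid_no_key)),
        "authenticated": (authenticated_check(issued), authenticated_check(same_uid_no_key)),
    }


if __name__ == "__main__":
    print(demo())
```

The UID-only reader accepts both transponders, while the authenticated reader accepts only the issued card.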
INVESTMENT SECURITY FOR SYSTEM USERS
The good news is that after a lot of misleading marketing hype, end users and integrators of contactless smart card technologies are seeing through the technology jungle. Users and integrators are educating themselves and spending time evaluating different contactless smart card technologies to ensure investment security. When this is done, one sees that there are differences not only in the technologies but also in the suppliers' business focus, which can have a large impact on investment security.
The best approach to ensure long-term investment security is for the end user to decide on a technology supplier that meets their requirements in terms of security, multi-application features, read/write distance and the availability of a wide range of transponder memory sizes. Most important, though, is to ask: will the supplier still be around in 10 years' time? Will their new reader products still support the credentials I have issued in 10 years? These questions, when posed, make the technology choice more an issue of supplier than of ISO standard.
To illustrate this, imagine a large corporation such as BMW or Airbus with more than 100,000 credentials and thousands of readers for access control, vending and parking in operation, and the cost involved if new readers are not able to read the installed credential base. For this reason, large corporations should take a holistic approach when deciding on a contactless smart card technology platform and not just focus on memory size or which ISO standard they wish to deploy.
Contactless smart card technology can be well suited for use in systems where expandability and multi-applications are demanded. (Photo by LEGIC Identsystems AG)
STATE-OF-THE-ART CREDENTIAL AND APPLICATION CONTROL
The choice of vendors for contactless smart card technologies is wide. With the huge marketing effort being generated around RFID for logistics applications (Wal-Mart and Metro's Future store), e-passport and e-payment, it is easy to lose sight of what is available and proven as opposed to what is wishful thinking. For a security director of a company who is faced with rolling out a new company-wide credential that is more than an access card, the criteria include:
How many applications can be loaded onto the credential?
How easily can we add a new application after the credential has been rolled out?
Who can add new applications to the credential and how?
Is the technology tamperproof and secure?
Does the technology meet data protection laws and guidelines in other countries?
Will I still be able to buy credentials and readers in 10 years that are compatible with what is being rolled out today?
Does the technology allow use in offline systems such as vending machines or standalone door locks?
Are there vendors offering the applications that I need locally and abroad?
While the above list is not complete, it does illustrate that the characteristics of contactless smart card technology used in a company environment are different from those of a technology suited, for example, to logistics applications. Thus many of the RFID technologies, while purporting to be suitable for multi-application company cards, are in reality not. Unfortunately, as has been seen in many cases, the weaknesses of the system only become apparent after the credential has been deployed and in operation for a few years. The major problems that are encountered are:
New vendor applications cannot be added onto the card as there is no mechanism to allow this without recalling all the issued credentials.
Technology supplier discontinues transponders and new transponders do not function with installed reader base.
Larger memory size is to be deployed but existing reader base cannot handle the new transponder.
Vendor applications are not compatible on the same credential even if the same contactless smart card technology platform is used.
In order to meet these real operational requirements, the security director must choose a flexible and scalable technology. Contactless smart card technology can be well suited for use in systems where expandability and multi-applications are demanded. And high security and multi-applications go hand-in-hand with investment security. This is why companies such as BMW, Airbus, UBS, Volkswagen and Audi have each deployed worldwide hundreds of thousands of employee cards, each incorporating contactless smartcard technology.
WHAT IS THE TREND AND WHERE WILL IT LEAD?
Companies like the ones mentioned above are pioneers and trendsetters in terms of using these technologies to ensure a secure and at the same time cost-effective means of giving their employees an ID that allows them to use one single credential for the complete activity cycle at the office. While many corporations still believe this to be something new and untried, in reality it is 'state of the art', and LEGIC estimates that of the over 50,000 LEGIC installations worldwide more than 50% are running more than one application on the same card right from the start and another 20% add additional applications within 2 years. With this in mind, the worldwide trend to 'all-in-one-cards' will continue due to the large savings involved when only one credential has to be managed and administered as opposed to a multitude of different cards and technologies. The future for contactless smartcards therefore looks bright for users and system operators alike.
Stephen Neff is Vice President Sales & Business Development, LEGIC Identsystems AG.
©2007 www.SecurityWorldMag.com. All rights reserved.