printer friendly version

iCLASS SE implementation and migration

HID Global’s iCLASS SE access control platform goes beyond the traditional smartcard model to implement a portable credential methodology based on the company’s secure, standards-based, technology-independent and flexible SIO data structure. HID Global’s iCLASS SE reader and credential family is designed to raise the bar for overall system security while supporting key emerging technologies and delivering superior performance, enhanced usability and increased environmental sustainability.

iCLASS SE readers and credentials are the first access control products to operate under the company’s Trusted Identity Platform (TIP) framework, which creates a secure and trusted boundary within which all cryptographic keys governing system security can be delivered with end-to-end privacy and integrity.

Moving to portable SIOs within a trusted boundary

In 2010, HID Global took the first step toward a new generation of contactless smartcard and reader technology with the introduction of its TIP framework, which improves security while enabling the migration of physical access control technology beyond traditional cards and readers into a new world of mobile credentials and remote identity management. TIP-enabled devices, otherwise referred to as TIP Nodes, provide interoperability and portability of secure identity within a trusted boundary.

TIP provides the framework and delivery infrastructure to extend the traditional card and reader model with a new secure, open and independent SIO data-structure on the credential side, and corresponding SIO interpreters on the reader side. SIOs and SIO interpreters perform similar functions to traditional cards and readers, only using a significantly more secure, flexible and extensible data structure.

From cards to SIOs

An SIO is a standards-based, device-independent data object that can exist on any number of identity devices, including HID’s iCLASS SE credentials. SIOs deliver three key benefits: portability, security and flexibility.

Firstly, SIOs can reside within any TIP Node, or any location where the SIO will be generated and interpreted by TIP Nodes. Thus, not only can SIOs reside on HID’s iCLASS SE credentials, they also are portable and can reside on other memory cards containing other card technology, microprocessor-based cards like SmartMX, smartphones with NFC capabilities, computer disk drives, and many other formats. This means that solutions can be developed that operate on multiple device types with varying security capabilities. The same object stored on one device can later be ported to another device with ease, and without strict constraints.

Secondly, device-independent SIOs deliver trust-based security. This security protects objects created and bound to one device from being copied to another device, thus protecting sites against cloned card attacks.

Thirdly, SIOs deliver extensibility because they are defined using open standards including Abstract Syntax Notification One (ASN.1, a joint ISO/IEC and ITU-T standard). This data definition allows for an infinitely extensible object definition. The definition can support any piece of data, including data for access control, biometrics, vending, time-and-attendance, and many other applications. Unlike many other fixed-field structures used in today’s access control card and reader systems, SIO and associated interpreters continue to grow in security capabilities while traditional architectures remain stagnant, stuck in a fixed definition. Extensibility brings significant value to the developer community that utilises the technology. Since the interpreter takes care of mapping data to supported devices, all the developer has to focus on is generating and transacting (reading/writing) secure objects. The days of the vending machine developer having to learn about intricate credential-technology sector terminology and key rules is over.

iCLASS SE platform overview

The first endpoints to be based on the Secure Identity Object platform are HID Global’s iCLASS SE family of readers and credentials. The family includes:

* iCLASS SE credentials.

* iCLASS SE and multiCLASS SE readers.

* iCLASS SE Reader Programming Cards (for field configuration and upgrade options).

iCLASS SE implementation overview

Implementing next-generation access control capabilities is a very straightforward process with the iCLASS SE platform:

* Readers are technology-agnostic and designed to simplify migration to the next-generation iCLASS SE platform based on SIO technology.

* Customers now can order a single reader that will accommodate technology needs both today and tomorrow.

* Users can optionally follow a migration strategy to SIO technology that simultaneously enables interoperability between both SIO- and non-SIO-based credentials.

* For optimum security, users can completely transition to the new SIO data structure.

* Cards are delivered with pre-provisioned SIOs.

* Simplifies deployment.

* Users have multiple reader-to-panel communication options.

* RS-485 OSDP, CANBUS Hi-O, and Wiegand for legacy control panel compatibility.

* Reader and credential upgrade options don’t require a physical change to the device.

* Interpreter packages that support specific card technologies can be applied in the field and after the initial installation.

* Cryptographic operation changes or upgrades can be applied to both readers and credentials after the initial installation and card deployment.

* Customers optionally can manage their own cards and credential keys.

iCLASS SE features and benefits

Based on HID Global’s flagship smartcard and reader technology, HID Global’s iCLASS SE platform features deliver trusted security, sustainability, improved performance and usability, and an open system environment that simplifies the development of both traditional and mobile access control solutions.

Trusted and secure

* Multi-layered security. Ensures data authenticity and privacy through the multi-layered security of HID’s SIO.

* Out-of-box SIO compatibility. Ensures highest level of protection.

* Trusted Identity Platform (TIP) node. Provides trusted identity within a secure ecosystem of interoperable products.

* EAL5+ certified secure element hardware. Provides tamper-proof protection of keys and cryptographic operations.

* SIO data binding. Inhibits data cloning by binding an object to a specific credential.

* Expanded iCLASS Elite Programme. Extends private security by protecting uniquely keyed credentials, SIOs and programming update keys.

* Velocity checking. Provides breach resistance against electronic attacks.

* Active tamper. Protects against physical tampering of the reader.

Sustainable

* Software defined radio (SDR) technology. Enables reading multiple types of Prox (125 kHz), including HID and Indala simultaneously enabling SKU reduction.

* Intelligent power management (IPM). Reduces reader power consumption by as much as 75% compared to standard operating mode.

* Recycled content. Contributes toward building LEED credits.

* Wiegand-compatible interface. Provides connection to existing panels without the need to swap out back-end systems.

Improved usability/performance

* SIO media mapping. Simplifies deployment of third-part objects to multiple types of credentials.

* Multi-mode frequency prioritisation. Increases transaction performance and improves card management.

* Combined bi-directional host communication and 125 kHz support. Simplifies the reader portfolio offering and expands the use of Prox and higher security connections.

* New models. RP10 and RP30 provide multiCLASS functionality in new form factors, creating more flexible installation options.

* Flexible hardware connection. Pigtail or terminal strip connections are included on all reader models.

* Field programmable readers. Provide secure upgrades for migration and extended lifecycle.

* RGB LEDs. Delivers increasing capability to notify users and trouble-shooters regarding system state.

* Reader/card anti-passback user notification. Provides clear feedback to the user while assisting trouble-shooters.

* Read progress notification using LEDs. Provides clear feedback to the user about new credentials entering the market that require more lead time (eg, FIPS 201-compatible credentials).

Open System Environment

* Near Field Communication (NFC) card emulation. Enables migration to HID access control on mobile devices.

* SIO portability. Provides technology independence and portability to other smart card technologies.

* Licensable SIO generators and interpreters. Provide an expansive ecosystem through SDKs and embedded products.

* Upgradeable hardware connection. Allows all Wiegand-based communication readers to later expand communication capabilities to OSDP, Hi-O and other bi-directional communication protocols.

Conclusion

HID Global’s next-generation access control card and reader platform provides a generational step function in security, usability and performance, and environmental sustainability. The platform introduces a new portable credential methodology based on a standards-based, technology independent and highly flexible SIO identity data structure. HID Global’s iCLASS SE reader family uses this identity data structure to significantly improve overall system security while creating a more easily extensible access control system infrastructure that can also support a new era of more convenient mobile keys and credentials that can be embedded into phones and other portable devices.

Share this article:

Further reading: