Virtual credentials

August 2012 Access Control & Identity Management

For decades, we have carried our identities around on magnetic stripe (magstripe) and smart cards, but in today’s mobile world, we now have the opportunity to embed them on a variety of portable devices. This will enable us to use products like smart phones, USB tokens, memory sticks and microprocessor-based SmartMX cards to open doors, buy tickets and execute other secure transactions. In order for this to work, however, we need a new way to securely provision identity and embed it into these portable devices.

There has been considerable news recently about mobile commerce developments, including reports that Microsoft is adding Near Field Communication (NFC) short-range wireless technology to its Windows Phone mobile operating system, and that Google, RIM and Apple are all preparing mobile payment and wallet systems. Similarly, the ISIS coalition (AT&T Mobility, T-Mobile USA and Verizon Wireless) has announced plans for the first pilot mobile commerce network using smartphone and NFC technology. Juniper Research has estimated that half a billion people worldwide will use their mobile devices as travel tickets on metros, subways and buses by 2015.

These and other initiatives will enable us to load our mobile devices with credentials that provide various levels of facility access, eliminating the need to carry a card, while making it easier for security managers to control who is entering and exiting monitored access points. It will also be possible to use these portable credentials to make other contactless transactions as well, such as cashless payment and transit ticketing, data transfers including electronic business cards, and gaining access to online digital content. Users will also be able to have multiple virtual credentials on a single device. For example, it will be possible to use a portable device to access a secure facility and also make cashless payments at the facility’s canteen.

Moving beyond the traditional smartcards

Over the last 20 years, 125 kHz RFID proximity (or Prox) cards and readers have become a de facto standard for physical access control. They offer customers the optimum in cost and convenience, but a Prox card simply transmits a fixed, unencrypted identifier that any compatible reader can capture and replay, so they are far less secure than the 13.56 MHz contactless technology that emerged in the early 2000s.

The latest 13.56 MHz read/write contactless solutions enhance security through encryption of the data stored on the card and mutual authentication between card and reader, and also support multiple applications such as biometric authentication, cashless vending and PC logon security. Contactless solutions have provided reliable service for nearly a decade while becoming the standard for efficient, secure and effective access control.

Now, the industry is developing a new access control architecture for a new era of advanced applications, mobility and heightened security threats. This architecture will enable a new class of portable identity credentials that can be securely provisioned and safely embedded into both fixed and mobile devices. This will improve security while enabling the migration of physical access control technology beyond cards and readers into a new world of configurable credentials and virtualised contactless solutions.

Managing the coming generation of portable, virtualised credentials involves a number of complex steps. In one typical example, a server would first send a person’s virtualised credential over a wireless carrier’s connection to the person’s mobile phone. To present the person’s virtualised credentials at a facility entry point, the phone is held close to an NFC-enabled secure access control reader.

Chain of trust

Throughout the process, there must be a way to ensure that the credential is valid. Both endpoints, plus all of the systems in between, must be able to trust each other. In other words, there needs to be a transparently managed chain of trust extending from one end to the other. This chain of trust requires the creation of a trusted boundary within which all cryptographic keys governing system security can be delivered with end-to-end privacy and integrity. This is the only way to ensure that all network endpoints, or nodes (such as credentials, printers, readers and NFC phones) can be validated, and all subsequent transactions between the nodes can be trusted.

One of the first such bounded environments is HID Global’s Trusted Identity Platform (TIP). At the heart of the TIP framework is the Secure Vault, which serves known nodes within a published security policy. TIP establishes a scalable framework and delivery infrastructure for delivering three core capabilities: plug-and-play secure channels between hardware and software; key management and secure provisioning processes; and integration with information technology infrastructures. The environment can also support multiple usage models such as cloud-based applications that require service delivery across the Internet without compromising security.

With the establishment of a trusted boundary, it now becomes possible to deploy a new generation of readers and credentials that enable the use of portable virtual credentials on mobile devices, while also providing advanced security and performance functionality. This next-generation platform must go beyond the traditional smart card model to introduce a new, portable credential methodology based on a secure, standards-based, technology-independent and flexible identity data structure. HID Global calls this data structure the Secure Identity Object (SIO), which can exist on any number of identity devices and works with a companion SIO interpreter on the reader side.

Device-independent data objects and their companion interpreters behave like traditional cards and readers, but use a significantly more secure, flexible and extensible data structure. They offer three key benefits. First, because they are portable, they can reside on traditional contactless credentials and on many different mobile formats, ensuring interoperability and easy migration. Second, device independence lets the object act as a data wrapper around the credential data, adding its own layer of key diversification, authentication and encryption on top of whatever the carrier chip provides, so an attacker who defeats the chip's native security still has to defeat the wrapper. Third, because they use open standards, these device-independent identity objects improve flexibility and can grow in security capabilities, while traditional architectures remain stuck in a fixed definition.

Interoperability and migration

Next-generation readers using standards-based, device-independent data structures will enable access control solutions that can operate on multiple device types with varying security capabilities. It will be possible for an identity object stored on one device to be ported to – and interoperate with – another device, with ease and without strict constraints.

Research reported in an AVISIAN 2010 survey shows that 90% of end users believe that adding new applications with minimal investment is important; and 53% of respondents stated that they are not satisfied with the solutions to accomplish this in today’s market.

Next-generation access control readers and credentials will also provide an additional layer of security on top of device-specific security. The secure object acts as a data wrapper with its own key diversification, authentication and encryption, so the credential does not depend solely on the protection offered by the chip it happens to reside on.

The objects will be bound to specific devices by using device-unique properties, so an object copied byte-for-byte from one device onto another will not verify on the second device. 93% of end-users in the AVISIAN survey said a key requirement was having multiple layers of security on cards or credentials, especially when other applications and private data were present. 37% of industry providers said they were not satisfied with available solutions.

Additionally, next-generation readers will incorporate EAL5+ Secure Element (SE) hardware to provide tamper-resistant storage of keys and protected execution of cryptographic operations. They will also include features such as velocity checking, which limits the rate of authentication attempts a reader will accept and so resists electronic attacks that depend on large numbers of tries, and active tamper detection to protect against physical tampering with the reader.
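As an added illustration, not code or protocol from HID or from this article (HID does not publish the SIO wrapper format, and the construction below is an assumption chosen for demonstration), the following Python shows the three wrapper properties discussed above in one place: key diversification from an issuer master key and the device's unique ID, encrypt-then-MAC protection of the object, and device binding, so that the same bytes copied onto a chip with a different UID fail verification at the reader. HMAC-SHA256 in counter mode stands in for AES so that the example runs on the standard library alone; the master key, UIDs and payload are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Constructed issuer master key for the demo only. In a deployment this key
# lives in the reader's secure element and the issuer's key-management system,
# never in application code.
MASTER_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)

NONCE_LEN = 16
TAG_LEN = 16


def diversify(master_key, device_uid, purpose):
    """Per-device key = HMAC(master, purpose || UID). Compromising one device's
    key exposes neither the master key nor any other device's key."""
    return hmac.new(master_key, purpose + device_uid, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    # Counter-mode keystream built from HMAC-SHA256: a stand-in for AES so the
    # example has no dependency outside the standard library.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_sio(master_key, device_uid, payload, nonce=None):
    """Issuer side: encrypt the identity payload and authenticate it together
    with the UID of the device it is being provisioned to."""
    k_enc = diversify(master_key, device_uid, b"enc")
    k_mac = diversify(master_key, device_uid, b"mac")
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(k_enc, nonce, len(payload))))
    body = nonce + struct.pack(">H", len(ct)) + ct
    # Encrypt-then-MAC; the UID is inside the MAC input, so the same bytes on a
    # device with a different UID produce a different expected tag.
    tag = hmac.new(k_mac, device_uid + body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def unwrap_sio(master_key, device_uid, blob):
    """Reader-side interpreter. device_uid must be read from the chip itself
    (e.g. its anti-collision UID), never taken from the blob. Returns the
    payload, or None on any failure."""
    if len(blob) < NONCE_LEN + 2 + TAG_LEN:
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    k_mac = diversify(master_key, device_uid, b"mac")
    expected = hmac.new(k_mac, device_uid + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return None
    nonce = body[:NONCE_LEN]
    (length,) = struct.unpack(">H", body[NONCE_LEN:NONCE_LEN + 2])
    ct = body[NONCE_LEN + 2:]
    if len(ct) != length:
        return None
    k_enc = diversify(master_key, device_uid, b"enc")
    return bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, length)))


def demo():
    """Provision one object to device A, then present it from device B (a
    byte-for-byte clone) and with one flipped tag byte (tampering)."""
    uid_a = bytes.fromhex("04a1b2c3d4e5f6")   # constructed 7-byte UIDs
    uid_b = bytes.fromhex("04ffeeddccbbaa")
    sio = wrap_sio(MASTER_KEY, uid_a, b"facility=12;badge=4711")
    genuine = unwrap_sio(MASTER_KEY, uid_a, sio)
    cloned = unwrap_sio(MASTER_KEY, uid_b, sio)
    tampered = unwrap_sio(MASTER_KEY, uid_a, sio[:-1] + bytes([sio[-1] ^ 0x01]))
    return genuine, cloned, tampered


if __name__ == "__main__":
    print(demo())   # (b'facility=12;badge=4711', None, None)
```

Two caveats that the anti-cloning claim above depends on. The reader must obtain the UID from the chip's own anti-collision response rather than from the object, and the binding is then only as strong as the difficulty of emulating that UID on the attacker's hardware. And whoever holds the master key can mint a valid object for any UID, which is why the reader-side key must sit in the secure element described above rather than in reader firmware or a host application.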

Standards-based flexibility

The coming generation of reader platforms using device-independent data structures will also use open standards such as Abstract Syntax Notation One (ASN.1, a joint ISO/IEC and ITU-T standard), a data definition language whose encoded objects can be extended with new fields without breaking readers that only understand the old ones. This definition can carry any piece of data, including data for access control, biometrics, vending, time-and-attendance and many other applications. This will enable card and reader systems to optimise deployment flexibility and grow in security capabilities, unlike solutions with fixed-field data structures that remain stuck in a fixed definition.

Another benefit of device-independent extensibility is the flexibility it brings the developer community. The interpreter portion of the system takes care of mapping data to supported devices, which means the developer need only focus on generating and transacting (reading/writing) the secure objects. The days of the vending-machine developer having to learn intricate credential-technology sector terminology and key rules are over.
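An added example, not from the article or from HID, makes the extensibility point concrete: a minimal DER (ASN.1 X.690) encoder and parser for a hypothetical identity object. A first-generation interpreter that knows only a [0] facility code and a [1] card number still reads an object to which the issuer later appended a [5] field, recording the unknown tag rather than failing. The parser also rejects non-minimal length encodings, so that a given object has exactly one valid byte form, which is what makes DER suitable for data that is MAC'd or signed. Field numbers, tag assignments and values are constructed for the demo.

```python
# Minimal DER tag-length-value helpers, enough to encode and parse an
# extensible identity object. Only primitive context-specific [n] fields and
# non-negative INTEGERs are supported; that is all the demo needs.

SEQUENCE = 0x30
INTEGER = 0x02
CONTEXT_PRIMITIVE = 0x80   # class bits of an IMPLICIT [n] primitive tag


def der_len(n):
    """DER length: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def int_bytes(v):
    """Minimal two's-complement content octets for a non-negative INTEGER
    (a leading 0x00 is added when the top bit would otherwise be set)."""
    return v.to_bytes((v.bit_length() + 8) // 8, "big")


def parse_tlvs(buf):
    """Split a DER blob into (tag, content) pairs. Lengths that are not in
    their shortest form are rejected: DER permits only one encoding."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated header")
        tag, first = buf[i], buf[i + 1]
        i += 2
        if first < 0x80:
            n = first
        else:
            k = first & 0x7F
            if k == 0 or k > 4 or i + k > len(buf):
                raise ValueError("bad length octets")
            if buf[i] == 0:
                raise ValueError("non-minimal length (not DER)")
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
            if n < 0x80:
                raise ValueError("non-minimal length (not DER)")
        if i + n > len(buf):
            raise ValueError("truncated content")
        out.append((tag, buf[i:i + n]))
        i += n
    return out


def encode_sio(version, fields):
    """Issuer side. fields: list of (context tag number, int or bytes). New
    numbers can be appended later without redefining the SEQUENCE."""
    body = tlv(INTEGER, int_bytes(version))
    for num, val in fields:
        content = int_bytes(val) if isinstance(val, int) else val
        body += tlv(CONTEXT_PRIMITIVE | num, content)
    return tlv(SEQUENCE, body)


# What a first-generation reader knows about: [0] facility code, [1] card number.
KNOWN_FIELDS = {CONTEXT_PRIMITIVE | 0: "facility_code",
                CONTEXT_PRIMITIVE | 1: "card_number"}


def interpret_sio(blob, known=KNOWN_FIELDS):
    """Reader-side interpreter: decode the fields it knows, record (but do not
    fail on) context tags added by a later issuer, reject anything else."""
    top = parse_tlvs(blob)
    if len(top) != 1 or top[0][0] != SEQUENCE:
        raise ValueError("expected a single SEQUENCE")
    items = parse_tlvs(top[0][1])
    if not items or items[0][0] != INTEGER:
        raise ValueError("missing version")
    result = {"version": int.from_bytes(items[0][1], "big"), "ignored": []}
    for tag, content in items[1:]:
        if tag & 0xC0 != 0x80:
            raise ValueError("unexpected tag 0x%02x" % tag)
        name = known.get(tag)
        if name is None:
            result["ignored"].append(tag & 0x1F)   # extension this reader predates
        else:
            result[name] = int.from_bytes(content, "big")
    return result


def parses(blob):
    """True if the interpreter accepts the blob as well-formed DER."""
    try:
        interpret_sio(blob)
        return True
    except ValueError:
        return False


def demo():
    # A version-1 object plus a [5] field (say, a biometric template) that the
    # old reader has never heard of; all values constructed.
    blob = encode_sio(1, [(0, 12), (1, 4711), (5, b"\x01\x02\x03")])
    return blob.hex(), interpret_sio(blob)


if __name__ == "__main__":
    print(demo())
```

The same object with its outer length written as `81 0a` instead of `0a` carries identical content but is not DER, and `parses()` refuses it; a reader that accepted both forms would let an attacker present two different byte strings for one credential, which matters the moment a MAC or signature is computed over the encoding.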

Additional considerations

In addition to enabling credential portability, the coming generation of reader and card platforms will forge new territory in the area of sustainability. Intelligent power management will reduce reader power consumption by as much as 75% compared to standard operating mode, and manufacturers will move to the use of recycled content.

Next-generation reader platforms will also improve usability and performance by including features such as multi-mode frequency prioritisation, which will increase transaction performance while improving card management. These reader platforms also will include a variety of improved user notification features.

Device-independent data structures deployed on next-generation readers within a trusted boundary will enable the migration of physical access control technology beyond traditional cards into a new world of configurable credentials and virtualised contactless solutions that can be securely provisioned, no matter where they are or how they are connected. This model will also enable users to add levels of security, customise security protection, and extend system capabilities without having to overhaul the device infrastructure and applications.

Finally, this new approach will significantly improve overall system security while creating a more easily extensible access control system infrastructure that can also support a new era of more convenient, virtual credentials that can be embedded into phones and other portable devices.

For more information contact HID Global, +27 (0)82 449 9398, [email protected], www.hidglobal.com




