Access control systems using the contact smart card can be employed in high-security applications which involve large numbers of people that require significant flexibility and layering, but need only moderate throughput rates. These systems are replacing many of the key card and magnetic stripe systems due to their ease of use, security, and reliability. Homeland Security Presidential Directive 12 (HSPD-12) sets a clear goal to improve physical access control systems through the use of government-wide standards. The Federal Information Processing Standard 201 (FIPS 201) defines characteristics of an identity credential that can be interoperable government-wide. Smart cards support the implementation of these standards.
Smart cards usually look like a common credit card, although other forms are commercially available in the form of jewelry, such as a ring, pendant, or bracelet. The differences in appearance among the cards are aesthetic and are not related to the electronic features and functions available on the integrated circuits (IC) embedded in the plastic body of the cards.
The type of embedded IC determines the capabilities of a card. The two types of integrated circuits used in smart cards are microprocessor circuits and memory circuits. The capabilities of a microprocessor card are roughly equivalent to an early generation personal computer in terms of memory and processing speed; however, these capabilities are increasing with newer cards. Memory cards usually store only small amounts of data and cannot perform data manipulations or computation, or execute processes, such as a collision resolution algorithm. The card reader must apply any encryption or changes to the data on a memory card. There are several memory configurations available, which allow certain sections of the onboard memory to be write-protected or reserved.
To operate a contact smart card system, a user must insert a card into a reader. The card reader provides power to the card, which causes the card to initialize. Depending on the type of card system, after initialization, the card can provide stored digital files such as biometric templates or encryption keys, or perform algorithmic functions that have been defined by the security application programmers. Regardless of the system architecture, the card reader authenticates the card and then sends a message to the access control panel to open the entry point. A multitude of card readers are commercially available. Contact smart card readers often have built-in numeric keypads for entering PINs and provisions for connecting biometric devices for two-factor authentication.
The mode of operation of the contact smart card provides some advantages to its use versus other access control technologies. First, because contact smart cards must be inserted into and withdrawn from a reader, the system throughput tends to be lower than for other smart card systems. Fumbling with the card and a delay during the initialization when the card comes into contact with the reader contribute to the lower throughput. Such a delay can be an advantage, because it provides the time required for touch-based and scan-based biometric authentication systems to work.
Contact smart cards are suited for indoor, medium throughput access control systems where system flexibility is important. They are often used in high-security facilities and can handle large numbers of users.
Contact smart cards tend to be unsuitable for exterior applications because of the effects of weather on the contact points of the reader. Contact smart cards can be used for both physical and logical access control, as well as for tracking employee time and attendance. The overall value of the system can be increased by supporting other applications from the smart card platform. Besides providing secure identification and authentication, smart cards can be used as personal or organizational data holders and fiscal or accounting tools.
As a digital data storage device, the contact smart card has many potential applications. But when used specifically for access control, microprocessor smart cards offer many important advantages. The processor in the card enables the system manager to store the applications and computer programs on the card along with the data; magnetic stripe systems do not store enough information to have this capability. The advantage is that the applications and programs can be specifically tailored for the user’s access control requirements and can be changed as the need arises. For example, if a biometric system is used for authentication, managing several thousand templates using the facility’s central database and network can become an enormous task.
Template management coupled with the multiple vulnerabilities associated with computer networking can disable the facility’s security program. Alternatively, the biometric template can be stored on the user’s smart card so that the template is always available when the card is presented to a reader. If the authentication algorithm is also stored on the card, then the card reader only needs to make the card run its own authentication program. The card responds after verifying the biometric, which is stored and processed on the card. The biometric template itself is more accessible and has a higher degree of security because the only time it is present in the facility’s system is during enrollment.
Performance depends on the specific technologies and applications used. The International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 7816 provides physical standards for contact smart cards, describing the size of the card, contact locations, electrical characteristics, and data transmission protocols. Proprietary cards and systems exist, particularly with memory-only card systems. The transaction speed of contact smart cards increases with higher processor speeds. Data collisions cannot occur because two cards cannot occupy the reader at the same time.
Smart card systems that place authentication algorithms and templates on the cards and do not maintain online databases of this information are intrinsically more secure than systems that maintain online template databases. The only time a person’s template may be in the central network might be during enrollment for systems using card-based templates. Online template databases have some vulnerability to hacking.
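The card-side verification described above, modelled as an ISO/IEC 7816-4 VERIFY command/response exchange between reader and card. This is an added illustration, not code from the handbook: the card object is a constructed model that keeps the reference PIN and retry counter on the card and answers only with status words, so the secret never crosses the contact interface; the INS value 0x20 and the status words 0x9000, 0x63CX and 0x6983 are the standard's own.

```python
import hmac

# Real ISO/IEC 7816-4 values: VERIFY instruction and common status words.
INS_VERIFY = 0x20
SW_OK = 0x9000            # verification succeeded
SW_BLOCKED = 0x6983       # reference data blocked: retry counter exhausted
SW_INS_UNSUPPORTED = 0x6D00

def build_apdu(cla, ins, p1, p2, data=b""):
    """Encode a short case-3 command APDU: CLA INS P1 P2 Lc Data."""
    if len(data) > 255:
        raise ValueError("short APDU carries at most 255 data bytes")
    return bytes([cla, ins, p1, p2, len(data)]) + data

def parse_apdu(raw):
    """Split a short command APDU into (cla, ins, p1, p2, data)."""
    if len(raw) < 4:
        raise ValueError("APDU header needs four bytes")
    cla, ins, p1, p2 = raw[:4]
    data = raw[5:] if len(raw) > 4 else b""
    if len(raw) > 4 and len(data) != raw[4]:
        raise ValueError("Lc field does not match data length")
    return cla, ins, p1, p2, data

class SimulatedCard:
    """Constructed card model: the reference PIN and retry counter never leave it."""
    def __init__(self, pin, max_tries=3):
        self._pin, self._max, self._tries = pin, max_tries, max_tries

    def process(self, raw):
        _cla, ins, _p1, _p2, data = parse_apdu(raw)
        if ins != INS_VERIFY:
            return SW_INS_UNSUPPORTED
        if self._tries == 0:
            return SW_BLOCKED              # stays blocked even for the right PIN
        if hmac.compare_digest(data, self._pin):   # constant-time comparison
            self._tries = self._max
            return SW_OK
        self._tries -= 1
        return 0x63C0 | self._tries        # 63 CX: failed, X tries remain

def reader_verify(card, pin):
    """Reader role: send VERIFY (P2=0x80, card-specific reference) and decode SW."""
    sw = card.process(build_apdu(0x00, INS_VERIFY, 0x00, 0x80, pin))
    if sw == SW_OK:
        return True, None
    if (sw & 0xFFF0) == 0x63C0:
        return False, sw & 0x0F            # remaining attempts from the status word
    return False, 0                        # blocked or error: nothing left to try
```

The reader learns only pass/fail and the remaining try count; the PIN, template or key used for the comparison stays inside the card, which is the property the handbook credits to card-based templates.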
There are a number of published procedures that detail methods to compromise the data on cards. Methods include dismounting the chip and using microscopic electrical probes to record the actions of the microprocessor; selectively erasing parts of the card’s operating system to bypass or break encryption schemes; and operating the card outside of temperature, supply voltage, or external clock speed parameters to cause a software fault and generate a memory data dump.
Normally, such assaults are cost prohibitive because the potential value of breaking the card is much less than the time invested. Tamper detection and protection are important issues and should be discussed with the card system vendor.
Punching holes in the card to attach a lanyard or a key chain can sever portions of the card’s electronics and ruin it. Strong magnetic fields can scramble or erase the memory on some cards.
Card holders should be instructed on the proper care of the card to reduce the incidence of these problems.
Overall, the vulnerability associated with the loss of a contact smart card or a compromise of a PIN or password is less than that of many other systems. If the card is regularly used for entry, then a lost card will be promptly reported and can be quickly invalidated. Two-factor authentication makes personal information on a card more secure than information obtained from a stolen wallet or purse. The information is even more secure if the card has tamper-resistant features in the circuitry or encryption. Finally, re-issuing a card is relatively simple, particularly if the issuing authority maintains an archive of card data.
- Access Control Technologies Handbook