How to Select an HSPD-12 Reader
The most critical factor in successfully upgrading a PACS (physical access control system) to use HSPD-12 credentials is selecting the proper PIV, PIV-I, TWIC or CAC Reader. The first step is determining whether your building needs low assurance or high assurance. According to the latest federal guidelines,* agencies should select a PACS that does not employ PKI mechanisms only in areas with "extremely low risk".
You should also consider these factors:
Should the Reader support dual-interface (contact and contactless) operation?
Yes. The contact interface enables compliant 2-Factor authentication as specified in FIPS-201 (PIN submitted to the credential), while the contactless interface does not. The contact interface also provides redundancy when a credential's contactless antenna has failed.
Does the Reader need to operate with all Government issued CAC, PIV, PIV-I and TWIC Credentials?
Yes. Remember that HSPD-12 specifies that credentials from one agency interoperate in another agency’s facility. This interoperation eliminates the need for multiple badges.
Does the Reader need a keypad for 2-Factor authentication?
Yes. NIST standards specify that for 2-Factor authentication to be compliant, the PIN must be submitted to the Credential and not the PACS.
Should the Reader support PKI challenge-response to both the Card Authentication Key (CAK) and the PIV Authentication Key (PAK)?
Yes. If there is any possibility you will need HIGH assurance, now or in the future, you will need PKI challenge-response capability at the Reader.
Is the Reader easily flash-programmable and field-configurable?
Keep in mind that Government standards could change in the future. Be sure to future-proof your system with Readers from a provider that is fully committed to support HSPD-12.
Is the Reader a critical component in your security?
If so, you should consider the added value provided by a Reader that is securely designed and built in the USA as opposed to an off-shore Reader.
The following table provides a guide for how BridgePoint Readers fill the four levels of security authentication per Federal Government guidance. BridgePoint's White Paper, Securing Federal Facilities Utilizing the Federal Government Issued CAC and PIV Credentials, can be ordered from BridgePoint.
* As cited in “Modernizing Federal Physical Access Control Systems” published by the Federal CIO Council’s Identity, Credential and Access Management Committee.
EntryPoint™ & TrustPoint™ Application Notes
1. EntryPoint and TrustPoint Readers can be configured with Wiegand bit streams compatible with most legacy access systems from suppliers such as Lenel, General Electric, Software House, Honeywell, Quintron, AMAG, TAC-Andover and others. Contact BridgePoint with legacy system details for assistance with Wiegand format specifications.
2. EntryPoint and TrustPoint Readers interoperate with all Federal Government issued smart credentials including CAC1, CAC-NG, CAC-EP, TWIC, FRAC, PIV and PIV-I. Default Wiegand outputs are as follows:
CAC1: Least significant 56 or 64 bits of the Card Unique Identifier (CUID)
CAC-NG, CAC-EP, TWIC, FRAC, PIV and PIV-I: 14-digit (56-bit) or 16-digit (64-bit) FASC-N (Federal Agency Smart Credential Number), packed at 4 bits per digit. The 14-digit form comprises Agency Code, System Code and Credential Number; the 16-digit form adds Credential Series and Individual Credential Issue Code.
3. Minimum Wiegand Output: BridgePoint strongly recommends against using EntryPoint and TrustPoint Readers on any legacy access system that cannot perform a true match of the complete credential bit stream defined in No. 2. A PACS whose Panels cannot match the complete FASC-N (14 digits = 56 bits, or 16 digits = 64 bits) must hash down or truncate the identifier. That discards unique identity data and introduces the possibility of "collisions": two different credentials that present the same identifier to the PACS, so that the holder of one is granted whatever access was enrolled for the other. The probability is surprisingly high, because every credential in the world, not just those enrolled at your site, has some chance of matching a truncated identifier. This is a significant security risk, and NIST SP 800-116 specifically warns against deploying a PACS with this deficiency.
NOTE: The warranty on any Reader is null and void if the Reader is used on a legacy access system that does not perform a complete 64-bit match on a CAC1 credential or a complete 56-bit match on a PIV-compliant credential.
4. TrustPoint Readers support cryptographic challenge-response at the reader using RSA-1024, RSA-2048, 3-DES, AES-128, AES-256, SHA-1, SHA-2 and ECC algorithms. Challenge-response time at the Reader is typically 1 to 2 seconds depending on the individual CAC/PIV credential response and signing time.
5. All 2-Factor EntryPoint and TrustPoint Readers have the capability to be dynamically switched between 1-Factor and 2-Factor modes from the PACS if a suitable control signal can be generated by the PACS panel.
6. All 2-Factor EntryPoint and TrustPoint Readers submit the PIN to the Credential per Government guidance. The Readers can be reconfigured to submit a PIN to the system panel instead. Note that a panel PIN is required to be different from the PIN to the credential, so this configuration forces the user to remember two different PINs. This often results in PIN entry confusion, with the risk of locking the credential after repeated wrong entries, and is not recommended.
7. All EntryPoint and TrustPoint Readers are forward compatible via field flash-reprogrammable technology. Readers can be upgraded through an RS-232 serial interface or USB port on the back of the Reader. This connection can also be used for reader configuration and diagnostics.
8. EntryPoint and TrustPoint Readers include a one-year warranty (see product Warranty statement for details). BridgePoint also offers an extended warranty to cover software upgrades that may be required as a result of future changes to the CAC and PIV Credential formats.
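The following Python script is an added illustration of the identifier handling described in application notes 2 and 3 above; it is not BridgePoint code and does not model any particular PACS panel. It packs the FASC-N fields into the 56-bit and 64-bit identifiers and then models two hypothetical legacy panel behaviours, a 26-bit Wiegand panel (8-bit facility code plus 16-bit card number) and a panel that hashes the identifier down to 16 bits, to show how each produces collisions between distinct credentials. All credential values are constructed for the example; the 26-bit field mapping and the SHA-256 "hash down" are assumptions chosen to make the failure concrete, not a description of any real product.

```python
"""Added example (not BridgePoint code): why a PACS must match the full FASC-N."""
import hashlib
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class FascN:
    """FASC-N fields a PACS uses for identity, as decimal digit strings."""
    agency_code: str        # 4 digits
    system_code: str        # 4 digits
    credential_number: str  # 6 digits
    credential_series: str  # 1 digit
    issue_code: str         # 1 digit (Individual Credential Issue Code)

    def __post_init__(self) -> None:
        widths = (("agency_code", 4), ("system_code", 4), ("credential_number", 6),
                  ("credential_series", 1), ("issue_code", 1))
        for name, width in widths:
            v = getattr(self, name)
            if len(v) != width or not v.isdigit():
                raise ValueError(f"{name} must be {width} decimal digits, got {v!r}")

    def digits14(self) -> str:
        return self.agency_code + self.system_code + self.credential_number

    def digits16(self) -> str:
        return self.digits14() + self.credential_series + self.issue_code


def bcd_pack(digits: str) -> int:
    """Pack decimal digits at 4 bits each: 14 digits -> 56 bits, 16 digits -> 64 bits."""
    value = 0
    for d in digits:
        value = (value << 4) | int(d)
    return value


def wiegand_56(c: FascN) -> int:
    """56-bit FASC-N identifier (Agency Code + System Code + Credential Number)."""
    return bcd_pack(c.digits14())


def wiegand_64(c: FascN) -> int:
    """64-bit FASC-N identifier (adds Credential Series and Issue Code)."""
    return bcd_pack(c.digits16())


# --- hypothetical legacy panels that cannot store the full identifier -------
def legacy_26bit(c: FascN) -> Tuple[int, int]:
    """Assumed 26-bit Wiegand panel: 8-bit facility code + 16-bit card number.
    Truncating the 4-digit agency and 6-digit credential number loses data."""
    return int(c.agency_code) & 0xFF, int(c.credential_number) & 0xFFFF


def hashed_16bit(c: FascN) -> int:
    """Assumed panel that 'hashes down' the 56-bit identifier to 16 bits."""
    digest = hashlib.sha256(wiegand_56(c).to_bytes(7, "big")).digest()
    return int.from_bytes(digest[:2], "big")


def find_collision(creds: List[FascN], key_fn: Callable[[FascN], object]
                   ) -> Optional[Tuple[FascN, FascN]]:
    """Return the first pair of distinct credentials that key_fn maps to one key."""
    seen = {}
    for c in creds:
        k = key_fn(c)
        if k in seen and seen[k] != c:
            return seen[k], c
        seen[k] = c
    return None


def sample_population(n: int) -> List[FascN]:
    """Constructed population: one agency/system, sequential credential numbers."""
    return [FascN("0001", "0001", f"{100000 + i:06d}", "1", "1") for i in range(n)]


if __name__ == "__main__":
    # Two constructed credentials from different agencies with different numbers.
    a = FascN("0001", "0001", "100000", "1", "1")
    b = FascN("0257", "0042", "165536", "1", "1")
    print("56-bit ids differ:", wiegand_56(a) != wiegand_56(b))
    print("26-bit panel sees:", legacy_26bit(a), legacy_26bit(b))  # identical

    population = sample_population(4000)
    print("full-match collision:", find_collision(population, wiegand_56))
    print("hashed-16-bit collision:", find_collision(population, hashed_16bit))
```

With the full 56-bit match no two credentials in the population share an identifier, while the 26-bit panel cannot tell agency 0001 credential 100000 from agency 0257 credential 165536, and a 16-bit hash of a few thousand enrolled identifiers collides almost certainly by the birthday bound (4000 credentials into 65536 buckets).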