Bridging Legacy Systems
Agencies issuing PIV cards will quickly face a challenge: their current physical access control system (PACS) is unable to correctly read and validate the personalized PIV cards. Performing this function requires the PACS to be capable of reading and processing the 200-plus-bit card holder unique identifier (CHUID) on the card. This is an impossible task for legacy PACS, which typically process 26-41 bits of card information. There is a solution to this dilemma.
A smart terminal is a biometric terminal with a contactless smart card reader capable of both reading and processing the CHUID. To process the CHUID, the terminal firmware must be able to:
- separate, or parse, the CHUID into its key components. These key components, or data elements, known as the FASC-N, are comprised of the Facility Code, Agency Code, System Code, Credential Number and the expiration date of the card;
- validate the data elements to make sure they have been digitally signed by an authorized source; and
- confirm the card has not expired.
Processing the CHUID is a significant task for a front-end reader. There are currently no certified readers capable of processing the CHUID listed on the GSA FIPS 201 Approved Products List. There are 60 PIV smart card readers currently certified by the FIPS 201 GSA Evaluation Program Lab and listed on the GSA Approved Products List under the category of Transparent Reader.
A transparent reader simply sends the CHUID to the back-end physical access control system (PACS) panel. It does not validate or process the CHUID; the expectation is that the PACS control panel will perform this function. Unfortunately, except in rare instances, legacy PACS control panels are unable to do this, lacking both the processing capability and the ability to accept the 200-plus-bit CHUID.
An additional challenge is funding. Most agencies do not have the budget to replace their existing PACS to meet FIPS 201/PIV requirements. The solution to this problem is to use smart front-end terminals capable of processing and validating the integrity of the CHUID data, together with a software bridge that provides communication the legacy PACS control panel understands.
The combination of these two solutions wraps an intelligent authentication layer around the legacy PACS, thus making it FIPS 201-compliant. The bridge, acting as a translator, takes the CHUID that has been processed and verified by the smart terminal and transforms it into the corresponding Wiegand signal. (The accompanying diagram depicts how the bridge works.)
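The parsing and bridging steps described above, as an added example that is not part of the article or of any vendor's product: it decodes a constructed FASC-N, enforces the per-character parity and the LRC, and maps the verified fields onto a 26-bit Wiegand frame. The FASC-N bit layout follows the published PIV/TWIC format; the field-to-Wiegand mapping and the helper names are assumptions chosen for illustration.

```python
from functools import reduce

# Added example, not from the article or any vendor product. FASC-N layout per the
# published PIV/TWIC format: 40 characters x 5 bits, each character = 4 data bits
# sent LSB first plus one odd-parity bit. The Wiegand mapping is an assumption.
SS, FS, ES = 0xB, 0xD, 0xF  # start sentinel, field separator, end sentinel

def _char(v):
    """5-bit character for a 4-bit value: data LSB first, then odd parity."""
    bits = [(v >> i) & 1 for i in range(4)]
    return "".join(map(str, bits)) + str(1 - sum(bits) % 2)

def encode_fascn(agency, system, cred, pi="0000000000", oi="0000"):
    """Constructed sample FASC-N from digit strings (CS, ICI, OC, POA fixed to 1)."""
    vals = ([SS] + [int(d) for d in agency] + [FS] + [int(d) for d in system]
            + [FS] + [int(d) for d in cred] + [FS, 1, FS, 1, FS]
            + [int(d) for d in pi] + [1] + [int(d) for d in oi] + [1, ES])
    lrc = reduce(lambda a, b: a ^ b, vals)  # LRC = XOR of nibbles SS through ES
    return "".join(_char(v) for v in vals + [lrc])  # 40 chars = 200 bits

def parse_fascn(bits):
    """Return FASC-N fields as digit strings; raise ValueError if malformed."""
    if len(bits) != 200:
        raise ValueError("FASC-N must be exactly 200 bits")
    vals = []
    for i in range(0, 200, 5):
        c = bits[i:i + 5]
        if c.count("1") % 2 == 0:  # each character must carry odd parity
            raise ValueError(f"parity error in character {i // 5}")
        vals.append(int(c[3::-1], 2))  # data bits arrived LSB first
    lrc = reduce(lambda a, b: a ^ b, vals[:39])
    if vals[0] != SS or vals[38] != ES or vals[39] != lrc:
        raise ValueError("bad sentinel or LRC")
    if any(vals[i] != FS for i in (5, 10, 17, 19, 21)):
        raise ValueError("field separator out of place")
    fields = {"agency": (1, 5), "system": (6, 10), "credential": (11, 17), "pi": (22, 32)}
    if any(v > 9 for a, b in fields.values() for v in vals[a:b]):
        raise ValueError("non-digit in numeric field")
    return {k: "".join(str(v) for v in vals[a:b]) for k, (a, b) in fields.items()}

def wiegand26(fields):
    """Assumed mapping: facility = system code mod 256, card = credential mod 65536."""
    # Truncation lets distinct credentials collide, so a bridge should only emit a
    # frame for a FASC-N whose CHUID signature the smart terminal already verified.
    fc, cn = int(fields["system"]) % 256, int(fields["credential"]) % 65536
    data = f"{fc:08b}{cn:016b}"
    p1 = str(data[:12].count("1") % 2)      # even parity over first 12 data bits
    p2 = str(1 - data[12:].count("1") % 2)  # odd parity over last 12 data bits
    return p1 + data + p2
```

The collision caveat is why the bridge must sit behind a terminal that has already checked the CHUID signature: the 26-bit frame alone cannot distinguish two credentials that differ only in their high digits.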
With the current technology gap, the risk of chaos is imminent for agencies charged with implementing FIPS 201 PIV cards in their existing access control environment. Many solutions, especially from a fiscal standpoint, are simply not practical. Smart terminals and a bridge provide these secure facilities with one solution.
About the Author
With 30 years’ operational and management experience in security systems, Consuelo Bangs is currently spearheading the definition and certification of Sagem Morpho products to meet HSPD-12 and TWIC requirements.