Smart Card Access Control Systems

Smart card-based access control for physical and logical access: PACS, PIV, FIDO2, and converged credential architectures.



Physical Access Control Systems (PACS) using smart cards have largely replaced proximity cards and magnetic stripes in enterprise, government, and critical infrastructure deployments. Modern PACS combine ISO 14443 contactless smart cards, cryptographically authenticated readers, and centralised policy enforcement — providing audit trails and mutual authentication that legacy systems cannot match.

PACS Architecture

Card ←── ISO 14443 / OSDP ──► Reader ←── RS-485 / IP ──► Controller ──► Server
 │                              │                              │               │
[credential]              [crypto verify]            [policy decision]  [audit log]

The reader stores no credentials; it relays the challenge-response exchange to the controller, which evaluates the access rules. A compromised reader therefore cannot replay a valid credential indefinitely.

Major Credential Technologies

| Technology | Standard | Security Level | Notes |
| --- | --- | --- | --- |
| 125 kHz Prox (HID) | HID Prox | Minimal | No crypto; replay-attackable |
| MIFARE Classic | Proprietary | Low | CRYPTO1 cipher broken since 2008 |
| MIFARE DESFire EV1 | ISO 14443-4 | Medium | AES-128, diversified keys |
| MIFARE DESFire EV3 | ISO 14443-4 | High | AES-256, proximity check, SUN messages |
| HID SEOS | OSDP v2 / iCLASS | High | PKI-based, cloud provisioning |
| PIV / CAC | FIPS 201 | Very high | RSA/ECC certificates, biometric optional |
| LEAF (BLE) | BLE + AES | Medium–High | Mobile credential, NFC/BLE tap |

DESFire EV3's SUN (Secure Unique NFC Message) feature broadcasts a signed, counter-protected message each tap — even without a connected reader, the card proves its identity cryptographically.

OSDP — Open Supervised Device Protocol

OSDP v2 (IEC 60839-11-5) is the modern reader-to-controller protocol, replacing the legacy Wiegand interface that transmitted card IDs in cleartext with no authentication.

Key OSDP features:

  • Secure Channel (SCP): AES-128 encrypted and authenticated channel between reader and controller, using SCP03-derived key establishment.
  • Bidirectional communication: the controller can send LED/buzzer commands to the reader; the reader sends card events and tamper alarms.
  • Reader tampering detection: OSDP monitors cable continuity; a cut wire triggers an alarm rather than silently failing open (as Wiegand does).

OSDP Message Format:
SOM  │ ADDR │ LEN  │ CTRL │ DATA (encrypted) │ MAC (4 bytes) │ CRC
0x53 │ 1B   │ 2B   │ 1B   │ variable         │               │ 2B
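An added example, written for this page and not taken from the original or from any OSDP implementation: it builds and validates the plaintext frame layout shown above in Go, extended with the CMD byte that sits between CTRL and DATA in the actual protocol, and assumes OSDP's CRC-16 parameters (polynomial 0x1021, initial value 0x1D0F, little-endian in the frame). Frames flagged as carrying a Secure Channel Block (the encrypted DATA plus MAC variant the table shows) are rejected rather than decoded.

```go
package main

import "errors"

const osdpSOM = 0x53   // start-of-message marker
const ctrlCRC16 = 0x04 // CTRL bit 2: packet ends with a CRC-16 rather than an 8-bit checksum
const ctrlSCB = 0x08   // CTRL bit 3: a Secure Channel Block follows (encrypted payload + MAC)

// Packet holds the fields of an unsecured OSDP frame (no SCB, no MAC).
type Packet struct {
	Addr byte   // peripheral address; bit 7 set marks a reply from the reader
	Seq  byte   // CTRL bits 0-1, sequence number 0-3
	Cmd  byte   // command or reply code (e.g. osdp_POLL = 0x60, osdp_ACK = 0x40)
	Data []byte
}

// crc16 is OSDP's CRC-16 (assumed parameters: polynomial 0x1021, init 0x1D0F, no reflection).
func crc16(b []byte) uint16 {
	crc := uint16(0x1D0F)
	for _, c := range b {
		crc ^= uint16(c) << 8
		for i := 0; i < 8; i++ {
			if crc&0x8000 != 0 { crc = crc<<1 ^ 0x1021 } else { crc <<= 1 }
		}
	}
	return crc
}

// Marshal builds SOM|ADDR|LEN|CTRL|CMD|DATA|CRC; LEN is little-endian and counts the whole frame.
func (p Packet) Marshal() []byte {
	n := 6 + len(p.Data) + 2
	f := []byte{osdpSOM, p.Addr, byte(n), byte(n >> 8), ctrlCRC16 | p.Seq&0x03, p.Cmd}
	f = append(f, p.Data...)
	c := crc16(f)
	return append(f, byte(c), byte(c>>8))
}

// Parse checks SOM, LEN and CRC before trusting any field, the way a controller should.
func Parse(f []byte) (Packet, error) {
	if len(f) < 8 || f[0] != osdpSOM { return Packet{}, errors.New("short frame or bad SOM") }
	n := int(f[2]) | int(f[3])<<8
	if n != len(f) { return Packet{}, errors.New("LEN does not match frame size") }
	if f[4]&ctrlCRC16 == 0 || f[4]&ctrlSCB != 0 { return Packet{}, errors.New("only plaintext CRC-16 frames handled") }
	if crc16(f[:n-2]) != uint16(f[n-2])|uint16(f[n-1])<<8 { return Packet{}, errors.New("CRC mismatch") }
	return Packet{Addr: f[1], Seq: f[4] & 0x03, Cmd: f[5], Data: append([]byte{}, f[6:n-2]...)}, nil
}
```

A captured frame whose CRC fails, or whose LEN disagrees with the bytes received, is the signal a controller should log as a wiring or tamper event rather than silently discard.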

HID SEOS

HID SEOS uses a secure element architecture with PKI-backed credentials. The SEOS container stores:

| Container | Contents |
| --- | --- |
| Primary SEOS Credential | ADF, access rights, cardholder ID |
| Certificate Container | X.509 certificate for reader mutual auth |
| Biometric Container | Optional biometric template reference |

SEOS supports cloud provisioning via HID Origo — credentials are issued over the air to NFC-capable smartphones or physical cards, eliminating the need for physical card personalisation at a central facility.

PIV for PACS

Federal agencies use PIV cards with PACS readers via the "PKI-AUTH" pathway defined in FIPS 201-3:

Reader reads PIV Authentication Cert → Controller sends challenge →
Card signs with PIV Auth Key (slot 9A) → Controller verifies sig
against CHUID → Access granted/denied

The PIV Authentication certificate (slot 9A) does not require PIN for contactless access by default, making turnstile throughput practical. High-security zones can require PIN or biometric via PIV slot 9B (Card Management Key) challenge.

Deployment Considerations

  • Key diversification: Use site-unique diversification of DESFire keys derived from a master key using CMAC(masterKey, UID || siteCode). Compromising one card does not expose all credentials.
  • Anti-passback: Log entry/exit to prevent tailgating; flag credentials after a second entry without an intervening exit.
  • Certificate revocation: Maintain OCSP responders or CRL distribution points for PIV deployments; revoke promptly when a card is lost.
  • Reader firmware: Apply OSDP reader firmware updates regularly; CVEs exist for several major brands' Wiegand-to-OSDP bridge implementations.

