View US Site View UK Site

Universal PIV-C Cards & Secupas™ PKI Solution

Young,Business,Man,Holding,Lock,Icon.

Universal PIV-C Cards

 
The Universal PIV-C Card is a contactless card offering:

  • PKI - for logical and physical access
  • MIFARE® DESFire® EV1 type features/compatibility
  • Prox - for compatibility with legacy physical access

This all-in-one card has a high-quality Composite PET/PVC card body, with 'bank card’ quality printing allowing for any special effects printing. Custom encoding is done to specifications.

Development & Use Cases

Currently due to the NXP® chip crisis the lead time of DESFire is set to continue until 2025 and the prices of DESFire chips are 2-3 times normal. In the past, DESFire cards were significantly less expensive than PKI capable JAVA cards. This is not the case anymore. Due to the growth of the payment card market, we expect that PKI cards will remain cost effective. Therefore there are many market segments that would benefit from considering a switch from the proprietary NXP DESFire cards to open standards PKI capable JAVA cards.

1. PIV Cards for Physical Access

In the past, integrating PKI smart cards with PACS was complex and expensive. Today many PACS readers and systems manufacturers support the US government FICAM standard for physical access out of the box. Universal Smart Cards provides PIV compatible solutions that work with these physical access solutions, including a fully FIPS140-2 certified card, as well as a cost effective PIV-C card, both ready to use for physical access.

2. Combined: Logical & Physical Access

Enterprise customers need an integrated Identity solution for both physical and logical access. As US government cyber security regulations are cascading through the supply chain, more and more companies are required to implement secure Logical Access Solutions. Why not upsell them to a complete all-in-one solution?

Universal Smart Cards provides PIV compatible solutions that work with FICAM and logical access out of the box, including a fully FIPS140-2 certified card, as well as a cost effective PIV-C card, both ready to use for logical and physical access. These cards can be provided with support for Legacy PACS credentials – such as PROX and MIFARE as well.

3. Dedicated Application Providers

Many application providers have chosen DESFire because of cost and availability along with ease of development and integration. With support for PIV cards now widely available both on PACS and Operating Systems such as Windows, Linux and Android, a PIV configured JAVA card is now a viable alternative. PIV JAVA cards are built to open standards, so there is a wide range of opensource and commercial solutions available for integration. With more than 40KB+ of available memory on even the lowest cost card, these cards make a great upgrade path from DESFire (only 8KB) are available now and at low prices.

Card Construction

piv-c-card-construction

The Universal PIV-C Card combines all the above requirements, allowing clients to:

  • Upgrade the level of security
  • Increase the functionality of the cards
  • Add custom apps and integration systems to the same cards in future
  • Keep the cost low
  • Reduce lead times for ordering and avoid chip shortage issues
  • Future-proof the credential solution
  • Combine the Logical and Physical Access solutions
  • Staged approach allows for logical access to be added in future without re-issuance of cards
  • Customize the cards and credentials to the needs and specifications of the business

 

Secupas™ PKI Solution for Physical Access

 
Almost all large Enterprises use Public Key Infrastructure technologies to secure their digital assets, and many deploy PKI cards and tokens for end user authentication. Why not use these same cards and infrastructure for physical access? One significant reason is that migrating from the existing PACS to PKI based PACS is difficult and expensive. Why is this? Current PACS systems have proprietary card technologies that require special readers. But the Access infrastructure is based on open standards. This makes it possible to migrate from one card technology to another (say from Prox to Desfire) by upgrading the readers.

Current Card Systems

The current, first generation PKI based physical access systems use the US government PIV card interface, which is an open standard. But these systems use proprietary technologies to integrate the readers with the backend systems. This requires replacement of not just the readers, but door controllers and backend systems, and often requires full replacement of the cabling. There is no incremental migration.

1st Gen PKI Card Systems

The Secupas PKI Solution does provide a migration path by keeping the existing backend in place. The Secupas solution provides true PKI between the card and the reader. But the reader can use the existing backend system and infrastructure using existing standards such as Wiegand and OSDP. This means that only the readers have to be upgraded, and this can happen incrementally, providing a seamless migration path from existing proprietary technologies to PKI.

Secupas PKI Card Solution

How It Works PKI cards contain digital certificates. These digital certificates have information about the card and/or user that can be validated by checking the digital signature on the certificate. The certificate is uniquely tied to a private key on the card. This allows an application to confirm that the certificate belongs to the card. With Secupas, the card certificate contains additional data elements called card identifiers that emulate legacy physical access card credentials. For example a 24Bit prox credential, or 7 Byte DESFire ID. These card identifiers can be defined by the customer. If an enterprise is using PROX 24 bit with a facility ID of 150, then the Enterprise can add that data to the certificate on the card, just as it configures the user’s name and ID.

Secupas-4

When the user presents the card, the reader validates the certificate and card keys, reads the legacy credential from the certificate and sends it to the backend. To the backend nothing has changed. It is still receiving the same credential type it was using before.

Secupas How It Works
 

Discover more

 
To find out more about our Universal PIV-C cards or the Secupas PKI solution, get in touch with our team of specialists and we'll be happy to help answer any questions you have.