iCLASS Credentials In Access Control

Undisclosed Integrator #1
Mar 29, 2017

Hi

Don't even know if this is allowed; if it isn't, please feel free to remove it and let me know. That is not a design question.

We have been tasked with a "difficult-to-break" access control system. We have been installing access control systems for a while now; they have been Prox 125 kHz systems. Someone in the customer's IT department asked for iClass and the owner went with it. So iClass it will be... My question about iClass credentials:

Do they come with a unique ID that is translated by the reader as a Wiegand string?

Let me make myself clear: when one buys 26-bit Wiegand Prox, you have 65,536 unique numbers (2 exp 16) available for each of the 256 facility codes (2 exp 8)... Is it the same when an iClass credential is purchased? The iClass credentials can be programmed of course, but the customer doesn't (yet) need that. Can we just purchase a bunch of iClass and be done? Are iClass, out of the box, unique without any programming, just like Prox (to a certain extent of course, if they are only 26-bit), enough for the needs, and the customer can later customize/program the iClass cards?

iClass cards, while being more secure and higher tech than Prox, seem to be at the same price and often cheaper, often more heavily discounted. Is iClass on its way out, to be replaced by a different version?

I thank the collective in advance.

 

Dan Droker
Mar 29, 2017
LONG Building Technologies • IPVMU Certified

iClass Seos is the version that will be around long term.  It is available in any of HID's formats (26 bit, 37 bit, 48 bit, etc).  If you specify the part number for pre-programmed iClass cards (like 5006PGGMN) and supply the desired format information, you will get cards that work out of the box (as long as you are using compatible readers).

Undisclosed #2
Mar 29, 2017

Stick with iClass Seos with a 37-bit format if you can. There are billions of unique numbers, and HID has told me they will never print the same number twice, eliminating the need for facility codes.

Scott Lindley
Mar 29, 2017
Farpointe Data, Inc.

Yes, 13.56 MHz iClass credentials fall under the category of contactless smartcards. As such, standard variants do come with an ID that, when read by a contactless smartcard reader, is typically translated and then outputted by said reader to the electronic access controller as a Wiegand string.

In regards to your second question, the answer is also yes. It's my understanding that iClass cards can indeed be ordered programmed with industry standard 26-bit Wiegand format data programmed by the manufacturer in the access control application data area of the card.  In this manner the credential's data will be presented to the electronic access controller in a style identical to that of a typical 125 kHz proximity card.

Beyond frequency, contactless smartcards and proximity cards have other differences. One is that contactless smartcards often conform to international standards, such as iClass cards meeting ISO 15693, while proximity cards are often proprietary or, at best, conform to industry conventions.  This is important because it means with smartcards that the method of exchanging data between the smartcard credential and reader is standardized, and understandable to anyone with the skill who obtains the standard.  With proximity this information is typically trade secret, and is not generally available.

Also know that contactless smartcards will often store different pieces of data in different locations on the credential. One area mentioned previously is the access control application data area. This area is typically secured with keys that are normally kept secret. Another location where data is stored on the contactless smartcard is the card serial number (CSN), which acts, in a sense, as a fixed license plate for the credential. The CSN is open and visible to all smartcard readers capable of successfully exchanging data with the credential.

Finally, while the advantages and disadvantages of using the CSN in electronic access control are certainly debated, it is not uncommon to see this CSN being used as the access identifier. To meet the requirements of the electronic access controllers in use, smartcard readers may buffer or truncate the data forming the CSN, literally adding or removing bits. For example, truncating the CSN's data would allow a 64-bit CSN to appear to the electronic access controller as an industry standard 26-bit Wiegand string. Important to note here is that as the data has been truncated, the risk of duplication is increased.
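
Added example, not part of the thread: a sketch of the 26-bit Wiegand layout the original question describes (8-bit facility code, 16-bit card number, with the two parity bits of the common open 26-bit format) and of the CSN truncation described in the post above. Which CSN bits a reader keeps is an assumption here (the low 24), the CSN values are constructed, and the duplicate estimate assumes uniformly random IDs.

```python
import math

def encode_26bit(facility: int, card: int) -> int:
    """Frame layout: even parity | 8-bit facility | 16-bit card | odd parity."""
    if not (0 <= facility < 2**8 and 0 <= card < 2**16):
        raise ValueError("facility must fit in 8 bits, card number in 16")
    data = (facility << 16) | card               # the 24 data bits
    hi, lo = data >> 12, data & 0xFFF            # each parity bit covers 12 data bits
    even = bin(hi).count("1") & 1                # leading bit: first 13 bits have even weight
    odd = (bin(lo).count("1") & 1) ^ 1           # trailing bit: last 13 bits have odd weight
    return (even << 25) | (data << 1) | odd

def decode_26bit(frame: int) -> tuple[int, int]:
    """Return (facility, card); reject frames that are too long or fail parity."""
    if frame < 0 or frame >> 26:
        raise ValueError("not a 26-bit frame")
    data = (frame >> 1) & 0xFFFFFF
    facility, card = data >> 16, data & 0xFFFF
    if encode_26bit(facility, card) != frame:
        raise ValueError("parity error")
    return facility, card

def truncate_csn(csn: int) -> int:
    """Assumed reader behaviour: keep only the low 24 bits of the CSN as data."""
    low24 = csn & 0xFFFFFF
    return encode_26bit(low24 >> 16, low24 & 0xFFFF)

def collision_probability(cards: int, id_bits: int) -> float:
    """Birthday approximation: chance that at least two of `cards` random IDs match."""
    return -math.expm1(-cards * (cards - 1) / (2 * 2**id_bits))

# Constructed 64-bit CSNs that differ only in a bit the truncation discards.
CSN_A = 0xE012FFF800ABCDEF
CSN_B = 0xE012FFF801ABCDEF

if __name__ == "__main__":
    for csn in (CSN_A, CSN_B):
        frame = truncate_csn(csn)
        print(f"CSN {csn:016X} -> frame {frame:07X} -> {decode_26bit(frame)}")
    for bits in (24, 64):
        print(f"{bits}-bit IDs, 5000 cards: P(duplicate) = {collision_probability(5000, bits):.3g}")
```

Both constructed CSNs reach the controller as the same facility code and card number, which is the duplication risk the post describes.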

Undisclosed Integrator #3
Mar 29, 2017

I would also note that the standard "legacy" iClass credentials can be cracked as well if your customer is concerned with security. Google it and you'll find a number of links referring to that.

As mentioned above, iClass Seos would be the most secure HID credential available right now. MIFARE DESFire is another type of credential (and HID sells these as well) that hasn't been cracked and is considered secure.

If security is also a concern you might also want to consider the interface between the reader and the controller (Wiegand vs. OSDP). Wiegand control protocol has also been broken (though it does require physical access to the data wires, so the user either has to get in the ceiling or pop the reader off without triggering tampering mechanisms). 

Undisclosed Integrator #1
Apr 23, 2017

Wanted to thank you all. It was an education!

 

Would like to see more OSDP acceptance within the industry.

Undisclosed Integrator #3
Apr 24, 2017

100% agree. It's amazing how some of the major manufacturers don't support it yet.
