Prox vs. iClass Explained
By: Brian Rhodes, Published on Jul 12, 2013
The differences between 'contactless' proximity credential formats are significant, yet the details are not well understood. Most access designers and users are familiar with 'Prox', but replacing it with 'iClass' has no real benefit... or does it? In this note, we contrast the Prox and iClass formats and examine the key differences between them. Should you upgrade your Prox system to iClass? We answer that question in this report.
Key Pros and Cons
The key advantages of Prox cards are:
- Low Cost: The huge number of (persistent) Prox users contributes to lower prices compared to iClass.
- "Good Enough" Security: While vulnerable to "snooping", that risk is uncommonly exploited and most users are comfortable with Prox's "security through obscurity".
By contrast, the key advantages of iClass are:
- Encrypted Security: Unlike Prox, iClass uses a two or three factor encryption of card data, and only an iClass reader can decode the string, meaning it is nearly a 'snoop-proof' credential.
- More Capacity: iClass features more bits, and subsequently more storage, than Prox. There is enough room in an iClass card to store user information for a number of different systems aside from only EAC.
Prox is (still) King
Despite heavy marketing of iClass as 'next generation proximity', the majority of all access control platforms worldwide still use 'Prox II' format credentials. In a recent IPVMU Access Fundamentals discussion, ~75% of attendees explained they use, design, or install EAC systems that use 125 kHz Prox credentials. While many designers and end users are aware of other 'contactless' credential options, many are unclear on the functional differences between the two and simply continue to use the Prox format they are familiar with.
A good part of iClass's slow uptake is a result of how closely it resembles Prox technology to the end user and casual eye. Both formats are 'contactless' credentials typically used by waving a card, fob, or token in close proximity to a reader. In this section, we look at the two aspects that are common to both formats:
- Data Format
- Read Range
Data Format: A Prox card and an iCLASS card 'look' identical to an access control system. While the data written to the credential is formatted differently on the card, the reader pushes the same Wiegand or clock and data format to the access control head end.
Read Range: From a technical perspective, iClass carries further distances than Prox; in practice, however, the ranges are very close to the same. Because so many 'contactless' credentials are passively powered by the reader, the cards must be close to the reader in order to work. This requirement limits read ranges, which are typically between 0.25" and 6.0"; however, distances between 18.0" and 24.0" are possible with active (battery powered) credentials.
However, despite the similar use pattern to end-users, there are many technical differences between the formats including:
Frequency: The single biggest difference between the two credentials is transmissive radio frequency, where Prox is low frequency at 125 kHz and iClass is high frequency at 13.56 MHz. The higher frequency offers faster transmission speeds and greater bandwidth, so more 'bits' of information can be exchanged between card and reader in a nominally shorter period of time.
With contactless credentials, a lower RF band constrains performance. 125 kHz is roughly 100X lower in frequency than 13.56 MHz, and the tolerance to wait for a credential to scan at a locked door is seconds. Anything longer results in a high level of impatience by users, so Prox credentials are limited in the volume of information they exchange. As a result, the maximum number of bits for Prox is typically 64 and commonly 26 bits, well beneath the 128 bit, 256 bit or greater encryptions afforded by the iClass category.
The higher frequency also occupies a less 'noisy' radio band. In some environments, especially industrial, sources like VFDs can generate sufficient interference to prevent 125 kHz readers from being reliable. Higher frequency iClass typically resolves these problems.
Encryption: With the improvements in bandwidth and speed, iClass offers encryption against 'man-in-the-middle' attacks brought about by snooping unencrypted 125 kHz credentials. HID offers this explanation in their iClass product catalog:
"The communication between an iClass reader and card is encrypted using an algorithm. The transaction between the card and reader cannot be “sniffed” and replayed to a reader. The encryption protocol uses unique 64-bit card serial numbers and mutual card and reader authentication. (or, keys only known to the card/reader)"
A simplified overview of the two formats is shown below. With Prox, all transmission is unencrypted. However, with iClass, all transmission is encrypted and can only be decrypted in the reader once a specific 'key' is shared by the credential:
Also, this image from a hacker's conference shows the 'handshaking' between iClass credential and reader:
The comparison between "keys" (part of the "signature" in the chart above) is a process not possible with Prox. iClass therefore attempts to mitigate the 'snooping risk', although several sources claim to have exploited iClass using modified snooping methods.
Readers: The readers must match the frequency of the credential; in other words, iClass cards cannot be read on Prox readers and vice versa. A user cannot simply migrate from Prox to iClass credentials without also replacing every reader. An iClass reader is generally more expensive than a Prox reader, the average price being about 15% higher.
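The difference between a static cleartext credential and a keyed exchange, as an added example that is not from the original article: HMAC-SHA256 stands in for iClass's own algorithm, which this sketch does not reproduce, and only the card-to-reader half of the mutual authentication is modeled. CARD_ID, the key and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

CARD_ID = b"\x00\x7b\x11\xd7"   # constructed sample credential number

def static_card(_challenge: bytes) -> bytes:
    """Cleartext model: the same bytes go over the air on every read."""
    return CARD_ID

def make_keyed_card(key: bytes):
    """Keyed model: the answer depends on the reader's fresh challenge."""
    def respond(challenge: bytes) -> bytes:
        return hmac.new(key, CARD_ID + challenge, hashlib.sha256).digest()
    return respond

def static_reader(card) -> bool:
    """Accepts whatever presents the expected number."""
    return hmac.compare_digest(card(b""), CARD_ID)

def keyed_reader(card, key: bytes) -> bool:
    """Accepts only an answer computed over this transaction's nonce."""
    challenge = secrets.token_bytes(8)
    expected = hmac.new(key, CARD_ID + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(card(challenge), expected)

def recorded(card):
    """Model of a captured transmission: repeats one earlier answer."""
    seen = card(secrets.token_bytes(8))
    return lambda _challenge: seen

def compare_models() -> dict:
    key = secrets.token_bytes(16)   # known to the card and reader only
    keyed = make_keyed_card(key)
    return {
        "static_genuine": static_reader(static_card),
        "static_replayed": static_reader(recorded(static_card)),
        "keyed_genuine": keyed_reader(keyed, key),
        "keyed_replayed": keyed_reader(recorded(keyed), key),
    }

if __name__ == "__main__":
    for case, accepted in compare_models().items():
        print(f"{case:16} accepted={accepted}")
```

The stale answer fails in the keyed model because it was computed over an earlier nonce; the protection rests entirely on the key staying secret and the nonce being fresh.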
However, the power and data utilities are the same for both formats, and switchovers typically are a quick process of installing the iClass reader in the same place as the removed Prox. All the reader form factors for Prox are available in iClass versions, and therefore changes can even be 'bolthole-to-bolthole' matches.
Certain readers are designed to handle both frequencies simultaneously. Not only does this potentially simplify designs and inventory, but it allows credential migrations to happen over time - rather than forcing everyone to be issued a new card at once, the normal attrition process of card reissue when expired can be followed.
Cost: Despite a lower credential manufacturing cost than Prox, iClass typically costs more. Because of the frequency difference, 125 kHz credentials need more wire coil loops than 13.56 MHz to achieve the right resonance level. iClass credentials use less expensive components than Prox, and despite higher prices, the cost of manufacture is lower. In previous years, HID offered pricing for both formats at near the same prices, although in recent years iClass is typically priced higher. The chart below lists typical internet pricing of standard parts:
Average Component Cost Comparison
Should I Upgrade?
Many answer the question of "Prox or iClass?" simply, and stick with the less expensive and familiar Prox format. Undoubtedly, millions of electronic access control systems use the format every day with satisfactory results, despite claims of being a security risk. The persistence of Prox, aside from its widespread market share, is due to the relative satisfaction with its use.
However, if Prox is the stubborn 'status quo', then iClass has true operational advantages not possible otherwise. For high-security deployments, or where there might be a high volume of other identity details carried in the credential (for logical or multi-system use), the higher bit capacity and encryption level of iClass are ideal.