From the Product Manager's POV

Hirsch Electronics is no stranger to introducing new products or winning accolades among its peers. At ISC West in Las Vegas, Hirsch won a special achievement award in the Security Industry Association's New Product Showcase. We thought readers should know more about the RUU-201 Verification Station, so we talked to Scott Howell of Hirsch Electronics.

Q. The RUU-201 received the industry's special achievement award. What makes the verification station so special?
A.
The judging committee said the Special Achievement award is given "in recognition of outstanding accomplishment in technical innovation." The verification station is unique, highly secure and it can be used in a variety of applications. I like to describe it as a 4x4: four factors and four applications. It is one of the first four-factor authentication devices available on the market—card, code, fingerprint and PKI certificate check—so that delivers the high-security assurance. And, it can be used in four ways: at card issuance to verify the card recipient's identity before card handover, as a door/gate controller, as an enrollment device to populate a physical access control system with card data and as a standalone or networked verification station to verify identities anytime, anywhere.

Q. The verification station must be compatible with a variety of applications. What are the most popular uses of the product?
A.
Many customers use the verification station strictly as an identity verification device, before handing over a card or at a manned ID checking station. Most customers that use the verification station as a door reader configure it for identity authentication and then forward the verified identity to the access control panel for authorization (lock release), to control who goes where when. Assuming the access control database is kept up-to-date (ideally, via a real-time link from the HR/personnel system) even a recently-terminated employee will be denied entry, even if their identity was verified by their PIN and fingerprint.

Q. Today, security technology is on the cutting edge. What technologies does the verification station incorporate?
A.
The verification station is a convergence device. It integrates several technologies, including a privacy-sensitive scrambling keypad, contact and contactless smart card readers, biometric fingerprint reader and a six-line LCD display. The unit is IP-addressable, and it includes ports for a door or other relay, Ethernet, Wiegand, RS-485 and RS-232.

Q. Identity verification is important in many industries. For what market was the verification station created?
A.
It was originally designed to help federal government facilities comply with HSPD-12 and the standards published by NIST as FIPS 201. However, the unit is really taking off in non-government, non-FIPS 201 applications, as well. Hirsch is seeing strong sales of the unit into non-FIPS 201 applications. It can be used with non-PIV smart cards, such as MIFARE and DESFire. Prisons, hospitals, universities, as well as state governments and first responders are the early adopters so far.

Q. How does the verification station help a federal agency comply with FIPS 201?
A.
An agency would be hard-pressed to comply with the standard without some type of full-featured identity and card verification device. Let's say a sponsor requests a card for an employee, then the registrar does the background check, and the signatory approves the issuance. Finally, the issuer prints and encodes the card, and the applicant is ready to pick it up. But how can the issuer be sure the card works and that they are giving it to the right person? That card must be tested right in front of the issuer, using some type of verification station to check the card's readability, the PIN code acceptance and fingerprint match. That is just one example—card issuance, where the verification station helps agencies comply with FIPS 201. It closes the loop on the process and confirms interoperability before the card is ever used for logical or physical access.

There are many other ways the verification station can help agencies comply with FIPS 201 because of its ability to read a PIV card's expiration date and Federal Agency Smart Credential-Number from the CardHolder Unique IDentity container in the smart card's processor.

Q. I understand the Verification Station uses a fingerprint and PIN differently than is historically done with physical access applications. How so?
A.
Most fingerprint readers require that users be pre-enrolled in the reader or access control system. That pre-enrollment requirement is a real problem for those traveling to multiple locations, and it means the organization does not have card or identity interoperability between sites.

In compliance with FIPS 201, the Hirsch verification station uses a more interoperable and user-friendly model whereby the encoded fingerprint data is locked inside the smart card and is unlocked and passed to the reader only after a valid PIN entry. The verification station then performs a one-to-one match of the live finger's print to the card's print. In the FIPS 201 model, the PIN is not issued by the local access control system administrator to be used by the access control system as a second factor of authentication, as was historically done. Rather, the PIN is issued by the central card issuer and used to ensure privacy of the personal identity information stored on the card.

The key here is that government users don't have to be pre-enrolled. Any PIV cardholder can go to any agency at any site in the world and have their identity verified using the verification station—now, that's interoperability. Once identity is authenticated, local authorities or the access control system can determine the appropriate authorization to doors, areas and computers. The process of identity verification (authentication) is separated and administered discretely from the process of granting access (authorization). This idea of using the PIN to unlock the biometric template stored on the card was brought to the forefront by the government's IT-centric FIPS 201 standards, and it is a useful model for ensuring privacy both in the public and private sectors.

Q. Of course, security is of the utmost importance. How does it secure the PIN code?
A.
The verification station incorporates a Hirsch ScramblePad, a unique, time-tested, high-security digital keypad. Using the ScramblePad, the PIN cannot be accidentally shared with, or stolen by, onlookers. Each numeral is randomly scrambled to a new position every time the "start" button is pressed, so a bystander cannot ascertain the finger pattern or telltale wear marks. Also, the ScramblePad's internal viewing restrictors allow only the person directly in front of the keypad to see the numbers.

Q. What are the benefits of verification station-assisted enrollment into the physical access control system?
A.
Speed, accuracy and consistency. For example, authorized employees visiting from another site can have their identities verified quickly, and then the appropriate data on the card can be instantly imported into the local site's access control system, without a keystroke and without having to go to the personnel or security office. Typos and other data entry errors are avoided. And Thomas is consistently entered as Thomas, rather than Tom. That leaves only the step of assigning authorization privileges to the cardholder, which can be further simplified using role-based access control.

Q. Along the lines of being a "converged" solution, how does the verification station use the IP network?
A.
The verification station is Ethernet-ready and IP addressable, and it plugs right into the local site's TCP/IP network infrastructure, if desired. One can use the network to access and configure the RUU-201. And, the RUU-201 can use the network to communicate to a card management system, identity management system or physical access control system. Additionally, the RUU-201 can use a network to do a real-time PKI certificate check with an internal or third-party certificate authority over the LAN/WAN or Internet to ensure the card has not been revoked by the original issuer.

Q. What is the PKI certificate check all about, and what is its value?
A.
Public key infrastructure is a security tool that has become popular with IT departments to verify the identity of a person logging onto the network, to electronically sign e-mail and to verify the authenticity of a document. The verification station can validate a PKI certificate stored on the card. It works like this: After the card, PIN and fingerprint are read, the verification station (if configured for PKI-check mode) obtains the certificate from the card. The verification station sends the certificate out its Ethernet port and across the LAN/WAN/Internet network, via a secured connection, to a certificate authority, such as an online credential status provider or credential revocation list. The card's certificate is checked by the OCSP or CRL, and a result (e.g., certificate "valid" or "revoked") is returned to the verification station for appropriate action.

Thus, in the case of a recently terminated employee, even though the cardholder's PIN, unique number (e.g., FASC-N) and fingerprint may be valid, the verification station will reveal the card's certificate to be invalid. This extra step—the PKI certificate check—is important for many applications. However, the local site or physical access control system must establish communication to the card issuer's infrastructure and use an OCSP or a CRL to use this feature.

Q. So this is an "edge reader" then, distributing intelligence to the edge of the IT network?
A.
Right. In fact, it is one of the first true edge readers on the market. In comparison to the other products we've seen on the market, the Hirsch verification station is the most sophisticated, integrated and secure edge reader available. It's more than a reader though, because it can communicate with the identity management system, card management system and physical access control system. And it can serve as a four-factor, high-security identity verification unit and as a standalone door controller.

Q. Is the verification station integrated with solutions from other companies?
A.
Yes. The verification station is part of an integrated, end-to-end solution for FIPS 201 compliance offered by Hirsch and its partners. Hirsch's partners include the leading players in the IDMS, CMS and enterprise database solution sectors. The verification station also can be used with Hirsch's Velocity Security Management System, and it can be used as a door reader attached to nearly any brand of access control system.

Scott Howell is the manager of worldwide marketing for Hirsch Electronics.
