From the Product Manager's POV

Hirsch Electronics is no stranger to introducing new products or winning accolades among its peers. At ISC West in Las Vegas, Hirsch won a special achievement award in the Security Industry Association's New Product Showcase. We thought readers should know more about the RUU-201 Verification Station, so we talked to Scott Howell of Hirsch Electronics.

Q. The RUU-201 received the industry's special achievement award. What makes the verification station so special?
A.
The judging committee said the Special Achievement award is given "in recognition of outstanding accomplishment in technical innovation." The verification station is unique, highly secure and it can be used in a variety of applications. I like to describe it as a 4x4: four factors and four applications. It is one of the first four-factor authentication devices available on the market—card, code, fingerprint and PKI certificate check—so that delivers the high-security assurance. And, it can be used in four ways: at card issuance to verify the card recipient's identity before card handover, as a door/gate controller, as an enrollment device to populate a physical access control system with card data and as a standalone or networked verification station to verify identities anytime, anywhere.

Q. The verification station must be compatible with a variety of applications. What are the most popular uses of the product?
A.
Many customers use the verification station strictly as an identity verification device, before handing over a card or at a manned ID checking station. Most customers that use the verification station as a door reader configure it for identity authentication and then forward the verified identity to the access control panel for authorization (lock release), to control who goes where when. Assuming the access control database is kept up-to-date (ideally, via a real-time link from the HR/personnel system) even a recently-terminated employee will be denied entry, even if their identity was verified by their PIN and fingerprint.

Q. Today, security technology is on the cutting edge. What technologies does the verification station incorporate?
A.
The verification station is a convergence device. It integrates several technologies, including a privacy-sensitive scrambling keypad, contact and contactless smart card readers, biometric fingerprint reader and a six-line LCD display. The unit is IP-addressable, and it includes ports for a door or other relay, Ethernet, Wiegand, RS-485 and RS-232.

Q. Identity verification is important in many industries. For what market was the verification station created?
A.
It was originally designed to help federal government facilities comply with HSPD-12 and the standards published by NIST as FIPS 201. However, the unit is really taking off in non-government, non-FIPS 201 applications, as well. Hirsch is seeing strong sales of the unit into non-FIPS 201 applications. It can be used with non-PIV smart cards, such as MIFARE and DESFire. Prisons, hospitals, universities, as well as state governments and first responders are the early adopters so far.

Q. How does the verification station help a federal agency comply with FIPS 201?
A.
An agency would be hard-pressed to comply with the standard without some type of full-featured identity and card verification device. Let's say a sponsor requests a card for an employee, then the registrar does the background check, and the signatory approves the issuance. Finally, the issuer prints and encodes the card, and the applicant is ready to pick it up. But how can the issuer be sure the card works and that they are giving it to the right person? That card must be tested right in front of the issuer, using some type of verification station to check the card's readability, the PIN code acceptance and fingerprint match. That is just one example—card issuance, where the verification station helps agencies comply with FIPS 201. It closes the loop on the process and confirms interoperability before the card is ever used for logical or physical access.

There are many other ways the verification station can help agencies comply with FIPS 201 because of its ability to read a PIV card's expiration date and Federal Agency Smart Credential-Number from the CardHolder Unique IDentity container in the smart card's processor.

Q. I understand the Verification Station uses a fingerprint and PIN differently than is historically done with physical access applications. How so?
A.
Most fingerprint readers require that users be pre-enrolled in the reader or access control system. That pre-enrollment requirement is a real problem for those traveling to multiple locations, and it means the organization does not have card or identity interoperability between sites.

In compliance with FIPS 201, the Hirsch verification station uses a more interoperable and user-friendly model whereby the encoded fingerprint data is locked inside the smart card and is unlocked and passed to the reader only after a valid PIN entry. The verification station then performs a one-to-one match of the live finger's print to the card's print. In the FIPS 201 model, the PIN is not issued by the local access control system administrator to be used by the access control system as a second factor of authentication, as was historically done. Rather, the PIN is issued by the central card issuer and used to ensure privacy of the personal identity information stored on the card.

The key here is that government users don't have to be pre-enrolled. Any PIV cardholder can go to any agency at any site in the world and have their identity verified using the verification station—now, that's interoperability. Once identity is authenticated, local authorities or the access control system can determine the appropriate authorization to doors, areas and computers. The process of identity verification (authentication) is separated and administered discretely from the process of granting access (authorization). This idea of using the PIN to unlock the biometric template stored on the card was brought to the forefront by the government's IT-centric FIPS 201 standards, and it is a useful model for ensuring privacy both in the public and private sectors.

Q. Of course, security is of the utmost importance. How does it secure the PIN code?
A.
The verification station incorporates a Hirsch ScramblePad, a unique, time-tested, high-security digital keypad. Using the ScramblePad, the PIN cannot be accidentally shared with, or stolen by, onlookers. Each numeral is randomly scrambled to a new position every time the "start" button is pressed, so a bystander cannot ascertain the finger pattern or telltale wear marks. Also, the ScramblePad's internal viewing restrictors allow only the person directly in front of the keypad to see the numbers.

Q. What are the benefits of verification station-assisted enrollment into the physical access control system?
A.
Speed, accuracy and consistency. For example, authorized employees visiting from another site can have their identities verified quickly, and then the appropriate data on the card can be instantly imported into the local site's access control system, without a keystroke and without having to go to the personnel or security office. Typos and other data entry errors are avoided. And Thomas is consistently entered as Thomas, rather than Tom. That leaves only the step of assigning authorization privileges to the cardholder, which can be further simplified using role-based access control.

Q. Along the lines of being a "converged" solution, how does the verification station use the IP network?
A.
The verification station is Ethernet-ready and IP addressable, and it plugs right into the local site's TCP/IP network infrastructure, if desired. One can use the network to access and configure the RUU-201. And, the RUU-201 can use the network to communicate to a card management system, identity management system or physical access control system. Additionally, the RUU-201 can use a network to do a real-time PKI certificate check with an internal or third-party certificate authority over the LAN/WAN or Internet to ensure the card has not been revoked by the original issuer.

Q. What is the PKI certificate check all about, and what is its value?
A.
Public key infrastructure is a security tool that has become popular with IT departments to verify the identity of a person logging onto the network, to electronically sign e-mail and to verify the authenticity of a document. The verification station can validate a PKI certificate stored on the card. It works like this: After the card, PIN and fingerprint are read, the verification station (if configured for PKI-check mode) obtains the certificate from the card. The verification station sends the certificate out its Ethernet port and across the LAN/WAN/Internet network, via a secured connection, to a certificate authority, such as an online credential status provider or credential revocation list. The card's certificate is checked by the OCSP or CRL, and a result (e.g., certificate "valid" or "revoked") is returned to the verification station for appropriate action.

Thus, in the case of a recently terminated employee, even though the cardholder's PIN, unique number (e.g., FASC-N) and fingerprint may be valid, the verification station will reveal the card's certificate to be invalid. This extra step—the PKI certificate check—is important for many applications. However, the local site or physical access control system must establish communication to the card issuer's infrastructure and use an OCSP or a CRL to use this feature.

Q. So this is an "edge reader" then, distributing intelligence to the edge of the IT network?
A.
Right. In fact, it is one of the first true edge readers on the market. In comparison to the other products we've seen on the market, the Hirsch verification station is the most sophisticated, integrated and secure edge reader available. It's more than a reader though, because it can communicate with the identity management system, card management system and physical access control system. And it can serve as a four-factor, high-security identity verification unit and as a standalone door controller.

Q. Is the verification station integrated with solutions from other companies?
A.
Yes. The verification station is part of an integrated, end-to-end solution for FIPS 201 compliance offered by Hirsch and its partners. Hirsch's partners include the leading players in the IDMS, CMS and enterprise database solution sectors. The verification station also can be used with Hirsch's Velocity Security Management System, and it can be used as a door reader attached to nearly any brand of access control system.

Scott Howell is the manager of worldwide marketing for Hirsch Electronics.
