Supporting PIV I Cards

How to determine if your physical access control system supports the solution

  • By Bob Fontana
  • Jun 01, 2012

When your physical access control system (PACS) manufacturer tells you its system supports PIV-I “end-to-end,” you might want to do some additional digging to make sure you both agree as to what that really means. Legacy PACS designed for proximity cards (or even PIV cards) are unlikely to support PIV-I cards without specific upgrades for handling 128-bit identifiers. Just because a PACS supports PIV cards doesn’t mean it supports PIV-I cards. In a plug-and-play world, it may be your job to ensure that each component is capable of PIV-I.

PIV Card Identifiers

The identifier on a PIV card is the 32-digit Federal Agency Smart Credential Number (or FASC-N). The FASC-N, found in the card’s CHUID container, is a “smart number” consisting of nine fields.

The first five FASC-N fields—16 binary coded digits—are sufficient to uniquely identify every federally issued credential. That means that physical access control systems may safely use the first 16 digits of the FASC-N as the card identifier without concern for duplicates. The largest possible 16-digit identifier would therefore be 9,999,999,999,999,999, which happens to require 54 bits. Most access control panels cannot store a value as large as this as a single number. Instead, they employ schemes that split the value into two or three logical parts. A common method is to concatenate the agency code, system code and credential number (14 digits), forming one number, and the credential series code and individual credential issue (2 digits), forming another number. Another method is to combine the agency code and system code into a number represented as the traditional “facility code” and store the credential number as the traditional “card number.”

This is often done to avoid updating panel firmware and head-end software to support larger identifiers.

PIV-I Card Identifiers

PIV-I cards are intended for non-federal issuers. The number of organizations that could potentially deploy it is so large that the agency code-system code-credential number method used by PIV cards would not work. Therefore, with PIV-I, the FASC-N can no longer be used as the card identifier. In fact, the first 14 digits of the FASC-N on a PIV-I card are all 9s.

Therefore, if a system can read only a partial FASC-N, all PIV-I cards would appear the same.

PIV-I credentials must use a different numbering system called the globally unique identifier (GUID), which also is found in the CHUID container. The construction of the GUID has some important properties that impact physical access control systems. A GUID is generated in a way that ensures uniqueness across the planet, even if the machine generating it is “off the grid.” The GUID is always 128 bits, which is more than double the size of the 16-digit truncated FASC-N.

The Reader

The reader must be able to recognize that the credential is a PIV-I card. The correct way for the reader to do this is to read the CHUID and check the first 14 digits of the FASC-N. If it is not all 9s, it then outputs the FASC-N. If it is all 9s, it outputs the GUID. The panel must be able to accept cards of both formats—FASC-N or GUID.

The Panel

PIV-I credentials require the control panel and the head end to store larger values for identifiers. These values can still be broken into smaller pieces for ease of storage, but because the GUID is a series of 128 bits rather than a string of binary coded digits, the panel must employ a different method for splitting a GUID received from a reader.

Splitting must be done by bits, not digits. When a PIV-I GUID arrives on the reader port, the panel must split the GUID and compare it with pieces of GUIDs previously received from the head end.

The Head End

Because head-end computers usually have larger memory capacities and more sophisticated database engines, the PIV-I GUID can often be stored as a single 128-bit value. In fact, Microsoft SQL Server supports the GUID as a data type. Regardless, head-end software must be able to accept a GUID as card identifier from the enroller and must be able to send the complete GUID to the panel. The panel must be capable of storing the GUID in a way that it can quickly be compared with the GUID arriving on a reader port.

Remember, there are many things to keep in mind when determining if your PACS supports PIV-I “end-to-end” and whether your access control system truly has the capability to support PIV-I cards.

This article originally appeared in the June 2012 issue of Security Today.

Featured

  • It Always Rains in Florida

    Over the years, and many trips to various cities, I have experienced some of the craziest memorable things. One thing I always count on when going to Orlando is a massive rainstorm after the tradeshow has concluded the first day. Count on it, it is going to rain Monday evening. Expect that it will be a gully washer. Read Now

    • Industry Events

  • Live from GSX 2024 Preview

    It’s hard to believe, but GSX 2024 is almost here. This year’s show runs from Monday, September 23 to Wednesday, September 25 at the Orange County Convention Center in Orlando, Fla. The Campus Security Today and Security Today staff will be on hand to provide live updates about the security industry’s latest innovations, trends, and products. Whether you’re attending the show or keeping tabs on it from afar, we’ve got you covered. Make sure to follow the Live from GSX page for photos, videos, interviews, product demonstrations, announcements, commentary, and more from the heart of the show floor! Read Now

    • Industry Events

  • Elevate Your Business

    In today’s dynamic business environment, companies specializing in physical security are constantly evolving to remain competitive. One strategic shift these businesses can make to give them the advantage is a full or partial transition to a recurring revenue model, popularly called a subscription service. This approach will bring numerous benefits that not only enhance business stability but also improve customer relationships and drive innovation. Recurring monthly revenue (RMR) or recurring annual revenue (RAR) are two recurring cadence choices that work simply and effectively. Read Now

  • Playing a Crucial Role

    Physical security technology plays a crucial role in detecting and preventing insider cybersecurity threats. While it might seem like a stretch to connect physical security with cyber threats, the two are closely intertwined. Here’s how physical security technology can be leveraged to address both external and internal threats. Read Now

Most   Popular

Featured Cybersecurity

Webinars

New Products

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis. 3

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation. 3