The University of Arizona's CatCard : Project Pilot: BCA, FAQ
The University of Arizona

GENERAL QUESTIONS:










QUESTION: What is a Smart Card?
ANSWER: A smart card includes an embedded integrated circuit chip that can be either a microcontroller with internal memory or a memory chip alone. The card connects to a reader through direct physical contact or a remote contactless electromagnetic interface. With an embedded microcontroller, smart cards have the unique ability to store large amounts of data, perform on-card functions (e.g., encryption and digital signatures) and interact intelligently with a smart card reader.




QUESTION: What do you mean by three technologies on one card?
ANSWER: The market uses confusing terminology to refer to cards that can support a combination of technologies. Cards are described as multiple-technology when multiple, independent technologies share a common plastic card and do not communicate or interact with each other (e.g., magnetic stripe and contactless or contact chip). Cards are described as “dual-interface” when the card has a single integrated circuit (IC) that can communicate with a smart card reader/terminal via either a contact or a contactless interface.




QUESTION: Are contactless smart cards as secure as contact smart cards?
ANSWER: Contactless smart card solutions are available today that offer the same cutting-edge cryptography and security as contact smart card products. Security capabilities available in contact smart cards can now be applied at the full 10 cm range attainable by products meeting the ISO/IEC 14443 standard.




QUESTION: Is there a risk of someone "listening" or "stealing" the information from a contactless card?
ANSWER: One risk with contactless cards is that the card can be activated when it enters a reader's RF range without the owner being aware of it. To prevent this, the application can be configured to always ask for the owner's authorization (password, PIN or biometric) before providing any user information or processing on the user’s behalf. The level of communication security required between the contactless card and the reader must be defined as part of the system design, and security controls must be put in place so that uninvited listeners cannot intercept the data in any meaningful way. For example, all of the contactless technologies can use data encryption to protect data on the card and during transmission; this helps to ensure that, if information is intercepted, it cannot be used by the recipient. It is important that all of the application’s requirements be understood and defined prior to any technology selection and implementation so that the appropriate security features are designed into the system. Additionally, the contactless chip is designed to self-destruct if anyone tries to hack into it.
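
The owner-authorization gate described in this answer, sketched as an added example (not part of the original FAQ and not the CatCard system's code): a simulated card application that releases its record only after a PIN is verified, limits wrong guesses with a retry counter, and drops authorization whenever it re-enters a reader's field. The class, PIN and record value are constructed for illustration; the instruction bytes and status words are the standard ISO/IEC 7816-4 ones.

```python
import hmac

# ISO/IEC 7816-4 status words and instruction bytes
SW_OK = 0x9000
SW_SECURITY_NOT_SATISFIED = 0x6982
SW_AUTH_BLOCKED = 0x6983
SW_INS_NOT_SUPPORTED = 0x6D00
INS_VERIFY, INS_READ = 0x20, 0xB0   # VERIFY and READ BINARY


class GatedCard:
    """Hypothetical card application: data is released only after owner authorization."""

    def __init__(self, pin: bytes, record: bytes, max_tries: int = 3):
        self._pin, self._record = pin, record
        self._max_tries = self._tries_left = max_tries
        self._authorized = False

    def enter_field(self):
        # A new RF session never inherits authorization from the previous one.
        self._authorized = False

    def process(self, ins: int, data: bytes = b""):
        """Handle one command; returns (response_bytes, status_word)."""
        if ins == INS_VERIFY:
            if self._tries_left == 0:
                return b"", SW_AUTH_BLOCKED            # PIN blocked, even if correct
            if hmac.compare_digest(data, self._pin):   # constant-time comparison
                self._tries_left = self._max_tries
                self._authorized = True
                return b"", SW_OK
            self._tries_left -= 1
            self._authorized = False
            return b"", 0x63C0 | self._tries_left      # 63Cx: x tries remain
        if ins == INS_READ:
            if not self._authorized:
                return b"", SW_SECURITY_NOT_SATISFIED  # unattended activation gets nothing
            return self._record, SW_OK
        return b"", SW_INS_NOT_SUPPORTED


def demo():
    card = GatedCard(pin=b"4921", record=b"0000111122223333")  # constructed values
    card.enter_field()
    unattended = card.process(INS_READ)        # reader probes without the owner
    wrong = card.process(INS_VERIFY, b"0000")
    ok = card.process(INS_VERIFY, b"4921")
    attended = card.process(INS_READ)
    return unattended, wrong, ok, attended
```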




QUESTION: Why are we changing to this new facility access technology?
ANSWER: In many places on campus, and in highly secured areas, residents often swipe their cards in door readers over 30 times a day. This results in individuals having to replace their cards several times a year. There has also been a request, from some departments, to provide a higher level of access security technology.




QUESTION: What is a biometric?
ANSWER: A biometric is a specific and uniquely identifiable physical human characteristic. Common biometrics are fingerprints, handprints, the iris and voice recognition.




QUESTION: How do I protect my personal privacy?
ANSWER: Your fingerprint is not stored in a database or on the contactless smartchip. For a simple explanation, an algorithm, which is a mathematical equation, is taken from measured points on your finger and that is what is stored on the smartchip. When you wave your card in front of the reader and present your finger, only the 16-digit CatCard ISO number is transmitted to Amer-X once the authentication takes place, just as it is now using the magnetic stripe. Again, this is a simplistic explanation; a more thorough explanation can be found in the technical documentation referenced on the main web page.




QUESTION: What happens if someone gets my card?
ANSWER: The algorithm is encrypted and if someone tries to hack the smartchip, it destroys itself. The card will only work with the individual’s finger that exactly matches the algorithm that is stored on the smartchip.




QUESTION: What happens if the reader stops working? How do I get into the building?
ANSWER: The same procedures you would use for a magnetic stripe reader would apply to a contactless smartchip reader. Every external reader has an override key that is assigned to a particular person in your facility.




QUESTION: I'm worried about the transmission of germs and getting ill; is this a real concern?
ANSWER: Biometric readers need to be on a regular cleaning schedule with housekeeping. Additionally, there is some discussion about installing hand sanitizing dispensers next to the biometric readers.




QUESTION: Could somebody unlawfully use my finger and the card to gain access?
ANSWER: No. The fingerprint reader authenticates the finger by measuring it against a body temperature range.




QUESTION: Who is eligible to receive this card and get this access system?
ANSWER: The Keating Building (BIO5 Institute) and Medical Research Buildings (MRB) will be the pilot test for this technology out of which procedures and business rules will be established. These business rules and procedures can serve as a template for future applications.




QUESTION: Who will pay for the card?
ANSWER: Departments that require access to MRB and Keating are working directly with the CatCard Office on details regarding payment options. Departments not associated with MRB or Keating are currently not eligible for the card.




QUESTION: I want my department to have this technology immediately; what do I need to do to upgrade to this new technology?
ANSWER: Contact Diane Tatterfield at the CatCard Office to discuss your request. Her phone number is 621-1709 or you can email her at tatterfieldd@arizona.edu.




QUESTION: What is the difference between ISO/IEC 14443 Type A and ISO/IEC 14443 Type B?
ANSWER: The ISO/IEC 14443 standard defines a way to provide power and communicate between a reader and a contactless smart card. The standard specifies 13.56 MHz as the frequency and also defines a communication protocol between the card and the reader. Type A and Type B are the two communication methods defined by the standard. Differences include the modulation of the magnetic field used for coupling, the coding format and the anticollision method (i.e., how the cards and readers respond when more than one card responds at the same time to a reader’s request for data). In 1994, when standardization began, Type A and Type B had a slightly different application focus. Today’s technological advances have removed this application differentiation. By including both in the final version of the ISO/IEC 14443 standard, the widest base of vendors is able to offer standardized contactless technology.




QUESTION: Are MIFARE and ISO/IEC 14443 Type A the same?
ANSWER: MIFARE and ISO/IEC 14443 Type A are not the same. While MIFARE is often viewed as an extension to or subset of ISO/IEC 14443 Type A, it is a proprietary encryption/conditional access protocol owned and licensed by Philips Semiconductors to multiple vendors of card ICs and reader ICs. Because MIFARE has been so predominantly used with products employing ISO/IEC 14443 Type A technology, it has mistakenly become synonymous with the standard. However, ISO/IEC 14443 Type A is a completely open standard when used independently of the MIFARE encryption/conditional access scheme.




QUESTION: What changes to contactless standards and technology are expected in the future?
ANSWER: Many vendors are actively developing new technologies to address the increasing market need for secure contactless technologies for a wide variety of applications. Changes in government regulations will also provide opportunities for enhancing contactless technology performance. It is important to note, however, that standards development is a lengthy process so it takes time for new technology developments to be reflected in standards that help to drive the availability of interoperable solutions. A few examples of new technologies that are expected include: