Card-Connected System — Functional Specification
Note: This document provides example functional specification material for CoreStreet-Enabled smart card based physical access control systems. Insert the appropriate material from this document into the relevant sections of the security system specification under development.
This document describes the requirements specific to a smart card based access control system. Systems that do not provide all of the features described below shall be unacceptable.
Definition of Terms
Where the term “smart card” is used in this specification, alternate read/write security media or devices may be substituted, such as RFID key fobs, as long as all system requirements can be met by the use of the alternate media or devices.
The term “card reader” is used to indicate a smart card reader that is capable of both read and write operations, and contains the required intelligence for its operation resident as firmware in the reader’s micro-chip integrated circuits.
Where the term “card reader” is used, compatible intelligent locksets with a built-in smart card reader capability may be used as an alternate.
The access control system shall be centrally managed, which means that regardless of the quantity or location of card readers, management of the entire card system can be performed from a central server and optionally from workstations networked to the central server.
Access Control Independent of Network Infrastructure
The system shall extend access control beyond wired or wireless network infrastructure by using a combination of networked and standalone smart card readers and/or intelligent locksets, under a distributed decision approach.
The system shall utilize a distributed decision approach that allows card readers to perform access decisions based solely on the data they have, without accessing data in any other device or system. Reader access decisions shall be based upon comparing proof of cardholder access privileges stored on smart cards against access rules and invalid card lists stored in readers.
Card-Connected and Network-Connected Readers
The system shall provide “Card-Connected” capability for readers, whereby access cards carry system messages between network-connected readers and readers with no network connection. The network-connected readers shall write invalid card lists and proof of cardholder access privileges to cards, and retrieve messages (such as “access granted”) from cards for storage in the system historical database. The network-connected readers shall read messages written to the access cards by the Card-Connected readers including access history (granted, denied), low battery and door held open messages, and transmit these messages to the central server for processing and storage. The network-connected readers shall transmit their system messages to the central server in real time.
No Degraded Mode
Access control decisions made at network-connected readers shall be performed in the same way Card-Connected readers perform them, so that a temporary loss of the network connection shall have no effect on access decision making and no degraded mode is required.
Card Data Expirations and Updates
The system shall provide a short user-definable time interval (such as 24 hours) after which data stored on smart cards expires, and must be updated by card presentation at a network-connected reader. The result of short expiration time intervals is that lost or stolen cards automatically become invalid for access (within the short time interval), which keeps the invalid card list empty or very small. Expiration intervals as small as 1 hour shall be supported so as to severely limit the time period in which a lost or stolen card can remain valid, as an anti-theft/anti-forgery measure.
Invalid Card List Distribution
Whenever any card is cancelled or revoked, the system shall immediately transmit the current invalid card list to all network-connected readers, which in turn shall write the invalid card list to all cards presented, so that Card-Connected readers can read the current invalid card list from any card presented to them.
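The following added example (not part of the original specification and not CoreStreet's implementation) models the distributed decision, card data expiration and invalid card list distribution requirements above, including the window in which a revoked card still opens a Card-Connected door. All class, field and function names are hypothetical, the cardholders, doors and times are constructed, and verification of the signed proof of privileges is assumed to have already succeeded.

```python
from dataclasses import dataclass, field

@dataclass
class Card:
    card_id: str
    doors: frozenset = frozenset()       # doors the stored proof authorizes
    expires: int = 0                     # proof is invalid from this time on
    list_version: int = 0                # invalid card list carried on the card
    invalid_ids: frozenset = frozenset()
    messages: list = field(default_factory=list)   # events awaiting upload

@dataclass
class Reader:                            # Card-Connected: decides on local data only
    door: str
    list_version: int = 0
    invalid_ids: frozenset = frozenset()

    def decide(self, card, now):
        if card.list_version > self.list_version:   # adopt newer list from card
            self.list_version, self.invalid_ids = card.list_version, card.invalid_ids
        checks = [(card.card_id in self.invalid_ids, "denied:invalid-card"),
                  (now >= card.expires, "denied:expired"),
                  (self.door not in card.doors, "denied:no-privilege")]
        result = next((msg for failed, msg in checks if failed), "granted")
        card.messages.append((self.door, card.card_id, now, result))
        return result

class NetworkReader(Reader):             # same decision logic, plus card updates
    def refresh(self, card, server, now):
        self.list_version = card.list_version = server["list_version"]
        self.invalid_ids = card.invalid_ids = server["invalid_ids"]
        if card.card_id not in self.invalid_ids:    # renew the short-lived proof
            card.doors = server["privileges"].get(card.card_id, frozenset())
            card.expires = now + server["interval"]
        result = self.decide(card, now)
        server["history"].extend(card.messages)     # upload carried messages
        card.messages.clear()
        return result

def scenario():                          # constructed data, times in seconds
    server = {"interval": 86400, "list_version": 1, "invalid_ids": frozenset(), "history": [],
              "privileges": {c: frozenset({"lobby", "lab"}) for c in ("alice", "bob")}}
    lobby, lab, alice, bob = NetworkReader("lobby"), Reader("lab"), Card("alice"), Card("bob")
    out = [lobby.refresh(bob, server, 0), lab.decide(bob, 100)]
    server.update(list_version=2, invalid_ids=frozenset({"bob"}))   # bob revoked
    out += [lab.decide(bob, 200),               # lab has not seen list v2 yet
            lobby.refresh(alice, server, 300), lab.decide(alice, 400),  # v2 rides on alice's card
            lab.decide(bob, 500), lab.decide(alice, 300 + 86400)]
    return out, len(server["history"])
```

The third decision is still "granted": a Card-Connected reader learns of a revocation only when another card carries the newer list to it, so the expiration interval is the upper bound on how long a revoked card can work at a door that no updated card visits.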
Network Communications and Security Protocols
The system shall utilize or be compatible with IT industry-standard TCP/IP based protocols for network and smart card-based secure messaging including:
- X.509 compliant digital certificates
- Compliance with Federal Information Processing Standard 201 (FIPS-201) in support of Homeland Security Presidential Directive 12 (HSPD-12)
- RSA digital signature algorithm (FIPS 186-2)
- ISO 14443 – the international standard for contactless proximity cards operating at 13.56 MHz at a distance of up to 5 inches, such as MIFARE® and MIFARE® DESFire smart cards and readers
Compliance or compatibility with the above standards is intended to enable multiple application use of the smart cards, such as for logical security, purchasing and convenience uses.
No Separate Public Key Infrastructure
The system’s use of digital certificates and secure information protocols shall not require a separate Public Key Infrastructure (PKI) solution.
UL 294 Requirement
The system card readers shall be UL 294 listed as an access control system accessory.
Multiple Systems May Share Readers
The system shall support the management of access roles, rules and privileges for Card-Connected readers by cooperating independent multiple authorities who use separate access control systems. For example, access to common area readers such as restrooms, exercise rooms, utility rooms, cafeteria, etc. could be established by separate organizations, each with its own system, such as the Army and the Navy.
Note: Fill in the system capacity quantities below to reflect the actual capacity requirements desired for the installed system.
The system shall support up to ___________ card readers with biometric functions, and up to ___________ card readers without biometric functions, for a maximum of up to ___________ total card readers. The system shall support up to __________ cardholders.
For readers configured as card-only readers, regardless of how many cards and/or PINs are presented simultaneously at any number of system readers, the response time from the presentation of a card to door unlock shall be less than 1.0 seconds for an electric strike and less than 2.0 seconds for an electro-mechanical lockset.
For readers configured as card-and-PIN readers, regardless of how many cards and/or PINs are presented simultaneously at any number of system readers, the response time from completion of PIN entry to door unlock shall be less than 1.0 seconds for an electric strike and less than 2.0 seconds for an electro-mechanical lockset.
Smart Card Memory Capacity
The system shall require smart cards with a minimum memory capacity of 64K. If the cards will be used for multiple applications, the total card memory capacity for all applications should be calculated using 64K as the minimum amount of memory that shall be allocated for physical access control technology.
Factory Warranty Requirements
Card readers shall include a factory warranty stating that the equipment is free from defects in design, material, manufacture and operation.
The factory warranty period shall be for the lifetime of the product. The manufacturer shall not be responsible for installation, handling or use of product that does not comply with manufacturer’s published instructions.
Acceptable card reader manufacturers are Indala and SARGENT.
Acceptable cards must meet the specifications described under the Network Communications and Security Protocols section.
For a complete list of acceptable manufacturers, visit corestreet.com/enabled.