RTCA Documents for Review: DO-230H FRAC
© 2017, RTCA, Inc.

What forms of credential are required on mobile devices for PACS?

The types of credentials suitable for secure physical access control that may be hosted on a smart mobile
device should be far superior to the simple identifiers that are used with such legacy tokens as 125 kHz
RFID tags. Smart mobile credentials should be based on symmetric or asymmetric cryptographic keys that
may be used to protect credentials, as well as to prove that a device contains a shared secret or that it is the
sole owner of a secret that could be validated externally. Currently, asymmetric key-based Digital
Certificates and Public Key Infrastructure (PKI) provide the most secure and accommodating mechanisms
for device and user authentication for both logical and physical access control. Other types of credentials
include mobile identifiers that are signed and encrypted using symmetric keys (e.g., AES 128 and AES

Whichever technology is chosen, it should be noted that the PACS system will probably need to be updated
to match the mobile credentials, and the level of update will increase with the level of security.

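The contrast drawn above between simple identifiers and key-based credentials, as an added example that is not part of the RTCA document: a reader accepts any copy of a static identifier, while a shared-secret challenge-response rejects a recorded response and a device holding the wrong key. HMAC-SHA256, the class and function names, and the sample values are assumptions made for illustration; the document itself names only symmetric keys such as AES 128.

```python
import hashlib
import hmac
import secrets


def legacy_reader_accepts(presented_id: bytes, allowlist: set) -> bool:
    """Static-identifier model: any copy of an enrolled ID is accepted."""
    return presented_id in allowlist


class MobileCredential:
    """Device side: holds a shared secret and never transmits it."""

    def __init__(self, device_id: bytes, key: bytes):
        self.device_id, self._key = device_id, key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.device_id + challenge, hashlib.sha256).digest()


class Reader:
    """Reader/PACS side: issues single-use nonces and checks the MAC."""

    def __init__(self, enrolled: dict):
        self._enrolled, self._pending = enrolled, {}

    def new_challenge(self, device_id: bytes) -> bytes:
        self._pending[device_id] = secrets.token_bytes(16)
        return self._pending[device_id]

    def verify(self, device_id: bytes, response: bytes) -> bool:
        nonce = self._pending.pop(device_id, None)  # consumed even on failure
        key = self._enrolled.get(device_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, device_id + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    dev, key = b"device-0001", secrets.token_bytes(32)  # constructed values
    phone, reader = MobileCredential(dev, key), Reader({dev: key})
    recorded = phone.respond(reader.new_challenge(dev))
    results = {"copied_static_id": legacy_reader_accepts(b"0012345678", {b"0012345678"}),
               "fresh_response": reader.verify(dev, recorded)}
    reader.new_challenge(dev)  # new nonce: the recorded response no longer matches
    results["replayed_response"] = reader.verify(dev, recorded)
    impostor = MobileCredential(dev, secrets.token_bytes(32))
    results["wrong_key"] = reader.verify(dev, impostor.respond(reader.new_challenge(dev)))
    return results
```
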
Mobile devices may host additional information that supports user identification and authentication, such
as user name, organization, facial image, and fingerprint biometrics. However, these types of data elements
and other potential Personal Identifying Information (PII) should be kept to a minimum, and only used for
“as needed” purposes and in compliance with organization and governmental, both federal and state

What technologies are required of mobile devices to host and use a PACS credential?

A mobile device suitable as a host for a PACS credential must be able to satisfy stated privacy objectives,
communicate with enterprise credentialing systems to obtain credentials, securely load, store and protect
credentials, communicate with access control system readers, and support the authentication of the
credential during physical access requests. Mobile devices should ideally be able to communicate with the
reader even when the battery is too low for other normal operations/functions. Contemporary smart phones
contain all of the features required to support these requirements. These features include sophisticated
microprocessors, ample memory storage, hardware cryptographic engines, wireless communications
interfaces (i.e., cellular services, Wi-Fi, NFC, and Bluetooth Low Energy), and secure cryptographic key
stores. At present, most devices provide OS-based protected-memory key stores, with a limited number of
manufacturers providing smart phones with specialized hardware modules, known as “secure elements”,
that provide tamper-resistant storage for keys, encrypted identifiers, and other valued data objects.

A crucial element in the interface between the mobile device and the reader would be the wireless
communications mechanism and protocol that transport the command requests and responses supporting
identification and authentication of the mobile device and its user. There are two candidate communications
mechanisms that are now supported by most smart phones: Near Field Communications (NFC) and
Bluetooth Low Energy (BLE).

NFC on smartphones has been utilized in the payment arena for years, taking the place of credit cards at
retail checkout counters. NFC implements a set of open standard protocols that operate at short distances
(i.e., 10 cm / ~4 in) at a frequency of 13.56 MHz and data transfer rates ranging from 106 Kbit/s to 424
Kbit/s. One of the protocols that NFC implements is based on the ISO 14443 standard, which is the same
protocol implemented by PIV cards in use with U.S. federal agencies. It has been demonstrated that
NFC-enabled Android smartphones could emulate a PIV smartcard with existing, commercial PACS without
modification to the systems’ card readers. Unfortunately, just as with most PIV card PACS
implementations, NFC does not employ a standard, secure data encryption mechanism during contactless
transactions. Secure messaging has to be implemented a layer above NFC within any smartphone
application employing it, as well as within PACS device readers. NFC was introduced into Android