pivCLASS Reader Service

The integration provides TPK, biometric template, FIPS 140-2, PKI-AUTH and PKI-CAK challenge/response verification and other data in real time to fixed readers.
Fixed Reader Services provides: 
  • Current assurance level (including TWIC mode)
  • PKI-CAK, PKI-AUTH key challenge/response verification, supporting RSA and ECC authentication
  • CHUID verification (RSA and ECDSA)
  • Certificate Revocation List (CRL) status
  • Biometric templates
  • Download/upload TWIC Privacy Key (TPK)
  • TWIC CCL status
  • Cardholder name
  • Cardholder photo

The badge verification works as follows:
  • The credential is swiped. Depending on the current assurance profile, a PIN is entered.
  • The reader requests pivCLASS Reader Service to verify the CHUID and generate a cryptographic challenge, which the reader passes to the card.
  • If the current status of the card is revoked*, the transaction terminates, and the reader indicates “Access denied – see administrator.”
  • The card passes the signed challenge to the reader, which passes it to pivCLASS Reader Service.
  • pivCLASS Reader Service verifies the challenge using the public key in the PIV or Card Authentication certificate stored in the pivCLASS credential database.
  • Depending on the current assurance profile, the reader prompts for a biometric sample and compares it with the stored sample provided by pivCLASS Reader Service.
  • For TWICs, the card can be presented contactlessly, and the reader requests the TPK from FRS.
  • If the card is cancelled or (in the case of PIV) the associated certificate path cannot be validated, an indication is returned to the reader so that it can issue an “Access denied – see administrator” message.
  • pivCLASS Reader Service sends “Access Denied” to OnGuard if the card is revoked.
  • For verified badges, the reader sends the badge information to the OnGuard access panel. Based on this information, OnGuard grants or denies access.
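The challenge/response step above, sketched as an added example that is not the product's code: the service refuses revoked or unknown cards, issues a single-use nonce, and checks the card's signature against the stored public key. The names (service, challenge, verify, newCard), the in-memory maps and the choice of ECDSA P-256 over a SHA-256 hash of a 32-byte nonce are all assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type service struct { // stand-in for the verification service; names are assumptions
	keys    map[string]*ecdsa.PublicKey // public keys from stored card certificates
	revoked map[string]bool             // constructed revocation status per card
	pending map[string][]byte           // outstanding nonce per card
}

// challenge denies unknown or revoked cards, otherwise issues a fresh nonce.
func (s *service) challenge(id string) ([]byte, error) {
	if _, ok := s.keys[id]; !ok || s.revoked[id] {
		return nil, fmt.Errorf("access denied - see administrator")
	}
	s.pending[id] = make([]byte, 32)
	_, err := rand.Read(s.pending[id])
	return s.pending[id], err
}

// verify checks the signature over the issued nonce; a nonce is single use.
func (s *service) verify(id string, sig []byte) bool {
	n, ok := s.pending[id]
	delete(s.pending, id) // consumed whether or not verification succeeds
	h := sha256.Sum256(n)
	return ok && !s.revoked[id] && ecdsa.VerifyASN1(s.keys[id], h[:], sig)
}

// newCard builds a constructed card: its public key plus a signer for nonces.
func newCard() (*ecdsa.PublicKey, func([]byte) []byte) {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &k.PublicKey, func(n []byte) []byte {
		h := sha256.Sum256(n)
		sig, _ := ecdsa.SignASN1(rand.Reader, k, h[:]) // private key stays in the closure
		return sig
	}
}

func main() {
	pub, sign := newCard()
	s := &service{map[string]*ecdsa.PublicKey{"card-1": pub}, map[string]bool{}, map[string][]byte{}}
	n, _ := s.challenge("card-1")
	fmt.Println("verified:", s.verify("card-1", sign(n)))
}
```

Because the nonce is deleted on the first verify call, a signed response captured at the reader cannot be replayed in a later transaction.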
OnGuard License Requirements:
| Component | License Option | Part Number | Comments |
|---|---|---|---|
| DataConduIT | Maximum Number of DataConduIT Clients (SWG-1140) | SWG-1140 | One (1) DataConduIT license is required |
Note: A single DataConduIT license is used for all pivCLASS certified products. All communications between pivCLASS products and an OnGuard system are managed by a single DataConduIT session.
pivCLASS Reader Service v1.2 is certified with OnGuard 6.5 and 6.4.500.