SE LP10 Integrated Wiegand
FIPS 201-1 Compliant PIV Solution
1/2015
A Changing World
Today's security landscape has prompted significant change for the U.S. Government:
- 2003: Department of Homeland Security is created
- 2004: Homeland Security Presidential Directive Twelve (HSPD-12) mandates a unified identity and authentication infrastructure for all Federal employees and contractors
- 2005: National Institute of Standards and Technology (NIST) publishes FIPS (Federal Information Processing Standard) 201, the Personal Identity Verification (PIV) requirements for Federal employees and contractors

As we are all too well aware, today's security landscape has had a major impact on our world, especially the U.S. government. Let's take a quick look at some of the significant events that have brought us to where we are today. After the September 11th attacks, our nation's security was clearly the single most important issue to address, prompting the creation of the Department of Homeland Security in 2003. Shortly thereafter, Homeland Security Presidential Directive Twelve was issued, mandating a unified identity and authentication infrastructure for all Federal employees and contractors. Then, in 2005, the National Institute of Standards and Technology published the FIPS 201 Personal Identity Verification, or PIV, requirements for Federal employees and contractors.
Enforcement Begins
- 2011: The Executive Office of the President issued an official Memorandum (OM-11-11)
- All Federal agencies had until March 31, 2011 to issue a policy that will "require the use of the PIV credentials as the common means of authentication for access to that agency's facilities, networks, and information systems"
- All new systems under development must support PIV credentials according to NIST guidelines
- Effective October 1, 2011 (beginning of fiscal year 2012), agencies must upgrade all existing "physical & logical" access control systems to support PIV before they can use any technology refresh funds for other projects
- The FIPS 201-2 revision is due for publication within months, which will drive additional physical access requirements

More recently, these mandates have begun to gain more traction, and we are now at a point where all existing access control systems, both physical and logical, must support PIV requirements, or the Federal agency will not be able to use any technology refresh funds for other projects. In addition, we also anticipate that the FIPS 201-2 revision will be issued in the near future and will likely mean additional physical access requirements.
Ensure Compliance
SE LP10-F offers a new level of assurance:
- FIPS 201-1 compliance for SP 800-116 Uncontrolled Security Areas
- A simple-to-deploy, cost-effective turnkey solution for any federal agency or facility requiring this level of security
- Designed specifically for secure physical access projects that must comply with Personal Identity Verification (PIV) standards under FIPS 201-1

To help you meet these PIV requirements and ensure compliance with FIPS 201, Corbin Russwin has developed the SE LP10-F Integrated Wiegand Access Control Solution. Available in two different configurations, the SE LP10-F meets SP 800-116* requirements for uncontrolled security areas. This Integrated Wiegand lock addresses your increasing security requirements with multi-layered protection designed specifically for secure physical access projects that must comply with FIPS 201-1 PIV requirements.

*In support of FIPS 201-1 there are several underlying documents, guidelines and standards that provide detail on the use, application and implementation of systems. Among these is NIST SP 800-116, which deals with how to use PIV in PACS (physical access control systems).
Beyond Compliance
Featuring HID® multiCLASS SE® Technology, the SE LP10-F:
- Supports multiple industry-leading credentials
  - Ideal for mixed credential populations
  - Offers easy migration to higher security credentials
- Provides heightened security
  - Data authenticity and privacy through multi-layered security
- Utilizes Integrated Wiegand locking technology to:
  - Improve aesthetics
  - Simplify installation and maintenance
  - Reduce costs

In addition to the requirements mandated by FIPS 201, government facilities today are also facing expanding technologies and applications, such as smart card technologies, the introduction of smart phones, and converged applications. And of course, there is always the continued need to cut costs, which can be accomplished in a number of ways, including simplified solutions with fewer components to purchase, install, and maintain; minimizing building and construction costs; lifecycle management; and sustainability. The SE LP10 incorporates HID multiCLASS SE technology to support a broad range of credentials and offer the heightened security of HID's next generation access control platform. This Integrated Wiegand solution provides a streamlined aesthetic and simplifies installation and maintenance to reduce costs.
The Credential
- FIPS 201-1 requires that the PIV card be a smart card
- The card body is similar to a bank credit card and conforms to the ISO/IEC 7810 specification
- The card must contain both contact and contactless interfaces, which may be provided by two separate integrated circuit chips (ICC) or by one dual-interface ICC
- The contact interface must conform to the ISO/IEC 7816 specification, and the contactless interface must conform to the ISO/IEC 14443 specification

A big part of the FIPS 201-1 requirements focuses on the credential itself, the PIV card. First, it must be a smart card and meet the ISO/IEC 7810 specification. It must also contain both contact and contactless interfaces. This can be accomplished with two separate integrated circuit chips or one dual-interface integrated circuit chip. The contact interface must conform to the ISO/IEC 7816 specification, and the contactless interface must conform to the ISO/IEC 14443 specification.
The PIV Card
Here's an example of a PIV card, where you can see the very specific information requirements and the areas for the aforementioned contact and contactless interfaces.
The PIV Card
- The FIPS secure element is the Card Holder Unique Identifier, or CHUID

The Secure Element of a FIPS 201 compliant card is called the Card Holder Unique Identifier, or CHUID (pronounced "Chewid"). This identifier contains several data elements, which you can see listed here.
What is the FASC-N?
Federal Agency Smart Credential Number (FASC-N)
- An identifier used as the primary identification string on all government-issued credentials
- FASC-N is a subset of the CHUID
- Total size is 200 bits (25 bytes)

The FASC-N (pronounced "FASCAN") is the Federal Agency Smart Credential Number, and is a subset of the CHUID. This is the primary identification string on all government-issued credentials.
The FIPS Compliant System
Basic requirements to meet FIPS certification in physical access control applications:
- Read/write capabilities utilizing an ISO 14443A or B Integrated Circuit (IC)
- Must be able to write access data in a secured, encrypted strand to an approved applet residing on the ID card
- Must be able to "push" data back to the Federal Bridge within a specific time period (typically 24 hours)
- Must meet FIPS 140 security requirements for Cryptographic Modules Standard
- Meet FIPS 186-2 for Digital Signatures and the specified algorithms
- Meet FIPS 197 for Advanced Encryption Standard (AES) to protect electronic data
- FIPS 201 defines the identity, vetting, enrollment and issuance requirements for PIV cards

Now that you have a clear understanding of the FIPS compliant credential, we'll review the system as a whole. There are several basic requirements, ranging from read/write capabilities to encryption standards. The interaction with the Federal Bridge is also an important component. Data must be sent back to the Federal Bridge within a specific time period, which is typically 24 hours.
What are the vulnerabilities of any PACS?
Is the identifier trustworthy?
- Revoked credential (cardholder relationship with issuer is "broken"): periodic check that the credential has not been revoked
- Counterfeit identifier: digital signature by a trusted source ensures the data object is genuine and unmodified
- Cloned/copied identifier (certificate only): PKI private key challenge ensures the identifier has not been copied
- Lost/stolen card (cardholder does not match identifier): check binding of the identity card to the individual by checking either or both of something they "know" (PIN) and something they "are" (biometric)

Next, we examine the vulnerabilities common in any physical access control system.
- Has the credential been revoked? This check ensures validation of access rights.
- Is the credential, and its data, authentic? This check ensures only that the received identifier is genuine and unmodified.
- Has the identifier been cloned or copied? This check ensures the binding of the identifier to the card on which it was issued.
- Has the card been lost or stolen? This check ensures the person presenting the card is the one to whom it was issued.
As you are considering these points, try not to think only in terms of "cards". Also consider things like handheld computers that are easy to program to mimic a card.
FIPS Compliant Security Levels
- Performing signature checks and private key challenges at enrollment is not sufficient to achieve these levels of assurance; they must also be done at the time of access
- Revocation checking for FASC-N and CHUID modes must be done using the PIV certificate CRL

Chart columns: Auth Modes; Secures against cards that are Revoked, Counterfeit or Altered, Copied or Cloned, Lost or Stolen (check marks not captured); Auth Factors; SP 800-116 Security Area
- FASC-N: no auth factors; Uncontrolled
- CHUID+VIS: 1 auth factor; Controlled
- CAK
- PIV+PIN: 2 auth factors; Limited
- PIV+PIN+BIO: 3 auth factors; Exclusion

This chart illustrates the different levels of security for FIPS 201 compliant systems, ranging from uncontrolled security areas to the most critical exclusion security areas. Currently, the SE LP10-F is available to support uncontrolled and controlled areas.
CHUID Reader for Uncontrolled Openings
[Diagram: lock/reader reads the 200 bit CHUID, Wiegand connection to the PACS, Unlock returned; SP 800-116 Uncontrolled]

Here we can see how the SE LP10-F fits into the access control system for uncontrolled openings:
- The lock or reader reads the CHUID, or Card Holder Unique Identifier
- It passes the unauthenticated ID number up to the PACS over a Wiegand connection
- Authorization is given by the PACS and an unlock command is returned
- This method is suitable for Uncontrolled openings per SP 800-116
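The following Python is an added example, not from the presentation or from Corbin Russwin/HID: it builds and integrity-checks the 200-bit (25-byte) FASC-N described on the earlier slide, the identifier a CHUID reader like the one above passes up the Wiegand line. The field layout, BCD digit coding, odd parity and LRC are assumed from the TIG SCEPACS / SP 800-73 FASC-N definition (the slides give only the length), and the sample values are constructed. A successful decode shows only that the number is well formed; it is still the unauthenticated ID the slide describes, so it does not by itself address the counterfeit or cloned-card cases listed earlier.

```python
"""Encode and integrity-check the 200-bit (25-byte) FASC-N carried in a PIV
CHUID. Layout assumed from the TIG SCEPACS / SP 800-73 FASC-N definition (the
slides give only the length): 40 characters of 5 bits each, 4 BCD data bits
b0..b3 sent least-significant-bit first, followed by an odd-parity bit."""

SS, FS, ES = 0xB, 0xD, 0xF  # start sentinel, field separator, end sentinel

# (field name, digit count) in transmission order
FIELDS = [
    ("agency_code", 4), ("system_code", 4), ("credential_number", 6),
    ("credential_series", 1), ("individual_credential_issue", 1),
    ("person_identifier", 10), ("organizational_category", 1),
    ("organizational_identifier", 4), ("person_org_association", 1),
]
# A field separator follows only the first five fields; PI..POA run together
FS_AFTER = {"agency_code", "system_code", "credential_number",
            "credential_series", "individual_credential_issue"}


def _lrc(chars: list) -> int:
    """Longitudinal redundancy character: XOR of every data nibble."""
    lrc = 0
    for c in chars:
        lrc ^= c
    return lrc


def encode_fascn(fields: dict) -> bytes:
    """Build the 25-byte FASC-N; the first transmitted bit is the MSB of byte 0."""
    chars = [SS]
    for name, width in FIELDS:
        if len(fields[name]) != width or not fields[name].isdigit():
            raise ValueError(f"{name} must be exactly {width} digits")
        chars.extend(int(d) for d in fields[name])
        if name in FS_AFTER:
            chars.append(FS)
    chars.append(ES)
    chars.append(_lrc(chars))
    bits = []
    for c in chars:  # 40 characters * 5 bits = 200 bits
        nib = [(c >> i) & 1 for i in range(4)]
        bits += nib + [1 - (sum(nib) & 1)]  # parity bit makes the ones count odd
    return int("".join(map(str, bits)), 2).to_bytes(25, "big")


def decode_fascn(data: bytes) -> dict:
    """Parse a FASC-N, checking sentinels, per-character parity and the LRC.
    Success proves only that the bits are well formed, not who issued them;
    authenticity comes from the CHUID signature, which this does not check."""
    if len(data) != 25:
        raise ValueError("FASC-N must be exactly 25 bytes")
    bits = [(data[i // 8] >> (7 - i % 8)) & 1 for i in range(200)]
    groups = [bits[5 * k:5 * k + 5] for k in range(40)]
    if any(sum(g) % 2 == 0 for g in groups):
        raise ValueError("parity error")
    chars = [sum(b << i for i, b in enumerate(g[:4])) for g in groups]
    if chars[0] != SS or chars[38] != ES:
        raise ValueError("bad start or end sentinel")
    if _lrc(chars[:39]) != chars[39]:
        raise ValueError("LRC mismatch")
    out, pos = {}, 1
    for name, width in FIELDS:
        digits = chars[pos:pos + width]
        if any(d > 9 for d in digits):
            raise ValueError(f"non-digit character in {name}")
        out[name] = "".join(map(str, digits))
        if name in FS_AFTER and chars[pos + width] != FS:
            raise ValueError(f"missing separator after {name}")
        pos += width + (name in FS_AFTER)
    return out


# Constructed sample values, not a real credential
SAMPLE = {"agency_code": "0032", "system_code": "0001",
          "credential_number": "123456", "credential_series": "1",
          "individual_credential_issue": "1", "person_identifier": "1234567890",
          "organizational_category": "1", "organizational_identifier": "1234",
          "person_org_association": "1"}
```

Any single flipped bit on the Wiegand line breaks one character's parity and is rejected, which is the integrity check a PACS can apply before trusting the number for an uncontrolled opening.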
Flexibility and Advanced Security
Beyond FIPS 201-1 compliance requirements, SE LP10-F offers facilities a number of additional benefits:
- Supports multiple industry-leading credentials
  - Ideal for mixed credential populations
  - Offers easy migration to higher security credentials and mobile access
- Provides heightened security
  - Data authenticity and privacy through multi-layered security
- Uses Integrated Wiegand locking technology to:
  - Improve aesthetics
  - Simplify installation and maintenance
  - Reduce costs

Facilities today are facing:
- Expanding technologies and applications: more smart card technologies, introduction of smart phones, converged applications
- Increasing security requirements: multi-layered protection, breach resistant
And of course, there is always the continued need to cut costs, which can be accomplished in a number of ways, including simplified solutions with fewer components to purchase, install, and maintain; minimizing building and construction costs; lifecycle management; and sustainability. The SE LP10 incorporates HID multiCLASS SE technology to support a broad range of credentials and provide the heightened security of HID's next generation access control platform. This Integrated Wiegand solution provides a streamlined aesthetic and simplifies installation and maintenance to reduce costs.
The Security Continuum
Solutions for Every Opening

The Security Continuum illustrates the broad range of technologies from ASSA ABLOY, designed to pair the appropriate locking technology to the specific requirements of every opening. Careful consideration of each opening based on usage requirements allows proper selection of access control, enhancing the security of a facility and keeping costs in line. The Corbin Russwin SE LP10 multiCLASS lock falls within the online segment of the Continuum, providing a new level of flexibility for Integrated Wiegand technology.
A New Level of Flexibility
SE LP10 uses HID® multiCLASS SE® technology to offer:
- Simultaneous support for multiple credential technologies:
  - High Frequency (13.56 MHz): Secure Identity Object™ (SIO) on iCLASS Seos, iCLASS SE/SR, MIFARE DESFire EV1, MIFARE Classic; Standard iCLASS Access Control Application; ISO14443A (MIFARE) CSN, ISO14443B CSN, and ISO15693 CSN; NFC-enabled mobile phones (Bluetooth Smart support coming soon); ISO14443A/B transparent FASC-N read of PIV credential
  - Low Frequency (125 kHz): HID Prox®, AWID, EM4102
- A single solution for mixed credential populations
- Easy migration to smart card credentials and mobile access
- Enhanced identity security using SIO technology

The SE LP10 brings a new level of flexibility to our Integrated Wiegand access control solutions. Featuring HID® multiCLASS® SE™ technology, the SE LP10 supports multiple industry-leading credentials, making it ideal for mixed credential populations and facilities transitioning to higher security credentials. The range of supported credentials includes a variety of 125 kHz prox credentials; HID 13.56 MHz iCLASS as well as several CSN reads; and HID iCLASS SE and SE for DESFire EV1 and MIFARE Classic. When configured for the SE data model, it uses HID's SIO technology for the highest level of security.
What is SIO™?
Secure Identity Object™ from HID Global
- Technology-independent, standards-based data model
- Securely stores and transports identity information in a single object
- Makes identities secure, portable and flexible
- Ensures data authenticity/privacy through multi-layered security:
  - SIO data binding inhibits data cloning by binding an object to a specific credential
  - HID's TIP (Trusted Identity Platform) enables secure provisioning
  - EAL5+ certified secure element hardware provides tamper-proof protection of keys/cryptographic operations

What is Secure Identity Object, or SIO? SIO is a new portable, digital credential methodology from HID Global that supports advanced applications, mobility and heightened security. It ensures data authenticity and privacy through multi-layered security: SIO data binding inhibits data cloning by binding an object to a specific credential; secure provisioning; and tamper-proof protection of keys and cryptographic operations. An SIO can be an ID number, but it can also be any other data element (such as fingerprint data or stored value). For our purposes today, we're talking about an ID number. It uses multi-layered security to ensure the integrity and authenticity of the data, and is not limited to traditional credentials, meaning it can reside anywhere (such as a key fob or a mobile key on a phone).
Advanced Security and Performance
Featuring HID Global's next generation access control platform

Featuring HID multiCLASS SE technology, the SE LP10 leverages HID's next generation access control platform to deliver advanced security and performance. Let's take a look at how that works. The graphic here illustrates that the user-carried SIO is securely read by an SIO-enabled device. That reader can be part of a traditional access control system, but can also employ additional HID services on the back end.
SIO-Enabled (SE) Locks
SE LP10 Integrated Wiegand locks bring this advanced security and flexibility to an integrated lockset:
- Consolidates all components into the lock for easier installation and improved aesthetics
  - Card reader
  - DPS, REX and latchbolt monitoring
  - Corbin Russwin ANSI/BHMA Grade 1 electromechanical lock hardware
- Open architecture platform offers compatibility with popular access control systems
- Online access control provides the highest level of security, including lockdown capability

The SE LP10 is SIO-enabled, to support HID's next generation access control platform. It combines the advanced security of SIO technology with SARGENT integrated Wiegand locks for a superior solution. The integrated lockset consolidates all standard access control components into the lock, including the SIO-enabled card reader, DPS, REX and latchbolt monitoring, and ANSI/BHMA Grade 1 electromechanical lock hardware. Its open architecture platform ensures compatibility with popular access control systems, and online access control provides the highest level of security, including lockdown capability.
Simplified, Advanced Access Control
- Superior aesthetics
- Simplified installation and maintenance
- Reduced costs: materials, labor, and over the life of the product

In short, the SE LP10 provides a simplified, advanced access control solution that offers superior aesthetics, simplified installation and maintenance, and reduced costs for materials, labor, and over the life of the product.
Simplified, Elegant Access Control
Superior aesthetics
- Integrated components maintain architectural integrity around the door
- Common levers and hardware finishes suite with mechanical openings and provide the flexibility to match any environment
  - 16 finishes available
  - Available with black or gray reader
  - 48 lever options

With an integrated lockset, there is no disruption to the architecture around the door. This approach provides a streamlined appearance, eliminating the need for numerous components around the door. To ensure compatibility with any environment, the SE LP10 is available in a wide variety of hardware finishes, your choice of two-tone gray or all black reader, and Corbin Russwin Museo decorative levers.
Finishes Available
606 (US4), 613 (US10), 619 (US15), 630 (US32D), 613L, 626 (US26D), 612 (US10), 611 (US11), 722 (US10A), 625 (US26)

As you can see here, there is a broad range of hardware finishes to choose from, all of which are also available with MicroShield technology, a silver-based antimicrobial coating designed to inhibit the growth of bacteria.
Decorative Levers
Superbly Stylized Trim
- 48 Lever Designs (standard, Vineyard, and Museo)
- 6 Roses
- 1 Roseless Collar
- 14 Finishes
- Custom Designs

The broad array of Museo levers far surpasses any other offering for access control locks in the industry, for a consistent aesthetic throughout a facility and the ability to blend into any environment.
Simplified, Advanced Access Control
- Superior aesthetics
- Simplified installation and maintenance
- Reduced costs: materials, labor, and over the life of the product

The next key benefit for the SE LP10 is simplified installation and maintenance. We'll take a look at a comparison between traditional access control installations and our integrated approach to illustrate the clear advantages of the SE LP10.
Simplified Installation and Maintenance
Traditional Access Control
- Discrete components add cost and complexity

A very common method of adding access control to a door is using discrete components, including electric strike, card reader, door position switch and request-to-exit. This requires multiple cable pulls from different locations around the door, back to an access control panel, where access decisions are made.
Simplified Installation and Maintenance
Integrated Wiegand Access Control
- Integrated components streamline installation and maintenance, significantly reducing installation time and costs
- Open architecture platform ensures compatibility with popular access control systems

Using the SE LP10, rather than having discrete components around the perimeter of the door, everything you need is consolidated into one integrated lock:
- Grade 1 lock or exit device
- HID SIO-enabled reader
- Door Position Switch
- Request to Exit sensor
The lock and all its components are wired to an ElectroLynx Molex connector, which plugs into a 12-wire ElectroLynx cable run through the door from the lock prep to the center hinge location. This then connects to a QC-12 electrified hinge or other transfer device. The jamb side of the hinge then connects to an ElectroLynx cable that runs up the jamb, above the ceiling, and is wired to the access control panel the same as discrete components would be.
ElectroLynx®
Universal quick-connect system from ASSA ABLOY
- Simplifies the electrification of the door opening
- Reduces installation time and costs
- Improves reliability
[Photos: hinge before and after ElectroLynx]

ElectroLynx is a significant advancement in access control wiring. Prior to its conception, all companies had their own way to wire the products. ASSA ABLOY established a common means of wiring and connecting, using an off-the-shelf, non-proprietary connector. This allows us to set the standard for the industry in terms of ease of installation and ensuring reliable installations. The photos here show you the benefits, with a hinge before and after ElectroLynx. Installation is clean, fool-proof, and future-proof.
Easy to Maintain
Integrated lock
- Installs just like a mechanical lock
- Eliminates risk of incompatibility among discrete components
Simplifies maintenance
- Installs just like a mechanical lock
- ElectroLynx® connectors simplify wiring
- On-site lock shop can replace and maintain
Reader is protected by the handle
- No exposure to damage from carts or hallway traffic

In addition to easier installation, maintenance is also simplified. With a single, integrated lock, there is no risk of incompatibility among discrete components. Because the SE LP10 installs in a very similar fashion to a mechanical lock, with ElectroLynx connectors to simplify wiring, your on-site lock shop can easily replace and maintain locks as needed. Additionally, because the reader is against the door, it is protected by the lever from damage from hallway traffic.
Simplified, Advanced Access Control
- Superior aesthetics
- Simplified installation and maintenance
- Reduced costs: materials, labor, and over the life of the product

Simplified installation and maintenance results directly in cost savings. Fewer components reduce material and installation costs, and simplify maintenance over the life of the product.
Reduced Costs
- Easy migration to higher security credentials
  - Allows gradual transition from 125 kHz Prox cards to 13.56 MHz smart cards, rather than having to replace all credentials at once
- Installation
  - ElectroLynx® connectors speed installation and improve reliability
  - A single, integrated lockset significantly reduces installation time, minimizing labor costs
- Total opening cost
  - Integrated lock reduces material costs as compared to multiple discrete components
- Power consumption
  - Intelligent power management reduces reader power consumption up to 75%
  - EcoFlex™ mortise lock is GreenCircle certified to reduce power consumption up to 96% versus traditional solenoid mortise locks

As we've discussed, you can see that the overall cost savings for the SE LP10 are significant. The ability to stagger credential switchovers within a larger user population eliminates the need to purchase new credentials all at once. Installation time is significantly improved: fewer components to install and simple, fool-proof wiring using ElectroLynx connectors mean lower labor costs, as well as easier ongoing maintenance. The total cost of the opening is also reduced by the reduction in components. In addition, the SE reader uses intelligent power management to reduce power consumption by as much as 75%.
Flexibility and Advanced Security
Featuring HID® multiCLASS SE® Technology, SE LP10 supports:
- Multiple industry-leading credentials
  - Ideal for mixed credential populations
  - Offers easy migration to higher security credentials and mobile access
- Heightened security
  - Data authenticity and privacy through multi-layered security
- Integrated Wiegand locking technology
  - Improves aesthetics
  - Simplifies installation and maintenance
  - Reduces costs

In conclusion, the SE LP10 incorporates HID multiCLASS SE technology to support a broad range of credentials and provide the heightened security of HID's next generation access control platform. This Integrated Wiegand solution provides a streamlined aesthetic and simplifies installation and maintenance to reduce costs.
Questions?
Thank you!