Telcred's solution uses NFC (Near Field Communication) for communication between the device and the reader. NFC will soon be in a large share of new mobile phones and is already available for smart cards and USB-dongles. NFC is a radio communication protocol that works over short distances - typically less than 10 cm. There are many potential applications for NFC including payments, tickets for public transportation, and smart packaging and posters. In the context of physical access control, the short range implies several security benefits. Eavesdropping becomes more difficult and, as opposed to e.g. Bluetooth with its 10 meter range, there can never be any doubt who is actually trying to open a door. Furthermore, NFC is user friendly in the sense that it is fast and does not require complex user interaction. The user simply swipes the device in front of the reader. More information about NFC can be found on Wikipedia and the NFC Forum. NFC builds on, and is compatible with, two older technologies used in contactless smartcards, namely MIFARE and FeliCa.
The backend system is used to create user accounts and to assign credentials, or access rights, to users. The actual distribution of these credentials to the device is done differently depending on the type of device.
Mobile phones are provisioned over-the-air. In this case, the backend system connects to a Trusted Services Manager, or TSM, which is a role defined and endorsed by the GSM Association or GSMA. A TSM acts as a conduit between providers of individual services and mobile operators. This way, the service providers do not need to worry about how to interact with a particular mobile operator or phone model - this is all handled by the TSM. The TSM has access to a protected area in the phone called a secure element. This area can store confidential information and is tamper-proof. In Telcred's case, both the application that communicates with the reader and the credentials, or access rights, are stored in the secure element.
USB-dongles are provisioned via an Internet-connected computer. When the dongle is inserted in the computer, it automatically launches an application that connects to Telcred's backend and checks if new access rights are available. If so, these are downloaded and stored on the dongle's secure element. Communication with the reader is done through NFC in the same way as with an NFC mobile phone.
Smart cards are provisioned in a similar fashion to USB-dongles. An NFC reader/writer is attached to an Internet-connected computer. When the card is held to the reader, software on the computer checks with Telcred's backend if new access rights are available for this card. If so, they are downloaded and written to the card. Communication with the reader is still done through NFC.
At the core of Telcred's patented solution is the method by which authentication and authorization are done. In short, a trust chain from the server to the reader is created using electronically signed certificates. The device carries with it both authentication data and its current access rights. As a result, the reader does not need to be connected to a database of users and corresponding access rights. Nor does it need to keep such a database locally - it gets all the information it needs from the device itself.
In other words, the reader does not need to have any knowledge about the users in the system. It only needs to know its own identity and how to verify the credentials it gets from the device. This approach allows the reader to be offline and also simplifies system administration tremendously, since there is no need to maintain access control lists or similar.
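A sketch of the offline check described above, added here as an illustration and not Telcred's code or credential format. The Ed25519 signatures, the JSON layout, the field names, the door IDs and the challenge nonce are all assumptions; the reader stores only the server public key and its own door ID.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

// Credential is a hypothetical layout; the page does not give the real format.
type Credential struct {
	DeviceKey ed25519.PublicKey `json:"device_key"` // binds the rights to one device
	Doors     []string          `json:"doors"`      // readers this device may open
	NotAfter  int64             `json:"not_after"`  // expiry, Unix seconds
}

// Issue runs on the backend: the server key signs the device's access rights.
func Issue(server ed25519.PrivateKey, c Credential) (body, sig []byte) {
	body, _ = json.Marshal(c)
	return body, ed25519.Sign(server, body)
}

// ReaderCheck runs on the offline reader; proof is the device's signature over the reader's nonce.
func ReaderCheck(serverPub ed25519.PublicKey, door string, now time.Time, nonce, body, sig, proof []byte) error {
	if !ed25519.Verify(serverPub, body, sig) { // trust chain: server -> credential
		return fmt.Errorf("credential not signed by server")
	}
	var c Credential
	if json.Unmarshal(body, &c) != nil || len(c.DeviceKey) != ed25519.PublicKeySize {
		return fmt.Errorf("malformed credential")
	}
	if now.Unix() > c.NotAfter {
		return fmt.Errorf("credential expired")
	}
	if !ed25519.Verify(c.DeviceKey, nonce, proof) { // authentication: credential -> device
		return fmt.Errorf("device does not hold the bound key")
	}
	for _, d := range c.Doors { // authorization: is this reader listed?
		if d == door {
			return nil
		}
	}
	return fmt.Errorf("no access right for this door")
}

func main() {
	srvPub, srv, _ := ed25519.GenerateKey(nil) // constructed demo keys
	devPub, dev, _ := ed25519.GenerateKey(nil)
	body, sig := Issue(srv, Credential{devPub, []string{"door-12"}, time.Now().Add(time.Hour).Unix()})
	nonce := []byte("reader-nonce-0001") // constructed; a real reader draws a fresh random nonce
	fmt.Println(ReaderCheck(srvPub, "door-12", time.Now(), nonce, body, sig, ed25519.Sign(dev, nonce)))
}
```

Because nothing is looked up online, a revoked right stays usable until `NotAfter` passes, so the expiry interval sets the revocation delay in a design like this one.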