User Guide for the iCLASS TECHNICAL NOTE

In order to provide additional levels of security, the HandReader can be used in conjunction with iCLASS
contactless smart card readers. With this card technology, there is no need to store the user information and
template in a centralized database. All of the user’s information can be stored on the credential, eliminating
the need for the user to remember a PIN and for managing templates over networks.
However, it’s helpful to understand how the iCLASS reader works when integrated into the HandReader. The
iCLASS reader, when installed on the HandReader, is programmed with a proprietary key by default. iCLASS
cards also contain a key which must match the key in the reader in order for the card to communicate and
exchange information with the card reader.
The SmartKey utility was designed by Schlage biometrics to manage the iCLASS keys used with the
HandReader family. It is a complimentary program used with Windows OS that allows the storing and
modifying of iCLASS keys on cards and the HandReader.
Below is the technical information on how to use the SmartKey. You can obtain a copy of the SmartKey
program by contacting our technical support group ([email protected]).
Before you order an iCLASS reader, you will need to know what you are connecting to: Lock output or Access
Panel. If you are connecting to an Access Panel, you will also need to know your card format and the iCLASS
key.
If you require additional information before the purchase of a HandReader with the iCLASS, please consult
your local sales representative or our technical support group at 1-866-861-2480, option 1.
Rev. A
03/2010
User Guide for the iCLASS
70200-0087A
CONTENTS OF THIS TECHNICAL NOTE INCLUDE:
WHAT IS SMARTKEY?
PROGRAM STARTUP
CONNECTING TO THE iCLASS HANDREADER
MAIN MENU SELECTIONS
1. Exit SmartKey program
2. Store user key to reader
3. Restore default key to reader
4. Change key on smart cards
5. View configuration block on smart cards
SMARTKEY
The SmartKey utility is designed by Schlage biometrics to manage the iCLASS keys used with the HandReader Family. The
program is a 32-bit console-mode program for Windows. It has been successfully tested with Windows-98, Windows
2000 and Windows-XP.
The main key management functions of SmartKey are:
• Store iCLASS keys in the HandReader
• Store iCLASS keys on cards
These functions enable administrators to secure their iCLASS installation with private keys known only to them. To
change keys in a HandReader, the PC running SmartKey must be connected to the HandReader using the iCLASS cable
supplied by Schlage. To change keys on cards only, the PC running SmartKey can be connected either to a HandReader,
or to an external iCLASS card reader/writer supplied by HID.
CONNECTING TO THE HANDREADER
Use the Serial DB9 – 3-pin cable to make the connection between the computer running SmartKey and the iCLASS
HandReader. First, connect the DB9 Serial connector to an open serial port on the computer. Then, carefully connect the
3-pin connector directly to the iCLASS reader (you may have to disconnect the iCLASS reader from the HandReader to do
this). Then, attach the grounding clip to the back plate of the HandReader. Making the ground connection is very
important – otherwise, SmartKey will not be able to detect the iCLASS reader.
When you are finished using SmartKey, detach the grounding clip, disconnect the 3-pin connector and carefully reconnect the iCLASS reader cable to the main board connector. You should not have to cycle power on the reader;
however, if you encounter any immediate problems a power cycle will reset the connection and typically restore
functionality.
PROGRAM STARTUP
Save SmartKey.exe in a known folder on a Windows PC, and start the program from either the Windows "Run" dialog or
by selecting the program from Windows explorer. When the program is started, it will prompt the operator to specify
the communications port for the iCLASS device. Enter the serial port that the HandReader or an external HID
reader/writer is connected to, and press <RETURN/ENTER>. SmartKey will automatically check for a HandReader using
9600 baud, and if that fails it will then test for an external HID reader/writer at 57600 baud. If neither device is detected,
SmartKey will display an error message and quit.
If an iCLASS device is found by SmartKey, it displays its main menu and waits for a user selection. The operator selects
the desired menu and then presses <RETURN/ENTER>.
MAIN MENU SELECTIONS
1. Exit SmartKey program
This is used in the main menu to exit the program. The sub-menus accessed via the main menu also use selection 1 as an
exit choice.
2. Store user key to reader
This selection allows the operator to define a 16-digit iCLASS key to be saved in the HandReader. In any iCLASS system,
the card reader/writer and the cards being presented must share the same key value. This selection stores the desired
key to the HandReader, so iCLASS cards having the same key can be read and written by the HandReader.
NOTE: iCLASS keys are 64-bit values. SmartKey requires values as 16 hexadecimal digits. A hexadecimal digit is one of the
characters 0 thru 9 and A thru F. An example is: 9876543210ABCDEF. Always specify exactly 16 digits for key values using
SmartKey. Even leading 0’s are significant.
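The key format in the note above, as an added example that is not part of SmartKey or of this technical note: a Python helper that generates a random 64-bit key and validates operator input before it is typed into SmartKey. Accepting lowercase input and rejecting the published example value and single-repeated-digit keys are assumptions of this example, not documented SmartKey behaviour.

```python
import re
import secrets

# Exactly 16 characters from 0-9 and A-F, as the note requires.
KEY_RE = re.compile(r"[0-9A-F]{16}")
# The example value printed in this guide is public, so it must not be deployed.
DOCUMENTED_EXAMPLE = "9876543210ABCDEF"


def parse_key(text: str) -> bytes:
    """Validate a key string and return its 8 bytes, or raise ValueError."""
    key = text.strip().upper()  # assumption: lowercase input is normalised
    if not KEY_RE.fullmatch(key):
        raise ValueError("key must be exactly 16 hexadecimal digits (0-9, A-F)")
    if key == DOCUMENTED_EXAMPLE:
        raise ValueError("key is the example value printed in the guide")
    if len(set(key)) == 1:
        raise ValueError("key is a single repeated digit")
    return bytes.fromhex(key)


def format_key(raw: bytes) -> str:
    """Render 8 key bytes as 16 hex digits, keeping leading zeros."""
    if len(raw) != 8:
        raise ValueError("iCLASS keys are 64 bits (8 bytes)")
    # bytes.hex() always emits two digits per byte. Formatting the integer
    # value instead (format(n, "X")) silently drops leading zeros.
    return raw.hex().upper()


def generate_key() -> str:
    """Return a random key from the OS CSPRNG that passes parse_key()."""
    while True:
        key = format_key(secrets.token_bytes(8))
        try:
            parse_key(key)
            return key
        except ValueError:
            continue  # retry on the (vanishingly rare) rejected value


if __name__ == "__main__":
    raw = bytes.fromhex("00000000000000AB")       # constructed sample value
    print(format_key(raw))                        # full 16-digit form
    print(format(int.from_bytes(raw, "big"), "X"))  # lossy form, too short
    print(generate_key())
```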
3. Restore default key to reader
This selection restores the HandReader iCLASS key back to factory default. The default ‘con-configured, non-programmed’ value is stored on blank cards. The key on the blank cards is read internally by SmartKey, and it is used
during card key changes without this selection being accessed. This menu selection is provided only in the event that an
operator encounters some unforeseen need to restore the HandReader key to its default value.
4. Change key on smart cards
This selection allows the operator to store keys on iCLASS cards that match the key value stored in the HandReader.
When this menu is selected, a sequence of sub-menu steps is initiated which prompt the operator for key values and
other choices. At the conclusion of entering these selections, the operator is prompted to present a card to the iCLASS
device. When the card is detected, the new key is stored to it. For convenience, SmartKey can repeat this sequence of
detecting cards and storing keys.
NOTE: If you change keys, you will need to document the new key and store it in a safe place. Once cards are
programmed, you can’t reconfigure them without knowing the key on the card.
1) The first sub-menu step when changing card keys requests the operator to indicate the iCLASS key that is
already on the card. In order to perform this action, the user must know the current key on their cards provided
by the card distributor. This is required because storing new keys on cards requires SmartKey to authenticate
with the existing card key. If the card is new, then select option 2 to use the default key for blank cards.
Alternately, if the card key was previously changed by SmartKey or some other utility, then select option 3 to
manually specify the key value. Note that if option 2 for using the default key is selected, SmartKey will actually
attempt card authentication using first the ‘configured, non-programmed’ key and then with the HID ‘non-configured, non-programmed’ key. This check occurs without any operator interaction.
2) The second sub-menu step when changing card keys requires the operator to indicate the new key value to be
stored on the card. If the desired key has already been stored in the reader, then option 2 can be selected to
store that same key on a card. Alternately, the operator can use option 3 to manually specify a key value. In this
case, the key is written only to the card, and the reader key value is left unchanged.
3) The third sub-menu step when changing card keys gives the operator a choice to blow the card fuse during the
key change. It is recommended that the operator answer yes to this prompt. Blowing the card fuse fixes the
portion of the card that is secured by the HandReader key. Specifically, the HandReader uses card key 2 to access
blocks 19 thru 31 in the base page of cards. When the card fuse is blown by SmartKey, the card application limit
is set to block 18 and the fuse bit is cleared. When this is complete, only card key 2 will authenticate blocks 19
thru 31.
NOTE: Caution: blowing the fuse will disallow any future reconfiguration of the key structure.
4) The fourth sub-menu step when changing card keys prompts the user to present a card to the reader. When the
card is detected, the card key storage function is performed. The operator can follow prompts to repeat the
operation on multiple cards.
5. View configuration block on smart cards
NOTE: This menu is not required for managing iCLASS keys with SmartKey.
This menu is provided as a tool for administrators who are familiar with the technical details of iCLASS card configuration
blocks.
After selecting this menu, present a card to the iCLASS reader. SmartKey will detect the card and display the
configuration block information. This is the data from block 1 in the base page of the card.