Security Features; Card Passthrough; Pam Operation Without Card Passthrough - HID PIVCLASS M2000 Installation And Configuration Manual


PLT-01628, Rev. D.2

3.2 Security features

Security features include:
- All TCP ports are closed except for a single port that only accepts authenticated requests from the pivCLASS Reader Services. The default port is 10200.
- Communication with the pivCLASS Reader Services uses 256-bit AES encryption over Ethernet TCP/IP.
- Web interface for initial PAM configuration (or for enabling SSH), accessed by means of a DIP switch setting on the PAM.
- FIPS 140-2 certified.
- Cryptographic firmware.

3.3 Card Passthrough

The PAM, through version 5 of the PAM firmware, controls the reader in slave mode. With the reader in slave mode the PAM controls all of the functions of the reader, including:
- when the reader polls (looks for a card in the RF field, and in the contact slot if equipped);
- how it polls (which technologies it polls for);
- all of the Audio Video (AV) feedback to the end user.
These polling operations are usually requested by the PAM at 100 ms - 200 ms intervals.
When operating in a PIV/TWIC PKI-only mode, the PAM issues a command to the reader to poll the High Frequency (HF) range of the reader to detect a card. Once a card is found, the PAM determines the card type. If the card is a PIV, TWIC, PIV-I, CIV, or FRAC card, the PAM then processes the data and performs validations per the current configuration. If the card is determined not to be a PIV, TWIC, PIV-I, CIV, or FRAC card, the PAM flags it as a non-valid card and stops processing it.
When Card Passthrough is enabled on the PAM, the PAM polls for the PIV/TWIC (or like) card as described above, and then issues an additional command for the reader to poll autonomously. When the reader performs an autonomous poll, it polls for every technology it is configured for and processes the card internally in the reader. The processed data is then sent down to the PAM. The PAM recognizes the data as not being from a PIV/TWIC (or like) card and passes it through to the panel (hence the "Passthrough"). This allows the reader to poll for and process technologies such as iCLASS, Seos, Prox, Mifare, DESFire, etc.

3.3.1 PAM operation without Card Passthrough

The PAM polling cycle when not in Card Passthrough mode is performed completely in slave mode. The PAM issues a command to scan the HF field and then to scan the contact slot interface:
1. Scan for PIV or like card
2. Get response
3. Scan for contact card
4. Get response
5. Disconnect (this step may not be needed)
6. Get response
7. Start over
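The polling cycle above and the Card Passthrough decision in 3.3, as an added Python model for reasoning about which credentials reach the panel; this is not HID firmware code, and the step names, card-type strings and the handling of PIV-like data arriving from an autonomous poll are assumptions.

```python
"""Constructed model of the PAM slave-mode polling cycle with and without Card Passthrough."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, List, Optional, Tuple

# Card types the PAM processes and validates itself (from the manual text).
PKI_CARD_TYPES = {"PIV", "TWIC", "PIV-I", "CIV", "FRAC"}


class Action(Enum):
    PAM_VALIDATE = auto()  # PAM processes the card and runs the configured validations
    REJECT = auto()        # flagged non-valid, processing stops
    PASSTHROUGH = auto()   # reader-processed data forwarded to the panel unchanged
    IGNORE = auto()        # nothing found, or step not applicable in this mode


@dataclass(frozen=True)
class PollResult:
    source: str                 # "pam_hf", "pam_contact" or "reader_autonomous" (assumed names)
    card_type: Optional[str]    # e.g. "PIV", "Prox"; None when no card was found


def decide(result: PollResult, passthrough_enabled: bool) -> Action:
    """What the PAM does with one poll response."""
    if result.card_type is None:
        return Action.IGNORE
    if result.source == "reader_autonomous":
        if not passthrough_enabled:
            return Action.IGNORE  # the autonomous poll is only commanded with passthrough on
        # Assumption: PIV-like data is still handled by the PAM rather than passed through.
        if result.card_type in PKI_CARD_TYPES:
            return Action.PAM_VALIDATE
        return Action.PASSTHROUGH  # non-PIV technology goes straight to the panel
    # PAM-driven HF or contact scan: only the PKI card family is processed.
    return Action.PAM_VALIDATE if result.card_type in PKI_CARD_TYPES else Action.REJECT


def run_cycle(passthrough_enabled: bool,
              reader_reports: Dict[str, Optional[str]]) -> List[Tuple[str, Action]]:
    """One polling cycle. reader_reports maps each step to the card type the constructed
    reader reports for that step (missing or None means the field/slot was empty)."""
    steps = ["pam_hf", "pam_contact"]
    if passthrough_enabled:
        steps.append("reader_autonomous")  # the extra command issued only with passthrough
    return [(step, decide(PollResult(step, reader_reports.get(step)), passthrough_enabled))
            for step in steps]


def panel_receives_non_pki(passthrough_enabled: bool, card_type: str) -> bool:
    """True if a non-PKI credential of this type would reach the panel in this mode."""
    cycle = run_cycle(passthrough_enabled, {"pam_hf": card_type, "reader_autonomous": card_type})
    return any(action is Action.PASSTHROUGH for _, action in cycle)
```

Running `panel_receives_non_pki(True, "Prox")` against `panel_receives_non_pki(False, "Prox")` shows the practical effect of enabling passthrough: credential technologies the PAM would otherwise flag as non-valid are forwarded to the panel without PAM validation.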
January 2019
Module description
11
