After discovering that many physical access control systems are not secure (for example, proximity cards based on 125 kHz), I wanted to figure out if there was a system based on public key crypto, which would be secure. Turns out there is. The U.S. Government has been using physical access control systems based on public key crypto for years. NIST designed the system and called it PIV, for Personal Identity Verification. Unfortunately, information on this technology is extremely hard to come by. I started by trying to get info from the PIV card manufacturers, but found they have no interest in speaking to anyone unless they are purchasing a large quantity of cards. Even though I had $1000 in hand that I was willing to spend to get a PIV card software dev kit, my requests went unanswered.

I continued to research options and realized that the YubiKey NEO is actually a Java Card, same as the PIV cards being used by the government. Yubico had the foresight to realize PIV could be useful, and they include a PIV applet with the NEO. So after some reading of the NIST specs and some help from the excellent people at HID Global and Yubico, I was able to glue the pieces together and get a system working. It's been a fun hobby for the past six months.

It could probably be done with any number of vendors' solutions, but I used HID's pivCLASS system along with Genetec for the physical access control system.

A full write-up with detailed instructions is available at https://docs.google.com/document/d/1fOFzxfpgi8P-HVRdtnWiTNGCDRgeXcvorEqoSXA_4sE

Some code for generating the certificates and populating a YubiKey NEO can be found on GitHub.
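The post does not spell out what actually happens when the NEO is tapped against the reader, so the following is a compact model of the PKI-based card authentication exchange that PIV uses (the Card Authentication Key in slot 9E): a CA issues the card's certificate at enrollment, the reader checks that the presented certificate chains to the CA it trusts, sends a random challenge, and verifies the card's signature over it. This is an added example written for this page, not the author's code or the GitHub repository mentioned above; the issuer name "Example PIV CA", the holder "Alice Example" and the serial numbers are made up, and the card's private key is held in memory here only so the whole exchange can run in one process (on the NEO it is generated inside the applet and cannot be read out).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key pair and certifies it; parent == nil self-signs (the CA case).
// Added example: on a real NEO the card key is generated in the applet and never leaves it.
func issue(cn string, serial int64, ku x509.KeyUsage, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(3, 0, 0),
		IsCA:                  ku&x509.KeyUsageCertSign != 0,
		BasicConstraintsValid: true,
		KeyUsage:              ku,
	}
	if parent == nil {
		parent, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// cardSign is the card's half of the exchange: sign the reader's challenge with the slot key.
func cardSign(key *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// readerVerify is the reader's half: the presented certificate must chain to the trusted CA
// and the signature must verify under the public key in that certificate.
func readerVerify(roots *x509.CertPool, cert *x509.Certificate, challenge, sig []byte) bool {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return false // not issued by the CA this reader trusts
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func randomChallenge() []byte {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no sane fallback if the OS CSPRNG fails
	}
	return b
}

// scenarios enrols one card and taps the reader twice: once as the genuine card answering a fresh
// challenge, once as a clone replaying the copied certificate plus a captured signature.
func scenarios() (genuine, replay bool, err error) {
	caKey, caCert, err := issue("Example PIV CA", 1, x509.KeyUsageCertSign, nil, nil) // hypothetical issuer
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	cardKey, cardCert, err := issue("Alice Example", 1001, x509.KeyUsageDigitalSignature, caCert, caKey) // constructed holder
	if err != nil {
		return
	}
	challenge := randomChallenge()
	sig, err := cardSign(cardKey, challenge)
	if err != nil {
		return
	}
	genuine = readerVerify(roots, cardCert, challenge, sig)
	replay = readerVerify(roots, cardCert, randomChallenge(), sig)
	return
}

func main() {
	genuine, replay, err := scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine card accepted:", genuine, "| cloned data replayed:", replay)
}
```

The contrast with a 125 kHz prox card is the point of the second tap: everything a skimmer can read from a PIV card (the certificate, and any signature it overhears) is public data, and because the reader picks a new challenge every time, replaying it fails; only the holder of the non-exportable private key can answer. A certificate issued by any CA other than the one the reader is configured with is rejected before the signature is even examined.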

Video of the NEO opening a door protected by pivCLASS:

I also made a video of a traditional PIV card opening the same pivCLASS system:

Enjoy. If you have questions or suggestions for improvement, please send me a message.