AES-128Anti-Clone13.56 MHz
High-Security Access Cards
High-security access cards are designed for environments where a cloned credential could be costly: research laboratories, data centers, exam halls, secure storage, and dorms with restricted access. They use 13.56 MHz contactless technology with AES-128 encryption and mutual authentication between card and reader, making each tap cryptographically signed rather than a static identifier. Combine with photo personalization, anti-tamper laminate, and unique serial numbering for end-to-end credential integrity.
Ideal for
- Research lab and data centre entry
- Dormitory and student-housing access
- Exam hall identity verification
- Secure storage, archives, and pharmacy areas
Features
- AES-128 encrypted contactless authentication (mutual challenge-response)
- Diversified per-card keys (cloning a single card does not break the system)
- Anti-tamper laminate with security overlay
- Unique serial numbering and laser-etched ID
- Optional UV-only ink for visual authenticity check
- Compatible with major access platforms
Specifications
Physical
MaterialPVC / PET / Composite
SizeCR80 (85.6 x 54mm)
Thickness0.76mm standard
Technical
Frequency13.56 MHz HF
Read RangeUp to 10cm
SecurityAES-128, mutual authentication, diversified keys
Ordering
MOQ500 pieces
Lead Time2-3 weeks standard
Compatibility
| Platform / use case | Supported | Notes |
|---|---|---|
| High-security access platforms | Yes | Built for environments where a cloned credential would be costly — research labs, data centres, exam halls, secure storage. |
| Multi-factor entry workflows | Yes | Card serves as the 'something you have' factor; works alongside PIN, biometric, or tailgating-detection cameras for layered security. |
| FIPS 140-2 / CC validated platforms | Yes | Compatible with platforms requiring FIPS-validated cryptography when paired with the issuer's validated HSM. |
| Audit / SIEM integration at the reader | Yes | Each tap signs a unique transaction, giving the SIEM cryptographic non-repudiation per entry event. |
Encoding options
- AES-128 with diversified per-card keys (cloning one card does not compromise others)
- Mutual authentication on every tap (each entry is cryptographically signed)
- Optional Secure Unique NFC / Transaction MAC for replay-proof exchanges
- Per-zone authorization keyed at the panel, not on the card
Sample-kit workflow
- 1Share the high-security platform name + threat model (cloning, replay, key exfiltration).
- 2We propose a key-derivation scheme + HSM integration approach.
- 3Sample kit ships with 5 cards using your test master key.
- 4Penetration-test the cards against your threat model.
- 5Sign-off and production with master keys issued via your HSM (we never see them in plaintext).
What to watch for
Common pitfalls during a card-program rollout and how we address them.
⚠ Master key compromise risk via supply-chain
Master keys generated and held in your HSM. We receive only per-card derived keys (or generate them on-site with a vendor-supplied key-injection station you authorize).
⚠ Card lost in a high-value zone
Reader instantly revokes the credential ID at the panel level; each diversified key is per-card, so revocation doesn't affect any other credential.
⚠ Reader firmware vulnerability allows downgrade attack
AES-128 doesn't negotiate down — readers either authenticate at AES-128 or refuse. Sample-kit tests confirm no downgrade path is exposed by the panel firmware.
Frequently asked questions
- How is this different from the standard access control card?
- Standard access cards rely on the access platform for security; the chip is mostly an identifier. High-security cards push security INTO the chip — diversified keys, mutual authentication on every tap, anti-tamper laminate, and an explicit threat model the buyer can audit. Use these for lab/data-centre/exam-hall zones where a cloned credential would actually be expensive.
- What does 'diversified keys' actually buy me?
- Without diversification, every card shares the same master key — clone one card and you can clone them all. With diversification, each card's authentication key is uniquely derived from a master + the card's UID. The master never leaves the issuer's HSM. Cloning one card's behavior requires breaking AES-128 cryptography, not just stealing a card.
- Do you ever see our master keys?
- No. Master keys live in your HSM. We receive either (a) per-card derived keys you compute on your side and ship to us, or (b) we host a key-injection workflow where your HSM produces derived keys on demand during our encoding step, without exposing the master.
- What's the read range and reader compatibility?
- 13.56 MHz HF, 0-10 cm read range, ISO 14443A. Works with any modern access reader that supports AES-128 mutual authentication. We confirm the specific reader-platform combination during the sample-kit phase.
- Can these replace student ID cards for general campus use?
- They can, but you'll pay for unused security. Most campuses use these only for high-security zones and stick with standard cards for general access + dining + library. Mixed-credential issuance (standard cards for general use, high-security cards for restricted zones) is a common pattern.
Related Products
Multi-FrequencyPhoto IDNFC
Student ID Cards
RFID student ID cards for US universities and universities worldwide — campus access, dining, library, and all campus services on a single credential.
HF 13.56MHzSelf-CheckoutISO 15693
Library Cards
RFID cards for automated book checkout, attendance tracking, and resource management across campus libraries.
ContactlessAES-128NFC
Payment Cards
Cashless payment RFID cards for campus dining halls, bookstores, vending machines, and laundry facilities.
Ready to order?
Get a custom quote for high-security access cards tailored to your institution's needs.
