Strong Authentication


The term "strong authentication", as used in the security industry, means two-factor authentication, supplemented where appropriate by a biometric and/or public key cryptography. In most physical access deployments the smart card credential is the first factor (something you have) and the PIN submitted to the card is the second factor (something you know). Public Key Infrastructure (PKI) is the framework that lets users of an open network secure transactions with a public-private cryptographic key pair. It is built on public key cryptography, in which anyone holding a public key can encrypt a message that only the matching private key can decrypt, and a message sender is authenticated by a digital signature that only the private key can produce and any holder of the public key can verify.

Traditional (symmetric) cryptography relies on creating a single secret key and sharing it between the parties, who use it for both encryption and decryption. A shared-secret system has a significant weakness: anyone who discovers or intercepts the shared key can decrypt every message and impersonate either party, and the key must first be distributed securely to everyone who needs it. In public key cryptography only the public key is shared (freely), and the private key never leaves its owner (see the further description below). For this reason public key cryptography and the Public Key Infrastructure (PKI) are the preferred approach when there are many users, such as within the Federal Government.

PKI is the foundation of trust in the Federal Government's Personal Identity Verification (PIV) program. PIV credentials are issued with up to four PKI certificates, each based on its own public-private key pair. The certificates are issued by a government-certified, and therefore "trusted", Certificate Authority (CA); the trust a relying party places in a card rests on that CA, not on the card itself.

Two of the certificates on a PIV card are appropriate for use in physical access: the PIV Authentication Certificate (the personal identity certificate) and the Card Authentication Certificate. The private key for the PIV Authentication Certificate (the "PAK") can only be exercised over the contact interface and only after the PIN has been entered, while the private key for the Card Authentication Certificate (the "CAK") can be exercised over the contactless interface and requires no PIN. Either certificate can be used to raise the assurance level of an access control transaction above that of a plain identifier read. Using the PIV Authentication Certificate provides high-assurance two-factor authentication: the private key challenge shows the credential is genuine, and the PIN shows it is being presented by its true owner. Using the Card Authentication Certificate alone proves the card is genuine but says nothing about who is holding it.

Using PKI certificates in a physical access system protects against the use of revoked credentials and mitigates the use of cloned cards. Two PKI mechanisms must both be used. First, the certificate must be checked against its issuing CA's Certificate Revocation List (CRL), or an equivalent OCSP responder, at enrollment and periodically thereafter (typically every 18 hours; the CRL's nextUpdate field states when a cached copy becomes stale) to be sure that it remains valid. If the certificate ever shows as revoked, access should be denied immediately. The second mechanism is challenge-response. At enrollment, when the system checks revocation status, it should also challenge the private key that pairs with the certificate's public key: the system sends the credential a fresh random challenge, the credential signs it with its private key, and the system verifies the signature with the public key taken from the certificate. A successful verification proves the credential holds the private key paired to the certificate. The certificate and the identifier it contains are public data that can be copied onto another card; the private key, which never leaves the card, cannot, so a clone fails the challenge.

To maintain the integrity of the PKI process, the reader should repeat the same checks when the credential is presented at the door. The reader uses the public key of the issuing CA to verify the certificate's digital signature, which assures that the FASC-N identifier carried in the certificate is genuine and has not been altered. Treating the digital certificate as the first authentication factor and executing a private key challenge ensures the FASC-N has not simply been copied from one card to another. Finally, entry of the PIN ensures the credential is being presented by its owner. Only when the signature verifies and the challenge succeeds does the reader send the FASC-N to the access control system for the authorization decision; a reader that forwards the FASC-N before the challenge completes has reduced the credential to a copyable number.

This PKI procedure requires that the reader have access to the public key of the CA. To know a CA's public key the reader must either have on-line connectivity or store the certificates of every CA whose cards it is expected to accept. This is normally done by flash-upgrading the readers with each CA's public key, which means that a new issuing CA, or a CA key rotation, requires a reader update before its cards will be accepted. That stored list is the reader's trust anchor and should be loaded only through an authenticated update path, since a reader that accepts an attacker's CA key will accept the attacker's cards.
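The enrollment and door-reader procedure described above (verify the CRL, verify the issuer's signature on the certificate, then challenge the private key) in working form, as an added example that is not part of this page or of any product it describes. It is written in Go against the standard library only and makes several simplifying assumptions: a toy self-signed CA stands in for a Federal PKI CA, the FASC-N is carried in the certificate's DN serialNumber attribute rather than in the PIV subjectAltName otherName, and the FASC-N values used are constructed placeholders. The Clone function models an attacker who copied the certificate off a genuine card but could not extract its private key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Card is what a reader sees of a PIV card: a freely readable certificate and a
// signing operation backed by a private key that never leaves the chip.
type Card struct {
	CertDER []byte
	Sign    func(digest []byte) ([]byte, error)
}
// Issuer is a toy CA standing in for a Federal PKI CA; its failures panic so the reader side stays readable.
type Issuer struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
// signer hands out signatures the way the chip does, without ever exposing the key.
func signer(key *ecdsa.PrivateKey) func([]byte) ([]byte, error) {
	return func(d []byte) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, key, d) }
}
func NewIssuer() *Issuer {
	key := newKey()
	skid := sha256.Sum256(must(x509.MarshalPKIXPublicKey(&key.PublicKey))) // CRL signing needs a SubjectKeyId
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example PIV CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), SubjectKeyId: skid[:],
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &Issuer{Cert: must(x509.ParseCertificate(der)), Key: key}
}
// IssueCard issues a card authentication certificate. Real PIV certificates carry the
// FASC-N in a subjectAltName otherName; the DN serialNumber attribute stands in for it here.
func (ca *Issuer) IssueCard(serial int64, fascn string) *Card {
	key := newKey()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject:   pkix.Name{CommonName: "Card Authentication", SerialNumber: fascn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key))
	return &Card{CertDER: der, Sign: signer(key)}
}
// IssueCRL signs a CRL listing the given serials; NextUpdate mirrors the 18-hour refresh
// interval the text mentions, after which a reader must treat its cached copy as stale.
func (ca *Issuer) IssueCRL(revoked ...int64) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(18 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key))
}
// Clone copies a card's certificate onto a chip with a different key: all an attacker who can read but not extract can do.
func Clone(orig *Card) *Card { return &Card{CertDER: orig.CertDER, Sign: signer(newKey())} }

// Authenticate is the reader side. It uses only what was flashed into the reader (CA certificate,
// cached CRL) and returns the FASC-N to hand to the access control system, or an error if any check fails.
func Authenticate(ca *x509.Certificate, crlDER []byte, card *Card) (string, error) {
	now := time.Now()
	// The CRL is itself signed: verify it against the CA and refuse a stale copy.
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil || now.After(crl.NextUpdate) {
		return "", errors.New("no usable CRL: unparseable, not signed by the trusted CA, or stale")
	}
	// 1. Issuer signature and validity period: binds the FASC-N and public key to the trusted CA.
	cert, err := x509.ParseCertificate(card.CertDER)
	if err != nil || cert.CheckSignatureFrom(ca) != nil || now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", errors.New("certificate unparseable, not issued by the trusted CA, or outside its validity period")
	}
	// 2. Revocation: deny any serial number listed on the CRL.
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "", errors.New("certificate revoked")
		}
	}
	// 3. Challenge-response: a fresh random challenge defeats replay, and only the holder of
	// the certified private key can sign it, so a clone that copied the certificate fails here.
	challenge := make([]byte, 32)
	must(rand.Read(challenge))
	digest := sha256.Sum256(challenge)
	sig, err := card.Sign(digest[:])
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if err != nil || !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("challenge failed: card does not hold the certified private key")
	}
	return cert.Subject.SerialNumber, nil
}
```

Authenticate deliberately treats a missing, unverifiable or stale CRL as a hard failure rather than skipping the revocation check: a reader that has not refreshed its CRL within the issuer's nextUpdate window is making decisions on unverified revocation state. The challenge is freshly random for every transaction; a fixed or predictable challenge would let a clone replay a signature captured from the genuine card and pass step 3 without holding the key.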

