Restricted Area Identity Cards (CA)
Friday, Oct 4, 2024 | 6 minute read | Updated at Friday, Oct 4, 2024
A Restricted Area Identity Card (RAIC) is the first line of defence used by Canadian aerodromes for security and authentication. It is used for identifying and managing access to secure and airside areas at Canadian airports. The system is a sophisticated security measure mandated by Transport Canada to ensure that only authorized personnel have access to secure zones of airports. The RAIC card is not merely a physical identification card, but is embedded with advanced biometric technologies to ensure stringent access control.
Purpose
- Controlling access to restricted areas
- Authenticating individuals for access to secure and airside areas
- Providing a tamper-resistant method of verifying identities
- Ensuring compliance with ICAO regulations
Types
RAICs are physical smartcards, containing information such as:
- The cardholder’s name
- A unique Identification Number
- Biometric data (for fingerprints and iris scans)
- Security clearance level
- Access privileges
The RAIC smartcard is designed to resist tampering and cloning. It employs cryptographic methods to store and protect the biometric data and other sensitive information. The card is also equipped with contactless capabilities, allowing it to be scanned by readers without direct physical contact.
Technical Architecture
Physical Card
The RAIC card is a smartcard—a plastic card embedded with an integrated circuit that stores encrypted data. The card contains information such as:
- The cardholder’s name
- Unique identification number
- Biometric data (fingerprints and iris scans)
- Security clearance level
- Access privileges The RAIC smartcard is designed to resist tampering and cloning. It employs cryptographic methods to store and protect the biometric data and other sensitive information. The card is also equipped with contactless capabilities, allowing it to be scanned by readers without direct physical contact.
Biometrics
The RAIC system leverages two key biometric identifiers: fingerprints and iris scans. These are stored on the card and are used to verify the identity of the cardholder when accessing restricted areas. The use of two-factor biometric authentication strengthens security by ensuring that the individual not only possesses the card but also matches the biometric data associated with it.
Backend Infrastructure
The RAIC system is connected to a centralized Access Control System (ACS) managed by airport authorities and Transport Canada. The ACS is responsible for:
- Issuing and revoking RAIC cards.
- Storing and managing access rights.
- Logging access attempts and generating audit trails.
- Communicating with biometric readers in real-time.
Limited information is available on the implementation details of the ACS (read: TC didn’t reply to my request), but it is likely to be based on an X.509-like architecture, where Transport Canada holds the root certificate, and each airport card issuer holds an intermediate certificate.
Implementation
Enrolment Process
Before receiving a RAIC card, individuals must undergo a security clearance process conducted by Transport Canada. This involves background checks, criminal record checks, and employment verification. Once cleared, the individual’s biometric data (fingerprints and iris scans) is captured and stored both in the central database and on the smartcard itself. After biometric data is collected, the smartcard is programmed with the individual’s unique information and clearance level. The card is then issued to the employee, who can begin using it to access restricted areas.
Access Control
Once the RAIC cards are deployed, access control is managed through a combination of proximity readers (for card scanning) and biometric readers (for fingerprint or iris verification). Each time an individual attempts to access a restricted area, the system checks:
- Whether the card is valid and active
- Whether the cardholder’s biometric data matches that stored on the card
- Whether the individual has the necessary clearance level for the specific area
This access attempt is logged in the central ACS system, creating an auditable trail.
Security Features
Biometric Identifiers
The use of biometric identifiers (fingerprints and iris scans) significantly increases the security of the system. Biometrics are inherently difficult to replicate or forge, making unauthorized access much more challenging. By requiring both possession of the RAIC card and a matching biometric scan, the system provides two-factor authentication, which is a substantial improvement over traditional access control methods (such as keycards or PINs alone).
Real-Time Access Control
The centralized backend system provides real-time updates to access permissions. If an employee’s status changes (e.g., termination, suspension, or demotion), their access can be immediately revoked across the entire system. This ensures that only individuals with up-to-date permissions can access restricted areas at any given time.
Compliance with International Standards
The RAIC system helps Canadian airports comply with international security standards set by the International Civil Aviation Organization (ICAO) and other global aviation authorities. This ensures that Canada’s airports remain secure and aligned with global best practices in aviation security.
Tamper Resistance
The smartcard technology used in RAIC cards (MiFare DESFIRE) is designed to resist tampering and copying. The cryptographic methods used to store and protect biometric data make it nearly impossible for malicious actors to create counterfeit cards.
Comprehensive Audit Trails
The RAIC system generates detailed logs of access attempts, including the identity of the individual, the time of access, and the specific area accessed. These audit trails are invaluable for investigating security breaches or suspicious activities, as well as for routine security monitoring.
Key Weaknesses
Cost of Implementation
The RAIC system requires significant investment in infrastructure, including the installation of biometric readers, smartcard issuance systems, and the backend access control infrastructure. Additionally, the ongoing maintenance of this system, including updating software, replacing hardware, and reissuing cards, can be costly for airport authorities.
Processing Time
RAICs are notorious for their multi-month long backlog for issuance. Transport Canada stated that “The usual processing time for Transport Security Clearances is between 3-5 months.” Additionally, all background checks are handled by the same bodies (the RCMP and CSIS), both of which have multi-month long backlogs of their own. Canadian pilots are usually issued an “escort pass”, which can be used at training aerodromes prior to receiving a RAIC. However, these contain none of the security features of the RAIC.
Privacy Concerns
The collection and storage of biometric data raise privacy concerns. Although the data is encrypted and securely stored, there is always a risk of data breaches or unauthorized access to sensitive personal information. Ensuring that the system complies with Canadian privacy laws and addressing these concerns through transparency and safeguards is crucial.
Technical Failures
As with any electronic system, there is the potential for technical failures. Hardware malfunctions, network outages, or software bugs could disrupt the RAIC system and prevent authorized individuals from accessing restricted areas. Redundancy and backup systems are essential to mitigate these risks.
STAR rating
- Security: RAIC is an extremely difficult system to bypass without getting caught. The use of biometrics makes threats of terrorism extremely difficult. 5/5
- Throughput: RAIC falls behind in throughput due to the length of processing time for new cards, as well as the additional overhead of iris and fingerprint scans. The use of a central database which may crash at any time is also a knock for throughput. 2/5
- Accuracy: RAIC is more prone to type 2 than type 1 errors, but the use of biometrics makes these extremely rare in either case. 4/5
- Response: RAIC infrastructure is extremely well secured, with no known breaches since its implementation into CATSA. 5/5