Can a smart card be used securely for multiple applications (and among multiple companies)? End users are demanding such interoperability, and they also want openness to switch out their access control systems in the future without being “locked in” to one vendor.
Those are the goals of the LEAF Identity consortium, a group of companies that share a common card data layout and a common key-management model so that a single MIFARE DESFire EV2 chip card can be used with readers and applications from multiple vendors.
Smart card systems - more secure
Almost everyone in the industry now knows that low-frequency (125 kHz) “prox” cards are not secure; in fact, low-cost cloning equipment is readily and inexpensively available. As the industry transitions to encrypted cards, challenges of interoperability persist.
What keeps smart card systems more secure is that the card holds secret cryptographic keys (for DESFire EV2, 128-bit AES keys, usually written as 32 hexadecimal characters) that never leave the chip. When a card is presented to a reader, the two sides exchange a challenge and a response over the radio-frequency (RF) interface, so an eavesdropper captures only one-time values rather than a number that can be replayed. The most recent EV2 card enables one key to be used for up to 16 devices (and among a variety of manufacturers).
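The difference between a broadcast prox number and a keyed challenge-response, as an added example that is not part of the original article and not LEAF's or NXP's code. A 16-byte key of the size described above is constructed for the demo, and HMAC-SHA256 from the Python standard library stands in for the card's AES operation; the message layout is a simplified mutual authentication, not the exact DESFire EV2 command sequence. The point it shows is that a recording of one genuine exchange authenticates a cloned prox card but not a cloned smart card, because the reader's challenge is fresh each time.

```python
import hashlib
import hmac
import secrets

# Constructed demo key: 16 bytes = 128 bits, i.e. 32 hex characters, the
# same size as a DESFire EV2 AES key. Made up for this example only.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed pseudorandom function standing in for the card's AES engine.
    HMAC-SHA256 is used only because it is in the standard library."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


class ProxCard:
    """125 kHz prox behaviour: the same fixed number for every reader."""

    def __init__(self, card_number: int):
        self.card_number = card_number

    def respond(self) -> bytes:
        return self.card_number.to_bytes(4, "big")


class ProxReader:
    def __init__(self, allowed_numbers):
        self.allowed = set(allowed_numbers)

    def authenticate(self, card) -> bool:
        return int.from_bytes(card.respond(), "big") in self.allowed


class SmartCard:
    """Challenge-response card: holds the key, never transmits it."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, reader_nonce: bytes):
        card_nonce = secrets.token_bytes(16)
        tag = prf(self._key, b"card" + reader_nonce + card_nonce)
        return card_nonce, tag

    def verify_reader(self, reader_nonce, card_nonce, reader_tag) -> bool:
        expected = prf(self._key, b"reader" + card_nonce + reader_nonce)
        return hmac.compare_digest(expected, reader_tag)


class SmartReader:
    def __init__(self, key: bytes):
        self._key = key

    def authenticate(self, card) -> bool:
        reader_nonce = secrets.token_bytes(16)  # fresh for every presentation
        card_nonce, tag = card.respond(reader_nonce)
        expected = prf(self._key, b"card" + reader_nonce + card_nonce)
        if not hmac.compare_digest(expected, tag):
            return False  # card could not answer this challenge
        reader_tag = prf(self._key, b"reader" + card_nonce + reader_nonce)
        return card.verify_reader(reader_nonce, card_nonce, reader_tag)


class ReplayClone:
    """Attacker that sniffed one genuine exchange and replays it verbatim."""

    def __init__(self, captured_card_nonce, captured_tag):
        self._card_nonce, self._tag = captured_card_nonce, captured_tag

    def respond(self, reader_nonce):
        return self._card_nonce, self._tag  # ignores the new challenge

    def verify_reader(self, *_):
        return True  # accepts any reader


def demo() -> dict:
    # Prox: copying the broadcast number is a complete clone.
    prox_reader = ProxReader([123456])
    prox_clone = ProxCard(int.from_bytes(ProxCard(123456).respond(), "big"))

    # Smart card: record one exchange, then try to replay it to the reader.
    reader, card = SmartReader(DEMO_KEY), SmartCard(DEMO_KEY)
    sniffed_nonce = secrets.token_bytes(16)
    clone = ReplayClone(*card.respond(sniffed_nonce))

    return {
        "prox_clone_accepted": prox_reader.authenticate(prox_clone),
        "genuine_card_accepted": reader.authenticate(card),
        "replay_clone_accepted": reader.authenticate(clone),
        "wrong_key_card_accepted": reader.authenticate(SmartCard(bytes(16))),
    }


if __name__ == "__main__":
    print(demo())
```

The replay fails because the tag binds the reader's nonce, which differs on every presentation; the card with the wrong key fails the same check. Note that this protects the RF exchange only: if the key is read out of a reader or a key-management system, the attacker can emulate a card directly, which is why the custody of keys discussed later matters as much as the card chip.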
[Image: LEAF Identity Consortium enables interoperability with encrypted smart cards]
The LEAF consortium enables this sharing through a published specification that ensures each manufacturer's readers interact with the card chip in the same way. Specifically, each card follows a "shared data structure": the credential information is placed on the chip in a predictable and consistent layout, and member companies adhere to that layout so that a single credential works across their products. There are no license fees or intellectual property rights involved.
The approach involves a LEAF Cc (Custom Cryptographic) key: a secret key owned by the end user but managed on the end user's behalf by a third party.
“When we present these concepts to integrators, they realize that, first, they need to get their clients to pay attention to the risks around proximity cards and to migrate to encrypted card technology,” says Laurie Aaron, Executive Vice President, WaveLynx Technologies Corp. “Then we explain the benefits of custom-owned keys and of the LEAF data structure. Then integrators can differentiate themselves by selling the value of the end user staying in control and having unlimited interoperability.”
Access control manufacturer WaveLynx is implementing the LEAF concept, which is the brainchild of CEO Hugo Wendling, who saw the advantages of leveraging the ability of an EV2 chip card to authenticate access to multiple applications.
Key management service
WaveLynx set up the specification, maintains the website, and is involved when a manufacturer wants to become LEAF-enabled. They provide a key management service (for life) to end users based on LEAF capabilities.
End users "own" the keys and can ask to share them with any other manufacturer. Sharing a key involves two key custodians (engineers), each of whom has access to only half of the key, so that no single person can reconstruct it.
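The two-custodian arrangement just described, as an added example that is not LEAF's or WaveLynx's code. The article says each custodian holds "half" of the key; the block below contrasts literal halves, where a lone custodian of a 128-bit key is only 64 bits short of it, with the split-knowledge approach used in payment key management, where each custodian holds a full-length random component and the key is the XOR of all components, so any incomplete set of custodians learns nothing. The key value and the truncated-hash check value are constructed for the example (a real key check value would be AES-based); which of the two splits LEAF uses is not stated in the article.

```python
import hashlib
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key_halves(key: bytes):
    """Literal halves: custodian 1 holds the first 8 bytes, custodian 2 the last 8."""
    mid = len(key) // 2
    return key[:mid], key[mid:]


def join_key_halves(first: bytes, second: bytes) -> bytes:
    return first + second


def split_key_xor(key: bytes, custodians: int = 2):
    """Split knowledge: every custodian gets a full-length random component;
    the key is the XOR of all of them. Any proper subset of components is
    uniformly random and independent of the key."""
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)
    return components + [last]


def join_key_xor(components) -> bytes:
    key = bytes(len(components[0]))
    for c in components:
        key = xor_bytes(key, c)
    return key


def check_value(key: bytes) -> str:
    """Short value the custodians compare after reassembly to confirm they
    rebuilt the same key without exposing it. Truncated SHA-256 is a
    stand-in for an AES-based KCV."""
    return hashlib.sha256(key).hexdigest()[:6]


def bits_to_guess(key: bytes, scheme: str) -> int:
    """Brute-force work, in bits, left to a single rogue custodian."""
    if scheme == "halves":
        return 8 * (len(key) - len(key) // 2)
    if scheme == "xor":
        return 8 * len(key)
    raise ValueError(scheme)


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
    a, b = split_key_halves(key)
    c1, c2 = split_key_xor(key)
    print("halves:", a.hex(), b.hex(), "-> one custodian must guess", bits_to_guess(key, "halves"), "bits")
    print("xor   :", c1.hex(), c2.hex(), "-> one custodian must guess", bits_to_guess(key, "xor"), "bits")
    print("rebuilt key check value:", check_value(join_key_xor([c1, c2])), "expected", check_value(key))
```

In either scheme the two custodians should enter their parts into the key-loading device separately and compare only the check value, never the assembled key; the XOR form is what makes "only half the key" genuinely mean that one person alone cannot shortcut the search.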
The LEAF consortium provides a way for smaller manufacturers to work together to increase their market share without putting anyone’s intellectual property at risk. Working together, smaller manufacturers can assemble systems to compete more effectively with larger manufacturers. In effect, they combine their capabilities rather than compete.
LEAF Consortium partners include Allegion, ASSA ABLOY, Brivo, Eline by DIRAK, Linxens, RFIDeas, and Telaeris. Biometric partners include Idemia and IrisID. Biometric devices may store the biometric template either on the card or in a central database that is looked up by the badge number. The LEAF standard continues to evolve in terms of where a biometric template is stored on the chip.
Although the standard does not currently offer mobile credentials, mobile functionality will be available by the second quarter of 2021 (or sooner).