This article originally appeared in the September 2020 issue of Security Business magazine. When sharing, don’t forget to mention @SecBusinessMag on Twitter and Security Business magazine on LinkedIn.
On the long march towards security industry hardware interoperability, we have seen impressive strides in recent years. IP-enabled communication enabled many of these changes, but industry forums like ONVIF and OSDP have helped foster an environment where end-users are free to pick and choose best-of-breed hardware to meet their specific needs.
That said, one area that has remained largely untouched is access control, where proprietary data models have long been the norm. Enter LEAF Identity (not an acronym), a consortium of industry partners seeking to define open and interoperable standards for access control components.
The main goal of LEAF is to define a set of standards for access control readers and credentials that would enable full interoperability between manufacturers – allowing any LEAF credential to be read on any LEAF-compatible reader or end-device.
The LEAF Consortium has developed technical specifications and reference designs for how access control data should be stored and read and has focused only on industry-standard secure transaction protocols. You will not find mention of 125kHz proximity or magstripe anywhere in the LEAF standards, for instance. The consortium is backed by an impressive cross-section of industry heavyweights including Allegion, ASSA ABLOY, Idemia and Wavelynx Technologies.
Inside the Standards
The LEAF consortium initially devised two standards. The intent of LEAF Secure Issuance (Si) was to come with a standard set of keys, precluding an end-user from needing to manage keys for their organization. LEAF Custom Cryptographic (Cc) was developed for end-users wishing to own their own encryption keys – which itself has rapidly become the most widely used standard.
LEAF Cc adds an additional layer of security by requiring a reader to be loaded with a user’s key before it will read the LEAF Cc credential. A LEAF Cc credential comes pre-programmed with 24 unique keys (16 dedicated to access control applications), so different keys can be used for device types, regions or user groups. For example, if an end-user uses different card reader manufacturers in different locations, they can share a different key with each manufacturer. Both keys will enable the card reader to read the badge number, but if a key is compromised or a manufacturer is phased out, the key can be disabled without effecting devices across the entire organization.
LEAF is based on the MIFARE DESFire EV2 credential configured with full AES 128-bit encryption. Both 4K and 8K memory sizes can be used. End-users who have DESFire EV2 readers in the field can already take advantage of LEAF credentials, permitting they have programmed the reader with the correct encryption key. An added benefit is that end-users with readers wired using OSDP can boot load the encryption keys to their readers remotely.
While the LEAF standard is based on DESFire EV2, the LEAF consortium chose to ensure backward compatibility with EV1, since EV2 has been slow to propagate the industry. Compatibility with EV3 – currently available – is on the LEAF roadmap.
The Impact
“A 100-percent LEAF-enabled world means that users will have a secure credential for all applications, and this will enable them to use a single card or mobile credential (coming soon) for secure access to those applications,” explains Laurie Aaron, EVP for WaveLynx Technologies, a reader and credential manufacturer that has been at the forefront of LEAF.
Since its inception, the LEAF Consortium has focused on secure transactions. “Today, the homogeneous credentials that are used are convenient, but they are not secure,” Aaron continues. “Magnetic stripe, QR codes and low-frequency proximity are compatible for most applications, but they are easily cloned and thereby compromised. In order to really have a secure credential, it must be encrypted, which poses compatibility challenges.
“LEAF-enabled devices have been configured to recognize the LEAF data structure,” Aaron adds. “LEAF Cc empowers the end-user to share their key with multiple device manufacturers as necessary, meaning that everything from card readers to vending machines can operate using the same secure credential. When LEAF credentials and devices are used in concert, it results in unlimited interoperability, meaning the secure LEAF Cc credential can be used for all applications that are LEAF Cc enabled.”
Future Initiatives
With a gradual trend towards mobile credentialing, LEAF is poised to be at the forefront of the adoption curve. “Similar to the LEAF Cc DESFire EV2 card credential, the LEAF Consortium is devising a mobile data structure that will be openly available to all manufacturers who wish to enable their mobile apps and their Near Field Communication (NFC) devices to read an end-user's custom key mobile credential (LEAF CcM),” Aaron explains. “The difference being the credential resides in the smartphone, utilizing the Apple or the Google Wallet rather than a person's back-pocket wallet. This is not available today, but it is actively being developed.”
According to Aaron, the LEAF adoption curve is strong, but has been driven predominantly by end-users. “The end-users motivate the manufacturers, so as they roll out their secure encrypted LEAF Cc credentials (most are transitioning from low frequency proximity to DESFire Ev2) they replace their peripheral devices as well as their access control readers,” she says. “As they do that, they reach out to more manufacturers. Today there are approximately 12 manufacturers who have enabled multiple devices to read LEAF credentials.”
As adoption grows, so do the use cases for integrators to use for proof of concept. “Coca Cola Vending achieved LEAF read capability within two weeks of a request from a major educational institution,” Aaron reports. “As end-users transition to LEAF, manufacturers will engage.”
Learn more about LEAF – including a list of current LEAF-compatible manufacturers, and downloadable Technical Specifications – at http://leafidentity.com.
Brian Coulombe is Principal and Director of Operations at DVS, a division of Ross & Baruzzini. Contact him at [email protected], through Linked in at www.linkedin.com/in/brian-coulombe, or on Twitter @DVS_RB.
