Card, mobile credential, payment and security
Asymmetric encryption forms the backbone of this vendor-neutral approach to identity management
Jason Ouellette, Vice President of Innovation and Technical Partnerships for ELATEC and Chairman of the Board for the Physical Security Interoperability Alliance (PSIA), discusses the Alliance’s latest specification called Public Key Open Credential (PKOC).
“PSIA is dedicated to bringing open standards and specifications to solve complex problems for access control,” he says, noting that the group has long recognized the industry challenge of siloed, non-interoperable credential systems.
Ouellette stresses the importance of interoperability. He outlines how PKOC improves on typical credential technologies by shifting from symmetric to asymmetric encryption.
With asymmetric encryption, there is no key. Thus, there's no argument of who owns it or how to secure it.
Symmetric systems rely on shared secrets between reader and credential manufacturers, creating vulnerabilities and key ownership challenges. In contrast, PKOC’s asymmetric model uses hashing rather than shared keys. He says this provides a much higher degree of security and eliminates debates over key ownership or control.
Ouellette emphasizes PKOC’s role in easing transitions for institutions with large installed infrastructures. He highlights the difficulty many organizations face when considering wholesale reader replacement or campus-wide credential reprovisioning.
“Using something like PKOC enables the ability to migrate slowly over time in a way that you can afford,” he explains.
PKOC-enabled devices support multiple technologies, allowing old credentials to function with new readers and vice-versa until the migration is complete. This staged approach reduces disruption while ultimately leading to a fully modernized, more secure system.
Although PKOC is still emerging – with only about three years since inception and its first commercial deployment occurring this year – Ouellette encourages stakeholders to explore PSIA’s educational resources, including a detailed Q&A available on the Alliance’s website.
To watch the full interview, click the image at the top of this page.
TRANSCRIPT
In this episode of CampusIDNews Chats, we spoke with Jason Ouellette, Vice President of Innovation and Technical Partnerships for ELATEC, who also serves as Chairman of the Board for the Physical Security Interoperability Alliance. He discussed the Alliance’s new Public Key Open Credential (PKOC) standard, which provides interoperability to both mobile and smart card credentials.
Here’s what he said:
I'm Jason Ouellette and I'm the Vice President of Innovation and Technical Partnerships for ELATEC, but I also serve as Chairman of the Board for the Physical Security Interoperability Alliance, a consortium of companies aimed at trying to bring open standards and specifications to solve complex problems for access control and specifically credentials today.
So PSIA or the Physical Security Interoperability Alliance has been around for over 15 years. It is made up of a lot of players that are in either physical access control, credentials, locks, identity management, integrators – so a community that has understood the challenge of not having an interoperable solution for using credentials.
We've come together to one common table to try to solve this problem, which is where Public Key Open Credential (PKOC) comes from.
The alliance previously brought out the Physical Logical Interoperability Access Standard or PLAI, which is commercialized today, and now our second specification that's been released is the Public Key Open Credential.
So one of the first questions people really come to is what are the benefits of interoperability? Why is this important? Why should I care?
The challenge is we're living in a world where typically my credential works with my reader, and what that causes is the problem of being able to get one credential that can work across an entire ecosystem.
So interoperability is about solving that problem, bringing down the complexity and being able to use one credential for everything.
Public Key Open Credential is a higher degree of security over what most credentials offer today, with the difference really being symmetric versus asymmetric encryption.
What that comes down to is symmetric encryption is based on a shared secret, meaning there's a key that must be shared with reader and credential manufacturers in order for them to work together.
Asymmetric has none of this.
It uses a hash to verify the source that sends it, but there is no shared secret, making this a much higher degree of security around the use of a credential.
As an add-on to talking about the difference between asymmetric and symmetric, with asymmetric, there is no key.
Thus, there's no argument of who owns it or how to secure it.
Now we get to the point of just being able to focus on how do we enroll it, because we've already solved the fact that there is no key or ownership issues to worry about creating a proprietary solution.
One of the things that we always have to face, and really doesn't matter what vertical or industry you're coming from, is that there tends to be whatever's in place today, and the idea of having to rip and replace all the readers or reprovision all of the students and faculty is overwhelming and very costly.
Using something like PKOC and PKOC-enabled devices that are multiple technology for the reader and credentials, which also can support multiple technology, now enables the ability to migrate slowly over time in a way that you can afford. But at the same time not creating a pain point for the people who are using the credentials.
Old credentials get through new readers and new credentials get through old readers just alike until the migration is complete, at which point you can now turn off all the older weaker technology and you end up in a more secure place.
So PKOC is really new. It's only been around right now for about three years since its initial inception.
This year we are in our first commercial deployment, so when you think about standards and specifications that's really fast, but it's probably too early to be reaching out and asking for a quote.
It's still largely an education process and figuring out how and what's the best move for you.
So on the Physical Security Interoperability Alliance website under the Secure Credential Initiative is a white paper or a Q&A paper that addresses almost any question you could have about what PKOC is.
I certainly recommend that you pick that up. It's everything from one-page answers to the deeper dive of everything you wanted to know and more.
