Physical Security Interoperability Alliance (PSIA) - Experts & Thought Leaders

Latest Physical Security Interoperability Alliance (PSIA) news & announcements

CONSULT 2024: PKOC Specification Features & Benefits

The PSIA announced that two of its members actively supporting the PKOC specification will be speaking at the CONSULT 2024 Symposium. Since its inception eight years ago, CONSULT has emerged as one of the premier and most unique events in the security industry. The symposium fills a largely unmet need in the security industry for manufacturers and consultants to interact with each other, to better understand security technologies, trends, and techniques as they impact security consultants, and to create an environment for the development of valuable relationships.

Security by Design

Jason Ouellette, a 30-year veteran of the security industry and the Chairman of the PSIA, will be joined by Ed Chandler, one of the most respected consultants in the industry. Ed founded Security by Design over 50 years ago and has built it into an international powerhouse, serving an impressive list of enterprise customers.

Latest development in PKOC

“We look forward to having Ed Chandler and Jason Ouellette explain the latest development in PKOC at CONSULT 2024. Past years’ presentations have not only increased the understanding of PKOC, but have added to the enthusiasm behind it,” said Ray Coulombe, Founder and Managing Director of Security Specifiers, the sponsor of CONSULT 2024. “I envision that this year will be no different. Congratulations to PSIA for making PKOC a reality and valuable resource to the industry,” noted Coulombe.

Commercial and security advantages

At CONSULT, Jason and Ed will be providing participants an update on the PKOC specification, its capabilities and opportunities. “The session offers a chance to dig in to the details of PKOC: how it works, why it makes sense, how to specify it, what is available from the manufacturers to create a fully functional PKOC environment. We are looking forward to seeing all of you,” noted Chandler.

PKOC creates truly secure and interoperable credentials. The commercial and security advantages of the asymmetric key-based credential over the traditional symmetric keys that have been in use for decades are finally attainable with the PKOC standard. A public key-based solution cannot be underestimated in its value over traditional credential solutions.

PKOC Bluetooth 3.0 specification

The PSIA recently introduced the PKOC Bluetooth 3.0 specification at GSX 2024. The 3.0 spec features enhanced cryptography, which supports all Bluetooth hardware. In addition, the spec has been optimized to reduce the time it takes to authenticate. The PKOC specification leverages the concept of PKI without the need for the typical complex, expensive identity infrastructure necessary for PKI.

Private-public key handshake

PKOC uses the device itself to generate the private and public key pair (known as Keygen), enabling the private-public key handshake to authenticate the credential. The beauty of PKOC is that the private key never leaves the device, and the public key becomes the “badge #”, which can be easily shared with any system or device used to control access. With PKOC, the USER literally “owns” the encryption keys and does not require any complicated process for managing or sharing keys. Furthermore, PKOC enables you to “Bring Your Own Credential” (BYOC).

PKOC At GSX 2024: Secure Interoperable Credentials

The PSIA had another impressive and compelling demonstration of its PKOC spec at GSX 2024. Some of the major lock and physical access control (PACS) vendors were able to see PKOC in action, with commercially available readers, cards, and apps all relying on the open specification, showing seamless interoperability.

PKOC product lines

“It was gratifying to see all of the hard work of the PKOC technical committee come together at the demonstration at GSX 2024,” said David Bunzel, Executive Director of the PSIA. “Many new manufacturers and customers of the security industry were not only impressed, but discussing ways to include PKOC into their product lines and deployments.”

Secure and interoperable credentials

The simplicity of PKOC, ease of integration, and the significant advantage of asymmetric encryption were some of the drivers that were most interesting to the companies and customers who were able to see the demonstration. PKOC creates truly secure and interoperable credentials. “The commercial and security advantages of the asymmetric key-based credential over traditional symmetric keys which we have been using for decades are finally attainable with the PKOC specification.”

Public key-based solution

“A public key-based solution cannot be underestimated in its value over traditional credential solutions. You now get security, availability, interoperability, and purchasing options all in one,” says John Cassise, Chairman of the PSIA’s PKOC Work Group and Chief Product Officer of SAFR at RealNetworks.

“While changing from traditional access control products is never easy, the vulnerabilities they have make more robust solutions, like PKOC, an obvious choice for security, and a more flexible choice for the future.”

PKOC specification

The PKOC specification leverages the concept of PKI without the need for the typical complex, expensive identity infrastructure necessary for PKI. PKOC uses the device itself to generate the private and public key pair (known as Keygen), enabling the private-public key handshake to authenticate the credential.

Bring Your Credential

The beauty of PKOC is that the private key never leaves the device, and the public key becomes the “badge #”, which can be easily shared with any system or device used to control access. With PKOC, the USER literally “owns” the encryption keys and does not require any complicated process for managing or sharing keys. Furthermore, PKOC enables you to “Bring Your Own Credential” (BYOC).

Taglio Introduces PKOC Cards At ISC West

Taglio has announced the commercial availability of its first PKOC compatible card, the P1190-DF1. This card implements the PKOC NFC specification for Public Key cryptography at the door combined with a Mifare® DESFire® credential. The Taglio cards will provide support for PKOC on its PIVKey and Taglio PIV Card products combining PKOC physical access with the Taglio Logical access solutions. Taglio cards will be demonstrated at the JCI stand (Booth 18033) in conjunction with readers and biometric systems. “The Taglio PKOC-enabled cards will make it possible for organizations to migrate smoothly from proprietary legacy technologies to open standards using proven cryptographic technologies,” said G. W. Habraken, Managing Director of Taglio LLC.

Enabling public key cryptography

The PKOC specification enables the use of Public Key cryptography for physical access. This eliminates the need for proprietary and complex symmetric key management systems and provides a high security, interoperable solution. “Taglio is part of a growing number of smart card vendors embracing the PKOC specification which supports NFC cards. While PKOC was initially developed to work in Bluetooth mobile applications, the PSIA recognized the significant market for secure smart cards,” said David Bunzel, Executive Director of the PSIA. “We understand that mobile credentials may represent the future of access control, but smart cards are likely going to be relied on for the foreseeable future,” said Bunzel. Taglio LLC is the foremost independent provider of smart card technologies. The company was established in 2012 and is based in Austin, Texas.

Physical and logical access

“Working with our OEM partners, Taglio’s products are deployed in identity and logical access projects at more than 75,000 organizations worldwide,” said G. W. Habraken, co-founder and managing director of Taglio.

“Organizations want a single credential for both physical and logical access. The support of the PKOC Physical Access technology in our products makes that a commercial reality today.”

Insights & Opinions from thought leaders at Physical Security Interoperability Alliance (PSIA)

What Is PKOC? How Will It Make Access Control Solutions More Interoperable?

PKOC stands for Public Key Open Credential. It is a new standard that will meet a 30-year industry challenge and strip away much of the complexity and cost involved in protecting and administering credentials for access control. It could also accelerate the transition from cards to mobile access control. PKOC is a standards-based mobile credential that is essentially free, vendor-agnostic, and interoperable across multiple devices and systems. It is a highly secure access credential that can live on a mobile phone, in a plastic access card, or in any device capable of generating a public-private key pair.

Access control systems

PKOC is the newest standard of the Physical Security Interoperability Alliance (PSIA), a tax-exempt organization created to define, recommend, and promote standards for IP-enabled security devices and systems. PSIA introduced the Physical Logical Access Interoperability (PLAI) specification in 2013 to normalize identity data across disparate physical access control systems. The PKOC specification was introduced in 2021.

We’re convinced this is the future

“We see the benefit of implementing the PKOC technology and doing it well,” says Sam Siegel, Senior Field Applications Engineer for ELATEC, a manufacturer of credential-agnostic readers/writers. “We wanted to get involved and join the discussion.” ELATEC has been participating in PSIA for more than a year. “This is a better way to do things,” says Siegel. “The PSIA, myself included, are convinced this is the future. The challenge is to get enough people to understand that it is a seismic shift away from what has been in place for so long.” A challenge for PSIA in promoting the PKOC mobile credential is to explain it quickly and in layman’s terms. The explanation spans the concept of public key infrastructure (PKI) and the difference between symmetrical and asymmetrical digital keys.

Protecting symmetrical keys

A symmetrical key system, which has been used historically in the access control market, involves the use of a single proprietary digital key to both encrypt and decrypt information. This means that digital public keys must be incorporated into each access control reader in the form of a module or a license, which the reader uses to read any compatible cards. The need to share these digital keys (in effect, the ability to read every compatible card) securely among access control manufacturers, integrators and end users involves extra administration and costs to ensure the security of the system. Protecting symmetrical keys has been an expensive technology challenge the access control world has borne for decades. The use of proprietary keys also promotes dependence on a single manufacturer or vendor to expand the ecosystem. The use of asymmetrical keys takes away these challenges.

Advantages of using asymmetrical key pairs

PKOC embraces the principle of PKI (public key infrastructure), a two-key asymmetrical system used to ensure confidentiality and encryption. In effect, there are two digital "keys," one public and one private, that are used to encrypt and decrypt information, in this case, a credential for an access control system. The secure credential standard is generated independently of a third-party credential issuer. It is generated within the device. In the access control scenario, the smartphone generates a key pair in the secure element of the phone, including a private key, which is stored on the smartphone, and a public key, which serves as the user’s ID number in the access control system. Sharing the public key is not a security risk because it is worthless without the private key that is locked away on the smartphone.

PKOC-enabled smartphone

When a PKOC-enabled smartphone approaches a PKOC-enabled reader, the reader sends a one-time random number (a ‘nonce’) to the smartphone, which then encrypts it using the private key, and sends it along with the public key back to the reader. The reader uses the public key to decrypt the random number, which confirms the authorized access associated with the smartphone. The signals are sent via Bluetooth Low Energy (BLE). Importantly, the private key never leaves the smartphone and is never shared with any other elements of the access control system. Therefore, there are no administrative or technical costs associated with protecting it. The smartphone must contain the private key in order to interface with the access control system using the public key.

Mobile credentialing system

For ELATEC, embracing PKOC provides a new way to highlight the company’s value proposition and promote it to a new group of companies; i.e., those who adopt the PKOC approach to mobile credentialing. “PKOC serves as a great way to show off our value and what we do best,” says Siegel. ELATEC provides credential readers/writers that operate in a variety of card and reader environments, incorporating an integrated BLE module to support mobile ID and authentication solutions, including PKOC. Using applicable firmware, the ‘universal’ configuration of the ELATEC reader hardware is credential-agnostic and so compatible with any RFID card or mobile credentialing system, all in a small form factor (around 1 1/2 inches square).

How readers and smartphones interact

The PKOC standard addresses the variables of how the reader and the smartphone share information. Currently, the PKOC standard addresses communication via BLE, but the principle is the same for systems using near-field communication (NFC), ultra-wideband (UWB), or any future protocols. PKOC also defines how device manufacturers can enable devices (readers, locks, control panels, biometric devices, etc.) to securely consume the credential for authentication and access. PKOC can be used with smart cards as well as with smartphones. In the case of a smart card, the public and private keys are contained on the smart card, which communicates via NFC with the reader. The encryption/decryption scenario is exactly the same. PKOC enables users to ‘bring your own credential’ (BYOC).

Public key number

BLE offers a broader read range than NFC; the read range can be managed using software and/or by signaling intent or two-factor authentication. Because private keys remain secure inside a smartphone, they do not have to be incorporated into a digital wallet for security purposes, although they could be incorporated for matters of convenience. To simplify administration, the public key number can be used as a badge number. If badge numbers have already been assigned, a column could be added to the database to associate badge numbers with public key numbers. “ELATEC is proud to have played an instrumental role with the PSIA in the implementation of PKOC,” said Paul Massey, CEO of ELATEC, Inc. “End-users should not be limited in their solution mix to one or two vendors due to their proprietary technology. PKOC now provides the ideal combination of security, convenience, interoperability, and cost for industry participants, by industry participants.”

‘Experience PSIA’ will promote PKOC at ISC West

The flexibility of PKOC will be on display at ISC West 2023, where ‘Experience PSIA’ will register attendees and provide them with a PKOC credential that can be used with a variety of readers throughout the show. Also showcasing the PLAI standard, PSIA’s presence at ISC West will include ELATEC along with several other vendors/manufacturers. A special PSIA event will be held from 5:30 to 7:30 p.m. on March 29 at the Venetian Ball Room B&C in Las Vegas. ISC West participants include PSIM manufacturer Advancis Software and Services, which acquired Cruatech software in 2012; and Idemia, specializing in identity-related security services including facial recognition and other biometrics.

Integrated security systems

Also involved are Johnson Controls (JCI), an integrated security systems provider that offers a range of security products and services; and Siemens, which offers its own range of security solutions and systems. Other participants include Last Lock, which has a unique spin on internet-enabled locks; while SAFR from Real Networks offers accurate, fast, unbiased face recognition and additional computer vision features, and Sentry Enterprises provides the SentryCard biometric platform for a privacy-centric, proof-of-identity solution. Finally, rfIDEAS manufactures credential readers.
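
The nonce handshake and the public-key-as-badge-number lookup described in this article, sketched from the reader's side as an added example; it is not code from the article, the PSIA, or the PKOC specification. It assumes the "encrypt the nonce with the private key" step is a digital signature (ECDSA over P-256 with SHA-256 here, an algorithm the article does not name), and the `Credential` and `Reader` types and badge number `1001` are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

var ErrReplay = errors.New("nonce unknown or already used")
var ErrBadSignature = errors.New("signature does not verify for this nonce and key")
var ErrNotEnrolled = errors.New("public key is not an enrolled badge")

// Credential is the phone or card; the private key is generated here and never exported.
type Credential struct{ priv *ecdsa.PrivateKey }
func NewCredential() (*Credential, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // curve is an assumption
	return &Credential{priv: k}, err
}
// PublicKey is the DER-encoded public key, the value shared as the "badge #".
func (c *Credential) PublicKey() ([]byte, error) { return x509.MarshalPKIXPublicKey(&c.priv.PublicKey) }
// Respond signs the SHA-256 digest of the reader's nonce with the private key.
func (c *Credential) Respond(nonce []byte) ([]byte, error) {
	d := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, c.priv, d[:])
}

// Reader holds public data only; it never stores a secret that reads every card.
type Reader struct {
	badges  map[string]string // DER public key -> existing badge number
	pending map[string]bool   // nonces issued and not yet answered
}
func NewReader(badges map[string]string) *Reader { return &Reader{badges, map[string]bool{}} }

// Challenge issues a fresh random nonce and remembers it until it is answered.
func (r *Reader) Challenge() ([]byte, error) {
	n := make([]byte, 16)
	_, err := rand.Read(n)
	r.pending[string(n)] = true
	return n, err
}

// Verify consumes the nonce, checks the signature, then maps the key to a badge.
func (r *Reader) Verify(nonce, pub, sig []byte) (string, error) {
	if !r.pending[string(nonce)] {
		return "", ErrReplay
	}
	delete(r.pending, string(nonce)) // single use, even if verification fails
	parsed, _ := x509.ParsePKIXPublicKey(pub)
	key, ok := parsed.(*ecdsa.PublicKey)
	d := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(key, d[:], sig) {
		return "", ErrBadSignature
	}
	if badge, ok := r.badges[string(pub)]; ok {
		return badge, nil
	}
	return "", ErrNotEnrolled // a valid key pair alone grants nothing
}

func main() {
	phone, _ := NewCredential()
	pub, _ := phone.PublicKey()
	reader := NewReader(map[string]string{string(pub): "1001"}) // constructed badge number
	nonce, _ := reader.Challenge()
	sig, _ := phone.Respond(nonce)
	fmt.Println(reader.Verify(nonce, pub, sig)) // first presentation is accepted
	fmt.Println(reader.Verify(nonce, pub, sig)) // the same response replayed is refused
}
```

The three refusal paths are the checks a reader needs for the scheme to hold: a nonce is honoured once, a signature must match the nonce just issued, and a key that verifies but is not in the badge table opens nothing.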

Progress Report: PSIA Is Enabling Interoperability Of Physical And Logical Access

The Physical Security Interoperability Alliance (PSIA) was founded in 2008 with a goal of creating ‘plug-and-play interoperability’ among physical security devices, systems and services. Since then, the organization’s mission has both expanded to include logical security and focused more narrowly on identity, a critical aspect of security today. In recent years, PSIA has concentrated on its PLAI (Physical Logical Access Interoperability) specification, which provides a means to enable disparate physical access control systems (PACS) to communicate to each other and share employee identity data. This is especially important for companies who have made acquisitions and inherited different incompatible PACS systems. “PLAI can unify a security environment through one trusted source, even if there are multiple PACS systems,” says David Bunzel, Executive Director of the Physical Security Interoperability Alliance (PSIA).

Bridge between disparate PACS

The PLAI specification provides a bridge between disparate PACS, allowing a single trusted source for identity management. Leading PACS vendors including JCI (Software House), Lenel, and Kastle Systems and biometric vendors including Eyelock, Idemia, and Princeton Identity, have each implemented PLAI adapters, supporting this specification. AMAG will have their adapter in the coming months, and Honeywell and Siemens have it on their road maps. At ISC West last April, PSIA was able to demonstrate five of these vendors sharing records and the ability to add and terminate an employee and have it updated across each PACS and biometric system. The Physical Security Interoperability Alliance (PSIA) has evolved from supporting physical security to also integrating logical security. Access to facilities and secure areas of buildings is increasingly dependent on software and hardware systems which can validate a person’s identity.

“The PSIA has chosen to focus on interoperability between identity management systems and access control devices,” says Bunzel. “We have successfully demonstrated the technology, and it is now being specified by consultants, integrators and enterprise customers in actual security systems. We expect to see some large companies announcing PLAI implementations in the next quarter.”

Open standards processes

PSIA relies on an open standards process, with collaboration among leaders in the various parts of the security industry. Specifications are architected, discussed, drafted, and reviewed by members of the organization in technical committees. The process is dynamic, with periodic updates added, which will improve and enhance the specifications as appropriate. The PSIA has focused on identity management for enterprise customers, says Bunzel. “We have active members who make devices that support access hardware (for example, locks and biometric systems) who by design complement PACS vendors and HR management systems.”

“We continue to add more PACS and biometrics vendors to the PLAI ecosystem, expanding the value of the specification in the market,” says Bunzel. “PLAI also enables a variety of services for enterprise customers that may rely on a security credential, including printing services, parking, and facility management. In the near future, the PSIA expects to extend PLAI into elevators. There are other identity management capabilities, and the PSIA will evaluate opportunities as the market demands them,” says Bunzel.

In addition to PLAI, PSIA has several ‘legacy’ specs, but they are not actively working on further iterations. PSIA could always consider new development on legacy specs if the market demanded it. Some legacy specs address video, and security cameras often work with access control systems. However, PSIA currently is leaving video to ONVIF.

The near-term direction and plan for the PSIA is to focus on PLAI and its commercialization.

What Is The Impact Of Standards On Security Systems And Technologies?

Industry standards make it possible for systems and technologies to connect and work together. Standards enable today’s integrated systems. But does adherence to standards stifle innovation? Does the necessity to interface using an industry-wide standard slow down the implementation of newer (and possibly not standards-compliant) capabilities? Or do standards eliminate extraneous variables, empower more integration and encourage greater innovation? We asked this week’s Expert Panel Roundtable: How does the use of standards either stifle or jump-start innovation?