University opts to own encryption keys to foster flexibility
For the full deployment, UGA contracted with a company in Atlanta for its card reader installs. “We’re installing 800 readers on an aggressive timeline of 30-40 per day,” says McGee. “But it’s an easy swap for readers, and the wiring is fairly straightforward.”
On the card issuance side, UGA ordered 20,000 cards initially. “To date, we have issued about 17,000 cards. We are using our existing issuance equipment, but WaveLynx supplied an API and we wrote an interface program to encode cards,” explains McGee. “We’re swiping the card to catch our student number and then, via a USB reader, securely linking that number to the student account.”
UGA is currently in year two of a planned, four-year implementation window. “We’ll still print the barcode and have the mag stripe on the card,” says Michael Wharton, Building Controls Engineer for University Housing. “As we go through each system, we will change that process over time. Eventually we’ll no longer have the barcode or mag stripe. We just needed a bridge short term to get us from where we were to where we wanted to go.”
“We will also be recarding select areas of campus that use the access control readers for housing, academic buildings, study areas, and more,” adds Wharton. “We’re pulling data from the system to see who is using the readers today, and we’ll target them via university email to make sure we don’t miss anyone during the recarding process.”
Why own your own keys?
A major factor for UGA in its search for the right card technology was the ability for the university to own its encryption keys, rather than ceding that control to a vendor or manufacturer.
“Owning your own keys lets you choose which vendors you want to work with, how your cards are secured, and what vendor you’ll buy from,” says Wharton. “If you don’t own your keys then you rely totally on your vendor and you’ll be forever down the path of buying their product.”
Working with WaveLynx has enabled UGA to take more control over its card system. “It’s about having a more open platform,” says Wharton. “There are no keys shared between vendors, and the cards work transparently between vendors.”
The element of the system that enables UGA to realize this flexibility is the LEAF protocol, developed by WaveLynx. LEAF defines the data format for the DESFire EV2 cards, establishing application areas and files that card issuers like UGA can utilize. “While other vendor solutions utilize DESFire EV2 cards, if they use a proprietary protocol or data format, the ability to incorporate readers from other manufacturers or purchase cards from other suppliers is hindered,” explains Wharton.
Though LEAF was developed by WaveLynx, it is an open protocol so other hardware and access control reader manufacturers can freely use it to build compatible products.
“For other reader manufacturers, it should be a fairly simple development effort because the chipset in the DESFire EV2 card puts out a standard reader model,” Wharton says. “Just a few fields need to be changed to be compatible with LEAF, which already aligns very closely with the standard model that DESFire EV2 follows.”
“The LEAF concept frees a university up and doesn’t tie it to one particular vendor,” says Wharton. “And LEAF makes the system implementation easier to pull off than writing the code yourself.”
Boosting security and future functionality
“The cards can be encoded with as many apps as you want because there’s a lot of memory on the DESFire EV2 cards,” says Wharton. “Most apps are just a database field or two so they’re small.”
UGA wanted to add custom keys for access control, so it produced a set of three campus apps with separate read keys on the card. “An access control number is preconfigured on the card. We utilize the first two apps for full card number and abbreviated card number,” says Wharton.
For now, the third app is being reserved for a possible future use. “We can code these apps ourselves, so we’ve left that reserved for something down the line,” Wharton adds.
UGA has discussed possible use cases for that third app, but nothing is lined up at this time. “Things like attendance to conferences, classes or events are possible. Also a tie in with city transit is likely,” says Wharton. “Beyond that, rewards programs, athletic ticketing or anything else that leverages a number and needs to be secured could be added.”
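The layout described above, with separate application areas on the card, each gated by a read key that the issuer rather than a vendor holds, is easier to reason about with a small simulation. The following is an added example, not code from the article, UGA or WaveLynx, and not the LEAF specification or the DESFire EV2 command set. It models only the design consequences the article draws: a reader provisioned with one app's key cannot read another app, and the key owner can rotate a key and decide which readers get the new one. The application identifiers, key material, card numbers and the HMAC-based challenge-response are all constructed for the example (real DESFire EV2 uses AES mutual authentication).

```python
"""Toy model of a card whose applications each carry an issuer-owned read key.

Added example; not the article's, UGA's or WaveLynx's code and not the LEAF
or DESFire EV2 specification. Identifiers, keys and numbers are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed application identifiers standing in for the three campus apps.
AID_FULL_NUMBER = 0xF51001    # full card number
AID_SHORT_NUMBER = 0xF51002   # abbreviated card number
AID_RESERVED = 0xF51003       # reserved for a future use


class Application:
    """One application area on the card: a read key and numbered files."""

    def __init__(self, read_key: bytes) -> None:
        self.read_key = read_key
        self.files: Dict[int, bytes] = {}


class Card:
    """Simulated card holding several applications, each gated by its own key."""

    def __init__(self) -> None:
        self.apps: Dict[int, Application] = {}
        self._nonce: Optional[bytes] = None

    def create_app(self, aid: int, read_key: bytes) -> None:
        self.apps[aid] = Application(read_key)

    def write_file(self, aid: int, file_no: int, data: bytes) -> None:
        self.apps[aid].files[file_no] = data

    def challenge(self) -> bytes:
        """Card issues a fresh, single-use nonce for the reader to answer."""
        self._nonce = os.urandom(16)
        return self._nonce

    def read_file(self, aid: int, file_no: int, response: bytes) -> bytes:
        """Release file data only if the response proves knowledge of this app's key."""
        nonce, self._nonce = self._nonce, None          # nonce is consumed either way
        if nonce is None:
            raise PermissionError("no outstanding challenge")
        app = self.apps.get(aid)
        if app is None:
            raise KeyError(f"no application {aid:#08x}")
        expected = hmac.new(app.read_key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            raise PermissionError(f"authentication failed for application {aid:#08x}")
        return app.files[file_no]


class Reader:
    """A reader the issuer has provisioned with the key for exactly one application."""

    def __init__(self, aid: int, read_key: bytes) -> None:
        self.aid = aid
        self.read_key = read_key

    def read(self, card: Card, file_no: int = 1) -> bytes:
        nonce = card.challenge()
        response = hmac.new(self.read_key, nonce, hashlib.sha256).digest()
        return card.read_file(self.aid, file_no, response)


def issue_card(issuer_keys: Dict[int, bytes], full_number: str) -> Card:
    """Issuer encodes one application per purpose, each under its own key.
    Taking the last six digits as the abbreviated number is a constructed choice."""
    card = Card()
    for aid, key in issuer_keys.items():
        card.create_app(aid, key)
    card.write_file(AID_FULL_NUMBER, 1, full_number.encode())
    card.write_file(AID_SHORT_NUMBER, 1, full_number[-6:].encode())
    return card


def demo() -> Dict[str, str]:
    """Show vendor separation and issuer-controlled key rotation on a constructed card."""
    issuer_keys = {aid: os.urandom(16) for aid in (AID_FULL_NUMBER, AID_SHORT_NUMBER, AID_RESERVED)}
    card = issue_card(issuer_keys, "8100123456789")
    door_reader = Reader(AID_SHORT_NUMBER, issuer_keys[AID_SHORT_NUMBER])    # vendor A, short-number key only
    library_reader = Reader(AID_FULL_NUMBER, issuer_keys[AID_FULL_NUMBER])   # vendor B, full-number key only
    results = {"door_reads_short": door_reader.read(card).decode(),
               "library_reads_full": library_reader.read(card).decode()}
    # Vendor A's key does not open vendor B's application: no key is shared between vendors.
    try:
        Reader(AID_FULL_NUMBER, issuer_keys[AID_SHORT_NUMBER]).read(card)
        results["cross_app_read"] = "allowed"
    except PermissionError:
        results["cross_app_read"] = "denied"
    # The issuer owns the keys, so it can rotate one app's key and re-provision only the
    # readers it chooses; a reader still holding the old key stops working.
    new_key = os.urandom(16)
    card.apps[AID_SHORT_NUMBER].read_key = new_key        # stands in for a key-change command
    try:
        door_reader.read(card)
        results["old_key_after_rotation"] = "allowed"
    except PermissionError:
        results["old_key_after_rotation"] = "denied"
    results["rekeyed_reader"] = Reader(AID_SHORT_NUMBER, new_key).read(card).decode()
    return results
```

Running `demo()` shows both vendors' readers reading their own app, the cross-app attempt denied, the old door reader denied after rotation, and a re-provisioned reader working again. The rotation step is the practical meaning of "owning your keys": the university, not a supplier, decides when keys change and which readers receive them.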