Add AES security settings to your configuration
When implementing AES encryption, you need to add AES security settings to your reader configuration. Here, you specify the AES key, grant permissions, and define exceptions in which unencrypted access is allowed.
This feature is available in BALTECH ToolSuite as of version 4.23.00.
Create a security settings component
Open BALTECH ConfigEditor.
If you haven't installed it yet, you can download it here as part of BALTECH ToolSuite.
In the popup window, click Open.
Select the BALCFG file of your existing configuration. If you don't have a configuration file yet, create a new one.
Click Extend Configuration > Settings > Security Settings (BRP Communication).
Create security levels
A security level defines a set of permissions that the host gets when connecting to the readers. You can define up to 3 security levels. However, this is only needed if you have multiple applications accessing the readers and want to assign different permissions to each application. In all other cases, 1 security level is enough.
Make sure the correct security level is later specified in the application.
To create a security level:
- Make sure Activate Support for Security Level 1 is enabled.
- In the Encryption Key field, enter an AES 128-bit key, expressed as a hexadecimal string with 32 characters.
If you keep the default settings, all operations are allowed in this security level. To exclude certain operations and protect them with a different key, enable Restrict Allowed Operations Via This Channel and deselect the operations to exclude.
If you've excluded operations, enable one or both additional security levels and assign these operations to them.
- Operations you want to allow in multiple security levels must be enabled in all of them.
- If you enable level 3, it will automatically include full permissions.
With exceptions, you can allow certain operations even if the connection is unencrypted. For example, you may want to allow configuration and firmware updates via the USB HID maintenance interface.
To create an exception:
- Enable Allow Unsafe Communication For Some Protocols.
- In the drop-down, select the interface for which you want to create an exception, e.g. USB/HID.
- If you keep the default settings, all operations will be allowed when you establish an unencrypted connection via this interface. To exclude certain operations, enable Restrict Allowed Operations Via This Channel and deselect them. All deselected operations will then require an encrypted connection.
- To add an exception for another interface, click .
That's it. In your application, you need to specify the security level and corresponding AES key when establishing an encrypted connection.
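The security-level and exception rules above (restricted operation sets per level, level 3 always carrying full permissions, and per-interface exceptions that only cover the operations left selected) are easy to get wrong when several applications share a reader. The following Python model is an added example written for this page, not BALTECH's configuration format, ConfigEditor output or SDK: it lets you audit a planned configuration before entering it, and also validates the 32-character hexadecimal key string the Encryption Key field expects. The operation names, the interface names and the class names are constructed placeholders.

```python
"""Hypothetical model of the security-level / exception policy described above.

Not BALTECH's configuration format or SDK; operation and interface names
are constructed examples used only to exercise the decision logic.
"""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass, field

# Constructed placeholder set of reader operations (not BALTECH's names).
ALL_OPERATIONS: frozenset[str] = frozenset(
    {"read_card", "write_config", "update_firmware", "set_time"}
)


def generate_aes128_key_hex() -> str:
    """Return a random AES-128 key in the 32-character hex form the Encryption Key field takes."""
    return secrets.token_hex(16).upper()


def parse_aes128_key_hex(text: str) -> bytes:
    """Validate a 32-character hex string and return the 16 raw key bytes.

    Rejects wrong length, non-hex characters and the all-zero key, so a
    mistyped or placeholder key is caught before it reaches the reader."""
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", text):
        raise ValueError("AES-128 key must be exactly 32 hexadecimal characters")
    key = bytes.fromhex(text)
    if key == bytes(16):
        raise ValueError("all-zero key is not acceptable")
    return key


@dataclass
class SecurityLevel:
    """One of up to three security levels, each protected by its own AES key."""
    key_hex: str
    restricted: bool = False            # "Restrict Allowed Operations Via This Channel"
    allowed: frozenset = ALL_OPERATIONS # operations still selected when restricted

    def permits(self, op: str) -> bool:
        return not self.restricted or op in self.allowed


@dataclass
class UnencryptedException:
    """Exception allowing some operations over an interface without encryption."""
    interface: str
    restricted: bool = False
    allowed: frozenset = ALL_OPERATIONS


@dataclass
class ReaderSecurityConfig:
    levels: dict[int, SecurityLevel] = field(default_factory=dict)
    exceptions: dict[str, UnencryptedException] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Per the page: enabling level 3 automatically includes full permissions.
        if 3 in self.levels:
            self.levels[3].restricted = False
            self.levels[3].allowed = ALL_OPERATIONS

    def is_allowed(self, op: str, interface: str, level: int | None) -> bool:
        """Decide whether `op` is allowed; level=None means the connection is unencrypted."""
        if level is None:
            exc = self.exceptions.get(interface)
            if exc is None:
                return False  # no exception for this interface: encryption required
            return not exc.restricted or op in exc.allowed
        lvl = self.levels.get(level)
        return lvl is not None and lvl.permits(op)

    def uncovered_operations(self) -> frozenset[str]:
        """Operations excluded from every enabled level (reachable only via exceptions, if at all)."""
        return frozenset(
            op for op in ALL_OPERATIONS
            if not any(lvl.permits(op) for lvl in self.levels.values())
        )


def build_example_config() -> ReaderSecurityConfig:
    """Constructed configuration: level 1 for the badge application, level 2 for
    maintenance, and an unencrypted USB/HID exception limited to maintenance work."""
    return ReaderSecurityConfig(
        levels={
            1: SecurityLevel(generate_aes128_key_hex(), restricted=True,
                             allowed=frozenset({"read_card", "set_time"})),
            2: SecurityLevel(generate_aes128_key_hex(), restricted=True,
                             allowed=frozenset({"write_config", "update_firmware"})),
        },
        exceptions={
            "USB/HID": UnencryptedException("USB/HID", restricted=True,
                                            allowed=frozenset({"write_config", "update_firmware"})),
        },
    )


if __name__ == "__main__":
    cfg = build_example_config()
    print("uncovered operations:", sorted(cfg.uncovered_operations()))
    print("firmware update over unencrypted USB/HID:", cfg.is_allowed("update_firmware", "USB/HID", None))
    print("card read over unencrypted USB/HID:", cfg.is_allowed("read_card", "USB/HID", None))
```

Run `uncovered_operations()` on your own plan: anything it returns is an operation you deselected in level 1 but never assigned to level 2 or 3, which the text above warns against. Note that an exception only covers the operations you left selected for that interface; everything deselected there still needs an encrypted connection with a matching level and key.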