
Configure readers for AES authentication and encryption

To use AES authentication and encryption when communicating with your readers, you need to configure the reader with the AES Authentication and Encryption component.

This feature requires BALTECH ConfigEditor v4.26 or above.
In older ConfigEditor versions, you'll find the component Security Settings (BRP Communication) with the same functionality. However, due to a bug, this component is no longer recommended.

Add AES Authentication and Encryption component

As this component is only relevant in a few projects, it is not included in ConfigEditor by default and needs to be added manually.

To add AES Authentication and Encryption:

  1. Download the component.

  2. Open BALTECH ConfigEditor.

  3. Open the BALCFG file of your existing configuration.
    If you don't have a configuration file yet, create a new one.

  4. Click the Plus icon > Import... to import the downloaded component.

    Screenshot: AES Authentication and Encryption component in BALTECH ConfigEditor

Define security levels

Define up to 3 security levels, each with its own key and permissions.

To define the first security level:

  1. Make sure Security Level 1 is enabled.
  2. In the Encryption Key field, enter an AES 128-bit key, expressed as a hexadecimal string with 32 characters.
  3. By default, full permissions are assigned to this security level. To exclude permissions, enable Restrict Permissions and deselect them.

    Screenshot: Create a security level for AES authentication and encryption in BALTECH ConfigEditor

To define additional security levels:

If you need several security levels because you have multiple host applications to which you want to grant individual permissions, repeat the above steps for each level.

Each security level is defined individually, i.e. permissions you want to assign to multiple levels must be explicitly added to each of them. An exception is level 3: It is automatically assigned full permissions.
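A small helper, added here as an example and not part of BALTECH's documentation or SDK, that generates one random AES-128 key per security level in the 32-character hexadecimal form the Encryption Key field expects, and rejects keys that are malformed or degenerate (all-identical or short repeating bytes) before you paste them into ConfigEditor. The function and constant names are my own.

```python
import re
import secrets

# ConfigEditor allows up to 3 security levels; each key is AES-128, i.e. 16 bytes
# entered as a 32-character hexadecimal string.
MAX_SECURITY_LEVELS = 3
_HEX_KEY_RE = re.compile(r"[0-9A-Fa-f]{32}")


def validate_key_hex(key_hex: str) -> str:
    """Return the key upper-cased if it is a well-formed, non-degenerate AES-128 key.

    Raises ValueError for keys ConfigEditor would reject (wrong length, non-hex
    characters) and for formally valid but obviously weak keys.
    """
    key_hex = key_hex.strip()
    if not _HEX_KEY_RE.fullmatch(key_hex):
        raise ValueError("key must be exactly 32 hexadecimal characters (AES-128)")
    key = bytes.fromhex(key_hex)
    if len(set(key)) == 1:
        raise ValueError("degenerate key: every byte is identical")
    # Reject short repeating patterns such as 0123 0123 ... or 00FF 00FF ...
    for period in (2, 4, 8):
        if key == key[:period] * (len(key) // period):
            raise ValueError(f"degenerate key: repeats every {period} bytes")
    return key_hex.upper()


def is_valid_key_hex(key_hex: str) -> bool:
    """Boolean form of validate_key_hex for quick checks."""
    try:
        validate_key_hex(key_hex)
        return True
    except ValueError:
        return False


def generate_level_keys(num_levels: int) -> dict[int, str]:
    """Generate a fresh random AES-128 key for each level 1..num_levels.

    Keys come from the OS CSPRNG via ``secrets``. Each value is what you enter
    in the Encryption Key field and later hand to the host application together
    with its level number.
    """
    if not 1 <= num_levels <= MAX_SECURITY_LEVELS:
        raise ValueError(f"ConfigEditor supports 1 to {MAX_SECURITY_LEVELS} security levels")
    keys = {level: validate_key_hex(secrets.token_hex(16)) for level in range(1, num_levels + 1)}
    # Distinct keys per level, so one host application's key never unlocks another level.
    assert len(set(keys.values())) == num_levels
    return keys


if __name__ == "__main__":
    for level, key_hex in generate_level_keys(3).items():
        print(f"Security Level {level}: {key_hex}")
```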

Create exceptions for plain communication

While plain communication is generally blocked, you can still retrieve reader info, e.g. firmware version or boot status, via plain communication. In addition, you can define custom exceptions.

Factory Reset

By default, the exception Allow Factory Reset via USB HID and RS-232/UART is enabled. We highly recommend you keep it enabled, so you can easily reset the reader in case of misconfiguration.

If you disable this exception, you need to assign the Factory Reset permission to at least 1 security level.

Additional Exceptions

Apart from factory reset, you can grant additional host-protocol-specific exceptions. For example, you may want to allow admin operations such as reboot via the USB HID maintenance interface.

To add additional exceptions:

  1. Enable Grant Additional Exceptions for Individual Protocols.
  2. In the drop-down, select the interface for which you want to create an exception, e.g. USB HID.
  3. By default, full permissions will be granted for plain communication via this protocol. To exclude permissions, enable Restrict Permissions and deselect them.
  4. To add an exception for another protocol, click the green Plus icon.

    Screenshot: Example exceptions for AES authentication and encryption defined in BALTECH ConfigEditor

That's it. In your host application, you need to specify the number and encryption key of the respective security level when establishing an authenticated and encrypted connection.
