Skip to content

Configure readers for AES authentication and encryption

If you want to use AES authentication and encryption when communicating with your readers, you need to specify the AES key and the host application's access permissions in the reader configuration. In addition, you can define exceptions in which unauthenticated access is allowed.

This feature requires BALTECH ConfigEditor v4.26 or above.
In older ConfigEditor versions, you'll find the component Security Settings (BRP Communication) with the same functionality. However, due to a bug, this component is no longer recommended.

Add AES Authentication and Encryption component

As this component is only relevant in few projects, it is not included in ConfigEditor by default, but needs to be added manually.

To add AES Authentication and Encryption:

  1. Download the component.

  2. Open BALTECH ConfigEditor.

  3. Open the BALCFG file of your existing configuration.
    If you don't have a configuration file yet, create a new one.

  4. Click the Plus icon > Import... to import the downloaded component.

    Screenshot: AES Authentication and Encryption component in BALTECH ConfigEditor

Create security levels

A security level defines a set of permissions that the host gets when connecting to the readers. You can define up to 3 security levels. However, this is only needed if you have multiple applications accessing the readers and want to assign different permissions to each application. In all other cases, 1 security level is enough.

Make sure the correct security level is later specified in the application.

To create a security level:

  1. Make sure Security Level 1 is enabled.
  2. In the Encryption Key field, enter an AES 128-bit key, expressed as a hexadecimal string with 32 characters.
  3. By default, all operations are allowed in this security level. To exclude certain operations, enable Manage Permissions and deselect the operations to exclude.

    Screenshot: Create a security level for AES authentication and encryption in BALTECH ConfigEditor

If you want to assign different permissions to other applications, repeat the above steps to create additional security levels.

  • Operations you want to allow in multiple security levels must be enabled in all of them.
  • If you enable level 3, it will automatically include full permissions.

Create exceptions for plain communication

With exceptions, you can allow certain operations even if the host application does not authenticate with the readers.

Factory Reset

By default, the exception Allow Factory Reset via USB HID and RS-232/UART is enabled. We highly recommend you keep it enabled, so you can easily reset the reader in case of misconfiguration.

If you disable this exception, you need to allow factory reset via at least 1 security level.

Additional Exceptions

Apart from factory reset, you can grant additional host-protocol-specific exceptions. For example, you may want to allow admin operations such as reboot via the USB HID maintenance interface.

To add additional exceptions:

  1. Enable Grant Additional Exceptions for Individual Protocols.
  2. In the drop-down, select the interface for which you want to create an exception, e.g. USB HID.
  3. By default, all operations will be allowed for unauthenticated access via this protocol. To exclude certain operations, enable Manage Permissions and deselect the operations you do not want to allow for unauthenticated access.
  4. To add an exception for another protocol, click Green Plus icon.

    Screenshot: Example exceptions for AES authentication and encryption defined in BALTECH ConfigEditor

That's it. In your application, you need to specify the security level and corresponding AES key when establishing an authenticated and encrypted connection.

Title