Add PKI authentication and encryption
To control access to readers and protect host-reader communication, we recommend you set up authentication and encryption. This allows you to manage a host application's access permissions, require the host to authenticate with the readers, and establish an encrypted connection.
For Ethernet readers, you can implement authentication and encryption based on public key infrastructure (PKI). If you prefer to use AES, you need to order a custom configuration from us.
Non-Ethernet readers do not support PKI, but only AES.
Advantages of PKI over AES
-
BALTECH tool support
BALTECH tools currently only support PKI authentication and encryption. Thus, if you go for PKI implementation as well, so you can use our tools for convenient testing and maintenance. -
Individual key pair per device
AES is based on 1 symmetric key shared by the host and all readers. PKI is an asymmetric method, i.e. both the host and each reader have their own key pairs. This means: If one of the readers is compromised, all other keys and thus the connections to all other readers remain unaffected. -
Perfect forward secrecy
PKI provides perfect forward secrecy (PFS). This means: Even if the private keys of host and reader are compromised later on, the data exchanged cannot be reconstructed.
Start testing with BALTECH default certificates
ID-engine XE readers are shipped with preinstalled key pairs and certificates, so they're already set up for PKI authentication and encryption. While the key pairs are unique and thus safe to use in production, the certificates are BALTECH default certificates and thus only meant for testing with BALTECH tools.
To connect to a reader with a BALTECH default certificate, you need to download the PKI package "PKIAUTH_BALTECH_DEFAULT.zip" from our website and load it into the tool (learn more).
Do not use in production
For security reasons, do not use BALTECH default certificates and keys when implementing PKI authentication and encryption in a productive environment. For a secure implementation workflow, see the steps below.
Implement PKI authentication and encryption
Configure readers
When you add an Ethernet host interface component, authentication is required by default.
To define which permissions the host gets when establishing an unauthenticated connection, set the option Grant Exceptions for Plain Communication accordingly:
Option | Description |
---|---|
Full Permissions in Normal Mode and Maintenance Mode | All operations are allowed in maintenance mode and normal mode; authentication is not required. |
Full Permissions in Maintenance Mode | All operations are allowed in maintenance mode without authentication; normal mode requires authentication. |
Factory Reset in Maintenance Mode | Factory reset is allowed in maintenance mode without authentication; all other operations require authentication. |
Create your own PKI
For productive use, replace the BALTECH default certificates and host key with your own ones. To do so, create your own PKI.
Establish authenticated and encrypted connection
Now you can establish an authenticated and encrypted connection, both via BALTECH tools and your own host application.