Add PKI encryption

To secure communication with Ethernet readers, we recommend you use public key infrastructure (PKI) encryption based on X.509 certificates instead of AES encryption.

Non-Ethernet readers do not support PKI encryption.

Advantages of PKI over AES

While PKI encryption is more complex to implement than AES, it offers the following advantages:

  • BALTECH tool support
    BALTECH tools currently only support PKI encryption. Thus, we recommend you implement PKI encryption as well, so you can use our tools for convenient testing and maintenance.

  • Individual key pair per device
    AES encryption is based on a single symmetric key shared by the host and all readers, so that key is only as safe as the least protected reader. PKI encryption is an asymmetric method, i.e. the host and each reader have their own key pair. This means: If one reader is compromised, only its key pair has to be revoked and replaced; the keys of all other readers, and thus the connections to them, remain unaffected.

  • Perfect forward secrecy
    PKI encryption provides perfect forward secrecy (PFS). The long-term key pairs are used only to authenticate the host and the reader; the key that actually encrypts the traffic is negotiated per connection and discarded afterwards. This means: Even if the private keys of host and reader are compromised later on, previously captured traffic cannot be decrypted.

Start testing with BALTECH default certificates

ID-engine XE readers are shipped with preinstalled key pairs and certificates, so they're already set up for PKI-encrypted communication. While the key pairs are unique and thus safe to use in production, the certificates are BALTECH default certificates and thus only meant for testing with BALTECH tools.

To connect to a reader with a BALTECH default certificate, you need to download the PKI package "PKIAUTH_BALTECH_DEFAULT.zip" from our website and load it into the tool (learn more).

Do not use in production

For security reasons, do not use the BALTECH default certificates or the default host key when implementing PKI encryption in a productive environment: the default PKI package is publicly downloadable, so anyone who has it can authenticate to your readers as the host. For a secure implementation workflow, see the steps below.

Implement PKI encryption

Create your own PKI

For productive use, replace the BALTECH default certificates and the default host key with your own. To do so, create your own PKI: a certificate authority (CA) under your control that issues a certificate for the host and one for each reader. Keep the CA's private key offline; it is only needed when a new reader or host certificate is issued.
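As an added example of the "create your own PKI" step (not BALTECH's own tooling, and not a substitute for the procedure linked above), the following POSIX shell script builds a minimal PKI with the openssl CLI: one root CA, a key pair and certificate for the host, and a key pair and certificate for one reader. The key type (EC P-256), hash, validity periods, subject names and certificate extensions are assumptions for illustration only; check which key types and extensions your readers and tools accept before adopting them. The later steps (reader security settings, host connection) are not covered because the page does not specify their format.

```shell
#!/bin/sh
# Added example, not BALTECH's own tooling: a minimal private PKI built with
# the openssl CLI. Root CA -> host certificate + one reader certificate.
# Assumptions (not from the BALTECH page): EC P-256 keys, SHA-256, 10-year CA
# and 2-year leaf validity, the subject names below, serverAuth+clientAuth EKU.
set -eu

# issue_cert DIR NAME SUBJECT: new key pair plus a CA-signed leaf certificate
issue_cert() {
    dir="$1"; name="$2"; subject="$3"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$name.key"
    openssl req -new -config "$dir/req.cnf" -key "$dir/$name.key" \
        -subj "$subject" -out "$dir/$name.csr"
    # Leaf profile: explicitly NOT a CA, usable by either side of the handshake
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature' \
        'extendedKeyUsage=serverAuth,clientAuth' > "$dir/$name.ext"
    openssl x509 -req -sha256 -days 730 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt"
    rm -f "$dir/$name.csr" "$dir/$name.ext"
}

# make_pki DIR: root CA, host key pair/cert, and one reader key pair/cert
make_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Tiny req config so the script does not depend on a system openssl.cnf;
    # the empty [dn] section is fine because every subject is passed via -subj.
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca_ext' \
        '[dn]' '[ca_ext]' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$dir/req.cnf"
    # 1. Root CA: the only key that signs host and reader certificates.
    #    Keep ca.key offline once the initial certificates are issued.
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
    openssl req -x509 -new -config "$dir/req.cnf" -key "$dir/ca.key" -sha256 \
        -days 3650 -subj "/CN=Example Access Control Root CA" -out "$dir/ca.crt"
    # 2. Host key pair and certificate (replaces the BALTECH default host key)
    issue_cert "$dir" host "/CN=access-control-host"
    # 3. One key pair and certificate per reader; repeat for each device
    issue_cert "$dir" reader-0001 "/CN=reader-0001"
    chmod 600 "$dir"/*.key
}

# verify_chain DIR NAME: succeeds only if DIR/NAME.crt was issued by DIR/ca.crt
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null
}

# is_ca DIR NAME: succeeds if DIR/NAME.crt carries CA:TRUE (only the root may)
is_ca() {
    openssl x509 -in "$1/$2.crt" -noout -text | grep -q 'CA:TRUE'
}

# Usage: sh make_pki.sh <output-dir>
# Without an argument only the functions are defined (e.g. when sourced).
if [ "$#" -gt 0 ]; then
    make_pki "$1"
    verify_chain "$1" host && verify_chain "$1" reader-0001 \
        && echo "PKI written to $1 (ca.crt, host.key/host.crt, reader-0001.key/reader-0001.crt)"
fi
```

In this layout `ca.crt` is the trust anchor both sides need, `host.key`/`host.crt` replace the default host key and certificate on the host side, and each `reader-NNNN.key`/`reader-NNNN.crt` pair is provisioned to exactly one device, so a compromised reader costs you one leaf certificate, not the whole deployment. The `is_ca` check is there because a leaf accidentally issued with `CA:TRUE` could itself sign certificates for impostor readers.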

Create security settings

To block unencrypted connections, add security settings to the reader configuration. As an option, you can also restrict permissions.

Establish encrypted connection

Now you can establish encrypted connections, both via BALTECH tools and your own host application.