Add PKI encryption
Non-Ethernet readers do not support PKI encryption.
Advantages of PKI over AES
While PKI encryption is more complex to implement than AES, it offers the following advantages:
BALTECH tool support
BALTECH tools currently only support PKI encryption. Thus, we recommend you implement PKI encryption as well, so you can use our tools for convenient testing and maintenance.
Individual key pair per device
AES encryption is based on a single symmetric key shared by the host and all readers. PKI encryption is an asymmetric method, i.e. both the host and each reader have their own key pair. This means: If one of the readers is compromised, all other keys and thus the connections to all other readers remain unaffected.
Perfect forward secrecy
PKI encryption provides perfect forward secrecy (PFS). This means: Even if the private keys of host and reader are compromised later on, the data exchanged cannot be reconstructed.
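The two properties above (an individual key pair per device and forward secrecy) can be seen in a small handshake simulation. The following is an added example written for this page, not BALTECH's protocol or code: it assumes Ed25519 identity key pairs for the host and each reader, one fresh X25519 ephemeral key pair per session, and a simplified SHA-256 key derivation; the host keeps a pinned copy of each reader's identity public key. Names such as RunSession and sessionKey are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Identity is one device's long-term key pair (the host or one reader). Only the
// public half is ever shared; the private half never leaves the device.
type Identity struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewIdentity generates an individual key pair, one per device.
func NewIdentity(name string) (*Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{Name: name, Pub: pub, priv: priv}, nil
}

// Hello is the handshake message each side sends: a fresh ephemeral X25519
// public key, signed with the sender's long-term identity key.
type Hello struct {
	Name   string
	EphPub []byte
	Sig    []byte
}

// newHello creates a one-session ephemeral key pair and signs its public half.
func newHello(id *Identity) (*ecdh.PrivateKey, Hello, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, Hello{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	return eph, Hello{Name: id.Name, EphPub: ephPub, Sig: ed25519.Sign(id.priv, ephPub)}, nil
}

// sessionKey checks the peer's Hello against the identity key pinned for that peer,
// then derives the session key from the ephemeral shared secret and both ephemeral
// public keys (hashed in a fixed order so both sides get the same result).
func sessionKey(ownEph *ecdh.PrivateKey, own, peer Hello, pinnedPeerPub ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(pinnedPeerPub, peer.EphPub, peer.Sig) {
		return nil, errors.New("peer signature does not verify against the pinned identity key")
	}
	peerEph, err := ecdh.X25519().NewPublicKey(peer.EphPub)
	if err != nil {
		return nil, err
	}
	shared, err := ownEph.ECDH(peerEph)
	if err != nil {
		return nil, err
	}
	lo, hi := own.EphPub, peer.EphPub
	if bytes.Compare(lo, hi) > 0 {
		lo, hi = hi, lo
	}
	// Simplified KDF for this example; real protocols use HKDF with a label.
	h := sha256.New()
	h.Write(shared)
	h.Write(lo)
	h.Write(hi)
	return h.Sum(nil), nil
}

// RunSession performs one handshake between host and reader and returns the key
// each side derived. pinnedReaderPub is the reader identity the host trusts;
// passing another reader's key models a reader whose key the host does not trust.
func RunSession(host, reader *Identity, pinnedReaderPub ed25519.PublicKey) (hostKey, readerKey []byte, err error) {
	hostEph, hostHello, err := newHello(host)
	if err != nil {
		return nil, nil, err
	}
	readerEph, readerHello, err := newHello(reader)
	if err != nil {
		return nil, nil, err
	}
	// The two Hellos cross the network; an eavesdropper sees only public values.
	if hostKey, err = sessionKey(hostEph, hostHello, readerHello, pinnedReaderPub); err != nil {
		return nil, nil, err
	}
	if readerKey, err = sessionKey(readerEph, readerHello, hostHello, host.Pub); err != nil {
		return nil, nil, err
	}
	// hostEph and readerEph are discarded here and never stored. That is forward secrecy:
	// whoever later obtains both long-term private keys and has recorded both Hellos
	// still holds no ephemeral private key and cannot recompute this session's key.
	return hostKey, readerKey, nil
}
```

Running two sessions between the host and the same reader yields two unrelated keys, because each session uses new ephemeral keys and the long-term keys only authenticate the exchange. A reader that signs with reader A's identity key while the host has pinned reader B's key fails verification, which is the "one compromised reader does not affect the others" point from the text: the host's trust in reader B never depended on reader A's key.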
Start testing with BALTECH default certificates
ID-engine XE readers are shipped with preinstalled key pairs and certificates, so they're already set up for PKI-encrypted communication. While the key pairs are unique and thus safe to use in production, the certificates are BALTECH default certificates and thus only meant for testing with BALTECH tools.
To connect to a reader with a BALTECH default certificate, you need to download the PKI package "PKIAUTH_BALTECH_DEFAULT.zip" from our website and load it into the tool (learn more).
Do not use in production
For security reasons, do not use BALTECH default certificates and keys when implementing PKI encryption in a productive environment. For a secure implementation workflow, see the steps below.
Implement PKI encryption
Create your own PKI
For productive use, replace the BALTECH default certificates and host key with your own ones. To do so, create your own PKI.
Create security settings
To block unencrypted connections, add security settings to the reader configuration. As an option, you can also restrict permissions.