Page 1-2 Overview
PLT-01067, Version: A.7 July 2017
1.1 Main Concepts
To get the most out of the iCLASS SE Encoder, there are several concepts that should be understood.
1.1.1 Key Management
iCLASS SE Encoder is an HID Global product that provides a solution for encoding user credentials and
reader configuration data. To provide a high level of security, the encoder device uses a smart card
chip (an ISO 7816 compliant device) to perform key management as well as to run the encoding
applications. This component of the encoder device is called the Secure Access Module (SAM).
A typical encoding operation requires knowledge of the credential's default/transport keys, your
credential or reader configuration data, and the new keys that will protect the credential. The keys
involved in an encoding operation may be managed by HID Global or created by the customer and
provisioned in the SAM.
To perform secure key management, we follow state-of-the-art security practices and use cryptographic
algorithms and practices that have been validated by our industry to provide secure solutions for
our customers. The rest of this document describes the different types of keys and their management.
1.1.2 Administration Keys
Simple Network Management Protocol (SNMP) version 3 messages are used to load, update, and delete
the configuration data and keys used during encoding operations. SNMP is an Internet-standard
protocol for managing devices on IP networks, defined by RFC 3411 through RFC 3418. Though the
protocol is intended for IP devices, HID also uses it over other transport and application
protocols, such as ISO 7816-3 (APDU) for PC/SC readers.
A typical SNMP message is encrypted and signed using 16-byte keys and also carries metadata
about the cryptographic mechanism used to protect it. The message defines its actions
using verbs such as GET and SET. The keys used for encryption are called the SNMP encryption
keys (also called SNMP privacy keys), and the keys used for signing are called the SNMP signing
keys (also called SNMP authentication keys).
A device or a software application implementing the SNMP standard is called an SNMP endpoint or
engine and is identified using one or more engineId/username pairs.
The encoder SAM is an SNMP endpoint that has two identities: the HID Admin and the OEM Admin.
Each identity is recognized using an engineId and username pair as described in the SNMP
standard. Each identity has two associated keys: an SNMP encryption key and an SNMP signing key.
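The engineId/username pairing above is how SNMPv3's User-based Security Model (RFC 3414) keeps one user's authentication and privacy keys distinct per engine: the standard derives a key from a user password and then "localizes" it with the engineID, so the same password yields a different key on every engine and a key recovered from one engine does not work on another. The following is an added example of that standard derivation and of the HMAC-96 authentication tag that signs a message; it is not HID code, and the page does not say how the encoder's own 16-byte keys are produced (16 bytes is the MD5 key length in RFC 3414; SHA-1 yields 20 bytes). The engineID and password are the RFC 3414 Appendix A test-vector inputs, and the message bytes are a constructed stand-in for an SNMPv3 PDU.

```python
# Added example: RFC 3414 (SNMPv3 USM) password-to-key derivation, engineID
# localization and HMAC-96 message authentication. Not HID code; the encoder's
# own key provisioning is not described on this page.
import hashlib
import hmac

ONE_MEGABYTE = 1048576   # RFC 3414 A.2: the password is expanded to exactly 1,048,576 octets
AUTH_PARAMS_LEN = 12     # HMAC-96: msgAuthenticationParameters is the first 12 octets of the HMAC


def password_to_ku(password: bytes, algo: str = "md5") -> bytes:
    """Step 1 (RFC 3414 A.2.1/A.2.2): hash the password repeated, wrapping
    around, until exactly 1 MB has been fed to the digest."""
    if not password:
        raise ValueError("empty password")
    repeated = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algo, repeated).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Step 2 (RFC 3414 A.2): bind the key to one engine, Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Password -> localized USM key for one engineID (16 bytes for MD5, 20 for SHA-1)."""
    return localize_key(password_to_ku(password, algo), engine_id, algo)


def auth_params(auth_key: bytes, message: bytes, algo: str = "md5") -> bytes:
    """Sender side (RFC 3414 6.3.1 / 7.3.1): HMAC over the whole message with the
    12-byte authParams field already zeroed, truncated to 12 octets."""
    return hmac.new(auth_key, message, algo).digest()[:AUTH_PARAMS_LEN]


def verify_auth_params(auth_key: bytes, message: bytes, tag: bytes, algo: str = "md5") -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(auth_params(auth_key, message, algo), tag)


# RFC 3414 Appendix A.3 test-vector inputs (12-octet engineID, password "maplesyrup").
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC_PASSWORD = b"maplesyrup"
# Constructed: a second engineID, to show that localization separates keys per engine.
OTHER_ENGINE_ID = bytes.fromhex("000000000000000000000003")


def demo() -> dict:
    kul_md5 = usm_key(RFC_PASSWORD, RFC_ENGINE_ID, "md5")
    kul_sha1 = usm_key(RFC_PASSWORD, RFC_ENGINE_ID, "sha1")
    kul_other = usm_key(RFC_PASSWORD, OTHER_ENGINE_ID, "md5")

    # Constructed stand-in for an SNMPv3 message: a few header bytes, the zeroed
    # authParams slot, then payload. Real messages are BER-encoded SNMPv3 PDUs.
    message = b"\x30\x10\x02\x01\x03" + b"\x00" * AUTH_PARAMS_LEN + b"GET sysDescr"
    tag = auth_params(kul_md5, message)
    tampered = message[:-1] + b"\x00"   # one payload byte changed in transit

    return {
        "kul_md5": kul_md5.hex(),
        "kul_sha1": kul_sha1.hex(),
        "other_engine_differs": kul_other != kul_md5,
        "tag_len": len(tag),
        "verified": verify_auth_params(kul_md5, message, tag),
        "tampered_verified": verify_auth_params(kul_md5, tampered, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The localized MD5 key for the RFC inputs is `526f5eed9fcce26f8964c2930787d82b`, the published Appendix A.3.1 value; changing only the engineID changes the key, which is why each SAM identity's engineId is part of what the host must track alongside its keys. The tag check rejects a message whose payload has changed by a single byte.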
The purpose of the HID Admin identity is to manage the keys and configuration data that originate from
HID. The OEM Admin identity can be used to create custom keys and to perform operations that do
not require high levels of security.
When a customer receives an encoder, its OEM Admin SNMP keys are set to default/public
values. When the host application is started for the first time, it prompts you to change the keys to
be managed. The host application then stores the changed OEM Admin keys in its local database,
encrypted using your application password.