HID iCLASS SE Encoder User Guide


Overview
PLT-01067, Version: A.3, April 2014
Page 1-2

1.1 Main Concepts

To get the most out of the CP1000 iCLASS SE Encoder, there are several concepts that should be understood.

Key Management

Credential Credit Management

Formats

Plugin Architecture

Work Orders

Work Instructions

Creating Custom Applications

1.1.1 Key Management

The iCLASS SE Encoder is an HID Global product that encodes user credentials and reader configuration data. To provide a high level of security, the encoder uses a smart card chip (an ISO 7816 compliant device) to perform key management and to run the encoding applications. This component of the encoder is called the Secure Access Module (SAM).

A typical encoding operation requires knowledge of the card's default/transport keys, the user credential or reader configuration data, and the new keys that will protect the credential. The keys involved in an encoding operation may be managed by HID or created by the customer and provisioned into the SAM.

Key management follows current security practice and uses cryptographic algorithms and procedures that have been validated by industry, so as to provide secure solutions for HID and its customers. The rest of this document describes the different types of keys and how they are managed.

1.1.2 Administration Keys

Configuration data and keys used during encoding operations are loaded, updated and deleted using the Simple Network Management Protocol (SNMP) version 3. SNMP is an Internet-standard protocol for managing devices on IP networks, defined by RFC 3411 through RFC 3418. Although the protocol is intended for IP devices, it is used here over other transport and application protocols, namely ISO 7816 APDUs exchanged with the SAM through PC/SC readers (the original text cites ISO 7816-3, which defines the card transmission protocol; the APDU structure itself is specified in ISO 7816-4).

A typical SNMP message is encrypted and authenticated using 16-byte keys and carries metadata identifying the cryptographic mechanisms that protect it. Its actions are expressed as a set of verbs such as GET and SET. The key used for encryption is called the SNMP encryption (privacy) key and the key used for authentication is called the SNMP signing (authentication) key. Note that in SNMPv3, under the User-based Security Model of RFC 3414, the "signature" is a symmetric HMAC computed with a shared secret rather than a public-key signature: any party holding the authentication key can both produce and verify it, so the administration keys must be protected on the host side as carefully as they are inside the SAM.

A device or software application implementing the SNMP standard is called an SNMP endpoint or engine and is identified by one or more engineId/username pairs.

The encoder SAM is an SNMP endpoint with two identities: HID Admin and OEM Admin. Each identity is recognised by an engineId and username pair, as described in the SNMP standard, and each identity has two associated keys (an SNMP encryption key and an SNMP signing key).
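The two preceding passages describe SNMPv3 message protection in terms of an engineId/username identity with one authentication key and one privacy key each. The following is an added example, not HID's code and not taken from the manual: it implements the RFC 3414 User-based Security Model key derivation (password to key, then localisation to a specific engineId) and HMAC-MD5-96 message authentication, which is what a 16-byte "signing" key is actually used for. The manual does not say which USM algorithms the SAM uses; HMAC-MD5 and AES-128/DES are assumed here only because they are the USM options that use 16-byte keys. The engineIds and passphrases below are constructed values (the first engineId and passphrase are the RFC 3414 Appendix A.3.1 test vector).

```python
"""RFC 3414 (SNMPv3 USM) key derivation and message authentication.

Added example, not HID's code. Algorithm choice (MD5-based keys,
HMAC-MD5-96) is an assumption; the manual only states that keys are 16 bytes.
"""
import hashlib
import hmac

# RFC 3414 A.2: the passphrase is repeated to exactly 1,048,576 bytes and hashed.
PASSWORD_EXPANSION_LEN = 1_048_576
AUTH_TAG_LEN = 12  # HMAC-MD5-96 / HMAC-SHA-96 truncate the MAC to 12 bytes


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku = H(password cycled to 1,048,576 bytes).  Slow by design."""
    if not password:
        raise ValueError("empty passphrase")
    reps, rem = divmod(PASSWORD_EXPANSION_LEN, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || engineID || Ku): binds the key to one SNMP engine.

    This is why the same passphrase yields different keys for the two
    SAM identities (HID Admin vs OEM Admin) when their engineIds differ.
    """
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def derive_identity_keys(engine_id: bytes, auth_pass: bytes, priv_pass: bytes,
                         hash_name: str = "md5") -> tuple[bytes, bytes]:
    """Return (authentication key, privacy key) for one engineId/username identity."""
    auth_key = localize_key(password_to_key(auth_pass, hash_name), engine_id, hash_name)
    priv_key = localize_key(password_to_key(priv_pass, hash_name), engine_id, hash_name)
    return auth_key, priv_key


def authenticate(msg: bytes, auth_key: bytes) -> bytes:
    """HMAC-MD5-96 over the whole message (RFC 3414 6.3.1).

    The caller passes the serialized message with its 12-byte
    msgAuthenticationParameters field already zero-filled.
    """
    return hmac.new(auth_key, msg, hashlib.md5).digest()[:AUTH_TAG_LEN]


def verify(msg: bytes, tag: bytes, auth_key: bytes) -> bool:
    """Constant-time check; note the verifier needs the same secret as the sender."""
    return hmac.compare_digest(authenticate(msg, auth_key), tag)


# Constructed identities: engineId #1 is the RFC 3414 A.3.1 test vector value.
HID_ADMIN_ENGINE_ID = bytes.fromhex("000000000000000000000002")
OEM_ADMIN_ENGINE_ID = bytes.fromhex("000000000000000000000003")  # constructed


def demo() -> dict:
    """Derive both identities' keys from the same passphrases and authenticate a message."""
    hid_auth, hid_priv = derive_identity_keys(HID_ADMIN_ENGINE_ID, b"maplesyrup", b"privpass")
    oem_auth, oem_priv = derive_identity_keys(OEM_ADMIN_ENGINE_ID, b"maplesyrup", b"privpass")
    msg = b"\x30\x10" + b"\x00" * AUTH_TAG_LEN + b"constructed-SET-pdu"  # placeholder bytes
    tag = authenticate(msg, hid_auth)
    return {
        "hid_auth_key": hid_auth.hex(),
        "keys_differ_per_engine": hid_auth != oem_auth and hid_priv != oem_priv,
        "tag": tag.hex(),
        "verify_ok": verify(msg, tag, hid_auth),
        "verify_tampered": verify(msg + b"x", tag, hid_auth),
        "verify_wrong_identity": verify(msg, tag, oem_auth),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two points worth taking from the example: the localised key, not the passphrase, is what the host must store and what the SAM must hold for each identity; and because authentication is an HMAC, an OEM Admin message cannot be verified with the HID Admin key even when both were derived from the same passphrase, so the two identities stay cryptographically separate only as long as their engineIds differ.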