Below are answers to some of the most common questions about BioStar 2 security.


Is user information encrypted? 


The information is stored on the server as follows:


• User ID - not encrypted
• E-mail - not encrypted
• Name - Encrypted with AES-256
• Login Password - Hashed with SHA-256 (irreversible)
• PIN - Hashed with SHA-256 (irreversible)
• Fingerprint / Face Template - Encrypted with AES-256
• CARD-ID - not encrypted

• Phone number - not encrypted


The information is stored on the device as follows:

• User ID - not encrypted

• E-mail - not sent to device

• Name - Encrypted with AES-256

• Login Password - not sent to device

• PIN - Hashed with SHA-256

• Fingerprint / Face Template - Encrypted with AES-256 

• CARD-ID - not encrypted (Protected with the Primary/Secondary Key)

• User phrase - Encrypted with AES-256

  * The personal authentication message is only available with FaceStation 2 (only available to use with the SDK)


Note

- While the template is being sent to the device, the communication is encrypted with AES-256.

- In BioStar 2.6 there will be a feature to additionally encrypt the personal data. This article will be updated when BioStar 2.6 is released with more details. 



Is communication with the server and device encrypted?

Yes, communication is encrypted with 256-bit AES encryption.


How does the communication encryption work?
The communication is encrypted with AES, using the following method:
   1. The server creates a random session key.
   2. The server encrypts the randomly created session key with a fixed key and sends it to the device.
   3. The device decrypts the encrypted session key with a fixed key.
   4. From then on, the communication is encrypted with the session key.
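
The four steps above as a runnable Go sketch, added here as an illustration and not taken from BioStar 2 or its SDK. It assumes AES-256-GCM for both the key wrap and the traffic (the page names no mode); `seal`, `unseal` and `exchange` are hypothetical names and the all-zero fixed key is constructed. It also shows that a device holding a different fixed key cannot unwrap the session key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // programmer error (bad key length) or no entropy
	}
	return v
}
// gcm returns AES-256-GCM. The mode is assumed: the page says only "AES".
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal returns nonce || ciphertext || tag; unseal rejects a wrong key or altered data.
func seal(key, msg []byte) []byte {
	a := gcm(key)
	nonce := make([]byte, a.NonceSize())
	must(rand.Read(nonce))
	return a.Seal(nonce, nonce, msg, nil)
}
func unseal(key, box []byte) ([]byte, error) {
	a := gcm(key)
	if len(box) < a.NonceSize() {
		return nil, fmt.Errorf("message too short: %d bytes", len(box))
	}
	return a.Open(nil, box[:a.NonceSize()], box[a.NonceSize():], nil)
}

// exchange runs the page's steps 1-4 and returns what the device decrypts.
func exchange(serverFixed, deviceFixed, msg []byte) ([]byte, error) {
	session := make([]byte, 32)
	must(rand.Read(session))                        // 1: random session key
	wrapped := seal(serverFixed, session)           // 2: wrap under fixed key, send
	devSession, err := unseal(deviceFixed, wrapped) // 3: device unwraps
	if err != nil {
		return nil, fmt.Errorf("device cannot unwrap session key: %w", err)
	}
	return unseal(devSession, seal(session, msg)) // 4: traffic under session key
}

func main() { // constructed all-zero fixed key and message, demo only
	got, err := exchange(make([]byte, 32), make([]byte, 32), []byte("constructed message"))
	fmt.Printf("%q %v\n", got, err)
}
```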


Is communication with the web browser and server encrypted?

Yes, if you use the HTTPS protocol. Refer to the article below to configure HTTPS. 


Starting with BioStar 2.5, HTTPS will be the default configuration on install.



How can I stop my device from connecting to a malicious server posing as the same server IP?

A transport layer security (TLS/SSL) feature for the communication between the server and device has been implemented in BioStar 2.4.
This feature stops malicious users from connecting to the device by pretending to be the server with the same server IP.

 


This security is achieved by storing a digital certificate in the device.
When the device connects to the server, it will exchange an encryption key (session key) using the digital certificate to provide server identity verification.


The applied TLS version is 1.2.

Refer to the article below to configure your server:


1) icon designed by Madebyoliver from Flaticon