Below are the answers to some of the most common questions about BioStar 2 security.


Is the user information encrypted? 


The information is stored in the server as follows: 


• User ID - encrypted (BioStar 2.8 has a new feature to encrypt personal data. For more details, please click here.)
• E-mail - encrypted (BioStar 2.8 has a new feature to encrypt personal data. For more details, please click here.)
• Name - encrypted (BioStar 2.8 has a new feature to encrypt personal data. For more details, please click here.)
• Login Password - hashed with SHA-256 (one-way, not reversible)
• PIN - hashed with SHA-256 (one-way, not reversible)
• Fingerprint / Face Template - encrypted with AES-256 (in BioStar 2.6, enable the option 'Secure Communication with Device' to encrypt the template data. If you need clarification on the differences between 2.5 and 2.8, please contact the Suprema team and ask for an explanation.)

• CARD-ID - not encrypted in BioStar 2 versions older than 2.8 (BioStar 2.8 has a new feature to encrypt personal data. For more details, please click here.)
• Phone number - not encrypted (BioStar 2.8 has a new feature to encrypt personal data. For more details, please click here.)


The information is stored in the device as follows:

• User ID - encrypted with AES-256

• E-mail - not sent to a device

• Name - encrypted with AES-256

• Login Password - not sent to a device

• PIN - hashed with SHA-256 (one-way, not reversible)

• Fingerprint / Face Template (FS2/FL/F2, both IR and visual templates) - encrypted with AES-256

• CARD-ID - encrypted with AES-256

• CARD-ID on Access On Card / Secure Credential Card - protected with the Primary/Secondary Key

• User phrase (User Private Message) - encrypted with AES-256

  * The personal authentication message is only available on FaceStation 2, FaceStation F2, and X-Station 2 (and only through the SDK)


Note

- When a template is sent to the device, the communication is encrypted with AES-256.

- BioStar 2.8 also adds a feature to encrypt personal data. For more details, please click here.



Is the communication between the server and device encrypted?

Yes, the communication is encrypted with 256-bit AES encryption. 


How does communication encryption work?
The communication is encrypted with AES, and the session is set up as follows.
1. The server creates a random session key.
2. The server encrypts the random session key with a fixed key and sends it to the device.
3. The device decrypts the encrypted session key with the same fixed key.
4. All further communication is encrypted with the session key.
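The four-step session setup above, worked through as an added Go example. This is not Suprema's code: the page does not say which AES mode is used, so AES-256-GCM is assumed, and the fixed key is a constructed 32-byte placeholder standing in for the key both sides are assumed to hold.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed placeholder for the fixed key the page says both the server and
// the device hold. Not a real Suprema key. 32 bytes selects AES-256.
var fixedKey = []byte("constructed-placeholder-fixed-ky")

// seal encrypts plaintext with AES-256-GCM (mode assumed; the page only says
// "AES") and returns nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; it fails if the key is wrong or the message was altered.
func unseal(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// Steps 1 and 2 (server side): create a random session key and wrap it under
// the fixed key for transmission to the device.
func serverNewSession(fixed []byte) (sessionKey, wire []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wire, err = seal(fixed, sessionKey)
	return sessionKey, wire, err
}

// Step 3 (device side): unwrap the session key with the same fixed key.
// A device holding a different fixed key cannot recover the session key.
func deviceAcceptSession(fixed, wire []byte) ([]byte, error) {
	return unseal(fixed, wire)
}

// runExchange performs steps 1 to 4 in-process and returns the command as the
// device decrypted it under the session key.
func runExchange(fixed []byte, command string) (string, error) {
	serverKey, wire, err := serverNewSession(fixed)
	if err != nil {
		return "", err
	}
	deviceKey, err := deviceAcceptSession(fixed, wire)
	if err != nil {
		return "", err
	}
	// Step 4: application traffic is protected by the session key only.
	ct, err := seal(serverKey, []byte(command))
	if err != nil {
		return "", err
	}
	pt, err := unseal(deviceKey, ct)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	out, err := runExchange(fixedKey, "door 1: unlock")
	fmt.Println(out, err)
}
```

The thing to notice is what step 3 does and does not prove: the device learns that whoever sent the wrapped key knew the fixed key, and nothing more. Any party holding that key can produce a valid step-2 message, which is why server identity verification needs the certificate-based TLS feature the page describes under the "malicious server" question rather than the fixed key alone.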


Is the communication between a web browser and a server encrypted?

Yes, if you use the HTTPS protocol. Refer to the article below to configure HTTPS. 


From BioStar 2.5 onward, HTTPS is the default configuration at installation.



How can I prevent my device from connecting to a malicious server that uses the same IP address as the real server?

A transport layer security (TLS/SSL) feature for the communication between the server and device has been implemented in BioStar 2.4 (and later versions).
This feature stops malicious users from connecting to the device by pretending to be the server at the same server IP.



This security is achieved by storing a digital certificate in the device.
When the device connects to the server, it exchanges the encryption key (session key) using the digital certificate, which lets the device verify the server's identity.


The TLS version used is 1.2.
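The device-side identity check described above, as an added Go example that is not Suprema's code. It models the certificate stored in the device as a trust anchor, issues a server certificate that chains to it, and shows that a second certificate for the same IP address which does not chain to the anchor is rejected. The certificate names, the documentation IP address 192.0.2.10 and the use of a private CA are all constructed for the example; the page does not say how Suprema provisions its certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert generates a fresh P-256 key and a certificate for template. When
// parentKey is nil the certificate is self-signed with its own new key;
// otherwise it is signed by parent/parentKey.
func makeCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newTrustAnchor builds the certificate that would be provisioned into the
// device (a constructed demo CA, not Suprema's actual certificate).
func newTrustAnchor() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "demo-biostar-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return makeCert(tmpl, tmpl, nil)
}

// serverTemplate describes a server certificate bound to serverIP via a SAN.
func serverTemplate(serial int64, serverIP string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "biostar-server"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IPAddresses:  []net.IP{net.ParseIP(serverIP)},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// issueServerCert returns the genuine server's certificate, chained to the anchor.
func issueServerCert(anchor *x509.Certificate, anchorKey *ecdsa.PrivateKey, serverIP string) (*x509.Certificate, error) {
	cert, _, err := makeCert(serverTemplate(2, serverIP), anchor, anchorKey)
	return cert, err
}

// selfSignedServerCert models a server on the same IP whose certificate does
// not chain to the device's trust anchor.
func selfSignedServerCert(serverIP string) (*x509.Certificate, error) {
	tmpl := serverTemplate(3, serverIP)
	cert, _, err := makeCert(tmpl, tmpl, nil)
	return cert, err
}

// deviceVerifyServer is the check the device performs during the TLS
// handshake: the presented certificate must chain to the stored anchor and
// must be valid for the IP address the device dialed.
func deviceVerifyServer(anchor, presented *x509.Certificate, serverIP string) error {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverIP})
	return err
}

func main() {
	anchor, anchorKey, _ := newTrustAnchor()
	good, _ := issueServerCert(anchor, anchorKey, "192.0.2.10")
	bad, _ := selfSignedServerCert("192.0.2.10")
	fmt.Println("genuine server:", deviceVerifyServer(anchor, good, "192.0.2.10"))
	fmt.Println("other server:  ", deviceVerifyServer(anchor, bad, "192.0.2.10"))
}
```

Matching the IP alone is not enough; both checks in deviceVerifyServer have to pass, and the certificate that chains to the anchor is what a server with the same IP address cannot forge. In a real Go TLS client the same two checks happen automatically when tls.Config carries the anchor in RootCAs and the dialed address in ServerName, with MinVersion set to tls.VersionTLS12 to match the version the page states.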

Refer to the article below to configure your server:

