Below are answers to some of the most common questions about BioStar 2 security
Is user information encrypted?
Below are how the information is stored in the server:
• User ID - not encrypted
• E-mail - not encrypted
• Name - not encrypted
• Login Password - SHA-256 irreversible encryption
• PIN - Encrypted with SHA-256 irreversible encryption
• Fingerprint / Face Template - Encrypted with AES-256 (From Biostar 2.6 or higher version than 2.6 , Enable the option 'Secure Communication with Device' to encrypt the template data)
• CARD-ID - not encrypted
• Phone number - not encrypted
Below are how the information is stored in the device:
• User ID - not encrypted
• E-mail - not sent to device
• Name - Encrypted with AES-256
• Login Password - not sent to device
• PIN - Encrypted with SHA-256
• Fingerprint / Face Template(FS2/FL/F2 both IR & Visual templates) - Encrypted with AES-256
• CARD-ID - not encrypted (Protected with the Primary/Secondary Key)
• User phrase (User Private Message): AES-256
* personal authentication message is only available with FaceStation 2 (only available to use with the SDK)
- While the template is being sent to the device, the communication is encrypted in AES256.
- In BioStar 2.8 there is a new feature to additionally encrypt the personal data. For more details, please click here.
Is communication with the server and device encrypted?
Yes, communication is encrypted with 256 bit AES encryption.
How does the communication encryption work?
The communication is encrypted through AES and the method is as follows.
1. The server creates a random session key.
2. The sever encrypts the randomly created session key with a fixed key and sends it to the device.
3. The device decrypts the encrypted session key with a fixed key.
4. Then the communication is encrypted through the session key.
Is communication with the web browser and server encrypted?
Yes, if you use the HTTPS protocol. Refer to the article below to configure HTTPS.
Starting BioStar 2.5, HTTPS will be the default configuration on install.
How can I stop my device from connecting to a malicious server posing as the same server IP?
A transport layer security (TLS/SSL) feature for the communication between the server and device has been implemented in BioStar 2.4.
This feature would stop malicious users from connecting to the device by pretending to be the server with the same server IP.
This security is achieved by storing a digital certificate in the device.
When the device connects to the server, it will exchange an encryption key (session key) using the digital certificate to provide server identity verification.
The applied TLS version is 1.1 and 1.2.
Refer to the article below to configure your server:
1) icon designed by Madebyoliver from Flaticon