With TLS encryption implemented and used in conjunction with OSDP Secure Channel, Elements can offer a secure connection from the cloud to the reader.
TLS Encryption
TLS (Transport Layer Security) protocol uses certificates (asymmetric cryptography) to authenticate the other party (gateway and controller). Once the gateway authenticates the controller, they exchange a symmetric key to encrypt the rest of the data transmission during the session. The session keys are generated using the TLS certificates on the controller and gateway. One of the benefits of TLS is it provides encryption without the need to pre-load and manage AES encryption keys.
Only factory certificates are supported for TLS protocol.
OSDP Secure Channel
Secure Channel is the encryption and authentication scheme used by OSDP V2 compliant devices to protect communication between access controllers and readers. Secure Channel creates a secure session by using various initialization messages, which perform mutual authentication and establish a set of keys that control panel to peripheral device communication. If controllers and readers do not establish a secure session, the communication link can be an attack vector. OSDP with Secure Channel prevents "man-in-the-middle" attacks (readers pulled from the wall, wires removed, and malicious data injected onto the wires). Additionally, smart card communication, powered by transparent mode, moves all card security logic off the reader and onto the controller on the secure side of the door.
Compared to low-security legacy protocols, OSDP (Open Supervised Device Protocol) offers higher security:
- More secure than most common access control communication protocols.
- OSDP Secure Channel supports high-end AES-128 encryption (required in federal government applications).
- OSDP meets federal access control requirements like PKI for FICAM.
- Constantly monitors wiring to protect against attack threats.
How to Achieve Fully Encrypted Communication
- Use a solution that supports end-to-end security: X-Series access controllers, Series 3 reader interfaces, and OSDP Secure Channel readers.
- Enable Use TLS encryption on the access controller configuration screen which enables TLS encryption between the gateway and access controller.
- Select "TLS Required" on the controller's configuration web page. (If Use TLS encryption is enabled, make sure "TLS Required" is also selected on the controller's configuration web page.)
- Enable Use Secure Channel for OSDP readers on the reader configuration screen. Use Secure Channel is enabled by default for new OSDP readers. It is disabled for previously installed OSDP readers and may need to be enabled.
- Link the Secure Channel OSDP readers to establish encrypted communication via the secure channel.
Related Topics
Configure TLS encryption on the configuration web page
Issue communicating with OSDP readers
© Honeywell International Inc. All Rights Reserved.