Lenel OnGuard 2010 Encryption for Controllers User Guide, product version 6.4.
This guide is item number DOC-1200, revision 1.008, March 2010
Copyright 2004-2010 Lenel Systems International, Inc. Information in this document is subject
to change without notice. No part of this document may be reproduced or transmitted in any form
or by any means, electronic or mechanical, for any purpose, without the express written
permission of Lenel Systems International, Inc.
Non-English versions of Lenel documents are offered as a service to our global audiences. We
have attempted to provide an accurate translation of the text, but the official text is the English
text, and any differences in the translation are not binding and have no legal effect.
The software described in this document is furnished under a license agreement and may only be
used in accordance with the terms of that agreement. Lenel and OnGuard are registered
trademarks of Lenel Systems International, Inc.
Microsoft, Windows, Windows Server, and Windows Vista are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries. Integral and
FlashPoint are trademarks of Integral Technologies, Inc. Crystal Reports for Windows is a
trademark of Crystal Computer Services, Inc. Oracle is a registered trademark of Oracle
Corporation. Other product names mentioned in this User Guide may be trademarks or registered
trademarks of their respective companies and are hereby acknowledged.
Portions of this product were created using LEADTOOLS 1991-2010 LEAD Technologies, Inc.
ALL RIGHTS RESERVED.
OnGuard includes ImageStream Graphic Filters. Copyright 1991-2010 Inso Corporation. All
rights reserved. ImageStream Graphic Filters and ImageStream are registered trademarks of Inso
Corporation.
Chapter 1:
Overview
Encryption Keys
To encrypt connections, OnGuard implements the Advanced Encryption
Standard (AES). A symmetrical block cipher algorithm, such as AES, requires
that both sender and receiver use the same key. 128-bit keys are used in the
encryption between OnGuard and a Lenel controller.
Master keys are used to encrypt data packets that transfer a session key to the
controller. Master keys are the crux of the encryption process. Both ends of the
connection, the controller and host, must agree on the master key being used to
achieve a connection.
Session keys are used to encrypt any data that is communicated between
OnGuard and Lenel access controllers, except for the transfer of new session
keys. Session keys are automatically generated by OnGuard when a connection is
established with a controller. Session keys are internal to the system and never
exposed.
revision 1 7
1: Overview
installation, master key 1 will sometimes be the active master key and other times
be the inactive master key. This is also true of master key 2.
Important:
It is important to keep master key values secure. These values are shared
secretly between the controllers and OnGuard, and allow an encrypted
connection to be made.
Since the AES algorithm is public, all parties that have access to the key can
encrypt and decrypt the data.
Master key values should not be shared with anybody who is not involved in
their management. They should not be written down or electronically stored
in locations that are not secure.
connection such as a short serial cable. The host machine uses the Lenel
Controller Encryption Configuration Utility to transfer master key values.
This means that an administrator must visit each controller to manually transfer
master key values. For more information, refer to the Controller Encryption
Configuration Utility User Guide available on the OnGuard Installation disc.
Firmware Types
Controller firmware changes required to support encryption have increased the
firmware size. This firmware cannot be loaded into controllers that contain 128
KB flash chips. There are many controllers in the field that contain 128 KB flash
chips. As such, two versions of firmware are now being released. One set,
referred to as AES firmware, supports encryption. The other set, referred to as
plain firmware, does not. The two sets of firmware are identical in all other
respects, supporting all of the same features.
Either version of firmware can be loaded into a controller with a 256 KB chip
while only plain firmware can be loaded into a controller with a 128 KB chip.
If the controller contains AES firmware, .aes is shown as part of the firmware
revision, as in 3.054.aes.
LNL-500 panels shipped with serial numbers 6352 and higher already have
256 KB chips
LNL-1000 panels with serial numbers above 710 can have their chips
replaced
LNL-1000 panels with serial numbers 710 and below cannot accept a 256
KB chip
LNL-1000 panels with serial numbers 12862 and higher already contain 256
KB chips
Notes:
Note:
The controller only reads DIP switch settings when it is powered up. If DIP
switch settings are changed, the controller must go through a power cycle
before the changes are recognized in the system.
key entry. This dialog also displays when you click [Modify] in the Controller
Encryption form/tab in System Administration.
OnGuard supports three forms of master key entry: random master key
generation, pass phrase entry, and manual master key entry.
Note:
For more information about the Master Key Entry dialog, refer to the System
Options Folder or Segment Folder chapter in the System Administration
User Guide.
Note:
If a pass phrase is lost, the 128-bit master key that was generated from it can
always be exported from the OnGuard system.
2.
These procedures require the proper user permissions which are set on the Access
Control sub-tab of the System Permission Groups form in the Users folder of
System Administration.
Systems are configured for encryption on the Controller Encryption form of the
System Options folder in System Administration. Segments are configured for
encryption on the Controller Encryption sub-tab of the Segments form in System
Administration.
A controller is configured for encryption on the Encryption sub-tab of the
LNL-2000, LNL-1000, or LNL-500 Access Panels form in System Administration.
Note:
How Often
Even installations that wish to protect against an intruder intercepting packets
over a long period of time while trying to break the encryption do not need to
switch master keys often. Every six months or one year is a reasonable time
frame to address such concerns. If this type of attack is not a concern, the master
keys do not need to be changed at all.
Note:
The master key can be switched at any time if there is concern that it has
been compromised.
Segmentation
When a segment is created, all encryption-related configuration data is
automatically copied from the source segment to the new segment. This allows
for a smooth operation when encrypted controllers are moved from the source
segment to the new segment. The master key values and active master key
remain the same. Thus, the controllers do not need any updates. If desired, you
can modify the master keys in the new segment after the segment creation
process is completed.
If an encrypted controller is manually moved from one segment to another, the
controller must be updated if the master key values in the two segments differ.
This is handled automatically when the new segment is an automatic key
management segment. If the new segment is a manual key management segment,
the administrator must coordinate the segment move and manually update the
master keys in the controller.
Chapter 2:
Setting Up Encryption
Setup Encryption in a New Installation
Refer to Setup Encryption in an Existing System/Segment. Be sure to place the
controller online at the end of step 2.
Note:
2.
Verify each controller has the latest AES firmware. It may be necessary
to first configure the controller (in OnGuard) for a plain connection and
download the firmware. Note that the controller must have a 256 KB
chip before AES firmware can be downloaded.
b.
c.
d.
Additional Procedures
Switch to a New Master Key
Master key exposure is extremely low over the encrypted connections. The
master key is only used to encrypt an initial session packet in which a random
session key is transferred to the controller. All other packets in a given session
with the controller are encrypted using that session key.
Even installations that wish to protect against an intruder intercepting packets
over a long period of time while trying to break the encryption do not need to
switch master keys very often. Every six months or one year is probably a
reasonable time frame to address such concerns. If this type of attack is not a
concern, the master keys do not need to be changed at all.
With automatic key management, however, note that new master key values are
sent to the controller over the standard access control system connection when
key changes are made. When encryption is first turned on, this is going to be
done over a plain connection. On subsequent key changes, the new keys are
transferred over the existing encrypted connection.
When you want to switch master keys, simply modify the system/segment and
modify the active master key value. By default, a new random key will be
generated. Alternatively, you can use a pass phrase or manual entry. The system
will seamlessly transfer the new master key to all encrypted controllers in the
system/segment (the next time a controller comes physically online if it is
currently physically offline) and switch to an encrypted connection using it.
you on how to transfer the active master key from the system/segment to the
controller.
2.
3.
When the controller comes back online with the OnGuard system, verify that
it has the latest AES firmware. If not, download it.
4.
5.
Disable Encryption
If you want to disable encryption for a controller, segment, or system, make sure
DIP switch 8 is OFF at every controller before disabling encryption. Otherwise,
when encryption is disabled in the OnGuard system, an encryption error occurs.
Degrade a Connection
If you have already marked the controller back online in the steps above, modify
it and select Allow next connection to be downgraded. Otherwise, when the
controller is marked back online, select Yes when the message box asks if the
next connection can be downgraded. OnGuard will attempt to downgrade the
connection, transfer the currently active master key, and switch to the proper
encrypted connection. If DIP Switch 8 is currently ON at the controller, this may
not be successful. If the controller remains offline with an encryption error after
several minutes, DIP Switch 8 will need to be turned OFF at the controller. Once
OnGuard synchronizes and switches to a proper encrypted connection, DIP
switch 8 can be turned back ON.
Chapter 3:
Setting Up Encryption
Setup Encryption in a New Installation
Follow this procedure if you are initially setting up encryption in a new system/
segment (where none of the controllers are online with the OnGuard system).
For more information, refer to Configure Manual Encryption and Set Keys in
System Options Folder or Segments Folder chapter in the System Administration
User Guide.
1.
2.
Note:
3.
4.
Note:
a.
b.
Verify the controller has the latest AES firmware. If not, download it.
Note that the controller must have a 256 KB chip before AES firmware
can be downloaded.
c.
Update master key 1 with the value configured (in step 1). If you
modified master key 2, update this key as well. Note that master key
values can be exported from the access control system to a file. The
Controller Encryption Configuration Utility supports loading keys from
a file. To cut down on possible key exposure, a user may alternatively
wish to use a pass phrase that they remember and may not wish to use
the export function.
d.
e.
Place the controller on its standard connection that will be used in the
access control system.
b.
c.
For more information, refer to Access Panels Folder chapter in the System
Administration User Guide.
2.
Note:
3.
Verify each controller has the latest AES firmware. If not, download it. Note
that the controller must have a 256 KB chip before AES firmware can be
downloaded.
4.
Note:
b.
Update master key 1 with the value configured (in step 1). If you
modified master key 2, update this key as well. Note that master key
values can be exported from the access control system to a file. The
Controller Encryption Configuration Utility supports loading keys from
a file. To cut down on possible key exposure, a user may alternatively
wish to use a pass phrase that they remember and may not wish to use
the export function.
c.
d.
Place the controller on its standard connection that will be used in the
access control system.
5.
Note:
b.
For more information, refer to Access Panels Folder chapter in the System
Administration User Guide.
2.
Verify the controller has the latest AES firmware. If not, download it. Note
that the controller must have a 256 KB chip before AES firmware can be
downloaded.
3.
4.
5.
6.
b.
c.
Verify the controller has the latest AES firmware. If not, download it using
the OnGuard system. The controller must have a 256 KB chip before AES
firmware can be downloaded.
2.
Note:
a.
b.
c.
d.
3.
b.
Additional Procedures
Switch to a New Master Key
Master key exposure is extremely low over the encrypted connections. The
Master key is only used to encrypt an initial session packet in which a random
session key is transferred to the controller. All other packets in a given session
with the controller are encrypted using that session key.
Even installations that wish to protect against an intruder intercepting packets
over a long period of time while trying to break the encryption do not need to
switch master keys very often. Every six months or one year is a reasonable time
frame to address such concerns. If this type of attack is not a concern, the master
keys do not need to be changed at all.
The master key can be switched at any time if there is concern that it has been
compromised.
If you want the access control system to randomly generate the new key, the
first step is to modify the inactive key value in the access control system/
segment and generate a new random key. Do not activate this key yet.
Alternatively, if you want to use a pass phrase or manually pick a key, the
inactive key value can be updated as the first step, or can be updated later.
Note that the master key values can be exported from the access control
system to a file. The Controller Encryption Configuration Utility supports
loading keys from a file. To cut down on possible key exposure, a user may
also wish to use a pass phrase that they remember and may not wish to use
the export function.
2.
Important:
3.
Connect the controller using its standard access control system connection.
The controller should come back online with an encrypted connection using
the currently active master key. Note that if possible, controllers marked
logically offline in the access control system should be updated as well. This
will allow them to easily be marked back online in the future.
4.
After every controller has been updated, activate the inactive key in the
access control system/segment. If the new key value was set in the access
control system in step 1, this is all that is needed. Otherwise, enter the new
key value in addition to making the inactive key active. After the
inactive key is made active, the access control system should begin making
encrypted connections to the controllers using the newly activated master
key.
Note:
1.
2.
3.
Verify the controller has the latest AES firmware. If not, download it. Note
that the controller must have a 256 KB chip before AES firmware can be
downloaded.
4.
Load both master key values from the system/segment into the new
controller. Note that both key values can be exported from the access control
system into a file (generally on a diskette) and then loaded from that file into
the Lenel Controller Encryption Configuration Utility. Alternatively, you can
memorize a pass phrase to load into the keys.
5.
Connect the new controller to the OnGuard system. It should come online
with an encrypted connection using the current active master key.
If it is not possible for an authorized person to load keys into the new
controller prior to bringing it online, the controller in OnGuard must be
changed to a plain connection and DIP switch 8 must be turned OFF at the
controller. Later, you can establish an encrypted connection by following the
steps in Enable Encryption for an Existing Controller in an Encrypted
System/Segment on page 22.
Disable Encryption
If you want to disable encryption for a controller, segment, or system, make sure
DIP switch 8 is OFF at every controller before disabling encryption. Otherwise,
when encryption is disabled in the OnGuard system, an encryption error occurs.
Notes:
Note:
If the same values for the master keys are used in all segments, no other
steps are required. If the master key values (1 or 2) are different in the
old and new segment, you need to visit any controller that is being
moved and using the Lenel Controller Encryption Configuration Utility,
transfer the master key values from the new segment to the controller.
These steps can be done in either order. However, once either step is done,
the controller will be offline with a controller encryption error - master key
mismatch, until the other step is done.
Chapter 4:
Connection Errors
There are three types of connection errors that can occur: the controller does not
support encryption, the controller requires an encrypted connection, and a master
key mismatch. When any of these errors occurs, OnGuard may still be able to
connect with a connection mismatch (that is, either an upgraded or a downgraded
connection). For more information, refer to Connection Mismatch and Upgrading
and Degrading Connections on page 30.
Notes:
The master key loaded into the controller and OnGuard do not match.
A new master key is activated in the OnGuard system, but the controller is
not updated.
The active master key is updated in OnGuard and the controller is placed
back on the standard OnGuard connection without OnGuard being updated.
Notes:
Connection Mismatch
A connection mismatch error means a connection was made between the
controller and the OnGuard system; however, the connection was made by
upgrading or downgrading the connection. For more information, refer to
Upgrading and Degrading Connections on page 30.
To correct this problem, both OnGuard and the controller must agree on the type
of connection that is to be made (encrypted with the same master key or plain).
Notes:
Upgrade Connections
Upgraded connections are always attempted when a controller requires
encryption but has been configured in OnGuard for a plain connection.
System/segments attempt upgraded connections in the following order:
1.
2.
3.
4.
Degrade Connections
Degraded connections are attempted when there is a connection error due to a
controller not supporting encryption or due to a master key mismatch.
Notes:
2.
3.
4.
Note:
Note:
Whether a controller is online but the current connection does not match the
configured connection. This is indicated via separate icons on the system
status and map views, as well as reported events, current device status text,
and through additional text that can be viewed in the Properties dialog.
The following icons display in the System Status window and as default state
icons in the map view for the access controller group:
Indicates the access controller is online with a plain connection, or the
access controller is online and the user is not allowed to know whether the
connection is plain or encrypted.
Indicates the access controller is online but the current connection does
not match the configured connection.
Degraded to plain connection due to no controller encryption support - indicates an encrypted connection was configured but could not be achieved
because the controller does not support encryption. OnGuard degraded to a
plain connection to get the controller online.
Encrypted with inactive master key due to active master key mismatch - indicates an encrypted connection was configured but could not be achieved
with the current active master key due to a key mismatch. OnGuard was able
to get the controller online by using the inactive master key.
Encrypted with default master key due to active master key mismatch - indicates an encrypted connection was configured but could not be achieved
with the current active master key due to a key mismatch. OnGuard was able
to get the controller online by using the factory default master key.
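The three status texts above and the flash chip and firmware rules from the Firmware Types section can be combined into an inventory audit. The following is an added example, not part of the Lenel guide or the OnGuard product. The `Controller` record, the function names, the sample inventory and the "Online" status are assumptions made for illustration, as is the premise that status text is available exactly as quoted in this guide.

```python
import re
from dataclasses import dataclass

# Status texts quoted from the guide. Each one means the controller is online
# but not on the configured connection (encrypted with the active master key).
MISMATCH_STATUS = {
    "Degraded to plain connection due to no controller encryption support":
        "traffic is unencrypted although encryption is configured",
    "Encrypted with inactive master key due to active master key mismatch":
        "controller does not hold the active master key",
    "Encrypted with default master key due to active master key mismatch":
        "controller is using the factory default master key",
}


@dataclass
class Controller:          # hypothetical inventory record, not an OnGuard type
    name: str
    model: str             # e.g. "LNL-500", "LNL-1000"
    serial: int
    firmware: str          # "3.054.aes" is AES firmware; no ".aes" means plain
    status: str            # current device status text


def flash_chip(model: str, serial: int) -> str:
    """Serial-number rules from the Firmware Types section of the guide."""
    if model == "LNL-500":
        return "256KB" if serial >= 6352 else "unknown"
    if model == "LNL-1000":
        if serial >= 12862:
            return "256KB"
        return "replaceable" if serial > 710 else "128KB-fixed"
    return "unknown"       # the guide states no rule for other models


def readiness(c: Controller) -> str:
    """What has to happen before this controller can run encrypted."""
    if re.search(r"\.aes\b", c.firmware, re.IGNORECASE):
        return "aes-firmware-loaded"
    return {
        "256KB": "download-aes-firmware",
        "replaceable": "replace-chip-then-download",
        "128KB-fixed": "plain-only",
        "unknown": "inspect-chip",
    }[flash_chip(c.model, c.serial)]


def audit(controllers):
    """Return (name, area, finding) tuples for controllers needing attention."""
    findings = []
    for c in controllers:
        state = readiness(c)
        if state != "aes-firmware-loaded":
            findings.append((c.name, "firmware", state))
        reason = MISMATCH_STATUS.get(c.status.strip())
        if reason:
            findings.append((c.name, "connection", reason))
    return findings


# Constructed sample inventory; "Online" stands in for any non-mismatch status.
SAMPLE = [
    Controller("lobby", "LNL-1000", 500, "3.054",
               "Degraded to plain connection due to no controller encryption support"),
    Controller("dock", "LNL-1000", 9000, "3.054", "Online"),
    Controller("vault", "LNL-500", 7000, "3.054.aes",
               "Encrypted with default master key due to active master key mismatch"),
    Controller("annex", "LNL-2000", 100, "3.054", "Online"),
]

if __name__ == "__main__":
    for name, area, finding in audit(SAMPLE):
        print(f"{name:6} {area:10} {finding}")
```

A controller reported as `plain-only` can never leave a plain connection, so it is worth listing separately when deciding which segments can require encryption.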