-
We are trying to communicate with a PD that seems to require SCB on for BIOREAD, BIOREADR, BIOMATCH and BIOMATCHR; all other commands and replies work fine. The manufacturer of the device used the libosdp. Question is: where in the code can they turn off the SCB for the stated or preferably all messages, and then I can advise them how to rebuild the code.
-
By "disable SCB" I assume you mean "disable Secure Channel" and not "disable Secure Channel Block" (a part of the packet structure). The former can be achieved by setting osdp_pd_info_t::scbk to NULL during CP setup. What is the need to disable secure channel? If it doesn't work for some reason, we can fix that.
-
Thanks

On our CP / ACU we implemented a minimal set of the OSDP 2.2 commands to allow communication with multiple vendor face recognition systems. We implemented this interface with Invixium, and other companies with no trouble - all were not using the security/encryption.

We then tried to interface to ZS Timmy from China who had implemented the libosdp, and unbeknown to us, used the encryption in their PD. We spent weeks online talking past each other as when we sent the BIOREAD 0x73 we never received a reply. Only after they sent us the HEX string that they sent for BIOREAD the problem became clear. I asked them to disable the security / encryption just for testing purposes and all worked perfectly.

In summary - we had written our own OSDP from the spec as a minimal implementation. When we have spare resources we will implement the security portion to be fully compliant. Our enrollment station is unfortunately written in C#, but the CP reader controller is in C.

Thanks for your prompt response.
On Fri, Jun 28, 2024 at 8:08 AM Siddharth Chandrasekaran <***@***.***> wrote:
By "disable SCB" I assume you mean "disable Secure Channel" and not
"disable Secure Channel Block" (a part of the packet structure). The former
can be achieved by setting osdp_pd_info_t::scbk to NULL during CP setup.
What is the need to disable secure channel? If it doesn't work for some
reason, we can fix that.
-
Thanks for the context. Since the CP is the one who initiates secure channel, and your CP does not have support for it, I expect the LibOSDP PD to just respond in plain-text and everything to just work. If this does not happen, the PD vendor has used the LibOSDP-specific init-time flag EnforceSecure which is the recommended best practice for production use. You can ask them to allow a way to not pass this flag for debugging purposes only. Let me emphasise so this response is not misunderstood: using EnforceSecure is absolutely the right way to set up your CP/PD in a production OSDP bus (read more here).
I'm honestly surprised that so many companies don't implement secure channel out of the box. OSDP is straight up pointless if you don't use the secure channel feature. Not that it provides a best-in-class security (that is a different discussion) but it is something. In future, if you wish to transition to using LibOSDP instead of your own implementation of secure channel, feel free to write me an email. I can take a look at your setup and make some "smart" suggestions to ease the transition :D.
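The thread turns on whether a captured frame carries a Secure Channel Block, which is what the BIOREAD hex string revealed. The following is an added example, not code from LibOSDP or from anyone in this discussion: a small C inspector that reads the OSDP control byte and reports whether an SCB is present and whether the data block is encrypted. The names `osdp_inspect` and `osdp_frame_info` are hypothetical, the sample frames are constructed, and the capture is assumed to start at the SOM byte.

```c
#include <stdint.h>
#include <stdio.h>
#define OSDP_SOM 0x53
#define CTRL_CRC 0x04 /* control bit 2: 16-bit CRC trailer instead of checksum */
#define CTRL_SCB 0x08 /* control bit 3: Secure Channel Block follows the header */

typedef struct {
    int has_scb;      /* frame carries a Secure Channel Block */
    uint8_t scs_type; /* SEC_BLK_TYPE, 0 when there is no SCB */
    int encrypted;    /* SCS_17 / SCS_18: data block is encrypted */
    uint8_t code;     /* command or reply code, e.g. 0x73 for BIOREAD */
} osdp_frame_info;

/* Inspect one frame that starts at SOM. Returns 0, or -1 if malformed.
 * The trailing checksum/CRC and MAC are not verified here. */
int osdp_inspect(const uint8_t *f, size_t n, osdp_frame_info *out)
{
    if (n < 7 || f[0] != OSDP_SOM || (size_t)(f[2] | (f[3] << 8)) != n)
        return -1; /* too short, wrong SOM, or LEN field disagrees */
    size_t pos = 5, tail = (f[4] & CTRL_CRC) ? 2 : 1;
    *out = (osdp_frame_info){0};
    out->has_scb = (f[4] & CTRL_SCB) != 0;
    if (out->has_scb) {
        uint8_t blk_len = f[pos]; /* counts the length and type bytes too */
        if (blk_len < 2 || pos + blk_len > n)
            return -1;
        out->scs_type = f[pos + 1];
        out->encrypted = out->scs_type == 0x17 || out->scs_type == 0x18;
        pos += blk_len; /* skip the SCB to reach the command code */
    }
    if (pos + 1 + tail > n)
        return -1; /* no room left for code byte plus trailer */
    out->code = f[pos];
    return 0;
}

/* Constructed samples; payload, MAC and CRC bytes are placeholders. */
static const uint8_t PLAIN_BIOREAD[] = {0x53, 0x00, 0x0C, 0x00, 0x05, 0x73,
    0x00, 0x00, 0x02, 0x00, 0xAA, 0xAA};
static const uint8_t SECURE_BIOREAD[] = {0x53, 0x00, 0x1E, 0x00, 0x0D, 0x02, 0x17, 0x73,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0xBB, 0xBB, 0xBB, 0xBB, 0xAA, 0xAA};

int main(void)
{
    osdp_frame_info i;
    if (osdp_inspect(SECURE_BIOREAD, sizeof SECURE_BIOREAD, &i) == 0)
        printf("code=0x%02X scb=%d scs=0x%02X encrypted=%d\n",
               i.code, i.has_scb, i.scs_type, i.encrypted);
    return 0;
}
```

Running both sides' captures through a check like this shows at a glance when one end is sending SCB-wrapped frames and the other is not.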