Configuring wallet key settings in Space
Introducción
Wallet key functionality is license-dependent and available in Space from version 6.12 onwards. See Registering and licensing Space for more information or contact your Salto representative.
Wallet keys refer to digital keys that reside in the corresponding Wallet app on your phone. By using NFC to communicate with electronic locks, the same technology used by contactless key fobs or keycards, they offer a fast and reliable digital key experience on Android and Apple devices.
There are three wallet key credential provider options in Space:
- Salto: must be active when using Apple Wallet keys (iOS) provided by Salto.
- Transact: must be active when integrating the Space software with the Transact system.
- Third party: allows configuration of wallet keys from various third-party credential providers.
To use these key types in your installation, select the Wallet option so it displays under the Active keys panel.
Select the 'Wallet' option so that it is shown under the 'Active keys' panel
See also the Wallet keys section in General options for more information on how to configure wallet keys settings.
Salto settings
To configure the Salto settings, do the following:
Select System > SAM & Issuing options.
Select Wallet as required in Active keys.
In the Credential Provider panel, select Salto.
Wallet Salto settings
Enter the corresponding value in the TCI field. This is an hexadecimal value made up of 6 characters. Contact your Salto partner or tech support team for more information on this value.
Click Save. The new settings are saved and the Generate key button is enabled.
Make sure the dongle, that is, the Ethernet Ncoder in dongle mode, is correctly connected before clicking the Generate key button. Otherwise, the key won't be generated.
- Click Generate key. The Salto settings are now configured and you can start using the Salto wallet keys.
Salto statuses
| Status message | Descripción |
|---|---|
| The configuration is pending | You must enter the TCI field and follow the steps above to complete the Wallet key Salto configuration. |
| The configuration is correct | The wallet key Salto configuration has been successfully completed. |
Transact settings
To configure the Transact settings, do the following:
Select System > SAM & Issuing options.
Select Wallet as required in Active keys.
In the Credential Provider panel, select Transact.
Wallet Transact settings
Enter the corresponding key in the Activation key field. This is an hexadecimal value made up of 100 or 132 characters. Contact your Salto partner or tech support team for more information on this value.
Click Save. The new settings are saved. The Transact settings are now configured and you can start using the Transact Wallet keys.
Third party settings
The Third party option allows you to configure wallet keys from various credential providers with flexible parameter settings. This configuration involves adding both non-sensitive parameters (stored in plain text) and sensitive parameters or secrets (stored as encrypted or secure tokens).
To configure Third party settings, do the following:
Select System > SAM & Issuing options.
Select Wallet as required in Active keys.
In the Credential provider panel, select Third party.
Third party wallet settings
Format configuration
Configure the format settings in the Format configuration panel.
Enter the TCI value.
Enter the AID value.
Enter the File number. In a DESFire card's file system, an application (identified by the AID) can contain multiple data files. The File number is the specific identifier for the file within that application where the credential data is stored. It tells the reader which file to access.
Enter the Key number. Access to files and applications on a DESFire card is protected by cryptographic keys. An application can have several keys. The Key number is the identifier for the specific key that the reader must use to authenticate itself and gain permission to read the data from the specified File number.
Select the Auth type. This specifies which version of the DESFire protocol the lock's reader should use to communicate with and authenticate the mobile credential in a phone's wallet. You can choose between these two versions:
- EV1 AES
- EV2 AES
Select the Diversification type. Key diversification is a process used to create unique keys for each card or user from a single master key. The options available are:
- None: If you select None, no diversification is applied. The same base key is used for every mobile credential created. This option might be used in specific, controlled scenarios or if the third-party credential provider handles uniqueness in a different way.
- Salto: If you select Salto, it means that Salto's proprietary key diversification algorithm will be used. The key provided by the third party (like Apple or Google) will be treated as a master key. Space will then use this master key and its algorithm to generate a unique, derived key for each individual mobile credential.
If you are not going to enable random ID credentials, click Save and proceed to the next section on Security token management. If you are going to enable random ID credentials, continue with the next step.
UID retrieval
Configure the random ID credentials settings. This is only required if the third-party wallet platform (like Apple or Google) uses random IDs for their mobile credentials. UID retrieval is a process that allows the Salto reader to securely authenticate with the mobile credential and retrieve its true, static UID.
Check Enable random ID credentials to enable this setting.
Enter the AID value.
Select the Auth type:
- EV1 AES
- EV2 AES
Enter the Key number.
Security token management
After clicking Save, the non-sensitive parameters are saved and the Generate secure token button is enabled. In this step, you must enter the secret cryptographic keys provided by the third-party wallet platform (like Apple or Google). They are required to create and validate the mobile credentials that will be used in their respective wallet apps. This data is used by a dongle encoder to generate a secure token which is then sent to the Salto lock readers. The readers use this information to authenticate users' mobile credentials.
'Generate secure token' window
You can enter the following secrets based on your requirements:
- Apple key
- Google/Samsung key
- UID retrieval key (only displays if you enabled random ID credentials in the previous step)
Click Generate secure token to provision the secrets and generate the secure token.
Sensitive parameters are encrypted using an encoder dongle and stored as secure tokens in the database for security compliance. Make sure the dongle, that is, the Ethernet Ncoder in dongle mode, is correctly connected before clicking the Generate secure token button. Otherwise, the secure token won't be generated.
Once the secure token is generated, these parameters become read-only.
Key rotation process
Key rotation is a process of replacing security tokens to limit the impact of vulnerability if credentials become compromised. Effective rotation involves generating and updating new security tokens followed by a brief transition period where both old and new security tokens are accepted to prevent service disruption. Once the transition is considered finished, the old security tokens are automatically revoked.
The process generally consists of the following steps:
- Click Start key rotation to begin the process.
- Enter new values when prompted.
- A second secure token is generated, allowing locks to accept both old and new keys.
- After the transition period, click End key rotation to stop using the old secure token and thus all old keys produced with it.
Key rotation actions
See the available key rotation actions in the table below for more information.
Available actions
| Action | Description | When Available |
|---|---|---|
| Reset secure token | Removes current configuration to allow corrections. This action permanently deletes the current wallet key configuration and all associated secure tokens. Any key using the current secure token will stop working. | When a secure token exists |
| Start key rotation | Starts the process of key rotation. It creates a new secure token. During this process, new keys and old keys will coexist. | When a secure token exists |
| End key rotation | Ends the process of key rotation. The old secure token is revoked and thus old keys will stop working. | During key rotation process |
| Cancel key rotation | Cancels key rotation in progress. This action cancels the key rotation process and permanently deletes the new secure token. Any new key will stop working while the old ones will keep working. | During key rotation process |
Third party statuses
The following table describes the various status messages you may encounter when configuring third-party wallet keys.
| Status message | Description |
|---|---|
| Configuration is pending | Non-sensitive parameters need to be configured and saved |
| Secrets pending provisioning | Non-sensitive parameters are saved but secure token needs to be generated |
| Configuration is complete | All parameters are configured and secure token is generated |
| Key rotation in progress | Key rotation has been started but not finalized |
Usage restrictions
Third-party wallet keys can only be assigned to non-hotel users or visitors. They cannot be used for hotel guest check-ins with Salto encoders. Consult with your Salto technical support team for more detailed information on any of these options.
Atrás
Non configurable