
Configuring wallet key settings in Space

Introduction

Wallet key functionality is license-dependent and available in Space from version 6.12 onwards. See Registering and licensing Space for more information or contact your Salto representative.

Wallet keys refer to digital keys that reside in the corresponding Wallet app on your phone. By using NFC to communicate with electronic locks, the same technology used by contactless key fobs or keycards, they offer a fast and reliable digital key experience on Android and Apple devices.

There are three wallet key credential provider options in Space:

  • Salto: must be active when using Apple Wallet keys (iOS) provided by Salto.
  • Transact: must be active when integrating the Space software with the Transact system.
  • Third party: allows configuration of wallet keys from various third-party credential providers.

To use these key types in your installation, select the Wallet option so it displays under the Active keys panel.

Figure: Wallet keys. Select the 'Wallet' option so that it is shown under the 'Active keys' panel.

See also the Wallet keys section in General options for more information on how to configure wallet keys settings.

Salto settings

To configure the Salto settings, do the following:

  1. Select System > SAM & Issuing options.

  2. Select Wallet as required in Active keys.

  3. In the Credential Provider panel, select Salto.

Figure: Wallet Salto settings

  4. Enter the corresponding value in the TCI field. This is a hexadecimal value made up of 6 characters. Contact your Salto partner or tech support team for more information on this value.

  5. Click Save. The new settings are saved and the Generate key button is enabled.

Make sure the dongle, that is, the Ethernet Ncoder in dongle mode, is correctly connected before clicking the Generate key button. Otherwise, the key won't be generated.

  6. Click Generate key. The Salto settings are now configured and you can start using the Salto wallet keys.

Salto statuses

| Status message | Description |
| --- | --- |
| The configuration is pending | You must enter the TCI field and follow the steps above to complete the Wallet key Salto configuration. |
| The configuration is correct | The wallet key Salto configuration has been successfully completed. |

Transact settings

To configure the Transact settings, do the following:

  1. Select System > SAM & Issuing options.

  2. Select Wallet as required in Active keys.

  3. In the Credential Provider panel, select Transact.

Figure: Wallet Transact settings

  4. Enter the corresponding key in the Activation key field. This is a hexadecimal value made up of 100 or 132 characters. Contact your Salto partner or tech support team for more information on this value.

  5. Click Save. The new settings are saved. The Transact settings are now configured and you can start using the Transact Wallet keys.

Third party settings

The Third party option allows you to configure wallet keys from various credential providers with flexible parameter settings. This configuration involves adding both non-sensitive parameters (stored in plain text) and sensitive parameters or secrets (stored as encrypted or secure tokens).

To configure Third party settings, do the following:

  1. Select System > SAM & Issuing options.

  2. Select Wallet as required in Active keys.

  3. In the Credential provider panel, select Third party.

Figure: Third party wallet settings

Format configuration

Configure the format settings in the Format configuration panel.

  1. Enter the TCI value.

  2. Enter the AID value.

  3. Enter the File number. In a DESFire card's file system, an application (identified by the AID) can contain multiple data files. The File number is the specific identifier for the file within that application where the credential data is stored. It tells the reader which file to access.

  4. Enter the Key number. Access to files and applications on a DESFire card is protected by cryptographic keys. An application can have several keys. The Key number is the identifier for the specific key that the reader must use to authenticate itself and gain permission to read the data from the specified File number.

  5. Select the Auth type. This specifies which version of the DESFire protocol the lock's reader should use to communicate with and authenticate the mobile credential in a phone's wallet. You can choose between these two versions:

    • EV1 AES
    • EV2 AES
  6. Select the Diversification type. Key diversification is a process used to create unique keys for each card or user from a single master key. The options available are:

    • None: No diversification is applied. The same base key is used for every mobile credential created. This option might be used in specific, controlled scenarios or if the third-party credential provider handles uniqueness in a different way.
    • Salto: Salto's proprietary key diversification algorithm is used. The key provided by the third party (like Apple or Google) is treated as a master key. Space then uses this master key and its algorithm to generate a unique, derived key for each individual mobile credential.
  7. If you are not going to enable random ID credentials, click Save and proceed to the next section on Security token management. If you are going to enable random ID credentials, continue with the next step.
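
Added example (not Salto's code and not part of the original page): a sketch of what the Diversification type choice means for key exposure. Salto's algorithm is proprietary, so HMAC-SHA256 stands in as the derivation function; the master key, UIDs and function names are constructed for illustration, and a direct key comparison stands in for the AES challenge-response between reader and credential.

```python
import hashlib
import hmac

KEY_LEN = 16  # AES-128 key length, as used by the EV1 AES / EV2 AES auth types


def credential_key(master_key: bytes, uid: bytes, diversify: bool) -> bytes:
    """Return the key that ends up on one credential.

    diversify=False models 'None': the base key is used unchanged.
    diversify=True models a diversified setup. HMAC-SHA256 is a stand-in
    KDF (assumption); it is not Salto's proprietary algorithm.
    """
    if not diversify:
        return master_key
    mac = hmac.new(master_key, b"wallet-key-div" + uid, hashlib.sha256)
    return mac.digest()[:KEY_LEN]


def reader_accepts(master_key: bytes, uid: bytes, presented: bytes,
                   diversify: bool) -> bool:
    """Reader side: re-derive the expected key for this UID and compare."""
    expected = credential_key(master_key, uid, diversify)
    return hmac.compare_digest(expected, presented)


def exposed_credentials(master_key, uids, leaked_uid, diversify):
    """UIDs a reader would accept if the key stored for `leaked_uid` leaked."""
    leaked = credential_key(master_key, leaked_uid, diversify)
    return [u for u in uids if reader_accepts(master_key, u, leaked, diversify)]


# Constructed sample data: one master key and three 7-byte UIDs.
MASTER = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
UIDS = [bytes.fromhex(h) for h in
        ("04a1b2c3d4e5f6", "04112233445566", "04778899aabbcc")]

if __name__ == "__main__":
    for mode in (False, True):
        hit = exposed_credentials(MASTER, UIDS, UIDS[0], mode)
        print("diversified" if mode else "none", "->", len(hit), "of", len(UIDS))
```

With no diversification, the key from a single credential matches every credential in the installation; with a derived key, the exposure stays with that one credential.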

UID retrieval

Configure the random ID credentials settings. This is only required if the third-party wallet platform (like Apple or Google) uses random IDs for their mobile credentials. UID retrieval is a process that allows the Salto reader to securely authenticate with the mobile credential and retrieve its true, static UID.

  1. Check Enable random ID credentials to enable this setting.

  2. Enter the AID value.

  3. Select the Auth type:

    • EV1 AES
    • EV2 AES
  4. Enter the Key number.

Security token management

After clicking Save, the non-sensitive parameters are saved and the Generate secure token button is enabled. In this step, you must enter the secret cryptographic keys provided by the third-party wallet platform (like Apple or Google). They are required to create and validate the mobile credentials that will be used in their respective wallet apps. This data is used by a dongle encoder to generate a secure token which is then sent to the Salto lock readers. The readers use this information to authenticate users' mobile credentials.

Figure: 'Generate secure token' window

You can enter the following secrets based on your requirements:

Click Generate secure token to provision the secrets and generate the secure token.

Sensitive parameters are encrypted using an encoder dongle and stored as secure tokens in the database for security compliance. Make sure the dongle, that is, the Ethernet Ncoder in dongle mode, is correctly connected before clicking the Generate secure token button. Otherwise, the secure token won't be generated.

Once the secure token is generated, these parameters become read-only.

Key rotation process

Key rotation is the process of replacing security tokens to limit the impact if credentials become compromised. Effective rotation involves generating and updating new security tokens, followed by a brief transition period in which both old and new security tokens are accepted to prevent service disruption. Once the transition is considered finished, the old security tokens are automatically revoked.

The process generally consists of the following steps:

  1. Click Start key rotation to begin the process.
  2. Enter new values when prompted.
  3. A second secure token is generated, allowing locks to accept both old and new keys.
  4. After the transition period, click End key rotation to stop using the old secure token and thus all old keys produced with it.

Figure: Key rotation actions

See the available key rotation actions in the table below for more information.

Available actions

| Action | Description | When available |
| --- | --- | --- |
| Reset secure token | Removes current configuration to allow corrections. This action permanently deletes the current wallet key configuration and all associated secure tokens. Any key using the current secure token will stop working. | When a secure token exists |
| Start key rotation | Starts the process of key rotation. It creates a new secure token. During this process, new keys and old keys will coexist. | When a secure token exists |
| End key rotation | Ends the process of key rotation. The old secure token is revoked and thus old keys will stop working. | During key rotation process |
| Cancel key rotation | Cancels key rotation in progress. This action cancels the key rotation process and permanently deletes the new secure token. Any new key will stop working while the old ones will keep working. | During key rotation process |

Third party statuses

The following table describes the various status messages you may encounter when configuring third-party wallet keys.

| Status message | Description |
| --- | --- |
| Configuration is pending | Non-sensitive parameters need to be configured and saved |
| Secrets pending provisioning | Non-sensitive parameters are saved but secure token needs to be generated |
| Configuration is complete | All parameters are configured and secure token is generated |
| Key rotation in progress | Key rotation has been started but not finalized |
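
Added example (not Salto's code and not part of the original page): a small model of the rotation actions and status messages above, useful for checking which keys keep working after each action when planning a rotation. The class, method names and token labels are constructed; real secure tokens are produced by the dongle encoder, and the state after a reset is an assumption.

```python
class WalletKeyConfig:
    """Model of the third-party secure-token lifecycle (illustrative only)."""

    def __init__(self):
        self.params_saved = False
        self.tokens = []  # secure tokens the locks accept, oldest first

    def status(self):
        if len(self.tokens) == 2:
            return "Key rotation in progress"
        if self.tokens:
            return "Configuration is complete"
        if self.params_saved:
            return "Secrets pending provisioning"
        return "Configuration is pending"

    def _require(self, expected, action):
        if self.status() != expected:
            raise RuntimeError(f"{action!r} not available while {self.status()!r}")

    def save(self):
        self._require("Configuration is pending", "Save")
        self.params_saved = True

    def generate_secure_token(self, token):
        self._require("Secrets pending provisioning", "Generate secure token")
        self.tokens = [token]

    def start_key_rotation(self, new_token):
        self._require("Configuration is complete", "Start key rotation")
        self.tokens.append(new_token)  # old and new keys now coexist

    def end_key_rotation(self):
        self._require("Key rotation in progress", "End key rotation")
        self.tokens = self.tokens[1:]  # old token revoked, old keys stop working

    def cancel_key_rotation(self):
        self._require("Key rotation in progress", "Cancel key rotation")
        self.tokens = self.tokens[:1]  # new token deleted, old keys keep working

    def reset_secure_token(self):
        if not self.tokens:
            raise RuntimeError("'Reset secure token' needs an existing secure token")
        # Assumption: reset returns the configuration to its initial state.
        self.tokens, self.params_saved = [], False

    def lock_accepts(self, key_token):
        """A key works only while the token it was produced with is accepted."""
        return key_token in self.tokens
```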

Usage restrictions

Third-party wallet keys can only be assigned to non-hotel users or visitors. They cannot be used for hotel guest check-ins with Salto encoders. Consult with your Salto technical support team for more detailed information on any of these options.
