Doors.NET - Network and Data Security and Encryption

1.0 Introduction

This document explains the security measures in place in Doors.NET to minimize the possibility of data being intercepted or of an unauthorised intrusion on the network. The Doors.NET™ system encrypts the data between the Application Server and the Gateways/Clients and also between the Gateway and the controllers. These two links are independent of each other and can use different encryption algorithms and bit strengths. Encryption is therefore implemented in two areas: network socket communications between the Application Server and all incoming connections, and the Gateway's communications with each controller connected to that Gateway.


2.0 Data Encryption

  1. The Doors.NET™ system uses 128-bit AES encryption to protect the data between the Application Server and the Gateways/Clients. AES-128 indicates the use of a 128-bit key and is the algorithm/bit strength supported between the controller and the Gateway.
  2. The Gateway's communications with each controller connected to that Gateway are also encrypted.
  3. The Gateway can also be configured to require TLS and optional TLS certificate verification.
  4. Network socket communications are encrypted between the Application Server and all incoming connections and the Application Server is the only component that connects to the database.
  5. When using the most recent versions of Doors.NET, all passwords (not just admin) are stored using a one-way hash algorithm that is unique to that system. There is no way to determine a password in the database.
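
As an added illustration of item 5 (this is not Doors.NET code; the page does not disclose the algorithm it uses), the example below shows one common way to store passwords as a one-way hash that is bound to a single installation. The function names, the per-installation `system_key`, PBKDF2-HMAC-SHA256 and the iteration count are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 600_000  # assumed work factor for this example


def _bind_salt(system_key: bytes, salt: bytes) -> bytes:
    # Mix the per-installation key into the per-account salt so the stored
    # value depends on both the account and the system it was created on.
    return hmac.new(system_key, salt, hashlib.sha256).digest()


def hash_password(password: str, system_key: bytes,
                  salt: Optional[bytes] = None) -> str:
    """Return a storable record: iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 _bind_salt(system_key, salt), ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str, system_key: bytes) -> bool:
    """Recompute the hash for a login attempt and compare in constant time."""
    try:
        iterations_s, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    _bind_salt(system_key, salt), iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample values: two installations, same password.
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    record = hash_password("Example-Passw0rd", key_a)
    print(record)
    print(verify_password("Example-Passw0rd", record, key_a))  # same system
    print(verify_password("Example-Passw0rd", record, key_b))  # other system
```

The stored record contains only the salt and the derived digest, so a copy of the table does not reveal the passwords, and a record copied to another installation does not verify there.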


3.0 Controller Security

3.1 PXL-500 With LAN-520

  1. For PXL-500 controllers using LAN-520 modules, you can configure the LAN-520 with a Telnet password, and you can additionally disable Telnet setup and disable the web configuration manager.

  2. You can also change the TCP/IP communication port number.


3.2 NXT-MSC Controllers

Data security for connections between the NXT-MSC controllers and the Gateway is provided by the full implementation of the Federal Information Processing Standard, FIPS-197, utilizing the Advanced Encryption Standard (AES), also known as Rijndael, a symmetric encryption algorithm. FIPS-197 supersedes the aging Data Encryption Standard (DES) defined in FIPS-46-3.
  1. NXT-MSC controllers can be configured to use 128-bit AES encryption.
  2. NXT-MSC controllers can be configured with TLS, password, TLS+password and optionally IP address restriction when communicating with the gateway.
  3. The NXT-MSC controllers have an enhanced security policy that requires someone to be physically near the controller before they can log into the controller using the default username and password.


3.3 Mercury EP and LP Controllers

  1. The LP controllers use 128-bit AES automatically when communicating with S3 downstream devices on the RS-485.
  2. EP/LP controllers can be configured with TLS, password, TLS+password and optionally IP address restriction when communicating with the gateway.
  3. All LP controllers can be configured with 802.1X if a RADIUS server is available on the network for authentication. 802.1X is a network authentication protocol that opens ports for network access when an organization authenticates a user’s identity and authorizes them for access to the network. The user’s identity is determined based on their credentials or certificate, which is confirmed by the RADIUS server.


4.0 Reader Security

4.1 NXT Readers

  1. When using NXT readers, the data between the reader and the credential is fully encrypted.
  2. The readers are also 'fully supervised' - so if the reader cable is severed or disconnected an offline notification event will appear almost immediately in the software.


4.2 OSDP Readers

  1. Use 128-bit AES encryption to prevent ‘man-in-the-middle’ attacks.
  2. Supports encryption between the reader and the controller which is independent of the reader and credential communication protocols.
  3. Again, as with NXT readers, they are continuously monitored, ensuring that the system is protected against threats.
