Bioscrypt VPROXAH4065 V-Prox, A User Manual VeriSeries UserManual

Bioscrypt, Inc. V-Prox, A VeriSeries UserManual

Contents

users manual 2

UNIT PARAMETER SETTINGS

© Copyright 2002, Bioscrypt Inc.  All rights reserved.

Creating USER DEFINED PASS-THRU Format Options

The user has the ability to add custom defined PASS-THRU formats to the VeriAdmin software. These will be added to the dropdown list in the BII_UNIT PARAMETER SETTINGS dialog box. In the installation directory there is a file called WFORMAT.DAT that contains all displayed Wiegand formats.

WFORMAT.DAT contains both pre-defined formats and PASS-THRU formats. See below for an example of the contents of that file. All lines that begin with ‘//’ are ignored. PRE-DEFINED formats follow the format:

    WIEGAND <MV1100_Code> <#bits> <text_string(no spaces)>

WARNING: These should NOT be changed or added to unless directed by Bioscrypt TECHNICAL SUPPORT. Any modifications to this section could cause unreliable Wiegand communications using PRE-DEFINED formats.

The next section shows the PASS-THRU Formats and follows the format:

    WIEGAND_PASS <label> <TOTAL_BITS> <ID_START_BIT> <ID_NUM_BITS>

Where:
WIEGAND_PASS is the identification that this is a PASS_THRU format
<label> is the Description shown in the dropdown list (no spaces)
<TOTAL_BITS> is the total number of bits in the entire Wiegand String (maximum is 64)
<ID_START_BIT> is the starting bit of the ID FIELD (where the first bit is 0)
<ID_NUM_BITS> is the number of bits in the ID FIELD (must be contiguous)
For Example:

Standard 26-bit Wiegand is --  PSSSSSSSSDDDDDDDDDDDDDDDDP
(1 Parity bit, 8 SITE CODE bits, 16 ID bits, 1 Parity)
- 26 total bits
- ID Start Bit is 9 (where first bit is 0)
- ID Number of Bits is 16

This would be represented as:

    WIEGAND_PASS 26-Bit-Pass_Thru 26 9 16

And the text, “26-Bit-Pass_Thru” would be added to the dropdown box. Selection of this option would show the data in the associated boxes.

As seen below, one special format ( CUSTOM -1 -1 -1 ) is also added. When this is selected, the user can enter the TOTAL_BITS, ID_START_BITS, and ID_NUM_BITS directly into the VeriAdmin user interface. These values can then be sent to the BII_UNIT. The values are NOT saved to the WFORMAT.DAT file however. To add items directly to the file, any standard text editor will work since WFORMAT.DAT is a text file.

    //
    // format is: IDENTIFIER MV1100_Code #bits text_string(no spaces)
    //
    WIEGAND 0 26 Standard
    WIEGAND 1 44 Apollo
    WIEGAND 2 34 Northern
    WIEGAND 3 34 Northern(no_parity)
    WIEGAND 4 34 Ademco
    WIEGAND 5 35 HID_Corporate
    WIEGAND 6 37 HID
    //
    // format is: IDENTIFIER text_string(no spaces) TOTAL_BITS ID_START_BIT ID_NUM_BITS
    //            (* note: ID_START_BIT is zero-based *)
    //
    WIEGAND_PASS 26-Bit-Pass_Thru 26 9 16
    WIEGAND_PASS Kantech-XSF 39 22 16
    WIEGAND_PASS CUSTOM -1 -1 -1
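The following is an added example, not Bioscrypt code: a checker for WIEGAND_PASS entries that enforces the limits stated above (at most 64 total bits, a contiguous ID field inside the string) and pulls the ID field out of a received bit string. The function names, the most-significant-bit-first reading of the ID field, and the sample card bits are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_TOTAL_BITS = 64  # the manual's stated maximum for TOTAL_BITS

# Lines taken from the manual's WFORMAT.DAT listing.
SAMPLE_WFORMAT = """\
// format is: IDENTIFIER MV1100_Code #bits text_string(no spaces)
WIEGAND 0 26 Standard
// format is: IDENTIFIER text_string(no spaces) TOTAL_BITS ID_START_BIT ID_NUM_BITS
WIEGAND_PASS 26-Bit-Pass_Thru 26 9 16
WIEGAND_PASS Kantech-XSF 39 22 16
WIEGAND_PASS CUSTOM -1 -1 -1
"""


@dataclass(frozen=True)
class PassThruFormat:
    label: str
    total_bits: int
    id_start_bit: int  # zero-based: bit 0 is the first bit of the string
    id_num_bits: int

    @property
    def is_custom(self) -> bool:
        # The special CUSTOM entry carries -1 -1 -1 and has no fixed layout.
        return (self.total_bits, self.id_start_bit, self.id_num_bits) == (-1, -1, -1)


def check_format(fmt):
    """Return a list of problems with one entry (empty list means usable)."""
    if fmt.is_custom:
        return []
    problems = []
    if not 1 <= fmt.total_bits <= MAX_TOTAL_BITS:
        problems.append(f"TOTAL_BITS {fmt.total_bits} outside 1..{MAX_TOTAL_BITS}")
    if fmt.id_start_bit < 0:
        problems.append("ID_START_BIT is negative")
    if fmt.id_num_bits < 1:
        problems.append("ID_NUM_BITS must be at least 1")
    if fmt.id_start_bit + fmt.id_num_bits > fmt.total_bits:
        problems.append("ID field runs past the end of the Wiegand string")
    return problems


def parse_wformat(text):
    """Parse WIEGAND_PASS lines; return (formats, errors as (line_no, message))."""
    formats, errors = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("//"):
            continue  # comment lines are ignored, as the manual states
        fields = line.split()
        if fields[0] != "WIEGAND_PASS":
            continue  # pre-defined WIEGAND lines are deliberately left alone
        if len(fields) != 5:
            errors.append((line_no, "expected 5 whitespace-separated fields"))
            continue
        try:
            total, start, count = (int(f) for f in fields[2:])
        except ValueError:
            # Also catches a typographic dash pasted in place of a minus sign.
            errors.append((line_no, "bit counts must be plain integers"))
            continue
        fmt = PassThruFormat(fields[1], total, start, count)
        problems = check_format(fmt)
        if problems:
            errors.extend((line_no, p) for p in problems)
        else:
            formats.append(fmt)
    return formats, errors


def extract_id(fmt, bits):
    """Return the ID field of `bits` (a '0'/'1' string, bit 0 first).

    Assumption: the field is read most significant bit first. Parity bits are
    not checked, because a WIEGAND_PASS line does not describe them.
    """
    if fmt.is_custom:
        raise ValueError("CUSTOM has no fixed layout")
    if len(bits) != fmt.total_bits or set(bits) - {"0", "1"}:
        raise ValueError(f"expected {fmt.total_bits} bits of 0/1")
    return int(bits[fmt.id_start_bit:fmt.id_start_bit + fmt.id_num_bits], 2)


def sample_26bit(site_code, card_id):
    """Constructed test input: P + 8 site bits + 16 ID bits + P (parity left 0)."""
    return "0" + format(site_code, "08b") + format(card_id, "016b") + "0"


if __name__ == "__main__":
    formats, errors = parse_wformat(SAMPLE_WFORMAT)
    for fmt in formats:
        print(fmt)
    print("errors:", errors)
    print("ID:", extract_id(formats[0], sample_26bit(42, 1234)))
```

Running the checker on WFORMAT.DAT after any hand edit catches entries whose ID field would fall outside the string before they reach a unit.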
AUX PORT SECURITY

This allows the Administrator to set a password for the AUX port to DISABLE unauthorized AUX Port communications. The purpose is to prevent unauthorized users from accessing the AUX port unless the password is supplied to re-ENABLE the port.

In the dialog, the current state is shown. The Administrator would select DISABLE and supply a numeric password, and press the SET button. The supplied numeric password should be remembered since it is required to ENABLE the AUX port while communicating on the AUX port.

Once the AUX port is disabled, no communications are accepted over the AUX port unless the ENABLE PORT option is chosen in 1 of 2 ways.

• If communicating over the HOST PORT
  o The ENABLE PORT command will enable AUX port communications and a password is NOT required. This allows the unit to be reset over the HOST port if the AUX password is forgotten. VeriAdmin allows this since the network is considered secure.
• If communicating over the AUX PORT
  o The ENABLE PORT command will enable AUX port communications ONLY if the correct password is supplied. All other commands will return an error indicating a ‘locked port’ until the port is enabled properly.

Bioscrypt recommends that the AUX port be disabled and password protected.

When an Administrator needs to communicate with the device using the AUX Port, the procedure would be:

• connect to the AUX port,
• use VeriAdmin to bring up the BII_UNIT PARAMETER SETTINGS dialog
• choose ENABLE PORT, supply the correct password, and press SET

All communications would then be allowed. Once all data is gathered, the Administrator would then disable the AUX port by:

• use VeriAdmin to bring up the BII_UNIT PARAMETER SETTINGS dialog
• choose DISABLE PORT, supply a new password, and press SET

This would once again protect the AUX port from unauthorized use.
Broadcast Parameters

The Broadcast window allows you to modify settings on all units in a networked environment at the same time (See Appendix B). Under most circumstances, you will use this window when communicating over the Host Port (recall that the Aux Port primarily is for communicating with a single unit). You will note that the window is similar to the Unit Parameters window.

Figure 21: Broadcast Parameters Window

Note: As with the BII_Unit Parameter Settings window, change one setting at a time and click the Broadcast button after each change. For example: if you wish to change the Security Threshold and the Wiegand Out string: 1) change the threshold; 2) click the Broadcast button in the security section; 3) change the string; and, 4) click the Broadcast button in that section.

Figure 21 callouts:
• The PC baud rate will update automatically.
• Enter the ID#, then either: enter the Index#, or check the Delete all indices… box
Network Status

The Net Status window displays the condition of all units networked.

Figure 226: Network Status Window

Each unit defined in the UNITIDS.DAT file is represented with a TAB for each defined Communications Port. 3 lines of text identify:

• The Type of unit (Veri*, V-PASS or V-PASS-no) as defined in UNITIDS.DAT file
• The Network ID
• State (Idle, Busy, No Response)

Figure callouts:
• Comm Port TAB
• Pressing REFRESH will check all units on the selected COMM Port
• RED represents the currently selected unit
• You can click the mouse button on each Icon to make that UNIT the currently selected unit
The Veri* designates a unit is a VeriProx or VeriFlex. V-PASS designates a V-PASS product and “V-PASS-no” represents a V-PASS product with Auto Finger Detect turned OFF. A type of ‘MISMATCH’ indicates the UNITIDS.DAT file does not match the actual unit on the network.
Advanced Enrollment

The Advanced Template Enrollment is the recommended tool for enrolling all templates. This allows multiple templates to be sampled and the corresponding template created. Users can sample different fingers or multiple enrollments of the same finger. Each time an enrollment is sampled, the “best” template is identified between the current 3 samples. Users then have the option of ACCEPTing the enrollment of their choice. NOTE: No enrollments are saved until 1 of the 3 ACCEPT buttons is pressed.

This tool can be used to train users by demonstrating how proper finger placement is a critical aspect in obtaining a good enrollment. This tool can also show how different fingers on the same person can have very different QUALITY and CONTENT ratings.

Figure 27: The Advanced Enrollment Screen
The Advanced Enrollment process is as follows:

1. In the Template ID field, type in the Template ID (the template ID should be the proximity card ID number for the VeriProx or if a Wiegand IN device is used. Do not include a site code designation.) OR Press the FROM READER button and wave the card in front of the Wiegand INPUT device to read the ID from the card.
2. In the Index field, enter the index of the template.
3. Click any ENROLL button.
Figure 28:  Advanced Enrollment – Finger Selection

4. A pop-up dialog box will allow the User to choose the finger to ENROLL. Choose which finger by clicking the corresponding checkbox.
5. The light on the current unit will glow amber requesting the enrollee to place a finger on the sensor. Nestle the Ridgelock into the first joint line on the finger. An image is scanned and both the image and corresponding template are displayed. The finger may be removed when the amber light goes out.
6. The Advanced Enrollment tool will then choose the best template among the 3 and indicate which Enrollment should be ACCEPTed.
Figure 29:  Advanced Enrollment – Recommended Choice

7. Repeat Steps 3-6 to Enroll additional sample templates. A current template can be replaced by choosing the finger to be Enrolled and pressing the ENROLL button.

NOTE: Users can indicate which finger by selecting the corresponding checkbox in the FINGER sub-window. The checkboxes represent the fingers as if both hands were placed flat on the display with fingertips touching as shown in Figure 26.
Figure 30:  Advanced Enrollment – Finger Selection Option

8. Although NOT recommended by Bioscrypt, users have the option of choosing a different Enrollment other than the one recommended. Simply press the ACCEPT button even though it is hidden by the red “NO” symbol. A warning message will be displayed to confirm this un-recommended action is desired.

Figure 31:  Advanced Enrollment – OVERRIDE Recommended Choice

9. Once an Enrollment has been selected, the normal EDIT TEMPLATE window appears so that fields can be verified and additional data added. Here is where the User Type and Security Threshold can be set. See the section in this manual on EDIT TEMPLATES for more details on saving the template to either the current unit or the PC disk.
LED Table Settings

Figure 32: LED Table Settings

Choosing the LED Table Settings menu item will allow the user to define how the reader’s LED will function under specific operations. Selecting this option will display the dialog shown in figure 30. The dropdown selection box chooses the function (enroll, verify, idle, etc.) to modify. Below that is each possible state for the selected operation. Line 1 represents GREEN LED, Line 2 represents RED LED, and Line 3 represents the Buzzer.

In the example shown, the ENROLL function is chosen. The first two states are disabled since they have no meaning for the ENROLL function.

Both Line 1 and Line 2 are chosen to indicate PLACE FINGER. This will turn GREEN and RED LEDs on creating a YELLOW LED.

The REMOVE FINGER operation is signaled by clearing all LEDs, thus making the LED turn off.

If a FINGER NOT DETECTED happens, then the RED LED is shown for 600 milliseconds.

A PASS is indicated by both turning the LED GREEN and sounding the BUZZER for 600 milliseconds.

To indicate a FLASHING LED, choose the duration and set the INTERVAL time (1350 is normal).

Figure 33: LED Table Settings

The USE TABLE checkbox indicates whether to use these settings for non-Wiegand initiated commands (like commands coming from PC). Repeat the process for other functions, then press ACCEPT to transfer to the current unit. If ACCEPT is not pressed, the changes are ignored.
Sensor Configuration

Note: This feature has been disabled in recent versions of VeriAdmin, including v4.3

Choosing the Sensor Configuration menu item will allow the reader’s sensor settings to be altered. It is recommended that only advanced users attempt to modify these settings since they can drastically affect the fingerprint reader’s performance. Please call Bioscrypt Technical Support with any questions before attempting modifications.

The Bioscrypt sensor needs to be calibrated for optimal performance.

For Veridicom Sensors:
To perform this task the user should place their finger on the sensor of the reader identified by the current Communication settings. Next, press the CALIBRATE button and hold the finger steady until the progress bar completes. The new values will be displayed and the VeriAdmin software will ask if you want to see a test image. With the finger still on the sensor, select YES. An image will be scanned and displayed. If the image looks good, choose YES to accept the new values.

For Authentec Sensors:
To perform this task the user should NOT place their finger on the sensor of the reader. Press the CALIBRATE button.

The TEST IMAGE button will scan and display a fingerprint image.

Figure 34: Sensor Configuration Menu

Figure 35: Sensor Configuration

NOTE: A Network ID of –1 is NOT valid for these operations
Update Firmware

Figure 37: Update Firmware Menu Option

Choosing the Update Firmware menu item will allow the reader’s DSP firmware to be field-updated. Also, for V-Smart units, the external storage device (ESI) can also be programmed in the field. It is recommended that only advanced users attempt to perform this operation. Please call Bioscrypt Technical Support with any questions.

Figure 36: Update Firmware Menu Option

Choosing this option will begin the Update Firmware Wizard. Follow the steps and choose the correct firmware file. This process can take between 1-10 minutes depending on the current baud rate settings.

NOTE: Before attempting this operation, make sure the current communication settings are correct and that the PC and reader are communicating properly. It is recommended that the HELP, ABOUT VERIADMIN menu option is used both before and after this operation to ensure the firmware version changed. Depending on the prior version, downloading a new firmware version may also cause an extra step to be performed after the firmware download. If this happens, the user will be given informational messages indicating the additional steps. Although not necessary, it is recommended that all templates be backed-up to the PC before a firmware update. If power is disconnected during a firmware update, the Bioscrypt unit may become inoperable.

Figure 34: Update Firmware Wizard
Restore Factory Defaults

Choosing the Restore Factory Defaults menu item will allow the Bioscrypt reader to be reset to the default firmware setting. It is recommended that only advanced users attempt to use this operation. Please call Bioscrypt Technical Support with any questions.

Figure 38: Reset BII_Unit to Factory Defaults Menu Option
Two options are given: RS-485 Default and RS232. The associated Factory Default settings are identified for each option. Proper communication must be established with the reader before this operation can be successfully performed.

Press the button of the option desired and each Parameter will be set on the reader.

Figure 39: Reset Parameters

NOTE: A Network ID of –1 is NOT valid for this operation.
Template Conversion

Choosing the Template Conversion menu item will allow the user to convert templates stored on the PC from the larger Searching templates used with the V-PASS to the smaller 1:1 Verification Templates used with the VeriProx and VeriFlex (see Appendix C for details).

It is recommended that only advanced users attempt to perform this operation. Please call Bioscrypt Technical Support with any questions.

Figure 40: Template Conversion Menu

Figure 41: Template Conversion Dialog
Using the Template Conversion Dialog, users can choose the Source (V-PASS template) and Destination (VeriProx/VeriFlex template) directories by pressing the appropriate STORAGE FOLDER button and selecting the desired directory.

Next, highlight the V-PASS Searching templates that you wish to convert (or press the SEL ALL button to select all appropriate templates in the selected directory).

Pressing the Right Arrow button will convert all selected V-PASS templates to VeriProx/VeriFlex templates. The names will remain the same, but the extension will change from “.mtm” to “.tem”.
Verification Action Response

Figure 42: Verification Action Response

Choosing the Verification Action Response menu item will allow users to customize the way the unit responds to a Verification Action.

Under Normal operations, the Veri-Series unit will respond based on how a Verification Action was initiated. When a Wiegand INPUT initiates the action, a Wiegand OUTPUT is used to respond. When a Verification Action is initiated over a communications port by using the Bioscrypt DLL or low-level commands (described in the MV1100 SDK), then the response packet is returned on the same communication port (either HOST or AUX). This menu allows the user to select other Verification Responses in addition to the normal response.

The Line Trigger is a signal line that will trigger for the defined number of seconds on a successful verification. Although not a true TTL level signal, this trigger could be used to initiate a relay or other device. The Line Trigger is the GREEN wire on the Veri-Series pigtail.

It is recommended that only advanced users who are working with the SDK and writing their own custom software attempt to enable the HOST or AUX ALWAYS operations. Please call Bioscrypt Technical Support with any questions.

Figure 43: Verification Action Dialog
Wiegand Utilities
(* requires firmware v3.2 or higher)

Figure 45: Wiegand Card Utilities Dialog

Choosing the Wiegand Utilities menu item will allow users to define specific Administrator IDs that will not require a fingerprint to initiate the ENROLL and DELETE actions.

Under Normal operations, ENROLL and DELETE COMMAND CARDS require a fingerprint verification to be performed that ensures the correct person is using the ADMIN card.

The Wiegand Utilities Dialog allows Administrators to create specific IDs that can initiate the following operations:

- Create ENROLLMENT Administrator Command Card
- Enroll User/Card
- Create DELETE Administrator Command Card
- Delete User/Card

Figure 44: Wiegand Utilities

By entering a Card ID in the appropriate box and pressing the SAVE key, that ID will be stored in the VeriSeries Unit memory. When a card that contains that ID is presented to the VeriSeries Product, the appropriate action will be initiated.

This feature has been added to allow installers to create ENROLL and DELETE ADMIN Command Cards without a PC if the unit has been properly pre-configured for specific card IDs by using this feature. Once these initial cards have been created, we recommend deleting the pre-configured IDs with the CLEAR ALL buttons.
Getting Service and Support

Bioscrypt, Inc. is available to provide information and assistance. Contact Bioscrypt using methods discussed below.

Before calling, copy down the following version information about your unit:

• Software
• DLL
• Algorithm
• Kernel
• PIC
• ESI (if applicable)

This can be found in the Help menu under the About menu. The ESI version can be found under the Smart Card Manager in the upper left (V-Smart only).

Technical Support

For assistance with technical matters, contact the Technical Support Department by sending e-mail to support@bioscrypt.com. To speak directly with a technician, call (818) 501-3908.

Customer Service and Sales Support

Bioscrypt is here to assist you with your questions. Contact our Customer Service and Sales support departments by calling (818) 501-3908.

World Wide Web Site

See our World Wide Web site for breaking information, and other services. The address is www.bioscrypt.com.
Appendix A – Quality and Content

Section A.1 - Basic Biometric Concepts

Biometric Definitions

Enrollment is the operation of scanning a fingerprint, determining the quality of the fingerprint scan, and storing a good template with associated data within the memory of the Veri-Series product.

Verification is the operation of presenting the user ID, either by waving a proximity card or typing the ID into the Verify dialog box, requesting the user to place their finger on the fingerprint sensor, scanning the finger, comparing the current scan against stored fingerprint templates for that user, and then notification of a successful validation or a failure.

Searching is the operation of the user placing their finger on the V-PASS fingerprint sensor, scanning the finger, comparing the current scan against ALL stored fingerprint templates for V-PASS unit, and then notification of a successful validation or a failure. Searching is only possible on a V-PASS.

Fingerprint Template is the term used to describe the data stored on the VeriProx that mathematically represents the ridge pattern of an enrolled fingerprint. This data is not the raw image of the fingerprint, but the result of processing a raw image through our unique algorithmic process, preparing the data for later comparisons, and compressing the data for maximum storage. An image of the uncompressed template data does resemble the raw image, but whereas a raw image is 90K bytes, the compressed template is only 348 bytes for the VeriProx or VeriFlex and 2352 bytes for the V-PASS.

Fingerprint Core is the term used to describe distinguishing print characteristics usually found in the area of the print where the topography shows the tightest curvature. Although the entire fingerprint has significant data, the “core” is the most data-intensive area and therefore very important.
Scanning an Image

When the unit properly reads a fingerprint, it looks for image quality and fingerprint content. When a raw image is collected from the sensor, the Veri-Series unit searches for the fingerprint core.

Content scores are based upon the amount of non-ambiguous data in the region of the core. The higher the content, the greater the degree of useful information. See Section A.3 for a thorough discussion of content.

Quality scores are based on how well the ridge pattern is defined within the image. For best image quality, be sure that the sensor window is clear of dirt, residue, or other material that can block the BII_Unit’s view of the fingerprint. See Section A.3 for a thorough discussion on quality.

Once the image is scanned, the BII_Unit then creates and stores the resulting fingerprint template.

Storing User Templates on the Unit

The Veri-Series unit recognizes users by matching current images to stored templates of previously enrolled fingerprints. Along with the fingerprint, the VeriProx and VeriFlex require a proximity card with a unique user ID number.

The Veri-Series readers allow associating multiple fingerprints with a single Template ID. Each instance of a template with a specific ID has a unique index (up to 256 indices possible (0-255)). This allows VeriProx and VeriFlex users to have a single proximity card, but be able to enroll multiple fingers. During VERIFICATION, a user waves their card at the VeriProx / VeriFlex reader and places their finger on the sensor. The unit will then scan the current fingerprint and compare it against all enrolled templates for that specific ID. If there are multiple templates enrolled under one ID, then the VeriProx / VeriFlex will check templates in the numerical order based on their index.

Example: On Card # 123, a person ENROLLs both their left and right index fingers. The next time that user goes to verify, they wave Card #123 and place a finger on the sensor. The VeriProx scans the current finger and compares it against the first template (the right index finger, Template ID 123 0). If a match is found, the VERIFICATION is PASSED and the operation ends. If a match is not found, the VeriProx will check the second print (the left index finger, Template ID 123 1). If a match is found, the VERIFICATION is PASSED and the operation ends. If the match is not found and since all templates have been compared, the VERIFICATION is FAILED.

NOTE: The initial finger scan takes ~0.5 seconds and each comparison takes ~0.5 seconds. So if the first template results in a successful verification, the total time is ~1.0 seconds. Successful verification on the second template requires ~1.5 seconds, and so on.

Section A.2 - Proper Finger Placement

The basics for successful operation of the Veri-Series units are simple but important. System performance improves dramatically with consistent finger placement. It is important to make sure that the position of the finger allows the unit to record the unique features of the print. Here are the steps to follow for trouble-free fingerprint recognition.

• Bioscrypt has designed the Ridge-Lock to create “simple user instruction” and “consistent” finger position. With the fingertip raised, position the finger so that the Ridge-Lock rests comfortably within the first indentation of the finger. Next, lower the finger onto the sensor and apply moderate pressure.

Common mistakes

Correct finger placement is a significant component for reliable fingerprint imaging. The following lists some common mistakes to avoid.

• Sliding the fingertip into place instead of lowering it onto the sensor will cause distortion of the fingerprint and will degrade image quality. Keep the fingertip raised while locating the Ridge-Lock, then lower the fingertip.
• Rotating the finger into position also will cause distortion of the fingerprint, subsequently making verification less reliable.
• Positioning the finger to one side and leaving a portion of the sensor exposed will degrade image quality.
• Placing the finger at an angle to the finger guide is another common mistake. Rotation of the fingertip will not provide a reliable image of the fingerprint.

Image quality

Dry skin is another factor that can contribute to an unreliable image of a fingerprint. A normal amount of moisture on the skin makes the ridges and valleys of the fingerprint stand out to the sensor. Too little moisture makes the image “noisy” and will cause the Veri-Series unit to reject the image during processing. Lightly moisturizing the finger will enhance the contrast of the print and provide more reliable verification. The increased sensitivity of the silicon sensor is dramatically reducing problems in this area.

Image consistency

Once a user’s fingerprint template has been enrolled, the best performance in the candidate matching process depends on consistency. Obviously, the user must use the same finger for ID verification as was used to form the original template. It also is important to position the finger correctly for each verification, as was done when the template was enrolled, so the Veri-Series unit “sees” approximately the same information each time.
Section A.3 - Using Content and Quality during Enrollments

As described in section A.1, Quality and Content scores are returned in the enrollment process. These scores give an indication of the performance of the template enrolled. To a large degree, the verification algorithm compensates for deficiencies in image quality and loss of information content. Nonetheless, knowledge of these parameters and what they mean helps ensure optimal performance.

False Acceptance and False Rejection

In order to understand the effects of poor image quality and poor information content it is necessary to understand how to measure performance. Performance of the Veri-Series unit is presented in terms of False Rejection and False Acceptance.

False Rejection indicates that the unit incorrectly rejected a fingerprint that corresponds to the person’s template. False Rejections rarely occur and primarily result from the inability to get a good image of the finger.

False Acceptance indicates that the unit accepted a fingerprint that does not correspond to the template it was compared against. False Acceptances also are rare and primarily result when a fingerprint template is characterized by low information in the enrolled print.

The algorithm on the Veri-Series units has been tuned so that the false acceptance and false rejection rates are equal at the medium security level (level 3), delivering the industry leading accuracy. This is known as the Equal Error Rate. Increasing the security (e.g., changing the security level from 3 to 1) will decrease the chance for false acceptance at the expense of increased false rejection. Reducing the security (e.g., changing the security level from 3 to 5) will decrease the chance of a false rejection at the expense of false acceptance. The table below indicates the expected error rates at the different security levels.

    Security Level    False Rejection Rate    False Acceptance Rate
    Very Low (5)      1 / 10,000              1 / 100
    Low (4)           1 / 5000                1 / 200
    Medium (3)        1 / 1000                1 / 1000
    High (2)          1 / 200                 1 / 5000
    Very High (1)     1 / 100                 1 / 20,000
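The table gives per-comparison rates, while Section A.1 says a presented finger is compared against every template enrolled under the card's ID. The added example below (not from the manual) combines the two to estimate the chance that a wrong finger is accepted for one ID. It assumes each comparison is statistically independent, which the manual does not state, and the function names are illustrative.

```python
from fractions import Fraction

# (false rejection rate, false acceptance rate) per security level,
# copied from the manual's table of expected error rates.
ERROR_RATES = {
    5: (Fraction(1, 10000), Fraction(1, 100)),    # Very Low
    4: (Fraction(1, 5000), Fraction(1, 200)),     # Low
    3: (Fraction(1, 1000), Fraction(1, 1000)),    # Medium
    2: (Fraction(1, 200), Fraction(1, 5000)),     # High
    1: (Fraction(1, 100), Fraction(1, 20000)),    # Very High
}

SCAN_SECONDS = 0.5     # "~0.5 seconds" initial scan, from the NOTE in Section A.1
COMPARE_SECONDS = 0.5  # "~0.5 seconds" per template comparison
MAX_INDICES = 256      # indices 0-255 per Template ID


def false_accept_per_id(levels):
    """Chance that a non-matching finger passes for an ID.

    `levels` holds the security level of each template enrolled under the ID,
    since the threshold can be set per template. A verification passes as soon
    as any template matches, so the impostor must be rejected by all of them.
    Assumption: comparisons are independent.
    """
    if not 1 <= len(levels) <= MAX_INDICES:
        raise ValueError("an ID holds between 1 and 256 templates")
    p_all_reject = Fraction(1)
    for level in levels:
        p_all_reject *= 1 - ERROR_RATES[level][1]
    return 1 - p_all_reject


def worst_case_seconds(n_templates):
    """Time for a verification that has to try every template under the ID."""
    return SCAN_SECONDS + n_templates * COMPARE_SECONDS


def max_templates_for(target_far, level):
    """Largest number of same-level templates keeping the per-ID rate <= target."""
    n = 0
    while n < MAX_INDICES and false_accept_per_id([level] * (n + 1)) <= target_far:
        n += 1
    return n


if __name__ == "__main__":
    for levels in ([3], [3, 3], [3, 5], [1] * 10):
        rate = false_accept_per_id(levels)
        print(f"levels={levels}: about 1 in {round(1 / rate)}, "
              f"worst case {worst_case_seconds(len(levels))} s")
```

One template lowered to level 5 dominates the result for the whole ID: a Medium template plus a Very Low template gives roughly 1 in 91, not 1 in 1000.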
Quality

The quality score is based on how well the ridge pattern is defined within the fingerprint image that was enrolled. In other words, quality measures how clearly the unit imaged the fingerprint. Poor quality enrollments can result in an elevated rate of false rejection making it difficult for the user to verify reliably.

The score is given in stars (★) and ranges from zero to five stars, with five being the best quality (rarely obtained) and zero being the worst. Quality scores of three stars and higher perform well with the Bioscrypt verification algorithm. In this range, the algorithm readily compensates for differences in fingerprint quality. It statistically is still true that the larger the quality score the better the performance of an enrollment.

As a general rule of thumb, quality scores less than three stars require intervention on the part of the Enroller or administrative software. Sources of low scores include dry fingers and dirty sensors.

If the quality score falls below three stars, Bioscrypt recommends the following options:

• Ensure that the sensor and finger are clean.
• If the finger and sensor are clean and a dry finger is suspected, try re-enrolling one more time, leaving the finger on the sensor for several seconds prior to enrollment. Frequently finger moisture accumulates over time to provide a good image.
• Fingerprint quality can vary among individual fingers for the same person. Try enrolling an alternate finger to see if the score improves.
• Alter the security level for that particular template by decreasing the threshold a minimum of 1 level (e.g., change the value from medium [3] to low [4]). This will offset the false rejection for that template by making it easier to match. If use of that template indicates that raising the threshold one level still produces false rejections, try setting the value to its lowest security (level 5).

Warning: Decreasing a template’s security may increase the risk of a false acceptance for that template.

[Images: Very Low Quality / Very High Quality]
A thorough enrollment procedure will ensure streamlined and reliable verification for users. It is recommended that all four options be performed in the order listed above to maximize the performance of the device.

Content

The Content score is based upon the amount of usable information the Veri-Series unit sees in the fingerprint. Templates that are characterized by low content scores may result in elevated rates of false acceptance.

Again, the score is given in stars (★) and ranges from zero to five stars, with five being the most content and zero being the least. Content scores of three stars and higher perform well with the Bioscrypt Algorithm. In this range the algorithm has enough information to distinguish between different fingerprints with a high level of accuracy. Templates with content scores above two stars do not vary in terms of the error rates.

Content scores less than three stars require intervention on the part of the Enroller or administrative software. Sources of poor content include improper finger positioning and extremely bland fingerprints.

If the content score falls below three stars, Bioscrypt recommends the following options:

• Try re-enrolling the same finger if finger positioning seems to be the issue (see section A.2). Ensure that the user can comfortably place the finger on the sensor while maintaining the core region in the image.
• Fingerprint content can vary among individual fingers for the same person. Try enrolling an alternate finger to see if the score improves.
• Alter the security level for that particular template by increasing the threshold a minimum of 1 level (e.g., change the value from medium [3] to high [2]). This will offset the false acceptance for that template by making it more difficult to match. If use of that template indicates that raising the threshold one level still produces false rejections, try setting the value to its highest security (level 1).

[Images: Very High Content / Low Content]
Warning: Increasing a template’s security may increase the risk of a false rejection for that template.

A thorough enrollment procedure will ensure streamlined and reliable verification for users. It is recommended that all three options be performed in the order listed above to maximize the performance of the device.

Content and Quality Summary

Table 1: Quality and Content Minimum Thresholds

Score     Poor Range              Normal Range
Quality   Less than three stars   Three or more stars
Content   Less than three stars   Three or more stars

Table 2: VeriAdmin Management application map of score versus category

Score    Quality/Content Category
★        Very poor
★★       Poor
★★★      Fair
★★★★     High
★★★★★    Very high

Recommended Enrollment Process

• Have the user pick one of the following fingers for enrollment: Left Index, Left Middle, Right Index, or Right Middle.
• Enroll the chosen finger and note the quality and content results.
• If either is below the minimum threshold, follow the directions outlined in the previous section.
• If both are above their minimum thresholds, either accept the created template, or attempt another finger trying to achieve the best quality possible.
• If multiple fingers are attempted and only one finger is required, choose the template in which both quality and content are above the threshold and the quality is maximized.
Appendix B – Understanding the BROADCAST option in RS-485 Based Networks

The BROADCAST feature allows a command to be sent to ALL units connected on the same PC COMM Port. Using a NETWORK ID of -1 enables “Broadcast Mode”. Although this is often a very convenient feature, it also has some inherent issues that the user should be aware of and understand. Bioscrypt recommends that only advanced users attempt the BROADCAST features.

NO REPLIES. When in Broadcast mode, no replies from the receiving unit are possible. Because all units receive the command at the same time, all units would normally reply at the same time. On an RS485 network, if more than one unit is communicating at the same time, the communications electrically collide and cannot be understood. This is an inherent shortcoming of the RS485 protocol. This collision will also happen if 2 or more units have the same NETWORK ID, since they will both respond at the same time and cause the same problem. When in Broadcast mode, the Bioscrypt readers are instructed NOT to REPLY.

NO ERROR CHECKING. The Bioscrypt communication protocol has various error checking methods built into the interface. This error checking requires two-way communication between the PC and the Bioscrypt reader to ensure that command packets were received and contained all data. Because NO REPLIES are possible, the error checking is disabled in Broadcast mode.

This can become an issue when using a network of Bioscrypt readers since the reader itself cannot process a communication packet during Verification. Although this time is very short, if a command is received during portions of a Verification the unit would normally respond with a BUSY error code. However, if in Broadcast mode, no response can be given and the VeriAdmin will not know that the command was ignored by that particular unit (even though it would have been accepted by all other units). Manual verification is often required to ensure all units successfully received a Broadcast command. An example of this can be seen in the BROADCAST PC TEMPLATE section. The VeriAdmin Software will Broadcast the TRANSFER command, but then manually verify that the template was successfully transferred to each and every unit after the Broadcast command is complete.

Since Broadcast commands cannot have the Bioscrypt reader reply, using a Network ID has been disabled in Reset to Factory defaults and Sensor Settings.

NOTE: A Broadcast command will be received by all units on the same PC COMM port. If a network consists of multiple COMM ports, the Broadcast command will have to be sent on each COMM port in order to reach all units on the network. This is automatically done by the VeriAdmin Software for BROADCAST PC TEMPLATES and for all commands in the BROADCAST PARAMETERS window based on the UNITIDS.DAT file. However, this is not done for other commands where the user specifies a Network ID of -1.
Appendix C – V-PASS Template Differences

The V-PASS product is similar in size and shape to both the VeriFlex and VeriProx products. However, it incorporates a very different biometric comparison process. The VeriFlex and VeriProx perform a 1:1 verification. One finger is compared with one template to decide if there is a match. A Template ID is mandatory to determine which of the stored templates to compare with the current live fingerprint image.

The V-PASS performs a “searching” algorithm that will compare the current live fingerprint image with ALL templates that reside on the V-PASS unit (up to 200 with firmware version 3.0). This is often referred to as 1:many (one to many) or “identification”. Whereas the VeriProx and VeriFlex are typically used with a proximity card or external device to indicate a user’s ID, the V-PASS no longer requires this extra form of identification; only the fingerprint is required.

To perform this quick database search of all enrolled templates, the V-PASS requires a fingerprint template that is different than the fingerprint templates required for the VeriFlex and V-Pass. The VeriFlex / VeriProx templates are 348 bytes of data, whereas the V-PASS template is 2,532 bytes of data.

The V-PASS template contains all the data from a VeriFlex / VeriProx template and more. Bioscrypt provides a way to generate a 1:1 VeriFlex / VeriProx template from a V-PASS template. This conversion is available in our SDK for software developers, or as part of the VeriAdmin Management Software for end-users.

Users should be aware of the following:

1. V-PASS templates are different than VeriFlex / VeriProx templates.
2. V-PASS templates should use the default extension of “.mtm”.
3. VeriProx / VeriFlex templates should use the default extension of “.tem”.
4. Only a V-PASS can create (“enroll”) a V-PASS template.
5. A V-PASS template CAN BE converted to a VeriFlex / VeriProx template.
6. A VeriProx / VeriFlex template CANNOT be converted to a V-PASS template.
7. Administrators need to be aware of these differences if BOTH products are used.
8. A Veri-Series unit will reject a template if the wrong type is sent. This means that a VeriProx / VeriFlex will return an error if a V-PASS template is sent to that unit. The same is true if a V-PASS unit is sent a VeriFlex / VeriProx template.
9. Administrators should use caution when attempting Broadcast commands on a “Mixed” Network. Broadcast commands will work, but #8 above will apply. Contact Bioscrypt Technical Services for more information.
For installations using a “Mixed” network where both V-PASS units and VeriFlex / VeriProx / V-Smart units are used, Bioscrypt recommends the following guidelines to help manage templates:

1. A PC-based enrollment station using the VeriAdmin software should be used for all template enrollments.
2. All enrollments should be done using a V-PASS and stored on the PC.
3. V-PASS templates can be converted to VeriProx / VeriFlex templates using the VeriAdmin Software (see the Template Conversion section). After this process, the Administrator will have both a V-PASS compatible template and a VeriProx / VeriFlex compatible template for each user.
4. Use the Bioscrypt designated extensions of “.tem” for VeriFlex / VeriProx templates and “.mtm” for V-PASS templates.

Example:

• PC Enrollment station is set up with an attached V-PASS unit and running the VeriAdmin Management software.
• Using the Advanced Enrollment dialog, the Administrator will enter an ID (ex: 1122), sample enroll 3 different fingers, and choose the best one as indicated by the software.
• This fingerprint template will be saved to the PC (ex: 1122_0.mtm).
• The Administrator will use the Template Conversion utility to create a VeriFlex / VeriProx template (ex: 1122_0.tem).
• Template 1122_0.mtm will then be transferred to all V-PASS units.
• Template 1122_0.tem will then be transferred to all VeriFlex / VeriProx / V-Smart units.
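The Broadcast caveats in Appendix B and the mixed-network rules in Appendix C combine into one distribution check, sketched here as an added example that is not Bioscrypt SDK or VeriAdmin code. The Unit class, the function names and the assumption that a template file holds exactly the template data are hypothetical; the sizes, extensions and BUSY behaviour come from the text above.

```python
"""Simulation only: Unit, broadcast() and distribute() are hypothetical names,
not the Bioscrypt SDK or the VeriAdmin protocol."""
from dataclasses import dataclass, field

# Extension -> (template type, size in bytes), as stated in Appendix C.
TEMPLATE_TYPES = {".tem": ("1:1", 348), ".mtm": ("1:N", 2532)}
# Template type each product accepts (Appendix C, item 8).
UNIT_ACCEPTS = {"VeriFlex": "1:1", "VeriProx": "1:1", "V-Smart": "1:1", "V-PASS": "1:N"}


def classify_template(filename: str, data: bytes) -> str:
    """Return '1:1' or '1:N'; reject a file whose size contradicts its extension."""
    for ext, (kind, size) in TEMPLATE_TYPES.items():
        if filename.lower().endswith(ext):
            if len(data) != size:  # assumption: file length equals template length
                raise ValueError(f"{filename}: {len(data)} bytes, expected {size}")
            return kind
    raise ValueError(f"{filename}: unknown template extension")


@dataclass
class Unit:
    network_id: int
    product: str
    busy: bool = False                      # True while a Verification is running
    stored: set = field(default_factory=set)

    def receive(self, filename: str, kind: str) -> str:
        """Handle one TRANSFER; the status is only seen by the PC on a unicast send."""
        if self.busy:
            self.busy = False               # the Verification ends shortly afterwards
            return "BUSY"
        if UNIT_ACCEPTS[self.product] != kind:
            return "WRONG_TYPE"
        self.stored.add(filename)
        return "OK"


def broadcast(units, filename: str, kind: str) -> None:
    """Network ID -1: every unit gets the command and none may reply."""
    for unit in units:
        unit.receive(filename, kind)        # status discarded, nothing reaches the PC


def distribute(units, filename: str, data: bytes) -> dict:
    """Broadcast once, then confirm each unit by its own Network ID."""
    ids = [u.network_id for u in units]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate Network IDs would collide on RS-485")
    kind = classify_template(filename, data)
    broadcast(units, filename, kind)
    report = {}
    for unit in units:
        if UNIT_ACCEPTS[unit.product] != kind:
            report[unit.network_id] = "skipped: wrong template type for unit"
        elif filename in unit.stored:       # models a unicast query that gets a reply
            report[unit.network_id] = "confirmed after broadcast"
        else:
            status = unit.receive(filename, kind)   # unicast retry, reply available
            report[unit.network_id] = f"missed broadcast, unicast retry: {status}"
    return report


def demo() -> dict:
    # Constructed network: unit 2 is mid-Verification when the broadcast arrives.
    units = [Unit(1, "V-PASS"), Unit(2, "V-PASS", busy=True), Unit(3, "VeriProx")]
    return distribute(units, "1122_0.mtm", bytes(2532))   # constructed template body
```

Unit 2 silently drops the broadcast while busy and unit 3 cannot accept the .mtm file; only the per-unit pass after the broadcast reveals either condition.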
Appendix D – V-Smart Operations

The V-Smart product is similar in size and shape to both the VeriFlex and VeriProx products. However, it incorporates a new method for template management. The V-Smart incorporates a contactless smart card reader using MIFARE technology. This allows a user’s template to be written to a smart card during enrollment and then later read from the smart card during verification. Since the template is stored on the card itself, there is no need for network-based template management operations typically associated with biometric installations.

Smart cards used by the V-Smart can now be used by another application. V-Smart operation uses only the part of the Smart Card defined by the layout, so that other applications can now use any remaining free sectors.

Contact your Bioscrypt Sales representative when purchasing smart cards to ensure they will work correctly with the V-Smart.

Administrator’s Note

The Administrator / Enroller needs to understand the different states in which the V-Smart operates to effectively use the unit. The most important aspect to understand is the difference between HOST and SLAVE mode. HOST mode is the normal operating state of the V-Smart. In this mode, the unit is actively looking for a smart card with a template on it. When a card is seen, one or both templates are automatically read and a Verification action is started. While the Verification action is happening, the V-Smart cannot process other commands coming over the AUX channel from the PC. The only time this becomes an issue is when using the VeriAdmin software.

When writing a template to the smart card as part of the enrollment process, it is important to wait for VeriAdmin to display a message saying, “PLACE SMART CARD CLOSE TO READER”. If the Administrator places the card before the message, the V-Smart may treat this as described above, and initiate a Verification action. The V-Smart will then be busy trying to verify a live image and will not be able to process the Enrollment. You can tell when this happens because the top LED will turn yellow. If this does happen, simply place a finger and let the V-Smart complete the Verification attempt. Then press the SAVE TO SMART CARD button and wait for the “PLACE SMART CARD CLOSE TO READER” prompt.

NOTE: It is essential that the Administrator read and fully understand the information presented in Appendix E: Administrator SiteKey Management. Failure to use the V-Smart in the proper way can make the V-Smart less secure and potentially unusable if Site Keys are forgotten or compromised.
V-Smart Terminology

V-Smart – Term used to designate the complete hardware product. The V-Smart actually contains an embedded MV1200 with expanded I/O functionality, an External Storage Interface (ESI) module and a MIFARE smart card reader.

External Storage Interface (ESI) – This module is internal to the V-Smart and acts as an interface between the MV1200 and the smart card reader. External pigtail wires connect the MV1200 and ESI together.

Primary Template – This is the template that resides in the first template slot on the smart card. When a verification is initiated, this primary template is the first fingerprint that is used in that verification process.

Secondary Template – This is an optional second template stored on the smart card. Currently, in the v5.80 (or later) V-Smart firmware, this second template will also be used in the verification process if the primary template verification fails.

Administrator SiteKey – This is a key (or password) used by the V-Smart to encrypt data stored on the smart card. This key is stored on the ESI and must match the key used by the smart card in order for the V-Smart to read the smart card data. See the next section for further details regarding Administrator Site Keys.

WARNING! It is extremely important that Administrators do not forget the SiteKey used. If the SiteKey is forgotten, the administrator will not be able to ENROLL, DELETE or read templates from the smart card, nor will they be able to CHANGE the SiteKey.

Site Key Verification – Certain VeriAdmin and V-Smart processes are only allowed if the Administrator enters the correct Site Key. The SiteKey entered in VeriAdmin must match the key stored on the V-Smart and the key used to encrypt the smart card data. See Appendix E for further details.
V-Smart Smart Card Placement

The picture below demonstrates the proper placement of the smart card so the V-Smart can read the data stored on the card or write data to the card.
Section D.1 – HOST Mode versus SLAVE Mode Operation

The V-Smart has two modes of operation that the Administrator needs to be familiar with. These are HOST mode and SLAVE mode.

HOST MODE

HOST mode is the normal mode of operation and simply means that the V-Smart is waiting for a smart card to be presented to the unit. When a smart card is “seen”, the card Site Key (see next Appendix) is compared with the V-Smart’s Site Key. If they match, the template is read from the card and the V-Smart attempts a Verification operation. The top LED will turn amber indicating the user should “PLACE FINGER ON SENSOR”. When a finger is placed, a live image is recorded. When the live image is done recording, the top LED will go off. At this time, the user can remove their finger. The V-Smart will then compare the live image against the template read from the smart card. If a successful match is made, the top LED will turn GREEN. A RED LED indicates a failed comparison. Once a Verification attempt has been made, the card must be moved away from the reader and then brought close again to re-attempt Verification.

SLAVE MODE

SLAVE mode is when the V-Smart is communicating with the PC. When a serial command is received by the V-Smart on the AUX communications port, SLAVE mode is automatically entered. While in SLAVE mode, the V-Smart will NOT make Verification attempts when a card is “seen”. This makes it easier for Administrators to place the card near the reader and perform various operations like enrollments without the unit performing a Verification just because a card is sensed. The V-Smart will return to HOST mode in one of two ways:

1) a command is sent to the V-Smart telling it to specifically return to HOST mode
2) 180 seconds have passed since the last communication on the AUX port

In VeriAdmin, when you bring up the SMART CARD MANAGER, the V-Smart is put into SLAVE mode because a STATUS is sent to the ESI as the dialog is brought up. When the user exits the SMART CARD MANAGER by pressing the OK or CANCEL buttons, VeriAdmin will instruct the V-Smart to return to HOST mode.
Section D.2 – Transferring a Template to a Smart Card

VeriAdmin version 4.00 adds a new capability to transfer a previously enrolled fingerprint template to a smart card. The user can either transfer a template from the PC to a smart card or from the internal memory on the V-Smart to a smart card. To transfer a previously enrolled template that is currently stored on the PC to a smart card, press the FROM PC → SMARTCARD button. The user will be allowed to browse to the desired PC template. Once the template is chosen, the EDIT TEMPLATE dialog is brought up and the template data is displayed. Pressing the SAVE TO SMART CARD button will then attempt to write template data to the smart card. This process causes a SiteKey verification window to appear (see Appendix E). Once the proper Site Key is entered, the user is prompted to place the smart card near the V-Smart. When this is done, the template is then copied to the smart card.

Section D.3 – Enrolling a Template Directly to a Smart Card

Using VeriAdmin, the smart card Enrollment process is very similar to a typical enrollment procedure as described in the QUICK ENROLL section or in the ADVANCED TEMPLATE ENROLLMENT section. Once a finger is registered and a template created and accepted, the EDIT TEMPLATE window is displayed as described in the TEMPLATE MANAGER section. However, for release v4.0 and above the EDIT TEMPLATE window has been modified to allow for saving the template directly to a Smart Card. As seen below, options now exist to save the template to the CURRENT UNIT, the PC, or a SMART CARD. By pressing the SAVE button under SMART CARD, the V-Smart will attempt to write the template to a smart card held near the smart card reader. Note that a SiteKey verification is performed before the data is written to the smart card (see Appendix E for details).
Section D.4 – Using the Smart Card Manager

VeriAdmin version 4.00 adds a new toolbar option (shown above) for accessing the Smart Card Manager dialog box. Pressing the “SMART” button will bring up a dialog box like the one shown below.
This dialog initially shows the ESI information and a blank card. Pressing the READ SMART CARD button will instruct the V-Smart to read the template list from the card and display the list of stored templates. In the example shown, there are two templates. The display shows the Template ID:INDEX followed by the NAME field from the template. The upper right hand corner of the card has a symbol indicating the card is secured.

Pressing either template button (primary or secondary) will instruct the V-Smart to attempt to read the full fingerprint template data from the smart card. VeriAdmin will prompt the user for the Site Key (depending on security settings) and if the Site Key entered matches the Site Key stored on both the V-Smart and the smart card, the template will be read and the normal Template Editor window will be displayed.

Note: It is possible to edit a template on the card and change either the ID or the Index, then save the template back to the card. This is NOT recommended because any Wiegand data associated with the original template will not be saved with the new template.

The DELETE TEMPLATE (1) button will instruct the V-Smart to erase the primary template stored on the smart card. VeriAdmin will perform a Site Key verification before allowing the erase to take place. The DELETE TEMPLATE (2) button will instruct the V-Smart to erase the secondary template stored on the smart card.

Version 4.2 (and above) of VeriAdmin includes a checkbox for READ/WRITE WIEGAND STRING TO SMART CARD DURING ENROLL/VERIFY. This is a setting which tells the V-Smart to attempt to read a Wiegand string from the Smart Card during a verify, and send this Wiegand string out the Wiegand out lines if successful. This check box also means that VeriAdmin will attempt to save the Wiegand string onto a Smart Card when enrolling. To do so, it will require that a Wiegand string be read from an external Wiegand input device (the FROM READER button during Quick or Advanced Enroll). Once you have read in the Wiegand string, a check box (WIEGAND STRING READ) next to this button will be checked. If VeriAdmin has not received the Wiegand string, the following dialog will be displayed:
Also, when you have this setting checked, VeriAdmin will remind you that it is saving the Wiegand string when saving to a Smart Card. The WRITE WIEGAND STRING checkbox below the “Save” button for Smart Cards will be checked.

As of VeriAdmin version 4.3, there is also the ability to delete Wiegand Strings associated with a template. The DELETE WIEGAND STRING (1) button will prompt the user for a Site Key and then delete the Wiegand string associated with the Primary Template. The DELETE WIEGAND STRING (2) button will perform the same task for the Secondary Template. It is possible to use this function even if a Wiegand String has not been associated with a template, so long as a “User Data” block has been placed in the Smart Card layout (see the section on Smart Card Layout).

Also new to version 4.3 of VeriAdmin is the ability to secure and un-secure (Reset) smart cards. The SECURE CARD button will secure a new smart card which has not been updated with the proper Site Key (i.e., it still has the manufacturer’s default keys). You will not need to enter the current Site Key to perform this function. Simply press this button and present the card to the reader. Only the sectors of the smart card being used by the V-Smart will be secured; all other sectors will remain untouched. Performing this function on a smart card which has already been secured will have no effect, but is allowed. The RESET CARD button will allow the user to un-secure a smart card (the reverse process) after providing the proper Site Key. This will ERASE all V-Smart data on the card, including templates, Wiegand Strings, and other user data, as defined in the smart card layout, and set the Site Key back to the original manufacturer’s default. This will essentially transform the card back into a fresh, unused card, with the exception of those sectors not defined in the layout (sectors used by another application, for example). Currently three manufacturer’s settings are supported: Gem+ Flow A, Gem+ Flow B, and HID Flow B. Please refer to the documentation provided by these manufacturers or by the supplier of your smart cards for more information.

At the top of the SMART CARD MANAGER dialog, you will see a radio button to select the MAX TEMPLATES PER CARD. Currently, this can be set to either one or two templates, although future cards with more memory may support additional templates. If the two templates option is selected, the Smart Card Layout must have two templates defined. Otherwise, when attempting to save a second template to the card, the user will receive an “Invalid Smart Card Layout” error. If the maximum is set to only one template, attempting to save a second template to a card will result in the error message “ESI – Storage Space is FULL”.

The ESI VERIFICATION TIMEOUT is a user definable setting which controls how long the ESI will wait between verification from one card to the next. When a smart card is presented, the ESI will read the template(s) and Wiegand data (if available), go into SLAVE mode, and send the data to the main unit for verification with the live finger image. It will then wait for a number of seconds (default is 15) before returning to HOST mode, where it can accept a new card. This is the verification delay.
Pressing the SECURITY SETTINGS button will bring up the following dialog box:

This dialog will allow the user to adjust how often the Site Key verification is performed. The default is EVERYTIME and VeriAdmin will reset to this default setting every time the application is started. To change, select the desired choice and press the SAVE ADMIN SETTINGS button. A Site Key verification is performed before the change is accepted.

This dialog also contains two checkboxes to enable the use of a 1-way hashing function on the Site Key prior to sending to the V-Smart (Use software HASH). This is an extra security step that will convert a simple text password to a 120-bit encrypted string every time it is transmitted to the V-Smart. See Appendix E: Administrator SiteKey Management for precautions related to changing Site Keys and using the hashing function.

The VeriAdmin Security Settings dialog box also allows the Administrator to change the Primary and Secondary SiteKeys and to choose whether those new keys will be hashed or not. Pressing the CHANGE SITEKEY button will always perform a Site Key Verification before changing the current primary and secondary keys regardless of the timeout settings.

A new addition to this dialog is the ESI Site Key Security option. The checkbox USE ESI SITEKEY ENCRYPTION is used in conjunction with the drop-down box. This deals with how Site Keys are managed on the smart card itself and there are 3 available settings. The default setting is use ESI Site Key Encryption with Key B for Read/Write. The other two available options do not use ESI Site Key Encryption, and are provided for compatibility with other applications which want to read and/or write data to the smart card. The checkbox must be unchecked to enable these options. Note that Key A and Key B do not correspond to PRIMARY and SECONDARY Site Keys; please read the manufacturer’s documentation for more information. Only advanced users should change this setting!
Pressing the CONFIGURE CARD LAYOUT button will bring up the Smart Card Manager dialog box:

This dialog will allow the user to define a custom layout for all MIFARE compatible smart cards.

Bioscrypt recommends that only advanced users attempt to configure the smart card layout. Improper changes made to the layout may render the unit unusable with some smart cards.

This section should be read completely before attempting to change the default layout provided by Bioscrypt (as shown on the left above). The Smart Card Layout used by the V-Smart consists of the following components: a Layout block (brown), an Admin block (red), a PRIMARY template (blue), a SECONDARY template (purple, optional), and User Data (green, optional).
The Smart Card Layout Manager will NOT allow a user to configure a layout which is missing the Admin block, the Layout Block, or a PRIMARY template. These are the minimum layout components required to enable normal operation.

The memory structure for MIFARE compatible smart cards consists of 16 sectors (numbered 0 through 15) of 4 blocks each (numbered 0 through 3). Each block contains 16 bytes. The first block at sector 0, block 0 contains manufacturer information and is not available. Also, the last block of each sector contains Site Key and access information which secures that sector and is thus unavailable for application data. Unavailable blocks are shown in VeriAdmin in black and do not allow layout components to be placed there. This leaves 47 available blocks of 16 bytes each, for a total of 752 available bytes. The Bioscrypt default layout contains space for two templates and Wiegand information (stored in the green User Block) and will use all available space. If space for non-Bioscrypt data is desired, include only the PRIMARY Template (Template (1)) or do not include a User Block.

Place components on the layout on the right (under the “New Layout” section) by clicking one of the buttons under the “Set Starting Block” section. You will then see flashing text which instructs you to select one of the white, unused blocks above. Since the one-to-one templates used by the V-Smart are 348 bytes, they will require 22 blocks of space (348 bytes / 16 bytes-per-block = 22 blocks, rounded up). All other layout components require a single block of space. You will notice when placing a template on the layout that the blocks will wrap around whatever blocks are in the way, consuming blocks from top to bottom. Templates may NOT wrap around from bottom to top, and if there is insufficient space for a template, a warning will pop up and you will not be able to place the template.
If you would like to move a layout component or take it off of the layout, you must remove it by first clicking on the Remove Item button and then clicking on the item which is to be removed.

You will notice when you first enter the Smart Card Layout Manager that the Admin Block has already been placed for you in sector 8, block 1. You may remove it and place it elsewhere; however, it is recommended that the Admin Block be left in this sector. The reason for this is that the ESI will be able to read cards with a different layout than the one which is defined here so long as the Admin Block is in this location. This allows for some flexibility with different card layouts; however, Bioscrypt still recommends that each site or facility use the same layout for each card.

Layout Placement: It is recommended that the Admin Block be left in sector 8, block 1. Bioscrypt recommends first placing the Layout Block, then the PRIMARY Template, and finally a User Data block to hold the Wiegand Strings associated with each template. Note: If you do not place at least ONE User Data block, VeriAdmin will be unable to read or write Wiegand String data, and you will receive an error during enrollment. As of version 4.3, only TWO User Data blocks may be placed on the layout. If two are placed, the first will be used for Wiegand data (if used) and the second will be available for user data. These two blocks may be written to or read using the Bioscrypt SDK, but not using VeriAdmin. When all other blocks have been placed and there is sufficient space, place the SECONDARY template. You will not be able to place Template (2) if you have placed two User Blocks because there will be insufficient space.

Finally, there is a convenient way to make the V-Smart layout wrap around sectors where non-Bioscrypt data is located (or is planned to go). Select the Unavailable Block button, then hold down the SHIFT key to place multiple blocks. Do this before placing the other layout items so that when they are placed they will automatically wrap around those blocks. Click Set Layout to finalize the layout. You will need to provide the current Site Key. Upon successfully setting the layout, the Smart Card Layout Manager will close, returning to the Smart Card Manager.

If at any time you would like to RESET the layout back to Bioscrypt defaults, click on the Reset Layout button and provide the current Site Key. This will set the layout as shown in the screen shot above.

There are some things to keep in mind when changing the Smart Card layout. First, note that the number of templates defined on the layout should be greater than or equal to the Max Templates per Card option. In other words, you should NOT define only one template and set the maximum templates per card to TWO. This will result in an ESI Storage Full error upon enrollment of a second template. Second, remember that changing the layout after some Smart Cards have already been created with a different layout may cause those cards not to work properly with the V-Smart. You will see a flashing or steady red LED on the unit when trying to verify or you will receive an error in VeriAdmin indicating that the ESI cannot recognize the layout. Third, it is important to realize that although you may write both Bioscrypt data and non-Bioscrypt data to a Smart Card, each sector has its own Site Key which unlocks data on that sector. Data may only be read from or written to a particular block if the proper Site Key for that sector is provided. The ESI will use the same Site Key for all sectors being used by the V-Smart, including sectors where only one or two blocks are actually being used.
It isrecommended that any non-Bioscrypt data be placed on different sectors so that different keysmay be used for that data.  Finally, keep in mind that if a third party application is used toread/write any of the V-Smart data or the same Site Key is to be used for the entire card, theESI Site Key Encryption MUST use one of the un-hashed modes for compatibility.  Please referto the documentation from the manufacturer from whom you have purchased your Smart Cards.

Section D.5 – Verification Using a Smart Card

After enrolling a template on a smart card, you can then use the card to perform a Verification.  Exit the SMART CARD MANAGER dialog so the V-SMART is placed back into HOST MODE.  Place the smart card near the reader as shown earlier in this section.  The Top LED will indicate:

Indicator       Meaning
YELLOW          Template READ; Place Finger on Sensor
RED             No Template on smart card
FLASHING RED    Invalid SiteKey, can not read card data

In our example, the top LED should turn YELLOW, indicating “PLACE FINGER”.  Remove the card, place your finger and hold until the LED goes blank.  Once the LED goes blank, you can remove your finger.  The LED will then either turn RED or GREEN indicating a FAIL or a PASS.

Indicator       Meaning
RED             Not Verified
GREEN           Verified / Enrollment Accepted

Best Performance Practices / Finger placement

The V-Smart unit should be mounted in a position that takes these factors into consideration: ease of use, at a height that allows for proper finger placement, in line with other switch plates or fixtures, and in accordance with Americans with Disabilities Act where applicable.  Recommended mounting height is 48-54” from floor to sensor level.

Typically, using either the index or middle finger provides the best performance.  We recommend you do NOT use thumbs or pinkies (little finger), but we do recommend that you enroll an alternate finger on your other hand (total of 2 fingers enrolled).  Please refer to APPENDIX A for more details about maximizing fingerprint performance.

Appendix E – V-Smart Administrator SiteKey Management

It is essential that the Administrator understands the use of V-Smart SiteKeys and handles them appropriately.  SiteKeys are the mechanism used by the V-Smart and the smart cards to ensure that only authorized smart cards are used.

In this appendix, the following topics will be covered:
• What is a SiteKey?
• Why do I Need a SiteKey?
• What is the “Default” SiteKey?
• Where is the SiteKey Stored?
• What is the Difference Between PRIMARY and SECONDARY SiteKeys?
• How do I Initially Set a SiteKey for V-Smarts at My Installation?
• How do I Set the SiteKey on Individual Smart Cards?
• How do I Change the SiteKey if I Already Have a User Base of Previously Created Smart Cards?
• What Happens if I FORGET My SiteKey?
• What Happens if Someone Else Learns My Installation’s SiteKey?
• What is the 1-Way Hashing Function Option in VeriAdmin for SiteKeys?

What is a SiteKey?

A SiteKey is a “password” used by VeriAdmin, the V-Smart and the smart cards.  Each of the 3 must use the same “password” to communicate and transfer information.  If the SiteKey stored in the V-Smart does not match the SiteKey used by the smart card, that V-Smart will not be able to read or write to that smart card.  By checking the SiteKey each time, the V-Smart ensures that only authorized smart cards are used at a specific installation.  Similar to a computer logon password, if the smart card’s SiteKey does not match the V-Smart’s SiteKey, that card will not be allowed to be used by that unit.

The V-Smart uses a maximum of 120-bits (15 characters) for the SiteKey.

Typically, the Administrator will set all V-Smarts at a single installation to the same SiteKey.

Why do I Need a SiteKey?

Each installation must set their own SiteKey to distinguish their V-Smart smart cards from every other installation of V-Smarts.  If SiteKeys are not used, then any V-Smart would accept smart cards created by any other V-Smart and a site’s installation could easily be compromised.  By using a unique SiteKey at each installation, you ensure that the only smart cards that are accepted by V-Smarts at your site are smart cards personally created at your site.  It also ensures that data on the smart cards created at your site cannot be read by anyone that does not know your chosen SiteKey.

What is the “Default” SiteKey?

All V-Smarts are shipped from Bioscrypt with the SiteKey set to an empty string (120 bits of all zeros).  This allows Administrators to use the V-Smart in a non secure mode until they are ready to set their personal SiteKey and secure the system.  When using the Default SiteKey in non secure mode and VeriAdmin performs a SiteKey Validation, simply do not enter any key and just press the OK button.  After the V-Smart verifies it is using the default SiteKey and it verifies the smart card is also using the default SiteKey, the operation will be performed.

Where is the SiteKey Stored?

The SiteKey is stored within the internal memory of the V-Smart and is encrypted and stored on the smart card itself.  The SiteKey is NOT stored within VeriAdmin, it is NOT stored on the PC, and it can NOT be retrieved from the V-Smart.  It is the responsibility of the Administrator to remember the SiteKey and take measures to prevent the SiteKey from being forgotten.

What is the Difference Between PRIMARY and SECONDARY SiteKeys?

The V-Smart can store two SiteKeys.  The PRIMARY SiteKey is used in normal operations and is the SiteKey the Administrator uses when performing a SiteKey verification operation within VeriAdmin.  The SECONDARY SiteKey is only used to update older cards when a new PRIMARY SiteKey is set.  See “How do I Change the SiteKey if I Already Have a User Base of Previously Created Smart Cards?” for further details on how and when to use the SECONDARY SiteKey.

How do I Initially Set a SiteKey for V-Smarts at My Installation?

You will need to set your installation’s SiteKey prior to creating secure user smart cards.  Once you become familiar with V-Smart operations and are comfortable enrolling users, you should then choose your own SiteKey.  The SMART CARD MANAGER section of VeriAdmin allows the user to create and change SiteKeys.

1) Enter your desired SiteKey in the NEW PRIMARY box.
2) Enter the previous SiteKey in the NEW SECONDARY box if you are changing SiteKeys and you already have a user base of smart cards created with the previous SiteKey and you want to update those cards to the NEW PRIMARY SiteKey.  If there is not a previous user base of cards that need to be updated, then enter a “-1” in the Secondary box to turn off the auto SiteKey update function.
   NOTE: DO NOT leave the NEW SECONDARY box blank unless you truly want to update all Default SiteKey smart cards to the NEW PRIMARY SiteKey.  This could compromise security since any smart card created by any V-Smart using the Default SiteKey would automatically be updated to the new Primary SiteKey.
3) Press the CHANGE SITEKEY button.
4) You will be presented with the following Warning dialog box.
5) Read the information carefully and press the YES button if you accept.
6) You will be prompted to enter the CURRENT Primary SiteKey (this will be the Default SiteKey if this is the first time you are changing the SiteKey).
7) If the CURRENT SiteKey entered is correct, you will be presented with a dialog box indicating the changes were made.
8) Now all newly created smart cards from this specific V-Smart will use the NEW PRIMARY SITEKEY and all older smart cards that use the defined SECONDARY SITEKEY will be updated to the NEW PRIMARY the next time they are used by the V-Smart.
9) You will need to set the same PRIMARY SITEKEY on all V-Smarts in your installation in order for the smart cards to work at each V-Smart.

How do I Set the SiteKey on Individual Smart Cards?

The V-Smart will attempt to set the SiteKey on the smart card during the enrollment process.

• When an attempt is made to store a template on a smart card, the V-Smart will check the key currently used by the Smart Card.  If the V-Smart Primary SiteKey matches the key on the smart card, the template is written.
• If the above fails, the V-Smart will check if its Secondary SiteKey matches the key on the smart card.  If they match, the key on the smart card is updated to the V-Smart’s Primary SiteKey and the template is written (this adds ~0.5 seconds to the process).
• If both Primary and Secondary SiteKeys fail, the V-Smart will compare the smart card key with the standard default MIFARE smart card key.  If they match, the key on the smart card is updated to the V-Smart’s Primary SiteKey and the template is written.
• If all of the above 3 fail, the V-Smart can not read or write to that smart card.

How do I Change the SiteKey if I Already Have a User Base of Previously Created V-Smart Smart Cards?

Let’s say you initially set the SiteKey during installation.  For example, the Primary SiteKey was set to “cat” and the Secondary was set to “-1” because you have no previous SiteKeys to update.  You then enrolled 100 users and created 100 smart cards.  The smart card key on each of those cards would be “cat”.

Now you want to change the password because the SiteKey of “cat” was compromised when non-authorized personnel were told the SiteKey and the installation is no longer completely secure.  Let’s say you want to change the SiteKey from “cat” to “dog”.

• In the Smart Card Security Settings window, enter “dog” as the New PRIMARY and enter “cat” as the New SECONDARY.
• Press the CHANGE SITEKEY button and you will again be presented with the warning that you need to always remember the SiteKey.
• After pressing the ACCEPT button, you will be prompted for the CURRENT PRIMARY SiteKey.  Enter “cat” since that is the currently stored SiteKey on the V-Smart.
• You should then be presented with a dialog indicating the SiteKey was changed.  Typically, you will need to repeat this “change” process on all V-Smarts at your installation.
• At this point, all previously created smart cards still contain the previous key of “cat”.  However, when a smart card is presented to the V-Smart it will follow these steps:
   1. When a card is presented and the V-Smart tries to read the data from the card, the V-Smart will check the key currently used by the Smart Card.  Since the key on the card is “cat” and the V-Smart Primary key is now “dog”, this key check will fail.
   2. Next, the V-Smart will check if its Secondary SiteKey matches the key on the smart card.  In our example, they do match so the key on the smart card is changed (updated) to the V-Smart’s Primary SiteKey.  This “update” adds ~0.5 seconds to the process, but only happens the first time the older card is presented.  After that, the new Primary is already on the smart card, so step #1 above will PASS from now on.

If neither the Primary nor the Secondary SiteKey on the V-Smart matches the smart card’s key, the V-Smart will not be able to use that card.  You must use the previous SiteKey as the SECONDARY SiteKey or all previously created smart cards will be unusable.

Once the entire user base of cards has been updated to the NEW PRIMARY SiteKey, you should once again perform the “change SiteKey process”.  This time keep the primary SiteKey the same, but enter a “-1” for the Secondary SiteKey.  This will disable the ‘auto update’ feature and any remaining smart cards with “cat” on them will no longer work.

What Happens if I FORGET My SiteKey?

DO NOT LET THIS HAPPEN!  If an Administrator forgets the Primary SiteKey then all previously created smart cards will continue to work, but the following will happen:

• They can no longer create new smart cards
• They will not be able to READ templates from current smart cards
• They will not be able to CHANGE the SiteKey on the V-Smarts
• The V-Smarts will have to be returned to Bioscrypt for reprogramming and once reprogrammed, the previously enrolled smart cards will no longer be usable.

What Happens if Someone Else Learns My Installation’s SiteKey?

SiteKeys need to be protected just like computer passwords and should not be told to unauthorized personnel.  In the event that the SiteKey has been compromised, follow the steps defined in the previous “How do I Change the SiteKey if I Already Have a User Base of Previously Created Smart Cards?” section to change the SiteKey and automatically update all user base smart cards.
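
The key-check order and the “cat” to “dog” rotation from the sections above can be traced with a small model.  This is an added example, not Bioscrypt code: the class and function names, the zero padding of typed keys, the factory state of the secondary key and the MIFARE placeholder value are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

KEY_LEN = 15                            # 120-bit SiteKey (15 characters)
DEFAULT_SITEKEY = bytes(KEY_LEN)        # factory default: 120 bits of zeros
MIFARE_DEFAULT = b"<card-vendor-key>"   # labelled placeholder, not a real key value

def encode(entry: str) -> Optional[bytes]:
    """Text-box entry -> key bytes.  "-1" means 'no secondary key'."""
    if entry == "-1":
        return None
    raw = entry.encode("ascii")
    if len(raw) > KEY_LEN:
        raise ValueError("SiteKey is limited to 15 characters")
    return raw.ljust(KEY_LEN, b"\0")    # assumed zero padding; "" -> default key

@dataclass
class Card:
    key: bytes

@dataclass
class Reader:
    primary: bytes = DEFAULT_SITEKEY
    secondary: Optional[bytes] = None   # assumed factory state

    def change_sitekey(self, current: str, new_primary: str, new_secondary: str) -> bool:
        # The CURRENT primary must be supplied; "-1" is not a valid primary.
        if new_primary == "-1" or encode(current) != self.primary:
            return False
        self.primary, self.secondary = encode(new_primary), encode(new_secondary)
        return True

    def present(self, card: Card, enrolling: bool = False) -> str:
        if card.key == self.primary:
            return "primary"
        if self.secondary is not None and card.key == self.secondary:
            card.key = self.primary             # auto-update on first use
            return "updated-from-secondary"
        if enrolling and card.key == MIFARE_DEFAULT:
            card.key = self.primary             # fresh card claimed at enrollment
            return "updated-from-mifare-default"
        return "rejected"

def walkthrough() -> list:
    reader, log = Reader(), []
    reader.change_sitekey("", "cat", "-1")      # first SiteKey, auto-update off
    staff = Card(MIFARE_DEFAULT)
    log.append(reader.present(staff, enrolling=True))
    foreign = Card(DEFAULT_SITEKEY)             # made on a unit still at factory default
    reader.change_sitekey("cat", "dog", "cat")  # rotate after "cat" leaked
    log += [reader.present(staff), reader.present(staff), reader.present(foreign)]
    reader.change_sitekey("dog", "dog", "")     # mistake: NEW SECONDARY left blank
    log.append(reader.present(foreign))         # foreign card is adopted
    reader.change_sitekey("dog", "dog", "-1")   # close the update window
    log.append(reader.present(Card(encode("cat"))))
    return log

if __name__ == "__main__":
    print(walkthrough())
```

The fifth result is the case the NOTE in the setup procedure warns about: with the secondary left blank, a card keyed with the Default SiteKey is silently re-keyed to the site's Primary SiteKey.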

What is the 1-Way Hashing Function Option In VeriAdmin for SiteKeys?

VeriAdmin allows Administrators to add additional security by optionally performing a 1-way Hash function on entered SiteKeys.  This is DIFFERENT from the ESI SiteKey Encryption option.  This function will take the user-entered password and create an encrypted 120-bit SiteKey from that password.  This encrypted version is then used as the SiteKey for the V-Smart and smart cards in place of the user-defined password.  In extreme cases, this can make it more difficult for criminals to “sniff” internal networks and capture passwords during serial communications.  DO NOT USE THIS OPTION IF YOU INTEND TO SHARE SMART CARD DATA WITH OTHER APPLICATIONS!

To the Administrator, this all happens behind the scenes and you never have to remember anything other than the simple password.  You just have to make sure that if you set a NEW SiteKey with the HASH checkbox selected, then afterwards you need to also check the “Hash the CURRENT SiteKey” so that each time the SiteKey Verification process happens, a hashed current SiteKey will be compared with the stored hashed Primary SiteKey.

The HASH function check box is ignored if the SiteKey textbox is empty (for non secure V-Smart default key use), or if “-1” is entered in the SECONDARY SiteKey text box (for turning OFF the auto update feature).

PLEASE NOTE: The HASH function check box has been moved from the Security Settings Dialog to the Site Key Dialog for VeriAdmin v4.10.  Each time the Site Key is entered, the check box determines whether to HASH the key for the Current Key.
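
Why the HASH check box has to be in the same state when a key is set and when it is later entered as the CURRENT key, shown as an added example that is not VeriAdmin code.  The manual does not name the one-way function, so SHA-256 truncated to 120 bits stands in for it; the function names and the zero padding of un-hashed keys are also assumptions.

```python
import hashlib
import hmac
from typing import Optional

KEY_LEN = 15  # 120-bit SiteKey

def sitekey_from_entry(entry: str, hash_box: bool) -> Optional[bytes]:
    """Turn a SiteKey text-box entry into the 120-bit value sent to the unit."""
    if entry == "-1":
        return None                       # auto-update off; HASH box ignored
    if entry == "":
        return bytes(KEY_LEN)             # default key; HASH box ignored
    raw = entry.encode("ascii")
    if hash_box:
        # Stand-in only: the real one-way function is not documented on this page.
        return hashlib.sha256(raw).digest()[:KEY_LEN]
    if len(raw) > KEY_LEN:
        raise ValueError("un-hashed SiteKey is limited to 15 characters")
    return raw.ljust(KEY_LEN, b"\0")      # assumed zero padding

def verify_current(stored_primary: bytes, entry: str, hash_box: bool) -> bool:
    """SiteKey Verification: the entered CURRENT key must reproduce the stored one."""
    candidate = sitekey_from_entry(entry, hash_box)
    return candidate is not None and hmac.compare_digest(candidate, stored_primary)

def scenarios() -> dict:
    # NEW PRIMARY "dog" was set with the HASH box ticked.
    stored = sitekey_from_entry("dog", hash_box=True)
    raw_dog = "dog".encode("ascii").ljust(KEY_LEN, b"\0")
    return {
        # Same password, box ticked again: verification passes.
        "current_hashed": verify_current(stored, "dog", hash_box=True),
        # Same password, box not ticked: the correct password is refused.
        "current_not_hashed": verify_current(stored, "dog", hash_box=False),
        # An application that only knows the typed password cannot derive the key.
        "third_party_raw_key": hmac.compare_digest(stored, raw_dog),
        # Blank entry and "-1" behave the same whatever the box says.
        "blank_ignores_box": sitekey_from_entry("", True) == bytes(KEY_LEN),
        "minus_one_ignores_box": sitekey_from_entry("-1", True) is None,
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```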

Bioscrypt Contact Information

Technical Support Contact Information:
Telephone: 1-888-982-4643 (toll free)
           1-818-501-3908
Email:     support@bioscrypt.com
Address:   Bioscrypt Inc
           Technical Support Dept
           5000 Van Nuys Blvd, Suite 300
           Sherman Oaks, CA, 91403

Corporate & Canadian Office
5450 Explorer Drive, Suite 500
Mississauga, ON, Canada L4W5M1
T 905 624 7700
F 905 624 7742
www.bioscrypt.com

U.S. Office
5000 Van Nuys Blvd., Suite 300
Sherman Oaks, CA 91403 U.S.A.
T 818 501 3908
F 818 461-0843
support@bioscrypt.com
