Patent Grant
7251331
The invention relates to a method and an arrangement for controlling access in locations wherein access is restricted by a lock mechanism.
In order to access locked premises, such as home or work, keys or key cards, for example, are still required for unlocking locks. For safety reasons, it is also increasingly common that people lock the doors and gates to backyards, housing sites or commercial buildings. This can be problematic when, for example, persons should have access to locked premises to which they do not have physical keys. Such a situation may occur when, for example, a resident is away from home and somebody, e.g. a cleaning service worker or a plumber, should have access to the locked premises. Such situations have usually been solved e.g. using master keys, hiding keys or, in the case of an electronic lock, for example, using ad hoc key codes.
Handing over conventional keys or cards to outsiders does, however, involve an increased safety risk. Keys may easily be lost, which means that the locks would have to be changed. Furthermore, even if e.g. a serviceman had a key, the key could be used for only as long as a corresponding lock is in use. It is also difficult to deliver extra keys e.g. to persons who only visit locked premises once, such as chimney sweepers. The use of electronic key codes is also problematic. Key codes are difficult to remember, and such codes require separate procedures in order to be activated. Furthermore, situations occur daily wherein somebody who has been authorized to conduct a task has not informed anybody about his or her visit in advance, so it has thus not been even possible to deliver a key or a code to such a person in advance. Furthermore, taking safety aspects into account considerably complicates the cooperation between people. For example, handing over a key code on the telephone to somebody asking for access would of course be possible, but the provider of the code would then immediately have to have the codes changed so as to prevent the particular person from using the same code later and entering the locked premises or from forwarding the code. A situation wherein access to locked premises is directly remotely controllable through a remote-controllable locking system, for example, would also involve a safety problem; in such a case, the remotely-situated controller of the locking system could not be sure of the identity of the person who wishes to be let in, nor whether it would be safe to grant access to such a person.
An object of the invention is thus to provide a method and an arrangement so as to avoid the above-mentioned problems. This is achieved by a method for controlling access in a telecommunication system comprising a first transmitter-receiver unit, a second transmitter-receiver unit and a remote-controllable server. The method of the invention comprises establishing a telecommunication connection from the first transmitter-receiver unit to the remote-controllable server; transmitting an electric form from the first transmitter-receiver unit to the remote-controllable server in order to unlock a lock, the form including a digital signature and a certificate indicating the authenticity of a user of the first transmitter-receiver unit; transmitting a message from the remote-controllable server to the second transmitter-receiver unit to indicate that the electric form has been received, the message including the certificate indicating the authenticity of the user of the first transmitter-receiver unit; transmitting a command to unlock the lock from the second transmitter-receiver unit to the remote-controllable server, and unlocking at least one lock by means of the remote-controllable server on the basis of the command to unlock the lock transmitted by the second transmitter-receiver unit.
The invention further relates to an arrangement for controlling access, the arrangement comprising a first transmitter-receiver unit which includes means for establishing a telecommunication connection, means for supporting a public key infrastructure; a second transmitter-receiver unit which includes means for supporting a public key infrastructure, means for establishing a telecommunication connection; a remote-controllable server to be used as a communications device between the first and the second transmitter-receiver unit, the remote-controllable server including means for establishing telecommunication connections and means for unlocking a lock. In the arrangement of the invention, the first transmitter-receiver unit is configured to transmit an electric form to the remote-controllable server in order to unlock the lock, the electronic form including a digital signature and a certificate indicating the authenticity of a user of the first transmitter-receiver unit; the remote-controllable server is configured to transmit a message from the remote-controllable server to the first transmitter-receiver unit to indicate that the electric form has been received, the message including the certificate indicating the authenticity of the user of the first transmitter-receiver unit, and to unlock the lock on the basis of the command to unlock the lock transmitted by the second transmitter-receiver unit; the second transmitter-receiver unit is configured to transmit the command to unlock the lock to the remote-controllable server.
Preferred embodiments of the invention are disclosed in the dependent claims.
The method and arrangement of the invention provide several advantages. One of the advantages of the invention is that the authenticity of a person asking for access is indicated by including a certificate granted by a certificate authority in the communication of an arrangement comprising mobile stations and a locking system operating therebetween. The solution of the invention thus provides a safe and easy-to-use way to ensure that access to locked premises will be granted to reliable persons only. Another advantage of the invention is, for example, that no keys or codes need to be delivered to persons external to the system in connection with one-time visits to locked premises.
The invention is now described in closer detail in connection with the preferred embodiments and with reference to the accompanying drawings, in which
The preferred embodiments of the invention can be applied to telecommunication systems that include a remote-controllable server, one or more base transceiver stations and a plurality of terminals communicating with one or more base transceiver stations. The essential parts of the structure of the telecommunication system may resemble those shown in
Today, various methods are known which enable the mutual trust of different parties that communicate in telecommunication systems to be improved. One such method is a so-called Public Key Infrastructure (PKI), which enables a safe way of communicating in a public network, such as the Internet. The PKI enables the mutual trust between communicating parties to be enhanced by means of trusted third parties. In practice, this is implemented using a Public Key Cryptography (PKC), digital signatures and certificates that tie the public keys to the communicating parties. Certificate Authorities (CA), which grant digital certificates and confirm the authenticity of the certificates to be used, serve as Trusted Third Parties (TTP).
The creation of digital signatures utilizes private keys and asymmetric encryption algorithms known per se. The certificates, in turn, tie the name to a public key, thus providing a way to indicate the authenticity of a holder of a public key. The certificates, which are based on the IETF standard X.509, for example, include at least a public key, the name of the holder of the key, the name of the certificate authority (certificate granter), the serial number and validity time of the certificate, and the digital signature of the certificate authority. The idea of the certificate is that if a communicating party knows the public key of the certificate authority and trusts the certificate authority, the communicating party can also trust the material the certificate authority has signed.
In an embodiment of the invention according to
Similarly, the second transmitter-receiver unit 106 shown in
In the example of
Examine the function of the system according to
Next, at the first transmitter-receiver unit 102, the information required in the electric form, such as the name of a visitor or the reason of a visit, is filled in. Furthermore, at the PKI unit 105 of the first transmitter-receiver unit 102, the digital signature of the visitor is included in the form. A digital signature is a character string, which is formed using cryptographic methods known per se so as to enable the identity of the transmitter and the integrity of the transmitted material to be ensured. In addition to the digital signature, a certificate to indicate the authenticity of the visitor is included in the form at the PKI unit 105, the certificate including the visitor's name and public key, the name of the certificate authority, i.e. the granter of the certificate, the serial number and validity time of the certificate, and the digital signature of the certificate authority. Next, the first transmitter-receiver unit 102 transmits the electric form, including the digital signature and the certificate attached thereto, to the server 104.
Next, the remote-controllable server 104 sends the second transmitter-receiver unit 106 a message, such as a push message, indicating that the electric form has been received; the server 104 has also included the certificate received from the first transmitter-receiver unit 102 into the message. Since the second transmitter-receiver unit 106 is thus provided with the certificate which is signed by a trusted certificate authority and which comprises the visitor's name and public key, it is safe to trust that the holder of the public key, i.e. the visitor, is provided with exactly the same name as indicated in the certificate. Next, the authenticity of the visitor's name is confirmed at the PKI unit 105 of the second transmitter-receiver unit 106 by using the public key provided in the certificate. Next, if the holder of the second transmitter-receiver unit 106 accepts the reason of the visitor's call, a command to unlock the lock can be transmitted from the second transmitter-receiver unit 106 to the remote-controllable server 104.
The certificate authority 119 releases Certification Revocation Lists (CRL) in order to prevent unauthorized use of the certificates. Those who have misused their certificate are listed in a CRL. Those who have been granted a certificate may check the CRL before trusting the certificate. Therefore, before transmitting the command to unlock the lock, a telecommunication connection, such as an Internet connection, can first be established from the second transmitter-receiver unit 106 to the certificate authority 119 to make sure that the visitor's certificate is not on the CRL. Information about the authenticity of the certificate can be provided e.g. on the display of the second transmitter-receiver unit 106 by means of the protocol used by the certificate authority 119, such as protocols called Online Certificate Status Protocol (OCSP), Simple Certificate Validation Protocol (SCVP) or XML Key Management Specification (XKMS).
When the remote-controllable server 104 has received the command to unlock the lock transmitted by the second transmitter-receiver unit 106, the lock 126 is unlocked, controlled by the lock controller 124 and the control unit 122.
Let us next view a method according to an embodiment of the invention shown in
In step 300 in
As distinct from the example of
In step 306, a message, such as a push message, indicating that the electric form has been received is transmitted from the remote-controllable server to the second transmitter-receiver unit. The push message indicates the reason of the visit and that the visitor using the first transmitter-receiver unit is requesting the lock to be unlocked. The push message further contains the digital certificate of the visitor. Since the holder of the second transmitter-receiver unit controlling the remote-controllable server can trust the certificate signed by a trusted certificate granter and the digital signature, next, the process may directly proceed to step 310, wherein a decision is made about whether or not to accept the request to unlock the lock. Alternatively, the process may further proceed from step 306 to step 308 to confirm the state of the visitor's certificate. In step 308, a telecommunication connection, e.g. an Internet connection, is established to a certificate authority in order to check that the visitor's certificate is not on a Certification Revocation List, CRL. In step 308, it is possible to transmit a message to the certificate authority and ask the certificate authority to send the second transmitter-receiver unit a reply indicating whether or not the visitor's certificate is authentic.
If, in step 310, for one reason or another, the visitor's request is not to be accepted, the process moves to step 312, wherein the request to unlock the lock is rejected. Information about the rejection is transmitted to the remote-controllable server, which may e.g. transmit a message indicating the rejection to the first transmitter-receiver unit. If, on the other hand, in step 310 a decision is made to accept the request to unlock the lock, the process moves to step 314, wherein a command to unlock the lock is transmitted to the remote-controllable server. Information about the acceptance of the request to unlock the lock can also be transmitted to the first transmitter-receiver unit e.g. as a text message. The communication between the second transmitter-receiver unit and the remote-controllable server can utilize identification methods between, server and client known per se in order to encrypt the communication therebetween and to ensure the authenticity of the server and the transmitter-receiver unit. The command to unlock the lock may include the digital signature of the holder of the second transmitter-receiver unit and a time stamp. The digital signature can be used for ensuring that no one that has gained unauthorized access e.g. to the second transmitter-receiver unit is able to use it for unlocking the lock. When the digital signature is used, the remote-controllable server must also be provided with equipment to enable the identification systems to be used. The use of a time stamp also prevents outsiders from monitoring and copying the command to unlock the lock and using this command to unlock the lock later.
In step 318, the remote-controllable server unlocks the lock on the basis of the received command to unlock the lock. Alternatively, the server may also unlock several locks in a specific order, should the locked premises reside behind several locked doors. In such a case, the first transmitter-receiver unit and the remote-controllable server can agree upon which lock is to be unlocked at a given time; however, the authorization granted by the second transmitter-receiver unit is valid only for a predetermined, limited period of time.
Although the invention has been described above with reference to the example according to the accompanying drawings, it is obvious that the invention is not restricted thereto but can be modified in many ways within the scope of the inventive idea disclosed in the attached claims.
| Number | Date | Country | Kind |
|---|---|---|---|
| 20020688 | Apr 2002 | FI | national |
| Number | Name | Date | Kind |
|---|---|---|---|
| 5614703 | Martin et al. | Mar 1997 | A |
| 6075861 | Miller, II | Jun 2000 | A |
| 6161005 | Pinzon | Dec 2000 | A |
| 6295448 | Hayes, Jr. et al. | Sep 2001 | B1 |
| 20020035515 | Moreno | Mar 2002 | A1 |
| 20020087429 | Shuster | Jul 2002 | A1 |
| 20020099945 | McLintock et al. | Jul 2002 | A1 |
| 20020180582 | Nielsen | Dec 2002 | A1 |
| 20030018753 | Seki | Jan 2003 | A1 |
| 20030050806 | Friesen et al. | Mar 2003 | A1 |
| 20030179073 | Ghazarian | Sep 2003 | A1 |
| 20050165612 | Van Rysselberghe | Jul 2005 | A1 |
| Number | Date | Country |
|---|---|---|
| 0 762 707 | Mar 1997 | EP |
| 0 810 559 | Dec 1997 | EP |
| 1 271 418 | Jun 2001 | EP |
| WO 9401963 | Jan 1994 | WO |
| WO 0140605 | Jun 2001 | WO |
| WO 0163425 | Aug 2001 | WO |
| WO 0223880 | Mar 2002 | WO |
| Number | Date | Country | |
|---|---|---|---|
| 20030194089 A1 | Oct 2003 | US |
