Embodiments illustrated and described herein generally relate to automatic identity authentication systems that authenticate users for access to secure resources, and to system architectures for identity authentication systems.
Physical access control systems (PACs) grant physical access to an authorized user through a controlled portal. Typically, the access authorization involves intrusive actions of the user such as entering or swiping an access card at a card reader or entering a personal identification number (PIN) or password. A PAC system authenticates and authorizes a person to pass through a physical access point such as a secured door. Improvements to PAC systems are described herein having innovative interplay between wireless technologies, smart phones, secure access points, and cloud infrastructure.
It is desirable for automatic authentication of a person's identity based on verifiable identity information to be fast and secure.
As will be described herein in more detail, to gain access to the physical portal 120, the mobile device 105 may identify a physical access portal 120 using a beacon signal transmitted by the secure relay device 110. The mobile device 105 initiates secure communication with the secure relay device 110 and pushes an access token for the portal to the secure relay device 110. The secure relay device 110 checks the information in the access token to determine whether to grant access. Alternatively, a Near Field Communication (NFC) tag 130 is deployed at the portal and may be used by the mobile device (“tapped”) to identify the secure relay device 110 and initiate a secure communication with the secure relay device 110. An example of the interaction of the mobile device 105 and the secure relay device 110 is described below.
UWB is a radio communication methodology that uses a wide signal bandwidth. The wide bandwidth is typically defined as either a −10 decibel (−10 dB) bandwidth greater than 20% of the center frequency of the signal, or a bandwidth greater than 500 megahertz (500 MHz) in absolute terms. Commercial UWB systems are intended to be used in complex environments such as residential, office, or industrial indoor areas. In these environments, signal reflection and diffraction play a significant role. The signal received by an antenna is the sum of the attenuated, delayed and possibly overlapping versions of the transmitted signal and may vary over time (due to movement of receiver/transmitter or change in environment). These different versions of the transmitted signal are typically referred to as multipath components. The large bandwidth of UWB systems provides a high level of resilience to frequency selective fading, which is an effect that can limit the performance of narrow-band technologies. Presence of UWB signaling from a UWB capable secure relay device 110 detected by a UWB capable mobile device 105 can be used to detect presence of the user near a physical access portal 120.
The accurate ranging capability of UWB signaling allows intent of the user (e.g., movement toward a physical access portal) to be determined. This localization-based intent of the user can be deduced by the change in distance between a UWB capable mobile device 105 and a UWB capable secure relay device 110, and by the change in angle between the mobile device 105 and the secure relay device 110. In some examples, the mobile device 105 may perform ranging using Time-of-Flight (TOF) Two Way Ranging (TWR). In TWR, radio packets are exchanged between the mobile device 105 and the secure relay device 110. The timing differences for the transmitting and receiving of the packets between the mobile device 105 and the secure relay device 110 can be used to calculate ranging information such as change in one or both of distance and angle to determine intent of the user to gain access to the physical access portal 120. The detected physical access portals 120 can then be sorted and displayed according to one or more of distance of the mobile device from the physical access portal, position of the mobile device relative to the physical access portal, and movement of the mobile device relative to the physical access portal. Examples of approaches of localization-based intent can be found in co-pending U.S. patent application Ser. No. 16/828,001, and in co-pending Paris Cooperation Treat (PCT) Applications PCT/EP2020/058197, PCT/EP2020/076428, and PCT/EP2020/058199, PCT/EP2020058216, each of which is incorporated herein by reference in its entirety. One or both of the proximity of the mobile device 105 to the secure relay device 110 and the movement of the mobile device relative to the secure relay device can be used to deduce intent of the user of the mobile device 105 to gain access to the physical access portal 120. The proximity and intent of the user can be determined by the mobile device using UWB signaling or BLE Relative Signal Strength Indicator (BLE RSSI).
At block 210, a verification application of the mobile device 105 begins the process to verify that the user has authorization for the access. To verify the authorization, the verification application sends to the secure relay device 110 the access credential information of the user, which is stored in the mobile device 105. In some examples, the access credential information is an access token that shows authorization for access to the physical portal.
Access tokens are presented by the mobile device 105 to the secure relay device 110 to grant access to the portal when authorization of the user is verified by the mobile device 105. The access token proves that the mobile device 105 has access rights. An access token can include one or more of an Access Token ID, a Mobile Device ID, a Relay ID, any additional access control information, a start time for the access, an expiration time for the access, and a cryptographic signature. The Access Token ID is a unique identifier of the token. The Mobile Device ID and Relay ID establish that this mobile device 105 can open the portal secured by the secure relay device. The additional access control information can include additional access control rules (e.g., time of day that access is allowed). The start time and expiration time determine the validity period for which the Access Token is valid (e.g., one day, one week, etc.). The cryptographic signature is checked by the secure relay device 110, and the signature is taken over all the fields of the access token and is generated using the private key for the access tokens.
The access tokens are generated by an administration server 115 and are periodically pushed to mobile devices 105 having the corresponding Mobile Device ID. The administration server also maintains an access revocation list for every secure relay device. Each list contains the Access Token IDs that are currently invalid for the secure relay. When a new revocation list is available, the administration server pushes the new revocation list to all the mobiles devices that currently have access to the secure relay device 110. A mobile device 105 pushes the revocation lists it receives from the administration server to the secure relay device 110 during the door opening sequence where they are stored.
To verify access of the mobile device holder to a particular secure relay device 110, the secure relay device 110 compares the access token to the revocation list of Access Token IDs. At block 215, a mutually authenticated secure channel is established between the mobile device 105 and the secure relay device 110 before sending access credential information to the secure relay device 1109. Device authentication information is sent from the mobile device 105 to the secure relay device 110. The authentication information can include a certificate and a mobile device identifier (ID). The mobile device 105 may also authenticate the secure relay device 110. The secure relay device 110 may send authentication information (e.g., a certificate and a Relay ID) to the mobile device 105 which the mobile device 105 uses to authenticate the secure relay device 110. After the secure channel is established, the mobile device 105 sends encrypted access credential information via the secure channel. Cryptography in the access control system may be based on public key infrastructure (PKI).
At block 220, the mobile device 105 sends the access credential information to the secure relay device 110 when the device authentication is completed. The access credential information is encrypted and integrity protected. At block 225, the secure relay device 110 verifies the access credential information and grants access to the physical access portal 120 based on the access credential information. The mobile device 105 may display the opening status of the physical access portal 120. If the access credential information is an access token, the secure relay device 110 may check the signature, start and expiration times, and the additional access information to determine if the physical portal should be opened.
Returning to
When a mobile device 105 is introduced to the access control system, it is personalized by the verification application and the administration server 115. The mobile device 105 establishes a secure connection with the administration server 115 and authenticates the user, such as by providing a password, invitation code, and the like. The verification application generates a key pair that is sent to the administration server 115. The administration server 115 issues a certificate for the public key of the key pair and issues a Mobile Device ID with the certificate as the root. This personalization information is then sent to the mobile device 105. The personalization information includes certificates from the certificate authority (CA certificates) for the mobile device 105 and secure relay device 110. The mobile device may also receive the latest access tokens and revocation lists and stores them in its long term memory. The status request (e.g., OCSP request) may be sent as part of the personalization.
The personalization information may be stored in a secure element (SE) or secure enclave of the mobile device 105. The SE may include a secure processor or coprocessor that includes a key manager. Communication between the SE and the application processor is tightly controlled, such as by isolating the communication to an interrupt driven mailbox for example. In certain examples the information is included in a trusted execution environment (TEE) of the mobile device. The personalization information may be periodically updated by being pushed to the mobile device by the administration server 115. The information stored in the SE may also include the current response to the request sent to the administration server 115 and a CA certificate.
As explained previously herein, the mobile device may identify the physical access portal 120 from a beacon signal broadcast by the secure relay device 110. In some examples, mobile device 105 identifies the physical access portal using an NFC tag 130. The NFC tag 130 is located near the physical access portal. The NFC tag 130 may include a smart card (e.g., a JavaCard enabled smart card). The user may bring the mobile device 105 close to the NFC tag 130 (e.g., to “tap” the NFC tag with the mobile device), and the mobile device 105 authenticates the NFC tag 130. The information read from the NFC tag can be encrypted or otherwise cryptographically protected.
The communication between the NFC tag 130 and the mobile device 105 is secure. The mobile device 105 authenticates the NFC tag 130 and, in some examples, asymmetric cryptography is used for authentication. In some examples, symmetric cryptography is used, but symmetric cryptography may use more power and require more complicated key management by the verification application of the mobile device 105. The NFC tag 130 can include a tag private key and a tag ID. The NFC tag 130 is personalized by the administration server 115. The administration server chooses a Tag ID and generates a key pair on the card and the public key of the key pair is read out. The administrator issues a certificate for the public key and the Tag ID is issued with the tag certificate authority (Tag CA) as root. Afterward the NFC tag 130 can be locked from further changes. The mobile device 105 may store tag certificates to authenticate NFC tags. The certificates may be received as part of the personalization of the mobile device 105.
After authenticating the NFC tag 130, the mobile device 105 connects wirelessly to the secure relay device 110, such as via BLE signaling 135 for example. The mobile device 105 and the secure relay device 110 then authenticate each other as described previously herein. In this manner, the verification application of the mobile device 105 does not need to run all the time. The verification application may automatically open in response to reading the NFC tag 130. In some examples, the user may need to unlock the mobile device before “tapping” the NFC tag 130 to automatically launch the verification application. In some examples, such as for mobile devices employing iOS, the user may need to unlock the mobile device 105 and launch the verification application before “tapping” the tag and initiating communication with the secure relay device. In some examples, such as for mobile devices employing iOS, the mobile device 105 may present a notification (e.g., an icon) of the verification application on a display screen of the mobile device 105.
Using NFC tags in a physical access control system may be more convenient than using the mobile device 105 to scan for beacons from physical access portals. Users may find the tapping of the NFC tag 130 with the mobile device 105 more intuitive or convenient, especially if the verification application automatically launches in the mobile device 105 in response to the tapping (e.g., an Android mobile device). Without using NFC tags there may be less chance that the user is actually standing in front of the portal that the user desires to open. With a scanning approach, an unauthorized user may try to open doors that are physically far away from the mobile device. The NFC tag 130 provides proof of location of the user at the physical access portal.
The physical layer circuitry 440 transmits and receives information wirelessly. The physical layer circuitry 440 may broadcast a beacon signal readable by a mobile device to identify the secure relay device 410, or the physical layer circuitry 440 may include separate circuitry (beacon module 442) for providing beacon functionality. The beacon signal may be a BLE signal and the secure relay device acts as a BLE central device for communication with the mobile device as the peripheral device. The beacon module 442 may act as an iBeacon device. The beacon module 442 may include a separate processor used for the beacon functionality. The beacon module 442 may be connected to the main microcontroller 445 using the inter-integrated circuit (I2C) protocol. Upon startup, the main microcontroller 445 sends the Relay ID that the beacon should advertise to the beacon module 442. The beacon module 442 may store the Relay ID in major and minor version fields of the advertising data and begins advertising the Relay ID using the out of band signaling.
As explained previously herein, the secure relay device 410 authenticates the mobile device and provides authentication information to the mobile device. The processing circuitry may implement transport layer security or TLS (e.g., TLS 1.2). As explained herein, key material may be stored in a secure element of the secure relay device. If the out of band signaling is BLE, initially all the incoming BLE data is forwarded using the TLS handshaking procedure and the responses are sent back using BLE. During the TLS handshake, the Mobile ID is extracted (e.g., from the serial number of the peer certificate) and is used throughout the session. Once the handshake is complete, all BLE traffic is first TLS unwrapped. Once a full TLS frame is received, the command stored in the frame is processed by the processing circuitry, the response to the command is wrapped and sent to the mobile device. For a BLE disconnect or a general failure, the TLS handshake is reset and the handshake should be completed again. The processing circuitry of the secure relay device 410 decodes authentication information received from the mobile device and encodes its authentication information for sending to the mobile device. When the devices authenticate, the secure relay device 410 receives encrypted access information from the mobile device and the processing circuitry decrypts the access information to grant or deny access to the user. A relay circuit 455 is enabled when the access is granted, and the relay circuit may cause an automatic lock (e.g., automatic lock 125 in
The secure relay device 410 may open the physical access portal in response to an “Open” command received from the mobile device with a valid access token. In response to the Open command, the secure relay device 410 may perform the sequence that follows. The secure relay device 410 checks that a successful “Push OCSP data” command was performed within the current TLS session, parses the access token supplied in the Open command, checks the signature of the access token and validity of the access token, verifies that the access token is not included in the revocation list, and opens the door if the access token is valid and not on the revocation list. The “Push OCSP data” is a response to a valid OCSP response received from the mobile device and includes the sequence that follows. The secure relay device 410 parses the OCSP response, checks the OCSP response signature and validity of the OCSP response, and returns revocation list information to the mobile device if the OCSP response is valid.
The secure relay device 410 may receive a revocation list when the verification application of the mobile device performs a “Push revocation list” command. The secure relay device 410 checks whether a “Push OCSP data” command was performed within the current TLS session. If the command was performed, the secure relay device 410 parses the revocation list and checks the revocation list signature and validity. If the revocation list currently stored by the secure relay device 410 is an earlier version, the secure relay device 410 stores the later pushed version of the revocation list.
The secure relay device 410 can include a secure element 450 to store one or more cryptographic keys for operation of the secure relay device 410. The secure element 450 may store one or more of a Relay private key, Relay certificate, Relay ID, a mobile device CA certificate, and a mobile device certificate response public key. The access information may include an access token, and the secure element 450 may store an access token private key for access token decryption. The secure relay device 410 may also store an access token revocation list. As explained previously herein, the secure element 450 may include a secure processor or coprocessor that includes a key manager. In some examples, the secure element 450 performs the cryptographic operations. The secure element 450 may communicate with the main microcontroller 445 using I2C.
Data, such as any policies or revocation lists or other updated data, that the secure relay device 410 needs is pushed to the secure relay device 410. Specifically, the administration server 115 would push such information to several or all mobile devices 105, and when such mobile device 105 interacts with a given secure relay device 410, the updated data is pushed to the secure relay device 410. Thus, the policies and revocation lists are updated in the secure relay devices 510 even though the secure relay devices 410 may be offline.
As explained previously herein, an access token may include a start time for the access and an expiration time for the access by the user, and the secure relay device 410 may grant access according to time policy. To keep time, the secure relay device 410 can include a real time clock (RTC) circuit 460. It can be important for the RTC to be accurate so the secure relay device can perform accurately. The access control system may include many secure relay devices 410 and the RTC of the secure relay devices 410 may eventually deviate from each other and/or from the real time. To synchronize the RTCs with each other and/or to the real time, the secure relay devices 410 can recurrently communicate to an external time server, which may be the same or different from the administration server. However, the communication with the time server should be secure. When the time comes to synchronize the RTC, the processing circuitry of the secure relay device 410 establishes a secure communication channel with the secure time server and reads a real time clock value to synchronize the RTC of the secure relay device 410 to the RTC of the external secure time server. In some examples, the communication between the secure relay device 410 and the time server is via a mobile device acting as a network gateway.
The secure relay device 410 should not lose the time in the event of a power cutoff. A battery backup can be used to provide backup power to the RTC circuit 460, but a battery should be periodically checked and replaced. To provide power backup to the RTC, the secure relay device 410 can include a super-capacitor 465. A super-capacitor 465, sometimes called an ultra-capacitor, refers to a capacitor having a different dielectric material than a conventional capacitor (e.g., a non-solid dielectric material) and has an energy density much greater than the energy density of electrolytic capacitors (e.g., 10,000 times)). A super-capacitor 465 can provide power for the RTC circuit for multiple days.
At block 515, the mobile device 105 starts advertising its OOB service (e.g., BLE service) and waits for the secure relay device 110 to connect. In normal operation, the mobile device 105 does not advertise, and the advertising may only be performed as part of the verification and opening sequence. At block 520, the mobile device 105 stops the advertising when the secure relay device 110 connects. At block 525, the mobile device 105 performs a TLS handshake with the secure relay device using OOB signaling. At 530, the mobile device 105 receives the Relay ID from the secure relay device 110.
At block 535, the mobile device 105 retrieves its current OCSP response from long term storage and pushes the OCSP response data to the secure relay device 110. At block 540, the secure relay device 110 returns the version of the access token revocation list it currently stores or an indication that no revocation list is stored. At block 545, the mobile device 105 determines if the version of its revocation list is greater (i.e., later) than the revocation list of the secure relay device 110 or if there is no revocation list is currently stored in the secure relay device 110.
At block 550, pushes its version of the access token revocation list if the secure relay device 110 has an earlier version, or if the secure relay device 110 does not have a revocation list stored. At block 555, the mobile device 105 sends the access token with an Open command to the secure relay device. The secure relay device 110 grants or denies access based on the information in the access token and the revocation list. The mobile device 105 may present status of the opening of the physical access portal 120 to the user.
The administration server 115 can be implemented as a set of command-line scripts (e.g., python scripts) and may include a graphical user interface (GUI). The set of command-line scripts can include server initialization scripts, access token generation scripts, revocation list generation scripts, secure relay device personalization scripts, NFC tag 130 personalization scripts, and mobile device provisioning scripts.
Server initialization generates keys, certificates, and the file system structure, and the initialization can include the sequence that follows. A CA key pair and certificate are generated for a mobile device, a CA key pair and certificate are generated for a secure relay device, a tag CA key pair and certificate are generated, an access token signing key pair may be generated, and a revocation list signing key pair may be generated. These key pairs and certificates are generated for each physical access portal 120. Additionally, OCSP responses are signed by the mobile device CA key pair.
Generating access tokens by the administration server 115 can include providing Mobile Device ID, Relay ID, start time, and end time to the access token generation script. The script composes and access token using the provided information, signs the access token using an access token signing private key, and writes the new access token to a server database. The script maintains the current access token ID in the data base and may increment the access token ID for each generated access token.
Generating revocation lists by the server can include providing Relay IDs and Access Token IDs to the revocation list generation script. The script composes a revocation list with this information, signs the revocation list using a revocation list public key, and writes the new revocation list to the server database. The revocation list generation script maintains a revocation list for every secure relay device and may increment the revocation list version every time it generates a new revocation list for the secure relay device.
The secure relay device 110 personalization script takes a Relay ID as input and performs the sequence that follows. The current time and the Relay ID are sent to the secure relay device. Mobile device certificates, an access token public key, an OCSP key, and a revocation public key are sent to the secure relay device. The script triggers key pair generation on the secure relay device. The administration server 115 receives the public key of the key pair, sends a CA certificate to the secure relay device 110, and stores the certificate in the server database. The secure relay devices 110 may be personalized using an NFC interface of the secure relay device 110.
The NFC tag 130 personalization script takes the NFC tag ID as input and performs the sequence that follows. The script sends a tag ID to the NFC tag 130 and triggers key par generation. The administration server 115 receives the public key of the key pair, sends a CA certificate to the NFC tag, and stores the certificate in the server database.
Conventional physical access control systems include a credential device that holds the users access credentials, a reader device to check the credential and a controller device to grant physical access. The credential device stores an access credential that is presented to the reader device receives and authenticates the access credential. If the reader device grants access, the reader device may send notification (e.g., a signal or message) to an access controller to open the physical access portal. The reader device and the access controller can be incorporated into one device. The reader device and access controller may communicate with a backend system of the access control system (e.g., a backend server). The access credential is authenticated by an authentication engine of the backed system. The present systems, devices, and methods described herein provide a secure access control system in which the roles of the reader device, the access controller device, and the backend server are performed by a mobile device 105 and a secure relay device 110. A secure validated connection is established between the secure relay device 110 and the mobile device 105, and the access credential is securely transferred between the mobile device 105 and the secure relay device 110 using any of the methods described herein. This transfer can occur while the secure relay device 110 and the mobile device 105 are offline from the access control system backend. The mobile device 105 provides updated information (e.g., a revocation list) to the secure relay device 110 again while the devices are offline form the backend system. Thus, each of the mobile device 105 and the secure relay device 110 play part of the role of the backend system of a conventional access control system. This reduces the complexity of verification and granting access to a physical portal and thereby reduces the complexity of the device or devices needed per physical access portal (e.g., per door).
With reference specifically to
Memory 602 can be used in connection with the execution of application programming or instructions by processing circuitry, and for the temporary or long-term storage of program instructions or instruction sets 616 and/or authorization data 618, such as credential data, credential authorization data, or access control data or instructions, as well as any data, data structures, and/or computer-executable instructions needed or desired to support the above-described device architecture. For example, memory 602 can contain executable instructions 616 that are used by a processor 604 of the processing circuitry to run other components of device 600, to calculate encryption keys to communicate credential or authorization data 618, and/or to perform any of the functions or operations described herein, such as the functions as operations of a mobile device described regarding the method of
Memory 602 can comprise a computer readable medium that can be any medium that can carry, contain, store, communicate, or transport data, program code, or instructions for use by or in connection with device 600, such as instructions for a verification application for example. Memory can include memory contained in a secure element of the mobile device. The computer readable medium can be, for example but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device. More specific examples of suitable computer readable medium include, but are not limited to, an electrical connection having one or more wires or a tangible storage medium such as a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), Dynamic RAM (DRAM), any solid-state storage device, in general, a compact disc read-only memory (CD-ROM), or other optical or magnetic storage device. Computer-readable media includes, but is not to be confused with, computer-readable storage medium, which is intended to cover all physical, non-transitory, or similar embodiments of computer-readable media.
The processing circuitry of the device 600 is configured (e.g., by firmware) to perform the functions of mobile devices described herein. Such as the functions and operations of the mobile device described regarding the method of
Antenna 606 can correspond to one or multiple antennas and can be configured to provide for wireless communications between device 600 and another device. Antenna(s) 606 can be operatively coupled to physical layer circuitry comprising one or more physical (PHY) layers 624 to operate using one or more wireless communication protocols and operating frequencies including, but not limited to, the IEEE 802.15.1, Bluetooth, Bluetooth Low Energy (BLE), near field communications (NFC), ZigBee, GSM, CDMA, Wi-Fi, RF, ultra-wide band (UWB), and the like. In an example, antenna 606 may include one or more antennas coupled to one or more physical layers 624 to operate using UWB for in band activity/communication and Bluetooth (e.g., BLE) for out-of-band (OOB) activity/communication. However, any RFID or personal area network (PAN) technologies, such as the IEEE 502.15.1, near field communications (NFC), ZigBee, GSM, CDMA, Wi-Fi, etc., may alternatively or additionally be used for the OOB activity/communication described herein.
Device 600 may additionally include a communication module 608 and/or network interface device 610. Communication module 608 can be configured to communicate according to any suitable communications protocol with one or more different systems or devices either remote or local to device 600. Network interface device 610 includes hardware to facilitate communications with other devices over a communication network utilizing any one of a number of transfer protocols (e.g., frame relay, internet protocol (IP), transmission control protocol (TCP), user datagram protocol (UDP), hypertext transfer protocol (HTTP), etc.). Example communication networks can include a local area network (LAN), a wide area network (WAN), a packet data network (e.g., the Internet), mobile telephone networks (e.g., cellular networks), Plain Old Telephone (POTS) networks, wireless data networks (e.g., IEEE 802.11 family of standards known as Wi-Fi, IEEE 802.16 family of standards known as WiMax), IEEE 802.15.4 family of standards, and peer-to-peer (P2P) networks, among others. In some examples, network interface device 610 can include an Ethernet port or other physical jack, a Wi-Fi card, a Network Interface Card (NIC), a cellular interface (e.g., antenna, filters, and associated circuitry), or the like. In some examples, network interface device 610 can include a plurality of antennas to wirelessly communicate using at least one of single-input multiple-output (SIMO), multiple-input multiple-output (MIMO), or multiple-input single-output (MISO) techniques. In some example embodiments, one or more of the antenna 606, communication module 608, and/or network interface device 610 or subcomponents thereof, may be integrated as a single module or device, function or operate as if they were a single module or device, or may comprise of elements that are shared between them.
User interface 612 can include one or more input devices and/or display devices. Examples of suitable user input devices that can be included in user interface 612 include, without limitation, one or more buttons, a keyboard, a mouse, a touch-sensitive surface, a stylus, a camera, a microphone, etc. Examples of suitable user output devices that can be included in user interface 612 include, without limitation, one or more LEDs, an LCD panel, a display screen, a touchscreen, one or more lights, a speaker, etc. It should be appreciated that user interface 612 can also include a combined user input and user output device, such as a touch-sensitive display or the like.
Power source 614 can be any suitable internal power source, such as a battery, capacitive power source or similar type of charge-storage device, etc., and/or can include one or more power conversion circuits suitable to convert external power into suitable power (e.g., conversion of externally-supplied AC power into DC power) for components of the device 600. Device 600 can also include one or more interlinks or buses 622 operable to transmit communications between the various hardware components of the device. A system bus 622 can be any of several types of commercially available bus structures or bus architectures.
Example 1 includes subject matter (such as a method of operating an access control system) comprising receiving, by a mobile device, an identification of a physical access portal; establishing a secure communication channel with a secure relay device associated with the physical access portal; sending an encrypted access token stored in the mobile device to the secure relay device; and granting access by the secure relay device to the physical access portal according to information stored in the encrypted access token.
In Example 2, the subject matter of Example 1 optionally includes sending an encrypted access token that includes a cryptographic signature taken over an access token identifier and one or more of a mobile device identifier, a secure relay device identifier, an access start time for the physical access portal, and an access expiration time for the physical access portal.
In Example 3, the subject matter of one or both of Examples 1 and 2 optionally includes initiating, by the verification application of the mobile device, a request for status to a verification device for the access credential information of the user; receiving a response to the request; and including the response to the request in the access credential information.
In Example 4, the subject matter of one or any combination of Examples 1-3 optionally includes reading cryptographically protected information from a near field communications (NFC) tag that identifies the physical access portal.
In Example 5, the subject matter of Example 4 optionally includes a verification application of the mobile device beginning executing in response to the reading the cryptographically protected information from the NFC tag.
In Example 6, the subject matter of Example 4 optionally includes presenting a notification of the application on a display screen of the mobile device, starting execution of the application in response to detecting contact with the display screen, and reading the cryptographically protected information from the NFC tag after the application is started.
In Example 7 the subject matter of one or any combination of Examples 1-6 optionally includes receiving the identification of the physical access port in a Bluetooth low energy (BLE) signal.
In Example 8, the subject matter of one or any combination of Examples 1-7 optionally includes establishing a secure communication channel between the secure relay device and a time server, synchronizing a real time clock circuit of the secure relay device with the time server using the secure communication channel, and further granting access by the secure relay device to the physical access portal according to a time policy and a time determined by the real time clock circuit.
Example 9 can include subject matter (such as a secure relay device of an access control system) or can optionally be combined with one or any combination of Examples 1-8 to include such subject matter comprising physical layer circuitry and processing circuitry operatively coupled to the physical layer circuitry. The physical layer circuitry is configured to receive information wirelessly. The processing circuit is configured to decode first authentication information received wirelessly from a mobile device, encode second authentication information for sending to the mobile device, decrypt an access token received from the mobile device in response to the second authentication information, determine validity of the access token, and grant access to a physical access portal according to the decrypted access information.
In Example 10, the subject matter of Example 9 optionally includes a secure element configured to store one or more cryptography keys.
In Example 11, the subject matter of one or both of Example 9 and 10 optionally includes a real time clock circuit coupled to the processing circuitry, and processing circuitry configured to establish a secure communication channel with a time server, synchronize the real time clock circuit with the time server via the secure communication channel, and grant access by the secure relay device to the physical access portal according to the decrypted access credential information, a time policy, and a time determined by the real time clock circuit.
In Example 12, the subject matter of one or any combination of Examples 9-11 optionally includes a super-capacitor coupled to the real time clock circuit to power the real time clock circuit.
In Example 13, the subject matter of one or any combination of Examples 9-12 optionally includes physical layer circuitry configured to transmit a beacon signal readable by the mobile device.
In Example 14, the subject matter of one or any combination of Examples 9-13 optionally includes processing circuitry configured to decrypt an access token that includes an access token identifier, a mobile device identifier, and a secure relay device identifier.
Example 15 includes subject matter (or can optionally be combined with one or any combination of Examples 1-14 to include such subject matter) such as a machine-readable storage medium including instructions that, when executed by processing circuitry of a mobile device, cause the mobile device to perform acts including receiving an identification of a physical access portal, exchanging authentication information with a secure relay device of the physical access portal and establishing a secure channel with the secure relay device, and sending an encrypted access token stored in the mobile device to the secure relay device using the secure communication channel.
In Example 16, the subject matter of Example 15 optionally includes a machine-readable storage medium including instructions that cause the mobile device to perform acts including initiating a request to a verification device for access credential information of the user, and decoding the access credential information received in response to the request.
In Example 17, the subject matter of one or both of Examples 14 and 15 optionally includes a machine-readable storage medium including instructions that cause the mobile device to perform acts including receiving the identification of the physical access port in a Bluetooth low energy (BLE) signal.
In Example 18, the subject matter of one or any combination of Examples 15-17 optionally includes a machine-readable storage medium including instructions that cause the mobile device to perform acts including receiving the identification of the physical access port in encrypted information received using near field communication (NFC).
In Example 19, the subject matter of Example 18 optionally includes a machine-readable storage medium including instructions that cause the mobile device to perform acts including comparing an access token for the physical access portal stored in the mobile device to a revocation list of invalid access tokens.
In Example 20, the subject matter of one or both of Examples 18 and 19 optionally includes a machine-readable storage medium including instructions that cause the mobile device to perform acts including presenting a notification of a verification application on a display screen of the mobile device, wherein the verification application initiates sending the encrypted access token to the secure relay device; starting execution of the application in response to contact detected using the display screen; and initiating a request for the identification of the physical access port using the verification application.
In Example 21, the subject matter of one or any combination of Examples 15-20 optionally includes a machine-readable storage medium including instructions that cause the mobile device to perform acts including retrieving a cryptography key from a secure element or a trusted execution environment of the mobile device.
These non-limiting Examples can be combined in any permutation or combination. The above detailed description includes references to the accompanying drawings, which form a part of the detailed description. The drawings show, by way of illustration, specific embodiments in which the invention can be practiced. The above description is intended to be illustrative, and not restrictive. For example, the above-described examples (or one or more aspects thereof) may be used in combination with each other. Other embodiments can be used, such as by one of ordinary skill in the art upon reviewing the above description. The Abstract is provided to allow the reader to quickly ascertain the nature of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims. In the above Detailed Description, various features may be grouped together to streamline the disclosure. This should not be interpreted as intending that an unclaimed disclosed feature is essential to any claim. Rather, the subject matter may lie in less than all features of a particular disclosed embodiment. Thus, the following claims are hereby incorporated into the Detailed Description, with each claim standing on its own as a separate embodiment, and it is contemplated that such embodiments can be combined with each other in various combinations or permutations. The scope should be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.
This application claims priority to U.S. Provisional Patent Application Ser. No. 63/132,947, filed Dec. 31, 2020, the disclosure of which is incorporated herein in its entirety by reference.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/EP2021/075234 | 9/14/2021 | WO |
Number | Date | Country | |
---|---|---|---|
63132947 | Dec 2020 | US |