Patent Grant
10970949
This application relates to secure access control systems of the type using secure access modules to authenticate smart card credentials.
Access control systems typically consist of one or more door controllers, a plurality of sensors and relays and a plurality of identification cards readers. The controller may be a computer system that has a database of cardholders and access policy, a set of I/O ports and it may be responsible for applying the access policy. The sensors and relays are used to monitor doors states and activate the door strikes to unlock doors when required. Identification card readers communicate with user identification badges and retrieve the users' credentials. That information is conveyed to the door controller, for example by the means of an RS485 bus, a network connection or other communication mechanism. The controller then decides to activate the door strike relay (can also be a magnetic lock) or not.
In low security systems, the identification credential often is an RFID card or fob that provides a serial number when prompted. The serial number received at the card reader is transmitted to the access controller that checks if the serial number is permitted access. With these systems, if the card or fob is read by a third party, it is possible to make a copy of the RFID card or token that can grant access to an intruder.
In higher security systems, the credential can include a cryptographic processor that provides authentication while avoiding the need to exchange a secret or other information that would allow a third party to make a copy of the RFID card or token. Such credentials can be “smart cards”.
When authenticating a smart card, it is known in the art to use secure access modules that can be similar in design to smart cards and provide the counterpart cryptographic processing to establish the identity of the RFID card presented to the reader device. A secure access module (SAM) provides for storage for the cryptographic keys and algorithms that is more secure than when a regular computer platform is used, because the SAM has a tamper-proof package whose memory is not readable from the outside. As is known in the art of financial transaction point-of-sale (POS) terminals, a secure access module or SAM can be connected to a slot in a device that has a card reader and PIN keypad. The cryptographic exchange between the client's smart card and the SAM is done using keys that are securely stored in the SAM and smart card, and the communication can be encrypted so that no compromising eavesdropping is possible. The SAM provides to the controller or microprocessor of the device a message that the card is authenticated, and the device transmits the authentication information over a bus or network connection.
In access control systems, it is known to use a SAM inside the reader itself or in a module associated with the reader located a small distance from the reader inside of the protected premises. In this case, using a SAM allows the smart card of the user to be authenticated, and the authentication information is then sent to an access controller for making the decision as to whether the user of the card should be granted access. It will be appreciated that the authentication information sent from the reader to the access controller also is best to be encrypted to prevent interception. This requires managing cryptographic keys for that communication.
According to a first broad aspect of the present application, a SAM associated with a reader for reading an RFID card, badge or token for secure access control is located at the access controller so that encrypted or secure communication between the reader and the SAM is used to ensure security of the communication between the reader and the access controller. This can avoid the need to manage cryptographic keys for that communication outside of the smart card to SAM communication protocol.
According to a second broad aspect of the present application, one or more SAMs are associated with a greater number of readers for reading an RFID card, badge or token for secure access control. In this way, fewer SAMs are required.
In some embodiments, an access controller for use in a secure access control system having a number of smart card readers and door controllers, can be operative to communicate with the smart card readers and door controllers for authenticating users and enabling authorized access to secured premises. The access controller can comprise at least one communication interface connectable to the number of smart card readers and door controllers, a plurality of secure access module (SAM) interfaces, each one of the SAM interfaces able to connect to a corresponding one of a plurality of SAMs.
In some embodiments, an access control method comprises:
In one embodiment, the system comprises:
In some embodiments, there is provided an access control system controller comprising:
In order to process multiple requests in parallel, the process of authenticating cards may operate asynchronously with regards to the SAM dispatching/reservation process, be it with threads, processes or other parallel programming technique.
In a variant, the Waiting queue may be substituted for a Priority Queue. This may be used to prioritize certain access points over other.
In some embodiments, there is provided an access control system, while in other embodiments, there is provided a method of performing access control.
In some embodiments, there is provided an end-to-end encrypted access control system comprising:
In some embodiments, there is provided an end-to-end encrypted access control method comprising:
Establishing an access permission associated with the access card can further comprise exchanging further encrypted communication with the access card, the further encrypted communications being exchanged via the card reader without decryption thereby.
The invention will be better understood by way of the following detailed description of embodiments of the invention with reference to the appended drawings, in which:
Access control systems typically consist of one or more door controller, a plurality of sensors and relays and a plurality of identification cards readers, as shown schematically in
In high security applications, it is useful to ensure that user identification cannot be stolen, cloned or otherwise tampered with. To this end, contactless smart cards are often used to securely store the user's credential and are comprised of some nonvolatile memory with a small processor all built in the same tamper proof integrated circuit, known as a secure access module or SAM. A cryptographic challenge can prevent access to the stored information without knowledge of a secret key. The secret key can then also be known by the Access Control System.
With reference to
The data communication between a smart card and a SAM is typically encrypted. As is known in the art, it can involve an exchange of data that allows the smart card and the SAM to perform mutual authentication, for example using asymmetric encryption. This mutual authentication uses messages that do not allow an eavesdropper to be able to obtain information that could be used by the eavesdropper to gain authenticate in the future. The result of the authentication can be used, for example, to establish a temporary or ephemeral session key that then allows the smart card to transmit encrypted credential data to the SAM. The ephemeral key can originate at either end or can be negotiated between the two ends. In one example, the SAM can make the ephemeral key available to the controller by recording it in system memory of the controller. In this case, the SAM provides the ephemeral key to the controller, but the authentication is being done using the encrypted credentials sent from the badge to the controller without the SAM decrypting the credentials. The credential data can be, for example, an employee ID. For many installations, this is considered sufficient security, and is very simple for the user. The employee ID can be sent to the access controller where it can be determined whether the employee has permission to enter for the given door at the given time. The access controller communicates with the reader over a bus. Because the credential data is confidential data, this link can use secure communication with the establishment of encryption keys.
Authentication of the badge holder can use a variety of techniques. As an alternative example, the SAM can be used to decrypt information using asymmetric encryption that is then used to identify the badge holder.
In some cases, the smart card can also provide the SAM with biometric data or PIN data for the employee, so that when a PIN keypad, fingerprint reader or iris scanner is included at the reader, the logic controller of the reader (or the access controller, when the comparison is to be done at the access controller) can verify that the input given by the user matches what was stored in the smart card.
The logic controller can also control an audio or visual indicator for user feedback when a card cannot be read and/or when the access controller confirms or denies an authentication request. This can be important when the door control mechanism is a magnetic latch, whose release makes no significant audible sound when the door is opened.
The data link between the access controller and the door control mechanism can be encrypted or not as desired. The credential database can be local to the access controller or it can be remotely located over a secure data network.
In the embodiment of
By providing a Secure Access Module (SAM) in the controller, the whole chain (badge to reader and reader to controller) can be secured by the same set of keys and the reader can be completely transparent. One particular architecture of such a solution uses n Secure Access Modules, centrally located with the controller, for serving authentication requests for m doors, where m may be larger (even much larger) than n. This takes advantage of the fact that while m doors may require m authentication requests, these are unlikely to be accessed simultaneously. The time for an authentication to complete using a conventional SAM can also be less than the time for a conventional door (particularly a door having a dampened automatic door closer) to be opened and closed by a person entering a secure area. Taking advantage of this fact, one or more SAMs or other encryption resources may be shared among doors using a sharing scheme, e.g. by providing a FIFO waiting queue for allocating incoming requests to secure access modules. Because the usage ratio of the SAMs may be low, a few SAM cards may suffice to support many doors. Using waiting queue theory, Applicant has determined that three SAMs may be used to accommodate up to nine independently distributed authentication requests per second with reasonable service times. It has been determined for a given conventional SAM that the probability of the wait time being less than 100 ms when 3 SAMs are used to handle 9 requests per second is about 85% with a maximum wait time of about 200 ms. Whereas, it has been determined that when 2 SAMs are used to handle 9 requests per second, there is only a 50% chance of a response time that is less than 300 ms and about a 70% chance of a response time less than 500 ms. This solution also minimizes the hardware requirements and simplifies deployment.
When a request comes in, the system can attempt to allocate one of the free SAMs. If a SAM is available, it can be reserved and allocated for the duration of the authentication request. If no SAMs were available, the request can be put in a waiting queue and the request is not immediately answered. When a request completes, the controller takes the next request from the waiting queue, if one was present, and assign the SAM to that request which may then proceed. The SAMs must be equivalent, so that users have a homogenous experience regardless of which of the SAM process their request.
In the variant embodiment of
The access controller can be a computer having the interfaces for the readers. The connection to the door or turnstile control mechanism or door controller can be through a local bus or link, or it can be over a control network. Over this link, the access controller can send instructions to unlock a door, for example. Alternatively, the instructions can comprise waiving or disabling an alarm associated with opening a door or passage in an area that is not subject to an otherwise locked door or gate. The credential database can be a local database within the computer, or it can be a remote database accessed over a secure connection.
While the location of the SAM at the access controller does not change the exchange between the SAM and the smart card, it provides the advantage that the smart card credential data decrypted by the SAM are now at the access controller instead of the reader. This means that the credentials need not be encrypted by the reader for secure transmission to the access controller, and this means not having to manage encryption keys for this data link. The data link is of course used for communication of the exchange of cryptographic data between the SAM and the smart card, however, as previously mentioned, this is encrypted.
In the embodiments of
The SAM interface as shown in
The SAM interface can alternatively be implemented by using a USB smart card reader for each SAM card and by connecting a number of such USB card readers to the bus of the host computer, for example using a USB hub. The SAM interface in this variant embodiment can then make use of software control to recognize each USB device and to perform the handling of the flow of data between the externally connected card readers and the internally connected SAM card readers. In this situation, it will be appreciated that the embodiments of
When the application program in memory starts on the host processor, it can eventually try to detect the presence of the SAM interface microcontroller by querying the operating system for serial ports matching the expected USB device identifiers. It can then confirm the presence and functioning of the microcontroller by using its hello protocol. If the microcontroller is detected and functioning, its attached SAM cards can be detected. For each SAM card found, a card unlock procedure can be executed (this can be a cryptographic procedure to put the card in a ready state to process authentication requests). An entry with the card address can be added in a “card ready” FIFO stack for each card where the authentication procedure succeeded. The choice of a FIFO stack is for convenience and troubleshooting only. It could alternatively be a LIFO (stack) but a FIFO stack allows it to easily use all×SAM cards by badging×times and detect any faulty SAMs easily. A LIFO stack would require multiple simultaneous badging.
A task can constantly read from the virtual com port and reconstruct complete messages from the byte stream. Complete messages can be posted on a message queue to the SAM management task. Truncated or invalid messages are silently discarded.
While a queue can be used, it will be appreciated that it is possible that the access card presented to a reader could also be given no reply message when all of the SAMs are not available. In this way, the access card and/or reader can simply try again.
The SAM management task can track the state of the SAMs and accept requests (AcquireSam, ReleaseSam, SendSamCommand). The Acquire request may block the calling application until a SAM is available. In which case, the task is put in a waiting queue. The ReleaseSam request may unblock a task from the waiting queue if it was not empty. Otherwise, the released SAM can be added to the “card ready” FIFO stack. The SendSamCommand can send a command to the previously acquired SAM and block the caller until a response is received or a timeout is reached.
One can support at least two different modes of operations depending on the configuration. The first mode of operation uses only the hardware cryptographic engine present on the SAM. The second mode of operation uses the SAM to authenticate the badge then dumps the ephemeral cryptographic key to the host processor memory where the cryptographic operations pertaining to reading the credential is performed. This second mode of operation is faster, since the SAM is released immediately after the authentication but may be disallowed by the SAM configuration.
The sequence of events for the first mode of operation (SAM crypto only) can be as shown in
When the second mode of operation is used, the GenerateMac command can be replaced by a DumpSessionKey command. Its response can contain the ephemeral session key. The SAM can be released immediately after. The host can then perform the deciphering by itself. This mode of operation reduces the SAM usage time by 1 round trip to the card and 1 round trip to the SAM, namely between about 60 ms to 100 ms depending on conditions.
As will be appreciated from
In the embodiment of
The access controller must maintain a list of connections and manage the switching or relaying of the data. In
The operation of the access control system of
The access controller then relays messages from the smart card and the SAM to complete the authentication transaction between the reader and the available SAM. When the transaction is done, the access controller takes the credential data and does not sent that back to the reader, but instead it uses it to determine if an access control signal should be issued to the door latch mechanism or the like. The access controller also marks in the list or table that the SAM is now available.
The number ‘m’ of SAM's used to serve ‘n’ readers can be chosen in a number of ways. A typical SAM may process two or three authentications per second. A typical time from the same reader being used for reading the badge of one user to the next is about 2 to 6 seconds depending on the door or turnstile operation. While this may suggest that one SAM can be used with about 4 to 18 readers, a delay in authentication will occur in the worst-case scenario that all SAMs are busy when a reader is presented with a badge. When the access controller is built to provide a large number of slots or connectors for SAMs, the operator of the access controller can decide on how many SAMs to purchase, and to balance the number of SAM's installed with any user complaints that the readers are slow or unresponsive. Alternatively, a model of expected reader activity and response times can be developed so that the number of SAM's can be selected for the desired maximum wait time that can be tolerated. In most cases, the number of SAM's can be less than about one half of the number of readers without causing any issues, and in some cases, the number of SAM's can be less than about one third of the number of readers without causing issues.
This patent application claims priority of U.S. provisional patent application Ser. No. 62/667,149 filed on May 4, 2018, the content of which is hereby incorporated by reference.
| Number | Name | Date | Kind |
|---|---|---|---|
| 20030088777 | Bae | May 2003 | A1 |
| 20040162105 | Reddy | Aug 2004 | A1 |
| 20050127172 | Merkert, Sr. | Jun 2005 | A1 |
| 20050138380 | Fedronic | Jun 2005 | A1 |
| 20050211766 | Robertson et al. | Sep 2005 | A1 |
| 20080097924 | Carper et al. | Apr 2008 | A1 |
| 20120022902 | Gressel | Jan 2012 | A1 |
| 20130221094 | Smith | Aug 2013 | A1 |
| 20130222107 | Herscovitch et al. | Aug 2013 | A1 |
| 20140281586 | Loisel et al. | Sep 2014 | A1 |
| 20150350199 | You | Dec 2015 | A1 |
| 20170039789 | Neely | Feb 2017 | A1 |
| 20180287788 | Pital a Garcia | Oct 2018 | A1 |
| Entry |
|---|
| PCT/CA2019/050592 search report dated Aug. 14, 2019. |
| PCT/CA2019/050592 written opinion dated Aug. 14, 2019. |
| Number | Date | Country | |
|---|---|---|---|
| 20190340858 A1 | Nov 2019 | US |
| Number | Date | Country | |
|---|---|---|---|
| 62667149 | May 2018 | US |
