The present invention relates generally to access control for building entrances, and more particularly, to entry access control using radio frequency communication.
Legacy access control systems have typically made use of a credential carried by the end user, a reader mounted at or near the access point to be secured, a server running access control software (the head end) and one or more door controllers mounted at or near the door to be controlled. In the case that connectivity between the door controller and the head end server is lost, these controllers contain a copy of the access database (credential list) and are capable of controlling the door or doors to which they are assigned.
Another approach for legacy access control systems makes use of RFID enabled battery powered locks mounted at each door to be secured. In the case of such a lock, an onboard database contains a credential list indicating who is allowed access, and at what times. Further, these lock databases often contain other data and information that we would like to synchronize with the head end access server. Examples of such information include things like access audit trails and the state of the battery charge in the lock. Since these locks often have no connection to the host they are considered to be “offline” locks. For an offline lock, a major challenge for the system designer is maintaining synchronization between the lock database (credential list) and the credential list maintained by the head end server. Additionally, when a particular lock has accumulated information that the system administrator should know, there can be delays in getting this information back to the head end server (access management system) so that the system administrator has visibility to it. Therefore, it is desirable to have improvements in entry access control to address the aforementioned issues.
In one embodiment, there is provided an access control system comprising: a lock interface module configured and disposed to receive electronic data from an access management computer; and an electronically activated lock adapted to receive short-range communication from the lock interface module; a credential reader configured and disposed to read a credential from a user; wherein the lock interface module is configured and disposed to transmit a credential list to the electronically activated lock.
In another embodiment, there is provided an access control system comprising: a first lock interface module configured and disposed to receive electronic data from an access management computer; a second lock interface module configured and disposed to receive electronic data from the access management computer; and an electronically activated lock adapted to receive short-range communication from the first lock interface module and the second lock interface module; a credential reader configured and disposed to read a credential from a user; wherein the first lock interface module is configured and disposed to transmit a first set of updated credential information to the electronically activated lock, and wherein the second lock interface module is configured and disposed to transmit a second set of updated credential information to the electronically activated lock such that credential information for the user can be added when the first set of credential information and second set of credential information is received by the electronically activated lock.
In another embodiment, there is provided a method for access control, comprising: receiving a credential list into a first lock interface module; transmitting the credential list to an associated electronically activated lock from the first lock interface module; receiving a credential from an associated credential reader configured and disposed to read a credential from a user; and preventing access of the user if the credential is not in the credential list.
The structure, operation, and advantages of the present invention will become further apparent upon consideration of the following description taken in conjunction with the accompanying figures (FIGs.). The figures are intended to be illustrative, not limiting.
Certain elements in some of the figures may be omitted, or illustrated not-to-scale, for illustrative clarity. The cross-sectional views may be in the form of “slices”, or “near-sighted” cross-sectional views, omitting certain background lines which would otherwise be visible in a “true” cross-sectional view, for illustrative clarity. Furthermore, for clarity, some reference numbers may be omitted in certain drawings.
While the aforementioned systems may provide a crude form of data synchronization between the lock and head end databases, there are a number of real world limitations that make the system impractical to be relied upon for timely updates. One important example that illustrates this point is the feature known as “blacklisting”. Blacklisting occurs when an individual end user of the system has their access privileges revoked. Now consider the case of a remote door that might only be accessed once a week or once a month. Since this system relies on viral transmission of the blacklisted individual it could take up to a week or month for the blacklisted individual to be removed from the remote lock database. This means that the blacklisted individual might have access to this remote door for up to a month resulting in an undesirable unsecure situation.
Disclosed embodiments provide techniques for entry access synchronization. A lock interface module is installed at a premises and in communication with one or more electronic locks. The lock interface module is in electronic communication with an access management system. Changes in access permissions made from the access management system are quickly propagated to the electronic locks by the lock interface module. This improves security for the premises, since persons who have become de-authorized do not have a time window to gain access to the premises.
In practice, the set of users allowed access to a premises can change, and sometimes can change very quickly. For example, an employee of a company can be terminated immediately. In such a case, the user may be removed from the credential list maintained by the head end access server 104 by an administrator. An updated credential list is immediately sent to the lock interface module 112 via network 114. The lock interface module 112 transmits the updated credential list to the electronically activated lock 120 via a short range wireless communications channel 118. In practice, the head end access server can be located many miles from the premises 102, as long as it is reachable via network 114. In prior art systems, there can be a delay in updating the credential list of the locks, creating a security vulnerability because there is a time window between update of the server and update of the credential list in the electronically activated lock in which an unauthorized person can open an electronically activated lock. With embodiments of the present invention, the credential list is updated in real time, eliminating the aforementioned security vulnerability.
In embodiments, the lock interface module 200 serves as a bridge between the server 104, and one or more electronically activated locks 120. The lock interface module 200 can communicate with the server 104 via the Internet using protocols such as TCP/IP, UDP, SSH, and/or other suitable protocols. The lock interface module 200 is configured to receive a credential list from the server 104, and transmit the credential list to an electronically activated lock via the short range communication interface. The short range communication interface may be selected in terms of frequency and power to communicate at a range of up to about 30 meters. This allows flexibility in the placement of electronically activated locks with respect to the position of the lock interface module. The electronically activated locks can use low power communication interfaces, thereby saving power and reducing operating costs.
In some embodiments, the lock interface module 200 may further include protected storage 212. Protected storage 212 may be a read-only memory such as a protected flash, ROM, or other memory that cannot be erased or changed. The read-only memory can be fuse-enabled memory. In such memory, unique identifiers such as serial numbers, device addresses and/or security certificates can be programmed into the protected storage 212 at the factory where the devices are manufactured. Then, an e-fuse is blown in the protected storage circuit to prevent write operations to the protected storage 212. In embodiments, the data in the protected storage may be on a separate data bus from the memory 204 and/or storage 206. The data within the protected storage 212 can be used for authentication with electronically activated locks and/or the head end access server 104.
In some embodiments, the electronically activated lock 300 may further include protected storage 312. Protected storage 312 may be a read-only memory such as a protected flash, ROM, or other memory that cannot be erased or changed. The read-only memory can be fuse-enabled memory. In such memory, unique identifiers such as serial numbers, device addresses and/or security certificates can be programmed into the protected storage 312 at the factory where the devices are produced. Then, an e-fuse is blown in the protected storage circuit to prevent write operations to the protected storage 312. In embodiments, the data in the protected storage may be on a separate data bus from the memory 304 and/or storage 306. The data within the protected storage 312 can be used for authentication with the lock interface module 112.
Electronically activated lock 300 further includes a short range communication interface 310. The short range communication interface 310 may include, but is not limited to, a Bluetooth™ interface, a Bluetooth Low Energy (BLE) interface, a Zigbee interface, and/or a WiFi interface. The wireless interface greatly simplifies and speeds up the installation process, since wires do not have to be directly connected between the lock interface module and the electronically activated lock.
In embodiments, the lock interface module periodically receives a credential list from the head end access server. The most recent credential list received is then periodically sent from the lock interface module to one or more electronically activated locks. In embodiments, each electronically activated lock compares the received credential list with the currently stored credential list in its storage 306. The processor 302 detects users in the current list that are not present in the new list. The processor then performs deletions, removing those users that no longer have access from the current list. Similarly, the processor 302 detects users in the new list that are not present in the current list. The processor then performs additions, adding the new users to the current list so they can have access. In this way, the electronically activated locks maintain a current credential list, thereby improving the security of the premises.
In this embodiment, the lock interface module 412 may be installed at a distance that exceeds the range of the short range communication interface of the electronically activated lock. In this case, a wireless repeater 432 may be installed that is located between the electronically activated lock 420 and the lock interface module 412. In some embodiments, the short range communication may utilize WiFi and/or low power WiFi, in which case, a wireless repeater 432 can serve as a range extender so that the electronically activated lock 420 and the lock interface module 412 can communicate with each other. Such an embodiment may be well suited for a large premises such as a warehouse, airport, hotel, or other large venue. In embodiments that use Zigbee, a wireless repeater may be used to extend the distance over which the electronically activated lock 420 and the lock interface module 412 can communicate with each other. Any other short range protocol that can be used with repeaters/range extenders can be used in these embodiments. The lock interface module 412 can communicate with the head end access server 404 via network 414. In embodiments, network 414 includes the Internet.
In this embodiment the electronically activated lock 520 is in communication with two lock interface modules, indicated as 512 and 515. Both lock interface modules can communicate a new credential list to the electronically activated lock 520. In embodiments, the electronically activated lock is programmed such that it processes one or more deletions in its stored credential list if the credential list is received from at least one of the first lock interface module or the second lock interface module. In this way, there is redundancy in propagating a deleted user to the electronically activated lock 520. If one of the lock interface modules (512, 515) is offline or otherwise unreachable, the other lock interface module can relay the deletion to the electronically activated lock. Similarly, in embodiments, the electronically activated lock is programmed such that it processes one or more additions in its stored credential list if the credential list is received from at least one of the first lock interface module or the second lock interface module. In this way, there is redundancy in propagating a newly added user to the electronically activated lock 520. If one of the lock interface modules (512, 515) is offline or otherwise unreachable, the other lock interface module can relay the new user to the electronically activated lock. Lock interface module 512 and lock interface module 515 can communicate with the head end access server 504 via network 514. In embodiments, network 514 includes the Internet.
In some embodiments, the electronically activated lock is programmed such that it processes one or more additions in its stored credential list if the credential list is received from both the first lock interface module and the second lock interface module. In this way, there is improved security in terms of adding users. In these embodiments, the electronically activated lock 520 only accepts a new user if it receives a credential list from both lock interface module 512 and lock interface module 515. In this way, if a malicious actor tries to add a user by spoofing a single lock interface module, the user is not added. Thus, this scheme considerably hampers the ability of a malicious actor to add an unauthorized user to the credentials list. In embodiments, the first set of credential information and the second set of credential information are identical.
Similarly, in some embodiments, the electronically activated lock is programmed such that it processes one or more deletions in its stored credential list if the credential list is received from both the first lock interface module and the second lock interface module. In this way, there is improved security in terms of removing users. In these embodiments, the electronically activated lock 520 only deletes a user if it receives a credential list from both lock interface module 512 and lock interface module 515. In this way, if a malicious actor tries to remove a user by spoofing a single lock interface module, the user is not removed. Thus, this scheme considerably hampers the ability of a malicious actor to remove a user to the credentials list (e.g. as part of a denial of service attack).
Thus, in embodiments, the electronically activated lock comprises a processor, a memory coupled to the processor, a locking mechanism, where the memory contains instructions, that when executed by the processor, perform the steps of processing one or more deletions in the credential list if the credential list is received from the lock interface module. In some embodiments, the electronically activated lock comprises a processor, a memory coupled to the processor, a locking mechanism, where the memory contains instructions, that when executed by the processor, perform the steps of processing one or more additions in the credential list if the credential list is received from the lock interface module. Note that while two lock interface modules are shown in
The mobile device can be used to determine if both the lock interface module and the electronically activated lock are in range of each other. In embodiments, the lock interface module and the electronically activated lock are each programmed to periodically send out a handshake signal. For example, in embodiments, the handshake signal may be sent every ten seconds. The mobile device can be programmed to receive this handshake signal. The installer then can perform a range check at step 756 by standing near the electronically activated lock and checking the mobile device to determine if the lock interface module handshake is received at that location. If yes, then the installation completes at step 760. If no, then the installer installs a repeater 758 at an intermediate location between the electronically activated lock and the lock interface module (see
In some embodiments, an association is established between a lock interface module and an electronically activated lock as part of an installation process. Both the lock interface module and the electronically activated lock may implement a “learn” mode, where data can be exchanged between the two devices. The data may include a serial number, device address, certificate, or other digital data that can be used to authenticate the devices to each other. In embodiments, the authentication data shared between each lock interface module and each electronically activated device may be encoded with check digits to improve security. In embodiments, an ISO 7064 Mod 97-10 scheme may be used to encode device serial numbers, adding another level of complication for malicious actors attempting to spoof a device. For example, the table below lists exemplary 8 digit codes that can be used:
Each of the codes above complies with the ISO 7064 Mod 97-10 scheme, in that each code results in a value of 1 when a MOD-97 operation is performed. These codes are merely exemplary. In practice, other check digit schemes, hash schemes, and/or checksum schemes may be used to generate valid authentication codes.
In embodiments, attempts to authenticate with numbers that do not adhere to the encoding scheme are rejected, thereby reducing the risk of an authentication with a compromised device. Additionally, embodiments, during initialization, may exchange rolling code data. The rolling code data can include a set of codes, and/or a seed for a pseudorandom number generator, such that each device can generate a matching set of codes. In such embodiments, each electronically activated lock may periodically transmit a code from the rolling code set. The lock interface module receives this code, and confirms if it is the next code in the rolling code set. In embodiments, lock interface module may implement a window of acceptance for the rolling codes, in case an electronically activated lock goes offline temporarily. If the rolling code is outside of the acceptance window, the lock interface module may send an empty credential list to that electronically activated lock, causing all the users to be deleted from the credential list of the electronically activated lock, essentially preventing all access at that entrance. The lock interface module may then send a message to the head end access system alerting security administrators to the situation of a potentially compromised electronically activated lock.
In yet other embodiments, the lock interface module may send a message to the head end access server indicating a low battery condition of the lock interface module and/or an associated electronically activated lock. The head end access module can then alert security personnel of the low battery condition so it can be addressed. Additionally, the head end access module may perform a periodic transmitting of the credential list in response to receiving the low battery condition. In this way, in the event any information is lost during the battery replacement, it is quickly replenished so the electronically activated lock is back online and operating properly as soon as possible.
As can now be appreciated, in embodiments of the present invention, by using techniques such as the authentication data and rolling codes, the risk of security breaches due to compromised devices is reduced. Furthermore, embodiments provide techniques that enable easy installation of locks that have credential lists that stay synchronized to the head end access server, reducing the risk of a newly unauthorized person gaining access to a premises. Thus, the overall security of a premises can be increased using embodiments of the present invention.
Although the invention has been shown and described with respect to a certain preferred embodiment or embodiments, certain equivalent alterations and modifications will occur to others skilled in the art upon the reading and understanding of this specification and the annexed drawings. In particular regard to the various functions performed by the above described components (assemblies, devices, circuits, etc.) the terms (including a reference to a “means”) used to describe such components are intended to correspond, unless otherwise indicated, to any component which performs the specified function of the described component (i.e., that is functionally equivalent), even though not structurally equivalent to the disclosed structure which performs the function in the herein illustrated exemplary embodiments of the invention. In addition, while a particular feature of the invention may have been disclosed with respect to only one of several embodiments, such feature may be combined with one or more features of the other embodiments as may be desired and advantageous for any given or particular application.
Number | Name | Date | Kind |
---|---|---|---|
6721900 | Lenner | Apr 2004 | B1 |
20140143860 | Druckman | May 2014 | A1 |
20140282937 | Farber | Sep 2014 | A1 |
20140373111 | Moss | Dec 2014 | A1 |
20150028996 | Agrafioti | Jan 2015 | A1 |
20150187151 | Lagerstedt | Jul 2015 | A1 |
20150222623 | Lowe | Aug 2015 | A1 |
Number | Date | Country | |
---|---|---|---|
20180211462 A1 | Jul 2018 | US |