EP2146328A2 - Lock for securing a safety container or area and method for securing the transport of a safety container - Google Patents

Abstract

The lock (120) comprises a closing unit for locking and unlocking of a door or a container (110). A control unit is provided for controlling the closing unit. A memory unit is provided for storing identification data for identification of the lock and for program data for representation of a user interface. A gateway is provided for sending the program data and the identification data to an attached computer (130), and for receiving of command data of the attached computer. Independent claims are included for the following: (1) a safety container comprises an inner chamber for receiving an object; (2) a system for monitoring a lock; (3) a method for controlling a lock; (4) a method for transporting a safety container; and (5) a method for protecting a safety chamber.

Description

The invention relates to a lock, a security container with such a lock, a system for monitoring the transport of the lock, a method for controlling the lock and a method for transporting the security container. Furthermore, the invention relates to a method for securing a fuse space whose door is coupled with such a lock.

In freight forwarding, goods or items are sent from a sender to a recipient. In order to protect the cargo in transit against damage and / or unauthorized access, the logistic and forwarding companies operate a high cost. For example, security containers are used for the transport of various goods, which are equipped with different locks or locking devices depending on the design of the security container. There are security containers in different sizes and with different security standards. A security container picks up the cargo and is closed by the sender. To open, the recipient must have the correct key. Depending on the design of the lock, the key may be either a conventional mechanical key or an electronic access code.

A mechanical key must either be present at the sender or at the receiver, or the mechanical key must be sent to the recipient. This makes the key itself a security risk. Although the sender can only send the security container when the key has arrived at the recipient, but this involves a considerable time and economic effort and therefore unsuitable for practice. It is also possible to copy a mechanical key.

An electronic lock can be opened with an electronic access code as a key. For this purpose, however, a circuit complexity is required in the castle, which requires a power supply. This increases both the expense of the lock and a security container with such a lock. To open a security container with such an electronic lock, the receiver first requires the access code, which must be transmitted from the sender to the recipient. The access code must also be in the electronic lock of the Security container are stored and is thus in principle visible to third parties. Although an encryption method can be used to store the access code. With an encryption method, however, sufficient protection against unauthorized access can not be achieved, since all encryption methods are based on a calculation algorithm whose structure can be determined.

Another disadvantage of an electronic lock with an access code is the need to provide a user interface for entering the access code. This is expensive and space consuming. If the safety container is subjected to vibrations during transport, the user interface can be destroyed, so that opening in the normal way is no longer possible.

In the EP 1 391 579 A2 a security container is described which is connected to a personal computer for inputting and transmitting the access code. The computer is used as an input and display medium. However, the access code to be entered via the computer is stored in the circuit of the security container and can thus be searched out by unauthorized persons with the appropriate effort during transport.

Therefore, such a key is fundamentally a security risk and can be determined by third parties with appropriate knowledge of the structure of the lock (for example, the encryption of the access code in the memory of the electronic lock). Thus, conventional electronic locks are not safe from access by third parties. In addition, a key may fall into the wrong hands as the only necessary means of opening a containment, creating another security risk. Furthermore, there is a fundamental risk that even if a security container is safely delivered to the recipient's company, unauthorized persons will gain access to the containment on the way inside the company.

It is therefore an object of the invention to provide a lock for a security container, a security container with a lock, a system for monitoring a lock, a method for controlling a lock and a method for transporting the security container, which are each effectively protected against manipulation.

The object is solved by the subject matters of the independent claims. Preferred embodiments are subject of the dependent claims.

To solve the problem, the invention proposes to equip the lock of the security container with a memory and only store data on this memory, which uniquely identify the security container and with which a user interface can be displayed on a computer. When the lock is connected to a computer by a user, this data is automatically sent to the computer and the user can control the lock via the user interface. However, to control the lock, predetermined control data is necessary, which the user can query or request from a predetermined location, for example a security server on the Internet. In other words, even an unauthorized computer or user on the computer can recognize the user interface and also enter user data via it. However, these user data are not verified by the security server and thus do not generate control data that allows the lock to be opened.

A lock according to the present invention therefore includes a mechanical or electromechanical locking device for locking a lock of a security container or door of a security room. The lock comprises a control unit for controlling the locking device and a memory. The memory stores program data representing a user interface on a screen of a computer connected to the lock. Further, identification data storing the lock is stored in the memory. The lock contains an interface for sending the program data and the identification data to the connected computer. The interface also receives the control data for controlling the lock after it has been generated in the security server.

By displaying the user interface on the connected computer, it is possible to control the lock externally. As a result, much of the intelligence of the castle is shifted to the outside. Thus, the lock can be constructed with the simplest electronic means, so that it can be produced inexpensively. Such a lock is ideal for mass production. In particular, the lock according to the invention does not require an additional key. While the user of conventional electronic locks must enter a correct access code, which is then compared internally in the lock, the user only has to know about his correct user data in the lock according to the invention, which he inputs, for example via the user interface. By the distribution of the individual data to different locations must be understood by an unauthorized third party, the control of the lock, the mechanical locking device, the encryption and in particular the generation of the control data in the security server in order to open the lock. That is, if the third party really manages to enter a correct encrypted command, then there is no guarantee that this command will trigger the correct action on the lock. Therefore, the unauthorized person would have to understand the entire encrypted instruction set as well as the effects on the lock. Thus, the security of the lock and thus of the security container or of the closed space with the lock is increased by the inventive distribution of the data required for opening / closing.

In order to make the application easy for particularly inexperienced users, the interface may be provided for receiving command data, the command data directing, in a direct and unencrypted manner, the lock for performing a particular action such as locking and unlocking. Based on this command data, the lock may send a control data request via the computer to the security server, which then generates the control data based on the identification data and user data. Upon transmission of the identification data, the connected computer may then convert the control data request based on the command data. Thus, the user only needs to know his user data and the corresponding command data, which are at best opening and closing.

Based on the command data, the lock creates the control data request, which is then sent to the security server along with the identification data and user data. There, the control data request is converted into the control data, which are then sent to the lock and with which the lock can be safely opened.

The control data may be provided for opening and closing the lock. These two commands are particularly important in freight forwarding. A sender of a security container sealed with the lock can thus be sure that only the right recipient can enter the correct control data for opening the lock, which open the security container. This also closes the security gap within the company against unauthorized access.

For the treatment of exceptional situations on the computer a first Emergency access code are entered, with a second emergency access code stored in the memory. For example, if the lock receives the first emergency access code and agrees with the second emergency access code, the control unit may itself generate control data to open the lock. Another possibility is that the first emergency access code also receives command data which is executed directly based on the comparison without generating a control data request. As a result, the lock can also be opened if, for example, no connection to the security server is possible and thus no correct control data can be sent. The emergency access code ensures that a security container locked with the lock can be opened by persons or authorities who are not authorized by the sender to open it, but who nevertheless need to open the security container for inspection purposes or in emergency situations. For example, it is possible that no suitable computer for inputting user data and no security server for converting the control data request into the correct control data are available. With the emergency access code, the security container or a room locked with the lock can still be opened. Preferably, the emergency access code may be provided for single use only. Thus, the lock is protected from repeated attempts by third parties to obtain unauthorized access to the lock with the emergency access code.

The lock may include an encryption unit for encrypting the control data request and / or the identification data before sending and decrypting the control data after receiving via the interface. It is true that the control data request in particular can protect itself from unauthorized access by its content alone, since only one of the options is normally correct among a large number of possible responses to the control data request. By encrypting the traffic between the lock and the connected computer, however, additionally made illegible, so that further steps are necessary to understand the lock and gain access to the castle. Encryption thus further enhances security.

The lock can be constructed completely passive, so that in principle no power supply is required in the lock. This makes it possible to open the lock, even if the security container with the lock is long on the way or the lock on the door of a room has no power connection. The interface may preferably be designed as a USB interface. However, any other suitable interface may be used. This interface provides power to the lock, control unit and memory, etc., from the connected computer. Thus, the complexity and weight of the lock can be reduced. In addition, USB interfaces are particularly common in modern personal computers, so that almost every computer is able to be connected to the container or to the lock and to provide power to the lock and its components. Another advantage is in particular the fact that the program data are stored in the memory of the castle and thus can be retrieved when connected to a power supply and can be transmitted to the connected computer. That is, the computer does not need special programs to be used to open or close the lock.

In order to determine the position of the lock or the security container during transport, the lock is preferably equipped with a positioning system for detecting the position. The position is detected at predetermined times or events. Such a location system makes it possible to monitor the transport process of the lock and / or security container between sender and receiver. It can thus be used, for example, to draw conclusions as to whether a security container closed with the lock has met a predetermined route during its transport.

The security container may further comprise a transmitter for wirelessly transmitting the position data, whereby the route of the containment can be checked during transport.

Further, the security container may include an accumulator for storing electrical energy. With its own power supply, the location system can be supplied with energy in the first place. Thus, the location system can transmit the position data during transport independently of a USB connection to a computer.

The location system may determine the position of the lock based on a GPS signal. GPS signals are available globally, so the positioning system is almost unlimited in position detection. In order to enable position detection based on GPS data, a GPS receiver and a transmitter is required that captures the position data to a predetermined recipient, for example. The sender of the containment transmitted.

Alternatively or additionally, the location system can also determine the position of the lock and / or security container based on information from a mobile radio network. Here, the security container or the lock is equipped with a mobile terminal, which can send and receive. This has the advantage that the lock can also use the mobile radio terminal or network to communicate with a user, for example to send the position data.

The memory may also be provided for storing security status data indicating whether the lock has been electronically or physically manipulated. By means of this security status data, a user can recognize unauthorized access attempts to the lock and / or unauthorized access to the locked security container, although these are not visually recognizable.

The security state data may include a random number received, for example, with the command data. The random number can also be generated when receiving the command data in the lock itself. It is also possible that the random number is generated based on the reception of the control data in the lock. In all cases, this random number makes it possible to store a state in the lock which is virtually impossible to copy, depending on the random distribution of the random number. For example, if this random number has been stored in memory in connection with a closing command, it can be checked when receiving and opening the security container, whether the random number has not been changed in the memory, which the sender has stored in the memory when locking the lock. If this is not the case, a third party has at least tried to send command data to the lock.

The security state data may alternatively or additionally include a physical state of the lock and / or its closure device. This may, for example, be a degree of destruction of the lock because a third party has tried by mechanical means to open it. The advantage of this is that even then mechanical manipulations are recognized on the lock, if they are not visible to the naked eye at first glance.

The safety-state data may also contain safety-relevant regulations for controlling the lock itself. These rules are especially important if the lock should be checked when receiving in a particularly safety-relevant manner with regard to the correct recipient. This can be, for example, the input of correct data, which identify the person more accurately and ensure that even with recipients with a very large group of people, such as large companies, only the right person opens the containment.

The lock may also include a clock to generate a time stamp, with the time stamp added to the security status data. The timestamp can be used to trace the time of an unauthorized access attempt to the lock.

For example, the interface may send the security state data along with the identification data to a security server. Thus, the lock can be checked immediately after connecting to a computer for its integrity, so that any unauthorized access attempts are detected early. The security state data may be used in generating the control data in the security server. The time stamp can be used, for example, to check whether the recipient opens the security container at the right time. Thus, the time stamp can be used in the generation of the control data. This can be the case, for example, with a sender who wishes to set the recipient a certain period for opening the container. If the recipient unlocks the lock after the deadline, then even if the recipient is authorized, no control data is sent to the lock that opens the lock.

The lock may include at least one sensor for detecting its physical condition. The detection of the physical state thus further increases the security of the lock or the security container, so that it is possible to detect whether a third party has attempted by mechanical means to access the lock without authorization.

The sensor can additionally or alternatively monitor the lock and thus register mechanical access attempts by unauthorized third parties.

In addition, the sensor can additionally or alternatively monitor the control unit and thus register unauthorized access attempts of third parties by electrical means.

The sensor may be a GPS sensor for detecting a transport route.

Alternatively or additionally, the safety status data can be transmitted via the sender or the interface are sent to the sender and / or the security server. This can preferably be done during transport in order to determine unauthorized access attempts and / or transport damage immediately.

The object is further achieved with a security container having an interior for receiving an object. The interior can be closed with a cover or a lid, for example doors and gates in large security containers for Euro pallets or shipping containers. The cover or the cover is lockable on the security container with at least one lock according to the invention. Instead of a container, the lock can also be attached to a door of a room that is subject to strict safety requirements. Apart from the position detection and transmission, the above-mentioned special embodiments can also be applied to the space with a lock according to the invention.

The containment may also include one or more sensors for monitoring the physical condition. This sensor can then save its data in the memory of the lock and / or send via the transmitter and / or the interface. Thus, not only the security state of the lock alone but also the security container or space is monitored, which contains the cargo or objects to be stored.

The sensor may also be a motion sensor for detecting movement of the containment. This can be used to determine if the containment is exposed to unusual loads due to excessive movement, such as may occur in a fall. The motion sensor can also be combined with the GPS sensor in the lock so that not only the transport path of the containment but also its physical condition can be monitored.

The sensor can monitor the interior of the containment and thus allow conclusions to be drawn about the condition of the cargo itself.

The sensor may additionally or alternatively monitor at least one wall of the security container and thus determine unauthorized access attempts and / or transport damage to the shell of the security transport container.

The sensor may also be a temperature sensor for detecting an ambient temperature and / or an interior temperature of the containment and thus, for example, harmful temperature influences on the containment and / or register the goods to be transported.

A humidity sensor sensor may be used to detect moisture within and / or outside the containment to determine if the containment and / or cargo has been accidentally wet or even wet.

A surface protection sensor as a sensor can detect damage to a shell of the security container and thus detect and register in particular unauthorized mechanical access attempts by third parties. The surface protection sensor may be a capacitive sensor for detecting a change in permittivity of the sheath or a resistance sensor for detecting a resistance change of the sheath.

The invention also provides a system for monitoring the transport of the containment or lock. The system contains at least the lock, a computer and a security server. The computer is connected to the lock and receives identification and program data from the lock. The computer presents the user interface based on the program data and receives user data from the user, which it sends along with identification data to the security server. The security server generates control data and sends it to the lock. This system makes it possible to easily identify the user of the computer and to identify it via a higher-level monitoring instance (security server) as the authorized recipient of a lock-locked security container. As shown above, not only the authorized user but also the location, time and condition in the generation of the control data can be considered, thereby further improving the security.

The computer may receive user-entered command data via the user interface and send it to the lock to open or close the lock of the lock. The advantage of this design is that the user of the computer can easily control the lock.

As already shown, based on the command data, the lock may send a control data request. This request can be received by the security server and / or the computer. With the security server, several locks can be monitored centrally, so that it is possible to determine when a particular lock should be opened, closed or otherwise controlled. The computer is preferably for receiving and for forwarding a control data request to the security server. This embodiment is particularly advantageous for the invention, since the computer has a network interface for a network connection to the security server to the Internet. The interface in the lock, however, can be extremely simple. As a result, central user verification via a central security server, and thus a high level of security, can be achieved even with the simplest means.

The security server may generate the control data based on the identification data and / or the user data and / or information in a database of the security server. This ensures a rudimentary recognition of the user and / or the lock when executing a command.

The security server can, however, also include the control data request in the generation of the control data. This guarantees that every executed command is authenticated at the lock.

The security server may use a time stamp sent by the lock to generate the control data. This allows for improved user monitoring since the time stamp even allows time-dependent access rights to the security container.

The generation of the control data may require the input of user data from two or more users (four eyes principle). This has the advantage that, for example, the recipient of the containment is forced to consult a second person to open the containment. This ensures, for example, that the cargo in the containment is inspected for damage by at least two persons and thus helps to better identify transport damage and corruption.

To generate control data in the security server, it may be advantageous for another user to input his user data from another computer connected to the security server. This may be, for example, the sender or another supervisor sitting at a further location. The security server may then generate the control data based on the user data from the user at the local computer and based on the user data from the other user at the other computer. This principle is called distance opening and allows, for example, a sender can co-determine whether and when a recipient may open the containment. This is particularly interesting for contract negotiations, if the sender sends a draft contract to two different potential contractors, but depending on the outcome of the contract negotiations, only one of the two contractors would ultimately like to allow access to the draft contract.

The security server may also generate, based on the security state data, seal data that provides information about the state of the containment. These seal data are then sent to the computer and displayed on it. Preferably, these sealing data contain color data for color coding of a manipulation of the containment. This is a particularly effective way to give the user a quick overview of the state of the security container or lock in the room.

The invention also provides a method of controlling the containment. The program data is transmitted from a security container to a computer to represent a user interface on the computer, which then represents the user interface. Furthermore, the identification data are transmitted to the computer. After that, user data is entered into the computer via the user interface and sent to a security server along with the identification data. In the security server, based on the received user data and identification data, control data is generated which is suitable for controlling the security container and is sent back to it. The advantage is that the control is taken over by the security server itself. Thus, any action performed by the containment can always be compared to whether a user has permission to perform that action.

In addition, command data can be sent from the computer to the containment. The command data is then converted by the containment into a request for the control data and sent to the security server. The security server then generates the control data based on this request. The advantage of this method is that the security container can be controlled via the computer. However, the conversion of a command, such as opening or closing the containment, remains a real action on the security server so that each command can be individually monitored to see if a user is actually authorized to execute a command.

The identification data, the request for the control data, and / or the user data may be sent from the lock to the security server prior to transmission encrypted and decrypted after receiving in the lock. This further enhances the security of the process since unauthorized third parties can not evaluate the traffic to artificially generate the required control data.

The security server can create a timestamp and send it to the security server along with requesting the control data. The control data can be generated based on the received time stamp. As a result, the user check can also take place in terms of time, for example to specify a specific time window in which a user may open the security container or the lock.

Before sending the command data from the containment to the security server, a random number can be determined and sent together with the command data to the security server. Furthermore, the determined random number together with a physical state of the lock, a time stamp and / or rules for controlling the lock in the memory of the security container can be stored as security status data. Even the random number known to the security server and the security container, for example for closing the security container, can be used when opening the security container to determine whether the security container has received other command data or even control data that has not been authorized by the security server. In the same way, the timestamp can be sent to the security server to determine if the timestamp in the lock's memory matches the last timestamp sent in the security server. Such verification is possible based on all security state data and increases the possibility to detect manipulation attempts.

The security state data may be sent to the security server along with the identification data. This creates, based on the security state data, seal data with a color that indicates tampering with the containment. The seal data is then sent to the computer and displayed. The color data provides the user with easy-to-understand information about the condition of the lock.

The invention further provides a method for transporting a security container. In this case, the security container is connected to a first computer, which in turn is connected to a security server. The containment is according to the preceding method with a Lock command locked, disconnected from the first computer and transported to a second computer, which is also connected to the security server. The second computer is connected to the security container and unlocked by the above-described method with an opening command. The advantage of the method is that the security server can accurately track when, where and / or by whom the security container is opened and closed.

• Fig. 1 zeigt eine Struktur eines erfindungsgemäßen Sicherheitssystems;
• Fig. 2 zeigt Komponenten eines Sicherheitsbehälters gemäß einem ersten Ausführungsbeispiel der Erfindung;
• Fig. 3 zeigt ein Blockschaltbild eines Sicherheitsbehälters gemäß einem zweiten Ausführungsbeispiel der Erfindung;
• Fig. 4 zeigt ein Blockschaltbild eines Sicherheitsservers;
• Fig. 5 zeigt eine Struktur einer Datenbank im Sicherheitsserver;
• Fig. 6 zeigt ein Ablaufdiagramm eines Verfahrens beim Schließen des Schlosses;
• Fig. 7 zeigt ein Ablaufdiagramm eines Verfahrens beim Öffnen des Schlosses am Sicherheitsbehälter;
• Fig. 8 zeigt ein Ablaufdiagramm eines Verfahrens zum Überwachen des Sicherheitsbehälters während des Transports im Sicherheitsbehälter;und
• Fig. 9 zeigt ein Ablaufdiagramm eines Verfahrens zum Überwachen des Sicherheitsbehälters während des Transports.

The invention will be described by way of non-limiting embodiments. In the drawings show:

• Fig. 1 shows a structure of a security system according to the invention;
• Fig. 2 shows components of a security container according to a first embodiment of the invention;
• Fig. 3 shows a block diagram of a security container according to a second embodiment of the invention;
• Fig. 4 shows a block diagram of a security server;
• Fig. 5 shows a structure of a database in the security server;
• Fig. 6 shows a flowchart of a method when closing the lock;
• Fig. 7 shows a flow diagram of a method when opening the lock on the security container;
• Fig. 8 shows a flowchart of a method for monitoring the containment during transport in the containment;
• Fig. 9 shows a flowchart of a method for monitoring the containment during transport.

Fig. 1 FIG. 10 shows a structure of a security system 100 of the present invention. The system has a security container 110 with a lock 120. The lock 120 is electronically connected to a first computer 130. The first computer 130 is connected to a security server 140 via the Internet. A second computer 150 is also connected to a security server 140 via the Internet. The security container 110 is provided for the transport of goods whose reception is to be made dependent on certain conditions. In the simplest case, this may be the right recipient, characterized by certain user data. Other conditions are possible, for example, whether the freight is paid. The advantage of the present invention is that a sender establishes a variety of conditions for the containment 110 can be observed during transport and when opening the containment 110. A further advantage is that the lock 120 of the security container 110 can be monitored by the sender and / or the operator of the security server 140 or other persons or companies or institutions. By a suitable configuration of the lock 120, it is ensured that only the person has access to the lock 120, and thus to the transported goods, which has actually been selected by the sender of the security container 110 as the recipient. These and other advantages of the present preferred embodiment of the invention will be described in more detail below.

When the security container 110 arrives at a receiver, the lock 120 is electronically connected to the first computer 130. After the connection, all necessary data for controlling the lock 120 is automatically transferred from the lock 120 to the first computer 130 and installed or displayed. This is preferably a graphical user interface 131 based on program data, allowing the recipient to enter user data or an instruction for the lock 120. This command is called upon receipt of the security container 110 "unlock lock". Before the receiver can send this command to the lock 120 via the first computer 130, the lock 120 must first be connected to the security server 140 via the first computer 130. This is realized in the present embodiment by the user logging on to the security server 140 with corresponding user data. If the receiver now sends the command "unlock lock" via the first computer 130, the lock 120 generates a request for corresponding control data and sends it to the computer 130. This control data request can only be answered or processed by the security server 140. Therefore, the first computer 130 sends the control data request to the security server 140. This converts the control data request into control data based on predetermined conditions and sends it back to the first computer 130. The predetermined conditions can be varied. A condition may be that the receiver is also present in a database of the security server 140. Another condition may be that a user of the second computer 150 has given his consent to unlock the lock. There may be a variety of alternative and / or additional conditions, some of which appear from the following description. Of the The first computer 130 receives the control data and forwards it to the lock 120. This then executes the command of the receiver based on the control data from the security server 140.

The advantage of the present embodiment of the invention is that the lock 120, and thus the security container 110 locked with the lock 120, can indeed be controlled by the receiver but can still be monitored by the sender or other third parties. Thus, the recipient can be deprived of authorization to open the security container 110 at any time, for example. It can also be ensured that, for example, in large companies, the right recipient really opens the security container 110 and not a doorman, for example. It is also possible that the opening of the containment 110 can be made dependent on the state. If the security container 110 has been exposed to great loads during transport, for example, this is an indication that the item to be transported is defective. For reasons of guarantee law, the recipient can then be deprived of the permission to open. Such loads during transport can be detected by suitable sensors, as described later.

In the following, two embodiments of the security container 110 with the lock 120 are given. Although in the two embodiments, the security container 110 and the lock 120 is shown as a unit, but this is not essential to the invention. The lock 120 alone may as well realize the invention. For example, it may be in the form of a conventional padlock or in the form of another removable locking mechanism to close common transport containers or spaces. Only in the preferred embodiment of the invention are security containers 110 and lock 120 interconnected to further enhance security during transport of containment 110.

Fig. 2 shows a block diagram of a security container 110 with the lock 120 according to a first embodiment of the invention. The containment 110 further includes an accumulator 250, an alarm unit 260 and sensors 270. The accumulator 250 stores electrical energy received from the lock 120. He can then deliver the stored electrical energy to the lock 120 and to the alarm unit 260 in order to operate it. The alarm unit 260 further receives data from the sensors 270 to evaluate and, based on the evaluation, determine whether the containment 110 has been subjected to unusual loads or is. These loads may be a tampering attempt when, for example, third parties attempt to gain access to the containment 110 mechanically by breaking a hull. These loads can be detected by a surface protection sensor, which will be described in more detail later. The loads can also be environmental, such as extreme temperatures or humidities that damage the cargo. Such loads can be detected with suitable temperature and / or humidity sensors. But these loads can also be caused by the transport itself, when the security container 110 falls down, for example, from a great height. All of these loads can be detected with the sensors 270 and transmitted to the alarm unit 260. The alarm unit 260 evaluates the loads, for example with regard to a degree of danger and makes them available for further processing. The alarm unit 260 may also include an internal memory that stores the load data and that may be read out at a later time. Preferably, alarm unit 260 provides the load data to lock 120.

The lock 120 has a plurality of switches 210, a motor 220, a control unit 230 and an interface 240. The interface 240 is preferably a USB interface so that the entire power supply of the lock 120 can take place over it. In addition, the accumulator 250 may be powered outside the lock 120 via the USB interface for charging. In the simplest embodiment, the lock can be built even without any accumulator. The advantage of this design is that no further energy storage for the lock 120 are necessary, so that the lock 120 is very easy, technically simple and inexpensive to implement. The main task of the interface 240 is to communicate with a connected computer 130. Through the interface 240, data such as command and control data for controlling the lock 120, identification data, command data, timestamp, security state data, etc. are exchanged. If the lock 120 receives command data, for example for unlocking or locking, via the interface 240, these are forwarded to the control unit 230. This generates a control data request based on the command data, which is then sent back to the connected computer 130 via the interface 240. Thereafter, the control unit 230 waits for the control data. After receiving the control data from the security server, the engine 220 becomes dependent the control data and the position of the switch 210 controlled so that the received command data are executed, so that an opening of the containment is possible.

The control unit 230 includes a memory 231, a controller 232, a motor controller 233, a clock 234, a safety chip 235, a voltage converter 236 and a voltage switch 237. The controller 232 has a data connection to the memory 231 and to the interface 240. From memory 231, controller 232 obtains all data to perform its functions. These can be monitoring functions and control functions. The control functions serve to control the motor 230 via the motor controller 233. To this end, the controller 232 obtains the command data from the interface 240. From the command data, the control data request is prepared by appending to the command data identification data from the memory 231 representing the lock 120 of the controller Identify security container.

Furthermore, a time stamp from the real-time clock 234 can be appended to the command data, by means of which the transmission time of the control data request can be clearly traced. If the control data request is completed, it is encrypted via the security chip 235. The advantage of a separate security chip 235 for encryption and decryption is that the electronic key is incomprehensible for third parties. He is firmly embedded in the security chip 235 and can not be read by third parties. The security chip 235 has only one input for receiving data and one output for outputting data. With it, therefore, only data can be encrypted or decrypted. If the control data request is encrypted, it is sent to the first computer 130 via the interface 240, for example. The controller 232 now awaits a response to the request. If he does not receive a response after a predetermined time, he can recognize this as an error and store it in his memory 231. Normally, however, the control data request is answered after a predetermined time with the control data. These are also encrypted and must be decrypted by the security chip 235. Thereafter, the controller 232 may control, for example, the motor 220 via the motor controller 233 based on the control data.

The receiver requires in the present embodiment, a connection to the Internet. If this is not available, an emergency access code can be stored in memory 231. Transfers the receiver over the Computer 130 the same emergency access code to the interface 240, the command data can be executed immediately and without generating a control data request. The execution of a command based on an emergency access code can be secured in a special way. For example, controller 232 may accept an emergency access code only once, regardless of whether the received emergency access code was correct or incorrect. The advantage of the emergency access code is that an exceptional control of the lock 120 and thus access to the security container 110 is made possible if there is no possibility of generating the correct control data. This is the case, for example, when there is no connection to the Internet, or when there is no user data available to connect to the security server.

Another way to generate tax data unscheduled is, for example, to inform the sender as the responsible person. This can be done, for example, by the person wishing to unintentionally open the security containers 110, for example an employee of the customs authorities, informing the shipper of the emergency opening. For this purpose, this one unlocking request for the lock 120 via the user interface. The sender is then informed by e-mail about the desire to unlock. The sender, in turn, can now generate an access code for unlocking the lock 120 on the security server 140 and communicate it to the employee at customs. The employee can then unlock the lock 120 with the generated access code and open the security container 110. After the employee has checked the contents of the containment 110 at customs, he can close it again and lock the lock 120. At the security server 140, the state of the lock 120 is then continued with the state that the lock 120 had prior to unlocking. Alternatively or additionally, the sender can also generate different access codes for different persons. Among these persons may be, for example, an employee of the transport company, who can control the employee of the customs authorities. Alternatively, the customs representative may also be admitted to the security server 140 as a normal user, such as the sender and the recipient, to unlock the lock 120.

As already shown, the controller 232 may also be provided for performing monitoring functions. The monitoring functions may be used to determine a suspected manipulation of the lock 120 and / or or the containment 110 may be required. This, as already shown, may be a function that determines an access state by counting the number of control data requests sent but not answered and stored in memory 231. Another function may determine a tamper condition of the lock 120 upon execution of a received command based on the received control data. Such a condition may be determined based on the real-time clock 234. Furthermore, a random number scribed by the controller 232 or the control data request itself could enter the manipulation state. In this manipulation state can also enter the identification data of the lock 120 and the user data of the user who has sent the command data. If the manipulation state is created, it can be stored in the memory 231. However, the controller 232 also sends this to the security server 140 for backup purposes. When a new command is executed, it can then be checked whether the manipulation state in the memory 231 of the lock matches the manipulation state in the security server 140. Should deviations occur, these indicate an unauthorized access.

Further monitoring functions will be apparent from the second embodiment that in Fig. 3 is explained.

The control unit 230 has a voltage switch 237 which can choose between the power supply from the interface 240 or the power supply from the accumulator 250. For example, the voltage switch 237 can access the power supply of the interface 240 by default and only switch to the accumulator 250 in an emergency. In addition, it is possible that the voltage switch 237 in the case of a power supply from the interface 240, all elements of the control unit 230 and in the case of power supply from the accumulator only selected elements, such as the controller 232 and the memory 231, energized to power save and the accumulator 250 not unnecessarily burden.

The voltage converter 236 is additionally provided to convert the voltage for low-power elements such as the safety chip 235 and the motor controller 233.

Fig. 3 shows a structural diagram of a containment 110 according to a second embodiment of the invention. In this embodiment, the accumulator 250, the alarm unit 260 and the sensors 270 in the containment 110 will be described in more detail. All other elements off Fig. 3 are the same effect to the elements Fig. 2 and will therefore not be explained again.

The accumulator 250 may include a charging electronics 351 and a storage unit 352. The charging electronics 351 may be configured not only to charge the storage unit 352 with electric power but also to supply the alarm unit 260 with electric power. The alarm unit 260 has a voltage converter 361, a voltage switch 362, a microcontroller 363 and a transmission unit 364. The voltage switch 362 receives its electrical energy from the charging electronics 351 and the storage unit 352 of the accumulator 250. Otherwise, it works exactly like the voltage switch 237 in the control unit 230 and therefore will not be further described. The voltage converter 361 converts the voltage from the voltage switch 362 in the same manner as the voltage converter 236 in the control unit 230. Thus, the energy-intensive sensors 270 can be operated at a high voltage and the almost powerless microcontroller 363 can be operated at a low voltage.

The sensors 270 detect a condition of the containment 110 and / or the lock 120 to allow for evidence of tampering and / or unexpected loading on the containment 110 and / or the lock 120. However, the alarm unit 260 in the containment 110 may also detect conditions such as a position of the containment 110 itself. For this purpose, the alarm unit 260 has a transceiver 364 which can receive or transmit signals. The transceiver preferably has a GPS unit 330, a mobile radio unit 320 and / or a WLAN unit 310, via which suitable position signals can be received. The advantage of the GPS unit 330 is that global positioning is possible because GPS signals can be extraterrestrially transmitted and thus received. This is particularly advantageous in intercontinental ship transports, since GPS signals are the only signals on these routes with which a position determination is possible. Alternatively, however, the position determination in the alarm unit 260 can also take place with the mobile radio unit 320. The position is determined based on a local mobile network. Under this local mobile network is in principle an existing network structure to understand, which may for example also be a wireless network. It does not matter whether the WLAN network is set up ad-hoc or with a fixed base station. Thus, the position can not only over a mobile network but over any network structure can be derived from which position information can be derived. The advantage of this embodiment is the bidirectional data connection, wherein with the received position signal at the same time, for example, data can be sent to the security server. This will be described in more detail below.

The microcontroller 363 receives the status signals from the sensors 270 and the position signals from the transceiver 364. The received signals are converted to digital state data with an analog-to-digital converter and sent to the control unit 230, which writes them into its memory 231. Alternatively, however, these status data may also be provided to the transceiver 364, which may send the status data to the security server 140. Preferably, the transmission is wireless because it allows a completely independent transmission of the measurement data from any infrastructure. In addition, the transceiver 364 does not need to be additionally expanded in the data transmission over the mobile network, since the mobile radio unit 320 is already present in the transceiver 364 for position determination. For data transmission to the security server 140 all common protocols such as GPRS, GSM or UTMS can be used. The form of data transmission is arbitrary. For example, the mobile unit 320 may send a short message service (SMS) to the security server 140, which contains the status data. Alternatively, a telephone connection may be established, with the mobile radio unit 320 operating as a modem.

Alternatively, the transceiver 364 may be connected to a network or computer at predetermined waypoints on its transport with a cable and thus transmit the condition data.

The sensors 270 may include a plurality of different individual sensors 371, 372. These may be the surface protection, temperature and / or humidity sensors for the safety container already described. For example, it is also possible to use sensors which monitor the lock 120 and detect mechanical access attempts such as sawing the lock 120.

Therefore, the sensors do not necessarily have to be mounted on the security container 110, but may also be present in the lock 120. The same applies to the alarm unit, which can also be accommodated in the lock 120.

Hereinafter, the security server 140 will be described in more detail. Fig. 4 shows a structural image of the security server 140. This can be two-tiered be constructed. An ordinary personal computer 510 serves to execute certain applications, which will be described later. Connected to the personal computer 510 is a hardware copy 520 of a lock 120 according to the invention.

This hardware copy 520 is needed to copy the functionality of the security chip 235 of the lock 120 and to ensure the encryption and decryption of the message traffic between security server 140 and lock 120. As already described, the security chip 235 of the lock 120 is an electronic circuit which is firmly embedded in a housing of the security chip 235. Thus, the functionality of the circuit of the security chip 235 can not be understood in a normal technical way. Therefore, it is particularly easy for the security server 140 if the functionality of the security chip 235 of the lock 120 is incorporated as a hardware copy into the security server 140 architecture. As a result, the encryption of the message traffic between security server 140 and lock 120 can not be reconstructed even if the security server is attacked by hackers. Since the hardware copy 520 of the lock 120 does not have to realize any further functions of the lock 120, it only has an interface 521 and a control unit 522. The control unit 522 includes a controller 524 for receiving data via the interface 521 and the security chip copy 525, which is powered by a voltage converter 523. The elements work together in exactly the same way as in the lock 120.

For a plurality of locks 120, all monitored by the security server 140, it is sufficient to use a single hardware copy 520 of a lock 120. However, if the traffic or overhead for all locks 120 with the single hardware copy 520 becomes too large, then multiple hardware copies may be used simultaneously to manage and encrypt the traffic. These requirements are system-specific.

The personal computer 510 of the security server 140 further includes an Internet interface 511, a message filter 512, a server application 513, a database 514, and a network interface 515.

The Internet interface 511 receives data from the first computer 130, which data may be provided for logging on the user at the security server or requesting control data. The received Data is supplied to the message filter 512, which checks whether the data is really from the first computer 130. Thus, a preliminary test is already undertaken to detect possible manipulation attempts at an early stage. Data to be sent can also be saved by the message filter 512 so that the first computer 130 can verify that the data was sent from the security server 140.

The message filter 512 sends the receive data to the server application 513 and receives data to be sent therefrom. The server application 513 now distinguishes whether it is data that a user wants to log in to the security server 140 or whether it is a control data request.

In the case of a user login, the server application 513 checks the state of the respective lock 120 and / or security container 110. The state can be retrieved from the memory 231 of the lock 120 by the security server 140 sending a corresponding request for the state data via the first computer 130. Alternatively, the status data can also be transmitted to the security server 140 immediately upon the user's login. Another alternative is that the security server has already stored them internally, since the lock 120 and / or the security container 110 has transmitted this data via the transceiver 364.

Based on the security data, the server application 513 creates a security seal. This security seal is data indicating how the security state of the lock 120 and / or the containment 110 is to be displayed on a screen. For example, this data may contain a specific image or color. The security seal is then sent via the Internet interface 511 to the first computer 130 and displayed by the latter in the user interface 131. This gives users a quick overview of the security status of the security container 110 and / or the lock 120.

In addition, the server application 513 compares the user data with the user data that it has stored in its database 514 and, based on this comparison, logs the user on to the security server.

If the server application 513 receives a control data request, it first checks whether the corresponding user is logged on. If this is not the case, it can either provide a negative answer or simply store only the control data request as a tamper attempt in database 514.

If the corresponding user is logged in, the server application 513 forwards the control data request to the hardware copy 520 in order to decrypt it. This is done in the same way as the encryption and decryption in the lock 120. The decrypted control data request is then returned to the server application 513, which generates the corresponding control data based on a predetermined number of comparisons.

The comparisons may be an authorization comparison of whether the corresponding logged in user who forwarded the control data request is authorized to execute the corresponding command. This authorization can also be issued, for example, from the second computer 150. For this purpose, the server application 513 on the one hand send a query to the second computer 150 with a user of the second computer 150 can release the generation of the control data. However, this release can also be carried out in advance by the second computer 150 and stored in the database 514 of the security server 140. In either case, when a second or more users need to release the generation of the control data from a computer other than the first computer 130, it is called a distance opening. Alternatively, the server application 513 may also check if at least two users have logged on to the first computer 130 and / or if at least two logged in users have each received a valid control data request before the control data is generated. In this case, one speaks of the four-eyes principle. It can also be combined with the distance opening.

Further possible comparisons prior to the generation of the control data may be the calibration of the security state of the container or a time comparison which determines at which time the user at the first computer 130 can open the security container. This is particularly relevant when a sender of the security container 110 wants to grant a recipient access to the cargo only in a very specific time window.

If all necessary comparisons in the server application 513 are positive, this generates the corresponding control data, encrypts them again with the hardware copy 520 of the lock 120 and sends the encrypted control data to the lock 120 via the first computer 130. Preferably, a confirmation is sent from the lock 120 after executing the respective command. This confirmation includes a state of the lock 120 that is unique for the time of transmission from the lock 120 to the security server 140. With this confirmation, as already described, the manipulation state of the lock 120 can be determined. For this purpose, the confirmation contains a transmission time, a random number and identification data of the lock 120. The contents of the confirmation store lock 120 and security server 140 in the memory 231 and in the database 514, respectively. At the next connection between lock 120 and security server 140 via any computer, the content of that acknowledgment can be retrieved and compared. If the airtime, random number and identification data are unchanged, a tamper-free lock can be assumed.

In the following, the database 514 will be described in more detail. Fig. 5 12 shows a structure image of the database 514 in the security server 140. Thereafter, the database 514 has various structures 610-690 with which various variables 611-613, 641-643 can be stored.

The structure user 610 uniquely identifies a user of the lock by, for example, storing his name 611 and his address 612. Furthermore, it can also be stored which rights 613 the user possesses. These rights 613 may be administrative rights to set up the security server 140, rights to set up the lock 120, or application rights to lock and / or unlock the lock.

For example, the structure user group 620 may allow easier management of different user groups to manage unified rights for these user groups. For example, employees of an entire department in a large corporation may be given the right to unlock the lock 120 of the containment, for example, if a particular employee of that department is designated as the recipient.

The server log 630 and bin log 650 structure may be used to time log the status data of the lock 120 or the security server 140 to understand any problems such as tampering attempts.

The structure container 640 may store the identification data 641 of the lock, such as a particular lock number. With the variable receiver 642, for example, when sending the security container 110 with the lock 120 a user from the structure user 610 can be deposited as a receiver, so that upon receipt of a control data request a quick comparison is possible, whether the user who has sent the control data request to unlock the lock 120 is also entitled to unlock the lock 120. Further, in the variable state 643, the security state of the lock 120 may be stored after execution of control data.

With the VSeal 660 structure, the security status for all Locks 120 can be clearly managed. This can then be referenced by the variable state 643 in the structure container 640 to the structure VSeal 660.

The structures transactions 670 and logs 680 also provide an overview of certain operations that have expired at the security server 140 or between the security server 140 and the lock 120.

The variables within the individual structures do not have to be clearly assigned. Rather, it is possible to assign the individual variables several times and to refer them between the individual structures.

Regarding Fig. 6 For example, a method of locking the lock 120 is shown. The locking takes place at the location of the second computer 150, which is connected to the security server via the Internet. In step S710, a user prepares the containment 110 by filling the cargo into the containment 110. Thereafter, in step S720, it connects the lock 120 to the computer 150 via a USB connection. In step S730, all data is then automatically transferred from lock 120 to computer 150 necessary to present a user interface, computer 150 automatically presenting that user interface to the screen upon receipt. In step S740, the user logs on to the security server 140. Thereafter, in step S750, he selects a security configuration with which the lock is to be closed. As shown, this configuration can be very diverse. Among other things, it may contain the four-eye principle or the distance opening. If the security configuration is selected, the user commands the lock 120 to "lock" in step S760. The lock authenticates the instruction in step S770 as already described. In summary, for authentication, that command belongs to the lock 120 in step S771 that the lock 120 sends a control data request to the security server 140 in step S772, the security server checks the request in step S773 and sends control data to the lock 120 based on the check in step S774, with which the lock 120 in step S775 can lock. In step S780, the lock 120 generates state data that is sent to the security server 140 to generate the security seal. This also runs in the manner already described. In step S781, the lock 120 sends its status data to the security server 140. There, the security server 140 updates its status data in step S782 and additionally checks whether the status data indicates, for example, a physical manipulation of the security container 110 and / or the lock 120. From the updated state data, the security server generates a security seal in step S783 and sends it in step S784 to the computer 150, which displays it in step S785 with the user interface. If the security seal is free from warnings or errors, the user sends the security container 110, for example, to the location of the first computer 130 in step S780.

Fig. 7 shows a flow diagram of a method when unlocking the lock on the security container. Arrived at the location of the first computer 130 in step S810, in steps S820 and S830, the lock 120 is connected to the computer 130 in the manner already described and the user interface is displayed thereon. In step S840, a state comparison of the lock 120 with the security server now takes place again. For this, in step S841, the status data of the lock 120 is transmitted to the security server. Here, the state data from the lock 120 is completely compared with the state data in the security server 140 in step S842. Based on this comparison, then, in step S843, the security seal is generated, which indicates whether the compared states are the same. The security seal is finally transferred to the computer 130 in steps S844, S845, as already indicated, and displayed thereon. After displaying the security seal on computer 130, in step S850 the recipient may log on to security server 140 with his user data via computer 130. If the login has been accepted, the receiver may command the lock 120 to unlock the lock 120 in step S860. The execution of the command takes place in step S870 in the same manner as in the lock in step S770. If the lock 120 is unlocked, the receiver can check the transported goods in step S880 and confirm receipt in step S890. This completes the transport.

In Fig. 8 For example, the method of monitoring the containment 110 during shipment will be described in more detail. To do this, the lock 120 is disconnected from the computer 150 at step S910 at the beginning of the transport. In step S920, the control unit 230 of the lock 120 checks all states of the switches 210 and the sensors 270. In the next step, it is determined whether the lock S120 is again connected to a computer 130, 150. In this case, the routine is ended in step 970. In the other case, the position of the lock 120 and thus of the security container 110 is determined in step S940. The determined position and the states of the switches and sensors are then transmitted to the security server 140 in step S950. Last, in step S960, the lock goes to stand-by for a predetermined time before restarting the routine in step S920.

Fig. 9 FIG. 12 shows a flowchart of the method for the security server 140 monitoring the status data during the transportation of the containment 110. When the security server 140 receives the data from the lock 120 at step S1010, it updates its position at step S1020. Thereafter, it checks the switch and sensor states in step S1030 and decides in step S1040 whether the check has revealed a suspected manipulation. If not, then the security server ends the routine in step S1050. wherein optionally the state data can still deposit in the structure container log 650. If a suspicion of manipulation arises, then a prevention routine can be started in step S1060. This may be, for example, that the security server 140 informs all administrators, the recipient and the sender of the security container by e-mail from this suspected manipulation.

Preferably, the interface (240) is for receiving command data from the connected computer (130), and the control unit (230) is for requesting the control data via the interface (240) based on the received command data.

In particular, the closure device (220) can be opened or closed based on the control data.

In addition, the interface (240) may be provided for receiving a first emergency access code, wherein a second emergency access code is stored in the memory (231) is stored and the locking device (220) can be opened in accordance with the first Notanzangcode with the second.

The lock may in an advantageous embodiment, an encryption unit (235) for encrypting the request of the control data based on the command data, the identification data and / or security status data before sending and decrypting the control data after receiving via the interface (240).

Further, the interface (240) may be a USB interface, wherein at least one of the components (220, 230, 231, 235) of the lock via the USB interface from a connected computer (130) can be supplied with energy.

Moreover, the lock may be provided with a location system (310, 330) for detecting a position of the lock (120), preferably at predetermined times or events.

The lock may be equipped with a transmitter (310, 320) for wirelessly transmitting the position data and / or security status data (660).

Vorzusgweise, the lock on an accumulator (250) for storing electrical energy for powering components (220, 230, 231, 235) of the lock and / or the location system (310, 330).

In particular, the location system (310-330) is provided for determining the position of the lock (120) based on information from a mobile radio network.

In a particular embodiment, the location system (310-330) is provided for determining the position of the lock (120) based on information from a WLAN network or determining the position of the lock (120) based on a GPS signal.

The memory (231) may be provided for storing security status data (660) indicating electronic and / or physical manipulation of the lock (120).

The transmitter (310, 320) and / or the interface (240) may be provided for transmitting the security state data (660).

Preferably, the security state data (660) includes at least one random number received with the command data and / or a physical state of the lock or container, particularly the closure device (220), and / or provisions for controlling the closure device (220).

The lock can be used with a clock (234) to create and insert a Timestamp in the security state data (660).

In particular, the security state data (660) together with the identification data (640) is transferable via the interface (240).

Furthermore, at least one sensor (210) is provided for detecting at least one physical condition of the lock, the container, the closing device (220) and / or the control unit (230).

The embodiment of the containment may include a sensor (270) for detecting a physical condition of the interior of the containment (110) and / or a physical condition of at least one wall and / or the containment of the containment (110), preferably at least one sensed physical condition can be combined with the security state data (660) and / or stored in the memory (231) of the lock (120).

In this case, the sensor (270) may be at least one of the following sensor types: a motion sensor for detecting a movement of the safety container (110); a temperature sensor for detecting an ambient temperature and / or an interior temperature of the containment vessel (110); a humidity sensor for detecting moisture within and / or outside of the containment (100); and / or a surface protection sensor for detecting damage to a sheath of the containment (100), wherein the surface protection sensor is a capacitive sensor or a resistance sensor.

In the system for monitoring a lock (120), the lock (120) may be provided for sending a control data request based on the command data to the computer (130) and / or the security server (140), preferably the computer (130) is provided for forwarding the control data request to the security server (140).

In addition, the security server (140) may generate the control data based on the control data request, and / or the identification data (640), and / or the user data (610) and / or a timestamp sent from the lock (120), and / or to be stored in a database (514) information stored (610-490).

In addition, to generate the control data, user (610) input from one, two, or more users may be required, with the number of required inputs of user data stored in the security server (140).

Next is the security server (140) for receiving further user data (610) from another computer (150) connected to the security server (140), the security server (140) generating the control data based on the user data (610) from the user at the local computer (120) and at further user data ( 610) from another user at the other computer (150).

Preferably, the security server (140) may be provided for generating seal data based on security state data (660) and for sending the seal data to the computer (120), the computer (120) being for displaying the seal data, the seal data being color data for color Indicating a manipulation of the lock included.

Claims (15)

Castle with: - A locking device (220) for locking and / or unlocking a door or a container (110); a control unit (230) for controlling the closing device (220); - a memory (231) for storing identification data (640) for identifying the lock and program data for displaying a user interface; an interface (240) for sending the program data and the identification data (640) to a connected computer (130) and receiving command data from the connected computer (130) and transmitting a control data request to a security server and for receiving control data from the security server Controlling the locking device (220), wherein the control unit (230) is provided for requesting the control data via the interface (240) based on the received command data. The lock of claim 1, wherein the closure device (220) is openable or closable based on the control data. A lock according to claim 1 or 2, wherein the interface (240) is for receiving a first emergency access code, and a second emergency access code is stored in the memory (231), the closure device (220) being openable upon first and second emergency access codes match , A security container having an interior for receiving an article and a cover for closing the interior, the cover and the security container (110) having at least one lock (120) according to any one of claims 1-3 are locked or unlocked. A system for monitoring a lock (120), comprising: a lock (120) according to any of claims 1-3, a computer (130), and a security server (140), the computer (130) being connectable to the lock (120) and to receive identification data (640) and / or program data from the lock (120) and to represent a user interface on the computer (130) based on the program data from the lock (120), for receiving user data (610) and / or command data via the user interface, and for sending at least the identification data (640) and the user data (610) to the security server ( 140) is provided; wherein the security server (140) is provided for generating control data and for transmitting the control data to the lock (120), the lock (120) for sending a control data request based on the command data to the computer (130) and / or the security server (140) is provided and the computer (130) is preferably provided for forwarding the control data request to the security server (140). The system of claim 5, wherein the security server (140) generates the control data based on the control data request, and / or the identification data (640), and / or the user data (610) and / or a timestamp sent from the lock (120) , and / or on data (610-490) stored in a database (514). The system of any of claims 5-6, wherein the generation of the control data requires input of user data (610) from one, two, or more users, wherein the number of required inputs of user data is stored in the security server (140). The system of claim 6 or 7, wherein the security server (140) is for receiving further user data (610) from another computer (150) connected to the security server (140), the security server (140) generating the control data based on the user data (610) is provided by the user at the local computer (120) and further user data (610) from another user at the further computer (150). The system of any one of claims 5-8, wherein the security server (140) is for generating seal data based on security state data (660) and for sending the seal data to the computer (120), the computer (120) providing the seal data is. The system of claim 9, wherein the seal data includes color data for color coding manipulation of the lock. A method of controlling a lock (120) connected to a security server (140) via a computer (130), comprising the steps of: - sending (S730, S830) identification data (640) and program data for a user interface from the lock (120) to the computer (130); Representing the user interface on the computer (130); - inputting (S740, S840) user data via the user interface into the computer (130); Sending the identification data (640) and the user data (610) to the security server (140); Generating (S140, S280) control data based on the received identification data (640) and the user data (610) in the security server (140); and - sending the control data to the lock (130). The method of claim 11, comprising the steps of: Sending (S771, S871) command data (S123) from the computer (130) to the lock (120) after inputting the user data (610); and Transmitting (S772, S872) a control data request (S130) based on the command data to the security server (140), wherein the control data is generated based on the control data request. The method of claim 11, comprising the steps of: Encrypting the identification data (640), the control data request, and / or the time stamp before sending from the lock (120) to the security server (140); and Decrypting the encrypted identification data (640), the control data request and / or the time stamp in the security server (140); and preferably sending a time stamp together with the control data request from the lock (120) via the computer (130) to the security server (140), the control data being generated based on the received time stamp and Determining a random number in the computer (130) prior to sending the command data; Sending the random number along with the command data to the lock (120); Storing the random number, a physical state of the lock (120), a time stamp and / or rules for controlling the lock (120) in a memory (231) of the lock (120) as security state data (660) Sending (S781, S841) the security status data (660) with the identification data (640) to the security server (140); Creating (S783, S843) seal data with color data indicating a manipulation of the lock (120) based on the security state data (640); Sending (S784, S844) the seal data to the computer (130); and Representing (S785, S845) the color data from the seal data at the computer (130). A method of transporting a containment (140) according to claim 4, comprising the steps of: - connecting a lock (120) of the security container (110) to a first computer (130) connected to a security server (140); - Closing and locking the security container (110) with a closing command according to one of the methods of claim 30-35; - separating the first computer (130) from the lock (120); - transporting the security container to a second computer (150) connected to the security server (140); - connecting the lock (120) of the containment (110) to the second computer (150); - Unlocking and opening the containment (110) with an opening command according to any one of claims 30-35. A method of securing a security room, the door of which is lockable with a lock (120) according to any of claims 1-3, comprising the steps of: - connecting the lock (120) of the security room to a first computer (130) communicating with a security server (140); - Closing and locking the security room with a closing command according to one of the methods of claim 30-35; - separating the first computer (130) from the lock (120); - connecting the lock (120) to a second computer (150); - Unlocking and opening the security room with an opening command according to any one of claims 30-35.

Images