EP3739553A1 - A method and system for access control - Google Patents
- Publication number
- EP3739553A1 EP19461537.3A
- Authority
- EP
- European Patent Office
- Prior art keywords
- access
- user
- request message
- access request
- backend server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00309—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00571—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated by interacting with a central unit
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/20—Individual registration on entry or exit involving the use of a pass
- G07C9/28—Individual registration on entry or exit involving the use of a pass the pass enabling tracking or indicating presence
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00309—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks
- G07C2009/00317—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks keyless data carrier having only one limited data transmission range
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00309—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks
- G07C2009/00317—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks keyless data carrier having only one limited data transmission range
- G07C2009/00333—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks keyless data carrier having only one limited data transmission range and the lock having more than one limited data transmission ranges
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00309—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks
- G07C2009/00365—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks in combination with a wake-up circuit
- G07C2009/0038—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks in combination with a wake-up circuit whereby the wake-up circuit is situated in the keyless data carrier
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00309—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks
- G07C2009/00412—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks the transmitted data signal being encrypted
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00309—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks
- G07C2009/00555—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks comprising means to detect or avoid relay attacks
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C2009/00753—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated by active electrical keys
- G07C2009/00769—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated by active electrical keys with data transmission performed by wireless means
- G07C2009/00793—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated by active electrical keys with data transmission performed by wireless means by Hertzian waves
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00896—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys specially adapted for particular uses
- G07C2009/00928—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys specially adapted for particular uses for garage doors
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C2209/00—Indexing scheme relating to groups G07C9/00 - G07C9/38
- G07C2209/60—Indexing scheme relating to groups G07C9/00174 - G07C9/00944
- G07C2209/63—Comprising locating means for detecting the position of the data carrier, i.e. within the vehicle or within a certain distance from the vehicle
Definitions
- the present invention relates to access control, in particular remote control of access to areas protected by access restriction devices, such as doors or barriers, wherein the access is activated via a user mobile device.
- One solution is to send an activation command directly from a user mobile device to the access restriction device.
- a system of this type is disclosed in US7205908 , which describes a system and method for proximity control of a barrier comprising a stationary wireless signal receiving device and a mobile transmitting device.
- the wireless signal receiving device may monitor at least one transmitting device within a predetermined coverage area and may be a radio frequency receiver or a spread spectrum receiver located near the barrier.
- the disadvantage of that solution is that it requires the user to be registered as an authorized user directly at the access restriction device.
- Another solution is to send an activation command from a user mobile device to a remote server that controls the operation of the access restriction device.
- a system of this type is disclosed in US9367978 , which describes application software for a mobile device that can provide an owner or operator of a premises with the ability to remotely grant a guest authorization to access an access control device on or in the premises.
- the access control device can control the operation of the one or more secondary devices, so that with the owner authorization, the guest can access the access control device to cause an action at the premises with the secondary device.
- the object of the invention is a method for controlling an access restriction device, the method comprising: monitoring the vicinity of the access restriction device to detect, via a wireless communication module an access request message from a user device, the access request message comprising a user ID (identifier); forwarding the access request message to a backend server; upon receiving an action request from the backend server, activating an access restriction module to allow access via the access restriction device.
- the access request message may be encrypted with a public key known to the backend server.
- the access request message may be encrypted by a user-unique secret value known to the access control application and the backend server.
- the access request message may further comprise a command to execute a particular action by the access restriction device.
- the access request message may be broadcast by the user device via a wireless communication interface.
- the wireless communication interface may be compliant with Bluetooth Low Energy.
- the object of the invention is also a controller for an access restriction device comprising a processor configured to operate an access verification application for performing the steps of the method as described herein.
- the system comprises three main cooperating components: a user application 110 operated at a user device 100, an access restriction device 200 and a backend server 300.
- the user device 100 comprises a memory 101 for storing typical software components such as an operating system of the device, and in particular an access control application 110 and a processor 102 for executing the operating system and the access control application 110.
- the device is operable by the user via an input/output interface 103, including a display and an input controller, for example a touch display.
- the device further comprises a wireless user communication module 104, preferably a low energy device, such as a BLE (Bluetooth Low Energy) communication module.
- the user device is preferably a mobile device, such as a mobile smartphone, but can be also a dedicated device e.g. a specialized module connected to an onboard car system, or even a low-power beacon device that only transmits the access request message.
- the access restriction device 200 may be a lockable door or a road barrier. It comprises a memory 201 for storing typical software components such as an operating system of the access restriction device, and in particular an access verification application 210 and a processor 202 for executing the operating system and the access verification application 210.
- the device further comprises a wireless user communication module 204, in particular a BLE (Bluetooth Low Energy) communication module, that is able to communicate with the user communication module 104 of the user device.
- the user communication module 204 may have a range of communication adapted to the particular type of the access restriction device 200, for example the module 204 installed at office door may have the range of communication limited to 50 cm, while the module 204 installed at a garage door may have the range of communication limited to 10 m.
- the access restriction device further comprises a controllable access restriction module 205 (such as a lock or a barrier actuator) that is operable by the processor. Furthermore, the device comprises a backend communication module 206 to communicate with the backend server 300, for example any type of interface allowing access to the Internet or other type of network via which the backend server 300 is accessible.
- the backend server 300 comprises a memory 301 for storing typical software components such as an operating system of the backend server, and in particular a user verification application 310 and a processor 302 for executing the operating system and the user verification application 310.
- the server also comprises an access rights database 307 that stores information about users registered in the system and their permissions to activate particular access restriction devices 200.
- the server comprises a backend communication module 306 to communicate with the communication module 206 of the access restriction device 200.
- the system operates as shown in Fig. 2 .
- When the user access control application is active, it continuously broadcasts, in step 11, an access request message, comprising at least a user ID (identifier).
- the access request message may include other information, such as the requested command for the access restriction device, in case the device is capable of performing more than one action (for example, the road barrier control device may be optionally requested to turn on the light).
- the access request message is encrypted with a secret user-unique value, as explained later.
- In case the access restriction device is a simple bi-state device (such as ON/OFF or OPEN/CLOSED), it is enough to transmit the user ID, since it is evident that the user intention is to have the access restriction device move to an access enablement state (such as ON or OPEN).
- the access control application may be activated when the user device detects that it is located at a particular area (based on GPS, WiFi or other localizing module), at a particular time of day, upon detecting a signal from another module or upon manual activation by the user.
- the access verification application 210 is configured to continuously monitor the vicinity of the access restriction device 200 in order to detect the access request messages broadcast by the user devices, via the wireless communication module 204. When the access request message is detected, the access verification application forwards the access request message (along with the device identifier (ID) at which the message was received) to the backend server 300.
- the user verification application 310 receives the access request message, decrypts it (if it was encrypted, in order to check its authenticity, by checking whether it is decipherable by the security value associated with that user and/or whether it contains a correct timestamp) and reads the user ID. Next it checks, in step 13, in the access rights database 307, whether the particular user has access rights to activate the particular access restriction device 200 (or to perform a particular action as requested at the access request message). If the user does not have a permission, no action is taken or a response is sent to the access verification application that the action is denied. In case the user does have access rights, an action request (such as to activate the device or to perform the particular requested action) is sent in step 14 to the access verification application.
- the access request message may be encrypted, for example with a public key of the backend server and a time stamp corresponding to the time of generating the message and/or other unique data that allows the message to change, such that the contents of the message, in particular the user ID, can be read only at the backend server 300.
- This increases the security of the system, as a malicious third party will not be able to determine the user ID, even if the broadcast access restriction message is captured.
- Fig. 3 presents an example of access rights database 307.
- the access restriction devices D1, D2, D3 are bistate devices, therefore it is enough to specify whether the user has permission to access or not.
- the access restriction device D4 has more elaborate functionality, such as Open or Lights functions.
- the user U1 is allowed to access devices D1, D2 and D4 (with Open and Lights function permissions).
- the user U2 is allowed to access devices D2 and D4 (with Open function permission only).
- the user U3 is allowed to access device D3 only.
- the database 307 may comprise a "secret" value unique for the user that is a symmetrical key used to verify the authenticity of messages sent by the user application.
- the user may send packets containing a User ID (and preferably a timestamp to effect a change of the message content, so as to avoid transmitting repeatedly the same message and its re-use by unauthorized entities) that are encrypted by the secret value S1-S3 that is known to the access control application at the user device and the backend server.
- When the action request is received by the access verification application 210, in step 15 it sends an activation command to the access restriction module 205, such as to open a door lock or lift a road barrier.
- Fig. 4 shows an example embodiment of operation of a road barrier 200, e.g. a barrier allowing access to a parking space.
- a user with a smartphone 100 drives a car and approaches the parking space.
- the smartphone geolocation module recognizes that the user is in the vicinity of the road barrier to be operated and sends a command to activate the access control application 110 to broadcast the access request message in step 11.
- the access request message is received by the access verification application 210 at the road barrier 200 and forwarded to the backend server 300 in step 12.
- the backend server 300 checks whether a user with the user ID contained in the access request message has permission rights to open that road barrier and if so, sends a command to open the barrier in step 14.
- the access verification application 210 upon receiving the command from the server, activates the road barrier actuator 205 to open the barrier.
- the same backend server 300 can also handle access control for other access restriction barriers D2, D3, D4 located at various other locations.
- the advantage of the system is that it provides safety, ease of use and low resources to operate.
- the user device only needs to be capable of broadcasting the access request message via a low-power wireless communication interface, such as BLE.
- the user device does not need to be capable of communicating with the backend server, since the access request message is forwarded to the server by the access restriction device.
- the access restriction application (controller) can be universal and mounted to any kind of access restriction device and does not have to include the database of users, since the database can be central and provided at the backend server, while the controller at the access restriction device only needs to be able to receive messages from users, forward them to the backend server and respond to instructions received from the server.
- the presented method and system therefore provide an alternative solution for controlling access rights.
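The backend check of steps 12 to 14 with the Fig. 3 rights table, as an added example (not code from the patent). Python's standard library has no authenticated cipher, so an HMAC-SHA256 tag stands in for encryption with the user-unique secret: the user ID is never transmitted, and the server identifies the user by whose secret verifies the tag. The secret values, the message layout, the 30-second window and the replay cache are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Constructed sample secrets S1-S3 for users U1-U3 (values invented for this example).
USER_SECRETS = {
    "U1": b"constructed-secret-S1",
    "U2": b"constructed-secret-S2",
    "U3": b"constructed-secret-S3",
}

# Access rights as described for Fig. 3: D1-D3 are bi-state, D4 has Open and Lights.
ACCESS_RIGHTS = {
    "U1": {"D1": {"Open"}, "D2": {"Open"}, "D4": {"Open", "Lights"}},
    "U2": {"D2": {"Open"}, "D4": {"Open"}},
    "U3": {"D3": {"Open"}},
}

TAG_LEN = 16      # truncated HMAC-SHA256 tag, in bytes (assumption)
MAX_SKEW_S = 30   # accepted clock difference, in seconds (assumption)


def _tag(secret: bytes, body: bytes) -> bytes:
    return hmac.new(secret, body, hashlib.sha256).digest()[:TAG_LEN]


def build_access_request(secret: bytes, timestamp: int, command: str = "Open") -> bytes:
    """User device, step 11: 4-byte timestamp | command | tag. No user ID is sent."""
    body = struct.pack(">I", timestamp) + command.encode("ascii")
    return body + _tag(secret, body)


class BackendServer:
    """User verification application 310: authenticate, check freshness, authorize."""

    def __init__(self, secrets, rights, max_skew=MAX_SKEW_S):
        self.secrets = secrets
        self.rights = rights
        self.max_skew = max_skew
        self._seen = {}  # tag -> message timestamp, for replay rejection

    def handle(self, device_id: str, message: bytes, now: int):
        """Steps 12-14. Returns (decision, user_id); user_id is None if unauthenticated."""
        if len(message) < 4 + TAG_LEN:
            return ("deny:malformed", None)
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        (timestamp,) = struct.unpack(">I", body[:4])

        # Identify the sender by whose secret verifies the tag. Every secret is
        # tried with a constant-time compare, so the loop does the same work
        # whichever user matches.
        user = None
        for uid, secret in self.secrets.items():
            if hmac.compare_digest(_tag(secret, body), tag):
                user = uid
        if user is None:
            return ("deny:unauthentic", None)

        # Freshness: the timestamp must lie inside the accepted window.
        if abs(now - timestamp) > self.max_skew:
            return ("deny:stale", user)

        # Replay: a captured broadcast stays fresh for max_skew seconds, so each
        # tag is honoured once, at any device. Entries are dropped once the
        # message they belong to would be rejected as stale anyway.
        self._seen = {t: ts for t, ts in self._seen.items()
                      if now - ts <= self.max_skew}
        if tag in self._seen:
            return ("deny:replay", user)
        self._seen[tag] = timestamp

        # Authorization, step 13: user x device x requested command.
        try:
            command = body[4:].decode("ascii") or "Open"
        except UnicodeDecodeError:
            return ("deny:malformed", user)
        if command not in self.rights.get(user, {}).get(device_id, set()):
            return ("deny:no-permission", user)
        return ("grant", user)  # step 14: action request goes back to the device


if __name__ == "__main__":
    server = BackendServer(USER_SECRETS, ACCESS_RIGHTS)
    t0 = 1_700_000_000  # constructed timestamp
    msg = build_access_request(USER_SECRETS["U1"], t0, "Lights")
    print(server.handle("D4", msg, t0 + 2))   # first delivery
    print(server.handle("D4", msg, t0 + 3))   # same broadcast seen again
```

Because the broadcast does not name a target device, the replay cache is keyed on the tag alone, so a message captured at one device cannot be reused at another within the window.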
Landscapes
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Telephonic Communication Services (AREA)
Abstract
A method for controlling an access restriction device (200), the method comprising: monitoring the vicinity of the access restriction device (200) to detect, via a wireless communication module (204) an access request message from a user device (100), the access request message comprising a user ID (identifier); forwarding the access request message to a backend server (300); upon receiving an action request from the backend server (300), activating an access restriction module (205) to allow access via the access restriction device (200).
Description
- The present invention relates to access control, in particular remote control of access to areas protected by access restriction devices, such as doors or barriers, wherein the access is activated via a user mobile device.
- There are known various solutions to remotely control access restriction devices, such as door locks or road barrier actuators.
- One solution is to send an activation command directly from a user mobile device to the access restriction device. A system of this type is disclosed in US7205908, which describes a system and method for proximity control of a barrier comprising a stationary wireless signal receiving device and a mobile transmitting device. The wireless signal receiving device may monitor at least one transmitting device within a predetermined coverage area and may be a radio frequency receiver or a spread spectrum receiver located near the barrier. The disadvantage of that solution is that it requires the user to be registered as an authorized user directly at the access restriction device.
- Another solution is to send an activation command from a user mobile device to a remote server that controls the operation of the access restriction device. A system of this type is disclosed in US9367978.
- Therefore, there is a need to improve the access control systems to achieve at least one of the following technical objectives: ease of use usability, secure access, low requirements for the user mobile device.
- The object of the invention is a method for controlling an access restriction device, the method comprising: monitoring the vicinity of the access restriction device to detect, via a wireless communication module an access request message from a user device, the access request message comprising a user ID (identifier); forwarding the access request message to a backend server; upon receiving an action request from the backend server, activating an access restriction module to allow access via the access restriction device.
- The access request message may be encrypted with a public key known to the backend server.
- The access request message may be encrypted by a user-unique secret value known to the access control application and the backend server.
- The access request message may further comprise a command to execute a particular action by the access restriction device.
- The access request message may be broadcast by the user device via a wireless communication interface.
- The wireless communication interface may be compliant with Bluetooth Low Energy.
- The object of the invention is also a controller for an access restriction device comprising a processor configured to operate an access verification application for performing the steps of the method as described herein.
- The invention is shown by means of example embodiments on a drawing, wherein:
- Fig. 1 shows a structure of modules of the system for access control;
- Fig. 2 shows communication between system modules;
- Fig. 3 shows example of a database with user access rights;
- Fig. 4 shows an example embodiment of the system.
- The system comprises three main cooperating components: a user application 110 operated at a user device 100, an access restriction device 200 and a backend server 300.
- The user device 100 comprises a memory 101 for storing typical software components such as an operating system of the device, and in particular an access control application 110 and a processor 102 for executing the operating system and the access control application 110. The device is operable by the user via an input/output interface 103, including a display and an input controller, for example a touch display. The device further comprises a wireless user communication module 104, preferably a low energy device, such as a BLE (Bluetooth Low Energy) communication module. The user device is preferably a mobile device, such as a mobile smartphone, but can be also a dedicated device e.g. a specialized module connected to an onboard car system, or even a low-power beacon device that only transmits the access request message.
- The access restriction device 200 may be a lockable door or a road barrier. It comprises a memory 201 for storing typical software components such as an operating system of the access restriction device, and in particular an access verification application 210 and a processor 202 for executing the operating system and the access verification application 210. The device further comprises a wireless user communication module 204, in particular a BLE (Bluetooth Low Energy) communication module, that is able to communicate with the user communication module 104 of the user device. The user communication module 204 may have a range of communication adapted to the particular type of the access restriction device 200, for example the module 204 installed at office door may have the range of communication limited to 50 cm, while the module 204 installed at a garage door may have the range of communication limited to 10 m. The access restriction device further comprises a controllable access restriction module 205 (such as a lock or a barrier actuator) that is operable by the processor. Furthermore, the device comprises a backend communication module 206 to communicate with the backend server 300, for example any type of interface allowing access to the Internet or other type of network via which the backend server 300 is accessible.
- The backend server 300 comprises a memory 301 for storing typical software components such as an operating system of the backend server, and in particular a user verification application 310 and a processor 302 for executing the operating system and the user verification application 310. The server also comprises an access rights database 307 that stores information about users registered in the system and their permissions to activate particular access restriction devices 200. Furthermore, the server comprises a backend communication module 306 to communicate with the communication module 206 of the access restriction device 200.
- The system operates as shown in Fig. 2.
- When the user access control application is active, it continuously broadcasts, in step 11, an access request message, comprising at least a user ID (identifier). Optionally, the access request message may include other information, such as the requested command for the access restriction device, in case the device is capable of performing more than one action (for example, the road barrier control device may be optionally requested to turn on the light). Preferably, the access request message is encrypted with a secret user-unique value, as explained later. In case the access restriction device is a simple bi-state device (such as ON/OFF or OPEN/CLOSED), it is enough to transmit the user ID, since it is evident that the user intention is to have the access restriction device move to an access enablement state (such as ON or OPEN). Since the broadcasting of the access request message data is performed via a low energy wireless communication module 204, the power usage performed by this step is relatively low. In order to avoid the broadcasting at times when it is not necessary, the access control application may be activated when the user device detects that it is located at a particular area (based on GPS, WiFi or other localizing module), at a particular time of day, upon detecting a signal from another module or upon manual activation by the user.
- The access verification application 210 is configured to continuously monitor the vicinity of the access restriction device 200 in order to detect the access request messages broadcast by the user devices, via the wireless communication module 204. When the access request message is detected, the access verification application forwards the access request message (along with the device identifier (ID) at which the message was received) to the backend server 300.
- At the backend server 300, the user verification application 310 receives the access request message, decrypts it (if it was encrypted, in order to check its authenticity, by checking whether it is decipherable by the security value associated with that user and/or whether it contains a correct timestamp) and reads the user ID. Next it checks, in step 13, in the access rights database 307, whether the particular user has access rights to activate the particular access restriction device 200 (or to perform a particular action as requested at the access request message). If the user does not have a permission, no action is taken or a response is sent to the access verification application that the action is denied. In case the user does have access rights, an action request (such as to activate the device or to perform the particular requested action) is sent in step 14 to the access verification application.
- The access request message may be encrypted, for example with a public key of the backend server and a time stamp corresponding to the time of generating the message and/or other unique data that allows the message to change, such that the contents of the message, in particular the user ID, can be read only at the backend server 300. This increases the security of the system, as a malicious third party will not be able to determine the user ID, even if the broadcast access restriction message is captured.
- Fig. 3 presents an example of access rights database 307. The access restriction devices D1, D2, D3 are bistate devices, therefore it is enough to specify whether the user has permission to access or not. The access restriction device D4 has more elaborate functionality, such as Open or Lights functions. The user U1 is allowed to access devices D1, D2 and D4 (with Open and Lights function permissions). The user U2 is allowed to access devices D2 and D4 (with Open function permission only). The user U3 is allowed to access device D3 only.
- As an optional feature, the
database 307 may comprise a "secret" value unique for the user that is a symmetrical key used to verify the authenticity of messages sent by the user application. In that case, the user may send packets containing a User ID (and preferably a timestamp to effect a change of the message content, so as to avoid transmitting repeatedly the same message and its re-use by unauthorized entities) that are encrypted by the secret value S1-S3 that is known to the access control application at the user device and the backend server. - Once the action request is received by the
access verification application 210, instep 15 it sends an activation command to theaccess restriction module 205, such as to open a door lock or lift a road barrier. -
Fig. 4 shows an example embodiment of operation of aroad barrier 200, e.g. a barrier allowing access to a parking space. A user with asmartphone 100 drives a car and approaches the parking space. At that time, the smartphone geolocation module recognizes that the user is in the vicinity of the road barrier to be operated and sends a command to activate theaccess control application 110 to broadcast the access request message instep 11. The access request message is received by theaccess verification application 210 at theroad barrier 200 and forwarded to thebackend server 300 instep 12. Thebackend server 300 checks whether a user with the user ID contained in the access request message has permission rights to open that road barrier and if so, sends a command to open the barrier instep 14. Theaccess verification application 210, upon receiving the command from the server, activates theroad barrier actuator 205 to open the barrier. Thesame backend server 300 can also handle access control for other access restriction barriers D2, D3, D4 located at various other locations. - The advantage of the system is that it provides safety, ease of use and low resources to operate. The user device only needs to be capable of broadcasting the access request message via a low-power wireless communication interface, such as BLE. The user device does not need to be capable of communicating with the backend server, since the access request message is forwarded to the server by the access restriction device. The access restriction application (controller) can be universal and mounted to any kinds of access restriction devices and does not have to include the database of users, since the database can be central and provided at the backend server, while the controller at the access restriction device must be only able to receive messages from users, forward them to the backend server and respond to instructions received from the server. 
The presented method and system therefore provide an alternative solution for controlling access rights.
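The backend checks of steps 13 and 14 with the optional per-user secret and timestamp can be sketched as follows; this is an added example, not code from the patent. It assumes a hypothetical `user|command|timestamp` message layout, a 30-second freshness window and a replay cache, and it authenticates the message with an HMAC-SHA256 tag instead of encrypting it, so the user ID travels in the clear (hiding it as the description intends would need authenticated encryption on top).

```python
import hashlib
import hmac
import struct

# Constructed sample data: rights follow the Fig. 3 description, secrets are placeholders.
SECRETS = {"U1": b"S1-constructed", "U2": b"S2-constructed", "U3": b"S3-constructed"}
RIGHTS = {
    "U1": {"D1": {"OPEN"}, "D2": {"OPEN"}, "D4": {"OPEN", "LIGHTS"}},
    "U2": {"D2": {"OPEN"}, "D4": {"OPEN"}},
    "U3": {"D3": {"OPEN"}},
}
MAX_SKEW = 30   # assumed freshness window in seconds
TAG_LEN = 16    # truncated HMAC-SHA256 tag, to keep the broadcast payload short

def build_request(user_id, command, now):
    """User device side: user ID, command and timestamp followed by an HMAC tag."""
    body = f"{user_id}|{command}|".encode() + struct.pack(">I", now)
    tag = hmac.new(SECRETS[user_id], body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class Backend:
    def __init__(self):
        self.seen = {}  # tag -> message timestamp: replay cache for the window

    def handle(self, message, device_id, now):
        """Return the action to send to the device (step 14), or None to deny."""
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        try:
            user_id, command, ts_raw = body.split(b"|", 2)
            user_id, command = user_id.decode(), command.decode()
            (ts,) = struct.unpack(">I", ts_raw)
        except (ValueError, struct.error):
            return None                      # malformed broadcast
        secret = SECRETS.get(user_id)
        if secret is None:
            return None                      # unknown user
        expected = hmac.new(secret, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                      # not produced with this user's secret
        if abs(now - ts) > MAX_SKEW:
            return None                      # stale capture
        self.seen = {t: s for t, s in self.seen.items() if now - s <= MAX_SKEW}
        if tag in self.seen:
            return None                      # replay inside the freshness window
        self.seen[tag] = ts
        if command not in RIGHTS.get(user_id, {}).get(device_id, set()):
            return None                      # step 13: no permission for this device
        return command
```

The timestamp alone only bounds how long a captured broadcast stays usable; the replay cache is what rejects a copy re-sent within that window.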
Claims (7)
1. A method for controlling an access restriction device (200), the method comprising:
- monitoring the vicinity of the access restriction device (200) to detect, via a wireless communication module (204) an access request message from a user device (100), the access request message comprising a user ID (identifier);
- forwarding the access request message to a backend server (300);
- upon receiving an action request from the backend server (300), activating an access restriction module (205) to allow access via the access restriction device (200).
2. The method according to claim 1, wherein the access request message is encrypted with a public key known to the backend server (300).
3. The method according to claim 1, wherein the access request message is encrypted by a user-unique secret value (S1-S3) known to the access control application and the backend server (300).
3. The method according to any of previous claims, wherein the access request message further comprises a command to execute a particular action by the access restriction device (200).
4. The method according to any of previous claims, wherein the access request message is broadcast by the user device (100) via a wireless communication interface (104).
5. The method according to any of previous claims, wherein the wireless communication interface (104) is compliant with Bluetooth Low Energy (BLE).
6. A controller for an access restriction device (200) comprising a processor (202) configured to operate an access verification application (210) for performing the steps of the method of any of previous claims 1-5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP19461537.3A EP3739553A1 (en) | 2019-05-11 | 2019-05-11 | A method and system for access control |
Publications (1)
Publication Number | Publication Date |
---|---|
EP3739553A1 true EP3739553A1 (en) | 2020-11-18 |
Family
ID=66625914
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP19461537.3A Withdrawn EP3739553A1 (en) | 2019-05-11 | 2019-05-11 | A method and system for access control |
Country Status (1)
Country | Link |
---|---|
EP (1) | EP3739553A1 (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7205908B2 (en) | 2004-03-18 | 2007-04-17 | Gallen Ka Leung Tsui | Systems and methods for proximity control of a barrier |
US9367978B2 (en) | 2013-03-15 | 2016-06-14 | The Chamberlain Group, Inc. | Control device access method and apparatus |
US20160196706A1 (en) * | 2014-02-12 | 2016-07-07 | Viking Access Systems, Llc | Movable barrier operator configured for remote actuation |
US20180047227A1 (en) * | 2016-08-09 | 2018-02-15 | Vivint, Inc. | Authentication for keyless building entry |
US20180293823A1 (en) * | 2015-10-12 | 2018-10-11 | Communithings Sa | System and Method for Access Control |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11044608B2 (en) | System and method for access control via mobile device | |
US8045960B2 (en) | Integrated access control system and a method of controlling the same | |
US9367978B2 (en) | Control device access method and apparatus | |
EP2492878B1 (en) | Methods and apparatus to control access | |
US9196104B2 (en) | Wireless access control system and related methods | |
US9591693B2 (en) | Communication method and system | |
US20160086400A1 (en) | Wireless access control system including distance based lock assembly and remote access device enrollment and related methods | |
US20140365773A1 (en) | Systems and methods for controlling a locking mechanism using a portable electronic device | |
JP2011511350A (en) | Access control management method and apparatus | |
WO2019203306A1 (en) | Sharing system | |
US9972146B1 (en) | Security system with a wireless security device | |
KR20190029920A (en) | Control system and control mehtod for vehicle | |
US9437061B2 (en) | Arrangement for the authorised access of at least one structural element located in a building | |
EP3300033B1 (en) | Access control system, portable user device, and method of controlling access | |
KR20130126193A (en) | Car auto door lock opening system using smart device and method thereof | |
KR101765080B1 (en) | smart door lock system based on iot and the method thereof | |
KR101861057B1 (en) | Digital door lock based on composite signal and the method for operating the same | |
KR101406192B1 (en) | Car access control system using smart terminal and method thereof | |
US20150109097A1 (en) | Electronically Controlled Locking System and Electronic Key for Controlling the Locking System | |
KR101763140B1 (en) | Authentification Method by User Terminal Connecting Access Controller, Software therefor, and Program Distributing Server Storing the Software | |
US11285917B1 (en) | Vehicle control system | |
EP3739553A1 (en) | A method and system for access control | |
WO2019221016A1 (en) | Shared system and control method therefor | |
CN102542643B (en) | One-touch security system and method | |
KR101638585B1 (en) | entrance system exploiting smart phone |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
 | STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION HAS BEEN PUBLISHED |
 | AK | Designated contracting states | Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
 | AX | Request for extension of the european patent | Extension state: BA ME |
 | STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
 | 18D | Application deemed to be withdrawn | Effective date: 20210519 |