ES2668450A1 - Security system by electronic documentation for access to resources, places and devices. (Machine-translation by Google Translate, not legally binding) - Google Patents

Abstract

Security system by electronic documentation for access to resources, places and devices from an electronic security element that contains data key or access card or Smartphone [1], lock or access port [2], central unit [3] ], system message display screen (5) and operating energy module [7]. The system determines if a user is authorized to access a resource [6]: place [6A] or device [6B], based on the verification of minimum and mandatory conditions that must be met (minimum security requirements) [3C] , using for said verification the original source of the data (official documentation - databases external to the device) [4], allowing access to the resource only in the case of being in compliance [3F] the mandatory fields required. (Machine-translation by Google Translate, not legally binding)

Description

  SECURITY SYSTEM FOR ELECTRONIC DOCUMENTATION FOR ACCESS TO RESOURCES, PLACES AND APPLIANCES.  SECTOR OF THE TECHNIQUE 5 The present invention relates to an electronic security system that determines whether a user is authorized to access a resource, place or device, based on the verification of certain conditions, some mandatory and others optional, that must be meet (minimum security requirements), using the original source of the data (official documentation) for said verification, allowing access only in the case of complying with the required fields required.  As 'original source of the data', a reliable source is understood from which to extract the information we need, for example, if we want to know how many points we have left on the driving license, the General Traffic Directorate 15 is the source from where to obtain such information.  BACKGROUND OF THE INVENTION The current systems of access to equipment and devices in general are fundamentally based on two systems: through a key (whether 20 physical key, biometric sensor or similar); and the introduction of data as a user, usually a pair (Identifier and password), for which it is used or an identification card with an access password or by keyboard in any access software with data display screen.  In the case of computers, a password is accessed by entering a password and other equipment can be accessed remotely easily, you will only need your domain name to access from another and allow users to connect remotely.  In the case of vehicles, traditional immobilizers block the starting of the vehicle through the Electronic Control Unit (ECU) DESCRIPTION when using an unauthorized contact key.  This authorization is a code programmed in the key, so if it does not match any of those programmed in the Electronic Control Unit (UCE), the vehicle does not start.  With this method, the immobilizer control unit is underutilized and works only as an anti-theft system without control of the driver's or vehicle's road safety nor the user is identified.  In the case of closed places, buildings and enclosures, access control is always at the entrance door of the building or enclosure, or at its perimeter, and will always be carried out by individuals, members of private security companies or by agents of the authority, which may be accompanied by trusted persons, who know the workers of the building or premises.  You must have a channel, so that people who enter and leave, can do so at the same time, avoiding 15 crowds and can facilitate documentation in the control without too much discomfort.  There are currently a large number of identification systems by contact smart card, contactless smart cards and dual and hybrid cards 20, whose use creates a complication because each one has a different CPIN access code) to be remembered and, despite this Access code, are easily duplicated, being able to grant access to people who are not authorized, being questioned the security of such smart cards for not registering the user who uses it.  Therefore, the present invention deals with an electronic security access system, which allows access to all types of resources, places and devices, with a secure and common identification to all of them, contrasting the information with the data center, complying with the identification applications of the holder thereof, electronic payment of 30 goods or services through virtual money and secure storage of information associated with the holder, improving security and avoiding copying, duplicity, manipulation and falsification of the access data, when registering all users who have access to the resource, place and / or device in a unique way increasing the security and control of their access by a single card of multiple use.  We achieve these objectives 5 by making the personal access identifier unique (using a combination between a code assigned to the device and a unique electronic signature assigned by the system to each user), and that it cannot be copied, given that the number User ID is linked to the access device you use; therefore, any attempt of manipulation will invalidate the access and will cause an alarm in the system in case of trying to use the copy.  If a loss or breakage occurs, a new one will be generated that will invalidate the previous one.  Its general application is as a single and individual electronic identification, 15 which encompasses in a single "document" the national identity document, passport, residence permit, work permit, bank card, debit bank card, health card, permit driving, professional associations, sports clubs, companies, associations, tickets to shows, transport tickets, etc. , as many resources as 20 are wanted, being configured and programmed by each authorized entity.  With this programmable electronic identification, depending on the configuration and permissions in each case, it gives access to places and devices that contain: administration data, health data (medical history), access to the judicial system, access to the boot system of any type of motor transport vehicle (cars, motorcycles, trucks, buses, trains, airplanes, ships, etc. ), access doors to places, safes, alarms, Internet, computers, hard drives, printers, photocopiers, peripherals, industrial facilities, military barracks, 30 centralized air conditioners, bank tellers, electronic wallet, electronic payment, mobile phones, purchase of tickets shows, transport tickets, electronic payment of goods or services through virtual money and secure storage of information associated with the sole holder in a secure way.  Although it is true that this invention has multiple potential uses, in order to be able to use all its functionalities, in most cases a modification in the processes of the company that incorporates it is necessary to accommodate this innovation.  For example, if a company wants to use the invention to control the entry of workers to a specific building, it will have to be physically and separately installed, register workers in the system (or connect it to the database of workers of the company), at the same time that each employee would have to be provided with a personal identifying element.  If you already had one, you would have to associate it with the user's profile in the company so that the worker could finally have access to the building according to the rules established by the company in the new access system.  The permits and documentation that will be used to validate and grant access to the user in question, will vary according to the type of resource that you want to access and the laws in force in each country, so that this device adapts to the relevant laws.  A simple example: In our house we have this system installed.  Each member of the family unit has a "key" electronic support to enter.  If you also have someone hired to help with household chores, for example, on Tuesdays, the key that identifies that person will only give access to the house on the specified day in the specified time range, thus increasing the Control and security.   EXPLANATION OF THE INVENTION For a better visualization and understanding we detail three sections 1. -GLOSSARY OF THEMES TO USE.  5 2. -S brief description of the invention.  3. -RISK ANALYSIS.  one. - GLOSSARY OF TERMS TO USE - Actuator: Inherently mechanical device whose function is to provide force to move or "act" another mechanical device - User identification number: Number that uniquely identifies the user in the system.  Identifying element: Electronic or biometric element that the user carries and that, if it is an electronic element, contains the encrypted user's identification number and if it is biometric (p. and.  a fingerprint), is associated with a user identification number within the system.  Key: Particular case of identifying element.  Electronic identifying element or identifying device (e.g. and.  a USB key or a magnetic card 20).  Va / idador: Device that is associated with the identifying element and varies according to it.  It is the link of the central unit with the outside and is responsible for validating that the information contained in the identifying element is correct and corresponds to a user registered in the system.  In case of being a biometric validator, it is in charge of associating the user with an identification number within the system.  Key: Number.  During this text, we will use almost indiscriminately key and number.  Actually, the number is not accurate, since the user's identification number is alphanumeric, so the term "key" is 30 more correct.   2. - BRIEF DESCRIPTION OF THE INVENTION The present invention relates to a security system by electronic documentation for access to resources, places and devices, which determines if a user is authorized to access a resource: place and / or device, based on the verification of minimum and mandatory conditions that must be met (official documentation and minimum security requirements) allowing access only in the case of complying with the required required fields.  10 The system consists of 4 parts: The user identification element, the validator that verifies that the identifier entered is correct, the central unit, which contains the actions to be performed according to the user trying to access and a validation unit (in the form of databases) queried to verify the identity of the user.  The databases of 15 data can be external (as in the case of databases of public administrations), internal (if we are trying to access private elements that do not need external interaction, such as access to a home) or a combination of both (with an internal database to give initial access to the resource and an external database 20 for use permissions on that resource).  The element that identifies the user and the validator, maintain a close dependence: depending on the support used to identify the user, the validator element will be one or the other.  For example, as a user identifier we can use biometric devices such as a fingerprint, or an eyeprint, or electronic devices such as cards, USB keys, Smartphone, etc. ; In general, any storage device that can contain a key that identifies the user and that is capable of sending it for validation to the validator element (bluetooth, wi-fi, contactless cards, magnetic stripe 30, USB port, etc. ) In case of using a biometric device as an identifying element As a user, security is implied, since copying a fingerprint or eyeprint is very complicated.  All we need is a reader of the appropriate footprint and an internal database of authorized users (repository) with which to compare the entered one.  5 If, on the other hand, we use an electronic device as a user identification element, an additional check is necessary, since these elements are more easily subtractable or lost than an eye or a finger: we add an entry PIN that together with the contained key In the identifier element (user identification number), the validator recognizes that the bearer of the identifier element is the user himself.  This solves the fact of having to remember multiple access codes, being solved this problem with a single key to remember.  The third part of our system is the central unit: once we have verified that the identifier element entered is valid, we have in the central unit the number that uniquely identifies the user in the system.  We use this number to validate a series of rules, some mandatory and some optional.  Regardless of what the invention applies to, the first of the 20 rules is common and mandatory: we verify that the user (through his identification number) has permissions to access the system.  If there is conformity, the user is in the list of authorized users, so we can continue evaluating the following rules.  The rest of the rules imply the permissions that the user has within the system, for example, a user may have permission to start a car, but there may be a rule that restricts him at weekends.  Finally, we have the databases that are consulted to validate each of the rules: to verify access (the first rule).  We use as a source of original data a local database that is located within the central unit.  Previously, authorized users have had to be registered by someone with sufficient permission to do it (usually the owner of the resource we want to access).  For each of the rest of the rules, the database (reliable source of information) that corresponds in each case is consulted.  Using the example that we have used before, if we want to know 5 how many points we have left on the driving license, the General Traffic Directorate is the source from which to obtain such information.  The new system in its entirety (the 4 parts), is more complete and safer than the one seen in the background: The 10 user identification element (key, card, Smartphone etc. ) in any current and future information storage format, it carries encrypted information (encrypted and signed user data) that uniquely identifies the holder thereof and that is only read by the Central Unit through the data entry port ( validator).  This Central Unit 15 reads the information, ensures that the individual has permission to access the resource (place and / or device) and is responsible for verifying that the user meets the conditions that have been programmed in it by the legal owner of the resource, as well as entities authorized for consultation.  In this way we act to improve access security, 20 avoiding the copying, duplication, manipulation and falsification of access data.  In case of external manipulation, access is denied or blocked (see next section on "Risk analysis").  In reality, this is an inherent characteristic of the system, given that any alteration in the user's identification device, apart from not granting access, will generate an entry in the system event lag and the handling of the central unit becomes complicated. having to avoid security elements such as physical access to the unit, administration credentials that are not open and the encryption of the data it contains, so it would probably result in an unusable piece 30 after any modification.   3. - RISK ANALYSIS In this section we analyze the possible risks of the invention and how the system would react to each of them: 5 Type of risk: By physical access to the system or any of its parts.  one. -Description: Alteration of the user identification element (key).  Mitigation measures: The identifier element contains an encrypted certificate with the serial number of the identifier element 10 itself, so that if it is not the original, the system denies access.  2. -Description: Attempted access through the port exposed to the outside Mitigation measures: If you try to access the central unit 15 through the validation port with the intention of destroying the system (for example, by applying a voltage higher than the one supported), the unit will be unusable, blocking access to the resource.  3. -Description: Breakage of security elements that give physical access 20 to the central unit (for example, a glass or a protection console) 25 Mitigation measures: Optionally, in case of wanting to mitigate this risk, detection sensors will be installed. intrusion (for example, glass breakage), which will send a signal to the central unit to block access to the resource immediately.  Type of risk: By remote access 1. -Description: Attempt to access the central unit through the external internet connection 30 Mitigation measures: The unit's external access is made to through the public network of an operator (3G, 4G, etc. ) by means of a SIM card, which greatly hinders the possibility of finding out the IP address of the system.  In any case, the system has a protection firewall, 5 blocking access by unauthorized ports and filtering authorized 2. -Description: Network scanning to find out the IP Mitigation measures: The external connections of the system are 10 only to update the databases and the IP changes after each connection 3. -Description: Interception of the transmission and usurpation of the data source 15 Mitigation measures: In these attacks, an inhibitor is used so that the signal quality goes down to 2G and to exploit the vulnerabilities of this type of networks and put what is called "man in the middle" to impersonate the data server.  Apart from the encryption of the usual information provided by the network (less in the case of 2G), 20 communications with external servers will have their own encryption, making it difficult to impersonate 4. -Description: Brute force attack through "man in the middle" Mitigation measures: Advanced case of the previous risk.  In case of having intercepted the signal, having reduced the quality and managed to usurp the external servers, it is still necessary to break the encryption of the information, which is done by brute force.  This type of attack takes longer than it takes for the system to download the database update (a few seconds) and then change the IP again, 30 causing the potential intruder to waste time.   BRIEF DESCRIPTION OF THE DRAWINGS To complement the description that is being made and in order to help a better understanding of the characteristics of the invention, a set of drawings is attached as an integral part of said description, where it is illustrative and not In limitation, the following has been represented: - Figure 1 - Logical design of the system, represents the phases of the process 10 from beginning to end (from the identifying element to the granting or denial of access) divided into 4 logical parts according to their functionality.  - Figure 2 - Block diagram, is a schematic representation in block diagram of the system of access to resources, places and / or 15 devices, by electronic documentation of the present invention and its industrial application.  20 The following is a list of the different elements represented in each of the figures that make up the invention: Figure 1: The elements are listed below: Part 1: Interaction with the user Part 2: Data entry port 25 Part 3 : Central unit Part 4: Validation unit (databases) lA: User identification element ACCESS: Granting or denial of access 2A: Validator 30 2B: Repository 3: Central unit 3G: System Logs 3e: Internal Database 4: External Database 5 Figure 2: The elements are listed below: l: User identification element.  2: Validator or access port.  3: Central unit.  10 4: External databases of the origin of documents.  s: Information display screen.  6: Resource to access (place or device).  7: Energy module.  In the following list we list and define the subsystems and processes used in the development of the present invention: lA: User identification element (both biometric and electronic).  20 2A: Validator of the user identification element.  Data entry port  3A: UNCREDITED: reading user data with encryption and signing them or processing the biometric fingerprint.  Note: The 2A and 3A functionalities may be linked depending on the validator's capabilities.  POSSIBLE: Check if the data read is valid or not, in this case it goes out.  3B: CREATION OF CONSULTATION: together with the validated user information and the list of rules, we create the necessary data queries and send them to the appropriate external databases.   3C: INTERNAL DATABASE WITH RULES: list of the rules to be applied, and containing references to official documents (external databases) from which to extract the reliable information necessary to validate each of the rules stored in the central unit.  5 3D: CONSULTATION: user connection, rules and databases.  3E: ANSWER: the response of the query is sent to the central unit.  3F: VERIFICATION: decides if the results obtained in the query satisfy the user's rules.  10 MEETS: can be positive: YES allowing access or be negative: NO and goes Outside.  OUT: In case the data obtained is not valid, an output is produced and the reasons for that output are shown on the screen.  ACCESS: Access to the resource is granted by the indicated user.  15 4A: External database of the origin of documents.  4B: External database of the origin of documents.  4C: External database of the origin of documents.  40: External database of the origin of documents.  5: System message display screen.  20 6A: Place.  6B: Apparatus.  7A, 78: External power adapter (depending on whether it is alternating or continuous and its intensity, the adapter will vary).  7C: Backup battery: in case of failure in the supply of external power 25, the backup battery is activated.   DETAILED DESCRIPTION OF THE INVENTION Note: In square brackets, we will indicate the parts of the diagram in Figure 1 to which the text refers.  5 1.  Part 1: System inputs and outputs.  As the main entry of the system we have the user identifier element [lA].  This element can be biometric, mechanical or electronic: • Mechanical element: It is the traditional method to access resources, places or things.  Normally it is a key, which by means of a lock mechanism grants access.  We discard this method for not providing the security and versatility that we need to take full advantage of the features of our system.  • Biometric element: It is characterized in that it uses physical and behavioral characteristics (in this case of a person) that are unique.  The most widespread are the fingerprint and the eyeprint, but any physical or personal behavior element is valid as long as there is a device capable of validating it and associating it with a person uniquely.  In this case, security is intrinsic to the element itself, since it is difficult to copy, steal or lose a finger or an eye, which makes them reliable elements for the univocal identification of a user.  • Electronic element: They are electronic storage devices such as cards, USB keys, Smartphone, or, in general, any electronic storage device that may contain a key that identifies the user (user identification number).  These elements have to ensure that the bearer of the element is the user himself, · so we need an additional check.  In order to perform this identification, 30 we will add a keyboard from where a personal PIN will be entered, which together with the key contained in the electronic identifier, we it ensures with high probability that the bearer of the electronic identifier is the user himself.  The information contained in the user's electronic identifier is an encrypted key (number) (AES algorithm), digitally signed 5 that uniquely identifies the user.  This code is also associated with the serial number of the electronic identifier.  In this way, it is very complicated to copy the user identification element, guaranteeing with high probability the security of the system.  10 As outputs of the system we have two possibilities, that access is granted or that [ACCESS] is denied.  In either case, the access attempt will be registered in the system logs [3G].  The granting or denial of access does not represent a physical element 15 but an interface between the system and a possible external actuator, if necessary to mechanically activate the access to the protected element.  Information on the granted or denied access and the causes will be displayed on a display screen, so that the user can know what is happening at all times.  2.  Part 2: User Validation.  The user validator [2A] is physically integrated into the system, since it is the entrance to it: the lock.  25 It is in charge of collecting the user's information in the form of a fingerprint, or of an encrypted identification number and obtaining the unique identification number of the user from said entry.  The validator has to be adapted to the type of expected input: as has been said repeatedly, it can come from an electronic or biometric identifying element.  In case of using a biometric identifier element [lAt we must have an internal database (repository) [2B] with which to compare the entered footprint, so that we are able to uniquely identify the user.  In that same database the fingerprint is related to an alphanumeric user key (with a 1: 1 ratio, so the key 5 will also be unique), which will be how we identify the user within the system: user identification number.  If, on the other hand, we choose the option of the electronic identification element as the input key [lA], the validator [2A] must also be adapted to the type of device to be used: 10 approach sensor, magnetic stripe card reader, USB port for USB keys, etc.  As we have said, this device will contain the encrypted and signed user identification number.  The process is as follows: • The alphanumeric key contained in the user identifier element 15 (encrypted user identifier number) is decrypted with a private key contained in the system.  In this way we will obtain the decrypted key (user identification number).  • We check the digital signature of the key obtained using as a 20 signature key the serial number of the user's own identifying element, obtaining the certainty that the information stored in the user's identification device is authentic, as well as the device itself.  The fact that the signature is checked with the serial number of the device guarantees that the key has not been copied, since the serial number would be different and also, that it has not been re-signed with the serial number of the new device, since to encrypt it they would need the key that is contained in the system.  • After applying the decryption algorithm and verifying the digital signature we will obtain an alphanumeric key, but only if the signature on the decrypted identifier is the correct one, the key that We will obtain a correspondence with a user ID within the system.  In any other case, meaningless gibberish will be obtained.  At this point, we will have a unique user identification element, which together with the PIN entered, is sufficient to verify with the internal database, that the user is who he claims to be.  Otherwise, access will not be granted and the attempt will be recorded in the system log file [3G] along with the current date and time and GPS coordinates.  10 3.  Part 3: Central unit.  The user who tried to access the resource is registered in the system.  The following is to apply the rules contained in the internal database [3e].  We have to say that the central unit [3] has a connection to 15 mobile internet and GPS module.  Rules are applied to each registered user, some are common to all users and others.  The first of the rules is common to all users, and it is to verify that the user can access the resource, place or device.  The following 20 rules serve to restrict the use and access to the resource even more, being able, for example, to define a time range for the access of said user (on Thursday and Tuesday afternoons); or a certain area (in case of trying to access a mobile resource such as a vehicle).  To validate the rules, we need a reliable source from which to obtain the data we need to apply each rule: using the examples above, to check a time restriction, we need a clock, and we have the system clock (at the correct time always thanks to internet connection); to check a physical situation restriction, we have the integrated GPS; If you want to start a vehicle protected by our system, we need to know, for example, if the seat belt is properly fastened, for what we will consult the central unit of the vehicle or if it has enough points in the driving license, for which we consult the DGT database.  The possibilities of the rules are endless, all that is needed is a reliable source [4] with which to contrast the information.  The rules will be validated one by one and the answers will typically be YES or NO, indicating whether it satisfies the rule in question or not.  After this, we go to a verification phase, where it is determined if the results obtained from the consultations are positive, complying with the minimum requirements of the system and allowing access to the resource, either a place or a device, or in a way negative, so we leave the system and we are denied access [ACCESS].  In the event that the input data provided is not valid, is in an incorrect format or does not comply with the rules stipulated to grant access, a system output occurs, the reasons being shown on a data display screen or optionally , on the screen of your Smartphone (previous configuration) via Bluetooth (there is no problem with consulting this information in the mobile terminal since it is a previous step to access / boot).  20 The central unit is powered by an external power source, although it has a backup power module, which allows its operation in the event of an external power supply failure.  25 The central unit has an associated serial number for identification in external communications.  Four.  Part 4: Databases.  They contain the knowledge and information we need to validate the rules. We have an internal database [3C], where there are the rules to be applied and the users registered in the system and an indeterminate number of reliable external databases [4], where we must consult the necessary information according to the rule to be applied.   5 As an example of these external databases, we can mention the General Directorate of Traffic, insurers, ITV, etc.  Access to these databases will be automatic (by the central unit) and through a secure connection, since they contain, in general, sensitive information.  As a fundamental support of the system, there is an external server that performs the functions of linking between the user, the user identifier element [lA], the central unit [3] and the external databases [4].  The system keeps a record of all access attempts to detect possible threats and statistics creation.  From an access interface to that server, the main user (the owner of the resource) can perform administration functions: • Authorize access to different users.  • Create restrictions for these users (rules).  15 • Create your own key (user identification element) or cancel it in case of theft or loss immediately.  (For this step you must have a reader like the validator of your system) The user's account is password protected and will be created at the time of the initial configuration of the unit.  To create the first user identification key for electronic storage devices (particular case of user identification element), we generate an alphanumeric user identification key that will be stored in the server database.  This key is signed with the serial number of the storage device and encrypted with a private encryption key of at least 256 bits that we store on the server.  In this way, the key is unique and every time you want to create a new one (for loss, theft or any other reason), the previous one is automatically invalidated.  In the case of an isolated access control system and independent, the functions of the external server can be transferred to the central unit, the main user being able to perform the administration functions by connecting directly to the central unit by means of a network cable.  Optionally, through this connection, you can manage and manage the central unit, as well as authorized users and the rules to be validated.  10 INDUSTRIAL APPLICATION (Note: In square brackets we will indicate the parts of Figure 2 to which we refer as we explain the invention) One of the possible industrial applications of our system is as a system to control access to the start of motor vehicles by documentation mandatory electronically coded, based on pre-established road safety rules.  15 The new system of access to the start of motor vehicles by electronic documentation, is more complete and safer than that seen in the background: the user identification element [1], in any format we have already explained (fingerprint, key, card, smartphone, etc. ), carries coded information (identification number of the encrypted user / driver) that uniquely identifies the holder of the same and that is only read by the Central Unit [3] through the data entry port (validator) [2] .  This Central Unit [3] reads the information, ensures that the individual has permission to start the vehicle and is responsible for verifying that the vehicle meets a series of 25 conditions that have been programmed into it through a web interface to the that only the legal owner of the vehicle can access.  An additional complement to traffic agents in order to improve road safety and reduce risk, is that they can request the user identification element 30 from the driver for identification, thus avoiding their leak, connect the user identification element with the central traffic unit through reader terminals to verify the status of the vehicle and driver documentation to be able to act in case of legal breach, immediately recording the infraction, 5 sanction and / or withdrawal of points, taking effect on the next start or 24 hours after the infraction, so that when said driver tries again to start a vehicle for which he is authorized, when verifying the rule on the points of the license card driving, you will have the updated figure and the central unit will act accordingly.  10 With our electronic documentation access device, we act to improve access security, making it difficult to copy, duplicate, manipulate and falsify access data.  There are a series of common and mandatory rules for all and 15 other individuals established by the vehicle owner.  DESCRIPTION INDUSTRIAL APPLICATION ACCORDING TO Figure 2 A user who wants to have access to a motor vehicle [6J, either 20 access door [6AJ or the motor vehicle starting system [68], must be registered in the system: this it is done, in the case of the owner, at the time of purchase or transfer of the vehicle, and in the case of another user, being previously authorized by the owner.  Its identification is created in the system through a remote server 25 (system administration web interface), a user identification number is generated and it is dumped in the encrypted and signed user identification element that will identify the user from that instant (your key) [lAJ; as always, instead of the user identification number stored in the electronic device (user identification element 30), it can also be from a fingerprint or an eyeprint to a simple pendrive or Smartphone.   The user identification element [lA] is associated with the corresponding validator [2A], which is connected to the Central Unit [3], transferring the user's data for reading, signature validation and decryption [3A].  After decrypting them, it is possible (possible) that the data is valid (YES) or that it is not (NO).  In the latter case, we leave the system (OUT).  In the case of possible (SI), together with the decrypted information of the user and the programmed rules stored in the device [3C], we create the necessary data queries [3B] and send them through the network [Tx] as a query [3D] 10 where user, rules and original data source are connected, stored in external databases: DGT [4A], SECURE [4B], IVTM [4CJ, ITV [4D], and others we need for your inquiry .  As the initial configuration of the vehicle, the database will be created that will be located in the system memory, having the owner as the only authorized user.  The information of the other authorized users, as well as the rules to be validated, will be introduced through the web interface that we have already commented.  Some of the rules will not be modifiable by the user, since they are mandatory from DGT 20 and must come from the factory, such as: -The user / driver must have a certain number of points on the driving license.  -The user / driver must have valid insurance associated with the vehicle he wants to start.  25 -The vehicle must have a valid ITV.  and many other rules that can be considered mandatory and therefore cannot be modified.  The extra rules will be those added by the vehicle owner: 30 -User X has permission to start the vehicle.  -User Y cannot start the vehicle on Saturdays after 21:00.  In this case of industrial application for motor vehicles, the fundamental database from which to extract almost all the information to validate the rules is the source of the DGT.  The database of rules and authorized users is updated periodically through the internet connection, so that the information held by the device is always valid.  10 For each [3D] query, a response [3E] is generated and sent through the network [Tx] to the central unit [3] for verification [3F].  The answers will typically be of the YES / NO type, indicating whether it satisfies the rule in question or not.  In the verification phase [3F] it is determined whether the data obtained in the consultations are positive or not (complies), in a positive way, (YES) allowing access to the motor vehicle [61 either access door [6A] or to the motor vehicle start system [6B], or negatively (NO), so we leave the system (OUT).  In the event that all restrictions are satisfied, the vehicle can start.  Within the same rules, permissiveness levels can be established, specifying what would happen in case some "minor" rule is not met; It may even allow the user to start under certain circumstances, for example, it is outside the range of action allowed for said user to use the vehicle.  25 30 In the case of (possible) NO and (complies) NO, it goes to (Out) because the data is not valid and there is an output of (access) being displayed on the system message display screen [5]. Denial data and road safety status of the vehicle.  The central unit [3] needs a power supply to operate correctly.  The necessary voltage is obtained from the battery of the vehicle itself through a specific current regulator.  To adapt to the current circumstances of the 5-vehicle market, two versions are different, one basic and one standard, with the following characteristics and differences: 1. -Basic version: for vehicles registered without self-diagnosis, that is, without Electronic Control Unit (ECU), with key notches and without display screen, which requires a previous installation of the central unit [3], the port of access (validator) [2], system message display screen [5] and the user identification element [1].  2. -Standard version: for vehicles registered with self-diagnosis to 15 through the Electronic Control Unit (UCE) and the newly manufactured ones, so it requires the installation of the Central Unit [3], connected to the Electronic Control Unit (UCE).  You can use as the data input port [2A], the start contact, according to each model.  As the user identification element [lA], the vehicle key could be used if it were programmable and could be associated with the unique user identifier that the system needs.  If this is not possible, an added user identification element must be incorporated, containing the encrypted and signed key that identifies the user (user identification number) [lA].  In this case, we would have to use two keys: the usual vehicle key 25 for starting the engine and the user identification element to validate said start.  As a message display screen [5] you can use the dashboard or control panel on the dashboard of the vehicle to give information and road safety notices.  30 The warning messages launched by the system are displayed on a screen that can come standard installed in the vehicle or add a own if you do not have it, being able to associate a Smartphone terminal via Bluetooth to the system, so that the messages would appear on the screen of said Smartphone.  5 Through the web interface, the vehicle owner may consult statistics related to attempts to access the vehicle, as well as manage access to it, granting or restricting access to other users or creating new rules.  10 DESCRIPTION OF THE ELEMENTS OF FIGURE 2 ADAPTED TO INDUSTRIAL APPLICATION Figure 2 applies to this exemplary embodiment being a schematic representation in block diagram of the security system by electronic documentation for access to resources, places and devices of the present invention and its industrial application in motor transport vehicles.  20 Next we enumerate and describe the elements that integrate the realization in motor vehicles of the present invention: 1 Footprint, key, card and / or Smartphone for access to the starting of the vehicle (user identification element).  2 Lock or access port to the engine start contact (validator).  25 3 Central unit.  CPU type, consists of current or future SBC board, with a power input that comes from the battery with a power regulator, a USB type or similar data input port, a video output and SIM card reader for connection to internet via 3G (or 4G •••), also connects to an electric actuator 30 with two relays that sends the desired electrical pulse so that it Activate the relay and therefore start the vehicle.  In said plate a file will be arranged in any format of computer storage, in which the data of the vehicle by the manufacturer and the owner will be specified after registration.  5 4 External databases of the origin of documents.  10 5 System message display screen.  It informs of the access to the start and warns of the state of the car's road safety.  6 Resource to access: motor vehicle starting system.  7 Operating power module.  In the following list we list and define the subsystems used in the development of the present invention in motor vehicles: lA: User identification element, in any variable format that identifies the driver, and may be the vehicle's ignition key (according to the model), card and / or Smartphone.  2A: Data entry port, any model according to the electronic data support, being the vehicle's starting contact, contactless support or via Wi-Fi, or Bluetooth.  20 3A: DESCRIBED: Process of reading user data and decrypting them.  POSSIBLE: Check if the user data is valid or not, in this case it goes out.  3B: CREATION OF CONSULTATION: Together with the validated information of the user and the list of rules, we create the necessary data queries and send them to the appropriate external databases.  3e: INTERNAL DATABASE WITH RULES: Listed rules to validate stored in the device, may be mandatory and optional.  Mandatory: in this case they are the mandatory official documents 30 and the mandatory minimum road safety data, depending on the type of vehicle and technical characteristics.  They are: a) Manufacturer: vehicle data sheet.  b) Traffic: driving license, infractions, penalties, control points, traffic permit, dates of the inspections 5 mandatory technical vehicle (ITV) scheduled and the date of completion.  c) Owner: National Identity Document (DNI), authorized drivers with their identification by DNI and by personal key or fingerprint, insurance of the vehicle and the policy in force with the 10 date of completion.  d) City Hall: tax on mechanical traction vehicles (IVTM).  Optional: in addition to the mandatory configuration, it allows 15 to increase the road safety of the vehicle, with the expansion of the number of mandatory fields for starting the vehicle through an extra configuration of the Central Unit that adjusts the type of vehicle and its driving to the legislation valid, such as driving hours, maximum authorized weight, number of occupants, inflation pressure of 20 tires, etc.  any failure in the vehicle that causes a decrease in road safety and an increase in driving risk.  The mandatory and optional documents of the motor vehicle vary according to the laws in force in each country, so this device adapts to the existing transport and road safety laws of each country.  3D: CONSULTATION: User connection, rules and databases.  3E: ANSWER: The query is correct and sent to the central unit.  30 3F: VERIFICATION: decides whether the results obtained in the consultations they satisfy the necessary conditions for the start: rules and user.  FULFILL: it can be positive: YES allowing access or be negative: NO and go Outside.  OUT: In case the data obtained is not valid, an output is produced and the reasons for that output are shown on the screen.  ACCESS: access to the resource is granted by the indicated user.  4A: External database of the origin of documents of the General Directorate of Traffic (DGT).  48: External database of the origin of documents of the 10 insurance companies of the vehicle (INSURANCE).  4C: External database of the origin of documents of the Local City Council, tax on vehicles of mechanical traction (IVTM).  40: External database of the origin of documents of the Technical Inspection of Vehicles (ITV).  15 5: System message display screen, dashboard or control panel on the vehicle dashboard.  To be installed if the system is not installed as standard and is not integrated with the vehicle control unit.  Optionally, a bluetooth device is added that allows the user 20 to receive system messages on a Smartphone mobile phone, thus avoiding the installation of an external display.  25 6A: Place, access door.  68: Device, motor vehicle start system.  7: Source of energy.    

Claims (9)

CLAIMS 5 1. Electronic documentation security system for access to resources, places and devices, characterized in that it is made up of: 10 a. A user identifier element [lA] that uniquely identifies the user and a validator for said identifier element [2A]. b. Central unit [3] CPU type, made up of SBC or similar board, a USB or similar type data input port, contactless or via Wi-Fi, or Bluetooth [2A], a video output, SIM card reader for connection to Internet via 3G (or 4G ...) and port of 15 connection for external administration of users and rules. c. Databases [4] to which the rules refer, contain the relevant information of the user and the resource and that are used to validate these rules. d. Operating power system [7] that controls the supply of electrical power to the central unit system. In the memory of the central unit [3] a set of rules [3e] is stored that must be validated [3F] to allow access. 2. Electronic documentation security system for access to 25 resources, places and devices, according to claim 1, characterized in that the user identifier element [lA] is of the key, card and / or Smartphone type and that it contains a unique alphanumeric code (user identifier number) encrypted and digitally signed that uniquely identifies the user. Said code is also associated with the user-identifier element pair. In this way, there are no two identifying elements that identify the same user or two users identified by the same element. identifier, thus ensuring the security of the system. 3. Electronic documentation security system for access to resources, places and devices, according to claim 1, characterized in that the user identifier [lAJ is biometric (fingerprint, eye, voice, DNA ...) that it uniquely identifies the user and is also associated with an alphanumeric identifier within the system (user identifier number). In this case, a user can have more than one element registered in the system that uniquely identifies him (for example, the fingerprint of the index finger of the right hand and the left eye), in which case, the readings of each of they will be associated with the same alphanumeric user identifier within the system. 15 4. Electronic documentation security system for access to resources, places and devices, according to claim 1, 2 or 3, characterized in that it adds a remote server that performs the functions of link between the user, the user identifier element [lAJ , the central unit [3J and the external databases [ 4 A-20 B-C-D -...]. Transferring part of the system's operating logic to a remote location and from where the administration of various access control systems belonging to the same user is concentrated. 25 5. Electronic documentation security system for access to resources, places and devices, according to claim 1, 2 or 3, characterized in that the databases [4 J that contain the reliable and relevant information to validate the rules, are remote and accessible using mobile connection through a query [3B-3D]. 30 6. Electronic documentation security system for access to resources, places and devices, according to claim 1, 2 or 3, characterized by having a system message display screen [5] which shows the requirements that the user meets and does not meet when attempting to access the resource. 5 7. Electronic documentation security system for access to resources, places and devices, according to claim 1, 2 or 3, characterized by being associated with the mobile device (Smartphone) of the user authenticated at that time (via Bluetooth), so that the System messages are displayed on the mobile screen itself. 10 8. Electronic documentation security system for access to resources, places and devices, according to claim 1, 2 or 3, characterized in that it has an associated web user interface with which the user can create their own key (identifier element 15 of the user) [lA] or cancel it in case of theft or loss immediately. 9. Electronic documentation security system for access to resources, places and devices, according to claim 1, 2 or 3, 20 characterized in that any mobile phone (Smartphone) can be used as an identifying element of the user [lA] and / or as the Central Unit [3] allowing mobile and continuous connectivity with the resources [6] (place or device) in which it is registered as an authorized user.