AT512419A1 - METHOD AND APPARATUS FOR ACCESS CONTROL - Google Patents

Abstract

In a method for access control, access rights data are transmitted from an electronic identification medium to an access control device, wherein the access right data is evaluated in the access control device for determining the access authorization and depending on the detected access authorization a blocking means for selectively enabling or blocking the access is controlled. There is an authentication of the electronic identification medium based on at least one digital certificate instead. The data transmission comprises the use of a key exchange or derivation protocol, whereby at least one secret, common session key is made accessible to the electronic identification medium and the access control device, whereupon the at least one session key is used to establish a secure transmission channel between the electronic identification medium and the access control device the access right data is transmitted via the secure channel from the electronic identification medium to the access control device.

Description

1

The invention relates to a method for access control, in particular in buildings, in which bidirectional data transmission takes place between an electronic identification medium and an access control device and data processing, wherein the data transmission comprises the transmission of access right data from the electronic identification medium to the access control device, wherein the access right data in the access control device for Determining the access authorization to be evaluated and depending on the detected access authorization a blocking means for selectively enabling or blocking the access is controlled.

Furthermore, the invention relates to a device comprising an access control device with a blocking means for selectively enabling or disabling the access and a transmitting / receiving device to allow bidirectional data transmission between an electronic identification medium and the access control device, wherein the access control device data processing means for controlling the data transmission and for determining the access authorization on the basis of received access right data and the data processing means interacting with the blocking means for selectively enabling or disabling the access. There are several possibilities for electronic access control with non-contact systems. Previously known RFID systems consist of an electronic identification medium, such as e.g. an electronic key on which access right data, such as an identification code and / or access conditions such as e.g. authorized access time, authorized date of entry, authorized Φ · φ φ φ Φ * · 2 φ * Φ occurrence date of a user and the like, stored electronically and often referred to as "transponder". is called, and a reader. The transponder is usually constructed without its own energy source and the required energy is obtained from the electromagnetic field of the reader. Furthermore, radio systems are also known in which the electronic identification medium is an active transmitter with its own energy source (for example remote opening of the central locking for motor vehicles).

For larger locking systems with a plurality of locking units and electronic identification media or keys, the access authorizations for easier management are usually stored in an access control center. In this case, the access control center usually has a database in which the individual locking units, the keys and the respective access authorizations can be managed. Via a writing device connected to the access control center, the electronic identification media can be programmed in accordance with the respectively desired access authorizations with access right data.

In WO 2009/094683 Al has been proposed in this context to make the programming of the key with access rights data over a wireless telecommunications network, the access right data is sent from the access control center to a wireless mobile telecommunications device of the respective user or key holder. The access rights data received from the mobile telecommunication device can be made available to a suitable identification medium, which receives a key function in this manner. Inventive 3

In accordance with this, a kind of "online key" is thus created. created because the key can be reprogrammed via the mobile telecommunications network and the corresponding mobile terminal to change in this way the access right data and thus the access authorization of the key holder.

Due to the possibility of remote programming of keys it is no longer necessary to change the access authorizations to obtain access directly to the individual locking units. The locking units can work as autonomous units after installation and initialization and in particular require no network connection.

Although the electronic validation of access authorization generally offers a number of advantages, such as: the possibility of rapid change of authorization data and a much greater coding variety and complexity than a mechanical authorization query, electronically present access authorization data, especially those that are wirelessly transmitted, can be easily and unnoticed intercepted or copied and misused inadequate security precautions.

With the transmission of access rights data from the access control center to mobile telecommunications equipment, for example, the risk associated with the access rights data manipulated or intercepted by unauthorized persons. Security critical attack points also provides the data transfer between the identification medium and the access control device. Furthermore, the access control device itself can be the target of attacks which, for example, aim at destroying the electronic components or circuits responsible for access control. *** "

In the context of the invention, access control devices or closing units are to be understood as meaning electrical, electronic or mechatronic closing units, in particular locks. Closing units may in this case comprise various components, such as e.g. Access devices for identification media, in particular electronic keys, a locking electronics and the like. Access control devices or locking units serve in particular to block access to rooms depending on the access authorization or release and are accordingly intended for installation in doors, windows and the like. Among mechanical clamping units, e.g. Cylinder locks to understand. Mechatronic clamping units are e.g. electric motor driven locking devices, in particular e-cylinder. Electric locking units are e.g. electric door opener.

Under a release agent is within the scope of the invention, e.g. a mechanically acting blocking element which can be moved between a blocking and a releasing position, a mechanical or magnetic coupling element comprising an actuating element, e.g. a handle coupled or decoupled with a locking member, or an electrically locking and / or releasable locking member, such as e.g. an electric door opener, to understand.

The present invention therefore aims to increase the safety of electronically operating access control systems. «· 99 ♦ I« 9999 99 9 99 9 99 9 9 99 9 9999 99 999 _ 999999 999 5 ·, / "·, ·, · .. · ·" · · "·

In order to achieve this object, according to a first aspect of the invention, a method of the aforementioned type provides that the data processing comprises an authentication of the electronic identification medium on the basis of at least one digital certificate and the data transmission comprises the use of a key exchange or derivation protocol, whereby at least one secret, common session key is made accessible to the electronic identification medium and the access control device, whereupon the at least one session key is used to set up a secure transmission channel between the electronic identification medium and the access control device, and the access right data is transmitted via the secure channel from the electronic identification medium to the Access control device are transmitted. By virtue of the fact that the electronic identification medium is authenticated on the basis of at least one digital certificate, users of the access control system who are foreign to the system and therefore not certified or invalidly certified can be identified. Preferably, it is provided that the at least one digital certificate is issued by an access control center. Preferably, the at least one digital certificate is additionally signed by the access control center, so that the certificate can also be checked for authenticity and validity. A digital certificate here is to be understood as a digital data record which confirms certain properties of the identification medium and whose authenticity and integrity can be tested by cryptographic methods. In particular, this is a public-key certificate, which confirms the identification medium as the owner and other properties of a public cryptographic key. Thus, it is a six-hundred-percent ft. · A · · · ft ft

Proof that the public key of an asymmetric encryption method belongs to the identification medium. In particular, the digital certificate is used as part of a dynamic asymmetric authentication method.

It is also essential to the invention to set up a secure transmission channel, the session key required for this purpose being made accessible by a key exchange of the derivation protocol. Here, a key exchange or derivation protocol is an operation in cryptography in order to make two or more communication partners access a common, secret key without transmitting it in plain text. This can be done by someone transferring a key to all partners involved or by creating or deriving a new key during the execution of the protocol. The key exchange of the derivation protocol determines the exact procedure. The session key is then used to encrypt and decrypt the data transmitted between the identification medium and the access control device by means of a symmetric encryption method and to maintain their authenticity.

The procedure is preferably such that the at least one session key is generated or derived in the electronic identification medium and in the access control device on the basis of an access control device-specific access code, preferably on the basis of a random number generated by the identification medium and a random access number generated by the access control device and / or one of the identi - 7

fikationsmedium and a run number generated by the access control device.

The transmission security can be further increased by the fact that the key exchange protocol comprises the generation of a cryptogram using the session key in the access control device and the transmission of the same to the identification medium, wherein the cryptogram is verified in the identification medium using the session key. This process can also be used in the opposite direction. In this case, the key exchange protocol comprises generating a cryptogram using the session key in the identification medium and transmitting it to the access control device, verifying the cryptogram in the access control device using the session key.

The advantage of the inventive method is that all data that does not serve the construction of the secure transmission channel are transmitted in this secure, session-specific channel, whereby the integrity, authenticity and confidentiality of the data is ensured. Thus, for example, the access rights data are transmitted via the secure channel, wherein a supplementary authentication preferably succeeds by signing the access right data from an access control center and transmitting it together with the signature via the secure channel from the electronic identification medium to the access control device.

A further advantage of the procedure according to the invention is that the access control device neither at the access control center nor at a certification authority has to be connected wirelessly or by wire. Rather, the determination of the access authorization in the access control device, including the authentication of the electronic identification medium, the implementation of the key exchange or derivation protocol and the establishment of the secure transmission channel, takes place exclusively on the basis of the access control device and the electronic identification medium or once and permanently stored in the access control device data, such as a manufacturer-stored access control device identification.

A further increase in security succeeds in that the data transmission purely passive by loading the electromagnetic field between the electronic identification medium tion and the access control device. This data transmission works only over a very limited range of about 10 cm, so that listening is difficult.

To solve the problem underlying the invention is provided according to a second aspect of the invention in a device of the type mentioned that the data processing means comprise at least one microcontroller and a Secure Access Module (SAM), wherein the SAM is configured to perform cryptographic functions, and the transmitting / receiving device is arranged in a first area of the access control device and the SAM is arranged in a second area of the access control device. Thus, as many critical operations as possible, e.g. the construction of a secure transmission channel, cryptographic operations, access decisions, log file, blacklist and so on, are bundled in a dedicated component, namely the Secure Access Module (SAM), the SAM being in one of the transmission / Receiving unit separate area of the access control device can be arranged. Preferably, the design here is such that the first area (in which the transmitting / receiving unit is arranged) an unprotected area and the second area (in which the SAM is arranged) is a structurally protected area. This ensures that the SAM is better protected against destruction or manipulation by force or other destructive influences, especially against physical attacks of all kinds.

Advantageously, the microcontroller is arranged in the second area. The microcontroller is preferably connected so that it connects the transmitting / receiving device with the SAM. The microcontroller is preferably arranged interchangeably in the access control device.

By way of example, the protected area is the area behind a drill-up guard or on a side facing away from the access side (for example, the room outside) (for example, the inside of the room). In particular, it can be provided that the access control device is designed for installation in a door and with at least a first handle, such as. a knob or a pusher is provided, wherein the first region of the first handle and the second region of a provided for receiving in an opening of the door leaf area or a second, the first handle opposite, second handle is formed.

To enhance the security of the authorization request, the SAM preferably includes authentication means to authenticate the electronic identification medium based on at least one digital certificate, and is programmed with a key exchange protocol. Furthermore, the SAM is preferably designed or programmed to set up a secure transmission channel between the electronic identification medium and the access control device. Furthermore, it is preferably provided that the SAM comprises an evaluation circuit for determining the access authorization on the basis of the received access right data. The evaluation circuit can be designed as a hardware circuit or realized by software.

The SAM is particularly preferably designed as a microcontroller in chip card or SIM card design, in particular in IC design. Advantageously, the SAM can be interchangeably recorded in an interface, in particular in a slot, so that, for example, the encryption type and the encryption strength can be changed in a simple manner by exchanging the SAM or changing the application running in the SAM.

Preferably, the identification medium is integrated into a mobile telecommunications device, in particular a mobile telephone. In this case, the training is preferably developed such that the transmitting / receiving device for the wireless, preferably inductive data transmission in particular according to the NFC or RFID standard (ISO / IEC 14443) is formed.

The invention will be explained in more detail with reference to embodiments shown schematically in the drawing. 1 shows the schematic structure of an access control system in a first embodiment, FIG. 2 shows a further embodiment of an access control system, FIG. 3 shows a modified embodiment of an access control system, FIG. 4 shows a block diagram of an access control device which is used in an access control system according to FIGS 1, 2 or 3 can be used, and Fig. 5 is a diagram of the simplified protocol procedure in a locking operation.

In Fig. 1, an access control center is designated 1. The objects to which the access is to be controlled by means of the access control system are designated 2 and schematically represented in the present case as houses. The objects 2 each have a door with a e.g. based on RFID closing unit. An administrator 3 manages the access control center 1 and can assign access authorizations. The access control center 1 is connected to a telecommunications network 4, such as a LAN, WLAN, GSM, GPRS or UMTS network and can send via the network 4 access rights data to mobile telecommunications equipment 5. The mobile telecommunication devices 5 are e.g. mobile phones equipped with a key function. The cell phones have, for example, an NFC or RFID module in whose memory the access rights data obtained from the access control center 1 can be written. Now, when the telecommunication device 5 used as a key is brought close to a closing unit, bidirectional data transmission between the corresponding NFC or RFID interface of the telecommunication device 5 and a transmitting / receiving unit of the closing unit is started, in the course of which the access right data is sent to the closing unit be transmitted. If the locking unit detects an access authorization, the lock is released. 12

From the illustration in Fig. 2, there are now various applications. The access control center is again designated 1 and the administrator 3. The access control center 1 has a database 6 or is connected to such a database on which the access right data is stored and managed. The access control center 1 is further connected to a writing unit 7, which is designed, for example, as a writing instrument for RFID tags or transponders. With 8 an RFID transponder is shown, which can be described by the writing unit 7. This corresponds in principle to the conventional method of how RFID transponders can be programmed.

A data connection between a mobile telecommunication onsgerät 5 and the access control center 1 can now be done in various ways as shown in FIG. 2. For example, a wireless connection via various connection protocols, such as WLAN, GSM or UMTS can be made with the Internet 9, wherein the access control center 1 is connected to the Internet 9. Alternatively or additionally, an SMS gateway 10 may be provided so that the data exchange between the access control center 1 and the mobile telecommunication device 5 via a short message service or another push service.

The user 11 of the mobile telecommunication device 5 can in this case, as indicated by the line 12, access the access control center 1 and, if he has the required access rights to the access control center 1, manage the access authorizations. If the user 11 is not the administrator, then 13

granted access to the access control center 1 access designed so that he can only manage his own access permissions and change if necessary. Access to the access control center 1 can take place, for example, via a web interface so that the user 11 can manage his access authorizations with the aid of any internet-capable computer.

The designated in Fig. 2 with 5 mobile telecommunications device may be a cell phone, which is equipped with an NFC module. In this case, the access rights data obtained from the access control center 1 are made available to the built-in NFC module, so that the access right data can be transmitted in the sequence via an NFC connection to the locking unit 13.

In Fig. 2, another mobile telecommunications device 14 is shown, which itself does not assume a key function. Instead, the access rights data transmitted by the access control center 1 are transferred to an external RFID transponder 15. The RFID transponder 15 can then be used independently of the mobile telecommunication device 14 to block locking units 13.

In Fig. 3, a modified access control system is shown, in which, as in the system of FIG. 2, an access control center 1 via an arbitrary communication link, e.g. via the Internet 9, mobile telecommunications devices 5 can provide access rights data. This can also be done via an SMS gateway 10 or another push service. A client computer 16 of a user is also connected to the Internet 9 and can access rights data issued by the access control center 1 14 14

* * · · * * Ft · ft

Proxy mediate. The client computer 16 is connected to a writing unit 17, which is designed, for example, as a writing instrument for RFID tags or transponders. 18, an RFID transponder is shown, which can be described by the writing unit 17.

In Fig. 3, a certification authority 19 is now also involved in the access control system, which is in communication with the access control center 1. The provisioning of the components in the access control system is done as follows, which is usually only required once when a new component is added to the system. The certification authority 19 creates a digital certificate (corresponding to "cert ^" in FIG. 5) for the mobile telecommunication device 5 or the module arranged or installed therein, which performs the key function, such as e.g. a secure element, in particular a secure access module, or the SIM card of the telecommunication device 5.

The module is identified by a system unique ID ("IDmk" in Figure 5). Furthermore, the certification authority 19 creates a digital certificate (corresponding to "certi," in FIG. 5) for a secure element, in particular a secure access module, the access control device or locking unit 13. The module of the access control device 13 is also identified by a unique system ID ("IDj," in Fig. 5).

The application of the access authorizations to the mobile telecommunication device 5 takes place as follows. The access rights data to be transmitted to the mobile telecommunication device 5 are generated in the access control center 1. The access right data consists e.g. from a secret access control individual key (corresponding to "LT" in Figure 5) and a time restriction {corresponds to "Calendar " in Fig. 5). This temporal privilege restriction is signed by the certification authority 19 (see "sc" in Figure 5) to ensure its authenticity. For this purpose, the authorization restriction is transmitted from the access control center 1 to the certification authority 19, which then returns the signed authorization restriction to the access control center 1. There, the individual access right data, which consists of the access control device-specific key and the time restriction of authorization signed by the certification authority 19, are then combined.

Between the access control center 1 and the module of the mobile telecommunication device 5 is via the mobile telecommunication device 5, a secure connection using the digital certificates, which were applied in the provisioning built. This means that the module of the mobile telecommunication device 5 and the access control center 1 as it were communicate directly, the mobile telecommunication device 5 serves only as a mediator (proxy). Via this secure connection, which can run over an insecure communication network 9, the access control data is transmitted to the mobile telecommunication device 5 and stored in the module in a secure manner.

The establishment of the secure connection between the access control center 1 and the module of the mobile telecommunication device 5 can be done in several ways: 1. SMS: The access control center 1 sends an SMS via the SMS gateway 10 to the mobile telecommunication device 16

5, and the mobile telecommunication device 5 thereupon establishes the secure connection to the access control center 1 via which the access rights data are transmitted in a secure manner. 2. Polling: The mobile telecommunication device 5 periodically requests the access control center 1 for new access right data, the transmission takes place as in 1. 3. Push: The mobile telecommunication device 5 is permanently registered at the access control center 1 (eg by depositing the IP address or telephone number) and sends a message to the mobile telecommunication device 5, which then establishes a secure connection to the access control center 1, the transmission takes place as in 1. 4. The user starts the mobile telecommunication device 5 an application that builds the secure connection, the transmission takes place as in 1.

In Fig. 4, the structure of the access control device 13 is now explained in more detail. The access control device 13 has an unprotected area 20, e.g. an outdoor area, and a protected area 21, e.g. an interior, on.

In the unprotected area 20, the transmitting / receiving unit 22 is arranged, e.g. is designed as an RFID read / write device and can exchange data with a passive RFID medium integrated in the mobile telecommunication device 5 or a passive RFID chip card 18. The data transmission can take place, for example, in NFC card emulation mode. In the protected area 21, a microcontroller 23, a Secure Access Module (SAM) 24, a circuit 25 for the electromechanical or electrical driving of a blocking means, not shown, and a hardware clock 26 are arranged. In this case, the blocking means can be set between a locking position and a release position for optional release or locking between a locking position and a locking position Locking the access to be moved. The microcontroller 23 controls the basic functions of the access control device 13 and connects the SAM 24 to the transmitting / receiving unit 22. The communication between the secure module of the mobile telecommunication device 5 or the chip card 18 and the SAM via ISO / IEC 7816-4 commands (APDUs), wherein the microcontroller 23 assumes the function of an APDU proxy. In this case, the application protocol data unit (APDU) generally refers to a communication unit between a chip card and a chip card application (for example, according to the ISO / IEC 7816 standard). The SAM 24 contains the access control logic and a secure memory, as will be explained in more detail in particular with reference to the description of FIG. 5. The microcontroller 23 acts with a schematically indicated acoustic and / or visual signal generator 27, such as e.g. a light ring and a buzzer together to signal the user various operating conditions.

5, the basic sequence of communication between the electronic identification medium 5, in particular the secure module of the mobile telecommunication device 5 or the chip card 18, and the SAM 24 of the access control device 13 is now shown. This is not the actual protocol, but a simplified representation of the underlying principles of the protocol. On the part of the access control device 13, both the microcontroller 23 and the SAM are involved in the communication. The secure module of the mobile telecommunication device 5 or the chip card 18 is referred to in FIG. 5 with the keychain application 28. For the intended authorization and authentication purposes, the following are available: http://www.myspace.com/support functions, the access control device and the electronic identification medium in the initial state have stored the following data:

Identification medium, also referred to below as Mobile Key (MK):

IDmk: a unique identification of the MK certRCA: Certificate of the certification authority that contains the public key pubRcA of the certification authority certMK: Certificate of the MK (contains among others Identifi

ciation data of the MK and the public key pubKMK of the MK and is signed with the private key privRcA of the certification authority) pubKMKi public key of the MK

privKMK > MK LT private key: "Lock token", secret access controller individual key

Calendar: temporal permission restriction sc: Signature of the temporal authorization restriction

A record of LT, Calendar and sc forms the access right data, each record being associated with an access control device identification IDL.

Access Control Device, also referred to as Lock (L) below: IDl: a unique identification of the Lock certßCA: Certificate of the Certification Authority containing the public key pubRCÄ of the Certification Body certi:

Certificate of the lock (includes lock's identification data and Lock's public key pubKL and is signed with private key privRCA of the certificate authority) pubKL: lock privKL private key: lock LT private key: "lock token", secret access control device individual key

The simplified communication protocol is now provided as follows:

First, by the transmitting / receiving unit 22 of the access control device, a (passive) Mobile Key (MK) 28 that is potentially located in the RF field and not actively transmitting itself is detected, whereupon the wake-up sequence is transmitted according to the standard used for transmission (FIG. eg ISO / IEC 14443-3).

In step 1, the access control device starts the communication by transmitting the unique access control device IDL ID. In step 2, by the keychain application of the MK, the access right data assigned to the access control device IDL received in step 1 is determined. If no IDL is found, this means that the MK is not authorized to operate this access control device. • In step 3, a random number randMK is created in the keychain application and buffered. In step 4, the keyfob application transmits the following data to the SAM 24 of the access control device 13: 20 ····························································································. »

the generated random number randMK the unique identification of the MK IDmk the certificate certme • In step 5 the received certificate certMK is verified by the SAM 24 using pubRCA, which is contained in certRCA. In step 6, the SAM 24 of the access control device 13 generates the following values:

the random number randL the digital signature sL, which serves to prove ownership of the private key privKL: sL = sig-privKL (IDMK || randMK || randL), where the operation "|| " representing a sequence of parameters, a session key SKEWC: SKenc-deriveEncLf (randMK || randi,) derived from LT and the random numbers, a session key SKkac for a message authentication code (MAC) derived from LT and the random numbers: SKmac = deriveMaci / r ( randL || randHK) (this is different from SKenc, because the derivation functions have distinctions).

The two session keys are used for session-specific security of the communication. This includes the integrity, the authenticity as well as the confidentiality of the subsequently transmitted data, a cryptogram cL is generated using the session key SKkac / IDl and the random numbers, which proves the knowledge of the lock-specific access code LT of the SAM 24 of the access control device: cL = MACskMAC ( randMK | jrandL || IDL) · • In step 7, the following data is transmitted to the keychain application 28 by the access control device 13:

the generated random number randL 21

the certificate certL the signature sL

the access controller cryptogram cL • In step 8, the keychain application 28 verifies the certificate certL using pubRCAf contained in the certificate certRCA. In step 9, the digital signature sL is verified using the certificate certL, which is possible because the keychain application is in the possession of IDMk and the random numbers. In step 10, the keychain application knows that the access control device is in possession of the pri-vKl key belonging to the public key in certL and performs the following operations:

Generating a SKENC derived from LT and the random numbers: SKENC = deriveEncLT (randMK || randL) Generate a session key SKmac derived from LT and the random numbers for a Message Authentication Code (MAC): SKmac = deriveMacLT (randL || randMK) Verify from cL by generating a MAC c'L = MACskKc (randMK [| randL || IDL) and checking if c'L == cL. If the verification is successful, the keychain application knows that the access control device knows LT and that it communicates using IDl.

Generate a digital signature sMK that serves to prove ownership of the private key privKMK: sMK = sigprivKwK (IDL || randL | lrandMK} ·

Generate a cryptogram Cmk using the session key SKmäcu IDmk and the random numbers:

Cmk = MACsknac (randL || randMK || IDMK) · The cryptogram Cmk «» · · 22 «» · · 22

· · Ft the access control device, the knowledge of the lock-specific access code LT after. In step 11, after the creation of SKEnc and SKmac, a secure channel is established on both sides. Further communication is encrypted with SKENC and authenticated with SKmac. • In order to complete the authentication and authorization process, the keychain application sends cMK, sMk and the calendar corresponding to the IDL in step 12 together with the signature Sc to the access control device. In step 13, the access control device performs the following operations:

The access control device verifies the sMk signature using the certMK certificate that it obtained previously, and then knows that the keychain application owns the privKMK private key that belongs to the public key pubKMK in certMK. With this step, the access control device successfully authenticated the keychain application.

The access control device checks cMK by generating a MAC c'mk = MACskMac {randL] | randMK || IDMK) and checks if c'MK == cMK. If the verification is successful, the access control device knows that the keychain application knows LT and that it communicates authentically with MK.

The access control device checks Calendar using sc and the certRCA certificate and verifies that the keychain application is now authorized. Once the authorization has been established, the keyfob application has been successfully authorized to operate the access control device.

To complete the protocol in step 14, status data is transmitted from the access control device to the keychain application, and blacklist entries for IDI, if any, are communicated to the access control device and stored there.

When all steps have been successfully completed, the access control device may, at step 15, actuate the lock and terminate communication with the keychain application.

Claims (17)

1. A method for access control, especially in buildings, in which a bidirectional data transmission between an electronic identification medium and a access control device and data processing takes place, wherein the data transmission comprises the transmission of access rights data from the electronic identification medium to the access control device, wherein the access right data in the Access control device is evaluated for determining the access authorization and depending on the established access authorization a blocking means for selectively enabling or blocking the access is controlled, characterized in that the data processing comprises an authentication of the electronic identification medium based on at least one digital certificate and the data transmission using a Key exchange or derivation protocol, whereby the electronic at least one secret, common session key is made available, whereupon the at least one session key is used to establish a secure transmission channel between the electronic identification medium and the access control device, and the access right data is transmitted via the secure channel from the electronic identification medium to the access control device become. 2. The method according to claim 1, characterized in that the at least one digital certificate is signed by an access control center. 25 A method according to claim 1 or 2, characterized in that the at least one session key is generated in the electronic identification medium and in the access control device based on an access control device-specific access code, preferably further based on a random number generated by the identification medium and an access control device and / or from a run number generated by the identification medium and by the access control device. A method according to claim 1, 2 or 3, characterized in that the key exchange deriving protocol comprises generating a cryptogram using the session key in the access control device and transmitting it to the identification medium, the cryptogram in the identification medium using the session key is verified. 5. The method according to any one of claims 1 to 4, characterized in that the access right data is signed by an access control center and transmitted together with the signature on the secure channel from the electronic identification medium to the access control device. 6. The method according to any one of claims 1 to 5, characterized in that the data transmission is purely passive by loading the electromagnetic field between the electronic identification medium and the access control device. 26 7. Device, in particular for carrying out the method according to one of claims 1 to 6, comprising a access control device with a blocking means for selectively enabling or blocking the access and a transmitting / receiving device to a bidirectional data transmission between an electronic identification medium and the access control device the access control device comprising data processing means for controlling data transmission and determining access authorization based on received access right data, the data processing means cooperating with the blocking means for selectively enabling or disabling the access, [characterized in that the data processing means comprise at least one microcontroller and one secure Access modules (SAM), wherein the SAM is set up to perform cryptographic functions, and that the transceiver in a first area d he access control device and the SAM is arranged in a second area of the access control device. 8. Apparatus according to claim 7, characterized in that the microcontroller is arranged in the second region. 9. Apparatus according to claim 7 or 8, characterized in that the microcontroller connects the transmitting / receiving device with the SAM. 10. Apparatus according to claim 7, 8 or 9, characterized in that the first area is an unprotected area and the second area is a structurally protected area. 11. Device according to one of claims 7 to 10, characterized in that the access control device for Ein¬ · 27 construction is formed in a door and with at least a first handle, such. a knob or a pusher is provided, wherein the first region of the first handle and the second region of a provided for receiving in an opening of the door leaf area or a second, the first handle opposite, second handle is formed. 12. Device according to one of claims 7 to 11, characterized in that the SAM comprises authentication means for authenticating the electronic identification medium on the basis of at least one digital certificate, and is programmed with a key exchange derive protocol. 13. Device according to one of claims 7 to 12, characterized in that the SAM is designed or programmed to establish a secure transmission channel between the electronic identification medium and the access control device. 14. Device according to one of claims 7 to 13, characterized in that the SAM comprises an evaluation circuit for determining the access authorization on the basis of the received access right data. 15. Device according to one of claims 7 to 14, characterized in that the SAM is designed as a microcontroller in smart card or SIM card design, but in particular in IC design. 16. Device according to one of claims 7 to 15, characterized in that the SAM is interchangeably received in an interface, in particular in a slot. 17. Device according to one of claims 7 to 16, characterized in that the transmitting / receiving device for wireless, preferably inductive data transmission in particular according to the NFC or RFID standard (ISO / IEC 14443) is formed. Vienna, 31.1.2012 Applicant by: