CN101088247B - Controlling access to an area - Google Patents

Publication number
CN101088247B
Authority
CN
China
Prior art keywords
door
voucher
proof
card
user
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2004800207923A
Other languages
Chinese (zh)
Other versions
CN101088247A (en)
Inventor
Phil Libin
Silvio Micali
David Engberg
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Buga Technologies GmbH
Original Assignee
Corestreet Ltd
Application filed by Corestreet Ltd
Priority claimed from PCT/US2004/023015 (WO2005024549A2)
Publication of CN101088247A
Application granted
Publication of CN101088247B
Legal status: Expired - Fee Related

Abstract

An entity controlling access of a plurality of users to at least one disconnected door includes: mapping the plurality of users to a group; for each time interval d of a series of dates, having an authority produce a digital signature indicating that members of the group can access the door during time interval d; causing at least one member of the group to receive the digital signature during time interval d for presentation to the door in order to pass through the door; having the at least one member of the group present the digital signature to the door D; and having the door open after verifying that (i) the digital signature is a digital signature of the authority indicating that members of the group can access the door at time interval d, and (ii) the current time is within time interval d. The at least one member of the group may have a user card and the door may have a card reader coupled to an electronically controlled mechanical lock; the member may receive the digital signature by storing it in the user card and may present it to the door by having the user card read by the card reader.

Description

Controlling group access to doors
Cross-reference to related applications
This application claims priority to U.S. Provisional Patent Application 60/488,645, filed July 18, 2003, which is incorporated herein by reference, and also claims priority to U.S. Provisional Patent Application 60/505,640, filed September 24, 2003, which is incorporated herein by reference, and is a continuation of U.S. Patent Application 10/876,275 (pending), filed June 24, 2004, which claims priority to U.S. Provisional Patent Application 60/482,179, filed June 24, 2003, and is itself a continuation-in-part of U.S. Patent Application 09/915,180, filed July 25, 2001, which is a continuation of U.S. Patent Application 09/483,125, filed January 14, 2000 (now U.S. Patent 6,292,893), which is a continuation of U.S. Patent Application 09/356,745, filed July 19, 1999 (abandoned), which is a continuation of U.S. Patent Application 08/823,354, filed March 24, 1997 (now U.S. Patent 5,960,083), which is a continuation of U.S. Patent Application 08/559,533, filed November 16, 1995 (now U.S. Patent 5,666,416), which claims priority to U.S. Provisional Application 60/006,038, filed October 24, 1995, and is a continuation of U.S. Patent Application 10/409,638 (pending), filed April 8, 2003, which claims priority to the following applications: U.S. Provisional Application 60/370,867, filed April 8, 2002; U.S. Provisional Application 60/372,951, filed April 16, 2002; U.S. Provisional Application 60/373,218, filed April 17, 2002; U.S. Provisional Application 60/374,861, filed April 23, 2002; U.S. Provisional Application 60/420,795, filed October 23, 2002; U.S. Provisional Application 60/421,197, filed October 25, 2002; U.S. Provisional Application 60/421,756, filed October 28, 2002; U.S. Provisional Application 60/422,416, filed October 30, 2002; U.S. Provisional Application 60/427,504, filed November 19, 2002; U.S. Provisional Application 60/443,407, filed January 29, 2003; and U.S. Provisional Application 60/446,149, filed February 10, 2003; the teachings of all of which are incorporated herein by reference.

It is also a continuation-in-part of U.S. Patent Application 10/103,541 (pending), filed March 20, 2002, the teachings of which are incorporated herein by reference, which is itself a continuation-in-part of U.S. Patent Application 09/915,180 (pending), filed July 25, 2001, which is a continuation of U.S. Patent Application 09/483,125, filed January 14, 2000 (now U.S. Patent 6,292,893), which is a continuation of U.S. Patent Application 09/356,745, filed July 19, 1999 (abandoned), which is a continuation of U.S. Patent Application 08/823,354, filed March 24, 1997 (now U.S. Patent 5,960,083), which is a continuation of U.S. Patent Application 08/559,533, filed November 16, 1995 (now U.S. Patent 5,666,416), which is based on U.S. Provisional Application 60/006,038, filed October 24, 1995.

U.S. Patent Application 10/103,541 is also a continuation of U.S. Patent Application 08/992,897, filed December 18, 1997 (now U.S. Patent 6,487,658), which is based on U.S. Provisional Application 60/033,415, filed December 18, 1996, and which is a continuation-in-part of U.S. Patent Application 08/715,712 (abandoned), filed September 19, 1996, which is based on U.S. Provisional Application 60/004,796, filed October 2, 1995. U.S. Patent Application 08/992,897 is also a continuation-in-part of U.S. Patent Application 08/729,619 (now U.S. Patent 6,097,811), filed October 11, 1996, which is based on U.S. Provisional Application 60/006,143, filed November 2, 1995. U.S. Patent Application 08/992,897 is also a continuation-in-part of U.S. Patent Application 08/804,868 (abandoned), filed February 24, 1997, which is a continuation of U.S. Patent Application 08/741,601 (abandoned), filed November 1, 1996, which is based on U.S. Provisional Application 60/006,143, filed November 2, 1995. U.S. Patent Application 08/992,897 is also a continuation-in-part of U.S. Patent Application 08/872,900 (abandoned), filed June 11, 1997, which is a continuation of U.S. Patent Application 08/746,007 (now U.S. Patent 5,793,868), filed November 5, 1996, which is based on U.S. Provisional Application 60/025,128, filed August 29, 1996. U.S. Patent Application 08/992,897 is also based on U.S. Provisional Application 60/035,119, filed February 3, 1997, and is also a continuation of U.S. Patent Application 08/906,464 (abandoned), filed August 5, 1997, which is a continuation-in-part of U.S. Patent Application 08/763,536, filed December 9, 1996 (now U.S. Patent 5,717,758), which is based on U.S. Provisional Application 60/024,786, filed September 10, 1996, and is also based on U.S. Patent Application 08/636,854, filed April 23, 1996 (now U.S. Patent 5,604,804), and also on U.S. Provisional Application 60/025,128, filed August 29, 1996. U.S. Patent Application 08/992,897 is also a continuation-in-part of U.S. Patent Application 08/756,720 (abandoned), filed November 26, 1996, which is based on U.S. Provisional Application 60/025,128, filed August 29, 1996, and is also based on U.S. Patent Application 08/715,712 (abandoned), filed September 19, 1996, and also on U.S. Patent Application 08/559,533, filed November 16, 1995 (now U.S. Patent 5,666,416). U.S. Patent Application 08/992,897 is also a continuation-in-part of U.S. Patent Application 08/752,223, filed November 19, 1996 (now U.S. Patent 5,717,757), which is based on U.S. Provisional Application 60/025,128, filed August 29, 1996, and is also a continuation-in-part of U.S. Patent Application 08/804,869 (abandoned), filed February 24, 1997, which is a continuation of U.S. Patent Application 08/741,601 (abandoned), filed November 1, 1996, which is based on U.S. Provisional Application 60/006,143, filed November 2, 1995. U.S. Patent Application 08/992,897 is also a continuation-in-part of U.S. Patent Application 08/823,354, filed March 24, 1997 (now U.S. Patent 5,960,083), which is a continuation of U.S. Patent Application 08/559,533, filed November 16, 1995 (now U.S. Patent 5,666,416), which is based on U.S. Provisional Application 60/006,038, filed October 24, 1995. U.S. Patent Application 10/103,541 is also based on U.S. Provisional Application 60/277,244, filed March 20, 2001, U.S. Provisional Application 60/300,621, filed June 25, 2001, and U.S. Provisional Application 60/344,245, filed December 27, 2001. All of the above applications are incorporated herein by reference.

U.S. Patent Application 10/409,638 is also a continuation of U.S. Patent Application 09/915,180 (pending), filed June 25, 2001, the teachings of which are incorporated herein by reference, which is itself a continuation of U.S. Patent Application 09/483,125 (now U.S. Patent 6,292,893), filed January 14, 2000, which is a continuation of U.S. Patent Application 09/356,745 (abandoned), filed July 19, 1999, which is a continuation of U.S. Patent Application 08/823,354 (now U.S. Patent 5,960,083), filed March 24, 1997, which is a continuation of U.S. Patent Application 08/559,533, filed November 16, 1995 (now U.S. Patent 5,666,416), which is based on U.S. Provisional Application 60/006,038, filed October 24, 1995. The teachings of all of the above applications are incorporated herein by reference.

U.S. Patent Application 10/409,638 is also a continuation of U.S. Patent Application 10/395,017 (pending), filed March 21, 2003, the teachings of which are incorporated herein by reference, which is itself a continuation of U.S. Patent Application 10/244,695 (abandoned), filed September 16, 2002, which is a continuation of U.S. Patent Application 08/992,897 (now U.S. Patent 6,487,658), filed December 18, 1997, which is based on U.S. Provisional Patent Application 60/033,415, filed December 18, 1996, and which is a continuation-in-part of U.S. Patent Application 08/715,712 (abandoned), filed September 19, 1996, which is based on U.S. Patent Application 60/004,796, filed October 2, 1995, and which is also a continuation-in-part of U.S. Patent Application 08/729,619 (now U.S. Patent 6,097,811), filed October 10, 1996, which is based on U.S. Patent Application 60/006,143, filed November 2, 1995, and which is also a continuation-in-part of U.S. Patent Application 08/804,868 (abandoned), filed February 24, 1997, which is a continuation of U.S. Patent Application 08/741,601 (abandoned), filed November 1, 1996, which is based on U.S. Patent Application 60/006,143, filed November 2, 1995, and which is also a continuation-in-part of U.S. Patent Application 08/872,900 (abandoned), filed June 11, 1997, which is a continuation of U.S. Patent Application 08/746,007 (now U.S. Patent 5,793,868), filed November 5, 1996, which is based on U.S. Patent Application 60/025,128, filed August 29, 1996, and which is also based on U.S. Patent Application 60/035,119, filed February 3, 1997, and which is also a continuation-in-part of U.S. Patent Application 08/906,464 (abandoned), filed August 5, 1997, which is a continuation of U.S. Patent Application 08/763,536 (now U.S. Patent 5,717,758), filed December 9, 1996, which is based on U.S. Patent Application 60/024,786, filed September 10, 1996, and is also based on U.S. Patent Application 08/636,854 (now U.S. Patent 5,604,804), filed April 23, 1997, and U.S. Patent Application 60/025,128, filed August 29, 1996, and which is also a continuation-in-part of U.S. Patent Application 08/756,720 (abandoned), filed November 26, 1996, which is based on U.S. Patent Application 60/025,128, filed August 29, 1996, and is also based on U.S. Patent Application 08/715,712 (abandoned), filed September 19, 1996, and also on U.S. Patent Application 08/559,533, filed November 16, 1995 (now U.S. Patent 5,666,416), and which is also a continuation-in-part of U.S. Patent Application 08/752,223, filed November 19, 1996 (now U.S. Patent 5,717,757), which is based on U.S. Patent Application 60/025,128, filed August 29, 1996, and is also a continuation-in-part of U.S. Patent Application 08/804,869 (abandoned), filed February 24, 1997, which is a continuation of U.S. Patent Application 08/741,601 (abandoned), filed November 1, 1996, which is based on U.S. Patent Application 60/006,143, filed November 2, 1995, and which is also a continuation-in-part of U.S. Patent Application 08/823,354, filed March 24, 1997 (now U.S. Patent 5,960,083), which is a continuation of U.S. Patent Application 08/559,533, filed November 16, 1995 (now U.S. Patent 5,666,416), which is based on U.S. Patent Application 60/006,038, filed October 24, 1995. The teachings of all of the above applications are incorporated herein by reference.
Background of the invention
1. Technical field
This application relates to the field of physical access control, and more particularly to physical access control using processor-actuated locks and related data.
2. Background art
In many cases, such as access to airports, military installations, office buildings and the like, it is very important to ensure that only authorized individuals can access protected areas and devices. Traditional doors and walls may be used to protect sensitive areas, but doors with traditional locks and keys are cumbersome to manage in a setting with many users. For example, once an employee is terminated, it is difficult to retrieve the physical keys that were issued to the former employee during employment. In addition, there is a risk that copies of such keys were made and never surrendered.
Smart doors provide access control. In some cases, a smart door may be equipped with a keypad through which a user enters his or her PIN or password. The keypad may have attached memory and/or an elementary processor in which a list of valid PINs/passwords may be stored. The door can thus check whether the PIN currently entered belongs to the currently valid list. If so, the door opens; otherwise, the door remains locked. Of course, rather than relying (solely) on traditional keys or simple keypads, more modern smart doors may work with cards (such as smart cards and magnetic stripe cards) or contactless devices (such as PDAs, mobile phones, etc.). Such cards or devices may be used in addition to, or instead of, traditional keys or electronic keypads. These magnetic stripe cards, smart cards or contactless devices, designed to be carried by users, may be able to store information that is transmitted to the door. More advanced cards may also have computing and communication capabilities. Corresponding devices on the door may read information from the card, and possibly engage in interactive protocols with the card, communicate with computers, and so on.
One aspect of a door is its level of connectivity. A fully connected door is one that is always connected to some database (or other computer system). For example, the database may contain information about the currently valid cards, users, PINs, etc. In some cases, to prevent an adversary from altering the information flowing to the door, such a connection is secured (for example, by running the wire from the door to the database inside a steel pipe). At the other end, a totally disconnected door does not communicate outside of its immediate vicinity. Between these two extremes there are doors with intermittent connectivity (for example, a wirelessly connected "moving" door that can communicate with the outside only when within range of a ground station, such as the door of an aircraft or truck).
Traditional access control mechanisms have many drawbacks. Fully connected doors are very expensive. The cost of running a secure pipe to a distant smart door may vastly exceed the cost of the smart door itself. Protecting the wire cryptographically, while possibly cheaper, has its own costs (for example, those of protecting and managing cryptographic keys). Moreover, cryptography without steel pipes and security guards cannot prevent a wire from being cut, in which case the no-longer-connected door may be forced to choose between two extremes: always remaining closed or always remaining open, neither of which is desirable. In some cases, fully connecting a door is often not a viable option. (For example, the door of a cargo container below sea level in the middle of the Atlantic Ocean is, in practice, totally disconnected.)
Disconnected smart doors may be cheaper than connected doors. However, traditional approaches to smart doors have their own problems. Consider, for instance, a disconnected smart door capable of recognizing a PIN. A terminated employee is no longer authorized to go through that door; yet, if he still remembers his PIN, he will have no trouble opening such an elementary smart door. It would therefore be necessary to "deprogram" the PINs of terminated employees, which is difficult for disconnected doors. Indeed, such a procedure may be very cumbersome and costly: an airport facility may have hundreds of doors, and dispatching a special team of workers to go out and deprogram all of those doors whenever an employee leaves or is terminated is too impractical.
It is therefore desirable to provide the level of security associated with fully connected doors without incurring the additional costs. As demonstrated, disconnected smart doors and cards do not, by themselves, guarantee the security, convenience and low cost of an access control system.
Summary of the invention
According to the present invention, controlling access includes providing a barrier to access that includes a controller that selectively allows access; at least one administration entity generating credentials/proofs, wherein no valid proofs are determinable given only the credentials and values for expired proofs; the controller receiving the credentials/proofs; the controller determining whether access is presently authorized; and, if access is presently authorized, the controller allowing access. The credentials/proofs may be in one part or may be in separate parts. There may be a first administration entity that generates the credentials and other administration entities that generate the proofs. The first administration entity may also generate proofs, or the first administration entity may not generate proofs. The credentials may correspond to a digital certificate that includes a final value that is a result of applying a one-way function to a first one of the proofs. Each of the proofs may be a result of applying a one-way function to a following one of the proofs. The digital certificate may include an identifier for an electronic device. The credentials may include a final value that is a result of applying a one-way function to a first one of the proofs. Each of the proofs may be a result of applying a one-way function to a following one of the proofs. The credentials may include an identifier for a user requesting access. The credentials/proofs may include a digital signature. The barrier to access may include walls and a door. Controlling access may also include providing a door lock coupled to the controller, wherein the controller allowing access includes the controller actuating the door lock to allow the door to open. Controlling access may also include providing a card reader coupled to the controller, wherein the controller receives the credentials/proofs from the card reader. The credentials/proofs may be provided on a smart card presented by a user. Controlling access may also include providing an external connection to the controller. The external connection may be intermittent. The controller may receive at least a portion of the credentials/proofs using the external connection, or the controller may receive all of the credentials/proofs using the external connection. Controlling access may also include providing a card reader coupled to the controller, where the controller receives the remaining portion of the credentials/proofs from the card reader. The credentials/proofs may be provided on a smart card presented by a user. The credentials/proofs may include a password entered by a user. The credentials/proofs may include user biometric information. The credentials/proofs may include a handwritten signature. The credentials/proofs may include a secret value provided on a card held by a user. The credentials/proofs may expire after a predetermined time.
According further to the present invention, an entity controlling access of a plurality of users to at least one disconnected door includes mapping the plurality of users to a group; for each time interval d of a series of dates, having an authority produce a digital signature SIGUDd indicating that members of the group can access the door during time interval d; causing at least one member of the group to receive SIGUDd during time interval d for presentation to the door in order to pass through the door; having the at least one member of the group present SIGUDd to the door D; and having the door open after verifying that (i) SIGUDd is a digital signature of the authority indicating that members of the group can access the door at time interval d, and (ii) the current time is within time interval d. The at least one member of the group may have a user card and the door may have a card reader coupled to an electromechanical lock; the at least one member of the group may receive SIGUDd by storing SIGUDd in the user card, and may present SIGUDd to the door by having the user card read by the card reader. The authority may cause SIGUDd to be received by the at least one member of the group during time interval d by posting SIGUDd in a database accessible by the at least one member of the group. SIGUDd may be a public-key signature, and the door may store the public key of the authority. The door may also verify identity information about the at least one member of the group. The identity information about the at least one member of the group may include at least one of: a PIN and the answer to a challenge of the door.
According further to the present invention, controlling physical access also includes assigning real time credentials to a group of users; reviewing the real time credentials, wherein the real time credentials include a first part that is fixed and a second part that is modified on a periodic basis, and wherein the second part provides a proof that the real time credentials are current; verifying the validity of the real time credentials by performing an operation on the first part and comparing the result with the second part; and allowing physical access to members of the group only if the real time credentials are verified as being valid. The first part may be digitally signed by an authority. The authority may provide the second part. The second part may be provided by an entity other than the authority. The real time credentials may be provided on a smart card. Members of the group may obtain the second part of the real time credentials at a first location. Members of the group may be allowed access to a second location different and separate from the first location. At least a portion of the first part of the real time credentials may represent a one-way hash applied a plurality of times to a portion of the second part of the real time credentials. The plurality of times may correspond to an amount of time elapsed since the first part of the real time credentials was issued. Controlling physical access may also include controlling access through a door.
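The hash-chain construction described in the first and third Summary paragraphs above (a final value in the credentials, proofs that are each the one-way image of the following proof, and a hash applied as many times as intervals have elapsed), as an added Python example that is not code from the patent. SHA-256, the dictionary layout, the 1-based interval numbering and all names are assumptions of the example, and the authority's signature over the fixed part is left out.

```python
import hashlib
import hmac


def one_way(value: bytes) -> bytes:
    # SHA-256 stands in for the one-way function (assumption of this example).
    return hashlib.sha256(value).digest()


def iterate(value: bytes, times: int) -> bytes:
    """Apply the one-way function `times` times."""
    for _ in range(times):
        value = one_way(value)
    return value


class Authority:
    """Keeps the secret start of the chain and releases one proof per interval."""

    def __init__(self, user_id: str, lifetime: int, seed: bytes):
        self._seed = seed            # never leaves the authority
        self.lifetime = lifetime     # number of intervals the credential covers
        self.revoked = False
        # Fixed first part. In the text this part is digitally signed by the
        # authority; the signature is omitted here to keep the focus on the chain.
        self.credential = {
            "user": user_id,
            "lifetime": lifetime,
            "final_value": iterate(seed, lifetime),
        }

    def proof_for(self, interval: int):
        """Proof for interval i (1-based) is the seed hashed lifetime - i times.

        Revocation is simply the authority no longer releasing proofs.
        """
        if self.revoked or not 1 <= interval <= self.lifetime:
            return None
        return iterate(self._seed, self.lifetime - interval)


def door_allows(credential: dict, proof, current_interval: int) -> bool:
    """Disconnected door: needs only the credential, the proof and its own clock.

    The proof is hashed once per interval elapsed since issuance and must land
    exactly on the final value stored in the credential.
    """
    if proof is None or not 1 <= current_interval <= credential["lifetime"]:
        return False
    candidate = iterate(proof, current_interval)
    return hmac.compare_digest(candidate, credential["final_value"])


def scenario() -> dict:
    """Constructed walk-through: 30 daily intervals, checks on days 4 to 6."""
    seed = bytes(range(32))          # constructed; a real seed would be random
    authority = Authority("user-17", lifetime=30, seed=seed)
    cred = authority.credential
    day4, day5 = authority.proof_for(4), authority.proof_for(5)
    outcome = {
        "day5_proof_on_day5": door_allows(cred, day5, 5),
        # An expired proof does not verify on a later day, and turning it into
        # the day-5 proof would require inverting the one-way function.
        "day4_proof_on_day5": door_allows(cred, day4, 5),
        # Going backwards is easy: hashing today's proof gives yesterday's.
        "hash_of_day5_is_day4": one_way(day5) == day4,
    }
    authority.revoked = True
    outcome["day6_after_revocation"] = door_allows(cred, authority.proof_for(6), 6)
    return outcome


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The door holds no secret and needs no connection: once the authority stops releasing proofs, a revoked card stops working at every door at the next interval boundary.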
According further to the present invention, determining access includes determining whether particular credentials/proofs indicate that access is allowed; determining whether there is additional data associated with the credentials/proofs, wherein the additional data is separate from the credentials/proofs; and, if the particular credentials/proofs indicate that access is allowed and there is additional data associated with the particular credentials/proofs, deciding whether to deny access according to information provided by the additional data. The credentials/proofs may be in one part or may be in separate parts. There may be a first administration entity that generates the credentials and other administration entities that generate the proofs. The first administration entity may also generate proofs, or the first administration entity may not generate proofs. The credentials may correspond to a digital certificate that includes a final value that is a result of applying a one-way function to a first one of the proofs. Each of the proofs may be a result of applying a one-way function to a following one of the proofs. The digital certificate may include an identifier for an electronic device. The credentials may include a final value that is a result of applying a one-way function to a first one of the proofs. Each of the proofs may be a result of applying a one-way function to a following one of the proofs. The credentials may include an identifier for a user requesting access. The credentials/proofs may include a digital signature. The access may be access to an area enclosed by walls and a door. Determining access may include providing a door lock, wherein the door lock is actuated according to whether access is being denied. Determining access may also include providing a card reader that receives the credentials/proofs. The credentials/proofs may be provided on a smart card presented by a user. The credentials/proofs may include a password entered by a user. The credentials/proofs may include user biometric information. The credentials/proofs may include a handwritten signature. The credentials/proofs may include a secret value provided on a card held by a user. The credentials/proofs may expire after a predetermined time. The additional data may be digitally signed. The additional data may be a message that is bound to the credentials/proofs. The message may identify the particular credentials/proofs and include an indication of whether the particular credentials/proofs have been revoked. The indication may be the empty string. The additional data may include a date. The additional data may be a message containing information about the particular credentials/proofs and containing information about one or more other credentials/proofs. Determining access may also include storing the additional data. The additional data may include an expiration time indicating how long the additional data is to be stored. The expiration time may correspond to the expiration of the particular credentials/proofs. Determining access may also include storing the additional data for a predetermined amount of time. The credentials/proofs may all expire after a predetermined time. The additional data may be provided using a smart card. The smart card may be presented by a user attempting to gain access to an area. Access to the area may be restricted using walls and at least one door. The additional data may be for a user different from the user attempting to gain access. Determining access may also include providing a communication link and transmitting the additional data using the communication link. The communication link may be provided with the additional data by a smart card. The smart card may require periodic communication with the communication link in order to remain valid. The smart card may be provided with the additional data by another smart card. The additional data may be selectively provided to a subset of smart cards. Determining access may also include assigning a priority to the additional data. The additional data may be selectively provided to a subset of smart cards according to the priority assigned to the additional data. The additional data may be randomly provided to a subset of smart cards.
According further to the present invention, issuing and disseminating data about a credential includes having an entity issue authenticated data indicating that the credential has been revoked; causing the authenticated data to be stored in a first card of a first user; using the first card to transfer the authenticated data to a first door; having the first door store information about the authenticated data; and having the first door rely on the information about the authenticated data to deny access to the credential. The authenticated data may be authenticated by a digital signature, and the first door may verify the digital signature. The digital signature may be a public-key digital signature. The public key for the digital signature may be associated with the credential. The digital signature may be a private-key digital signature. The credential and the first card may both belong to the first user. The credential may be stored in a second card different from the first card, and the first door may rely on the information about the authenticated data by retrieving such information from storage. The credential may belong to a second user different from the first user. The authenticated data may be first stored in at least one other card different from the first card, and the authenticated data may be transferred from the at least one other card to the first card. The authenticated data may be transferred from the at least one other card to the first card by first being transferred to at least one other door different from the first door. The entity may cause the authenticated data to be stored in the first card by first causing the authenticated data to be stored on a transponder and then having the first card obtain the authenticated data from the transponder. The transponder may be unprotected. The first door may receive information about the authenticated data from the first card by having the authenticated data first transferred to at least one other card different from the first card. The at least one other card may receive information about the authenticated data from the first card by having the authenticated data first transferred to at least one other door different from the first door. The first door may be totally disconnected or intermittently connected.
According to the present invention, a first door receives authenticated data about a voucher of a first user in a process that includes receiving the authenticated data from a first card belonging to a second user different from the first user, storing information about the authenticated data, receiving the voucher, and relying on the stored information about the authenticated data to deny access to the voucher. The authenticated data may be authenticated by a digital signature, and the first door verifies the digital signature. The digital signature may be a public-key digital signature. The public key for the digital signature may be associated with the voucher. The digital signature may be a private-key digital signature. The authenticated data may be stored on the first card by first being stored on at least one other card and then being transferred from the at least one other card to the first card. The authenticated data may be transferred from the at least one other card to the first card by first being transferred to at least one other door different from the first door. The authenticated data may be stored on the first card by first being stored on a transponder and then having the first card obtain it from the transponder. The transponder may be unprotected. The first door may receive the information about the authenticated data from the first card by having the authenticated data first transferred to at least one other card different from the first card. The at least one other card may receive the information about the authenticated data from the first card by having the authenticated data first transferred to at least one other door different from the first door. The first door may be fully disconnected or intermittently connected.
According to the present invention, facilitating immediate revocation of access includes receiving authenticated data about a voucher, storing information about the authenticated data on a first card, and causing a first door to receive the information about the authenticated data. The authenticated data may be authenticated by a digital signature. The digital signature may be a public-key digital signature. The public key for the digital signature may be associated with the voucher. The digital signature may be a private-key digital signature. The voucher and the card may both belong to a first user. If the first card fails to receive a signal of a pre-specified type within a pre-specified time, the first card becomes unusable for access. The voucher may belong to another user different from the first user. The authenticated data may be received by the first card by first being stored on at least one other card different from the first card and then being transferred from the at least one other card to the first card. The authenticated data may be transferred from the at least one other card to the first card by first being transferred to at least one other door different from the first door. The first card may obtain the authenticated data from a transponder. The transponder may be unprotected. The first card may cause the first door to receive the information about the authenticated data by first transferring the authenticated data to at least one other card different from the first card. The first card may cause the at least one other card to receive the information about the authenticated data by first transferring the authenticated data to at least one other door different from the first door. The first door may be fully disconnected or intermittently connected. Eventually, the first card may delete the stored information about the authenticated data from memory. The voucher may have an expiration date, and the first card may delete the stored information about the authenticated data from memory after the voucher has expired. The expiration date of the voucher may be inferred from information specified in the voucher.
According to the present invention, logging events associated with accessing an area includes recording an event associated with accessing the area to provide an event record, and authenticating at least one event record to provide an authenticated record. Recording the event may include recording the time of the event. Recording the event may include recording the type of the event. The event may be an attempt to access the area. Recording the event may include recording the voucher/proof used in connection with the attempt to access the area. Recording the event may include recording the result of the attempt. Recording the event may include recording the existence of data, other than the voucher/proof, indicating that access should be denied. Recording the event may include recording other data related to the area. Authenticating the record may include digitally signing the record. Authenticating at least one event record may include authenticating an event record and authenticating other event records to provide a single authenticated record. The single authenticated record may be stored on a card. The authenticated record may be stored on a card. The card may have another authenticated record stored on it. The other authenticated record may be provided by the card in connection with the card being used to access the area. If the other authenticated record is not verified, access may be denied. A controller may be provided in connection with accessing the area, where the controller further authenticates the other authenticated record. The other authenticated record may be authenticated using a digital certificate. Recording the event may also include the user presenting a card to attempt to access the area. Recording the event may also include the card further authenticating the authenticated record when the user attempts to access the area. A controller may be provided in connection with accessing the area, where the controller and the card jointly further authenticate the authenticated record. Recording the event may include providing correlation generation data that indicates the contents of the authenticated record. The correlation generation data may be bound to the authenticated record. The correlation generation data may be bound to the authenticated record and the resulting binding authenticated. The resulting binding may be digitally signed. The correlation generation data may be a series of numbers, a specific one of which may be assigned to the event. Recording the event may also include authenticating a binding of the specific number and the event. Authenticating the binding may include digitally signing the binding. Authenticating the binding may include one-way hashing the binding and then digitally signing the result. The correlation generation data for the event may include information identifying another event. The other event may be a preceding event. The other event may be a following event. Recording the event may also include associating first and second random values with the event, associating at least one of the first and second random values with another event, and binding at least one of the first and second values to the other event. Providing the correlation generation data may include using a polynomial to generate the correlation information. Providing the correlation generation data may include using a hash chain to generate the correlation information. The correlation generation data may include information about a plurality of other events. The correlation generation data may include an error-correcting code. Recording the event may also include propagating the authenticated record. Propagating the authenticated record may include providing the authenticated record on a card presented by a user attempting to access the area. The area may be defined by walls and a door.
According to the present invention, at least one management entity controls access to an electronic device by the at least one management entity generating a voucher and a plurality of corresponding proofs for the electronic device, where no valid proof can be determined given only the voucher and the values of expired proofs, the electronic device receiving the voucher, the electronic device receiving a proof corresponding to a particular time if access is authorized at that time, and the electronic device using the voucher to confirm the proof. The at least one management entity may generate the proofs after generating the voucher. A single management entity may generate the voucher and generate the proofs. Alternatively, a first management entity may generate the voucher and other management entities may generate the proofs. The first management entity may or may not also generate proofs. The voucher may be a digital certificate that includes a final value, the final value being the result of applying a one-way function to a first one of the proofs. Each proof may be the result of applying the one-way function to a following one of the proofs. The digital certificate may include an identifier of the electronic device. The voucher may include a final value that is the result of applying a one-way function to a first one of the proofs. Each proof may be the result of applying the one-way function to a following one of the proofs. The voucher may include an identifier of the electronic device. The electronic device may be a computer that starts only when access is authorized. The electronic device may be a disk drive. The at least one management entity controlling access to the electronic device may include providing proofs using at least one proof allocation entity that is independent of the at least one management entity. There may be a single proof allocation entity or a plurality of proof allocation entities. The at least one management entity controlling access to the electronic device may include providing proofs using a connection to the electronic device. The connection may be the Internet. At least some of the proofs may be stored locally on the electronic device. The at least one management entity controlling access to the electronic device may include the electronic device requesting a proof through an external connection if the proof for the corresponding time is not available locally. Each proof may be associated with a particular time interval. After the particular time interval associated with a specific proof has elapsed, the electronic device may receive a new proof. The time interval may be one day.
According to the present invention, an electronic device controls access to itself by receiving a voucher for the electronic device and at least one of a plurality of corresponding proofs, where no valid proof can be determined given only the voucher and the values of expired proofs, and by using the voucher to test the at least one of the plurality of proofs. The voucher may be a digital certificate that includes a final value, the final value being the result of applying a one-way function to a first one of the proofs. Each proof may be the result of applying the one-way function to a following one of the proofs. The digital certificate may include an identifier of the electronic device. The voucher may include a final value that is the result of applying a one-way function to a first one of the proofs. Each proof may be the result of applying the one-way function to a following one of the proofs. The voucher may include an identifier of the electronic device. The electronic device may be a computer. The electronic device controlling access to itself may also include the computer starting only when access is authorized. The electronic device may be a disk drive. The electronic device controlling access to itself may include obtaining proofs using a connection to the electronic device. The connection may be the Internet. At least some of the proofs may be stored locally on the electronic device. The electronic device controlling access to itself may include the electronic device requesting a proof through an external connection if the proof for the corresponding time is not available locally. Each proof may be associated with a particular time interval. After the particular time interval associated with a specific proof has elapsed, the electronic device may receive a new proof. The time interval may be one day.
According to the present invention, controlling access to an electronic device includes providing a voucher to the electronic device and, if access is allowed at a particular time, providing a proof corresponding to the particular time to the electronic device, where no valid proof can be determined given only the voucher and the values of expired proofs. The voucher may be a digital certificate that includes a final value, the final value being the result of applying a one-way function to a first one of the proofs. Each proof may be the result of applying the one-way function to a following one of the proofs. The digital certificate may include an identifier of the electronic device. The voucher may include a final value that is the result of applying a one-way function to a first one of the proofs. Each proof may be the result of applying the one-way function to a following one of the proofs. The voucher may include an identifier of the electronic device. The electronic device may be a computer. Controlling access to the electronic device may include the computer starting only when access is authorized. The electronic device may be a disk drive. Controlling access to the electronic device may include providing proofs using at least one proof allocation entity that is independent of the at least one management entity. There may be a single proof allocation entity. There may be a plurality of proof allocation entities. Controlling access to the electronic device may include providing proofs using a connection to the electronic device. The connection may be the Internet. At least some of the proofs may be stored locally on the electronic device. Controlling access to the electronic device may include the electronic device requesting a proof through an external connection if the proof for the corresponding time is not available locally. Each proof may be associated with a particular time interval. After the particular time interval associated with a specific proof has elapsed, the electronic device may receive a new proof. The time interval may be one day.
Description of drawings
Fig. 1A is a schematic diagram of an embodiment of the system described here, which includes a connection, a plurality of electronic devices, a management entity, and a proof allocation entity.
Fig. 1B is a schematic diagram of another embodiment of the system described here, which includes a connection, a plurality of electronic devices, a management entity, and a proof allocation entity.
Fig. 1C is a schematic diagram of another embodiment of the system described here, which includes a connection, a plurality of electronic devices, a management entity, and a proof allocation entity.
Fig. 1D is a schematic diagram of another embodiment of the system described here, which includes a connection, a plurality of electronic devices, a management entity, and a proof allocation entity.
Fig. 2 is a detailed view of an electronic device according to the system described here.
Fig. 3 is a flow chart of the steps performed in connection with an electronic device to determine whether to perform confirmation, according to the system described here.
Fig. 4 is a flow chart of the steps performed in connection with performing confirmation, according to the system described here.
Fig. 5 is a flow chart of the steps performed in connection with generating a voucher, according to the system described here.
Fig. 6 is a flow chart of the steps performed in connection with checking a proof against a voucher, according to the system described here.
Fig. 7 is a schematic diagram of the system described here, including an area to which physical access is restricted.
Embodiment
With reference to Fig. 1A, diagram 20 shows a general connection 22 to which a plurality of electronic devices 24-26 are connected. Although diagram 20 shows three electronic devices 24-26, the system described here can work with any number of electronic devices. The connection 22 can be implemented as a direct electronic data connection, a connection over telephone lines, a LAN, a WAN, the Internet, a virtual private network, or any other mechanism for providing data communication. The electronic devices 24-26 may represent one or more laptop computers, desktop computers (in an office, at an employee's home, or elsewhere), PDAs, mobile phones, disk drives, mass storage devices, or any other electronic device to which it may be useful to restrict access. In an embodiment here, the electronic devices 24-26 represent desktop or laptop computers used by employees of an organization that wishes to restrict access to an electronic device when one of the users/employees leaves the organization and/or a computer is lost or stolen. Of course, there may be other reasons to restrict access to one or more of the electronic devices 24-26, and the system described here can be used with any suitable implementation.
The management entity 28 sets the policy under which users are allowed to access the electronic devices 24-26. For example, the management entity 28 may determine that a specific user U1 no longer has the right to access any of the electronic devices 24-26, while another user U2 may access electronic device 24 but not the other electronic devices 25, 26. The management entity 28 may use any policy to set user access.
The management entity 28 provides a plurality of proofs, which are transmitted to the electronic devices 24-26 over the connection 22. Proofs may also be provided to the electronic devices 24-26 by other means, which are discussed in more detail below. The electronic devices 24-26 receive the distributed proofs and, using internally stored vouchers (described in detail elsewhere in this specification), determine whether access to them should be allowed. Optionally, a proof allocation entity 32 may also be connected to the connection 22 and to the management entity 28. The proof allocation entity 32 provides proofs to the electronic devices 24-26. In an embodiment here, a proof is valid only for one user and one of the electronic devices 24-26 and, optionally, only on a certain date or range of dates.
Proofs may be provided using a mechanism similar to that disclosed in U.S. Patent 5,666,416, which is incorporated herein by reference, in which each electronic device 24-26 receives, as a voucher, a digital certificate signed by the management entity 28 (or another authorized entity). The digital certificate includes a particular value that represents the result of applying a one-way function N times to an initial value. At each new time interval, the electronic device may be presented with a proof consisting of one of the N values obtained by applying the one-way function. In this case, the electronic devices 24-26 can confirm that a proof is legitimate by applying the one-way function repeatedly to obtain the particular value provided in the digital certificate. This mechanism and other possible mechanisms are described in detail elsewhere in this specification.
The vouchers and proofs proposed here may also be provided using one or more products of CoreStreet, Ltd. of Cambridge, Massachusetts, or using any other mechanism for generating unique proofs that 1) can only be generated by the management authority (absent a breach of administrative security); and 2) cannot be used to generate any other proof. Thus, given a legitimate proof P1, an unauthorized user cannot generate another apparently legitimate proof P2 for a different purpose (for example, for a different time interval, a different device, etc.). The issued proofs can therefore be stored and distributed in an unsecured manner, which substantially reduces system cost. Of course, it is advantageous to maintain suitable security for the entity that generates the vouchers and/or proofs and for any proofs that have not yet been issued (such as future proofs).
In addition, an unauthorized user who holds legitimate proofs P1-PN cannot generate a new proof PN+1. This is advantageous in many situations. For example, a terminated employee cannot generate new proofs on his own to gain unauthorized access to his company laptop after termination, even if he still has all of the previous legitimate proofs that were used for the laptop while he was employed by the company.
In an embodiment here, the electronic devices 24-26 are computers having firmware and/or operating system software that performs the processing described here, where proofs are used to prevent unauthorized login and/or access to the computers. On start-up and/or after enough time has elapsed, a computer requires a suitable proof in order to operate. In this embodiment, the functionality described here may be integrated with the standard Windows login system (and with the BIOS or a PXE environment). The management entity 28 may be integrated with Microsoft's ordinary user management tools for corporate networks and allow an administrator to set the account policy for each user. In many cases, the management entity 28 can derive all of the information it needs from existing administrative information, which makes the new functionality nearly transparent to administrators and reduces training and adoption costs. The management entity 28 may run inside the corporate network or be hosted in an ASP model by the laptop manufacturer, the BIOS manufacturer, or another trusted partner. The proof allocation entity 32 may run partly inside the corporate network and partly at a global site. Because proofs are not sensitive information, a globally accessible repository of the proof distribution system may be run as a network service, making proofs available to users outside the corporate network.
In an embodiment here, each computer requires a new proof every day. However, persons skilled in the art will appreciate that the time increment may be changed so that, for example, a computer requires a new proof every week or every hour.
In addition, it is also possible to take advantage of a seldom-used feature of IDE hard disk drives that allows a password to be set on the drive; the password must be presented to the drive before the drive will spin up and allow its contents to be accessed. If the drive's firmware is modified to use the system described here, access to the hard disk drive can be restricted so that the drive cannot be accessed even if it is placed in a different computer. This feature may be implemented with other types of hard disk drives.
In other embodiments, the system may be used to control access to data files, physical disks, logical volumes, and the like. In some cases, such as restricting access to files, it may be useful to make suitable modifications to the corresponding operating system.
With reference to Fig. 1B, diagram 20' shows another embodiment with a plurality of management entities 28a-28c. Although diagram 20' shows three management entities 28a-28c, the system described here can work with any number of management entities. In the embodiment shown in diagram 20', it is possible for one of the management entities 28a-28c (e.g., management entity 28a) to generate the vouchers while the other management entities (e.g., management entities 28b, 28c) generate the proofs, or for all of the management entities 28a-28c to generate proofs. Optionally, the proof allocation entity 32 may be used.
With reference to Fig. 1C, diagram 20'' shows another embodiment with a plurality of proof allocation entities 32a-32c. Although diagram 20'' shows only three proof allocation entities 32a-32c, the system described here can work with any number of proof allocation entities. The embodiment shown in diagram 20'' may be implemented using technology provided by Akamai Technologies Incorporated of Cambridge, Massachusetts.
With reference to Fig. 1D, diagram 20''' shows another embodiment with a plurality of management entities 28a'-28c' and a plurality of proof allocation entities 32a'-32c'. Although diagram 20''' shows only three management entities 28a'-28c' and three proof allocation entities 32a'-32c', the system described here can work with any number of management entities and proof allocation entities. The embodiment shown in diagram 20''' combines the features of the embodiment shown in Fig. 1B with the features of the embodiment shown in Fig. 1C.
With reference to Fig. 2, electronic device 24 is shown in detail as including a confirmation unit 42, voucher data 44, and proof data 46. The confirmation unit 42 may be implemented using hardware, software, firmware, or a combination thereof. Under certain conditions, such as start-up, the confirmation unit 42 receives a start signal that causes it to check the voucher data 44 and the proof data 46 and, based on the result of the check, to generate either a pass signal indicating that a legitimate proof has been presented or a failure signal. The output of the confirmation unit 42 is used by subsequent processing/devices, such as computer boot firmware, to determine whether operation may continue.
In an embodiment here, the electronic device 24 includes an external interface 48 that is controlled by the confirmation unit 42. Like the confirmation unit 42, the external interface 48 may be implemented using hardware, software, firmware, or a combination thereof. The external interface 48 is coupled to the connection 22 and is used to fetch new proofs that may be stored in the proof data 46. Thus, if the confirmation unit 42 determines that the proofs stored in the proof data 46 are insufficient (for example, expired), the confirmation unit 42 signals the external interface 48 to request a new proof over the connection 22. Of course, if the electronic device 24 has been lost and/or stolen, if the user is a terminated employee, or if there is any other reason not to allow access to the electronic device 24, the external interface 48 will not be able to obtain a valid proof. In some embodiments, the external interface 48 prompts the user to make a suitable electronic connection (for example, to connect a laptop computer to a network).
In an embodiment here, time data 52 provides information to the confirmation unit 42 indicating the last time that a valid proof was presented to the confirmation unit 42. This information may be used to avoid requesting proofs too frequently while also preventing too long a wait before a new proof is requested. The interaction and use of the confirmation unit 42, the external interface 48, the voucher data 44, the proof data 46, and the time data 52 are described in detail elsewhere in this specification.
With reference to Fig. 3, flow chart 70 shows the steps performed to determine whether to send a start signal to the confirmation unit 42, that is, whether the confirmation unit 42 should check the voucher data 44 and the proof data 46 to generate a pass or failure signal. Processing begins at a first step 72, which determines whether a start-up operation is being performed. In an embodiment here, proofs are always checked in connection with a start-up operation. Therefore, if it is determined at test step 72 that start-up is being performed, control passes from step 72 to step 74, where the start signal is sent to the confirmation unit 42. Following step 74 is step 76, where the process waits for a predetermined length of time before cycling again. In an embodiment here, the predetermined length of time may be one day, although other durations may be used. After step 76, control returns to test step 72, described above.
If it is determined at test step 72 that a start-up operation is not being performed, control passes from test step 72 to test step 78, which determines whether a predetermined amount of time has elapsed since the confirmation unit 42 was last run. This may be determined using the time data element 52 and perhaps the current system time. In an embodiment here, the predetermined amount of time used at test step 78 is one day. If it is determined at test step 78 that the amount of time since the confirmation unit 42 was last run is greater than the predetermined amount, control passes from test step 78 to step 74, where the start signal is sent to the confirmation unit 42. Following step 74, or following test step 78 if the amount of time is not greater than the predetermined amount, is step 76, described above.
With reference to Fig. 4, flow chart 90 shows the steps performed by the confirmation unit 42 to determine whether a sufficient proof has been received. As described elsewhere in this specification, the confirmation unit 42 sends a pass or failure signal to subsequent processing/devices (such as computer boot firmware or disk drive firmware). Processing begins at a first step 92, where the confirmation unit 42 determines the necessary proof. The necessary proof is the proof that the confirmation unit 42 determines to be sufficient for a pass signal to be sent. The confirmation unit 42 determines the necessary proof by examining the voucher data 44, the proof data 46, the time data 52, and possibly even an internal/system clock. Following step 92 is test step 94, which determines whether a suitable proof is available locally (i.e., in the proof data 46) and whether the locally available proof meets the necessary requirements (described elsewhere in this specification). If so, control passes from step 94 to step 96, where the confirmation unit 42 sends a pass signal. After step 96, processing is complete.
In some embodiments, it may be possible and desirable to obtain future proofs and store them in the proof data 46. For example, a user who expects to be unable to connect to the management entity 28 and/or the proof allocation entity 32 may obtain and store future proofs. In these embodiments, when the electronic device is connected to the management entity 28 and/or the proof allocation entity 32, it may automatically poll for future proofs, which may be provided according to a predefined policy. Alternatively (or in addition), it is also possible for the user and/or the electronic device to explicitly request future proofs, which may or may not be provided according to the controlling policy.
If it is determined at test step 94 that a suitable proof is not available locally (i.e., in the proof data 46), control passes from test step 94 to test step 98, where the confirmation unit 42 determines whether a suitable proof can be obtained externally, for example, as described above, by signaling the external interface 48 to attempt to fetch a proof. If it is determined at test step 98 that the externally provided proof meets the necessary requirements (described elsewhere in this specification), control passes from test step 98 to step 96 where, as described above, the confirmation unit 42 sends a pass signal. In an embodiment here, the externally provided proof is stored in the proof data 46.
If it is determined at test step 98 that a suitable proof cannot be obtained externally, either because there is no suitable connection or for some other reason, control passes from test step 98 to step 102, where the user is prompted to enter a suitable proof. In an embodiment here, if the user is in a location without a suitable electronic connection, the user may call a particular telephone number and receive a suitable proof in numeric form, which can be entered manually into the electronic device in response to the prompt provided at step 102. Of course, the user may receive the proof by other means, such as handwritten, typed, or even published in a newspaper (for example, in the classified section).
Following step 102 is test step 104, which determines whether the user has entered a proof that meets the necessary requirements (as described elsewhere in this specification). If so, control passes from test step 104 to step 96 where, as described above, the confirmation unit 42 sends a pass signal. Otherwise, control passes from test step 104 to step 106, where the confirmation unit 42 sends a failure signal. After step 106, processing is complete.
Referring to FIG. 5, flow chart 120 shows the steps performed to generate the voucher used by confirmation unit 42. The steps of flow chart 120 can be performed by management entity 28, which generates the voucher (and a series of proofs) and provides the voucher to electronic device 24. Other suitable entities (such as an entity authorized by management entity 28) can generate the voucher. In an embodiment herein, a random value is used in connection with generating the voucher and the proofs, and is generally unpredictable. Processing begins at first step 122, where random value RV is generated. Following step 122 is step 124, where index variable I is set to 1. In an embodiment herein, the voucher provided is used for a full year and a new proof is needed every day, so 365 separate proofs can be generated in connection with generating the voucher. Index variable I is used to keep track of the number of proofs generated. Following step 124 is step 126, where initial proof value Y(0) is set equal to the random value RV determined at step 122.
Following step 126 is test step 128, which determines whether index variable I is greater than end value IEND. As described above, in an embodiment herein 365 proofs are generated in connection with generating the voucher, so in this embodiment IEND is 365. For other embodiments, however, IEND can be set to any number.
If it is determined at test step 128 that I is not greater than IEND, control passes from step 128 to step 132, where Y(I) is set equal to the one-way function applied to Y(I-1). The one-way function used at step 132 is a function such that, given the result of applying it, it is nearly impossible to determine the value that was input. Thus, for the one-way function used at step 132, given Y(I), it is very difficult, if not impossible, to determine the input value (Y(I-1) in this case). As used herein, the term one-way function includes any function or operation that appropriately provides this property, including but not limited to conventional one-way hash functions and digital signatures. This property of the one-way function used at step 132 makes it possible to store and distribute issued proofs in an unsecured manner, as described elsewhere in this specification. The voucher and the proofs can be generated at different times, or the proofs can be generated at a later date by the entity that generated the voucher or by another entity. Note that, for other embodiments, it is possible to have Y(I) not be a function of Y(I-1) or of any other Y.
Following step 132 is step 134, where index variable I is incremented by 1. After step 134, control passes back to test step 128, described above. If it is determined at test step 128 that I is greater than IEND, control passes from test step 128 to step 136, where final value FV is set equal to Y(I-1). Note that 1 is subtracted from I because I was incremented beyond IEND. Following step 136 is step 138, where management entity 28 (or another entity that generates the proofs and the voucher) digitally signs the final value, the current date, and other information used in connection with the proofs. In an embodiment herein, the other information can be used to identify a particular electronic device (such as a laptop computer), a particular user, or other information that binds the voucher and the proofs to a particular electronic device and/or user and/or some other property. Alternatively, the date and/or FV can be combined with the other information. For example, it is possible to use an OCSP-like signed message that simply says "device #123456 is valid on 1/1/2004", or to have the bit corresponding to a particular device in a miniCRL be on or off. In these cases, the voucher on the device can authenticate the device (i.e., confirm that the device really is device #123456, etc.). OCSP and miniCRL are known in the art. After step 138, processing ends.
Referring to FIG. 6, flow chart 150 shows the steps performed when confirmation unit 42 determines the validity of a proof. Processing begins at first step 152, where confirmation unit 42 receives the proof (for example, by reading the proof from proof data 44). Following step 152 is step 154, where confirmation unit 42 receives the voucher (for example, by reading voucher data 46).
Following step 154 is test step 156, which determines whether the other information provided with the voucher matches. As described elsewhere in this specification, the other information includes an identification of the electronic device, an identification of the user, or other property-identifying information. If it is determined at test step 156 that the other information associated with the voucher does not match the particular property that the other information describes (for example, the voucher is for a different electronic device or a different user), control passes from test step 156 to step 158, where a fail signal is provided. After step 158, processing ends.
If it is determined at test step 156 that the other information associated with the voucher matches, control passes from test step 156 to step 162, where variable N is set equal to the current date minus the date associated with the voucher (i.e., the number of days since the voucher was issued). Following step 162 is step 164, where the one-way function is applied N times to the proof value provided at step 152. The one-way function used at step 164 corresponds to the one-way function used at step 132, described above.
Following step 164 is test step 166, which determines whether the result obtained at step 164 equals final value FV, which is part of the voucher received at step 154. If so, control passes from test step 166 to step 168, where confirmation unit 42 provides a pass signal. Otherwise, if it is determined at test step 166 that the result obtained at step 164 does not equal the final value FV provided with the voucher at step 154, control passes from test step 166 to step 172, where confirmation unit 42 provides a fail signal. After step 172, processing ends.
Digital signatures can provide an effective form of Internet authentication. Unlike traditional passwords and PINs, digital signatures can provide authentication that is universally verifiable and non-repudiable. A digital signature is produced with a signing key SK and verified with a matching verification key PK. User U keeps its own SK secret (so that only U can sign on behalf of U). Fortunately, key PK does not "betray" the matching key SK; that is, knowledge of PK gives an adversary no practical advantage in computing SK. Therefore, user U can make its own PK as public as possible (so that everyone can verify U's signatures). For this reason, PK is preferably called the public key. Note that the term "user" can denote a user, an entity, a device, or a collection of users, devices and/or entities.
Public keys can also be used for asymmetric encryption. A public encryption key PK can be generated together with a matching decryption key SK. Again, knowledge of PK does not betray SK. Any message can easily be encrypted with PK, but the resulting ciphertext can be easily decrypted only with knowledge of key SK. Therefore, user U can make its own PK as public as possible (so that everyone can encrypt messages for U) while keeping SK private (so that only U can read messages encrypted for U).
The well-known RSA system provides examples of both digital signatures and asymmetric encryption.
An alphanumeric string called a certificate states that a given key PK is the public key of a given user U. An entity, commonly called a certificate authority (CA), generates certificates and issues them to users. A certificate expires after a specified time, typically one year in the case of a public CA. In essence, a digital certificate C consists of the CA's digital signature securely binding together several quantities: SN, a serial number unique to the certificate; PK, the user's public key; U, the user's name; D1, the issue date; D2, the expiration date; and AI, additional information (including no information). In symbols, C = SIG_CA(SN, PK, U, D1, D2, AI).
A public encryption key can also provide a means of authentication/identification. For example, a party that knows that a particular public encryption key PK belongs to a particular user U (e.g., because the party has verified the corresponding digital certificate for U and PK) and wishes to identify U can use PK to encrypt a random challenge C and ask U to respond with the correct decryption. Since only the holder of SK (and thus U) can do this, if the response to the challenge is correct, U is properly identified.
Physical access to an area can be controlled by a system that uses intelligent doors (and/or intelligent virtual doors, described elsewhere in this specification). An intelligent door can verify that the person entering is currently authorized to enter. It is advantageous to provide the door not only with a particular user's voucher but also with a separate proof that the voucher/user is still valid, in a way that can be used securely even by a disconnected door. In an embodiment, such proofs are generated as follows. Assume that a voucher indicates the doors a user may enter. Then, for each voucher and each time interval (e.g., each day), an appropriate entity E (e.g., the entity that decides who is authorized to access which doors at any time, or a second entity working for that entity) computes an authenticated indication (PROOF) that the particular voucher is valid for the specified time interval. (If vouchers do not identify the doors the user is authorized to enter, a PROOF can also indicate the doors for which the voucher is valid during the specified time interval.)
A PROOF of E can consist of a digital signature of E indicating, in an authenticated way, that a particular voucher is valid for a specified time interval, for example SIG_E(ID, Day, Valid, AI), where ID is information identifying the voucher (such as the voucher's serial number), Day is an indication of the specified time interval (typically a given day), Valid is an indication that the voucher is deemed valid (this indication can be omitted if E never signs a similar data string unless the voucher is deemed valid), and AI denotes any additional information deemed useful (including no information). In some cases, E's signature can be a public-key signature (but it can also be a private-key signature, that is, a signature produced and verified with a single secret key known only to the signer and the verifier). If the voucher comprises a digital certificate, one sub-embodiment can consist of a short-lived certificate, that is, a digital signature that re-issues the voucher for the required time interval (for example, a digital certificate specifying the same public key, the same user U and some other basic information, but also specifying start and expiration dates that identify the desired, typically one-day, interval). For example, in the sub-embodiment, letting a short-lived certificate last one day, PROOF can take the form SIG_E(PK, U, D1, D2, AI), where start date D1 indicates the beginning of particular day D and end date D2 indicates the corresponding end of day D, or D1 = D2 = D; or, more simply, using a single date-information field to identify the day in question, SIG_E(PK, U, Day, AI). If E coincides with the original certificate authority, the short-lived certificate PROOF can take the form SIG_CA(PK, U, D1, D2, AI) or SIG_CA(PK, U, Day, AI).
Because a PROOF is authenticated, a user cannot produce his own PROOF for the day (i.e., the PROOF of his own voucher for that day), cannot alter his PROOF of yesterday into his own PROOF of today, and cannot alter another user's PROOF of today into his own PROOF of today. Because PROOFs are essentially unforgeable and unalterable, they need not be protected. Thus, entity E can make PROOFs available at negligible cost. For example, E can publish all the PROOFs of a given day on the Internet (e.g., make them obtainable through Akamai servers or the like), or send the PROOFs to transponders/servers that users can easily reach, for example to a server located at the entrance of an airport (or office building) where many of the doors to be properly accessed are located. This way, an employee coming to work can easily obtain his own PROOF (e.g., by inserting his card into a card reader connected to the server) and store the PROOF on his card, together with his voucher. When the user then presents his card to a door that his voucher authorizes him to access, the door can not only verify the voucher but also receive and verify the PROOF of current authorization, without needing to be connected. The door verifies the PROOF (e.g., E's digital signature, using E's public key, which the door may have stored since installation) and checks that the time interval indicated by the PROOF is correct (e.g., using its own local clock). If all is well, the door grants access; otherwise the door denies access. In essence, the door can be disconnected, yet its PROOF verification is both relatively easy (because the door can receive the PROOF from the most available party: the very user demanding access) and relatively secure (although the door receives the PROOF from arguably the most suspicious party: the very user demanding access). In fact, a user demanding access is typically in physical proximity of the door and can thus provide the PROOF easily, without using any connection to a distant site, so that the scheme operates independently of the door's connectivity. At the same time, at the crucial moment, the user demanding access may be the least trustworthy source of information. Nonetheless, because the user cannot in any way produce or alter a PROOF of his own current validity, the door can be sure that a properly verified PROOF must have been produced by E, and E would not have produced the PROOF if E knew that the user was not authorized for the specified time interval. When a user ceases to be authorized, E stops issuing PROOFs of authorization for that user, and the user can no longer enter the corresponding doors (even disconnected doors), because the user will lack the PROOF that must be verified to grant access. Thus, by using the user demanding access to prove proper and current authorization, the system described herein dispenses with the inconvenience associated with other systems, namely the need to dispatch personnel to reprogram disconnected doors.
This method also makes it possible to manage access to disconnected doors by "role" (or by "privilege"). That is, rather than having a voucher specify the doors its user is authorized to enter and then issuing, e.g., daily, a PROOF of the current validity of the voucher (and rather than issuing a PROOF specifying the doors that a given voucher authorizes its user to enter for a specified time interval), disconnected doors can be programmed (e.g., at installation) to grant access only to users having a particular role. For example, the cockpit door of an aircraft can be programmed to grant access only to pilots (PILOT) and inspectors. Vouchers can be issued to employees primarily to vouch for their identity (which does not change), while each PROOF that E issues, e.g., daily, for a particular voucher can also specify (e.g., in the AI field) the role of its corresponding user on that day. For example, PROOF = SIG_E(ID, Day, PILOT, AI) proves that the user corresponding to the voucher identified by ID is a pilot on that day. This way, employees can "migrate" from one role to the next without having their vouchers re-issued, and without any need to specify, in the user's voucher or in its corresponding daily PROOF, which doors the user can enter that day. Note that the number of such doors can be very large, so specifying within a user's voucher all the doors the user is allowed to enter would be very cumbersome. Moreover, if new doors are added (for example, because new aircraft are purchased), the pilots' vouchers would have to be re-issued to specify the additional doors, which is also very cumbersome.
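The door-side check described above, as an added example that is not code from the patent or its assignee: a disconnected door programmed with allowed roles verifies a role-bearing PROOF offline against its local clock. HMAC-SHA256 stands in for SIG_E (the text allows a secret-key signature known only to signer and verifier), the D1/D2 fields follow the short-lived certificate form, and the key, card identifiers and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import date, timedelta

# Constructed demo key shared by entity E and the door (assumption: the
# secret-key signature variant; a public-key signature would replace HMAC).
ENTITY_KEY = b"constructed-demo-key-for-entity-E"


def _encode(cred_id, d1, d2, role):
    # Unambiguous serialization of the signed fields (ID, D1, D2, role).
    return json.dumps([cred_id, d1.isoformat(), d2.isoformat(), role]).encode()


def issue_proof(cred_id, d1, d2, role, key=ENTITY_KEY):
    """Entity E: PROOF that voucher cred_id holds `role` from day d1 to day d2."""
    tag = hmac.new(key, _encode(cred_id, d1, d2, role), hashlib.sha256).hexdigest()
    return {"id": cred_id, "d1": d1, "d2": d2, "role": role, "tag": tag}


class DisconnectedDoor:
    """Door programmed at installation with a verification key and allowed roles."""

    def __init__(self, allowed_roles, key=ENTITY_KEY):
        self.allowed_roles = frozenset(allowed_roles)
        self.key = key

    def check(self, presented_cred_id, proof, today):
        """Return (granted, reason); `today` is read from the door's local clock."""
        expected = hmac.new(
            self.key,
            _encode(proof["id"], proof["d1"], proof["d2"], proof["role"]),
            hashlib.sha256,
        ).hexdigest()
        # 1. The PROOF must have been produced by E and not altered.
        if not hmac.compare_digest(expected, proof["tag"]):
            return False, "bad signature"
        # 2. The PROOF must belong to the voucher actually presented.
        if proof["id"] != presented_cred_id:
            return False, "proof is for another credential"
        # 3. The current time must fall inside the signed interval.
        if not (proof["d1"] <= today <= proof["d2"]):
            return False, "outside time interval"
        # 4. The role named in the PROOF must be one this door admits.
        if proof["role"] not in self.allowed_roles:
            return False, "role not allowed at this door"
        return True, "ok"


if __name__ == "__main__":
    day = date(2004, 1, 1)  # constructed sample date
    cockpit = DisconnectedDoor({"PILOT", "INSPECTOR"})
    daily = issue_proof("card-0001", day, day, "PILOT")
    print(cockpit.check("card-0001", daily, day))
    print(cockpit.check("card-0001", daily, day + timedelta(days=1)))
```

Once E stops issuing PROOFs for a voucher, the last one ages out of its interval and the door refuses it without ever having been contacted.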
The time interval appropriate for a particular voucher can be specified in the voucher itself, or can be specified by the voucher and the PROOF together. For example, a voucher can specify a particular start date and that it needs to be proven valid every day, while the PROOF can specify time interval 244, meaning that the PROOF refers to day 244 after the start date specified in the voucher.
The system described herein is also advantageous relative to more expensive connected-door systems. For example, assume that all doors are securely connected to a central database, and assume that a sudden power outage occurs (e.g., due to sabotage). The connected doors may then be forced to choose between two extremes: always open (good for safety but bad for security, particularly if terrorists caused the outage) and always closed (bad for safety but good for security). By contrast, in case of a sudden power outage, the system described herein offers a more flexible response: some (no longer) connected doors can remain always closed, others can remain always open, and others still can continue to operate under the disconnected-door access control described herein. That is, doors relying on batteries can open as long as the correct voucher and the correct PROOF are presented. In fact, before the outage occurred, all employees may have received their expected PROOFs as usual.
Of course, entity E can produce PROOFs that specify different time intervals for different vouchers. For example, in an airport facility, police officers and emergency personnel can each day have a PROOF that specifies the following two weeks as the relevant time interval, while all regular employees can have daily PROOFs that specify only the day in question. Such a system can provide better control in case of a long and unexpected power outage. Should such an outage occur, the usual daily distribution of PROOFs may be disrupted and ordinary employees may not receive their daily PROOFs, but police officers and emergency personnel can still carry in their cards the two-week proofs they received the day before, and can thus continue to operate at all the doors they are authorized to enter (e.g., all doors).
It should be appreciated that the method described herein encompasses the use of vouchers that consist of a reduced form of certificate, which can be called a minimal certificate. A minimal certificate can essentially omit the user name and/or the identifier ID of the certificate (or rather, replace the user name and/or the identifier ID with the public key of the certificate, which is unique for each certificate). For example, a minimal-certificate voucher can take the form C = SIG_CA(PK, D1, D2, AI), with the understanding that proper presentation of this voucher includes proving knowledge of the secret key SK corresponding to PK (e.g., by a challenge-response method). The door may know beforehand whether proper presentation of a voucher relative to PK (preferably if currently validated) should result in granting access. Alternatively, a minimal voucher C can specify (e.g., in AI) whether a user who knows the corresponding SK is entitled to enter a particular door. A PROOF for a minimal certificate whose public key is PK can take the form SIG_E(ID, Day, Valid, AI) or SIG_E(PK, Day, Valid, AI), or SIG_E(ID, Day, AI) if it is understood that any similar signature indicates validity by implication. Alternatively, a current PROOF of a minimal certificate can take the form of a re-issued minimal short-lived certificate, e.g., SIG_E(PK, D1, D2, AI), where start date D1 denotes the beginning of particular day D and D2 the corresponding end of day D, or D1 = D2 = D; or SIG_E(PK, Day, AI); or, letting E coincide with the original certificate authority, SIG_CA(PK, D1, D2, AI) or SIG_CA(PK, Day, AI). In general, any method described herein that is directed to certificates should be understood to apply to minimal certificates as well.
An intelligent door can verify the validity and currency of a user's voucher, which can be accompanied by a corresponding proof. A user's use of a voucher/proof to obtain access to an area is similar to the use of a voucher/proof to control access to an electronic device, as described elsewhere in this specification. The following are examples of vouchers/proofs, some of which can be combined with others:
1. A PIN or password, entered at a keypad associated with the door or communicated to the door by the user's card;
2. Biometric information, provided by the user via a special reader associated with the door;
3. A traditional (handwritten) signature, provided by the user via a special signature pad associated with the door;
4. A digital certificate for a public key PK (e.g., such a voucher can be stored in the user's card, and the right user/card can use the corresponding secret key SK to authenticate/identify itself to the door, e.g., via a challenge-response protocol). For example, if PK is a public signature key, the door can ask that a particular message be signed, and the right user, the only one who knows the corresponding secret signing key SK, can provide the correct requested signature; if PK is a public encryption key, the door can ask that a particular challenge ciphertext be decrypted, which can be done by the right user, who knows the corresponding secret decryption key SK;
5. An enhanced digital certificate that includes a daily "validation value" (which ensures that the certificate is valid on this particular date), stored in the user's card and communicated to the door;
6. A digital signature of a central authority confirming that the user's certificate is valid at the current time, communicated to the door by a server or a transponder;
7. A digital certificate stored in the user's card and communicated to the door, and a daily "validation value" communicated to the door by a server or a transponder;
8. A secret stored in the user's card, knowledge of which is proved to the door by an interactive (possibly zero-knowledge) protocol with the door;
9. A secret-key signature of an authority, stored in the user's card, indicating that the user is authorized to enter on a particular day.
Thus, in some cases the voucher/proof is provided as a single item, while in other cases the voucher/proof is provided in separate parts: a voucher and a separate proof. For example, when the voucher/proof consists of an enhanced digital certificate that includes a daily validation value indicating that the certificate is valid on this particular date, is associated with the user and is communicated to the door, the voucher (the enhanced digital certificate) can be provided independently of the proof (the daily validation value), through different means and/or at different times. Similarly, the voucher and the proof can be generated by the same authority or by different authorities.
Referring to FIG. 7, a system 200 is shown that includes area 202, to which physical access is to be restricted. Area 202 is enclosed by a plurality of walls 204-207. Wall 207 has a door 212 that provides egress through to area 202. In other embodiments, more than one door can be used. Walls 204-207 and door 212 provide a barrier to access to area 202. Door 212 can be locked using electronic lock 214, which prevents door 212 from opening until electronic lock 214 receives an appropriate signal. Electronic lock 214 can be implemented using any suitable element that provides the functionality described herein, including but not limited to off-the-shelf electronic locks.
Electronic lock 214 can be connected to controller 216, which provides the appropriate signal to electronic lock 214 to allow door 212 to be opened. In some embodiments, electronic lock 214 and controller 216 can be provided in a single unit. Controller 216 can be connected to input unit 218, which can receive a user's voucher and, optionally, a corresponding proof indicating that the user is currently authorized to enter area 202. Input unit 218 can also receive a hot revocation alert (HRA), which indicates that the user is no longer allowed to enter area 202. HRAs are described in more detail below. Input unit 218 can be any suitable input device, such as a keypad, a card reader, a biometric device, etc.
Optionally, controller 216 can have an external connection 222, which can be used to transfer data to and from controller 216. External connection 222 can be secure, although in some embodiments external connection 222 need not be secure. In addition, external connection 222 may not be needed at all, because the functionality described herein can be provided by a stand-alone unit with no external connection. Where external connection 222 is provided, it can be used to transfer vouchers, proofs and HRAs, and/or for on-line access to area 202. On-line access is described in detail elsewhere herein. Note that external connection 222 can be an intermittent connection, so that, for example, external connection 222 provides connectivity to controller 216 at some times while at other times controller 216 has no external connection. In some cases, external connection 222 can be used to transfer one part of the voucher/proof (such as a PKI digital certificate), while the user presents the remainder of the voucher/proof (such as the daily validation value used with the digital certificate) to input unit 218.
In some embodiments, the user can present card 224 to the input unit. As described elsewhere in this specification, card 224 can be a smart card, a PDA, etc. that provides data (such as a voucher/proof) to input unit 218. Card 224 can obtain some or all of the data from transponder 226. In other examples, card 224 can obtain data from other cards (not shown), from input unit 218 (or some other mechanism associated with access to area 202), or from some other suitable source.
In a first example, the voucher and proof can be maintained using a PIN/password with physical protection. In this example, every morning a server generates a new secret password SU for each authorized user U and communicates the new SU to the specific doors that U is allowed to access. The communication can be sent encrypted over an unsecured link, or can be transferred to the doors by some other secure means. When U reports to work in the morning, the central server causes U's card to receive the current secret password SU. Secret password SU is stored in the secure memory of the card, which can be read only when the card is properly authorized (e.g., by the user entering a secret PIN associated with the card, or by connection with the server or with trusted hardware on the door). Whenever the user attempts to access a door, the card securely communicates SU to the door. The door then checks whether the value SU received from the card matches the value received from the server in the morning and, if so, allows access.
Thus, SU is the user's voucher for the day. An advantage of this system is that each voucher has only a limited duration: if an employee is terminated or his card is stolen, his voucher is useless the next day. However, the system requires some connectivity: at least a brief period of connectivity (preferably every morning) is needed to update the doors. This transmission should be secured (e.g., physically or cryptographically).
In another example, the user's voucher includes a secret-key signature. This example uses signatures, either public-key signatures (such as RSA signatures) or secret-key signatures (such as message authentication codes, or MACs). For example, an access control server uses secret key SK to produce signatures, and the doors have means to verify such signatures (e.g., via the corresponding public key or by sharing knowledge of the same SK). When user U reports to work on the morning of date D, the server causes the user's card to receive a signature Sig that authenticates U's identifying information (e.g., a unique card number, U's secret password, or biometric information such as U's fingerprint) and date D. When U attempts to access a door, the card communicates signature Sig to the door, which verifies the validity of Sig, possibly together with the identifying information provided by U and the date provided by the door's local clock. If all is correct, the door allows access.
In this technique, signature Sig can be regarded as the user's voucher together with the proof. This method has its own advantages: the card need not store secrets, and the doors need not maintain a secure connection to a central server, nor a long list of valid vouchers.
In another example, the user's voucher includes a digital certificate with hash-chain validity proofs similar to those generated by flow chart 120 of FIG. 5. This example uses public-key signatures and a one-way hash function H (implementing a special type of digital signature). A central authority has a key pair: public key PK (known to the doors) and secret key SK, which is not generally known. For user U, the authority generates a random secret value X0 and computes values X1 = H(X0), X2 = H(X1), ..., X365 = H(X364). Because H is a one-way hash function, each value of X cannot be computed from the next value of X. The authority issues to U a digital certificate Cert, signed with SK and containing value X365, valid for one year. Then, when U reports to work on day i, the authority causes the user's card to receive the validation value Xj for that day, where j = 365 - i. When U attempts to access a door, the card communicates validation value Xj and certificate Cert, which contains X365, to the door. The door verifies the validity of Cert with the authority's public key PK and also checks whether applying H i times to Xj produces X365. Note that "one year" and 365 can be replaced by any other time period.
Thus, the user's certificate Cert and validation value Xj make up the user's voucher/proof. This system has many advantages: neither the doors nor the cards need to store any secrets; the doors need not have any secure connection; the certificate can be issued once a year, and thereafter the daily computational load on the central authority is minimal (because the authority only needs to retrieve Xj); and the daily validation values can be provided by unsecured (cheap) distributed transponders, because they need not be secret.
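The hash-chain scheme of FIG. 5, FIG. 6 and the example above, as added illustrative code that is not part of the patent: the authority builds Y(0)..Y(IEND), signs final value FV into the voucher, releases one chain value per day, and the verifier hashes it N times. SHA-256 stands in for H and HMAC-SHA256 for the authority's signature; all names and the key are constructed, and the bound 1 <= N <= IEND is an added check, since for N = 0 the public FV itself would pass.

```python
import hashlib
import hmac
import json
import os
from datetime import date, timedelta

AUTHORITY_KEY = b"constructed-demo-key-for-authority"  # constructed sample key


def H(value):
    """One-way function of steps 132 and 164 (SHA-256 chosen for this example)."""
    return hashlib.sha256(value).digest()


def hash_times(value, n):
    for _ in range(n):
        value = H(value)
    return value


def _sign(fv, issued, device_id, periods, key):
    # Step 138: sign FV, the issue date and the binding information together.
    msg = json.dumps([fv.hex(), issued.isoformat(), device_id, periods]).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def generate_credential(device_id, issued, periods=365, rv=None, key=AUTHORITY_KEY):
    """FIG. 5: Y(0) = RV, Y(I) = H(Y(I-1)) for I = 1..IEND, FV = Y(IEND)."""
    rv = os.urandom(32) if rv is None else rv          # step 122
    chain = [rv]                                       # step 126: Y(0) = RV
    for _ in range(periods):                           # steps 128-134
        chain.append(H(chain[-1]))
    fv = chain[-1]                                     # step 136
    credential = {"fv": fv, "issued": issued, "device_id": device_id,
                  "periods": periods,
                  "sig": _sign(fv, issued, device_id, periods, key)}
    return credential, chain                           # chain stays with the authority


def proof_for(chain, issued, day):
    """Authority side: the proof for day N after issue is Y(IEND - N)."""
    periods = len(chain) - 1
    n = (day - issued).days
    if not 1 <= n <= periods:
        raise ValueError("day is outside the voucher's lifetime")
    return chain[periods - n]


def verify(credential, proof, device_id, today, key=AUTHORITY_KEY):
    """FIG. 6: check binding, compute N, hash the proof N times, compare to FV."""
    expected = _sign(credential["fv"], credential["issued"],
                     credential["device_id"], credential["periods"], key)
    if not hmac.compare_digest(expected, credential["sig"]):
        return False                                   # voucher not signed by authority
    if credential["device_id"] != device_id:           # test step 156
        return False
    n = (today - credential["issued"]).days            # step 162
    if not 1 <= n <= credential["periods"]:            # added bound (see lead-in)
        return False
    return hmac.compare_digest(hash_times(proof, n), credential["fv"])  # steps 164-166


if __name__ == "__main__":
    issued = date(2004, 1, 1)                          # constructed sample data
    cred, chain = generate_credential("device-123456", issued)
    today = issued + timedelta(days=10)
    print(verify(cred, proof_for(chain, issued, today), "device-123456", today))
```

A holder of the day-N proof can derive the proofs for earlier days by hashing forward, but not the proof for day N+1, which is why the daily values can be handed out over unsecured channels.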
The duration of the voucher/proof of user U is usually limited, which is useful in many cases. For example, if U is an airport employee and is terminated, his voucher/proof can expire at the end of the day, after which he can no longer enter the airport's doors. For more precise access control, it may be desirable to have vouchers of shorter duration. For example, if U's voucher/proof includes the hour and minute as well as the date, U can be locked out of the airport within one minute of being terminated. However, vouchers/proofs of shorter duration require more frequent updates, which increases the cost of the system. Thus, there is an inherent trade-off between the desire for short-lived vouchers and the desire for a low-cost system, which can result in vouchers whose duration is sometimes longer than desired. For example, U may need to be locked out of the airport immediately, but his voucher does not expire until midnight. It is therefore desirable to be able to immediately revoke vouchers that have not yet expired.
It should be noted that if voucher/prove to be stored in the safety database that the equal Query Database of door during each request visit then can quite directly be cancelled voucher/prove through from database, removing the voucher that is cancelled/prove always.Yet, make each query safe database both expensive.At first, because this has increased the very big delay of transaction, because the user thinks access door at once, but he must wait quilt to be checked suitably to accomplish.The second, because this communication first-selection is on escape way, to carry out, this can use up with regard to every like a cork, 000 (or more) or do not reach in some cases at all (as aircraft or cargo container the door).The 3rd because single safety database only can be handled limited query load, and duplicate safety database itself very expensive and consuming time (for example, because keep the cost of database security must be double and keep these to copy synchronous effort also must increasing).Therefore, different with the method for current global mechanism, be not communicated with or interrupted connection method (like above-mentioned example) requires communication still less and usually voucher/prove is kept at unclassified transponder or blocks.In this case, remove voucher/prove not enough from database simply.Refer again to above-mentioned example, password SU or mechanism's signature or affirmation value Xj have to deleted from subscriber card or door for a certain reason.In addition, even such deletion does not always guarantee the cancellation of voucher yet, because the voucher that is kept in the unwarranted transponder can be anyone acquisition, comprise malicious attacker, it is preserved voucher and after the subscriber card deletion, attempts to use this voucher at voucher.Thereby, existing even have the usefulness cost efficient solution of finite duration voucher, these solutions itself there is no need to provide the abundant cancellation of not 
out of date voucher/prove.
Revoking a credential/proof can be carried out using a hot revocation alert (HRA), which is a (preferably authenticated) piece of data transmitted to a door that will prevent the door from granting access to a user holding the revoked (though possibly unexpired) credential/proof. For example, an HRA may consist of a digitally signed message indicating that a particular credential/proof has been revoked. Note, however, that simply sending an HRA along a protected connection is an option only for securely connected doors and, as stated above, securely connected doors are very expensive in some cases and impossible (or nearly impossible) to use in others.
It is useful for an HRA to be authenticated, so that an entity to which it is presented can be reasonably sure that the HRA is genuine. Let ID be an identifier of the revoked credential/proof C (in particular, ID may coincide with C itself); then SIG(ID, "REVOKED", AI) may be an HRA, where "REVOKED" stands for any way of signaling that C has been revoked ("REVOKED" may be the empty string if the fact that the credential/proof is revoked can be inferred by other means, such as a system-wide convention that such signed messages are not sent except in case of revocation), and AI stands for any additional information (possibly date information, such as the time when the credential/proof was revoked and/or the time when the HRA was produced, or no information). In particular, the digital signature SIG may be a public-key signature, a secret-key digital signature, or a message authentication code. It is also possible to send an authenticated HRA by suitably encrypting the information. For example, an authenticated HRA may take the form ENC(ID, "REVOKED", AI).
Another noteworthy example of an authenticated HRA is described in U.S. Patent 5,666,416, which is incorporated herein by reference. The issuing authority incorporates into the credential/proof C a public key PK (of a digital signature scheme) that is unique to C, so that a digital signature relative to PK indicates that C is revoked. In a particular embodiment of such a scheme, PK may consist of a value Y1 computed as Y1=H(Y0), where H is a (preferably hashing) one-way function and Y0 is a secret value. When the credential/proof C is revoked, an HRA consisting of just Y0 is issued. Such an HRA can be verified by hashing Y0 and checking that the result matches the value Y1 belonging to the credential/proof C.
Note that a signature may not be required for an HRA. For example, in the case of a securely connected door, just sending (ID, "REVOKED", AI) along the protected connection suffices as an HRA. However, the advantage of authenticated HRAs is that the HRAs themselves need not be secret. Authenticated HRAs, once authenticated by the appropriate authority, can be stored on one or more (possibly geographically dispersed) responders. Moreover, these responders can be unprotected (unlike the issuing authority), because they store no secret information. Higher reliability can be provided at lower cost by replicating multiple unprotected responders. Some other advantages of the authenticated HRA example of U.S. Patent 5,666,416 are: (1) the HRA is fairly short (it can be as short as 20 bytes); (2) it is fairly easy to compute (simply a look-up of the previously stored Y0); and (3) it is fairly easy to verify (just one application of a one-way hash function).
Authenticated HRAs are particularly advantageous for efficient wide-scale propagation, as described further below. When an HRA travels through multiple points on its way to a door, there are multiple opportunities for an incorrect HRA to be inserted into the system. Indeed, an HRA that a door receives neither directly from the issuer nor over a secure connection from the issuer is merely unverified information that a particular credential has been revoked. If the HRA is authenticated, however, the door can easily confirm this unverified information by verifying its authenticity.
In general, an HRA may be specific to a single credential/proof or may provide revocation information about multiple credentials/proofs. For example, if ID1, ..., IDk are identifiers of revoked credentials, an HRA may consist of the single digital signature SIG(ID1, ..., IDk; "REVOKED"; AI). Consider the case of a door that stores information identifying the credentials/proofs that are entitled to access the door. If such a door receives an HRA indicating that one or more credentials/proofs have been revoked, the door need not store the HRA. It is enough for the door to delete the identified credentials/proofs from its memory (or to mark them as "REVOKED" in some way). Then, if a user with a revoked credential/proof attempts access, the door will not allow access, because the presented credential/proof is not currently stored in the door or, if it is stored there, is marked "REVOKED".
Consider now a door that does not store information identifying all permitted credentials/proofs, but instead verifies whether a credential/proof is permitted when it is presented. When a user presents a credential/proof to such a door, the door may first verify whether the credential/proof is valid, disregarding HRAs. (For example, if the credential/proof includes a digital signature, the door verifies the signature. In addition, if the credential/proof includes an expiration time, the door may also verify that the credential/proof has not expired, for example using an internal clock.) But even if all checks pass, the door should still deny access if the credential/proof is indicated as revoked by an HRA. It therefore helps if such a door has information about the relevant HRAs. One way to achieve this is for the door to store every HRA presented to it. In some cases, however, this may be impractical. Consider a system in which many credentials/proofs can be used to get through a door. For example, the Department of Transportation is envisioning a system on the scale of 10,000,000 credentials for the various individuals (including pilots, airport staff, airline employees, porters, managers, truck drivers, police, etc.) who may at some time be allowed to access a particular door. At a conservatively estimated annual revocation rate of 10%, a door would have to store 1,000,000 HRAs by the end of the year, which is a very expensive task (if feasible at all). In addition, if the number of HRAs cannot be determined precisely in advance, the system designers have to overestimate the memory needed for HRAs to be on the safe side, and build even more storage capacity into the door (at higher cost).
This problem can be solved by means of deletable HRAs. This means having an HRA indicate a time component that specifies when the HRA can be safely deleted from memory. For example, in a system with credentials/proofs of limited duration, this can be achieved through the following steps: (1) have the credential/proof include an expiration time, after which the credential/proof should not be accepted by a door as a valid access credential/proof; (2) have the HRA revoking the credential/proof include the expiration time; and (3) after the expiration time, have the door delete from its memory the HRA revoking the credential/proof. For example, the expiration time for a credential/proof may be the time at which the credential/proof expires (and the expiration time may be explicitly included in the credential/proof and authenticated, or it may be implied by system-wide conventions). Deleting the HRA after the expiration time does not harm security. Indeed, if a door does not store the HRA revoking a particular credential/proof, possibly because the HRA was deleted from memory after expiration, then the expired credential/proof will be denied access by the door anyway.
Note that step (2) above is optional in cases where the expiration time can be implied or indicated indirectly in the HRA. For example, the HRA may have the form SIG(C, "REVOKED", AI), and the credential/proof may include its own expiration date. In addition, since deletable HRAs can also be implemented with HRAs that do not indicate the expiration time of the revoked credential, step (1) above is optional. For example, if all credentials in a particular system are valid for at most one day, then all HRAs can be erased after being stored for one day (more generally, if the maximum lifetime of a credential/proof can be inferred in some way, then the corresponding HRA can be erased after being stored for that amount of time). As another example, when a credential/proof with a particular expiration time is presented, the door can look for an HRA revoking that credential. If one exists and the expiration time has passed, the door can safely delete the HRA. Otherwise, the door can store the expiration time in association with the stored HRA and delete the HRA after that time.
A door can delete HRAs after they expire in a number of ways. In some cases, HRA deletion can be carried out efficiently by maintaining a data structure (such as a priority queue) of HRAs ordered by expiration time. Alternatively, the door can periodically review all HRAs in memory and remove those that are no longer needed. As another option, the door can delete an HRA when, on encountering it, the door recognizes that the HRA is no longer relevant. For example, HRAs may be stored in a list that is checked each time a credential is presented for verification. Whenever an expired HRA is encountered in this list, it can be deleted. As yet another option, the door deletes HRAs only as needed, when memory has to be freed (perhaps for other HRAs).
Deletable HRAs can greatly reduce the storage capacity a door needs. Using the above example of 10,000,000 users and a 10% annual revocation rate, if HRAs expire and are deleted after one day on average, then only 2,740 (rather than 1,000,000) HRAs need to be stored. This reduced storage requirement is the greatest potential advantage of deletable HRAs.
It is useful for HRAs to reach doors as quickly as possible, so that doors are notified of credentials/proofs that are no longer acceptable. This is a problem for disconnected doors, but also for fully connected doors. Of course, when an HRA is issued, it can be sent to a fully connected door over the door's connection. However, this transmission may be blocked or jammed by a determined adversary (for example, if the connection to the door is secured by cryptographic means, the adversary may simply cut the wire or alter/filter the signals travelling over it. If the connection to the door is secured by running the wire in a steel pipe, such jamming and blocking may be harder, but not impossible). Such malicious jamming and blocking of HRAs is easier to carry out against intermittently (e.g., wirelessly) connected doors.
To make it harder for an adversary to prevent a door from receiving an HRA, the HRA can be carried by the revoked card itself. For example, when the card communicates with a database or a connected door (or any door that knows the relevant HRA), the HRA can be sent to the card, which can store it. In particular, this can be done without any indication to the user, to protect the HRA from users who may wish to tamper with the card and delete the HRA. This method is more effective if the card carries tamper-resistant hardware components or data (such as encrypted data) that the user cannot easily read or delete. When the card is subsequently used in an attempt to get through any door (even a totally disconnected one), the card can communicate its HRA to the door, which, upon proper verification, can deny access (and, in some cases, store the HRA).
An HRA can be sent to the card over a wireless channel (for example via a pager or cellular network, or via satellite). This can be done even if the card has only limited communication capabilities, for example by placing wireless transmitters at places each user is likely to pass. For example, in a building, such a transmitter can be placed at each building entrance, giving each card an opportunity to receive the transmission whenever the card's user enters the building. Alternatively, transmitters can be placed at the entrances to parking lots, and so on.
To prevent a malicious user from blocking the transmission (for example, by wrapping the card in a material that the transmitted signals cannot easily penetrate), the card may in fact require that it receive periodic transmissions in order to function properly. For example, the card may expect a signal every 5 minutes to synchronize its clock with the system clock, or may expect to regularly receive another (preferably digitally signed) signal, such as a GPS signal, or may expect to have recently observed suitable noise at an appropriate frequency. If such a signal is not received within a reasonable time interval, the card may "lock up" and simply refuse to communicate with any door, which makes it unsuitable for access. Note that such a system may be more economical and more convenient than simply broadcasting all HRAs to all cards, because HRAs are ever-changing messages. Broadcasting HRAs to all cards could thus require building a special-purpose satellite or customizing an existing one. The method above instead takes advantage of widely broadcast signals that are already available and installs local transmitters to carry the messages.
Alternatively, if security policy requires users to wear their cards visibly, as security badges, or to present their cards to a guard at appropriate places (within transmission range), users can be prevented from blocking transmissions to their cards. Other techniques for propagating the HRA for a particular card/credential/proof include using other cards to deliver the HRA to doors. In this technique, card 1 may receive (for example, when obtaining its own daily credential/proof, or wirelessly, or when communicating with a connected door, or when making any other kind of connection) an HRA, HRA2, revoking a credential/proof associated with a different card, card 2. Card 1 can then store HRA2 and communicate HRA2 to a door, which then also stores HRA2. Indeed, card 1 can provide HRA2 to multiple doors, for example to all doors, or all disconnected doors, that card 1 accesses or communicates with during a particular time period (such as a whole day). From then on, any door (even a disconnected one) reached by card 1 can deny entry to the holder of card 2, which contains the revoked credential/proof. Preferably, HRA2 is digitally signed or self-authenticating, and any door reached by card 1 checks the authenticity of HRA2, to prevent the malicious propagation of false HRAs.
This can be enhanced by having a door reached by card 1 communicate the HRA2 it has learned to another card, card 3, that subsequently accesses or communicates with that door. This is useful because card 3 may reach doors that card 1 will not reach, or will reach later than card 3. The process can continue by having these further doors communicate with other cards that reach them. Moreover, some doors, even though not fully connected to a central database, may have connections to each other. Such doors can similarly exchange the HRAs available to them. If cards are capable of communicating with each other, for example when in proximity, they can also exchange information about the HRAs they store.
Note that authenticated HRAs are particularly advantageous for the HRA propagation described here. Indeed, sending HRAs through multiple intermediaries (cards and doors) may provide multiple points of failure, where HRAs may be modified by an adversary or false HRAs may be injected by an adversary. In a sense, unauthenticated HRAs may have become mere unverified information by the time they reach a door. Authenticated HRAs, on the other hand, can be guaranteed to be correct no matter how they reach the door.
Where resources are of little concern, all HRAs can be stored and propagated in this way. It is also possible to adopt some optimizations. For example, a card can manage HRA storage as a door does, deleting expired HRAs to free the card's internal storage and to avoid unnecessary communication with other doors. Minimizing storage and communication is useful in such a system because, even if the number of unexpired but revoked credentials is small, some components (such as some cards or doors) may not have enough memory or bandwidth to handle all unexpired HRAs.
Another possibility for minimizing storage and communication involves selecting which HRAs are propagated through which cards. For example, HRAs may come with priority information indicating the relative importance of spreading knowledge about a particular credential/proof as quickly as possible. For example, some HRAs may be labeled "urgent" while others are labeled "routine" (the priority levels may be as fine or as coarse as appropriate). Devices with limited bandwidth or memory can record and exchange information about higher-priority HRAs and, only if resources permit, attend to lower-priority HRAs. As another example, an HRA that prevents a card from accessing a particular door may be propagated through cards that are more likely to reach that door soon (for example, cards whose credentials enable access to that door or to doors near it). Indeed, cards and doors may engage in communication aimed at establishing which HRAs to accept for storage and/or further propagation. Alternatively, HRAs or the cards that store them may be selected in a way that involves randomness, or a door may provide an HRA to a certain number of cards (such as the first k cards that the door "encounters").
The use of such propagation can reduce the likelihood that a user with a revoked credential/proof will gain entry, because even for a disconnected door the user would have to reach the door before any other user with an updated card provides the appropriate HRA to that door. The exchange of information between cards and doors can help ensure that many cards are quickly informed of a revocation. This approach can also serve as a countermeasure against "jamming" attacks that attempt to disconnect a connected door and prevent it from receiving HRAs. Even if the jamming attack succeeds and the door is never notified of the HRA by the central server or a responder, an individual user's card may still communicate the HRA to the door. Note that the actual method of exchanging HRAs between cards and doors may vary. In the case of a few short HRAs, exchanging and comparing all known HRAs may be most efficient. If many HRAs are put together in one list, the list may include a time indicating when the list was issued by the server. The card and the door can then first compare the issue times of their HRA lists, and the older list can be replaced by the newer one. In other cases, more sophisticated algorithms for finding and reconciling differences may be used.
Efficient HRA propagation can be achieved through the following steps: (1) issue an authenticated HRA; (2) send the authenticated HRA to one or more cards; (3) have the cards send the authenticated HRA to other cards and/or doors; (4) have the doors store the HRAs received and/or transmit the HRAs received to other cards.
It is useful to present some sample HRA uses in detail:
Sequence 1 (directly from the "authority" to the door):
1. Entity E revokes the credential/proof of user U and issues HRA A, which contains the information that the credential/proof has been revoked;
2. A is transmitted to door D via wired or wireless communication;
3. D verifies the authenticity of A and, if verification succeeds, stores information about A;
4. When U attempts to access D by presenting the credential/proof, door D observes that the stored information about A indicates that the credential/proof is revoked, and denies access.
Sequence 2 (from the "authority" to a user's card to the door):
1. Entity E revokes the credential/proof of user U and issues HRA A, which contains the information that the credential/proof has been revoked;
2. Another user U′ comes to work and presents its card to E in order to obtain its current credential/proof;
3. Together with the current credential/proof for U′, HRA A is transmitted to the card of U′; the card stores A (the card may or may not verify the authenticity of A, depending on the card's capabilities);
4. When U′ attempts to access door D, its card transmits its credential/proof together with A to D;
5. D verifies the authenticity of A and, if verification succeeds, stores A;
6. When U attempts to access D by presenting its credential/proof, door D observes that A revokes the credential/proof of U, and denies access.
Sequence 3 (from the "authority" to another door to a user's card to the door):
1. Entity E revokes the credential/proof of user U and issues HRA A, which contains the information that the credential/proof of U has been revoked;
2. A is transmitted to door D′ via wired or wireless communication;
3. D′ verifies the authenticity of A and, if verification succeeds, stores A;
4. Another user U′, with its own credential/proof, presents its card to D′ in order to get through D′. In addition to verifying the credential/proof of U′ and granting entry where appropriate, D′ transmits A to the card of U′. The card stores A (the card may or may not verify the authenticity of A, depending on the card's capabilities);
5. When U′ attempts to access door D, its card transmits its credential/proof together with A to D;
6. D′ verifies the authenticity of A and, if verification succeeds, stores A;
7. When U attempts to access D by presenting its credential/proof, door D observes that A revokes the credential/proof of U, and denies access.
Sequence 4 (from the "authority" to the user's card to the door):
1. Entity E revokes the credential C of user U and issues HRA A, which contains the information that C has been revoked;
2. User U, carrying its card, passes a transmission point located near the building entrance, which causes its card to receive A; the card stores A (the card may or may not verify the authenticity of A, depending on the card's capabilities);
3. When U attempts to access door D, its card transmits A together with C to D;
4. D verifies the authenticity of A and, if verification succeeds, stores A and denies access to U;
5. If U attempts to access D by presenting C again, door D observes that the previously stored A revokes C, and denies access.
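The deletable-HRA store (a priority queue keyed by expiration time) and the card-to-door relaying of sequences 2 to 4 can be combined in one sketch; this is an added example, not code from the patent. HMAC stands in for the authority's signature SIG so that it runs on the standard library, and the key, the JSON encoding and all class and function names are assumptions.

```python
import hashlib
import heapq
import hmac
import json

# Constructed demo key. With a public-key SIG the door would hold only PK
# and no secret; HMAC is used here purely as a stand-in.
AUTHORITY_KEY = b"constructed-demo-key"


def issue_hra(cred_id, expires):
    """Authority: SIG(ID, "REVOKED", AI), AI being the credential's expiry."""
    body = json.dumps({"id": cred_id, "status": "REVOKED", "expires": expires},
                      sort_keys=True).encode()
    tag = hmac.new(AUTHORITY_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_hra(hra):
    """Return the HRA's fields if its tag is authentic, otherwise None."""
    expected = hmac.new(AUTHORITY_KEY, hra["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, hra["tag"]):
        return None
    return json.loads(hra["body"])


class Card:
    def __init__(self, cred_id, expires):
        # Verification of the credential's own signature is assumed elsewhere.
        self.credential = {"id": cred_id, "expires": expires}
        self.carried = []  # HRAs picked up from the authority or from doors

    def learn(self, hras):
        for hra in hras:
            if hra not in self.carried:
                self.carried.append(hra)


class Door:
    def __init__(self):
        self.by_expiry = []  # min-heap of (expires, cred_id)
        self.hras = {}       # cred_id -> authenticated HRA

    def purge(self, now):
        """Delete HRAs whose revoked credential has expired anyway."""
        while self.by_expiry and self.by_expiry[0][0] <= now:
            _, cred_id = heapq.heappop(self.by_expiry)
            self.hras.pop(cred_id, None)

    def receive_hra(self, hra, now):
        """Store an HRA only if it is authentic and not already expired."""
        fields = verify_hra(hra)
        if fields is None or fields["expires"] <= now:
            return False
        if fields["id"] not in self.hras:
            heapq.heappush(self.by_expiry, (fields["expires"], fields["id"]))
            self.hras[fields["id"]] = hra
        return True

    def request_access(self, card, now):
        self.purge(now)
        for hra in list(card.carried):        # card -> door (sequences 2, 4)
            self.receive_hra(hra, now)
        card.learn(list(self.hras.values()))  # door -> card (sequence 3)
        cred = card.credential
        return cred["expires"] > now and cred["id"] not in self.hras


def relay_demo():
    hra = issue_hra("cred-U", expires=100)
    u, other = Card("cred-U", 100), Card("cred-V", 200)
    connected, disconnected = Door(), Door()
    results = [disconnected.request_access(u, now=10)]   # HRA not yet known
    connected.receive_hra(hra, now=11)                   # authority -> D'
    results.append(connected.request_access(other, now=12))     # D' -> card
    results.append(disconnected.request_access(other, now=13))  # card -> D
    results.append(disconnected.request_access(u, now=14))      # U denied
    disconnected.purge(now=100)                          # HRA has expired
    results.append(len(disconnected.hras))
    return results
```

The disconnected door never talks to the authority: it learns the HRA from the second user's card, and drops it again once the revoked credential would have expired on its own.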
Sometimes it is useful to establish, after the fact, who attempted to access a particular door, when, what credential/proof was presented, and whether access was denied or granted. It is also useful to know whether a door's mechanism was jammed, whether a switch or sensor failed, and so on. To this end, it may be desirable to maintain an event log of the events that occur. Such a log is particularly useful if it can be readily obtained at some central location, so that it can be inspected and acted upon. For example, in the case of a hardware failure, a repair crew may need to be dispatched promptly. However, such logs have two main problems.
First, if a door is connected, it is easier to collect logs by sending them over the connection. For disconnected doors, however, collecting event logs is harder. Of course, one way to collect logs is to send someone to each disconnected door to physically carry the logs back to the central location, but this approach is too costly.
Second, for an event log to be trusted, the integrity of the whole system, including the generation, collection and storage of the logs, should be guaranteed. Otherwise, for example, an adversary could create false log records or delete valid ones. Traditional methods, such as physically securing the communication channels and data storage facilities, are very costly (and are not sufficient protection by themselves).
From the existence of a log record, and assuming the log record is valid, a traditional log can conclude that "a certain user accessed a certain door". However, this is inadequate for high-security applications. Suppose user U is accused of damaging some property locked behind door D. A traditional log record can provide only weak evidence that U entered D: one has to trust that nobody maliciously forged the log record. It is therefore desirable for logs to provide much stronger evidence, by being logs that cannot be "manufactured" by an adversary. In particular, an indisputable log may prove that door D (possibly in cooperation with the card of U) created the record in the log.
The system described here addresses this problem as follows: whenever a door receives a credential/proof as part of an access request, the door can create a log record (such as a data string) containing information about the event, for example:
Request time;
Request type (if more than one request is possible, for example if the request is to exit or to enter, or to turn an engine on or off, etc.);
The credential/proof and the identity presented (if any);
Whether the credential/proof was successfully verified;
Whether the credential/proof had a corresponding HRA;
Whether access was granted or denied.
Log records may also include operational data or information about any unusual events, such as current or voltage fluctuations, sensor failures, switch positions, and so on. One way to produce indisputable logs is to have the door digitally sign the event information by means of a secret key (SK). The resulting indisputable log may be represented as SIG(event, AI), where AI stands for any additional information. The signature method used by door D may be public-key or private-key.
It is useful to stress the public key PK relative to which the signature is valid, or the secret key SK used to produce the signature, or the door that produced the signature; an indisputable log may thus be symbolically represented as SIG_PK(event, AI), SIG_SK(event, AI) or SIG_D(event, AI). Such a log is indisputable because an adversary cannot forge the door's signature without knowing the corresponding secret key. On the other hand, the authenticity of the log can be checked by any suitably informed verifier (such as one who knows the door's PK or the door's SK), without having to rely on the integrity of the database that stores the log or of the system that transmits the log. In general, logs can be made indisputable not only by digitally signing each record, but also by using a digital authentication step for multiple records. For example, a door may authenticate multiple events E1, E2, ... by means of a digital signature SIG(E1, ..., E2, AI). As usual, here and elsewhere in this application, a digital signature may mean the process of digitally signing a one-way hash of the data to be authenticated. In particular, stream authentication may be regarded as a special case of digital signature. For example, each authenticated record may be used to authenticate the next (or previous) record. One way to achieve this is to have an authenticated record include the public key (in particular, the public key of a one-time digital signature) used to authenticate the next or another record.
Logs and indisputable logs may also be produced by cards (in particular, a card may produce an indisputable log by digitally signing information about an event E: in symbols, SIG(E, AI)). All the log techniques described here may also be understood to apply to logs produced by cards.
In addition, other daily record can be through door and card acquisition with nothing dispute daily record.For example, during the door access request, card can offer door with (maybe be uncontested) log record of card oneself.But the door audit log writes down also only granted access when door finds that log record " can be accepted ".For example, but thereby the digital signature of door card authentication is identified log record; Or door can verify whether the temporal information in the log record that is included in card is correct according to the come-at-able clock of door.
The nothing dispute daily record of other type also can obtain through generation and/or the evaluation that makes door and card all be devoted to log record.For example, card can be identified log record, and door also can identify at least a portion of log information, and vice versa.In concrete embodiment, card C can be with the signature x=SIG of its log record C(E AI) gives door, and goalkeeper's countersign should be signed, and was expressed as symbol SIG D(x, AI '), vice versa.Perhaps, door and card can calculate event information the associating digital signature (split like key and to calculate by means of the secret signature between door and the card, or with the signature of the signature of door and card be combined into single " multiple " sign calculate).Can use several multiple signature schemes, particularly, the scheme of Micali, Ohta and Reyzin.
Additional information may be included in the log. The additional information can be checked for agreement between what the card reports and what the door reports. For example, the card and the door can each use the clock available to them to include time information in the log record. In addition, the card (and possibly also the door) can include location information (such as location information obtained from GPS) in the log record. Alternatively, if the current location is difficult to obtain (e.g., because GPS reception capability is unavailable), the most recently known location (and how long ago it was established) can be included. In this way, particularly in the case of a mobile door (such as the door of an airplane), it may be possible to establish where the door was located when the event occurred.
Of course, even indisputable log records such as those described above can be maliciously deleted from the database or prevented from reaching the database. To protect against such deletion, it is useful to provide a deletion-detectable log system. Such a system can be built by using: (1) an authentication scheme (such as a digital signature scheme); (2) a correlation generation scheme; and (3) a correlation detection scheme. Given a log event E (part of a series of past and/or future events), the correlation generation scheme can be used to produce correlation information CI, which is then securely bound to E by means of the authentication scheme to produce a deletion-detectable log record. The correlation generation scheme can ensure that, even if the events themselves are uncorrelated and the existence of one event cannot be inferred from the existence of other events, CI is generated in such a way that, for missing log records, no proper correlation information exists, which can be detected using the correlation detection scheme. In some cases, the system can also ensure that, even if some log records are missing, the other log records remain authentic and/or individually indisputable.
In a first example, the correlation information CI of a log record can include a sequential number of the log record. The corresponding correlation detection scheme can consist of noticing a gap in the number sequence. To obtain a deletion-detectable log system, however, a proper binding between CI and the log record must be found, and this may not be easy to achieve even if secure digital signatures are used for the authentication part of the system. For example, having the i-th log record consist of (i, SIG(event, AI)) is not secure, because after deleting a log record the enemy can modify the numbers of subsequent records to hide the gap. In particular, after deleting log record number 100, the adversary can decrement by 1 the numbers of log records 101, 102, and so on. The enemy can thus hide the deletion because, even though the integrity of the event information is protected by the digital signature, the numbering itself is not. Moreover, even digitally signing the number as well may not work. For example, suppose that the i-th log record consists of (SIG(i), SIG(event, AI)). Then the enemy can: (1) observe and remember SIG(100); (2) delete record number 100; (3) replace SIG(101) in the original record 101 with SIG(100), while remembering SIG(101), and so on, to hide the deletion completely.
Neither of the two methods above produces the desired secure binding of CI and log record. Indeed, by secure binding of (1) number information and (2) the event being numbered, we mean that the enemy cannot produce a binding of a number j with the event information of the i-th event Ei when j is different from i, even when given (a) a secure binding of number i with Ei and (b) a secure binding of number j with Ej. For example, the i-th log record can consist of SIG(i, Ei, AI). In this way, the deletion of the i-th log record will be detected given later log records. This is because a later log record carries a number greater than i, which the adversary cannot delete, modify, or replace with the number information of another log record, because it is securely bound to the log record. For example, suppose the enemy deletes log record 100: SIG(100, E100, AI). Unless the adversary can delete all subsequent log records (which would require continuous access to the database), to hide the deletion the adversary would have to create another log record with the same number 100. This is difficult, however, because: (a) the adversary cannot produce a brand-new 100th log record SIG(100, E', AI'), because he does not have the door's secret signing key; (b) the adversary cannot modify an existing log record without invalidating its digital signature (e.g., he cannot change SIG(101, E101, AI101) into SIG(100, E101, AI101), even if he remembers the deleted record SIG(100, E100, AI100)); (c) the adversary cannot extract the part of a signature that indicates log record number 100 and bind it with a digital signature to produce another log record.
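The three record layouts discussed above, run through the same deletion of record 100, as an added example that is not part of the patent text. HMAC-SHA256 stands in for the door's signature SIG (assuming a verifier who knows the door's SK), and the key, events and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

DOOR_KEY = b"constructed-door-signing-key"  # constructed sample secret
EVENTS = [f"enter user=U{n}" for n in (11, 12, 13, 14, 15, 16)]  # constructed


def sig(*fields):
    """Stand-in for the door's SIG(...): HMAC-SHA256 over a JSON array.
    Assumption: the verifier is one who knows the door's SK."""
    return hmac.new(DOOR_KEY, json.dumps(fields).encode(), hashlib.sha256).digest()


def proofs(scheme, i, event, ai):
    if scheme == "plain":      # record is (i, SIG(event, AI))
        return (sig(event, ai),)
    if scheme == "separate":   # record is (SIG(i), SIG(event, AI))
        return (sig(i), sig(event, ai))
    if scheme == "bound":      # record is SIG(i, Ei, AI)
        return (sig(i, event, ai),)
    raise ValueError(scheme)


def build_log(scheme, first, events, ai="door=D7"):
    return [
        {"i": first + k, "event": e, "ai": ai,
         "proof": proofs(scheme, first + k, e, ai)}
        for k, e in enumerate(events)
    ]


def audit(scheme, log):
    """Correlation detection: report invalid signatures and numbering gaps."""
    findings = []
    for k, rec in enumerate(log):
        expected = proofs(scheme, rec["i"], rec["event"], rec["ai"])
        valid = len(expected) == len(rec["proof"]) and all(
            hmac.compare_digest(a, b) for a, b in zip(expected, rec["proof"])
        )
        if not valid:
            findings.append(("bad-signature", rec["i"]))
        if k > 0 and rec["i"] != log[k - 1]["i"] + 1:
            findings.append(("gap", log[k - 1]["i"], rec["i"]))
    return findings


def delete_and_renumber(scheme, log, n):
    """What a party without the door's key can do to the stored log:
    drop record n, then shift every later number down by one, reusing the
    remembered SIG(i) values where the number was signed on its own."""
    idx = next(k for k, r in enumerate(log) if r["i"] == n)
    out = [dict(r) for r in log[:idx]]
    for old, new in zip(log[idx:], log[idx + 1:]):
        rec = dict(new)
        rec["i"] = old["i"]
        if scheme == "separate":
            rec["proof"] = (old["proof"][0], new["proof"][1])
        out.append(rec)
    return out


def run_demo():
    """Audit findings per scheme after record 100 is deleted and hidden."""
    results = {}
    for scheme in ("plain", "separate", "bound"):
        log = build_log(scheme, 98, EVENTS)
        results[scheme] = audit(scheme, delete_and_renumber(scheme, log, 100))
    return results


if __name__ == "__main__":
    for scheme, findings in run_demo().items():
        print(scheme, findings or "deletion not detected")
```

Only the layout that signs the number together with the event leaves the auditor something to find: either a gap in the numbers or records whose signatures no longer verify.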
Such secure binding can also be achieved by means other than jointly digitally signing the record number and the event being numbered. For example, it can be achieved by one-way hashing the record number together with the event being numbered and then signing the hash, in symbols SIG(H(i, Ei, AI)). As another example, it can be achieved by including a hash of the number in the digital signature of the event, or vice versa: for example, in symbols SIG(i, H(Ei), AI). It can also be achieved by signing the number information together with a digital signature of the event information: for example, in symbols SIG(i, SIG(Ei), AI). As yet another example, one can separately sign (1) the number information together with a unique string x, and (2) the event information together with the string x, in symbols (SIG(i, x), SIG(x, Ei, AI)) (such a string x can be the current time).
Deletion-detectable logs can also be achieved by securely binding a log record with correlation information other than sequential numbering information. For example, log record i can include some identifying information from a previous log record, such as record i-1. Such information can be a collision-resistant hash of record i-1 (or of part of log record i-1): in symbols, log record i can be represented as SIG(H(log record i-1), Ei, AI). Then, if the adversary attempts to delete log record i-1, the deletion will be detected when log record i is received, because the hash of the previously received log record, H(log record i-2), does not match H(log record i-1) (because of the collision resistance of H), while H(log record i-1), being securely bound to log record i, cannot be modified by the adversary without destroying the validity of the digital signature. Here, log record i can also mean a subset of its information, such as Ei.
Note that the information bound to record i need not be that of log record i-1; it can be that of another previous or future record or, indeed, of multiple other records. In addition, which log records are bound to which can be chosen at random.
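The previous-record binding SIG(H(log record i-1), Ei, AI), checked by a collector that receives records in arbitrary order from several cards, as an added example that is not part of the patent text. HMAC-SHA256 stands in for the door's signature, and the key, the start value GENESIS, the sample events and the function names are constructed for illustration.

```python
import hashlib
import hmac
import json

DOOR_KEY = b"constructed-door-signing-key"  # constructed sample secret
GENESIS = hashlib.sha256(b"constructed-log-start").hexdigest()  # assumed start value
SAMPLE_EVENTS = [f"enter user=U{n}" for n in (11, 12, 13, 14, 15, 16)]  # constructed


def sig(*fields):
    """Stand-in for the door's SIG(...), keyed with the door's secret."""
    return hmac.new(DOOR_KEY, json.dumps(fields).encode(), hashlib.sha256).hexdigest()


def record_hash(rec):
    """H(log record): hash over the whole signed record."""
    blob = json.dumps([rec["prev"], rec["event"], rec["ai"], rec["sig"]])
    return hashlib.sha256(blob.encode()).hexdigest()


def append(log, event, ai):
    """Door side: bind H(record i-1) into record i under the signature."""
    prev = record_hash(log[-1]) if log else GENESIS
    log.append({"prev": prev, "event": event, "ai": ai,
                "sig": sig(prev, event, ai)})


def audit_collected(records):
    """Authority side: records may arrive in any order.
    Returns (segments, rejected_events). A segment with gap_before=True
    starts at a record whose signed predecessor hash matches nothing that
    was collected, i.e. at least one earlier record is missing."""
    valid, rejected = [], []
    for r in records:
        ok = hmac.compare_digest(r["sig"], sig(r["prev"], r["event"], r["ai"]))
        (valid if ok else rejected).append(r)
    known = {record_hash(r) for r in valid}
    by_prev = {r["prev"]: r for r in valid}
    heads = [r for r in valid if r["prev"] == GENESIS or r["prev"] not in known]
    heads.sort(key=lambda r: r["prev"] != GENESIS)  # start of the log first
    segments = []
    for head in heads:
        events, cur = [], head
        while cur is not None:
            events.append(cur["event"])
            cur = by_prev.get(record_hash(cur))
        segments.append({"gap_before": head["prev"] != GENESIS, "events": events})
    return segments, [r["event"] for r in rejected]


def demo():
    log = []
    for e in SAMPLE_EVENTS:
        append(log, e, "door=D7")
    card_a, card_b = log[:2], log[3:]  # the third record was never collected
    return audit_collected(card_b[::-1] + card_a)


if __name__ == "__main__":
    print(demo())
```

A record removed from the end of the log leaves no later record to expose it, which matches the statement above that a deletion is detected given later log records.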
Other correlation information can also be used. For example, each log record i can be securely bound to two values (such as random values or the current time) x_i and x_{i+1}: in symbols, e.g., SIG(x_i, x_{i+1}, Ei, AI). Then two consecutive log records always share one x value: for example, records i and i+1 share x_{i+1}. If a log record is deleted, however, this no longer holds (because the adversary cannot modify signed log records without detection unless it knows the secret signing key). For example, if record number 100 is deleted, the database will contain SIG(x_99, x_100, E99, AI) and SIG(x_101, x_102, E101, AI), and one can notice that they do not share a common x value. Such correlation information can take other forms: indeed, a log record can be correlated with multiple other log records. In particular, this can be achieved by using a polynomial to generate the correlation information (e.g., each of two or more log records can include the result of evaluating the same polynomial at different inputs). Such correlation information can also make use of a hash chain: for example, starting with a value y_1, let y_2 = H(y_1), y_3 = H(y_2), and so on, and then securely bind y_i with Ei: for example, the i-th log record can be represented in symbols as SIG(y_i, Ei, AI). Then consecutive log records i and i+1 have correlation values y_i and y_{i+1} such that y_{i+1} = H(y_i). If the adversary deletes a log record, however, this may no longer hold, and the deletion can therefore be detected. For example, if record 100 is deleted, the database will contain SIG(y_99, E99, AI) and SIG(y_101, E101, AI) (which, as before, cannot be modified by the adversary without destroying the digital signature). The deletion can then be detected because H(y_101) will not match y_99. Using multiple hash chains, or using non-consecutive records and both directions, can also provide such correlation information.
In another embodiment, each log record can include an indication of some or all previous, or even subsequent, events, so that the log is not only deletion-detectable but can also be reconstructed in case of deletion. A reconstructable log system can be built by using: (1) an authentication scheme (such as a digital signature scheme); (2) a reconstruction information generation scheme; and (3) a reconstruction model. Given a log event E (part of a series of past and/or future events), the reconstruction information generation scheme is used to produce reconstruction information RI, which can then be securely bound to other log records by means of the authentication scheme. The reconstruction information generation scheme ensures that, even if the log record corresponding to event i is lost, other log records contain enough information about E to allow E to be reconstructed from the RI present in the other log records. For example, the (i+1)-th record can include information about all or some of the previous i events, generated by the reconstruction information generation scheme. Therefore, if the enemy somehow succeeds in erasing the j-th log record from the database, information about the j-th event Ej will be revealed in one or more subsequent records, so that the information Ej can be reconstructed using the reconstruction model even in the absence of the j-th log record. Thus temporary access to the database is not enough for the enemy: he would have to monitor the database "all the time" and delete multiple log records to prevent information about the j-th event from being revealed. The choice of which events to include in a log record can be made by the reconstruction information generation scheme in a random fashion, so as to make it hard for the enemy to predict when information about a particular event will be revealed in subsequent logs. Preferably, a reconstructable log system is also deletion-detectable and indisputable.
Note also that the reconstruction information about event j included in another log record need not be direct information. It can consist of part of record j, or its hash value h_j (in particular, computed by the reconstruction information generation scheme by means of a one-way/collision-resistant hash function), or its digital signature, or any other indication. In particular, if a one-way collision-resistant hash function H is used, information about the j-th event can be recovered indisputably from a log record i that contains h_j: in symbols, if the i-th record is signed, the corresponding indisputable log can take the form SIG(h_j, Ei, AI). For example, if a specific user is suspected of having entered a specific door at a specific time, one can test whether the value h_j matches the hash H(Ej) of the log record Ej that would have been created in response to this event. This is indisputable because of the collision resistance of H: it is practically impossible to come up with a record E'j different from Ej such that H(E'j) = H(Ej).
Log records Ej can be created in such a way that it is reasonably easy to guess (and thus verify) what the log record for a particular event should be (for example, by using a standardized format for log records, using approximate time intervals, etc.). One-way hashes are particularly useful because of their small size: it is even possible to hash many or all previous log records for inclusion in a subsequent record. For example, record i+1 can include h_1 = H(E_1), h_2 = H(E_2), ..., h_i = H(E_i). Alternatively, (some of) the hashes can be nested, reducing the amount of space required. For example, if all hashes are nested, the second log record would include h_1 = H(E_1), the third log record would include h_2 = H(E_2, h_1), .... Thus, log record i can be established indisputably by means of the log records up through i-1 and log record i+1. This system can be improved by encrypting (part of) the information in the log records (e.g., with a key known only to the database), so that the enemy cannot see which information he must destroy to compromise the ability to reconstruct a particular event. Indeed, once the log is protected by encryption, such an encrypted log (preferably an indisputable encrypted log) can be sent to another (second) database without any loss of secrecy. This makes deletion harder for the enemy: he now has to break into two or more databases to falsify the log.
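The nested-hash scheme and the "guess and verify" check described above, as an added example that is not part of the patent text: record j has been deleted, and the auditor tests candidate records in a standardized format against the h_j carried by the surviving record j+1. HMAC-SHA256 stands in for the door's signature; the record format, key, sample events and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta

DOOR_KEY = b"constructed-door-signing-key"  # constructed sample secret
AI = "door=D7"
SAMPLE = [  # constructed events: (door, user, time)
    ("D7", "U11", datetime(2004, 7, 16, 8, 55)),
    ("D7", "U12", datetime(2004, 7, 16, 9, 2)),
    ("D7", "U42", datetime(2004, 7, 16, 9, 14)),
    ("D7", "U13", datetime(2004, 7, 16, 9, 31)),
]


def H(*parts):
    return hashlib.sha256(json.dumps(parts).encode()).hexdigest()


def sig(*fields):
    """Stand-in for the door's SIG(...), keyed with the door's secret."""
    return hmac.new(DOOR_KEY, json.dumps(fields).encode(), hashlib.sha256).hexdigest()


def fmt(door, user, when):
    """Standardized record format (assumed), minute granularity."""
    return f"ENTER door={door} user={user} t={when:%Y-%m-%dT%H:%M}"


def nested(event, h_prev):
    """h_1 = H(E_1); h_k = H(E_k, h_{k-1}) for k > 1."""
    return H(event, h_prev) if h_prev else H(event)


def build_log(entries):
    """Record k carries h_{k-1} and is signed as SIG(h_{k-1}, E_k, AI)."""
    log, h = [], ""
    for door, user, when in entries:
        event = fmt(door, user, when)
        log.append({"event": event, "h": h, "sig": sig(h, event, AI)})
        h = nested(event, h)
    return log


def verify(rec):
    return hmac.compare_digest(rec["sig"], sig(rec["h"], rec["event"], AI))


def recover_deleted(before, after, door, user, start, minutes):
    """before = record j-1 (or None if j = 1), after = record j+1.
    Tries every minute in the window for the suspected door and user and
    returns the candidate E_j whose nested hash equals the signed h_j,
    or None if no candidate in the window matches."""
    if (before is not None and not verify(before)) or not verify(after):
        raise ValueError("surviving record fails signature check")
    h_prev = nested(before["event"], before["h"]) if before else ""
    for m in range(minutes):
        candidate = fmt(door, user, start + timedelta(minutes=m))
        if nested(candidate, h_prev) == after["h"]:
            return candidate
    return None


if __name__ == "__main__":
    log = build_log(SAMPLE)
    window = datetime(2004, 7, 16, 9, 0)
    print(recover_deleted(log[1], log[3], "D7", "U42", window, 60))
```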
Reconstructable logs can also be achieved by using error-correcting codes. In particular, this can be done by generating multiple components ("parts") of each log record and sending them separately (possibly together with other log records) in such a way that, once sufficiently many parts have been received, the log record can be reconstructed by the reconstruction model, which may invoke the decoding algorithm of the error-correcting code. These parts can be spread randomly or pseudorandomly, making it hard for the adversary to delete enough parts to prevent reconstruction of the log record when enough parts do arrive.
Event logs (whether created by cards, by doors, or by cards and doors jointly) can be carried by cards to facilitate their collection. When a card reaches a connected door, or communicates with a central server, or is otherwise able to communicate with a central database, it can send the logs stored in it. This can be accomplished similarly to the propagation of HRAs, except that HRAs are sent from the central point to the cards, whereas logs are sent from the cards to the central point. Therefore, all methods of propagating HRAs apply to the collection of event logs. Specifically, a method of propagating HRAs can be transformed into a method of collecting event logs by: (1) replacing the sender with the receiver, and vice versa; (2) replacing HRAs with log records.
In particular, card C1 can collect event logs of events unrelated to C1, such as an access by another card C2 or a malfunction of door D. In addition, the event logs of a door D1 can be stored (perhaps temporarily) on another door D2 (perhaps carried there by card C1). Then, when another card C2 communicates with D2, it can receive some of these log records and subsequently communicate them to another door or to a central location. This wide dissemination can ensure that event logs reach the central point sooner. (In addition, some doors, although not fully connected to the central database, may have connections to each other. Such doors can thus similarly exchange their available event logs. If cards have the ability to communicate with each other, for example when in proximity, they too can exchange information about the event logs they store.) In such a collection process, indisputable logs are advantageous because they need not be transmitted over secure channels, since they cannot be forged. They therefore do not depend on the security of the cards or of the connections between cards and doors. Deletion-detectable logs provide an additional advantage: if some log records are not collected (perhaps because some cards never reach a connected door), they ensure that this fact can be detected. Reconstructable logs can additionally allow log records to be reconstructed in case some log records do not reach the central database (again, perhaps because some cards never reach a connected door).
In some cases, all event logs can be stored and propagated in this way. Otherwise, it is useful to adopt some optimizations. One optimization is to provide event logs with priority information indicating the relative importance of notifying the central authority about a particular event. Some log records may be more urgent than others: for example, if a door is stuck in the open or closed position, if unauthorized access is attempted, or if an unusual access pattern is detected. To speed up delivery of such important information to the location where it can be acted upon, information in the access log can be marked with a tag indicating its importance (or its importance can be inferred from the information itself). For example, some log records can be marked "urgent" while others are marked "routine". Or they can be marked with a number or code word indicating their degree of importance (the priority levels can be as fine or coarse as appropriate). For example, higher-priority information can be given to more cards and/or doors to increase the likelihood that it reaches its destination faster or more safely. Likewise, a card or door receiving high-priority information can make room for it by deleting low-priority information from its memory. Likewise, a door can decide to pass high-priority information to every card that passes through it, whereas low-priority information is given to only a few cards or can wait until the door is connected.
Alternatively, or in addition to the above techniques, cards can to some extent choose which log records to store, including storing at random, or a door can provide a log record to a certain number of cards (for example, the first k cards that the door "encounters"). The use of such dissemination techniques can greatly reduce the likelihood that an important record in the event log fails to reach the central location where it can be acted upon. In particular, it can serve as an effective countermeasure against "deliberate interference" (jamming) attacks, which attempt to prevent a damaged door from communicating its distress message. The actual method of exchanging logs between cards and doors can vary. When there are only a few records, exchanging and comparing all known records is most effective. In other cases, more sophisticated algorithms for finding and reconciling differences can be used.
It is useful to describe in detail some sample methods by which event logs can be collected. Below, "authority" A includes some central point or database in which event logs are collected.
Sequence 1 (directly from door to authority):
1. Connected door D creates an indisputable log record E in response to an event.
2. E is transmitted to authority A through wired or wireless communication.
3. A verifies the authenticity of E and, if verification succeeds, stores E.
Sequence 2 (from door to user card to authority):
1. Door D creates an indisputable log record E in response to an event.
2. The card C of a user U, presented to access D, receives and stores E (in addition to the access-related communication). The card may or may not verify the authenticity of E.
3. When U presents its card to A at the end of the workday when leaving work, E is transmitted to A by the card.
4. A verifies the authenticity of E and, if verification succeeds, stores E.
Sequence 3 (from door to user card to another (connected) door to authority):
1. Door D creates an indisputable log record E in response to an event.
2. The card C of a user U, presented to access D, receives and stores E (in addition to the access-related communication). The card may or may not verify the authenticity of E.
3. Subsequently, U presents its card C to access another (connected) door D'. In addition to verifying the credentials and granting access when appropriate, D' receives E from C. D' may or may not verify the authenticity of E.
4. E is transmitted by D' to authority A through wired or wireless communication.
5. A verifies the authenticity of E and, if verification succeeds, stores E.
A protected area can be delimited by walls and physical doors, such as a door through which people can enter, or the door of a container, an emergency exit, a vehicle, etc. A protected area can also be delimited by virtual doors and walls. For example, an area can be guarded by detectors that can sense an intrusion and sound an alarm or send another signal if authorization has not been provided. Such an alarm system is an example of a virtual door: in an airport, entering the gate area through an exit tunnel will often trigger such an alarm, even though no physical door or wall has been breached. Another example of a virtual door is a toll booth: although many toll booths contain no physical barrier or door, a particular car may or may not be authorized to pass through the toll booth. Such authorization can depend, for example, on the validity of the car's electronic toll payment tag. Another example is a traffic control area. For example, to enter the center of a city, or a road leading to a nuclear facility, an army barracks, or another sensitive area, a vehicle must have proper authorization, for purposes such as billing, security, or congestion control.
In addition, protection may be needed not only for areas but also for equipment, such as aircraft engines or military equipment. For example, it may be necessary to ensure that only authorized persons can start the engines of an aircraft or of a truck carrying hazardous materials.
There are many ways to use credentials/proofs for access control. Note that, for the approaches disclosed herein, the term "date" should be understood as a generic time period in a series of time periods, and "morning" as meaning the beginning of a time period.
In this application, "door" should be regarded as including all types of entrances (e.g., physical and/or virtual), access control systems/devices, and surveillance systems/devices. In particular, they include key mechanisms used to start engines and control devices (in particular, the invention can thus be used to ensure that only currently authorized users can start an aircraft, operate a bulldozer, or access and control various important and/or dangerous objects, equipment, and components). Consistent with this convention, we refer to "entering" as being granted the desired access (whether physical or virtual).
Similarly, in particular but without loss of generality, a card can be understood to be any access device of a user. It is understood that the notion of a card is broad enough to include mobile phones, PDAs, or other wireless and/or sophisticated devices, and that a card can include or work together with other security measures, such as PINs, passwords, and biometric information, although some of these measures may "reside" in the cardholder's brain or body rather than in the card itself.
In addition, the term "user" (often referred to as "he" or "she") can be interpreted broadly to include not only users and people, but also devices, entities (and sets of users, devices, and entities), including but not limited to user cards.
The system described here can be implemented using any suitable combination of hardware and software, including but not limited to software stored on a computer-readable medium that can be accessed by one or more processors. In addition, the techniques used for encryption, authentication, etc. can be combined and used interchangeably as appropriate. In that regard, each of the following U.S. patents and applications is incorporated herein by reference:
U.S. Provisional Patent Application 60/004,796, filed October 2, 1995;
U.S. Provisional Patent Application 60/006,038, filed October 24, 1995;
U.S. Provisional Patent Application 60/006,143, filed November 2, 1995;
U.S. Provisional Patent Application 60/024,786, filed September 10, 1996;
U.S. Provisional Patent Application 60/025,128, filed August 29, 1996;
U.S. Provisional Patent Application 60/033,415, filed December 18, 1996;
U.S. Provisional Patent Application 60/035,119, filed February 3, 1997;
U.S. Provisional Patent Application 60/277,244, filed March 20, 2001;
U.S. Provisional Patent Application 60/300,621, filed June 25, 2001;
U.S. Provisional Patent Application 60/344,245, filed December 27, 2001;
U.S. Provisional Patent Application 60/370,867, filed April 8, 2002;
U.S. Provisional Patent Application 60/372,951, filed April 16, 2002;
U.S. Provisional Patent Application 60/373,218, filed April 17, 2002;
U.S. Provisional Patent Application 60/374,861, filed April 23, 2002;
U.S. Provisional Patent Application 60/420,795, filed October 23, 2002;
U.S. Provisional Patent Application 60/421,197, filed October 25, 2002;
U.S. Provisional Patent Application 60/421,756, filed October 28, 2002;
U.S. Provisional Patent Application 60/422,416, filed October 30, 2002;
U.S. Provisional Patent Application 60/427,504, filed November 19, 2002;
U.S. Provisional Patent Application 60/443,407, filed January 29, 2003;
U.S. Provisional Patent Application 60/446,149, filed February 10, 2003;
U.S. Provisional Patent Application 60/482,179, filed June 24, 2003;
U.S. Provisional Patent Application 60/488,645, filed July 18, 2003;
U.S. Provisional Patent Application 60/505,640, filed September 24, 2003;
U.S. Patent Application 08/715,712, filed September 19, 1996;
U.S. Patent Application 08/741,601, filed November 1, 1996;
U.S. Patent Application 08/756,720, filed November 26, 1996;
U.S. Patent Application 08/804,868, filed February 24, 1997;
U.S. Patent Application 08/804,869, filed February 24, 1997;
U.S. Patent Application 08/872,900, filed June 11, 1997;
U.S. Patent Application 08/906,464, filed August 5, 1997;
U.S. Patent Application 09/915,180, filed July 25, 2001;
U.S. Patent Application 10/103,541, filed March 20, 2002;
U.S. Patent Application 10/244,695, filed September 16, 2002;
U.S. Patent Application 10/409,638, filed April 8, 2003;
U.S. Patent Application 10/876,275, filed June 24, 2004;
U.S. Patent 5,604,804;
U.S. Patent 5,666,416;
U.S. Patent 5,717,757;
U.S. Patent 5,717,758;
U.S. Patent 5,793,868;
U.S. Patent 5,960,083;
U.S. Patent 6,097,811; and
U.S. Patent 6,487,658.
While the invention has been disclosed in connection with multiple embodiments, modifications thereof will be readily apparent to those skilled in the art. Accordingly, the spirit and scope of the invention are set forth in the following claims.

Claims (6)

1. A method for an entity to control access by a plurality of users to at least one disconnected door, comprising:
mapping the plurality of users to a group;
for each time interval d of a series of dates, having an authority produce a digital signature SIGUDd indicating that members of the group can access the door during time interval d;
causing at least one member of the group to receive SIGUDd during time interval d for presentation to the door in order to pass through the door;
causing at least one member of the group to receive a proof which, when presented, authorizes the at least one member to pass through the door, wherein the proof does not include a digital signature;
causing at least one member of the group to present SIGUDd and the proof to the door; and
having the door open after verifying that: (i) SIGUDd is a digital signature of the authority indicating that members of the group can access the door during time interval d, (ii) the current time is within time interval d, and (iii) the proof, when presented, authorizes the at least one member of the group to access the door.
2. The method of claim 1, wherein at least one member of the group has a user card and the door has a card reader coupled to an electrically controlled mechanical lock, and wherein the at least one member of the group receives SIGUDd by storing SIGUDd in the user card, and presents SIGUDd to the door by having the user card read by the card reader.
3. The method of claim 1, wherein SIGUDd is caused to be received by at least one member of the group during time interval d by posting SIGUDd in a database accessible to the at least one member of the group.
4. The method of claim 1, wherein SIGUDd is a public-key signature, and wherein the door stores the public key of the authority.
5. The method of claim 1, wherein the door also verifies identity information about at least one member of the group.
6. The method of claim 5, wherein the identity information about at least one member of the group includes at least one of: a PIN and a response to a challenge from the door.
CN2004800207923A 2003-07-18 2004-07-16 Controlling access to an area Expired - Fee Related CN101088247B (en)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US48864503P 2003-07-18 2003-07-18
US60/488,645 2003-07-18
US50564003P 2003-09-24 2003-09-24
US60/505,640 2003-09-24
PCT/US2004/023015 WO2005024549A2 (en) 2003-07-18 2004-07-16 Controlling group access to doors

Publications (2)

Publication Number Publication Date
CN101088247A CN101088247A (en) 2007-12-12
CN101088247B true CN101088247B (en) 2012-05-16

AU2018455995A1 (en) * 2018-12-31 2021-08-19 Lleidanetworks Serveis Telemàtics S.A. Universal certified and qualified contracting method
EP3716224B1 (en) * 2019-03-27 2023-10-25 Carrier Corporation System and method for providing secure access

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2722596A1 (en) * 1994-07-13 1996-01-19 France Telecom SYSTEM FOR CONTROLLING ACCESS LIMITED TO AUTHORIZED AND RENEWABLE TIME PLACES USING A PORTABLE MEMORY MEDIUM
DE4432324A1 (en) * 1994-09-13 1996-03-14 Vwb Elektronik Techn Gmbh Device for a device for wireless information retrieval and method for producing the device
US5742035A (en) * 1996-04-19 1998-04-21 Kohut; Michael L. Memory aiding device for credit card pin numbers
US5887131A (en) * 1996-12-31 1999-03-23 Compaq Computer Corporation Method for controlling access to a computer system by utilizing an external device containing a hash value representation of a user password
US6038666A (en) * 1997-12-22 2000-03-14 Trw Inc. Remote identity verification technique using a personal identification device
WO2002008551A1 (en) * 2000-07-20 2002-01-31 Codesmart Access Systems Pty Ltd Access method and system
CN2504689Y (en) * 2001-02-28 2002-08-07 北京永毅行科技发展有限公司 Intelligent entrance guard, attendance machine
CN1148683C (en) * 2002-04-30 2004-05-05 北京信源咨讯信息技术有限公司 Entrance guard method and system using blue tooth technique in wireless authentication and data transmitting/receiving

Also Published As

Publication number Publication date
CN101088247A (en) 2007-12-12
CN101065789B (en) 2010-05-26
ES2367435T3 (en) 2011-11-03
CN101036339A (en) 2007-09-12
CN101268649B (en) 2012-07-04
CN101065789A (en) 2007-10-31
CN101036339B (en) 2012-05-16
CN101268649A (en) 2008-09-17

Similar Documents

Publication Publication Date Title
CN100533368C (en) Controlling access to an area
US7822989B2 (en) Controlling access to an area
US7600129B2 (en) Controlling access using additional data
US8015597B2 (en) Disseminating additional data used for controlling access
US9158288B2 (en) Logging access attempts to an area
US7716486B2 (en) Controlling group access to doors
US9449443B2 (en) Logging access attempts to an area
US9659422B2 (en) Using temporary access codes
US7852196B1 (en) Systems and methods for electronic premises access
CN101088247B (en) Controlling access to an area
KR20180039670A (en) Multi-use long string authentication key
CN100473002C (en) Physical access control
CN110851530A (en) Block chain based shared economic credible transaction method
KR20230104921A (en) How to break the protection of an object achieved by the protection device
AU2006200187B2 (en) Controlling access to an area
Yonkers et al. US-VISIT Program, Increment 1 Privacy Impact Assessment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: ASSA ABLOY CO., LTD.

Free format text: FORMER OWNER: CORESTREET LTD.

Effective date: 20150105

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20150105

Address after: Stockholm

Patentee after: BUGA Technologies GmbH

Address before: Massachusetts

Patentee before: Corestreet Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120516

Termination date: 20170716
