EP1321901A2 - Method for controlling access rights to an object - Google Patents

Abstract

Method for controlling access to an object in which a mobile object (2) or key is used to undo or release a lock (3) when the key is authorized. Prior to contact between key and lock the key is issued a certificate by a central unit that contains a specific identify code. When the key is connected to or inserted in the lock offline authentication is based on the specific identity code in the certificate. <??>INDPENDENT CLAIMS are made for an electronic lock system, fixed lock unit, computer program and computer program product.

Description

The invention relates to a method for regulating the access regime to one Object, a locking system, a mobile unit, a stationary unit, a Computer program and a computer program product according to the independent Claims.

Traditional locking systems are based, even if they use the latest technologies are realized on a uniform principle. With mobile units ("Keys") a release is obtained in fixed units ("lock cylinders"). The mobile units have a fixed mechanical or electronic coding, while the fixed units are programmed mechanically or electronically, so that only in the case of mobile units with certain encodings, approval by the fixed units. Modern electronic locking systems see this before that the programming of the fixed units changed again and again can be updated.

Traditional locking systems offer good protection for individual objects clearly regulated access authorizations. But problems can arise if the objects to be protected, territorially accessible with a specific key are distributed. Problems can also arise if the group of Access is not defined in advance and is rapid and repeated Changes in access authorizations are expected. This is especially true even if the release should only be for short periods of time.

Such locking systems are certainly the best choice if many participants are involved centrally assigned access authorizations have access to an object that is protected by relatively few locks. This is for example with one Company building where some doors are used by many employees.

However, there are more and more applications where access authorizations are variable to be awarded. There are also applications where many potential cylinders, which can also be spatially distributed, operated by a few key owners should be.

An example: In the mobile phone sector, systems in the past have been controlled by state or semi-governmental institutions increasingly controlled objects from Mobile phone operators serviced. It also happens that the plants are third parties be made available for rent. The objects, e.g. tunnel systems, Church towers, parish houses, etc. are spread over a large territorial area and for economic or technical reasons they cannot be connected by cables or integrate radio into a network. They have a variety of systems, which must be serviced by external and internal technicians. The Key management is therefore becoming increasingly difficult. Also have a lot be replaced by locking cylinders when a single person Key or even a master key loses. Securing from below Safety aspects of critical systems are not fully guaranteed especially in the time between key loss and completion of the Lock cylinder exchange.

Further examples of access rights to widely distributed objects can be found in the activities of surveillance companies and transport companies, in civil engineering etc. A similar problem is associated with online shopping Home delivery conceivable. It would be desirable if, in the absence of Delivered the delivery could be done in a lockable object.

Complicated and variable train access authorizations also result for the Authorization to access chemical cabinets (in hospitals, laboratories, etc.). The same applies - at a different security level - to schools where the Authorization to access classrooms and preparatory rooms frequently is subject.

Variable assignments of access authorizations also increasingly refer to different systems. So there are applications where a few key owners Should have access to different objects, the different systems belong. For example, a supplier might need access to Have storage rooms of different companies, of course each company has its own Locking system.

There are already approaches to technical solutions that have changed them Circumstances. For example, there are systems with electronic Keys and electronic locks where the key is one under Circumstances can get limited release. Any access to the protected The object is logged online on the lock and key side. Aspects of such Systems are described, for example, in U.S. Patent 4,988,987. Both the In these systems, cylinders as well as keys have to be operated from a central office be programmed. This is disadvantageous in the cases of those mentioned above Applications where the objects with locks are geographically dispersed and may be difficult to access. In addition, such an online approach high demands on communication connections, their Availability, logs etc.

Another approach is, for example, in Swiss patent application 01365/00 described. Fixed stations of a contactless system, for example, function as Lock cylinder. The base stations are over a communication medium, for example. the Internet, updated. The mobile units can then use a base station be initialized. However, this approach requires that the locks are networked and Depending on the design as a base station, it is also technically complex and large are.

Solutions of this type extend the conventional concept Security and monitoring features. By a significant technical Effort allows you to have better control over access. they are but relatively complex to manufacture and therefore expensive. Also is their service cumbersome, which makes them unsuitable for everyday use Non-professionals. You also require that the fixed units Have energy sources. If such are formed by batteries, they need lots of space if the functionality is guaranteed over a longer period and many entries are expected.

The international publication WO 93/21712 shows an electronic one Security system for payphones and other coin operated machines. at Such systems have the problem that different people for the Collecting the accumulated money are responsible. There is a danger from abuse, and key management is laborious. Therefore, according to the mentioned publication a portable connected to the key Housing presented, which over the public telephone network and a A list of ID codes can be assigned to the modem connection; if one of the ID codes An ID code for a locking cylinder is released. The The ID codes can be transmitted encrypted. In addition, the Memory in the key can be allocated a time window during which the key authorized to operate the locking cylinder. The key can be on the portable Housing are supplied with energy and also the locking cylinder with energy supply. This system solves the problem of complex key management. It but is relatively cumbersome and primarily only for telephone booths suitable, since it requires the immediate existence of a public one Telephone connection. In addition, the system is very susceptible to manipulation, and therefore not suitable for applications that require higher security. A person who wants to manipulate the key only has to prevent that Once the ID codes have been saved, they are deleted and then the key is entered Allocate current time window.

Other electronic security systems are in the French Laid-open specification 2 722 596 and in European laid-open specification 0 282 339. Both of these systems rely on one code on one key disk is loaded; the French Laid-open specification 2 722 596 also shows methods such as such a code can be verified by cryptographic means in the lock cylinder.

All of these security systems have the property that the key in the Essentially only from an electronic code (ID code, "fingerprint" If a correct code of this kind is passed on to the locking cylinder, is released. This has disadvantages when the security requirements are high. It is known that electronic data is copied using suitable means or can be manipulated.

It is therefore an object of the invention to provide a method for regulating an access regime as well as a corresponding locking system and corresponding hardware and To provide software components, which disadvantages of overcome conventional methods and systems and which one in particular allow more variable regulation of access authorizations and high Security requirements are sufficient.

This object is achieved by the invention as set out in the claims is defined.

The invention basically chooses one compared to the prior art different approach. The mobile units ("keys") are variably programmable and equipped with means of communication and storage means. Is in them the information can be stored and reprogrammed, which contains valid, missing information or wrong authorization decides. They are as the active ones communicative components trained and have, for example Energy supply. To release through the fixed units too received, the mobile units can obtain a certificate from a central office to transfer. This includes, for example, a code that is sent to the stationary unit passed and verified by this on the basis of stored information becomes.

This verification is carried out with key-specific algorithms (whereby with "Key-specific" is meant to mean that everyone is physically present is verified differently, for example by adding data with one in a non-rewritable Key identification number stored in the data memory as 'seed number' is encrypted). Access authorizations are therefore not allowed in assigned on the basis of electronic data with the key as a data carrier, but the key is also physically a security element, and that individually.

The stationary units ("locking cylinders"), however, are exempt from the task manage the information about access authorizations etc. The handover of a Codes that decide on access authorization from the mobile unit to the Fixed unit is done offline. That it is not necessary that during the Verification of the fixed or the mobile unit with a central in Communication connection is established.

The invention thus includes security elements in three components involved: The control center that manages the access authorizations, the key that is provided with characteristic information and the lock cylinder, in which information is stored, based on which consistency is checked becomes. All of these three security elements are relevant. One cannot, for example, without proceed to the current authorization of the head office. You can't even do it once Manipulated certificate transferred to another key and gain access with it. After all, even a certificate cannot be in any way of gaining access for someone other than that Use the lock cylinder provided. It has to be coherent - not just from volatile codes, but the physical elements - all three Components prevail.

In this way, the invention combines maximum flexibility of systems with purely electronic keys - such as that of international ones Publication WO 93/21712 - with a high degree of certainty Manipulation attempts. By assuming that only physical Presence of the correct key can be released at all the invention in particular also a security element of traditional, mechanical locking systems. In contrast to these is the security element but cannot be avoided by mechanical copying.

The offline regulation of the release has massive advantages. A supply of the Fixed unit with current data is not absolutely necessary. The whole System can be easily expanded with additional units. The stationary Units also do not have to be connectable online to a central unit. Nevertheless, a dynamic, constantly adapted to the circumstances Access authorizations are managed. This is an advantage in terms to the application examples mentioned at the beginning, where access to possibly very many objects with possibly difficult accessibility must be regulated.

The condition that the verification is key-specific is an important one Prerequisite for ensuring the security of the system. For example, at the electronic security systems described at the outset on a The existing information is copied to another data carrier and the latter are then manipulated, for example, around the 'time window' condition overcome. A manipulator only has to access at some point have had a key to then possibly much later and undetected To be able to make manipulations. This is the case with an inventive No action possible. If the information available on a key to another data carrier - e.g. to another stolen key - copied, they are worthless. In addition, the key-specific allows Verification also a clear logging of the lock cylinder side Access.

Although, as mentioned, the keys are the active units of the system according to the invention, the security is not based solely on one Key transmitted code that must be correct and then by virtue of its coherence authorized to access, as is known from the prior art. Much more According to the state of the art, the locking cylinder must be based on Key characteristic data and based on a certificate determine whether there is an authorization. In contrast to the prior art, where the Security elements are either programmed on one side in the locking cylinder or one-sided in the key, the concept of 'networked' applies here 'entangled' security: there must be a coherence between key - as Physically existing entity - certificate and lock cylinder available: only then can be released.

The method according to the invention and the corresponding system bring advantages In terms of variability. As explained, the system as a whole can do without anything Restructuring continuously adapted to the circumstances. Access authorizations can also be easily assigned to mobile units which were not previously part of the system. It follows immediately another advantage: the scalability. The system enables the management of very few or very many fixed and mobile units without the System architecture needs to be changed.

Associated with this is the advantage of mobility. In contrast to also electronic Shooting systems according to the prior art are not components of the Systems - not even the 'fixed' units - are tied to specific locations.

Another advantage is the versatility. The system also allows the Transmission and administration of very simple access certificates as well as of complex, hierarchical certificates. In any case, the fixed Units designed very simply and always the same and on the basis of always be programmed using the same algorithms.

After all, the system is inherently dynamic. Although, or precisely because of that Certification, i.e. the handover of the certificate to the stationary unit, offline access rights can be granted or revoked at any time become.

Fixed units of the system according to the invention can be designed such that they can be easily installed in existing doors or cupboards, which previously were provided with standard locking cylinders. This represents a major and decisive advantage in comparison to existing processes and systems, which introduce a variable, i.e. dynamic control of the access regime to attempt. The invention thus offers an implementation and handling very simple solution for the task at hand.

Because the regulation of the access regime takes place offline, the fixed units do not have up-to-date access authorization information upgradeable and therefore not networked at all. Preferably and in a consistent manner Further developments include the mobile units Energy supply means, for example a battery. The Power supply to the stationary units during access control can then done through the keys. The mobile units don't even have to hang on the mains. Maintenance of the stationary units, for example Replacing batteries etc. is hardly necessary.

The certificates to be transmitted by a central unit can vary be designed. In a simple version of the invention, they only consist of the code which the stationary unit must recognize, as well as, for example Time window or an access quota. A time window defines a certain time during which access is possible. An access quota determines a certain one Number of accesses that are granted (for example, a single access ) Grants. The code becomes bswp. transferred encrypted to the stationary unit, where a key-specific data (ID) for the decryption as, Seed Number 'can be used.

The certificate can also contain further information. Examples of such Data is an authorization hierarchy in more complex systems, but in the Contrast to conventional systems not through the key mechanism is implemented. For example, at the same time as an access authorization an access authorization for a certain object is automatically included associated objects of a lower hierarchical level. The certificate can also include object identification and key identification.

An object identification can be used as an unchangeable and unique object identification symbol be formed, the object or the fixed unit can be clearly assigned. For example, it is set so that it doesn't even can be changed by a central unit. The object identifier can serve to prevent tampering with the lock cylinders, e.g. cannot be monitored by a central unit.

Finally, depending on the design of the system and whose hardware components also include individually coordinated data such as stored PINs, information for the user, etc. are transmitted. On in this way the invention enables "security made to measure".

A key identification mark is used to identify the keys and ensure that the certificates are transmitted to the desired mobile unit become. The key identification sign does not have to be sent to the Lock cylinders are handed over.

According to a first embodiment, no information has to flow from the locking cylinder to the key. After receiving the certificate, the key then transmits an encrypted code, assigned to the locking cylinder and stored in it, together with the key-specific data (ID). In this, the consistency is checked and, if necessary, approval is given. The code to be transmitted can also be present instead of a fixed character as a function value f _ID (A, t) of an essentially irreversible function of time and a function parameter A, where A characterizes the locking cylinder. The key is only transmitted f _ID (A, t), it has no possibility to determine A. In the lock cylinder, f _ID (A, t) is also calculated for verification; if it is correct, it is released. For additional security, it can be ensured in terms of hardware that no information flows from the locking cylinder to the key, making “data theft” - a key-side determination of A - impossible. The key-specific data (ID) - they are used here as a kind of 'seed number' for data encryption - may have been determined by the central unit when the key was issued, but they cannot be changed in any way.

According to a further exemplary embodiment, the Access regime in a two-step authorization process. The key gets a certificate from the central unit, which gives him access to an object or a group of objects. The certificate can also regulate that the key has only a limited access window or access quota is allocated. If the key comes into contact with a locking cylinder, in In a first step, a character identifying the locking cylinder from Lock cylinder transmitted to the key. This then checks against the in certificates available to him - he may have received more than one certificate and save - whether he has access to the object with this locking cylinder is justified. If this is not the case, the key remains passive and transmitted For example, no further information to the locking cylinder. If a certificate from If the key is in the affirmative, the key is transmitted as the second stage of the Proceed the code to the lock cylinder, whereupon the code is correct Approves access.

• Flexible Erteilung des Zutritts, und zwar als einmaliger Zutritt, als periodischer (täglicher, wöchentlicher etc.) Zutritt, als Zutritt während eines definierbaren Zeitfensters (Zutrittsfenster) oder als Zutritt ohne zeitliche Beschränkungen.
• Jeder Zutritt kann registriert werden, und zwar nach Person resp. Schlüssel, Objekt, Zylinder und Zeit.
• Der Zutritt ist kurzfristig fernkonfigurierbar, d.h. einer Person, welche ein Schlüsselmedium besitzt, kann sofort ein Zutritt zugeteilt werden.
• Innerhalb eines Objektes können im Rahmen einer Berechtigungs-Hierarchie verschiedene Zonen definierbar sein, bspw. Hochspannungen, Leitsystem, Lager etc.. Innerhalb der Zonen kann auch die Zutrittsberechtigung von einzelnen Teilobjekten (Schränken, Räumen etc.) flexibel zuteilbar sein.
• Das Schliesssystem kann einfach in vorhandene Türen oder Schränke eingebaut werden, welche bisher mit Standard- Schliesszylindern versehen waren.
• Die ortsfesten Einheiten benötigen keine Energieversorgung.
• Der Dialog mit einer zentralen Einheit, welche den Zutritt zum Objekt gewähren kann, kann mit modernen Standard-Kommunikationsmittel erfolgen, bspw. mit Internet-basierenden Kommunikationseinheiten. Auch die Übertragung der Zutritt verschaffenden Signale selbst kann in standardisierter Form erfolgen, z.B. mit dem TCP/IP-Protokoll und ggf. verschlüsselt.
• Die zentrale Einheit kann die Möglichkeit haben, vorbereitete Zutrittsprofile zu erstellen.
• Die zentrale Einheit kann ihrerseits in ein übergeordnetes System eingebunden sein, über welches Konfigurationen und Zuständigkeitsbereiche von mehreren zentralen Systemen verwaltet werden, wobei aber bspw. vom übergeordneten System keine direkten Zutritte gewährbar sind.
• Eine Fluchtwegfunktion von Innen nach Aussen kann auch bei Energieausfall gewährleistet werden.
• Der Inhaber des Objekts hat die Kontrolle über die zentrale Einheit und kann selbst entscheiden, dass ein beliebiger anderer System-Partizipient oder auch ein Partizipient eines anderen Systems Zugang erhält, er muss das nicht vordefinieren.

The locking system according to the invention and its embodiments meet the following requirements:

• Flexible granting of access, namely as one-time access, as periodic (daily, weekly, etc.) access, as access during a definable time window (access window) or as access without time restrictions.
• Every access can be registered, according to person or Key, object, cylinder and time.
• Access can be configured remotely at short notice, ie access can be immediately assigned to a person who has a key medium.
• Within an object, different zones can be defined within the framework of an authorization hierarchy, for example, high voltages, control system, storage, etc. Within the zones, the access authorization of individual sub-objects (cabinets, rooms, etc.) can also be flexibly assigned.
• The locking system can be easily installed in existing doors or cupboards that were previously equipped with standard locking cylinders.
• The stationary units do not require any energy supply.
• The dialogue with a central unit, which can grant access to the object, can take place with modern standard communication means, for example with Internet-based communication units. The transmission of the access-providing signals themselves can also be carried out in a standardized form, for example using the TCP / IP protocol and possibly encrypted.
• The central unit can have the option of creating prepared access profiles.
• The central unit can in turn be integrated into a higher-level system, via which configurations and areas of responsibility are managed by several central systems, but no direct access can be granted, for example, from the higher-level system.
• An escape route function from the inside to the outside can also be guaranteed in the event of a power failure.
• The owner of the object has control over the central unit and can decide for himself that any other system participant or a participant of another system has access, he does not have to predefine this.

• Figur 1 ein Schema erfindungsgemässen Verfahrens anhand von Komponenten des erfindungsgemässen Systems in einer ersten Ausführungsform.
• Figur 2 ein analoges Schema mit Komponenten einer weiteren Ausführungsform des erfindungsgemässen Systems.
• Figur 3 eine Ansicht einer mobilen Einheit für die Ausführung des erfindungsgemässen Verfahrens.
• Figur 4 ein Schema von Einheiten des erfindungsgemässen Systems im Zusammenspiel.
• Figur 5 ein Schema eines erfindungsgemässen Systems.

In the following, exemplary embodiments of the invention are described in somewhat more detail with reference to figures. The figures show:

• 1 shows a diagram of the method according to the invention using components of the system according to the invention in a first embodiment.
• FIG. 2 shows an analog diagram with components of a further embodiment of the system according to the invention.
• Figure 3 is a view of a mobile unit for performing the method according to the invention.
• Figure 4 is a diagram of units of the system according to the invention in interaction.
• Figure 5 is a schematic of a system according to the invention.

The system according to FIG. 1 has various components: the central unit 1 is the control entity. For example, it can be identical to a control center of a monitoring company using the system according to the invention, a distribution company, etc. It can be operated by persons or implemented as software. It has means for communication with the mobile units 2 (hereinafter: keys). The mobile units each have an energy source or an energy store as well as data processing and data storage means. In addition, they are equipped with communication means for transmitting data to the fixed units 3 (locking cylinders). The term "stationary" means in the context of this application that the units are essentially stationary in operation in relation to an object to be secured. The term does not exclude that the locking cylinders are attached to a mobile object (vehicle, ship, etc.) nor that they can be transported from one object to another for assembly.

The object in which the stationary units are integrated is shown in the drawing symbolizes a box 4. The stationary units 3 can, for example, externally as conventional lock cylinders should be designed and replace them. she have storage means and a data processing and transmission unit for Communication with the keys. However, both the integration of Energy sources or storage as well as the writeability of the storage optional and only available depending on the design of the system.

Each key 2 has, for example, an identification character K. This Identification character K can also be used as a key-specific data record (ID) in of the type described above are used; but he can also from this to be different. If access to an object 4 is desired, the Key transmitted from this identifier. In the head office it is on determined or determined whether the holder of the key is authorized for has or should have access to the property. If access is to take place, then a certificate Z with the authorization code A (hereinafter mostly briefly called code) to the key. According to one embodiment In the procedure, code A in the certificate is always contained in a fixed package with the key identification character K included. (Then this is preferred not identical to the key-specific data record (ID)). This ensures that the code A only if the key identification for access is correct can justify. Code A is passed to the locking cylinder and there Verified. Then, if necessary, an approval is given.

According to a special embodiment, the code is always accompanied by a Object identification O transmitted. This serves as a clear and unchangeable Object identification mark and the lock cylinder together with the Pass code A for verification. In terms of hardware, it is in the object implements that it cannot be changed by reprogramming.

The means of communication, via which data are transmitted between the central unit and the key, can be designed differently. 2 shows a mobile communication apparatus 5 is shown schematically in addition to the components of FIG. 1 This has a modem or another means of communication for communication over a data network, for example the Internet. It can be designed, for example, as a battery-operated, portable device or installed in a vehicle or the like. It can exchange information with the key without contact via a radio frequency connection. Alternatively, there can also be a direct (cable, etc.) connection between the key 2 and the transmission device 5. Finally, the transmission device can also be integrated in key 2. FIG. 2 also shows how the above-mentioned object identification symbol O is handled, the transmission device of course not being able to be used only in systems that use the object identification symbol.

An example of a key 2 is shown schematically in FIG . The key has a key blade 2.1, which can be worked out like conventional keys and has, for example, the mechanical coding of a passkey. It can also be configured differently and, for example, have no mechanical coding at all. Depending on the design of the locking cylinder, the locking system could also function without contact and the key therefore could have no key blade at all. In addition, the key has a circuit board 2.2 on which processor means 2.3 and conductor tracks 2.4 and possibly additional electronic components are attached. Furthermore, energy supply means 2.5, ie a battery, are arranged in the key. The battery, printed circuit board and conductor tracks are arranged so that the battery can supply the processor means with electrical energy. In addition, the key also has a contact path 2.6 for communication, with a locking cylinder and / or for its energy supply. Furthermore, communication means 2.7 are also available, with which data can be exchanged without contact with a transmission device or cylinder.

FIG. 4 shows a diagram which shows some elements of a system according to the invention and their interaction. A central unit 1, a transmission device 5, a key 2 and a locking cylinder 3 are shown in the figure. The data transmission device, the key and the locking cylinder each have a processor unit 5.3, 2.3 or. 3.3. and a data storage and encryption unit 5.9, 2.9 respectively. 3.3. The processor unit and / or the data storage and encryption unit can, for example, be manufactured in a manner known per se. For example, you can include a LEGIC® security module, which is only mentioned here as an example. At this data storage and encryption unit 5.9, 2.9 respectively. 3.3 are connected means 5.7, 2.7 respectively. 3.7 for contactless communication. As already described, the key has energy supply means 2.5. The energy supply means supply the microprocessor unit 2.3 and a timer 2.8 connected to it.

The transmission of data from the central unit to the transmission device takes place, for example, with known and common data transmission lines, Interface protocols, etc. with the help of the Internet. Of course the data transmission is preferably encrypted. The channel for that Transfer of data between the software 1.1 of the central unit 1 and the Transmission device 5 is symbolized in the figure by a double arrow 11. There are two interfaces between the transmission device 5 and the key 2 set up: the microprocessor interface 12 as a contact interface and that Program interface 13. The microprocessor interface 12 is used for synchronization the microprocessors 5.3, 2.3 of the transmission device and the key. The time is an important parameter in regulating the access regime, for example if only a time window for access is available. It can also be significant with regard to data and manipulation security, like that with examples will be explained. The program interface 13 is used to exchange the mentioned data. The program interface and the microprocessor interface need not to use physically different data transmission channels.

Two interfaces are provided between the key and the locking cylinder. The data interface 14 is used to transfer data from the key to the Lock cylinder and possibly also in the opposite direction from Lock cylinder on the key. Via the power interface 15 Lock cylinder with the during the handover of the certificate to the Lock cylinder and electrical energy required during verification provided. This can be done continuously or at the beginning of the action in a short-term energy store of the locking cylinder.

The diagram in FIG. 5 shows a central unit 1, some keys 2 and some objects 4 with locking cylinders 3.

As mentioned above, there is a flow of information, symbolized by arrows between the central unit and the keys as well as from the central unit authorized and restricted from the keys to the locking cylinders and each after the back. Between the central unit and the locking cylinders no information flow. There is also a flow of information between the Locking cylinders are not excluded, but generally not necessary. No information may flow between the keys.

The central unit 1 has information that is used to control the whole Enable the system. In the figure, two databases 1.1 and 1.2 are symbolic shown. The first database contains updated information about the Objects, the second database 1.2 about the keys.

Each key and each lock cylinder can be identified using a corresponding identification symbol K _i or P _i . The data about the objects can have a data structure which reflects the relationships between the objects. A very simple example is shown in the figure: The objects with the identification P ₃ , P ₄ and P ₉ are, for example, parts of a superordinate structure. The object P ₉ is arranged in a simple model in an inner circle (superordinate), the objects P ₃ and P ₄ in an outer circle (subordinate). As an example for illustration, the object P _{9 can be} a safe, which is in a room to be reached through doors P ₃ and P ₄ . Access to the object in the inner circle requires access to an object in the outer circle, but not the other way around. This hierarchical relationship is reflected in the data in the central unit.

The key holders perform different functions and are therefore also equipped with different certificates: one security guard may only get access to subordinate objects, but in many different structures, a branch manager has access to all objects of a single Structure.

Archetypes are created accordingly in the databases. The object database 1.1 contains hierarchy archetypes B ;. For example, an access authorization to an object may be inherent or, at least by default, an access authorization to a hierarchically subordinate object. The hierarchy archetypes can, for example, directly contain the code A of the hierarchically subordinate objects. Hierarchies corresponding to the hierarchy archetypes are adopted in the certificates. The key database 1.2 contains certificate archetypes C _i . Typically, a security guard always has access to the same objects, but only once a night. The certificates Z are produced on the basis of the archetypes and possibly current data. The certificate archetypes contain, for example, references to hierarchy archetypes and not the entire content of the certificate archetypes.

According to one embodiment, individual elements of the archetypes can even be created in the key itself. But you definitely have to go through one of the central unit transmitted certificate can be activated.

The following are some examples of the method according to the invention:

Example 1:

a. The key is activated by its owner and polls the head office an authorization. This request in the form of a request signal can individually for a single access or flat rate (e.g. in the morning when the owner as a fitter starts work and has access authorization for wants to receive all objects accessible on this day). The Request signal contains a key identification character K.

b. The computer in the central unit continuously checks against a updatable database the authorization and compiles a certificate. For each object, this contains a code A that is characteristic of this as well as a time window or an access quota. The certificate also contains the recipient's key identifier.

c. The central computer sends the certificate to the transmission device or encrypted to the mobile unit.

d. The mobile unit may receive the certificate from the transmission device (in the it can be cached until between the transmission device and the mobile unit is connected) and stores it on their Memory chip.

e. The key holder goes to the property and puts the key in the locking cylinder.

f. The key supplies the locking cylinder with electrical energy. This can into a short-term energy storage or continuously during the following Process steps take place.

G. The key transfers the code contained in the certificate, for example, others Information such as a key identification character K about the Data interface 14 to the lock cylinder. The handover is also, for example encrypted, with the 'Seed Number' being used to send the certificate used, seed number 'is different and, for example key-specific record ID corresponds.

H. The processor means contained in the locking cylinder carry out a verification through, i.e. a comparison between the transmitted and a stored Code through. Possibly. the transmitted code is decrypted beforehand. Appropriate Methods such as the public key / private key system, which, for example, simultaneously also a non-manipulable verification of the sender of the allow encrypted message (here the key) are known per se and are not explained in detail here.

i. By means of the processor means of the locking cylinder, if there is coherence Release triggered. After approval, the key holder has a certain one Time, typically a few seconds, is available to get the key rotate. Contacts in the cylinder determine which position it is in the key is located. So that keys and locking cylinders can recognize When the contact is interrupted, the key continuously sends, for example Test bits.

j. In the absence of coherence (corresponding to a missing or wrong Authorization) there is a non-release event. For example, this can easily be done be an acoustic signal. An event similar to the non-release event can also be triggered if none within a certain threshold time Communication connection established between the key and the locking cylinder could be or if, for example, the battery 2.5 is discharged and the energy not enough.

Example 2:

Steps a, cf, i and j, for example, are the same as in example 1, but the certificate does not contain the actual code A but a value f _ID (A, t ₀ ), where t _{0 is} a point in time at which the key holder is authorized to access is. When there is contact between the key and the locking cylinder, ie after step e, the processor means of the locking cylinder are supplied with the current time t by a timer 2.8 in the key. The comparison then takes place between f _ID (A, t ₀ ) and f _ID (A, t). The condition to be fulfilled for an approval can be that the difference between the values f _ID (A, t ₀ ) and f _ID (A, t) does not exceed a certain threshold value, the function f then having to be continuous and standardized.

Example 3:

Like example 2, but the authorization is given not only at a time t ₀ (or in a time window surrounding it) but also periodically, for example daily at a certain time. This can be achieved by the certificate containing a number of function values f _ID (A, t _i ) with i = 1, 2, ... or by using a special function that is periodic in t.

Example 4:

As in example 2, but instead of a value f _ID (A, t ₀ ), a value f _ID (A, n) is transmitted, where n represents the number of times the key holder has had access so far. To a certain extent, this example works analogously to a strike list principle.

Example 5:

Like example 1 to 4, but instead of step a, the certificate is issued by the central unit transmitted without a previous request signal. For example, be useful if the key holder is a security guard or a Suppliers heard and at the same time with the authorization from the headquarters Unit an order is issued.

Example 6:

The holder of the key goes to the object to which he has access would like to. In a first step, he puts the key in the lock cylinder Object. In general, the key will not have a certificate that it authorized to access the property, and there is no release. The The locking cylinder, however, passes on information that characterizes it - for example Object identification symbol O - to the key. This transmits the Characteristic information to the head office, for what if necessary Communication module as the mobile transmission device 5 is used. In the The head office decides whether the key holder is at a time one-time access. This can be done in an unmanned headquarters based on table values or other characteristics. to The control center can provide additional security - possibly automated - to the suspected Call the holder of the key, e.g. on his cell phone, and his identity and Check intentions. An unmanned control center can check the identity, by it and a certain statement - for example an agreed code word - from him polls and the voice of the called party with saved voice recordings compares. Then the head office sends a certificate to the key, and it is as in one of the examples discussed above.

Depending on the design of the system, in any of the examples at Release / non-release or after this the entry or attempt to access the object be logged. This follows, for example, into a memory in the key. At the next Contact with the central unit or directly on its own can do the key Submit log to the central unit where it is stored in a database and / or is evaluated. Logs of access / access attempts can of course be used when creating new certificates. Alternatively or as a supplement to this, an entry / access attempt can also be made in non-volatile data memories of the stationary units are logged.

Of course, any combination of features belongs to the above Described examples, provided they are within the definition of the independent Claims and are not contradictory.

It is understood that the invention is without countless other embodiments includes and is not limited to the examples described above.

Claims (22)

Method for regulating the access regime to an object or to a group of objects, a mobile unit (2) coming into contact with a stationary unit (3) and this, depending on a verification, releasing the object or a non-releasing event triggers, with a central unit transmitting a certificate to the mobile unit beforehand for the contact between the fixed and the mobile unit, and verification being carried out offline and on the basis of data contained in the certificate, characterized in that the mobile unit has a specific identity code (ID) and that a code authorizing the release of a specific object is determined on the basis of this specific identity code and the certificate. A method according to claim 1, characterized in that the specific identity code (ID) serves as a 'seed number' when encrypting data contained in the certificate. Method according to claim 1 or 2, characterized in that the certificate contains a code which is transferred from the mobile unit (2) to the stationary unit (3) and that the verification is a check of the code for correspondence with data which be determined on the basis of data permanently stored in storage means of the fixed unit (3). A method according to claim 3, characterized in that there is no direct flow of information between the central unit and the fixed unit. Method according to one of the preceding claims, characterized in that the release / non-release can be made dependent on an access time window contained in the certificate or an access quota. Method according to one of the preceding claims, characterized in that the code authorizing the release of a specific object is dependent on the time and / or on status information. A method according to claim 6, characterized in that the certificate contains a function parameter, that the code is calculated as an essentially irreversible function of time and this function parameter, and that in the fixed unit by processor means, the code by evaluating a likewise essentially irreversible function of the Time is verified. Method according to one of the preceding claims, characterized in that no information useful for the certificate flows from the fixed units (3) to the mobile units. Method according to one of the preceding claims, characterized in that the certificate is transmitted to the mobile unit online. Method according to one of claims 1 to 8, characterized in that the certificate is transmitted to a transmission device (5) and is transmitted from there to the mobile unit. Method according to one of the preceding claims, characterized in that energy is transmitted from the mobile unit to the stationary unit beforehand for the verification and / or during the verification. Method according to one of the preceding claims, characterized in that, for authorization, the stationary unit transfers a character identifying the object to the mobile unit and that verification is carried out on the basis of the certificate by processor means of the mobile unit. Electronic locking system with fixed units (3) and mobile units (2), the mobile units being encodable and the fixed units having release means for releasing an object when a mobile unit is connected to them and after a verification has been carried out as a comparison between data was, the mobile units being equipped with communication means for communication with a central unit (1) and with storage means for storing a certificate transmitted by the central unit, that in the mobile units and the fixed units, means for performing the verification offline as a comparison Data contained in the certificate and present in the storage means of the stationary units are characterized in that each mobile unit has a specific identity code (ID) and that a code authorizing the release of a specific object is based on this specific ID entity codes and the certificate can be determined. Locking system according to claim 13, characterized in that the mobile units have energy supply means (2.5) and that there is a power interface (15) for transmitting energy to the fixed units, while the fixed units and the mobile units are connected, so that for verification, the stationary units (3) can be supplied with electrical energy by the mobile units (2). Locking system according to claim 13 or 14, characterized in that the fixed units are free of permanently installed communication lines and free of energy supply means. Mobile unit (2) for carrying out the method according to one of claims 1 to 12 as part of a system according to one of claims 13 to 15, characterized by communication and processor means for exchanging information with a central unit, by storage means for storing data from the Central unit received certificates and through an interface (14, 15) for offline exchange of information with a fixed unit (3), and through a permanently stored identity code (ID). Mobile unit according to Claim 16, characterized by energy supply means (2.5) and a power interface (15) for transmitting energy to a stationary unit. Fixed unit (3) for carrying out the method according to one of claims 1 to 12 as part of a system according to one of claims 13 to 15, characterized by storage means for the non-volatile storage of information characteristic of the fixed unit, an interface (14) for offline Exchange of information with a mobile unit connected to it, and by means for actuating a release mechanism in dependence on a verification of information exchanged with the interface and stored in the storage means. Fixed unit according to claim 18, characterized by a power interface (15) for receiving electrical energy from a mobile unit for carrying out the verification. Fixed unit according to claim 19, characterized in that the means for actuating a release mechanism are designed and connected such that they can also be actuated with electrical energy received from the stationary unit. Computer program with means, one with means of communication with one mobile unit of a system according to one of claims 13 to 15 connectable computer a central unit in the process according to one of the Let claims 1 to 12 form, with means, the computer in Dependency of a request signal sent by a mobile unit Issue certificate and send it encrypted to the mobile unit. Computer program product containing computer readable program code means, one via communication means with a mobile unit of a system according to one of claims 13 to 15 connectable computers a center To have unit formed in the process according to one of claims 1 to 12, the computer readable program code means including means that Computer depending on one sent by a mobile unit Request signal to issue a certificate and encrypted to the mobile Ship unit

Images