EP1780680A1 - Procedure for control of interlock and lock - Google Patents

Abstract

The method involves identifying a user (4) close to an electronic lock (5), displaying a question by the lock, and transmitting, via e.g. e-mail, short message system (SMS) message, the question to an electronic locks managing central computer (1). The central computer computes the answer to the question and transmits the computed answer to the user who presents the answer in the lock. The lock verifies the answer and decides on unlocking of the lock based on the answer. A receipt code is displayed by the lock and transmitted to the central computer by the user. Independent claims are also included for the following: (1) an electronic lock (2) a method for an electronic locks managing central.

Description

Technical area

The present invention relates to an electronic lock lock control method. The present invention also relates to an electronic lock useful for the implementation of this method. The present invention relates in particular to a lock providing the required level of security for ATMs (Automatic Teller Machines) or safes.

State of the art

Conventional locks are locked or unlocked by means of mechanical or electronic keys. Key distribution is restricted to users who are authorized to access lock-protected content. The level of protection depends on the ease with which the keys can be falsified and the trust given to the key holders.

In the case of cash dispensers, the front access is secured by a card reader and a keypad allowing different users to identify themselves before taking a limited number of tickets. Access to the rear face of the dispenser, however, is generally closed by means of a conventional key lock. The bank employees, the bottom conveyors responsible for filling the distributor and the technical repairers all share copies of the same key that allows access to vaults frequently containing tens of thousands of Euros in cash or in a container . The risk is important that one of these keys is lost or stolen and falls into the wrong hands. In addition, it is extremely difficult to find the culprit in case of theft by an unscrupulous employee when a key is distributed to many users.

To remedy these problems, the company Kaba Mas (registered trademark) has been offering for several years a lock sold under the name of Cencon System 2000 (registered trademark). This lock can be opened by means of a conventional electronic key, to identify its holder, and a secret code OTC (One Time Combination, registered trademark). The OTC code is communicated to the user from a central, for example through a telephone call. Only a user who successfully submits both an electronic key and a valid OTC code is authorized to access the contents of the protected distributor.

However, this solution has the disadvantage of always requiring physical keys associated with each distributor. A conveyor requires as many keys as distributors to replenish during its tour, or a key programmed to open several distributors in combination with different OTC codes. The management and programming of keys to be distributed to different users is an administrative headache, especially when a key is lost.

In addition, a user who has fraudulently acquired a key may attempt to call the central office by impersonating the authorized key holder in order to obtain a valid OTC code. The security offered is therefore insufficient.

On the other hand, the electronic key reader comprises electrical, electronic and / or electromechanical elements that offer possibilities for manipulation and additional fraud.

The patent application EP0546701 discloses a lock unlocking verification method in which security is provided by means of different PIN codes and encoded messages that the user must enter into a terminal belonging to him. This terminal is then connected to the protected box to cause its unlocking. The terminal that is usually in the hands of the user is a target for hackers attempting to study it or to build a compatible terminal to access unauthorized vaults.

An object of the present invention is therefore to provide a method and a lock which make it possible to avoid the disadvantages of the methods and locks of the prior art.

• un utilisateur s'identifie auprès de la serrure électronique,
• la serrure électronique affiche une question, de préférence une question à usage unique,
• l'utilisateur transmet la question à une centrale,
• la centrale calcule la réponse à la question et transmet cette réponse à l'utilisateur,
• l'utilisateur introduit la réponse dans la serrure,
• la serrure vérifie si la réponse est correcte et décide en fonction de cette réponse du déverrouillage de la porte.

According to the invention, these objectives are achieved in particular by means of an electronic lock lock control method, comprising the following steps:

• a user identifies himself with the electronic lock,
• the electronic lock displays a question, preferably a single-use question,
• the user sends the question to a central,
• the central calculates the answer to the question and transmits this answer to the user,
• the user enters the answer in the lock,
• the lock checks if the answer is correct and decides according to this response of unlocking the door.

This method has the advantage of forcing the user to transmit a question posed by the lock of the dispenser to the central. This additional operation makes it possible to provide additional tests, for example to check in the central if the question asked is indeed valid.

This method also has the advantage of basing the identification of the user not necessarily on a physical key, but for example by means of password, PIN, or biometric data, more difficult to steal.

In the case of an identification of the user by means of a password or a PIN, this method has the advantage of making it possible to distribute, replace or invalidate very easily passwords, to distance by simple software manipulations from a central.

In a variant, the secret code used to identify the user is verified by the central unit 1, and not by the lock. This avoids the transmission of authorized user lists to different locks.

This method also has the advantage that all the data and all the codes necessary to unlock the lock can be introduced directly into the lock, without passing through an intermediate device offering an additional vulnerability to the attacks.

• des moyens d'introduction de données pour l'introduction d'un code d'identification personnel, et des moyens de vérification dudit code d'identification personnel,
• un module pour générer puis afficher une question en réponse à l'introduction d'un code d'identification personnel accepté,
• un module pour vérifier si une réponse à ladite question introduite sur ledit clavier est correcte, et pour provoquer le déverrouillage de ladite serrure en cas de réponse correcte.

The present invention also relates to an electronic lock comprising:

• data entry means for the introduction of a personal identification code, and means for verifying said personal identification code,
• a module for generating and displaying a question in response to the introduction of an accepted personal identification code,
• a module for checking whether a response to said question entered on said keyboard is correct, and for causing the unlocking of said lock in case of correct answer.

This lock is adapted to the method above; it also has the advantage of not necessarily requiring a key reader, vulnerable and expensive.

• distribution de codes personnels à une pluralité d'utilisateurs afin de leur permettre de s'identifier envers au moins certaines desdites serrures,
• détermination des droits d'accès de chaque utilisateur à chaque serrure,
• réception d'une question transmise par undit utilisateur au travers d'un réseau de télécommunication,
• vérification de la plausibilité de ladite question,
• calcul d'une réponse à ladite question au moyen d'un algorithme confidentiel,
• transmission de ladite réponse audit utilisateur.

The present invention also relates to a method for an electronic lock park management center, comprising the steps of:

• distributing personal codes to a plurality of users in order to enable them to identify themselves with at least some of said locks,
• determination of the access rights of each user to each lock,
• receiving a question transmitted by a user through a telecommunication network,
• verification of the plausibility of the said question,
• calculating a response to said question using an algorithm confidential,
• transmitting said response to said user.

This method can be implemented entirely automatically by a computer programmed for these different tasks, or in a manner assisted by a human operator, or a group of human operators, using a computer.

Brief description of the drawings

• La figure 1 illustre sous forme de schéma bloc un système mettant en oeuvre le procédé et la serrure de l'invention.
• La figure 2 illustre sous forme de diagramme de flux les échanges d'information au cours du processus de l'invention.

Examples of implementation of the invention are indicated in the description illustrated by the appended figures in which:

• Figure 1 illustrates in block diagram form a system implementing the method and the lock of the invention.
• FIG. 2 illustrates in the form of a flow diagram the exchanges of information during the process of the invention.

Example (s) of embodiment of the invention

FIG. 1 illustrates in the form of a block diagram a system comprising a central unit 1 to which different users 4 can connect using a mobile device 3 through a network 2. The system also comprises one or more locks 5 to protect devices not shown, for example cash dispensers, chests, rooms or other protected volumes.

The central unit 1 may be constituted for example by a call center, animated by several human operators, or a server or server group executing a specific application. The network 2 is for example a telecommunications network, for example a conventional telephone network, an Internet or Intranet type network, or preferably a mobile cellular network. Users can get connect to control panel 1 by establishing voice or data communication through the network 2.

In a preferred embodiment, the users connect to the central unit 1 via a mobile cellular network 2 and by sending data, for example SMS (Short Message System), e-mails or IP data packets through a network 2 of GSM, GPRS, HSCSD, EDGE or GPRS for example. The central station preferably automatically receives data via a modem or a suitable router, and can also respond to the user by sending his own data through the same channel, or a different channel. The data exchanged in one of the directions, or in both directions, can be electronically signed and / or encrypted by the central unit 1 and / or by the mobile equipment 3, for example by using a smart card in the mobile equipment 3 .

In another variant, the users 4 connect to the central unit 1 by means of a voice communication. In this case, the central unit 1 uses human operators to react to this voice call, and / or an IVR (Interactive Voice Response) voice recognition system to analyze the content of the user's requests and / or DTMF codes and to synthesize a voice response.

The central unit 1 furthermore comprises a database of authorized users, which contains for each user at least one personal code - or personal code verification data - as well as authorizations, for example a list of locks that the user user is allowed to open. The record comprising each user may further indicate time windows during which access to one or more locks is authorized, a user profile, including for example its name, its coordinates, cryptographic keys for communication with each user, a history of system usage (number of successful trials, unsuccessful trials, dates, times, etc.), and other identification or authentication data, including for example a MSISDN caller number corresponding to its mobile equipment 3, biometric data, etc.

Calculation means 11 in the central unit 1 make it possible to execute an application program for managing the various users and their rights in the data bank 10. The calculation means also make it possible to execute an algorithm making it possible to calculate the response to a number of requests. question ("challenge") received from a user. This algorithm can for example consult a read-only correspondence table that indicates the answer to each expected question, or preferably calculate a mathematical function from each question. The function performed is preferably chosen so that knowledge of any number of answers to previous questions does not predict what will be the answer to the next question (pseudo-random function). The chosen algorithm, or the values allowing to parameterize it (for example the seed in the case of a pseudo-random function) are preferably kept confidential. In addition, a different algorithm, or different values, are preferably used for each lock 5, and / or even for each user 4.

The central unit 1 may further comprise a lock database (not shown), comprising for each lock 5 a profile with information such as the geographical location, the type of protected device, cryptographic communication keys, etc.

The mobile equipment 3 depends on the type of network used. In a preferred embodiment, this equipment is constituted by cellular mobile equipment, for example a cellular telephone or a personal assistant, a smartphone or a personal computer equipped with a connection card to a cellular network, a modem or a personal computer. a router. It is also possible to use a dedicated communication device for this purpose.

The mobile equipment 3 may comprise geolocation means 30, for example a satellite receiver of the GPS type to determine its position and possibly transmit it to the central 1. Insulated worker protection equipment (ITP) 31 makes it possible to check whether the user 4 of the mobile equipment 3 is awake, for example by checking whether move, if it is vertical, if it reacts to requests for answers, etc. The mobile equipment 3 may further comprise additional identification and / or authentication means 32, for example a smart card (SIM card for example), PIN code input and verification means, a sensor biometric, etc. The identification and / or user authentication 4 can be performed locally, that is to say in the mobile equipment or in a smart card inserted in the equipment, or remotely, that is, ie for example in the central 1 which then has means of verification of the data of the smart card, PIN codes and / or biometric data entered. The mobile equipment 3 can be for example portable or installed in a vehicle.

It is however possible to use a conventional mobile telephone as mobile equipment in the context of the invention; it is only necessary for the user to be able to connect by means of this equipment with a central unit 1 to send a question and receive a corresponding answer. It is even advantageous, to increase security, to establish communications between the different users and the central by different types of channels. The plant may for example use this additional information and agree with a conveyor, for example, that the question should be transmitted orally, even if the conveyor has equipment for data communication.

The user 4 is for example a bank employee, a bottom conveyor, a technical repairer, or any natural person authorized by the central 1 to open the lock 5. The user 4 has the knowledge of a code secret personnel that has been transmitted to it by the central 1 and with which it can identify itself to one or more locks 5 of a park locks managed by the central 1. The user 4 is also preferably able to s' identify towards his mobile equipment 3 by means another secret code, for example the PIN code of the phone and / or the SIM card. Other means of identifying the user 4 to the lock 5 and / or to the mobile equipment 3 are conceivable within the scope of the invention; for example, the user could prove his identity by presenting a personal object, such as a key or a smart card, or by biometric identification using fingerprints, iris, retina, voice, face, etc. Of course, different methods can be implemented to identify or authenticate the user 4 towards the mobile equipment 3 and the lock 5. It is also possible to accumulate several identification methods. Furthermore, the identification data entered in the mobile equipment 3 can be transmitted to the central 1 for verification.

The lock 5 comprises an electromechanical element 52, for example a bolt, whose position is controlled by a logic device inside the lock 5 to act on a mechanical mechanism ("linkage") to lock or unlike to unlock access to the protected volume, for example inside a distributor. The lock is preferably intended to be used in combination with a device containing a volume to be protected, for example with a cash dispenser or a safe; it does not itself constitute such a safe, and has no protected volume, but has means not shown to associate it mechanically and / or electrically, so hardly removable with such a chest or such a dispenser.

A numeric or alphanumeric keyboard 51 associated with the lock 5 allows the user to enter his personal code and the answer to the questions asked. Other data input elements (not shown), for example a biometric sensor, a camera, a microphone, etc., may optionally be provided in the lock 5. The lock further comprises a screen 50 for displaying messages in text or matrix mode, including questions, invitations to reply, and status messages.

The lock preferably further comprises one or more optional interfaces 53 which enable it to exchange data with the device it is to protect, for example a cash dispenser, and / or with the central unit 1 through any network, for example a telephone network or the Internet. The communication of data with the device to be protected in which the lock is mounted notably makes it possible to improve the security, thanks to the exchange of information making it possible to detect probable frauds using combinations of indices and thanks to the generation of log files taking into account data collected by both the lock and the protected device. This communication can also, if necessary, be used to control the lock 5 by means of the keypad of the dispenser, to display messages depending on the behavior of the lock 5 on the distributor screen, to echo alarms triggered by the lock by the distributor, or to trigger other actions performed by the distributor. The bidirectional communication preferably between the lock 5 and the central unit 10 makes it possible, for example, to remotely modify the list of authorized users to identify with each lock 5 (unless this check is made by the central), to modify the remote response verification algorithms, to consult the log files generated by the lock, and to remotely detect other events related to the use of the lock. This communication with the central unit 1 can also be carried out through the device protected by the lock, for example by using a modem or a router of this device. In one embodiment, the data exchanged by the lock and the central unit 1 are electronically signed and encrypted, for example through a Virtual Private Network (VPN), so as to preserve their confidentiality and their very authenticity. to the distributor to be protected.

The lock 5 furthermore preferably comprises an electronic watch 54 which enables it to determine the date and time autonomously, and to calculate time intervals. Calculation means not shown, for example a microcontroller, a microprocessor with a memory, an industrial microcomputer, an asic type circuit and / or a FPGA circuit, etc., to manage the dialogs with the user, and to control the electromechanical device causing the locking or unlocking of the lock. The calculation means preferably furthermore comprise a module, for example a software module, for generating and displaying a question in response to the introduction of an accepted personal identification code, and a module, for example a software module, for checking if an answer to the question is correct, and to cause the unlocking of the lock in case of correct answer

The calculation means are preferably protected against physical or software manipulations and may, for example, self-destruct, while keeping the lock closed, during fraudulent manipulations. The lock 5 may further comprise wireless connection elements with the mobile equipment 3, for example a Bluetooth-type interface, for example to detect and verify the presence of this equipment in the vicinity; however, these means can be dispensed with if they introduce an additional vulnerability.

The lock 5 is preferably electrically autonomous and powered with batteries or battery; it remains mechanically locked when the batteries are discharged. Charging or replacing the batteries can then be done without unlocking the lock. In a variant, the lock is electrically powered by the device in which it is mounted, for example a cash dispenser. In yet another variant, it is powered by means of a generator actuated by the user; the watch 54 uses in its own power source case to keep the time even when the rest of the system is no longer electrically powered.

We will now describe with the help of Figure 2 an example of implementation of the method of the invention.

Initially, a user 4 wishing to unlock the lock 5 is physically in front of this lock and introduced during step 100 a personal code on the keyboard 51, for example a numeric or alphanumeric code, for example a 6-digit code.

During step 101, the calculation means in the lock verify the personal code introduced. In a first variant, the personal code is compared with a list of accepted codes ("white list") stored in the lock. This variant however has the disadvantage of having to transmit such a list to the lock, for example through a telecommunications network or through the conveyors. Such a transmission is subject to risks of interception or espionage. To avoid this risk, in a second preferred embodiment, the lock is satisfied to check during step 101 if the personal code introduced is plausible, for example if the format of the code is admissible, if a possible parity code is correct, or if the entered personal code does not belong to a list of rejected codes ("black list") because nonexistent or belonging to refused users. The verification of the particular personal code introduced by the user is in this second variant delegated to the central office, to which the code must be transmitted implicitly or explicitly later.

If the lock detects during the step 101 that the entered personal code is invalid, it is rejected, and an error message can be displayed on the display 50 to inform the user and invite him to introduce a new one. code. In order to prevent "brute force" attacks, that is by successively testing a large number of different codes, it is possible, for example, to introduce a delay between each attempt and / or to limit the number of possible unsuccessful attempts to lock the lock for a longer period, or until an unlocking maneuver is introduced.

In a variant, the user identifies with the lock by proving the possession of an object, for example a key, an electronic key, a smart card, etc. The object presented may itself be protected by a code, especially in the case of a smart card. However, this solution has the disadvantage of requiring an organization to distribute and manage the objects to present. The user can also identify himself by means of biometric data acquired by means of a biometric sensor, for example by means of his fingerprints, the iris, the retina, the face, the voice, etc. . These biometric data however have the disadvantage of not being able to be replaced with the ease of a personal code that can be transmitted at the last moment to the user; a user record is also required to acquire his reference biometric data.

Different identification methods can further be combined. It is also possible to claim additional or different identification depending on the circumstances; for example, a biometric or key identification may be required when the personal code identification has not worked after a predetermined number of tests, or when the sum available in the protected volume exceeds a certain sum, or when other circumstances impose increased security.

If the personal code is valid, the means of calculation of the lock (or, later, those of the central) verify the access rights attached to the user identified by this code. Access rights may be time dependent; for example, it is possible to authorize an unlocking of the lock only during a limited time window corresponding to the time at which the user is expected. This time window can be coded, along with other information, in the control panel response described below.

Depending on the protected object, it is also possible to allow access to different parts of the protected volume to different users; for example, it is conceivable to allow a technician to access only different parts of a distributor, for example to reload the paper, take log files or perform other maintenance operations, while access to the trunk is reserved for other users identified by other codes.

The lock 5 can also check if a particular manipulation has been made during the introduction of the personal code by the user 4 to signal that he is under duress, for example because an attacker is forcing him to introduce the code. The particular handling may involve for example the introduction of a different personal code, the pressure of a key or an additional member, a prolonged press on a key, or other identifiable manipulations unambiguously by the lock 5 but difficult to detect for an assailant observing the maneuver. The detection of a particular manipulation leads to a different behavior of the lock, as will be seen below.

In case of valid identification, the lock 5 then displays in step 102 a question on the display 50. The question displayed may depend on the time, the date, the identified user, the lock , other parameters collected by the lock, and / or a possible manipulation detection to signal a constraint. In addition, the choice of the question may depend on a random factor. Each question is preferably displayed once and is not reused, or at least not for the same user. The displayed question can be generated by a mathematical function, for example a pseudo-random function, and / or chosen in a table of predefined questions. In a preferred embodiment, the pseudo-random function depends at least partially on the value of an incremented counter each time the trunk is opened and / or each unlocking attempt; the counter can never be decremented, and the maximum value that can be counted is sufficient to ensure that the counter does not loop back. It would also be possible to use the time counted by the lock clock to initialize the pseudo-random function; However, a clock must be able to be set on time, and thus be able to be delayed, which could be used to "go back in time" in order to force the lock to generate again a question whose answer is already known.

Successful IDs and unsuccessful ID attempts are preferably stored in a log file in the lock, along with the date and time of the event. This file can be viewed by a technician, for example by introducing a particular code on the keyboard 51, by connecting a computer to a connector on the front face of the lock, and / or remotely from the central unit 1 through a communication network.

The user 4 reads the question displayed during the step 103, then introduces it during the step 104 on the keyboard of his mobile equipment 3. As the question displayed on the display 50 is unpredictable, and It is possible to distinguish the possible questions from the non-lawful questions, it is thus ensured that the user 4 is indeed close to the lock 5 to open.

During the step 105, the question introduced by the user is transmitted by the mobile equipment 3 to the central station, for example in the form of a short message, for example SMS, e-mail, data packets, DTMF code, or voice message spoken by the user.

A dedicated application, for example a Java (registered trademark) applet, can be executed by the mobile equipment 3 to facilitate the introduction of the question and its transmission to the central station 1. In a variant, the question is simply introduced by the user. user and forwarded to a telephone number or to an e-mail address known to the user.

Access to mobile equipment 3, or to the mobile equipment application, may be protected by a password, a pin code, or require other identification or authentication measures. user 4.

In addition to the question entered by the user, the message transmitted to the central unit 1 during the step 105 may include other information, including for example an identification of the mobile equipment 3 used (for example a number of calling MSISDN), user identification data (including his personal code, but also for example a password, a PIN code, biometric data, extracted data of a smart card in the mobile equipment, etc.), position information provided by the geolocation module 30, information provided by the PTI module 31, etc. The message can also be signed electronically by a smart card in the mobile equipment 3, to prove its authenticity and integrity, and / or encrypted to ensure its confidentiality.

During step 106, the central unit 1 receives the message transmitted by the user and verifies it. Verification involves, for example, checking whether the transmitted question is a lawful question, depending on the user who uses it, the lock in front of which he is, the time, etc. If the user's personal code has been transmitted with the question, or if it is implicitly contained in the question, the central unit 1 can also ensure that this user is actually authorized to access this lock at this time, by example according to a road map previously established for a conveyor moving between several locks. Other checks may take into account the geographic location of the user, the data provided by the PTI device, any data provided directly by the lock, information checks signaling manipulation to indicate a constraint, and so on.

If the checks carried out in step 106 make it possible to determine that the question is a legitimate question transmitted at the right moment by an authorized user, the rights of this user are preferably determined. When the user has at least some rights, an answer to this question is computed during step 107, using an algorithm unknown to the users and executed by the calculation means 11. The response is preferably constituted by a numerical or alphanumerical sequence that does not allow a user to immediately determine if it contains implicit instructions for the lock.

If the question is not valid, or if it was transmitted by an unauthorized user, or when the user does not have the necessary access rights, or when other anomalies have been detected, no answer is calculated. Alternatively, an error message informing the user is then transmitted to the mobile equipment 3 and displayed by the latter, for example to allow the user to correct a typing error during the introduction of the question. Alternatively, the central can provide a modified response resulting in modified behavior of the lock. The reaction of the plant and the response sent may also depend on the anomaly detected, the number of unsuccessful attempts, or other conditions.

If the control unit detects, for example from the question received, that the user has made a particular manipulation to indicate that it is under stress, it preferably calculates a response modified by the normal response, in order to cause a particular behavior. lock. Different modified responses can be chosen automatically or by human operators depending on the circumstances, in order to trigger different reactions.

Other additional information may be coded in the response, for example to define the user's access rights to the lock, for example as a function of time.

The answer to the question is then transmitted to the mobile equipment in step 108, then displayed and read by the user in step 109. The response may include, for example, a numeric or alphanumeric code and is introduced by the user 4 on the keypad 51 of the lock 5 during the step 110.

During step 111, the calculation means in the lock 5 check whether the response received is correct. In a variant, this verification involves a comparison with a response calculated by the lock itself, by executing the same algorithm as that executed by the central unit 1. In a variant, the verification of the received response is performed without recalculating it independently, for example by checking the response received by means of a verification key to distinguish the possible answer (s) to the question of invalid answers, depending on the question and / or other parameters. This variant has the advantage of not requiring copies of the algorithm in a multitude of locks scattered over a territory; it is also compatible with algorithms that can provide several valid answers to the same question.

The calculation means 5 furthermore verify in step 111 whether the response received takes into account a manipulation detection by a user under constraint, or whether other parameters are coded in this response.

In a variant, the user indicates a state of constraint to the lock 5 during the introduction of the answer on the keyboard during the step 110, for example by introducing an additional digit, etc. This solution is however less secure because a usurper could introduce the answer himself, without performing any additional manipulation. In addition the central is not informed of a manipulation.

In a further variant, a state of stress is directly detected by the lock 5 from sensors or additional data, data transmitted by the distributor to which the lock is associated, or data directly transmitted by the central unit 1.

If the lock determines during step 111 that the answer entered is correct, and that it does not correspond to a state of stress, the lock is unlocked during step 112, until the next manual lock or for a limited time. The user can thus access the protected volume, or a part of this volume. This event is logged in the log file, indicating the time and duration of the unlock. Moreover, the counter used to initialize the pseudo-random function is irreversibly incremented.

If the lock determines during step 111 that the answer entered is incorrect, the lock remains locked, and an error message may be displayed on the display 50. After a predetermined number of unsuccessful attempts, an alarm can be triggered locally or sent to Central 1 or to another predetermined address. In a variant, the tickets in the dispenser are automatically destroyed or marked with an indelible ink.

• verrouillage de la serrure, ou maintien du verrouillage, éventuellement même si une réponse correcte et introduite ultérieurement pendant une durée limitée,
• déverrouillage normal de la serrure,
• déverrouillage retardé de la serrure après un délai court, mais plus long que le délai usuel
• déverrouillage retardé de la serrure après un délai long, par exemple supérieur à trois minutes,
• affichage d'un message particulier sur l'affichage 50 de la serrure, par exemple pour indiquer à l'assaillant qu'il a été repéré.
• déclenchement d'une alarme, par exemple une alarme sonore
• destruction du contenu du volume protégé par la serrure, par exemple par marquage des billets au moyen d'une encre indélébile
• etc

If the lock determines during step 111 that the answer entered is correct, but that it corresponds to a state of constraint, it performs one of the following actions depending on the answer:

• locking the lock, or maintaining the lock, possibly even if a correct answer and subsequently introduced for a limited time,
• normal unlocking of the lock,
• delayed unlocking of the lock after a short delay, but longer than the usual delay
• unlocking the lock after a long delay, for example greater than three minutes,
• display of a particular message on the display 50 of the lock, for example to indicate to the attacker that he was spotted.
• triggering an alarm, for example an audible alarm
• destruction of the contents of the volume protected by the lock, for example by marking the notes with an indelible ink
• etc.

The latter two options should however be used sparingly to avoid the risk of the legitimate user being held hostage or retaliated.

These different measures can also be combined.

After the introduction of a correct answer, or a response indicating a manipulation, a receipt code is preferably displayed during an additional step not shown on the display 50. The user then enters this code of a receipt on his mobile equipment and transmits it to the central 1, in the same way as the question before, in order to indicate to the central the end of his mission. The required release code is preferably unique and unpredictable in advance, so as to ensure that the user has read it correctly as a result of the manipulation and has not deduced otherwise. The central office is however able to check whether the transmitted acknowledgment code is lawful.

Again, the release code generated by the lock or reintroduced by the user may contain indications indicating to the central particular events, for example to indicate whether the lock was opened, a new state of constraint, or any other event . In addition, the transmitted acknowledgment code can be signed, encrypted and accompanied by data such as date, time, user identification, mobile equipment, position information geographical, etc. The control unit can thus verify this data, or detect the absence of sending of a receipt message after a predetermined delay, to decide on an appropriate action, including the triggering of an alarm, the triggering of an intervention, and / or the locking of other locks nearby or on the intended course of the user even in case of correct operation.

The receipt code generated is preferably, in the same way as the question or the answer, depending on the current user, the lock in progress and / or other parameters such as date, time, detection of possible manipulations.

• En communiquant un nouveau code personnel à l'utilisateur, par exemple par le biais d'un appel téléphonique, d'un SMS, d'un e-mail ou d'un autre message envoyé à l'équipement mobile 3, ou transmis oralement à l'utilisateur
• En modifiant les codes personnels acceptés par les serrures 5, par exemple en envoyant de nouvelles listes de codes acceptés (liste blanche ; seulement dans la variante où ces listes sont stockées dans la serrure), de nouvelles listes de codes refusés (liste noire), de nouvelles listes de codes suspects, nécessitant des vérifications supplémentaires (liste grise), ou en modifiant les droits d'accès associés à ces codes. Les listes de codes et les droits d'accès peuvent être transmis par un canal de télécommunication au travers d'une interface de télécommunication dans la serrure, et/ou au moyen d'une interface de télécommunication liée au dispositif protégé par la serrure, ou introduit directement, au travers d'un support de données physique, par un technicien chargé de la maintenance.
• En modifiant les codes personnels acceptés par la centrale, en fonction de listes blanches, grises ou noires, ou d'autres paramètres tels que le plan de route prévu de l'utilisateur.
• En modifiant la réponse donnée à une question transmise par un utilisateur, ou en refusant de répondre à ces questions.
• En envoyant un ordre directement à la serrure, par exemple un ordre de maintenir le verrouillage pendant un intervalle.

In the above method, an authorization to unlock a particular lock by a particular user can be changed by the central 1 in one of the following ways:

• By communicating a new personal code to the user, for example by means of a telephone call, an SMS, an e-mail or another message sent to the mobile equipment 3, or transmitted orally to the user
• By modifying the personal codes accepted by the locks 5, for example by sending new lists of accepted codes (white list, only in the variant where these lists are stored in the lock), new lists of refused codes (blacklist), new lists of suspicious codes, requiring additional checks (gray list), or by modifying the access rights associated with these codes. The code lists and the access rights may be transmitted by a telecommunication channel through a telecommunication interface in the lock, and / or by means of a telecommunication interface linked to the device protected by the lock, or introduced directly, through a physical data carrier, by a technician responsible for maintenance.
• By modifying the personal codes accepted by the control panel, according to white, gray or black lists, or other parameters such as the user's planned route plan.
• By modifying the answer given to a question sent by a user, or by refusing to answer these questions.
• By sending an order directly to the lock, for example an order to hold the lock during an interval.

Moreover, regardless of the behavior of the central unit, the lock 5 may itself allow or refuse the unlocking as a function of parameters acquired directly or through the protected device, for example by means of sensors, cameras or microphones associated with the device. lock or device, obtained by analyzing the user's manipulations on the keyboard 5, or according to an internal history of the manipulations of this user and / or the lock 5.

It is however possible, in the context of the invention, to provide only part of the unlocking authorization possibilities mentioned above.

The lock described above may be used to secure volumes other than ticket dispensers, for example weapon cabinets used in police stations or by the military, safes, or other volumes whose locking or unlocking by a local user must be authorized by a remote control panel.

Furthermore, the lock of the invention can be programmed at any time, for example from the control panel and / or with the aid of a particular code introduced by a user nearby, to operate in a mode other than the interactive mode described above. For example, it would be possible to reprogram this lock to allow unlocking by some users, or even by all users, without establishing a connection with the central.

Claims (32)

An electronic lock lock control method (5), comprising the steps of: a user (4) identifies himself with the electronic lock, the electronic lock (5) displays a question, the user transmits the question to a central (1), the central calculates the answer to the question and transmits this answer to the user, the user enters the answer in the lock, the lock checks if the answer is correct and decides according to this response of unlocking the lock. The method of claim 1, wherein at the end of the manipulation a receipt code is displayed by said lock (5) and transmitted by said user to the central (1) using a mobile equipment (3). The method of one of claims 1 or 2, wherein a different question is displayed at each access to the lock. The method of one of claims 1 to 3, wherein said control panel verifies whether said question is valid. The method of one of claims 1 to 4, wherein the displayed questions depend on said users. The method of one of claims 1 to 5, wherein said response to said question is calculated by means of an algorithm in said central (1),
and wherein said lock verifies by means of the or an algorithm executed in the lock if said response is correct. The method of one of claims 1 to 6, wherein said user (4) transmits said response to said plant by means of a communication established through a cellular network (2) independent of said lock. The method of claim 7, wherein said user (4) transmits said response to said central (1) by means of a mobile equipment (3) able to connect in a cellular network,
said mobile equipment determining the position of said user by means of a geolocation device (30),
said position being transmitted to said central unit (1),
said central unit verifying said position before transmitting said response to said question. The method of one of claims 7 to 8, said mobile equipment (3) employing isolated worker protection equipment (31) to determine whether said user is alive and / or awake. The method of one of claims 7 to 9, said mobile equipment (3) authenticating said user by means of a smart card, a personal code and / or biometric data (32). The method of claim 10, the identity of said user (4) determined in said mobile equipment (3) being transmitted to said central (1) for verification. The method of one of claims 1 to 11, wherein said user (4) identifies with the electronic lock (5) by means of a personal code introduced on a keyboard (51) of the lock (5) . The method of claim 12, wherein a new personal code is transmitted by said central to said user (4. The method of one of claims 1 to 13, comprising a prior step of defining user access rights identified to said lock. The method of one of claims 1 to 14, wherein said user (4) performs a particular manipulation when introducing said question in said lock when it wishes to signal that it is under stress,
said central unit (1) then reacts by generating a modified response to said question, said modified response being different from the response generated when said manipulation is not performed,
said lock modifying said lock conditions when said user introduces said modified response. The method of claim 15, wherein said central (1) selects one of a plurality of modified response when said manipulation has been detected, introducing at least some of the different modified responses causing at least some of the following behaviors: maintaining the lock of the lock (5); unlocking delay of the lock (5); displaying a message on the display (50) of said lock (5); triggering an alarm; destruction or marking of the contents of the device protected by said lock (5). The method of one of claims 2 to 16, wherein a different release code is displayed at the end of each manipulation. The method of one of claims 2 to 17, wherein said release code is dependent on the current user, the opening of the lock, the current lock, the date, the time, and / or the detection of possible manipulations. Electronic lock (5) comprising: data entry means (51) for the introduction of a personal identification code, a module to generate and then display a question in response to the introduction of a personal identification code, a module for checking whether a response to said question entered on said keyboard is correct, and for causing the unlocking of said lock in case of correct answer. The lock of claim 19 including means for generating and displaying a release code after an unlocking attempt. The lock of one of claims 19 to 20, comprising means for verifying the plausibility of said personal code, said means being devoid of a list of authorized users. The lock of one of claims 19 to 21 including means for detecting manipulations of the user, said generated question being modified when such manipulation has been detected. The lock of one of claims 19 to 22, comprising means for delaying the unlocking of the lock according to the response introduced. The lock of one of claims 19 to 23, comprising a log file for listing the events caused by said users. The lock of one of claims 19 to 24, including a clock fed continuously to determine the time and date. The lock of one of claims 19 to 25, comprising an irreversibly incrementable counter for initializing a pseudo-random function employed to generate said question. The lock of one of claims 19 to 26, comprising an interface for exchanging data with a device protected by said lock. The lock of one of claims 19 to 27, comprising an interface for exchanging data with a remote control unit. Method for an electronic lock park management center (1), comprising the steps of: distributing personal codes to a plurality of users (4) in order to enable them to identify themselves with at least some of said locks, determination of the access rights of each user (4) to each lock (5), receiving a question transmitted by a said user through a telecommunication network (2), verification of the plausibility of the said question, calculating a response to said question by means of a confidential algorithm, transmitting said response to said user. The method of claim 29, wherein said algorithm is different for each user (4). The method of one of claims 29 or 30, comprising a step of detecting indications in said question that said user (4) is under stress, and modifying said response in this case. The method of one of claims 29 to 31, including a step of verifying the geographical position of said user with information transmitted by the latter.

Images