EP2306407A1 - Secure system for programming electronically controlled lock devices using encoded acoustic verifications - Google Patents

Abstract

The system has an acoustic module including an electro-acoustic transducer i.e. microphone, capturing crypto acoustic credentials that are in the form of single-use audio signals, where the crypto acoustic credentials are reproduced by an electro-acoustic transducer (24), of a mobile telephone (22), placed at the proximity of a lock device (28). A data applying unit applies extracted digital credential data to an analysis, authentication and control unit that analyzes, authenticates and controls the digital credential data.

Description

The invention relates to lock devices electrically controlled by means of a dematerialized and encrypted key, this key being able to be conveyed by a portable object held by the user such as a magnetic card, a smart card, a badge or a card. contactless card, etc.

By "lock device" is meant not only a lock stricto sensu, that is to say a mechanism placed for example on a door to condemn the opening, but also any device to achieve a comparable result, for example a lock gun considered in isolation, or a more specific locking device comprising various members not grouped in the same lock box, the ultimate goal being to obtain the conviction by mechanical means of physical access to a place or given space, and access to this place or space by unlocking the lock device, on the order of a user, after verification that this user has access rights (i) that are specific to him and (ii) who are specific to the lock device. The lock device may also include, or be associated with, an alarm system that is to disable to allow access to a given space, or conversely activate to protect this space before or after the to have left.

For simplicity of description, we will speak later simply "lock", but this term must be understood in its broadest sense, without any restrictive character to a particular type of equipment.

The portable object, when approached from the lock, acts as a key for ordering the opening by means of a given hereinafter "certification" (credential). Various coding and encryption techniques can be implemented in the lock and / or in the portable object to provide protection against fraudulent manipulations and secure communication between the portable object and the lock. Numerous magnetic card systems are known, or cards or badges with microcircuit implementing with the lock a galvanic coupling (smart card contacts) or non-galvanic (inductive coupling card or RFID type card). This coupling ensures between lock and badge communication allowing in particular the lock to read in the memory of the badge accreditation data to control the opening if this data is recognized as compliant.

One of the disadvantages of this technique is the need to have a specific portable object, which must be given to the user and that it must keep with him. This also results in the multiplication of portable objects, each corresponding to a different lock (home, office, building door, garage, etc.), which ultimately makes the whole inconvenient and subject to the risk of forgetting.

Another drawback is related to the variety of techniques used, each manufacturer having its own specifications both at the level of the physical layer (technological choice of coupling: inductive, RF, magnetic, galvanic, etc.) at the level of format of the data and protocols for exchanging this data between the reader and the portable object. This variety of techniques, linked to technological choices and implementations specific to different manufacturers, is a brake on interoperability, the standardization of materials and procedures and technological evolution, which prevents the rapid spread of these techniques, despite their indisputable advantages.

Moreover, the system is a fixed system, because if one wishes to update the authorizations, to delete existing authorizations or to create new ones, it is necessary either to proceed to the exchange of the portable object, or to update the memory of the latter by means of a protocol and / or a specific reader, with the need for physical manipulations and displacements.

One of the aims of the invention is to propose an alternative technique of management and control of locks that can complement the existing techniques, or even replace them, without requiring substantial changes in both hardware and software, and which offers a maximum level of security, a great flexibility of implementation and is usable without recourse to a specific portable object. As will be seen later, the technique of the invention can be used by means of any conventional mobile phone serving the portable object carrying the key to control the lock, without the user needs to use a specific and dedicated portable object, such as a badge or card.

The system of the invention can thus be immediately generalized to the greatest number, being usable by anyone from a telephone standard model, unmodified, but enjoying all the security and flexibility of modern cryptographic techniques.

From the point of view of the lock manufacturer, the technique of the invention will allow to adapt without major modification the existing locks, without having to replace the hardware elements or the software already integrated in the lock. It will be seen that the invention is perfectly compatible with the pre-existing techniques implemented by the various current manufacturers, insofar as it limits the intervention to a single layer of the communication protocol (the transmission of the accreditation to the lock), thus maintaining the same logical management of the different levels of security already provided by the manufacturer.

The principle of the invention is based on the use, for the transmission of the accreditation data to the lock, encrypted acoustic accreditations type information.

These acoustic accreditations are for example in the form of a coded series of tones (DTMF tones or other), emitted by the speaker of a transmitting device and picked up by the microphone of a receiving device.

Essentially, the present invention consists in translating, at the level of a secure site, the conventional accreditation used for access management (a data block comprising a manufacturer's identifier, a unique identifier of the lock and possibly additional information ) and translate them into an encrypted acoustic accreditation format. This acoustic accreditation is in the form of an audio signal that can be conveyed by audio transmission channels, including telephone transmission channels, and reproduced as such by acoustic transducers.

The acoustic accreditation is sent in this manner to the mobile phone of the user, which is listed in a database of the secure site. To use the accreditation, the user approaches his phone lock and triggers the transmission by the speaker of his phone in the series of tones corresponding to encrypted acoustic accreditation, so that these tones can be captured by a microphone incorporated or coupled to the lock. The latter operates a translation inverse of the acoustic accreditation allowing to restore the original format of the conventional accreditation, which is then applied to the circuits of the lock to be treated in the same way as if this accreditation had been read by a standard reader coupled to the lock (magnetic or smart card reader, inductive coupling reader or RFID, etc.).

The use of acoustic accreditations is not in itself new, it has already been proposed in other contexts and for other applications, for example by the WO 2008/107595 A2 (Tagattitude).

This document describes a technique for securing logical access to a computer network by a remote terminal, for example by a computer connected to this network via the Internet. The user connects to the network with his computer, simultaneously lights his mobile phone, and calls through it a control site interfaced with the network to which access is requested. To verify the user's authorization, the network sends a sound signal (Acoustic Accreditation) to the remote computer that has just connected, a signal that is reproduced by the speaker of the computer. The user having placed his telephone in front of this loudspeaker, this sound signal is picked up by the telephone, transmitted to the remote control site via the mobile telephone network operator and "listened to" by the control site, who can then check accreditation and authorize access to the computer network by the terminal.

Note that in this case it is a "rising" accreditation: the acoustic accreditation is captured by the microphone of the phone which retransmits it to the control site. Knowing the recipient of the phone call, the control site can identify the user through the mobile phone used for this operation, and thus allow logical access to the network by the terminal located near the phone identified. In the case of the invention, the encrypted acoustic accreditations are on the contrary "downward" accreditations, that is to say that they come from a remote management site and transmitted to the mobile phone of the user.

More specifically, the invention relates, in a manner known per se, to a secure locking device opening control system, comprising at least one lock device provided with electronic circuits. for the conditional control of mechanical locking / unlocking devices from digital accreditation data. This lock device comprises means for recognizing, analyzing and authenticating said digital accreditation data, and means for controlling the unlocking of the mechanical members on recognition of conforming digital accreditation data.

In a characteristic manner of the invention, the system also comprises a mobile phone available to a user authorized to open the lock device, a remote manager site, and a mobile network operator. The management site comprises a database of authorized users, with for each user an identifier associated with a mobile telephone number, means for receiving, as input, digital accreditation data suitable for allowing the opening of specific lock devices. , and an encrypted acoustic accreditation generator comprising means for converting the digital accreditation data into encrypted acoustic accreditations in the form of single-use audio signals. The mobile network operator is coupled to the management site and to the mobile telephone, with means for securely transmitting the encrypted acoustic accreditations from the management site to the mobile telephone of the user, the telephone comprising an electro-acoustic transducer able to reproduce these accreditations. acoustic numbers.

The system of the invention is also characterized in that the lock device comprises an acoustic module comprising an electro-acoustic transducer capable of capturing encrypted acoustic accreditations reproduced by the transducer of the telephone previously placed near the lock device. The acoustic module further comprises means for extracting the digital accreditation data from the encrypted acoustic accreditations captured by the transducer, and means for applying to the recognition, analysis and authentication means the digital accreditation data. thus extracted.

Advantageously, the encrypted acoustic accreditation produced by the acoustic accreditation generator comprises a field resulting from the conversion of the digital accreditation data, and a variable field, with different content for each encrypted acoustic accreditation generated. This variable field can in particular be a sequence number or a time stamp, in which case the acoustic module also comprises means for storing, at each use, the sequence number or timestamp of the encrypted acoustic accreditation which has enabled the unlocking of the mechanical members. , and to compare and verify the conformity of the sequence number or the timestamp of any subsequent encrypted acoustic accreditation.

The digital accreditation data may be: data from the management site database, the latter also memorizing lock device information, with for each lock device an associated unique identifier, a list of authorized users with corresponding data of access rights, and possibly additional information; data transmitted online to the management site by a third party site; data transmitted offline, in batches, to the management site by a third party site; data delivered by a reader coupled to a physical medium storing the digital accreditation data; and combinations of the above data.

In an advantageous embodiment, the acoustic module further comprises means for producing acoustic signals in return, on digital data acquisition accreditation, and an electro-acoustic transducer adapted to reproduce these acoustic signals back. These may include a time stamp issued during, or immediately after, the receipt of acoustic accreditation, the marker being issued at a time corresponding to a predetermined temporal position, specific to the lock device, with respect to acoustic accreditation .

As a variant or in addition, the acoustic module further comprises means for defining an additional parameter for transmitting the accreditation, means for, prior to any acoustic accreditation broadcast, producing an acoustic message coded by said additional parameter, and an electro-acoustic transducer capable of reproducing this acoustic message. The telephone comprises, for its part, an electro-acoustic transducer capable of capturing the acoustic message, and means for transmitting to the management site a message coded by this acoustic message. The encrypted acoustic accreditation produced by the acoustic accreditation generator includes the additional parameter, and the acoustic module also includes means for verifying the compliance of the additional parameter included in the acoustic accreditation received.

This additional parameter can be a password generated by the acoustic module and added as a variable field to the acoustic accreditation produced by the cryptographic generator. It can also be a time offset applied to the emission of the acoustic accreditation produced by the cryptographic generator.

• La Figure 1 illustre de façon schématique les principaux éléments contribuant au fonctionnement du système selon l'invention.
• La Figure 2 illustre plus précisément, sous forme de schéma par blocs, les principaux organes constitutifs du téléphone mobile et de la serrure avec laquelle ce dernier est couplé.
• La Figure 3 illustre les différentes transformations subies par l'accréditation au cours des étapes mises en oeuvre par l'invention.
• La Figure 4 est une série de chronogrammes illustrant les diverses techniques de sécurité permettant d'assurer l'utilisation unique de l'accréditation acoustique dans le cadre de l'invention.

An embodiment of the device of the invention will now be described with reference to the appended drawings in which the same reference numerals designate identical or functionally similar elements from one figure to another.

• The Figure 1 schematically illustrates the main elements contributing to the operation of the system according to the invention.
• The Figure 2 illustrates more precisely, in block diagram form, the main components of the mobile phone and the lock with which it is coupled.
• The Figure 3 illustrates the various transformations experienced by the accreditation during the steps implemented by the invention.
• The Figure 4 is a series of timing diagrams illustrating the various security techniques to ensure the unique use of acoustic accreditation in the context of the invention.

We will first describe with reference to Figures 1 and 2 the different elements used for the implementation of the invention. Various ways of implementing it will then be presented, as well as improved variants to enhance security.

General architecture of the system

One of the essential elements of the invention is a secure management site 10 centralizing in a database DB 12 information to identify and identify a number of locks and authorized users for each of these locks. For each user, the database lists a unique mobile phone number associated with this user, as well as access right data and conditions of use (access reserved for certain days or certain time slots, expiry date right of access, etc.).

In addition to the authorized users, the database also lists for each lock a Unique IDentifier (UID) that is uniquely assigned and uniquely identifies the lock in the various data exchange protocols.

Other data may also be stored by the database, including the algorithms used by the lock, one or more cryptographic keys, a simplified free name ("entry", "garage", "cellar", etc.) to facilitate the selection by a user of one of several locks, etc.

The management site 10 also comprises a cryptographic engine forming a generator 14 of accreditation data.

Typically of the invention, the "accreditation data" (credentials) are encrypted acoustic accreditations or CAC (Crypto Acoustic Credential) in the form of single-use audio signals, for example (but not limited to) made of a succession of dual DTMF tones. These audio signals are designed so that they can be conveyed after digitization by telephone audio transmission channels and reproduced as such by acoustic transducers.

The site manager 10 is coupled to a network 16 of a mobile network operator MNO (Mobile Network Operator) via an audio telephone gateway PGW (Phone GateWay) 18 and a secure connection 20, e.g. IP link type https , so as to convey acoustic accreditations from the generator 14 to telephone 22 of the user through the audio transmission channels (voice channel) of the mobile network.

The mobile telephone network 16 is used in a conventional manner by its various subscribers, each user being in possession of a mobile phone 22 of his own, individualized by the information of the SIM card contained in the telephone set or by another unique feature if the phone operates without a SIM card. Thus, when he uses his personal mobile phone, a user is recognized and identified by the network 16 by means of his subscriber number, and therefore in the same way by the management site 10.

Securing the link between the network 16 and the mobile phone 22 can be operated via a trusted service provider or TSM ( Trusted Service Manager ), able to ensure efficiently and safely the various procedures that the description will be exchange or transmission of information between the management site 10 and the mobile phone 22 via the mobile network operator 16.

In the case of a key materialized by a medium such as a card or a badge, a significant part of the security is ensured by the physical delivery of this object to the legitimate user, in the same way that the delivery of a set of keys. In contrast, in the context of the invention, the object used is a mobile phone, so a trivialized object. But it is recognized and authenticated by the SIM card it contains (or by another single element) and which, above all, identifies the user via his phone number (subscriber number). The management site 10 can thus identify a telephone to which it has been connected via the mobile network operator 16 as being that of the authorized user, listed in his database 12.

The implementation of the invention involves reproducing by the speaker 24 of the mobile telephone 22, as an audio signal, the encrypted acoustic accreditation generated by the cryptographic generator 14 and transmitted as a voice signal by the intermediary of the telephone gateway 18 and the operator of the mobile network 16.

Accreditation reproduced by the speaker 24 of the mobile phone is intended to be picked up by a microphone 26 of a lock 28 so as to control the opening of this lock. It's about allowing the user, holder of the mobile phone number 22 known from the database 12, to prove to the lock 28 that he has the identity that he proclaims, and that he has the rights of access allowing the opening of this lock. The reproduced sound signal thus constitutes a proof of the user's identity and of his opening rights, hence the terminology "acoustic accreditation". This acoustic accreditation is also encrypted (by cryptographic means in themselves known), and it is disposable to avoid any fraud by recording and duplication, otherwise it would be very easy to record the acoustic signal and then reproduce it at will.

The Figure 2 illustrates in the form of block diagram the main organs of the mobile telephone 22 and the lock 28.

The telephone 22 comprises a microcontroller 30 coupled to various peripheral devices such as a transmission / reception circuit 32, a display 34, a keyboard 36, a data memory 38, a corresponding UICC card ( Universal In-tegrated circuit card). the "SIM card" for GSM telephony functions) 40, and the acoustic transducer 24.

Various precautions, known per se, may be provided to increase the security of the process, in particular by an additional validation requested by the user, for example the input of a personal code of the "PIN code" type, or a validation of biometric type, by a biometric reader incorporated in the telephone or by means of a voice recognition system using the telephone microphone (the specific biometric fingerprint that can be stored in the memory 38 of the telephone, or in the UICC card 40, or in the database 12).

• l'identifiant unique UID (Unique IDentifier) permettant de reconnaître cette serrure entre toutes, de manière univoque ;
• des algorithmes de reconnaissance et de décodage ;
• des clés cryptographiques ;
• ainsi que d'autre paramètres spécifiques à la mise en oeuvre de l'invention et qui seront décrits par la suite.

The lock 28, in turn, comprises a microcontroller 44 and an electromechanical system 46 for controlling the unlocking of a bolt or a handle 48 by order of the microcontroller 44. A data memory 50 retains various clean modifiable data lock, including:

• the unique identifier UID ( Unique IDentifier ) to recognize this lock between all, unequivocally;
• recognition and decoding algorithms;
• cryptographic keys;
• and other parameters specific to the implementation of the invention and which will be described later.

• un identifiant de fabricant VID (Vendor ID),
• l'identifiant unique UID de la carte,
• et un champ DATA (facultatif) contenant diverses données nécessaires ou utiles au contrôle du fonctionnement de la serrure.

There are many models of locks of this type, offered by a large number of manufacturers. The opening is controlled by a reader module 52 integrated in the lock, which comprises a communication interface with a key or a badge, by a coupling that can be galvanic (smart card reader) or non-galvanic (optical reader for bar code badge, magnetic card reader, inductively coupled RF reader, etc.). The reader 52 delivers to the microcontroller 44 a digital data accreditation, hereinafter designated DDC ( Digital Data Credential ), according to a format and content specific to each manufacturer and which typically includes (but not exclusively), as illustrated on the line a of the Figure 3 :

• a manufacturer ID VID ( Vendor ID ),
• the unique identifier UID of the card,
• and a DATA field (optional) containing various data necessary or useful for controlling the operation of the lock.

This accreditation in DDC digital data, read by the module 52 in a key or badge that the user has coupled with this module, is analyzed by the microcontroller 44 which conditionally issues an authorization to open the lock 46 if the required criteria are met. completed, including the conformity of the UID.

The invention proposes to replace the module 52, or to complete this module 52, by a module 54 able to process accreditations sent to the lock in the form of acoustic accreditations CAC transmitted by a mobile phone 22, instead of DDC digital accreditations read from a card or badge coupled to module 52.

The acoustic module 54 is provided with an acoustic transducer in the form of a microphone 56 making it possible to pick up the surrounding sound signals, in particular the acoustic accreditation which will be reproduced by the loudspeaker 24 of the telephone 22, and to transform the signals acoustics captured in digital signals applied to a stage 58 forming a translator, for converting the acoustic accreditations CAC into signals of the same format as the accreditations in digital data DDC would have provided the module 52 by reading a badge or a card.

The acoustic module 54 also comprises, advantageously, a transducer 60 making it possible to reproduce a sound signal emitted by the stage 58 and audible from outside the lock, this transducer 60 possibly comprising a loudspeaker or, in a version simplified, a simple component type buzzer (buzzer). It is also possible to use the transducer 46 of the acoustic module 54 by operating it in inverted mode (to emit sound signals instead of sensing them).

Implementation of the invention

Several procedures will now be described for the implementation of the invention by means of the various elements of the system that has just been described.

The primary object of the invention is to replace, or supplement, the "proprietary" technology, specific to the manufacturer and implemented in the reader module 52, with a universal technology based on CAC encrypted acoustic accreditations, which can be implemented without substantial modification of the lock components, both hardware and software.

The basic principle is to retain original digital data (DDC) accreditations with their own manufacturer's content and format, and to convert these DDC accreditations into CAC Accreditations, to transmit CACs to the phone, then to have them reproduced by the manufacturer. the user, by means of the loudspeaker of his mobile phone, the acoustic accreditation CAC thus transmitted. Accreditation captured by the acoustic module 54 is then subject to an inverse conversion, performed by the translation stage 58 incorporated in the acoustic module 54, in order to reconstitute the original DDC digital data accreditation from the Acoustic Accreditation CAC that has been captured.

A preliminary step is therefore to convert the DDC digital accreditation into a CAC encrypted acoustic accreditation.

• en temps réel par un site tiers 62, c'est-à-dire à la demande de l'utilisateur au moment où celui-ci veut ouvrir la serrure ;
• par le site tiers 62 en mode "hors ligne", les accréditations étant délivrées à l'avance sous forme de lots ;
• de façon manuelle au moyen d'un lecteur 64, à partir d'une clé ou badge conventionnel 66 ;
• ou bien directement par le site sécurisé 10, l'accréditation numérique DDC étant conservée dans la base de données 12.

DDC digital accreditation can have several origins (see Figure 1 ), being generated:

• in real time by a third party site 62, that is to say at the request of the user when it wants to open the lock;
• by the third party site 62 in "offline" mode, the accreditations being delivered in advance in the form of lots;
• manually by means of a reader 64, from a conventional key or badge 66;
• or directly by the secure site 10, the DDC digital accreditation being stored in the database 12.

These DDC accreditations in the form of digital data blocks are converted by the cryptographic engine 14 of the secure site 10 into acoustic accreditations CAC.

As illustrated Figure 3 , the conversion can be carried out from a data block in which the fields VID, UID and DATA are presented explicitly, to a field CORE / CAC of the acoustic accreditation CAC (of the line a towards the line c of the Figure 3 ). However, the cryptographic engine may well receive at this stage the information in a non-explicit form (CORE), which is directly converted to give the CORE / CAC field of acoustic accreditation CAC (from line b to line c of the Figure 3 ). Indeed, the knowledge of the content of the digital accreditation DDC is not necessary to operate the conversion, which is simply to create an acoustic "envelope" in which is "dragged" digital accreditation DDC regardless of the content of the latter because the cryptographic engine 14 does not need to know the definition of the fields, the coding, etc. DCC accreditation.

The cryptographic engine 14 also adds to the field CORE / CAC containing the actual accreditation data a variable field, different at each generation of an acoustic accreditation, so as to make this acoustic accreditation unique. It may be data generated by a pseudo-random generator or, preferably, a sequence number SEQ. The field SEQ may be a counter incremented each generation of an accreditation by the cryptographic generator 14, or a time stamp that will be functionally equivalent to the incrementation of a counter.

The cryptographic generator 14 may also provide for the addition to the acoustic accreditation CAC of a password PWD making it possible to further increase the security of the process.

When he wishes to obtain the opening of the lock in front of which he is, the user comes into contact with the management site by any appropriate means. This can be achieved by calling a phone number, or sending a message (SMS, MMS, e-mail, instant messaging, etc.) to the server, which will call back the user's phone for issue the authorization in the form of encrypted acoustic accreditation.

In an "online" implementation mode, the transmission of this accreditation is executed immediately and directly. Alternatively, it can also be executed by a method of "call back" type: in this case, the user makes telephone contact with the management site, which does not respond immediately, but after hanging up rings the mobile phone for that the user establishes again the contact with the site, and it is at this moment that the acoustic accreditation is delivered to him. Regardless of how the user comes into contact with the remote site, the latter delivers the acoustic accreditation directly to the user, without intermediate storage.

This mode is particularly simple to implement, insofar as it is sufficient to use the existing infrastructure, without prior adaptation of the phone, including without any need to load an applet or applet, including midlet or cardlet type . The invention can thus be implemented with any type of mobile phone, even very simple, and without any prior intervention on it. Another advantage lies in the ability to check in real time the validity of the accreditation, for example with the possibility of immediately taking into account a "blacklist" of users. Moreover, thanks to this online mode, it is possible to have at the managerial site a large amount of information on the use made of acoustic accreditation, including the date and time of use. , and possibly the geographical location of the user (by identification of the cell of the network from which the user calls). On the other hand, this mode implies having access to the mobile network, which is not always possible (underground car parks, uncovered areas, etc.). On the other hand it does not in principle allow to have, at the user's choice, several accreditations corresponding to several possible locks, to the extent that it is necessary to have a "one for one" correspondence between accreditation and lock.

Another mode of implementation, "offline", is used especially if access to the network is not assured at the time of use. In this case, the user connects in advance to the management site and receives from it a predetermined number of acoustic accreditations. These accreditations are stored securely in the phone or in a peripheral memory of the phone (for example an SD or MicroSD card). When the user wants to reproduce an acoustic accreditation to open a lock, he launches an application integrated in his phone that searches for the first accreditation among those that have been stored, reproduces it to open the door, and removes it from memory. And so on to use the following accreditations. The application allowing this implementation is an applet stored in the phone, previously sent to it via the mobile network operator, or by downloading to an external medium (SD or MicroSD card), or via a connection Internet. In the case of a download via the mobile network operator, the management site will have previously sent a message such as "SMS", "push SMS" or "WAP push" to the phone, in order to identify the brand and the model of it and present to the user a link allowing the download of the applet. When the provision of accreditations stored in the phone will be exhausted, or will be running out, and the user will be able to access the network again, this credential pool will be reloaded for later use. It is possible to benefit from the link to the network for, at the same time, to trace back to the management site a certain amount of information, including a dated history of the use of previous accreditations.

In any case, and whatever the mode of transmission of CAC encrypted acoustic accreditation, when it wishes to obtain the opening of the lock, the user places his mobile phone near the lock he wishes Unlock and trigger the acoustic signal broadcast of CAC Acoustic Accreditation.

As explained above, the acoustic module 54 of the lock receives this accredited acoustic accreditation CAC (corresponding at line c of the Figure 3 ). The translation stage 58 then extracts the data block CORE (line d from the Figure 3 ), that is to say, in pictorial terms, that he "opens the envelope (acoustic)" containing these data. It is then possible to obtain, directly or after decoding, the digital data accreditation DDC (line e of the Figure 3 ) with its various useful fields VID, UID and DATA, which is identical to the corresponding accreditation DDC before it has been converted by the cryptographic engine (line a of the Figure 3 ).

The DDC accreditation, which is in all respects identical to that read by the module 52 from a conventional key or badge according to the manufacturer's own instructions, is applied to the microcontroller 44 for analysis, verification and conditional unlocking of the lock control system 46.

Note that the various checks performed by the microcontroller 44 are identical to those which would have been made from information read in a conventional manner by the module 52, according to the specifications of each manufacturer. The role of the translator stage 58 is simply to "open the envelope" of the acoustic accreditation CAC to extract the digital information DDC which had been previously placed in this envelope by the cryptographic engine 14, but without intervening on the content of this DDC digital accreditation.

Detection of fraud by signal capture

• 1°) Contrôle de l'unicité de l'accréditation acoustique : du fait de la présence du champ unique SEQ généré différent à chaque version de l'accréditation acoustique CAC, le système ne doit jamais produire deux accréditations acoustiques identiques. De ce fait, le module acoustique de la serrure doit pouvoir détecter et refuser une accréditation qui aurait déjà été produite, et qui serait donc une accréditation frauduleusement captée et réutilisée.
  A cet effet, lors de l'initialisation de la serrure (au moment de l'installation du module acoustique 54 ou à l'occasion d'une réinitialisation de celui-ci), un registre du module 54 est mis à zéro. Lors de la première utilisation, c'est-à-dire lorsque la première accréditation acoustique CAC est captée, le module 54 mémorise le numéro de séquence SEQ inclus dans cette accréditation acoustique (ou la date et l'heure, dans le cas d'un horodatage).
  A chaque utilisation ultérieure, le module 54 vérifie que le numéro de séquence de l'accréditation captée est supérieur au numéro de séquence qu'il avait conservé en mémoire dans le registre (ou vérifie que la date et l'heure sont postérieures aux informations correspondantes mémorisées). Si tel n'est pas le cas, l'ouverture est refusée, car il s'agit d'une fraude. En revanche, si la condition est bien remplie, la serrure est déverrouillée et le registre est mis à jour avec le nouveau numéro de séquence (ou avec les nouvelles valeurs de date et d'heure).
• 2°) Génération d'un marquage temporel par la serrure : une autre mesure de précaution, expliquée notamment en référence à la Figure 4, consiste à faire émettre par le HP ou buzzer 60 du module acoustique 54, pendant la réception de l'accréditation acoustique CAC ou juste après celle-ci, un parasite acoustique ou "bip" à un instant prédéfini, toujours le même pour une serrure donnée mais toujours différent d'une serrure à l'autre.

Various measures can be considered to avoid fraud, including that of recording the audio signal reproduced by the phone at the time of use, then use the recorded signal to open another lock, or to try to get a new opening the same lock (while the accreditation is normally for single use and must be renewed each time).

• 1 °) Control of the uniqueness of Acoustic Accreditation : Due to the presence of the unique SEQ field generated different to each version of Acoustic Accreditation CAC, the system must never produce two identical acoustic accreditations. Therefore, the acoustic module of the lock must be able to detect and refuse an accreditation that would have already been produced, which would be fraudulently received and reused.
  For this purpose, during the initialization of the lock (at the time of installation of the acoustic module 54 or during a reset thereof), a register of the module 54 is set to zero. At the first use, that is to say when the first acoustic accreditation CAC is received, the module 54 stores the sequence number SEQ included in this acoustic accreditation (or the date and time, in the case of a time stamp).
  At each subsequent use, the module 54 verifies that the sequence number of the accreditation received is greater than the sequence number that it had kept in memory in the register (or verifies that the date and time are subsequent to the corresponding information stored). If this is not the case, the opening is refused because it is a fraud. On the other hand, if the condition is fulfilled, the lock is unlocked and the register is updated with the new sequence number (or with the new date and time values).
• 2 °) Generation of a temporal marking by the lock : another precautionary measure, explained in particular with reference to the Figure 4 , consists in having the HP or buzzer 60 transmit the acoustic module 54, during the reception of acoustic accreditation CAC or just after it, an acoustic noise or "beep" at a predefined time, always the same for a lock given but still different from one lock to another.

On line a of the chronogram of the Figure 4 , the acoustic accreditation CAC emitted by the telephone is illustrated, and on the line b , the beep, designated BEEP1, emitted by the acoustic module 54 at a time offset by T ₁ from the beginning of the reception of the accreditation CAC.

The signal heard near the telephone, and therefore likely to be recorded, is that shown in line c , with superposition of the CAC signal emitted by the telephone and BEEP1 signal issued by the acoustic module of the lock.

If a fraudster records this combined signal and presents it to another lock as acoustic accreditation, this other lock will emit a BEEP2 parasite according to the same technique as the first, but at a different time position T ₂ (line d of the Figure 4 ).

The combined signal received by the acoustic module of this other lock will therefore be that illustrated line e of the Figure 4 , that is to say a signal comprising two acoustic parasites BEEP1 and BEEP2. The presence of these two parasites will be immediately recognized by the acoustic module, which will refuse the opening.

Note that if the fraudster had represented on the same lock (and not another lock) the acoustic accreditation CAC he had recorded, it would correspond to the line f of the Figure 4 , so with an acoustic noise BEEP1 confused with that emitted at the same time by the acoustic module 54. But in this case the sequence number SEQ1 would be equal to, or less than, that already stored in the memory of the acoustic module of the lock, which will thus be able to detect fraud due to this non-compliant sequence number SEQ1.

Additional security with bidirectional communication

A bidirectional communication can be established with the secure site 10 if it is possible on the phone to obtain a link with the network at the time of use, which can be traced back to it from the phone.

In particular, prior to the generation of the acoustic accreditation CAC, the acoustic module 54 of the lock can produce in acoustic form a password, which is picked up by the microphone of the telephone, then transmitted to the network and to the remote site 10 for to be incorporated in the acoustic accreditation CAC that will be generated by the cryptographic engine 14 (PWD field of the line c of the Figure 3 ). Acoustic accreditation CAC then reproduced by the telephone will include this password, which can then be decoded by the acoustic module 54, which will verify that it matches well with the one just generated by the same module just before.

As a variant or in addition to this password, another security consists in causing the acoustic module 54 to generate a delay value or time offset Δt ₁ , which is different each time (for example a random delay), and to transmit it to the secure site 10 so that it adds this time offset Δt ₁ to the acoustic accreditation CAC during the broadcast of it (line g of the Figure 4 ). The acoustic module 54 then verifies, upon receipt of the acoustic accreditation CAC, that it starts well with a time shift Δt ₁ , introduced by the remote server, which is equal to the offset value that it had itself. generated just before and sent to the server.

Claims (9)

A secure locking device opening control system, comprising: at least one lock device (28) provided with electronic circuits for the conditional control of mechanical locking / unlocking members (46) from digital accreditation data (DDC), said lock device comprising: Means (44) for recognizing, analyzing and authenticating said digital accreditation data, and • means (44) for controlling the unlocking of the mechanical members on recognition of digital accreditation data compliant; system characterized in that it also comprises: - A mobile phone (22) available to a user authorized to open the lock device; a remote management site (10), comprising: A database (12) of authorized users, with for each user an identifier associated with a mobile telephone number, Means for receiving, as input, digital accreditation data (DDC) capable of allowing the opening of specific lock devices, and A generator (14) of encrypted acoustic accreditations, comprising means for converting said digital accreditation data (DDC) into encrypted acoustic accreditations (CAC) in the form of single-use audio signals; and a mobile network operator (16), coupled to the management site and to the mobile telephone, with means for securely transmitting said encrypted acoustic accreditations from the management site to the mobile telephone of the user, the telephone comprising an electro-acoustic transducer (24); ) adapted to reproduce said encrypted acoustic accreditations,
the system being further characterized in that the lock device (28) comprises an acoustic module (54) comprising: • an electro-acoustic transducer (56) capable of capturing encrypted acoustic accreditations reproduced by the transducer (24) of the telephone previously placed near the lock device; Means (58) for extracting said digital accreditation data (DDC) from the encrypted acoustic accreditations (CAC) captured by the transducer; and Means for applying to said recognition, analysis and authentication means (44) the digital accreditation data (DDC) thus extracted. The system of claim 1, wherein the encrypted acoustic accreditation (CAC) produced by the acoustic accreditation generator (14) comprises: a field (CORE / CAC) resulting from the conversion of said digital accreditation data (CAC), and - a variable field, with a different content for each encrypted acoustic accreditation generated. The system of claim 2 wherein: said variable field is a sequence number (SEQ) or a time stamp, and - The acoustic module (54) further comprises means for storing at each use the sequence number (SEQ) or timestamp of the encrypted acoustic accreditation (CAC) allowing the unlocking of the mechanical members, and for comparing and verifying the conformity of the sequence number or timestamp of any subsequent encrypted acoustic accreditation. The system of claim 1, wherein said digital accreditation data (DDC) is data of the group consisting of: data from the database (12) of the management site (10), the latter also memorizing lock device information, with for each lock device an associated unique identifier, a list of authorized users with data corresponding rights of access, and possibly additional information; - data transmitted online to the management site (10) by a third party site (62); - data transmitted offline, in batches, to the management site (10) by a third site (62); data delivered by a reader (64) coupled to a physical medium (66) storing the digital accreditation data; and - combinations of the above data. The system of claim 1, wherein the acoustic module (54) further comprises: Means for producing acoustic signals in return, on digital data acquisition accreditation; and An electro-acoustic transducer (56) capable of reproducing said acoustic signals in return. The system of claim 5, wherein said feedback acoustic signals comprise at least one time marker (BEEP1, BEEP2) issued during, or immediately thereafter, the Acoustic Accreditation Reception (CAC), which marker is issued at a time corresponding to a predetermined temporal position (T1, T2), specific to the lock device, with respect to acoustic accreditation. The system of claim 1, wherein: the acoustic module (54) furthermore comprises: Means for defining an additional parameter for transmitting the accreditation; Means for, prior to any acoustic accreditation broadcast, producing an acoustic message coded by said additional parameter; and An electro-acoustic transducer (56) adapted to reproduce said acoustic message, - The telephone (22) comprises an electro-acoustic transducer adapted to capture said acoustic message, and means for transmitting to the management site (10) a message encoded by this acoustic message; the encrypted acoustic accreditation (CAC) produced by the acoustic accreditation generator (14) includes said additional parameter; and the acoustic module also comprises means for verifying the conformity of the additional parameter included in the acoustic accreditation received. The system of claim 7, wherein said additional parameter is a password (PWD) generated by the acoustic module (54) and added as a variable field to the acoustic accreditation (CAC) produced by the cryptographic generator (14). ). The system of claim 7, wherein said additional parameter is a time offset (Δt1) applied to the acoustic Accreditation (CAC) output produced by the cryptographic generator (14).

Images