FR2747813A1 - SECURE ACCESS CONTROL SYSTEM FOR AUTOMATIC INVALIDATION OF STOLEN OR LOST ELECTRONIC KEYS AND / OR TRANSFER OF AUTHORIZATION TO PRODUCE KEYS - Google Patents

Abstract

A security access control system comprises a portable storage medium (C) on which is registered an electronic key (CL) including user identification data, the key being provided by a production means (LE), and a means ensuring an electronic locking function (L) to authorise access when the storage medium comprises the required electronic key. According to the invention, a logic key (CL) comprises its own data DPA and its signature S and is registered in the lock (L) when it is first used. When a user loses the medium (C) on which is registered this key (CL), a new key (CL') is registered on another medium and the registration of this new key in the lock overwrites the previous key (CL). To transfer authorisation to make new keys (CL) from one production means (LE) to another, a new public key (K') and the signature (CER) of this key are loaded into it. This invention is useful in the management of buildings.

Description

SECURE BATTERY CONTROL SYSTEM
AUTOMATIC INVALIDATION OF STOLEN ELECTRONIC KEYS8
OR LOST AND / OR THE TRANSFER OF AUTHORIZATION TO PRODUCE
KEYS.

 The present invention relates to a secure access control system allowing automatic invalidation of stolen or lost logical keys and / or transfer of authorization to produce keys.

 The invention is particularly applicable to the field of access control to buildings, computer systems or all kinds of objects whose opening or use must be controlled.

 We know from application PCT / FR95 / 00935 published under the number W096 / 02899, an access control system limited to authorized and renewable time slots.

 This system is based on the use of portable storage media such as smart cards (cards with integrated circuits) with flush or contactless contacts, magnetic cards, badges of electronic keys with contact or contactless. These materials are distributed to all users for whom access will be authorized.

 For this, the storage media have in memory an electronic key giving a right of access.

 This key includes data corresponding to an access authorization period and a digital signature of this data. The period of use corresponds in practice to a date of use and a time slot for use so that the key is only valid for one day and for the defined time slot.

 These keys have a short lifespan and are particularly well suited to an application such as delivery or collection of mail by an attendant. The user of such a support must reload his support every day with a new valid key.

 The problem of theft or loss of an information medium comprising such a key no longer arises since the lifetime of the logical key is ephemeral.

 The person who found or stole the support will no longer be able to use it the next day. It is therefore no longer useful to keep a blacklist of all stolen or lost media.

 This access control system is very effective in applications for which one does not wish to give a permanent or very long access right. However, it turns out not to be suitable in the opposite case.

 Older control systems provide a blacklist for stolen or lost media to prevent unauthorized people who hold such media from accessing the protected set.

 Keeping such lists requires intervention with electronic locks. It is indeed necessary to register on the locks the identification numbers of the stolen or lost media after their holder has made the declaration. These interventions are binding.

 The object of the present invention is to solve this problem.

 The secure access control system offered allows automatic invalidation of keys declared lost or stolen.

 According to the invention, there is no particular intervention to be made with electronic locks. These are the supports of the users who will automatically carry out an invalidation of the stolen or lost supports.

 On the other hand, in the case where a person having an authorization to produce electronic keys and to save them on the storage media, is seen withdrawing this authorization (in the case of the rights of access to a building, it is acts for example of the change of trustee or of the manager of the building), the transfer of authorization to another person, imposes to give to all the users who had access rights, new supports on which the electronic keys are calculated with the key production means holding the new authorization.

 This is a constraint which involves significant costs.

 The secure access control system according to the invention also makes it possible to solve this problem, the media delivered are always valid even in the event of transfer of authorization to another person or more exactly to another means of producing keys.

The invention more particularly relates to an access control system by means of a portable storage medium (C) on which is recorded an electronic key (CL) including user identification data, and a means ensuring an electronic lock function (L) capable of authorizing access in the case where the storage medium comprises the required electronic key, mainly characterized in that
- the electronic key also includes data
own DpA on the support, and the signature
numeric S of this data,
- these data are stored in the lock at
the first use of the support,
- we produce a new electronic key and we
save this key on another medium
memorization for this same user in the case
loss or theft of the previous medium, with a
new own data having a value
greater than the previous one and invalidating the
previous,
- each time the support is used, the lock (L)
verify digital signature S and verify that
the clean data DpA of the key CL of the support is
equal to or greater than the data already recorded
and only allows access when these conditions
are carried out.

 According to another characteristic, the signature S is calculated from a secret key algorithm k and a corresponding public key K by production means LE, the lock has in memory the public key K, a verification function VK of this signature S and of the means for implementing this verification function.

According to another characteristic, to check a DpA data specific to a user, the lock
- compare the DpA own data present on the
support, to the data already recorded during the
first use for this user, and
- save this data in place of the data
already saved when its value is greater
to the data already recorded.

 The specific DpA given to a user can be the date of personalization of its storage medium.

 The DpA own data can be a value obtained by a counter, this value being incremented with each new version of key for a given user.

 These operations make it possible to automatically update the delivery of a new medium to a user by recording in the lock the new data specific to the medium, replacing the previous one.

 When customizing a new medium for a given user, the specific data DpA (date of personalization) has a value greater than the previous one.

 The electronic key CL recorded on a support also includes data identifying this support, or will take for example as data the serial number of manufacture of the support.

 To increase security, the electronic lock includes data corresponding to a DH reference value; access authorization is only given if, in addition, the DpA's own data for the user has a value less than the reference value DH.

 The DH reference data is the current date supplied by an internal clock of the electronic lock.

According to another characteristic of the invention, the production means include authorization information HA given by an authority to produce the keys CL, including a public key K, and the digital signature CER of this information; and we operate a transfer of empowerment to new means
by registering a new public key K 'and the corresponding signature CER'.

 The lock checks any new authorization.

 For this purpose any new public key is registered in the electronic lock for verification with its certificate which will not in principle be kept.

 According to another characteristic, the data relating to the means of production includes an identification data ID, a validity period VAL and the public key K, the validity period assigned to the old key K having an end date which corresponds to the date of start of validity of the validity period of the new key K ', this date being able to be later (ie for example one month).

 According to another characteristic, for the verification of a new version of key K 'of CER signature', the lock compares and replaces the end date of the validity period of the old key with the start date of validity of the key next.

Advantageously, during a verification of an electronic key, the lock also performs the following steps
- compare the personalization date DpA with the validity period VAL of the public key K which has been used,
- authorize access if this date is within the validity period of this key, and refuse access otherwise.

 The public keys K, K ′ are obtained by the authority from a production function FKA with public key KA, with a secret key ka. The lock has in memory at the time of the verification a verification function VKA and the key KA for the verification of the signatures CER or CER '.

Another subject of the invention is an access control system by means of a portable storage medium C on which an electronic key CL is recorded, means for producing these electronic keys and means ensuring a lock function. electronic L capable of authorizing access in the case where the storage medium comprises the required electronic key, according to which the production means include authorization information HA to produce the keys CL, including a public key K, and the signature digital CER of this information, and in which an authorization transfer is made to new means of production by registering a new public key K 'and the corresponding signature
CER '. This new public key is, after verification of the authorization, recorded in the electronic lock L which verifies the keys CL produced by these means LE.

 According to another characteristic, the data relating to the means of production comprises an identification data ID, a validity period VAL and the public key K; the period of validity assigned to a new key K 'has a starting date which corresponds to the date of end of validity of the period of validity of the previous key K.

 Advantageously, for the verification of a new version of public signature key CER ′, the lock compares the start date of the validity period of the new key to the end date of the validity of the previous key.

 The public keys are obtained by the authority from a production function FKA with public key KA, with a secret key ka, the lock comprising in memory at the time of verification a verification function VKA and the key KA for the verification of these CER or CER signatures'.

 Thus, when a new means of production is in service, this means is declared to the lock which will control the keys produced by this means.

 For this, the authority registers the authorization certificate with the lock and the KA key that it used for the calculation. The means of production can itself register its authorization with the lock.

 The media, the keys of which were produced fraudulently by means which are no longer authorized, do not allow access to the protected assemblies.

 Indeed, the transfer of authorization is carried out by secure loading of a new public key with the lock.

 Previous public keys are in principle kept unless the production algorithm has been broken or the secret key of the secret key, public key pair has been discovered.

Other advantages and peculiarities of the invention will appear on reading the following description which is given by way of non-limiting illustration and with reference to the drawings in which:
FIG. 1 represents a secure access control system according to a first object of the invention,
- Figure 2 shows a secure access control system according to a second object of the invention.

 It should be noted that an authority is understood to mean an organization possessing secret keys, means capable of issuing public keys and authorization data.

 By secret key is meant digital data which is known only to an authority or the means of production.

 By public key KA, K, K 'is meant digital data shared by several users, namely, the authority and the means of production of the electronic keys or the means of production and the electronic lock.

 The term “key production means LE” is understood to mean a device for processing digital information, for example a micro-computer, holding HA authorization information and having computing means for carrying out the digital signature of data implementing functions such as 'a classic public key algorithm.

 The term electronic key or logical key CL is understood to mean digital data or more data accompanied by their digital signature giving the right to access.

 The invention is described by way of example, in the application to managing access to buildings.

 We can refer to the diagram in Figure 1 for a better understanding.

 The storage medium C comprising the electronic keys distributed to authorized users may be either smart cards, or smart keys, or badges or magnetic cards. The transmission between the support C and the lock L can be made through electronic contacts or by radioelectric means or by reading a magnetic tape.

 By way of example, a smart card has been chosen as the support.

 It includes an I / O input / output interface 100 and an electrically writable non-volatile memory 101.

 In the example described, the personalization of a support C consists in particular in writing in memory an identification information IDA of the user A comprising for example his name, the number of his apartment and the own data item DpA which is given to him. affected. According to a preferred embodiment of the date of personalization of its storage medium.

 We also write in memory information identifying the support, this is for example the serial number NS for manufacturing the support. In general, this information is entered at the end of manufacturing, before handing over the support to the AT authority.

 The personalization of the supports is made by the LE device (and the person who uses it) who holds an HA authorization (ID, KA, CER, K).

 The LE production device is for example produced by a microcomputer of the PC type, provided with a card reader.

 The diagram in FIG. 1 schematically represents the different functional blocks of this LE device.

 The production apparatus LE comprises a microprocessor type processing unit 200 connected by a bus 201 to memories. A volatile working memory of the RAM 202 type contains the data of the application.

 An EEPROM type non-volatile memory includes in the protected area the secret key k used for the production of the electronic keys. It also includes the electronic key production program.

This program implements a production algorithm of the public key algorithm type FK using the secret key k and the corresponding public key K.

 The memory 203 further comprises the personalization program which consists in writing the own data, that is to say according to the preferred embodiment the date DpA of the personalization day (plus the time if necessary). This information is obtained from an internal clock 204.

 The own data can also be obtained by a counter 206 whose value is increased (incremented by 1 for example) with each new version of key.

 The execution of these programs is started by the authorized person by means of the keyboard 205.

 According to another aspect of the invention, the volatile memory 203, can also contain the public key KA and the authorization certificate CER.

 Indeed, an LE production device must be authorized to produce CL keys. The authorization is taken over by the AT authority.

 In practice, the authority gives him a public key K which will be used to calculate the keys CL. However, the key K is transmitted to it with a signature which is called here CER certificate.

This CER certificate is therefore the digital signature of a data set including the identity of the authorized person ID, his public key K and the validity period VAL such as
CER = FKA (ID, VAL, K),
FKA being the public key algorithm, ka being the secret key for calculating the certificate and KA the corresponding public key. This calculation is made by the AT authority.

 The electronic locks CL are constituted by an apparatus of the chip card reader or microcomputer type equipped with a chip card reader interface for the example of embodiment described.

 The lock L comprises a processing unit 300, an electrically programmable non-volatile memory 301 and a working memory 302. The memory 301 comprises the key verification program implementing a verification function VK of the electronic keys CL.

 This memory 301 also contains the public key K corresponding to the secret key k which was used for the production of the keys CL.

 Lock L allows, according to a first object of the invention, to detect false electronic keys.

 For this, the lock compares the date of personalization DpA of the key CL to the date of personalization that it has in memory for the same medium (IDA identification).

 If there is a tie, the lock allows access. If the date DpA> on the date of personalization present in the lock, then it is a new version of key, the lock updates its list of keys, that is to say that it saves the new in place of old.

 If the DpA date <on the personalization date present in the lock, then it is a reuse of a key declared stolen or lost.

 Access is prohibited. There is no update of the key list.

 When an HA authorization is assigned, the pair public key and CER certificate of the LE key production device as well as the key KA are recorded in the lock in working memory for example, to allow the lock to perform a verification of authorization.

 This verification is made at each new authorization. For this, the lock also contains the certificate verification program, this program implementing a VKA certificate verification function. At the end of this verification, if the certificate corresponds to the public key K, the key is saved in EEPROM memory, the certificate and the key KA are not kept.

 When an authorization change takes place, a CER 'certificate for a new key K' is calculated by the AT authority and loaded into the LE device, reference may be made to the diagram in FIG. 2.

 Thus, in accordance with a second object of the invention, this change of authorization consists in using a new public key K 'and in assigning this new key K' to the device.

 Electronic keys CL calculated by the device which had the old public key K will always be valid as well as the new ones which are produced by a device which has the key K ', from the moment the lock has verified this new authorization.

 We choose the period of validity assigned to the key K so that it has an end of validity date equal to the start date of the period of validity assigned to the key K 'or a slightly later date (one month for example) ..

 In the case where an LE production device has HA authorization data (ID, KA, CER, K) whether it is a first authorization or a new authorization, and in the case where the keys CL (S, DpA, IDA) products have their own data such as the date of personalization of the medium on which they are recorded, the lock can check the access conditions set out in the first part of the description and also compare the date DpA at the period of validity of the public key of the device.

 This comparison will make it possible, for example, to detect the CL keys that would have been produced when the LE production device no longer had the authorization.

 In fact, the DpA customization dates necessarily fall into either one or the other of the VAL or VAL 'validity periods' for keys K or K'.

 In each case, the lock can then compare the personalization date with the validity period corresponding to the corresponding public key. The lock authorizes access when, after this verification, it finds that the date DpA is within the validity period of the corresponding public key.

 As each public key K or K 'has its own validity period, it is easy to detect fraud.

Claims (12)

 1. Access control system by means of a portable storage medium (C) on which an electronic key CL is recorded including a data item identifying the user, and a means ensuring an electronic lock function (L ) suitable for authorizing access in the case where the storage medium includes the required electronic key, characterized in that  - the CL electronic key also includes a  DpA data specific to the medium, and the signature  numeric S of this data,  - these data are stored in the lock at  the first use of the support,  - a new electronic key CL 'is produced and  we save this key on a new medium  memorization for this same user in the case  loss or theft of the previous medium, with a  new own data DpA 'having a value  greater than the previous one and invalidating the  previous,  - each time the support is used, the lock (L)  verify digital signature S and verify that  the clean data DpA of the key CL of the support is  equal to or greater than the data already recorded  and only allows access when these conditions  are carried out.  2. Access control system according to claim 1, characterized in that the signature S is calculated from a secret key algorithm k and a corresponding public key K / by production means LE, and by what the lock has in memory the public key K, a verification function (VK) of this signature S and means for implementing this verification function.  3. Access control system according to claim 1 or 2, characterized in that to check a DpA data specific to a user, the lock  - compare the DpA own data present on the  support, to the data already recorded during the  first use for this user, and  - save this data in place of the data  already saved when its value is greater  to the data already recorded.  4. Access control system according to any one of the preceding claims, characterized in that the own data item (DpA) assigned to the support of a user A is the date of personalization of its storage medium.  5. Access control system according to any one of the preceding claims, characterized in that the proper data is a value obtained by a counter (206), this value being incremented with each new version of key for a given user.  6. Access control system according to any one of the preceding claims, characterized in that the electronic lock (L) has a reference value (DH), and in that access authorization is given only if in addition the specific data DpA to a support has a value lower than the reference value.  7. Access control system according to any one of the preceding claims, characterized in that the DH reference data is the current date provided by an internal clock (303) of the electronic lock.  8. Access control system according to claim 2, characterized in that the production means (LE) comprise authorization information HA given by an authority to produce the keys CL, including an identification data ID, a public key K, a validity period VAL and the digital signature CER of this key, and in that an authorization transfer is made to new means of production by registering a new public key K 'and the corresponding signature CER '.  9. Access control system according to claim 8, characterized in that the validity period assigned to an old key K has an end date which corresponds to the start date of validity of the validity period of the new key K 'or which is subsequent thereto.  10. Access control system according to claim 8 and 9, characterized in that for the verification of a new version of key K 'of signature CER', the lock uses a verification function with public key, in addition the lock compares and replaces the expiry date of the previous key with the expiry date of the new key.  11. Access control system according to any one of the preceding claims, characterized in that during a verification of an electronic key CL, the lock also performs the following operations  - compare the date of personalization DpA with the validity period VAL of the public authorization key K which has been used,  - authorize access if this date is within the validity period of this key, and refuse access otherwise.  12. Access control system according to any one of the preceding claims, characterized in that the public keys are obtained by the authority from a production function FKA with public key KA, the lock comprising in memory at moment of the verification of an authorization, a verification function VKA, and the key KA.