GB2438434A

GB2438434A - Selectively enabling and disabling vehicle key security transponder

Info

Publication number: GB2438434A
Application number: GB0610162A
Authority: GB
Inventors: Pat Keenan
Original assignee: Nissan Motor Manufacturing UK Ltd
Current assignee: Nissan Motor Manufacturing UK Ltd
Priority date: 2006-05-23
Filing date: 2006-05-23
Publication date: 2007-11-28
Anticipated expiration: 2026-05-23
Also published as: GB2438434B; EP1860617A2; GB0610162D0; EP1860617A3

Abstract

In order to deter theft of a key, means is provided for enabling and disabling a key so that when not to be imminently used, the key may be disabled, thus rendering it useless in the event that it is stolen. The key may be a vehicle key (14) for use in conjunction with an engine start system which is operated only when the key (14) is validated following encrypted communication with a vehicle immobiliser. The key (14) may be disabled by modifying a security code in a transponder memory (28) of the key (14) so that a code generator of the key is unable to generate a proper validation code for communication to the vehicle immobiliser. The key (14) is enabled by correctly writing the security code (60) to a key memory. The security code (60) may be written to the key (14), and modified, by a terminal (54) remote from the vehicle or resource with which the key (14) is associated e.g. located in a home or other premises. The terminal (54) may include security means such as a keypad (58) for PIN entry prior to operation. Communication between the terminal (54) and the key (14) may be wireless. The key may be operable so as to remain enabled only for a set time period.

Description

SECURITY SYSTEMS

This invention relates to security systems and particularly, but not exclusively, to key-operated vehicle security systems including the elements of a key, vehicle security components, an additional security component distinct from the vehicle security components and related methods of operation.

In a vehicle context, keys are used to lock or unlock doors controlling access to the vehicle interior. Keys may also be used to control access to other parts of the vehicle including storage areas, the engine compartment and a fuel filler. Keys also control access to vehicle functions and resources such as accessories, engine ignition and engine start. Any facility, area or function to which the access needs to be controlled in a secure manner may be regarded generically as a secured resource' in this specification. Similarly, the term access' should therefore be construed with corresponding breadth in this specification.

The term key' should also be construed broadly in this specification. A key need not necessarily be a mechanical key having a toothed or patterned metal blade which matches a mechanical lock. Indeed, most modern vehicles can be opened by remote control, typically using radio frequency (RF) transmission, without inserting a mechanical key into a mechanical lock. Increasingly, a vehicle engine can also be started without inserting a mechanical key into a mechanical lock: instead, the driver need merely have an electronic key about his or her person in order to start the engine by, for example, touching an engine start' button in the vehicle cabin.

Nowadays, mechanical keys and locks increasingly provide merely a back-up function in the event that an electronic key is damaged or loses power, for example due to a flat battery. Commonly, therefore, electronic keys include a toothed or patterned blade co-operable with a mechanical lock. Also, it is still the case that most vehicles having remote-control entry systems require the insertion of a mechanical key into a mechanical lock to start the engine.

In the present context, the term key' should be construed as a physical, tangible key and typically refers to, but is not limited to, a hand-held key carried by a user permitting access to a secured resource. This will be used as the basis of the more detailed description of the prior art that now follows.

In this regard, reference will now be made to the accompanying drawings and particularly Figures 1 to 4 which illustrate the progression of vehicle security systems to the present day. In those drawings: Figure 1 is a block diagram of a vehicle security system reliant upon a mechanical key and lock; Figure 2 is a block diagram of an improved vehicle security system in which a mechanical key and lock is supplemented by an immobiliser acting on an engine control module; Figure 3 is a block diagram of a vehicle security system corresponding to that shown in Figure 2 but including a body control module also responsive to the immobiliser; and Figure 4 is a block diagram of communications between an engine control module, immobiliser control module and a transponder associated with a vehicle key.

In Figure 1, a known vehicle security system 10 is used to control the start function of an engine 12. A key 14, matched to a barrel lock 16, is inserted into the lock 16 and turned to close an electrical circuit 18. The circuit 18 forms part of the vehicle wiring harness (not shown) and, for simplicity, is shown without components such as relays that are necessary in practice.

Turning the key 14 to a first position closes the circuit 18, activating an engine control module (ECM) 20. The ECM 20 must be activated before the engine 12 can be started. By turning the key 14 to a second position against spring bias, a starter motor (not shown) is powered to turn the engine crank while the ECM 20 controls ignition and fuel supply. This starts the engine 12, whereupon the ECM controls its subsequent operation in accordance with the user's commands.

Once the engine 12 is started, the key 14 is released to return under spring bias to the first position in which the starter motor is disengaged and inoperative.

Conventional mechanical vehicle security as illustrated in Figure 1 can easily be overcome by a criminal. For example, the lock 16 could be forced without use of the key 14 to assume the first and second positions necessary to start and run the engine 12. It is also possible forcibly to access and tamper with the vehicle wiring harness, resulting in the electrical circuit 18 being closed or hot-wired'. Doing so simulates the use of a key 14 in the lock 16 allowing the engine to be started and the vehicle to be driven away.

The improved vehicle security systems 22 and 24 shown respectively in Figures 2 and 3 use an immobiliser to achieve greater security by verifying the presence and identity of the correct key. This enables engine start to be blocked if no key is present, as when forcing the lock or hot-wiring the vehicle. Engine start can also be blocked if a bogus key is used that emulates the unique blade pattern of the correct key, for example if the correct key is clandestinely copied; such a bogus key could otherwise be used to start the engine. Attempts to start the engine by picking the lock will also be foiled.

The immobiliser function of the systems 22 and 24 in Figures 2 and 3 respectively is effected by an immobiliser control module (1CM) 26 associated with the vehicle that interacts with the ECM 20 and with a transponder 28 associated with the key 14. Communication means between the 1CM 26 and the transponder 28 is effected via a coil antenna 30 associated with the lock 16. Although shown beside the lock 16 in Figures 2 and 3 for clarity, the antenna 30 typically encircles the lock 16 in practical immobiliser arrangements.

Figures 2 and 3 differ in that Figure 3 further includes a body control module (BCM) 32 interposed between the 1CM 26 and the ECM 20. This is to show that additional vehicle components or modules other than the ECM 20 can be involved in immobiliser operation. The BCM 32 typically controls vehicle ancillaries not associated with the engine 12, such as lights, wash/wipe and door locking.

Distributing immobiliser functions in this manner makes it more difficult and expensive for a criminal to circumvent the immobiliser by replacing vehicle components. Also, where the BCM 32 controls door locking, the BCM 32 and the transponder 28 suitably interact during the locking and unlocking process so that the doors will only unlock in response to a code emitted by the correct transponder 28.

The description that follows refers specifically to the embodiment shown in Figure 2. However, it will be understood that much the same processes underlie the operation of the embodiment shown in Figure 3, with the further steps of communicating with the ECM 20 via the BCM 32.

In a secure environment, such as a vehicle factory or at a supplying dealer, matching electronic codes are stored in memories of both the 1CM 26 and transponder 28. When the key 14 is inserted and turned in the lock 16 to the first position, the ECM 20 is activated as in the arrangement shown in Figure 1. When activated, the ECM 20 acting through the 1CM 26 powers-up the transponder 28 by induction via the antenna 30. Once powered-up, the transponder 28 emits a signal using short range RF, which signal includes the code stored in the transponder 28. The 1CM 26 receives this signal via the antenna 30. A match between the codes stored in the transponder 28 and the 1CM 26 confirms to the 1CM 26 that the correct transponder 28 and hence the correct key 14 is present.

The 1CM 26 then sends a signal to the ECM 20 enabling the ECM 20 to start the engine 12 when the key 14 is turned to the second position. Thus, vehicle security cannot be circumvented by measures such as hot-wiring in the absence of the correct transponder 28.

Vehicle security using fixed codes as described above can easily be circumvented.

Specifically, a criminal can obtain, access, emulate or adapt an 1CM 26 and a transponder 28. Using a computer and an antenna, a criminal is able to decipher the codes and reprogram the transponder and/or the 1CM, or program corresponding replacement components. For example, by emulating the 1CM 26 and antenna 30 of a vehicle, a fixed code can be read from a transponder such that a bogus transponder can be programmed with that code. Also, if a transponder broadcasts its fixed code as, for example, when unlocking a vehicle door by remote control, it is possible for a criminal to detect the code using a scanner and to program a bogus transponder with that code.

A bogus transponder can be integrated into a copy key allowing the vehicle security system to be overcome and the vehicle to be stolen. It is also possible to use a bogus transponder without a key, as the presence of a bogus transponder will allow traditional theft methods such as forcing the lock or hot-wiring to succeed.

In view of the security drawbacks of fixed codes, it is known to use rolling codes.

Rolling code systems may be characterised as using a different code upon each access operation. The transponder and the 1CM 26 are synchronised such that the 1CM 26 expects the transponder to reply with a particular different code upon each successive access operation. In this way, a criminal knowing only the last code that was used cannot readily determine the next code that must be used to achieve the same objective.

Rolling code systems rely upon a predetermined sequence of codes being generated by or stored in the transponder 28 and the 1CM 26. For example, an algorithm may take the previous code of the sequence to generate the next code of the sequence. If both the transponder 28 and the 1CM 26 are programmed with the same starting code and the same algorithm, the code sequences will be synchronised in a manner that will only be apparent to a criminal if the algorithm is known or can be determined. Another rolling code technique involves a fixed number of different codes stored in an equal number of corresponding address locations in the 1CM 26 and the transponder 28. The codes and sequence of codes in the 1CM 26 and the transponder 28 are the same.

Vehicle security using rolling codes can be circumvented using similar techniques to those used in detecting fixed codes, although circumventing a rolling-code system places greater demands upon a criminal. Specifically, the transponder 28 must be activated repeatedly with each code emitted from the transponder 28 being recorded until all codes are recorded. Thereafter, a computer using the recorded codes is configured to emulate the transponder 28 and communicates via the antenna 30 to the 1CM 26. The computer transmits codes to the 1CM 26 and monitors the communicated response, using the response to decipher the code sequence and/or algorithm.

With codes, code sequence and/or algorithm of the 1CM 26 deciphered, a bogus transponder can be programmed to match the 1CM. The bogus transponder can then be integrated into a copy key allowing the vehicle security system to be overcome and the vehicle to be stolen. Alternatively, as with fixed-code systems described above, it is possible to use a bogus transponder without a key, as the presence of a bogus transponder will allow traditional theft methods such as forcing the lock or hot-wiring to succeed.

With increasing computer power, the time required for copying and sequencing of rolling codes and deciphering algorithms has been reduced significantly.

Consequently, criminals are no longer adequately deterred from stealing vehicles protected by rolling-code systems.

Against this background, the current state of the art in vehicle security systems employs cryptographic immobilisers. In such systems, communications between a transponder and a 1CM are encrypted: the transponder and the 1CM both store an identical encryption key and run identical algorithms. In use, the 1CM outputs a random number code to the transponder. That code is processed by the 1CM and by the transponder in parallel using their identical encryption keys and algorithms.

Thus, the code is identically modified by the encryption keys and algorithms of the 1CM and the transponder.

In this way, the 1CM can challenge the transponder with the random number code and the transponder can respond to the challenge with a number code matching that produced by the algorithm and encryption key of the 1CM. Neither the challenge nor the response directly discloses the encryption key, in contrast to fixed and rolling code systems that inherently disclose the codes upon which they rely. It is noted that transponders using traditional fixed and rolling code systems emit their codes when powered up, allowing criminals to emulate the vehicle security system and detect the codes.

Overcoming a cryptographic immobiliser requires substantial computational power and time to decipher the encryption key and algorithm. Using current computer technology, approximately 24 hours would be required to decrypt a system that uses a 48-bit binary code. Increasing the code length results in an exponential increase in the computational power and time required to decipher the encryption key and algorithm. In essence, cryptographic immobilisers cannot be overcome by criminals over practical timescales for the purpose of vehicle theft.

The pressure of the insurance market and legislation such as EU Directive 95/56/EC means that cryptographic immobilisers have become the de facto standard in the automotive industry.

A cryptographic immobiliser system 34 will now be described with reference to Figure 4.

Firstly, to ready the system 34 for use by programming the transponder 28, a fixed 48-bit initialisation code stored in the 1CM 26 is sent via an antenna to the transponder 28. This synchronises the 1CM 26 and transponder 28 such that both store a common encryption key 36 and algorithm 38. Thereafter, neither the 1CM 26 nor the transponder 28 can emit the code during normal use: this is intended as a once-only initialising operation, to be conducted by the manufacturer or supplying dealer. However, it is possible to repeat the initialising operation in secure circumstances, for example in the event of key replacement due to damage or loss. This may involve a dealer, for example, entering an enter factory mode' command to the ECM 20 that communicates with the transponder 28 via the 1CM 26.

Whilst Figure 4 omits a body control module (BCM) for simplicity, practical systems may involve a BCM that communicates with the ECM 20 and/or with the 1CM 26. Where a BCM and ECM are used together, those modules may interrogate and/or respond to each other, in addition to interrogation of the transponder 28.

In practice, forty bits of the 48-bit initialisation code represent the encryption key 36 and the remaining eight bits represent an instruction to the transponder 28, fixed within the physical key, to act in a predetermined manner. That action is to write the encryption key 36 to the memory of the physical key, and in particular to a first address location 40 in the transponder 28. It will be noted that the transponder 28 has further address locations, only one of which -a second address location 42 -is shown in solid lines, for simplicity.

The key verification process is initiated in a similar manner to the systems described in Figures 2 and 3. Thus, turning a key to a first position activates the ECM 20, in turn requesting the 1CM 26 to validate the presence of the correct key as identified by the transponder 28. The 1CM 26 includes a random number generator 44 that, on each access operation, either generates a random number on an ad hoc basis or provides a random number from a stored list of such numbers.

The random number is transmitted to the transponder 28 as a challenge 46 where it is modified by the algorithm 38 in accordance with the encryption key 36 stored at the first address location 40. The result is a response 48 transmitted back to the 1CM 26.

Meanwhile, the 1CM 26 runs an identical algorithm 38 to modify the random number in accordance with the same encryption key 36 to generate an answer 50 that will match the response 48 if the correct transponder 28 is present. The 1CM 26 includes a comparator 52 to verify a match between the response 48 and the answer 50. Upon determination of such a match, the 1CM 26 sends a signal to the ECM 20 enabling the engine to start.

It will be apparent that only random numbers are communicated between the 1CM 26 and the transponder 28. As mentioned above, this prevents the encryption key 36 being read directly and extends significantly the period of time required to decipher the encryption key 36 or the algorithm 38.

As cryptographic immobiliser systems are so difficult to overcome, criminals are faced with two choices to circumvent such systems. Firstly, in theory, it would be possible for a criminal to remove each vehicle security component such as the ECM and BCM and to replace them with new or bogus components. Secondly, and more practically, criminals can simply steal the key.

There has been a massive increase in burglaries for the purpose of stealing keys for the theft of, or other access to, vehicles parked outside the home or other premises. When a vehicle is not in use, the driver will typically leave its key in a convenient and predictable location where it can easily be retrieved and so can also easily be found and stolen once a thief has gained access. For example, it is known for car keys to be fished' from a coat, hook or table in an entrance hall, using a rod passed through the letterbox of a home.

Whilst it is possible to hide vehicle keys in a secret location to deter theft, it is difficult to find a location that is convenient for daily use and yet that will defy efforts by a thief to guess where it is. Locking a key away is another option, for example storing the key in a secure box that is locked by another key or protected by a key code. However, security that relies upon a physical barrier can be circumvented by force.

Paradoxically, therefore, the effect of ever-better immobilisers has been to shift crime from being perpetrated merely upon vehicles to being perpetrated upon vehicle owners and their property. Unauthorised entry to the home or workplace carries a risk of violence, of injury to vehicle owners and of damage to property.

It is against this background that the present invention has been made. This invention results from our efforts to overcome the problem of unauthorised acquisition of the key resulting in vehicle theft. Other aims of the invention will be

apparent from the following description.

In a broad sense, the invention resides in the ability to enable and disable a physical key for controlling access to a secured resource. Enabling and disabling the key is typically carried out by associated enabling and disabling apparatus, preferably in the form of a security terminal.

Accordingly, in an advantageous aspect, the invention resides in a security system comprising a physical key for controlling access to a secured resource. The physical key includes a memory for storing a security code and a code generator responsive to the security code to generate a validation code, such as an encryption key, for confirming the validity of the physical key to access the secured resource.

Furthermore, the security system includes a terminal cooperable with the physical key selectively to write the security code to the memory or to modify the security code in the memory. The result is such that when written to the physical key by the terminal, the security code enables the code generator to generate the validation code but when the security code is modified by the terminal, the code generator is unable to generate the validation code, whereby the ability of the physical key to access the resource may be successively and repeatedly enabled and disabled by the terminal.

The memory of the physical key may comprise first and second address locations.

The security code may be stored in one of the address locations and a modified validation code may be stored in another of the address locations.

The code generator may be responsive to the modified validation code to generate the validation code when the security code has been written to the memory by the terminal. The code generator may, for example, perform arithmetic manipulation upon the security code and the modified validation code to generate the validation code.

The code generator advantageously modifies the validation code and stores the modified validation code in its address location. The code generator may, for example, modify the validation code in accordance with another code, preferably the security code.

The validation code may be processed by an algorithm to generate a response to a challenge issued upon attempting to access the secured resource.

The physical key suitably includes a communication means for receiving the security code from the terminal. That communication means may include a transponder.

Advantageously, the terminal is remote from the secured resource. There may be a plurality of terminals each capable of enabling and disabling the same physical key. Conversely, the system may comprise a plurality of physical keys, each capable of being enabled and disabled by the same terminal.

The system of the invention is suitably embodied as a vehicle security system. In that case, the secured resource may be a vehicle interior or engine start function and the physical key may be a vehicle key. Also, the terminal may be inside a home or other premises and the secured resource may be a vehicle parked outside those premises. In a vehicular context, the system may further comprise a vehicle immobiliser control module for supplying the validation code to the code generator when the system is initialised.

The terminal advantageously includes user authorisation means. For example, the user authorisation means may include a keypad.

The terminal suitably includes a terminal communication means for data communication with the physical key. The terminal communication means may include an antenna.

The terminal may include user-selectable controls to enable or disable the physical key, and may be arranged to toggle the status of the physical key between enabled and disabled. The terminal may also include a system status indicator, which advantageously confirms whether the physical key is enabled or disabled. The status indicator may also confirm whether the terminal is capable of data communication with the physical key.

The invention extends to a physical key for use in the system of the invention, and encompasses a physical key for controlling access to a secured resource, the physical key having a memory for storing a security code and a code generator responsive to the security code to generate a validation code for confirming the validity of the physical key to access the secured resource, such that when the security code is written to the physical key, the security code enables the code generator to generate the validation code but when the security code is modified, the code generator is unable to generate the validation code, whereby the ability of the physical key to access the secured resource may be successively and repeatedly enabled and disabled.

The invention also extends to a terminal for use in the system of the invention, and encompasses a terminal for a security system, the terminal being cooperable with a physical key for controlling access to a secured resource, wherein the terminal selectively writes a security code to a memory in the physical key or modifies a security code stored in said memory, whereby the ability of the physical key to access the secured resource is successively and repeatedly enabled and disabled by the terminal.

The invention may also be expressed as a method of enabling a physical key that controls access to a secured resource, the method comprising writing a security code to the physical key and generating a validation code in the physical key with reference to the security code, the validation code confirming the validity of the physical key to access the secured resource.

The validation code may be written to the physical key before writing the security code to the physical key. A modified validation code may be stored in the memory of physical key, for example in a first address location in the memory.

The security code may be written to the physical key, for example using a terminal, and is stored by the code generator in the memory of the physical key.

The security code may be written to a second address location in the memory.

The security code may be written to the physical key on different occasions using different terminals. It is also possible to write the security code to a plurality of physical keys using the same terminal, and to write different security codes to the keys of the plurality using the same terminal.

The method of the invention advantageously further comprises disabling the physical key by writing other than the security code to the physical key to prevent the physical key from generating a validation code that would confirm the validity of the physical key to access the secured resource.

The invention extends to a method of disabling a physical key that controls access to a secured resource and that has a security code stored in a memory, the method comprising writing a disabling code to the memory to overwrite the security code, preventing the physical key from generating a validation code that would confirm the validity of the physical key to access the secured resource.

The disabling code may be a code other than the security code, and may be zero.

The disabling code is optionally written to an address location in the memory, suitably by a terminal, and may be written on different occasions using different terminals. It is also possible to write the disabling code to a plurality of physical keys using the same terminal.

The terminal optionally toggles between enabling and disabling on successive operations. Such toggling may be in response to user authorisation means.

The invention also encompasses a method of successively and repeatedly enabling and disabling a physical key that controls access to a secured resource, that method comprising alternating the enabling method of the invention with the disabling method of the invention.

Reference has already been made to Figures 1 to 4 of the accompanying drawings which illustrate the development of the prior art. In order that the invention may be more readily understood, reference will now be made, by way of example, to the remainder of the drawings in which: Figure 5 is a block diagram showing an embodiment of the invention in the form of a security terminal for disabling and enabling a key; Figure 6 is a block diagram showing a further embodiment of the invention wherein a transponder is programmed by an 1CM; and Figure 7 is a block diagram showing a further embodiment of the invention wherein a transponder is programmed by a security terminal; and Figure 8 is a block diagram showing an embodiment of the invention in which the transponder uses two encryption keys stored in respective addresses to output to an algorithm a value corresponding to an original encryption key.

The invention provides the option of disabling a key by temporarilydisabling a transponder carried by the key, and subsequently enabling the transponder when the key is next required. The invention does so by the provision of an additional security component distinct from the vehicle security components. That additional component is advantageously a security terminal remote from the vehicle. The terminal is intended to remain in the vicinity of the key when the key is not in use, for example in the owner's home or workplace when the vehicle is parked there.

Disabling the transponder carried by the key reduces the opportunities for a criminal to obtain the key and make a bogus copy of it or to use that key to gain unauthorised access to a vehicle protected by the key.

The ability to disable the transponder carried by the key adds an additional level of control, improving the vehicle security system. The invention can be applied to any vehicle security system that uses electronic means to verify that a correct key is present, including vehicle security systems using fixed codes, rolling codes and encryption. However, the invention will be described in the context of cryptographic immobilisers.

Referring to Figure 5 of the drawings, a security terminal 54 cooperates with the transponder 28 of a key 14 via an antenna 30. The antenna 30 operates under the control of electronics 56 activated in turn by authorisation means such as a key pad 58. When the key 14 is brought into transmission range of the antenna 30 and the user inputs a suitable authorisation code via the key pad 58, the electronics 56 transmits a signal via the antenna 30 that disables the transponder 28 of the key 14.

The key 14 may then be left in that position on the terminal 54 or may be taken away and left somewhere convenient or hidden. Even if a thief steals the key 14 when in that disabled state, the key 14 cannot be used to make an active bogus copy or to access or start the vehicle for which the key 14 is intended.

When the key 14 is required for use, the key 14 is brought into transmission range of the antenna 30 (if not already in range) and the user inputs an authorisation code via the key pad 58. That code may be the same as that entered previously upon disabling the transponder 28 or may be different; if the former, the state of the transponder 28 is toggled with each successive entry of the code. The electronics 56 then transmits a signal via the antenna 30 that enables the transponder 28 of the key 14. This can be done shortly before gaining access to the vehicle, such that there is no opportunity for a thief clandestinely to steal the enabled key.

Upon acquiring the terminal 54, the user is instructed on how to program the terminal 54 to accept an authorisation code personal to that user. The authorisation code typically comprises a multi-digit or alphanumeric sequence. This personal identification number (PIN) is used to verif' the presence of an authorised user, allowing him or her to enable or disable the transponder 28 of the key 14 by using the keypad 58. However, other authorisation means such as a fingerprint scanner or other biometric sensor, mechanical keys and so on are possible and are contemplated within the broad concept of the invention.

Before the vehicle owner acquires the security terminal 54, the manufacturer or supplying dealer programs the terminal 54 with a code unique to that terminal, referred to as a security code or security key 60. Alternatively the security key 60 will have been pre-installed in the terminal 54. Upon operation of the terminal 54, the security key 60 interacts with codes stored in the transponder 28 of the key 14 in a manner that will now be described in detail with reference to Figures 6 and 7 of the drawings.

Figures 6 and 7 show the transponder 28 modified in accordance with the invention. Specifically, a key modifier 62 is implemented in software in the transponder 28, functionally interposed between the address locations 40, 42 and the algorithm 38.

In the embodiment described, the key modifier 62 has various purposes.

One purpose of the key modifier 62 is to receive the encryption key 36 from the 1CM 26 and to store the encryption key 36 in the first address location 40 of the transponder 28. This process is shown in Figure 6 and, as in the conventional systems described above, is typically performed in a secure environment such as the vehicle factory or at a supplying dealer.

Another purpose of the key modifier 62 is to receive the security key 60 from the terminal 54 and to store the security key 60 in the normally-unused second address location 42 of the transponder 28. This process is shown in Figure 7 and is typically performed at a supplying dealer when the security terminal 54 is supplied to a customer. The security key 60 is stored in and provided to the transponder 28 by the electronics 56 of the security terminal 54 via the antenna 30.

It will be noted from Figure 7 that when the security key 60 is provided to the key modifier 62, the encryption key 36 stored in the first address location 40 is overwritten with a new value. That value is modified and referred to in Figure 7 as a modified validation code. The modified validation code corresponds to the encryption key 36 but modified in accordance with the security key 60.

In a greatly simplified example, if the encryption key 36 is represented by the value 450 and the security key 60 is represented by the value 200, the modified validation code written to the first address location 40 may be 250, this being the difference between the values of the encryption key 36 and the security key 60.

Other relationships between the encryption key 36 and the security key 60 are of course possible: for example, the modified validation code could be the sum of the values of the encryption key 36 and the security key 60, or the product of those key values, or the result of one key value being divided by the other. Any such arithmetic manipulation can be used to modify the validation code on the basis of the encryption key 36 and the security key 60.

Once the modified validation code is stored in the first address location 40 and the security key 60 is stored in the second address location 42, the key modifier 62 can fulfil its principal purpose as shown in Figure 8 of the drawings. This is to output to the algorithm 38 a value corresponding to the original encryption key 36 originally stored in the first address location 40. In the example above, that value is 450. Thus, provided that the modified validation code (250) is stored in the first address location 40 and the value (200) of the security key 60 is stored in the second address location 42, the algorithm 38 responds affirmatively to the input 46 of a random number from the 1CM 26. The transponder 28 is thus enabled.

When it is desired to disable the transponder 28, the security terminal 54 is used to modify the security key 60 held in the second address location 42 -either to modify the value held in that location 42, or to empty it. The value of the modified validation code stored in the first address location 40 remains the same (250), but assume that the second address location 42 now holds the value zero. Now, therefore, the key modifier 62 outputs to the algorithm 38 a value (250) that no longer corresponds to the original encryption key 36 (450). Thus, the algorithm 38 can no longer respond affirmatively to the input 46 of a random number from the 1CM 26. The transponder 28 is thus disabled.

It will be appreciated from the aforementioned description that a function of the key modifier 62 is to act as a code generator, responding to the security code to generate a modified validation code for confirming the validity of the physical key to access the secured resource. During the configuration and thereafter in general use, the transponder of the security system receives data signals from the vehicle or from the security terminal, and the key modifier generates codes accordingly.

By means of the invention, theft of a vehicle by unauthorised access to its key can be prevented by, in effect, switching the key off when not in use. The key can then simply be switched on to enable the key when required. The effect of switching the key off and on is achieved by disabling the transponder carried by the key after use, and subsequently by enabling the transponder when the key is next required.

Thus, using a security terminal to toggle the key between enabled and disabled states, the vehicle owner reduces the opportunities for a criminal to obtain a functioning key.

The invention may be used with any vehicle security system that uses electronic means to verify that a correct key is present, including vehicle security systems using fixed codes, rolling codes and encryption. The switching feature of the invention may also be applied to, but is not limited to, symmetric or asymmetric cryptographic security systems.

Many variations are possible within the inventive concept. For example, it is possible for the security terminal to be portable or indeed to be associated with the vehicle, provided that the key is disabled when stored and not in use. A plurality of security terminals may be employed, one being in each location typically visited by the vehicle owner or driver.

Enabling or disabling the transponder 28 may be in response to further user command once the user has been identified, for example by a two-position rocker switch on the security terminal. The transponder 28 may thereby be enabled when the switch is in one position and be disabled when the switch is in the other position.

In some vehicle security systems, the value stored in the first address 40 of the transponder 28 can only be modified by an instruction that is unique to the vehicle 1CM 26. In that case, when the security key 60 is provided to the key modifier 62 by the security terminal 54, the encryption key 36 stored in the first address location 40 cannot be overwritten with the validation code. Instead, the encryption key 36 must be re-written to the key modifier 62 using the vehicle 1CM and modified in accordance with the security key 60 stored in the second address location Vehicles and other secured resources are often used or accessed by persons other than the main user. It is often desirable that the access permitted to such third parties is limited, for example to particular periods of time. In some circumstances, therefore, it would be advantageous for the secured resource owner to specify the time period for which the physical key is enabled. For example, the physical key may be enabled for a limited number of hours during a working day or for a limited amount of time from enablement. The transponder, in cooperation with the security terminal, may comprise electronics that allow the time period to be configurable.

In particular, vehicle hire companies are susceptible to vehicle theft. A criminal with bogus documentation can procure a vehicle under a false pretence and simply not return the vehicle. The vehicle hire company, being caught unaware, will have provided the criminal with an enabled key and be unlikely to retrieve their vehicle.

Therefore, prior to providing a customer with an enabled key, the period of time for which the key will remain enabled is set. At the end of the time period, typically being the hire period, the key is deactivated. As described previously, a disabled key cannot be used to make an active bogus copy or to access or start the vehicle for which the key 14 is intended.

In view of these and other variants of the invention, reference should be made to the accompanying claims in determining the scope of the invention.

Claims

CLAIMS

1. A security system comprising: a physical key for controlling access to a secured resource, the physical key having a memory for storing a security code and a code generator responsive to the security code to generate a validation code for confirming the validity of the physical key to access the secured resource; and a terminal cooperable with the physical key selectively to write the security code to the memory or to modify the security code in the memory; such that when written to the physical key by the terminal, the security code enables the code generator to generate the validation code but when the security code is modified by the terminal, the code generator is unable to generate the validation code, whereby the ability of the physical key to access the resource may be successively and repeatedly enabled and disabled by the terminal.

2. The system of Claim 1, wherein the memory comprises first and second address locations.

3. The system of Claim 2, wherein the security code is stored in one of said address locations.

4. The system of Claim 3, wherein a modified validation code is stored in another of said address locations.

5. The system of Claim 4, wherein the code generator is also responsive to the modified validation code to generate the validation code when the security code has been written to the memory by the terminal.

6. The system of Claim 5, wherein the code generator performs arithmetic manipulation upon the security code and the modified validation code to generate the validation code.

7. The system of any of Claims 4 to 6, wherein the code generator modifies the validation code and stores the modified validation code in its address location.

8. The system of Claim 7, wherein the code generator modifies the validation code in accordance with another code.

9. The system of Claim 8, wherein the other code is the security code.

10. The system of any preceding claim, wherein the validation code is processed by an algorithm to generate a response to a challenge issued upon attempting to access the secured resource.

11. The system of any preceding claim, wherein the validation code is an encryption key.

12. The system of any preceding claim, wherein the physical key includes a communication means for receiving the security code from the terminal.

13. The system of Claim 12, wherein the communication means includes a transponder.

14. The system of any preceding claim, wherein the terminal is remote from the secured resource.

15. The system of any preceding claim and including a plurality of terminals each capable of enabling and disabling the same physical key.

16. The system of any preceding claim and including a plurality of physical keys, each capable of being enabled and disabled by the same terminal.

17. The system of any preceding claim and being a vehicle security system, wherein the secured resource is a vehicle interior or engine start function and the physical key is a vehicle key.

18. The system of Claim 17, further comprising a vehicle immobiliser control module for supplying the validation code to the code generator when the system is initialised.

19. The system of Claim 17 or Claim 18, wherein the terminal is inside a home or other premises and the secured resource is a vehicle parked outside those premises.

20. The system of any preceding claim, wherein the terminal includes user authorisation means.

21. The system of Claim 20, wherein the user authorisation means includes a keypad.

22. The system of any preceding claim, wherein the terminal includes a terminal communication means for data communication with the physical key.

23. The system of Claim 22, wherein the terminal communication means includes an antenna.

24. The system of any preceding claim, wherein the terminal includes user-selectable controls to enable or disable the physical key.

25. The system of any preceding claim, wherein the terminal is arranged to toggle the status of the physical key between enabled and disabled.

26. The system of any preceding claim, wherein the terminal includes a system status indicator.

27. The system of Claim 26, wherein the status indicator confirms whether the physical key is enabled or disabled.

28. The system of Claim 27, wherein the status indicator confirms whether the terminal is capable of data communication with the physical key.

29. A physical key for use in the system of any preceding claim.

30. A physical key for controlling access to a secured resource, the physical key having a memory for storing a security code and a code generator responsive to the security code to generate a validation code for confirming the validity of the physical key to access the secured resource, such that when the security code is written to the physical key, the security code enables the code generator to generate the validation code but when the security code is modified, the code generator is unable to generate the validation code, whereby the ability of the physical key to access the secured resource may be successively and repeatedly enabled and disabled.

31. A terminal for use in the system of any of Claims 1 to 28.

32. A terminal for a security system, the terminal being cooperable with a physical key for controlling access to a secured resource, wherein the terminal selectively writes a security code to a memory in the physical key or modifies a security code stored in said memory, whereby the ability of the physical key to access the secured resource is successively and repeatedly enabled and disabled by the terminal.

33. A method of enabling a physical key that controls access to a secured resource, comprising writing a security code to the physical key and generating a validation code in the physical key with reference to the security code for confirming the validity of the physical key to access the secured resource.

34. The method of Claim 33, wherein the validation code is written to the physical key before writing the security code to the physical key.

35. The method of Claim 33 or Claim 34, wherein a modified validation code is stored in the memory of physical key.

36. The method of Claim 35, wherein the modified validation code is stored in a first address location in the memory.

37. The method of any of Claims 33 to 36, wherein the security code is written to the physical key and is stored by the code generator in the memory of the physical key.

38. The method of Claim 37, wherein the security code is written to a second address location in the memory.

39. The method of any of Claims 33 to 38, wherein the security code is written to the physical key using a terminal.

40. The method of Claim 39, comprising writing the security code to the physical key on different occasions using different terminals.

41. The method of Claim 39, comprising writing the security code to a plurality of physical keys using the same terminal.

42. The method of Claim 41, comprising writing different security codes to the keys of the plurality using the same terminal.

43. The method of any of Claims 33 to 42, further comprising disabling the physical key by writing other than the security code to the physical key to prevent the physical key from generating a validation code that would confirm the validity of the physical key to access the secured resource.

44. A method of disabling a physical key that controls access to a secured resource and that has a security code stored in a memory, the method comprising writing a disabling code to the memory to overwrite the security code, preventing the physical key from generating a validation code that would confirm the validity of the physical key to access the secured resource.

45. The method of Claim 44, wherein the disabling code is a code other than the security code.

46. The method of Claim 44 or Claim 45, wherein the disabling code is zero.

47. The method of any of Claims 44 to 46, comprising writing the disabling code to an address location in the memory.

48. The method of any of Claims 44 to 47, comprising writing the disabling code to the physical key using a terminal.

49. The method of Claim 48, comprising writing the disabling code on different occasions using different terminals.

50. The method of Claim 48, comprising writing the disabling code to a plurality of physical keys using the same terminal.

51. The method of any of Claims 48 to 50 wherein the terminal toggles between enabling and disabling on successive operations.

52. The method of claim 51, comprising toggling between enabling and disabling in response to user authorisation means.

53. A method of successively and repeatedly enabling and disabling a physical key that controls access to a secured resource, comprising alternating the enabling method of any of Claims 33 to 42 with the disabling method of any of Claims 44 to 52.

Amendments to the claims have been filed as follows 1. A physical key for controlling access to a secured resource using a response code, the physical key comprising: a memory configured to store key status data and pre-encryption data unique to the secured resource; a code generator configured to generate the response code by generating an encryption key from the key status data and the pre-encryption data and combining the encryption key with challenge data issued upon attempting to access the secured resource.

2. The key of Claim 1, wherein the memory comprises first and second address locations and the pre-encryption data is stored in one of said address locations, and the key status data is stored in another of said address locations. S... *SS S

3. The key of claim 1 or claim 2, wherein the code generator comprises a key modifier and an algorithm.

4. A security system comprising a physical key, according to any preceding claim, and a terminal for writing the key status data to the memory of the physical key wherein the terminal is configured to provide at least key status code to the physical key that will result in a response code that will permit access to the secured resource, when the challenge is issued, and wherein the ability of the physical key to access the secured resource can be successively and repeatedly enabled and disabled by the terminal.

5. The system of claim 4, wherein the terminal is arranged to toggle the status of the physical key between enabled and disabled.

6. The system of claim 4 or claim 5, wherein the terminal includes a system status indicator configured to confirm whether the physical key is enabled/disabled 7. The system according to claim 6, wherein the status indicator confirms whether the terminal is capable of data conimunicat ion with the physical key.

8. The system according to any one of claims 4 to 7, wherein in the disabled condition, the code generator is unable to generate the response code. S...

S **SS

9. The system according to any one of claims 4 to 7, wherein in the disabled...

condition, the code generator generates a response code that does not enable access to the secured resource.