RU2562776C2 - Method for authorised access to secured facility - Google Patents

Abstract

FIELD: physics.

SUBSTANCE: method for authorised access to a secured facility, comprising storing identical sequences of signal values in an access key held by a user and in an access database located in the secured facility, transmitting, from the access to the access database, an initialising signal where it is processed, and then generating, at the access database, a request signal and transmitting said request signal to the access key where it is processed, and then generating, at the access key, a response signal and transmitting the response signal to the access database where it is identified and, based on the identification results, a decision is made to grant the user access to the secured facility. The method is characterised by that the stored sequences of signal values are presented in the form of N≥1 blocks, each comprising values of the initialising signal, the request signal and the response signal, wherein during the n-th access procedure (where n=1, 2…, N), sequences of signal values of the m-th current block, where m∈[1, N] are used at the access database and the access key, and the number of the m-th current block is determined using a given function f(n).

EFFECT: high level of protection from unauthorised access to a secured facility.

4 cl, 5 dwg

Description

The invention relates to the field of object authentication systems, is intended to control access to protected resources or objects, and can be used in the construction of systems with respondent authentication.

A known method of protection against unauthorized access to a protected object, implemented in the "Method and device for authentication in a system with electronic lock control" according to patent EP No. 0739109 A2, IPC H04L 9/32, publ. 10/23/1996

The method consists in performing the following actions: lay unique algorithms for generating data, encrypting data and calculating the result in the devices of the access key (CD) and access database (DB). The user and the protected object place the CD and DB, respectively. An initialization signal is transmitted from the CD to the DB, where it is processed, then a request signal is generated on the DB and transmitted to the CD, where it is processed, then a response signal is generated on the CD and transmitted to the DB, where it is identified and the decision on granting access is made based on the identification results user to the protected object.

The disadvantage of this method is the relatively low level of protection against unauthorized access to the protected object through the use of algorithms to generate relevant signal values and, as a result, the transmission of statistical information in the communication channel, which allows attackers to conduct its cryptanalysis and further use to determine the initial algorithm for generating current signal values.

Also known is a method of protection against unauthorized access to a protected object, implemented in the "Method and system for requesting a response" according to patent EP No. 1743447 A1, IPC G06F 12/14; G06F 13/14; H04L 29/06; H04L 9/00; H04L 9/32, publ. January 17, 2007

The method consists in performing the following actions: lay in the device access key (CD) and access database (DB) algorithms for hashing values, store a unique user password on the CD and on the database. The user and the guarded object place the access key (CD) and access database (DB), respectively. A call signal is generated on the database and transmitted to the CD. The value of the received call signal on the CD is combined with the result of the hash function of the user-specified unique password, the received value is hashed to obtain the encoding key. The user-specified unique password is encoded onto the CD using the received encoding key, then the corresponding response signal is generated and transmitted to the database. On the database, the value of the call signal previously transmitted to the CD is combined with the result of the hash function of the unique password set by the user, the received value is hashed to obtain the encoding key. The value of the received response signal is decoded onto the database using the received encoding key to obtain the value of the unique password entered by the user. If the value of the obtained value coincides with the value of the unique password entered by the user contained in the database memory, authentication is considered successful.

The disadvantage of this method is the relatively low level of protection against unauthorized access to the protected object due to the ability of attackers to cryptographically analyze the information transmitted between the CD and the database, determine the initial algorithm for generating the actual values of the signals and then use them to gain access to the protected object.

The closest in technical essence to the claimed method is a method of protection against unauthorized access to a guarded object, implemented in the "Method for the operation of an automobile anti-theft system, and a system for implementing the method" according to US patent No. 5897598, IPC H04L 9/32; B60R 25/04, publ. 04/27/1999

The method consists in performing the following actions: identical sequences of signal values are stored on the access key (CD) and on the access base (DB), the CD and DB are placed respectively at the user and on the protected object, the initialization signal is transmitted from the CD to the DB, where it is processed, then, a request signal is generated on the DB and transmitted to the CD, where it is processed, then a response signal is generated on the CD and transmitted to the DB, where it is identified and, based on the identification results, a decision is made to provide the user with access to security object to be removed.

The disadvantage of the prototype method is the relatively low level of protection against unauthorized access to the protected object, due to:

- the possibility of repeating, during the user authentication procedure, the actual combinations of request-response signals previously used in user authentication procedures, which gives attackers with previously used values of the request-response signal combinations the opportunity to gain access to the protected object;

- authentication of the CD with a static signal, which gives attackers the possibility of an unlimited number of calls to the database in order to select the actual value of the response signal;

- the ability to obtain the actual values of the response signal to a given request signal in the case of an attacker transmitting a request signal to the CD and simultaneously jamming the communication channel between the CD and the DB when the user initializes the access procedure.

The purpose of the claimed technical solution is to develop a method of authorized access to a protected object, providing a higher level of protection against unauthorized access to a protected object, due to:

- exclusion of the possibility of repetition in the user authentication procedure of the actual combinations of request-response signals previously used in user authentication procedures;

- a modified CD authentication procedure that does not use static signals;

- eliminating the possibility for attackers to obtain the actual value of the response signal to a known request signal;

In the claimed invention, the goal is achieved by the fact that in the known method of authorized access to the protected object, which consists in storing on the access key (CD) that the user has and the access base (DB) located on the protected object, identical sequences values of signals, transmit an initialization signal from the CD to the DB, where it is processed, then a request signal is generated on the DB and transmit it to the CD, where it is processed, then a response signal is generated on the CD and transmitted to the DB, where its ideal tifitsiruyut identification and the results of taking the decision to grant the user access to the protected object, the stored signal values represent a sequence of blocks N≥1. Each of the blocks contains the values of the initialization signal, request and response signals. In the nth access procedure (where n = 1, 2 ..., N) on the database and on the CD, sequences of signal values of the m-th current block are used, where m∈ [1; N].

The serial number of the m-th current block is determined using the given function f (n), for example f (n) = n.

The initializing signal, request and response signals are generated in the form of digital sequences that do not have a correlation dependence using a pseudo-random number generator, for example, a Mersenne vortex.

The transmission of signals between CD and DB is carried out over the air.

Due to the new set of essential features in the claimed method due to the use of a modified procedure for generating the values of the signals used, presented in the form of N≥1 blocks, each of which contains the values of the initialization signal, request and response signals, and with the n-th access procedure (where n = 1, 2 ..., N) on the database and on the CD use a sequence of signal values of the m-th current block, where m∈ [1; N], the possibility of repeating the actual combinations of request-response signals previously used in user authentication procedures is excluded during the user authentication procedure, CD authentication is performed without using static signals, and the possibility of obtaining by the attackers the actual value of the response signal to the known request signal is eliminated, thereby achieving the specified technical result.

The claimed method is illustrated by drawings, which show:

Figure 1 - structural diagrams of CD and DB;

Figure 2 is a representation of the values contained in the memory of the CD and DB devices;

Figure 3 - block diagram of the algorithm of the device CD;

Figure 4 is a block diagram of the algorithm of the database device;

Figure 5 is a block diagram of the algorithm of the database device with a delay in the repeated reception of the initialization signal.

The implementation of the claimed method is explained as follows: systems for protecting objects from unauthorized access with an open channel for transmitting signals between CDs and databases, based on the principle of transmitting from a CD to a database the only fixed value of the access signal, are vulnerable to attack by attackers that involve listening to this open channel and further using the obtained value of the access signal to gain access to the protected object.

To eliminate this possibility in the system, at each procedure for gaining access, access signals that are different from the previous ones are used. New values for each subsequent access procedure are calculated in accordance with the algorithms laid down in the CD and DB, or they are extracted from the memory of the CD and DB, if they were stored there in advance. However, such systems are also vulnerable to a number of attacks, including attacks consisting in jamming the communication channel between the CD and the database, and at the same time listening to and remembering the signal values transmitted from the CD for their further use to gain access to the protected object.

To exclude the possibility of gaining access to the protected object during such attacks, it is necessary to use the principle of dialogue exchange of signal values between CDs and databases for their mutual authentication. In systems using this principle of operation, signals are transmitted between the CD and the DB in both directions. Systems operating on this principle using varying signal values during each authentication procedure are resistant to attacks consisting in jamming the communication channel between the CD and DB, while simultaneously listening to and remembering the signal values transmitted from the CD for their further use to gain access to protected object.

Systems in which the signal values are generated by the algorithms embedded in the CD and DB are also subject to intellectual hacking, since the operands of the algorithms for generating new signal values that can be used for cryptanalysis of the algorithm are transmitted through the communication channel.

Also, all of the above systems are susceptible to attack, which consists in the selection of current signal values. Resistance to such attacks is determined by the number of possible combinations of signal values.

Thus, to ensure the stability of the system to all types of the above attacks, it is necessary:

- implement in the system the principle of dialogue exchange of signal values for mutual authentication of CD and DB;

- eliminate the possibility of attackers receiving the actual value of the response signal;

- for each subsequent procedure of access to the protected object, use deliberately non-computable signal values that do not have a correlation with the previously used signal values;

- use a format of signal values that has a sufficient number of possible combinations of values to make an attack on the selection of actual signal values (in real time) inappropriate.

The implementation of the claimed method can be illustrated by the example of a control system for a mechanical lock for access to a protected object, in which the CD device is located directly at the user, which gives him the opportunity to obtain authorized access to the protected object; and the database device is located on a guarded object, with the help of which a mechanical lock for blocking access to it is controlled. The claimed method can also be used in other systems with authentication of respondents.

Device CD and DB for the implementation of the claimed method can be explained in the diagrams shown in figure 1.

The access key is made in a single device and contains the following components:

- transceiver module 1, which implements the reception and transmission of signal values between CD and DB via a radio communication channel 9. Any other transmission medium can also be used to transfer signal values between system devices;

- memory 3, in which the signal values and the address indicator of the current block are stored. In this implementation of the claimed method, the value L of the amount of memory in the CD and DB devices is the same and can be, for example, 2048 bits. All data and signal values in the proposed system;

- implementations of the claimed method are presented in binary form. The resolution ℓ of the values of all signals is 8 bits; all the signal values recorded in memory 3 and 6 are pseudorandom sequences. The bit depth ℓ of the signal values can be selected the same or different for the initializing signal, the request signal and the response signal;

- computing module 2, which interacts between all other components of the device, processes the received and transmitted signal values.

The database device, in addition to the similar components listed above, namely, the transceiver module 4, the computing module 5 and the memory 6, contains an executive module 7, which implements a state change open / closed mechanical lock 8 access to the object.

Figure 2 shows the structure of the data contained in the memory 3 and 6 of the CD devices, identical to the corresponding data stored in the database memory. All addresses and values stored in the memory of the CD and DB devices are respectively equal. Each address in memory corresponds to one value of ℓ = 8 bits. The memory contains 256 addresses with corresponding ℓ bit values. Values are presented in blocks of 3 bytes. The first value in the block is considered the value of the initialization signal; the second is the value of the request signal; the third is the value of the response signal. In this implementation of the claimed method, the value of the address pointer of the initializing signal of the current block of signal values corresponds to the address 0 × FF in the memory. The initial value of the address pointer is 0 × 00, which means that the 1st block is the current block of signal values. Bit depth of the value of the address pointer corresponding to the initializing signal of the current block of signal values is determined by the amount of memory in the CD and DB devices and calculated as an integer value by the formula:

J = int (log ₂ (L / 8) -10 ^-L +1) = 8 bits.

On the flowcharts depicted in figure 3 and figure 4, the algorithms for the operation of the CD and the database in the framework of this implementation of the claimed method are disclosed.

The database is in reception mode over the communication channel 9 of the initialization signal, which is transmitted from the CD when the user initializes the authentication procedure. The authentication procedure begins by the user on the CD. Computing module 2 reads from memory 3 the value 0 × 00 of the address pointer in memory 3, which corresponds to the value X1 of the initialization signal in the current block 1 of the signal values. Then the value of X1 through the computing module 2 is supplied to the transceiver module 1, where they form the corresponding initialization signal, which is transmitted through the communication channel 9 and transferred to the database. Then, the computing module 2 starts the time count d∈ [0.1; 0.5] sec. Required for processing the transmitted initialization signal to the database, and the subsequent generation and transmission via the communication channel 9 of the request signal from the database.

After receiving the signal on the transceiver module 4, the computing module 5 reads from memory 6 the value 0 × 00 of the address indicator in memory 6, which corresponds to the value X1 of the initialization signal in the current block 1 of the signal values.

Then, the value X1 of the initialization signal received at the transceiver module 4 is supplied to the computing module 5, where it is compared with the value X1 of the initialization signal contained in the current block 1 of the signal values in the memory 6. If the comparison result is positive, the value X2 of the request signal contained in the actual block 1 in memory 6 through the computing module 5 is supplied to the transceiver module 4, where they form the corresponding signal and are transmitted to the CD through the communication channel 9. Then, the computing module 5 starts the countdown of the time d necessary for processing the transmitted request signal to the CD, and the further formation and transmission via communication channel 9 of the response signal from the CD.

If on the transceiver module 1 after the d waiting time of the request signal has not been received, then the procedure on the CD is completed. If, on the receiving-transmitting module 1, a signal is received during the set d waiting time of the request signal, the value X2 of the received signal is sent to computing module 2, where it is compared with the value X2 of the request signal contained in the current block 1 of the signal values in memory 3. If positive As a result of the comparison, the value X3 of the response signal contained in the current block 1 in the memory 3 through the computing module 2 is supplied to the transceiver module 1, where the corresponding signal is generated, which is transmitted via the communication channel 9 distributed on the database. Then, the computing module 2 writes to the address pointer in memory 3 the value 0 × 03 of the address, which corresponds to the value X4 of the initialization signal of the next actual block 2 of the signal values in memory 3. At this, the CD procedure is completed.

If, after the set d waiting time for the response signal, the signal has not been received, the computing module 5 writes the value 0 × 03 of the address to the address pointer in memory 6, which corresponds to the value X4 of the initialization signal of the next current block of 2 signal values in memory 6. On This procedure is completed on the database.

If, on the transceiver module 4, a signal is received within the set d waiting time for the response signal, the value X3 of the received signal is sent to computing module 5, where it is compared with the value X3 of the response signal contained in the current block 1 of the signal values in memory 6. If positive As a result of the comparison, the computing module 5 sends a signal to the executive module 7 to change the state of the mechanical lock 8. Then, the computing module 5 writes the value 0 × 03 to the address pointer in memory 6, to which corresponds to the value X4 of the initialization signal of the next current block of signal values in memory 6. This completes the procedure on the database.

Possible actions by attackers in order to gain access to the protected object:

1. The initializing signal can be intercepted by cybercriminals when it is transmitted via communication channel 9 without preventing it from being received on the database. In this case, the value X1 of the initialization signal of the current block 1 can be obtained from the intercepted signal by the attackers. The initializing signal is also received on the database.

The value X1 of the initialization signal obtained from the intercepted initialization signal will not be of value if it is subsequently used as the value of the initialization signal when attackers try to gain access to the protected object, since block 1, which owns the value X1 of the intercepted initialization signal, will no longer be relevant.

2. The initializing signal can be intercepted by cybercriminals when it is transmitted via communication channel 9 while preventing its reception on the database (for example, by emitting interference on communication channel 9). In this case, from the intercepted signal by attackers, the value X1 of the initializing signal of the current block 1 can be obtained. The initializing signal in this case is not received on the database.

The value X1 of the initialization signal of the actual block 1, obtained from the intercepted initialization signal while preventing its reception on the database, can be used by attackers to initiate the access procedure on the database and the subsequent attempt to guess the expected signal response value X3 on the database of the current block 1, after which it is stored in memory The database will determine the new current block of 2 signal values.

3. The request signal can be intercepted by cybercriminals when transmitting it over communication channel 9 without preventing it from being received on CD. In this case, the value X2 of the request signal of the current block 1 can be obtained from the intercepted signal by the attackers. The request signal is also received on the CD.

The value X2 of the request signal obtained from the intercepted request signal will not be of value when it is subsequently used as the value of the request signal of the current block to obtain the value of the response signal of the current block from the CD, since block 1, which owns the value X2 of the intercepted request signal, is no longer will be relevant.

4. The request signal can be intercepted by cybercriminals when transmitting it via communication channel 9 while preventing its reception on the CD (for example, emitting interference on communication channel 9). In this case, the value X2 of the request signal of the current block 1 can be obtained from the intercepted signal by the attackers. The request signal is not received on the CD.

The value X2 of the request signal obtained from the intercepted signal of the request while preventing its reception on the CD will not be of value when it is subsequently used as the value of the request signal of the current block to obtain the value of the response signal of the current block from the CD, since the DB after transmitting the request signal, regardless of further events (the request signal was received or was not received within the set time d waiting for it on the database), determines the following block of 2 signal values relevant fishing.

5. The response signal can be intercepted by cybercriminals when transmitting it over communication channel 9 without preventing it from being received on the database. In this case, the value X3 of the response signal of the current block 1 can be obtained from the intercepted signal by the attackers. The response signal is also received on the database.

The value X3 of the response signal obtained from the intercepted response signal will not be of value when it is subsequently used by attackers as the value of the response signal of the current unit to gain access to the protected object, since unit 1, which owns the value X3 of the intercepted response signal, will no longer be relevant .

6. The response signal can be intercepted by cybercriminals when transmitting it via communication channel 9 while preventing its reception on the database (for example, by emitting interference on communication channel 9). In this case, the value X3 of the response signal of the current block can be obtained from the intercepted signal by the attackers. The request signal in this case is not received on the database.

The value X3 of the response signal obtained from the intercepted response signal while preventing its reception on the database will not be of value when it is subsequently used as the value of the response signal of the current unit to gain access to the protected object, since the database after transmitting the request signal, regardless from further events (the request signal was received or was not received during the time d waiting for it on the database), determine the following block of 2 signal values relevant.

Thus, in order for attackers to gain authorized access to the protected object, they need to know the values of the initialization signal and the response signal of the current block of signal values. Together, both of these values can be obtained by attackers either with direct access to the memory of CD or DB devices, or as a result of selection.

Any implementation of the proposed method implies the lack of direct access of attackers to the memory of CD or DB devices, therefore, the only way to obtain the actual values of the initialization signal and the response signal is selection. The stability of the system to this method of gaining access to a protected object by attackers is determined by the number of possible values of each of the signals transmitted between the CD and the database via communication channel 9. The maximum number of possible signal values is determined by the bit depth of its value.

In this implementation of the inventive method, a C bit value of binary values of each of the signals equal to 8 bits is adopted. Therefore, the maximum number S of possible values of each of the signals is:

S = 2 ^ℓ = 256.

In order to make the selection of the correct signal values of the current block practically impossible for attackers, in the database, with an unsatisfactory result of comparing the value of the received initialization signal with the current value of the initialization signal, a time delay Δt was introduced for the repeated reception of the initialization signal.

The algorithm of the database in this implementation of the inventive method with a delay Δt for re-reception of the initialization signal is shown in Fig.5. Thus, taking into account the set delay Δt = 1 sec, the minimum time T required for guaranteed selection of the 8-bit (ℓ = 8 bit) actual value of the initialization signal by the attackers, without taking into account the time taken to process the signal value in the modules of the database device, is :

T = Δt * 2 ^ℓ = 256 sec.

Further, in the case when an attacker transmitted to the database a signal corresponding to the value of the actual initialization signal in the database memory, in order to gain access to the protected object, during the waiting time d for the response signal to the database, it is necessary to transmit to the database a signal corresponding to the current value of the response signal in the memory DB In any case, on the database after receiving the response signal or after the time d of waiting it determines the next block of signal values relevant.

Thus, each actual value of the initializing signal correctly selected by the attackers gives them only one attempt to select the actual value of the response signal before the next actual block of signal values in the database memory is determined. In this implementation of the proposed method with ℓ = 8 bits, the probability P of selecting the actual value of the response signal is:

P = 1 / 2ℓ≈0.0039.

Blocks of signal values cannot be reused, because otherwise the attackers, having intercepted the initialization signal and the access signal of a certain block of signal values, can subsequently gain access to the protected object using known signal values when the corresponding block of signal values is again relevant. Therefore, the maximum number K of possible procedures for access to the protected object is determined by the number of blocks of signal values contained in the memory of the CD and DB devices. In turn, the number of blocks of signal values contained in the memory of CD and DB devices is determined by the value L of the memory volume containing the signal values and the bit depth ℓ of the signal values. In this implementation of the claimed method, the maximum number of access procedures to the protected object is:

K = int ((L-8) / 3ℓ) = 85.

Table 1 presents some possible values of L and ℓ used in this implementation of the claimed method, and the corresponding characteristics of S, K, J, P, T at Δt = 1 sec.

Table 1 L bit ℓ, bit S K J bit P T ~ years 1048576 8 256 43689 17 1/256 0.00048 1048576 16 65536 21844 17 1/65536 0.125 1048576 24 16777216 14563 17 1/16777216 32.2 1048576 32 4294967296 10922 17 1/4294967296 8172 1048576 40 1099511627776 8737 17 1/1099511627776 2091917 33554432 8 256 1398100 22 1/256 0.00048 33554432 16 65536 699050 22 1/65536 0.125 33554432 24 16777216 466033 22 1/16777216 32.2 33554432 32 4294967296 349525 22 1/4294967296 8172 33554432 40 1099511627776 279620 22 1/1099511627776 2091917

Since the only way to obtain unauthorized access in the claimed method is the selection of actual values, it is possible to carry out comparative calculations of the probability P and time T of the guaranteed selection of the actual values of the signals to gain access to the protected object in the prototype and the claimed method.

For the prototype and the claimed method, you can consider two options for selecting the actual values of the response signal. The first is to transmit the signals corresponding to the selected values directly to the database.

To obtain unauthorized access to a protected object by attackers by selecting the actual signal values to the database in the prototype, after transmitting the known value of the initialization signal, it is necessary to transfer the actual value of the response signal to the database. Otherwise, the following actual value of the response signal will be determined on the database. The probability P _{1 of} selecting the actual value of the response signal in the prototype is determined by the bit depth ℓ of the value of the response signal and when ℓ = 8 bits is:

P ₁ = 1/2 ^ℓ ≈0.0039.

and the maximum time T ₁ required to select the actual value of the response signal in the prototype when Δt = 1 sec, is:

T ₁ = t * 2 ^ℓ = 256 sec.

To obtain unauthorized access to a protected object by malefactors by selecting the actual values of the signals on the database in the claimed method, it is necessary to select the actual value of the initializing signal, and then immediately transmit the signal corresponding to the actual value of the response signal. Otherwise, the next actual block of signal values will be determined on the database. The probability P _{2 of} selecting the actual values of the signals is determined by their bit depth ℓ, and when при = 8 bits is:

P ₂ = 1/2 ^ℓ * 1/2 ^ℓ≈ 0.000015,

and the maximum time T ₂ required to select the current value of the response signal in the claimed method with Δt = 1 sec is:

T ₂ = Δt * 2 ^ℓ * 2 ^ℓ = 65536 sec.

Thus, with ℓ = 8 bits and Δt = 1 sec, the probability of unauthorized access to the protected object when using the claimed method is 0.0039 / 0.000015≈256 times lower than the prototype, and the maximum required time for selecting the actual signal values is 65536/256 = higher 256 times.

The second option is the transmission of the access procedure corresponding to the selected values of the request signal to the CD when the user initializes the access procedure to the CD while preventing the transmission of signals between the CD and the DB via the communication channel 9. The value of the response signal received from the CD can be transferred to the DB in order to gain access to the protected object.

To obtain unauthorized access to a protected object by malefactors by selecting the actual values of the request signal for the CD in the prototype, after the user initializes the access procedure to the CD, the address value corresponding to the current value of the response signal must be transferred to the CD. In this case, the CD will transmit the actual value of the response signal, which can then be transferred to the database to gain access to the protected object. The probability P _{3 of} transmitting to the CD the address value to which the current value of the response signal corresponds is determined by the number of signal values in the CD and DB memory and for S = 2048 bits and ℓ = 16 bits is:

P ₃ = 1 / (S / ℓ) ≈0.0078.

To obtain unauthorized access to a protected object by malefactors by selecting the actual values of the request signal, it is necessary, after the user initializes the access procedure on the CD, to transmit to the CD a signal corresponding to the current value of the request signal. In this case, the CD will transmit the actual value of the response signal, which can then be transferred to the database to gain access to the protected object. The probability P _{4 of} transmitting to the CD the actual value of the request signal, which corresponds to the actual value of the response signal with ℓ = 16 bits, is:

P ₄ = 1/2 ^ℓ ≈0.000015.

Thus, the probability of selection on CD of the actual values of the signals in the claimed method is lower than that of the prototype by 0.0078 / 0.000015≈512 times.

Therefore, in the inventive method, when it is implemented, a limitation of the number of methods for obtaining unauthorized access by attackers is achieved, as well as a multiple reduction in the probability of attackers selecting relevant signal values to gain access to the protected object, which indicates the possibility of achieving the claimed technical result - providing a higher level of protection against unauthorized access to the protected facility.

Claims (4)

1. The method of authorized access to the protected object, which consists in storing the same sequence of signal values on the access key (CD) located at the user and on the access base (DB) located on the protected object, which initializes from the CD to the database the signal where it is processed, then the request signal is generated on the DB and transmitted to the CD, where it is processed, then the response signal is generated on the CD and transmitted to the DB, where it is identified and the decision is made on the basis of identification and user access to the protected object, characterized in that the stored sequences of signal values are represented as N≥1 blocks, each of which contains the values of the initialization signal, request signal and response signal, and with the n-th access procedure (where n = 1, 2 ..., N) on the database and on the CD use sequences of signal values of the m-th current block, where m∈ [1, N] and the number of the m-th current block are determined using the given function f (n). 2. The method according to claim 1, characterized in that the number m of the current block is determined by the sequence function f (n) = n. 3. The method according to claim 1, characterized in that the initialization signal, request and response signals are formed in the form of digital sequences that do not have a correlation dependence. 4. The method according to claim 1, characterized in that the transmission and reception of signals between the CD and the database is carried out over the air.

Images