WO2013175444A1 - Controlling and authorizing access to a resource - Google Patents

Info

Publication number
WO2013175444A1
Authority
WO
WIPO (PCT)
Prior art keywords
electronic device
resource
access
grantor
request
Application number
PCT/IB2013/054305
Other languages
French (fr)
Inventor
Alan Joseph O'REGAN
Horatio Nelson HUXHAM
Hough Arie VAN WYK
Tara Anne MOSS
Original Assignee
Fundamo (Pty) Ltd
Application filed by Fundamo (Pty) Ltd
Publication of WO2013175444A1
Priority to ZA2014/07012A (ZA201407012B)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06F21/35 User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly

Definitions

  • This invention relates to a system and a method for controlling and authorizing access to a resource.
  • Access-control systems are employed in a wide variety of situations in which a person or entity desires access to a resource or thing. Examples include vehicle access control systems, systems for controlling access to premises, facilities, buildings or specific rooms in a building, systems for controlling access to equipment or materials, systems for controlling access to electronic devices, accounts, content, or confidential data, amongst many others.
  • Access-control systems generally make use of a predefined process for issuing, controlling and distributing a password, key or other token to authorized requestors, so that those requestors can gain access to the resource by using the password, key or token.
  • the term “requestor” means an individual who requests access to a resource.
  • the term “resource” means any entity, premises, facility, area, electronic data or any other tangible or intangible thing which is controlled by an access-control system.
  • resources include: vehicles such as air, land or sea vehicles; buildings or parts thereof (including a safe); materials or equipment; devices such as a mobile phone, computer, camera, or remote-control apparatus; content such as a web page, electronic document, email, television or radio program; files such as music files, movie files, or application programs; confidential information; and financial accounts, which in all cases have access restricted by some form of access-control system.
  • the term “grantor” means a person or entity who is in control of the access-control system and who is able to authorize a requestor to gain access to the resource.
  • electronic device means any electronic or digital device or apparatus, including mobile phones, tablet PCs, desktop PCs, laptops, personal digital assistants and the like.
  • a method performed by a first electronic device which has a hardware security module and which is associated with a first individual hereafter termed a grantor comprising: receiving a request for access to a resource which request originates from a second electronic device, the second electronic device having a hardware security module and being associated with an individual hereafter termed a requestor, and the request being in the form of digital data which is encrypted by the second electronic device's hardware security module and which uniquely identifies both the second electronic device as well as the resource to which access is requested, decrypting the digital data by the first electronic device's hardware security module, presenting the request and the identity of the requestor to the grantor, and, in response to the grantor authorizing access to the resource, transmitting an authorization instruction or token to either the resource or to the second electronic device.
  • the resource is network-enabled in that it is capable of communicating with the grantor by a communications network
  • the method includes the step of the grantor transmitting an authorization instruction to the resource, the authorization instruction being in the form of digital data which is encrypted by the first electronic device's hardware security module and decrypted by a decryption module of the resource, the authorization instruction including an identifier of the second electronic device to thereby enable the resource to grant access to the requestor associated with the second electronic device.
  • the resource may grant access to the requestor once per authorization instruction, or the authorization instruction may be persistent in that once authorized, a requestor is able to access the resource according to a set of conditions that may be included in the authorization instruction.
  • the resource is network-disabled in that it is not capable of communicating with the grantor by a communications network
  • the method includes the step of the grantor transmitting a token to the second electronic device, the token being in the form of digital data which is encrypted by the first electronic device's hardware security module and includes an identifier of the resource to which the grantor has authorized access, the token thereby enabling the resource to grant access to the requestor associated with the second electronic device when the second electronic device presents the token to the resource and the resource decrypts the token.
  • the digital data of the token may include a set of conditions, and the set of conditions may include data specifying times at which the requestor is allowed to access the resource, or the number of times within specified periods that the requestor is allowed to access the resource.
  • the token may include other data which the grantor wishes to communicate to the resource, such as instructions to revoke specific requestors' access to the resource, or settings regarding the availability of the resource.
  • a method performed by a first electronic device which has a hardware security module and which is associated with a grantor comprising: identifying a second electronic device associated with a requestor, the second electronic device having a hardware security module, optionally transmitting an encrypted identity confirmation request to the second electronic device, the identity confirmation request prompting the requestor to confirm or deny its identity, and receiving, decrypting by the hardware security module of the first electronic device, and presenting to the grantor a confirmation or denial response to the identity confirmation request from the second electronic device, and transmitting an authorization instruction to a resource, the resource being network-enabled in that it is capable of communicating with the grantor through a communications network, the authorization instruction being in the form of digital data which is encrypted by the first electronic device's hardware security module and decrypted by a decryption module of the resource, the authorization instruction including an identifier of the second electronic device to thereby enable the resource to grant access to the requestor associated with the second
  • a method performed by an electronic device associated with a requestor comprising: identifying a resource, transmitting a request for access to the resource to a grantor, receiving an encrypted token from the grantor, storing the encrypted token, and presenting the encrypted token to the resource, the resource being configured to decrypt the encrypted token and grant the requestor with access to the resource in the event that the token indicates that the request for access is to be allowed.
  • the invention extends to a system comprising a first electronic device which has a hardware security module and which is associated with a grantor, a second electronic device which has a hardware security module and which is associated with a requestor, and one or more resources, wherein the first electronic device is configured to receive a request, originating from the second electronic device, for access to one or more of the resources, the request being in the form of digital data which is encrypted by the second electronic device's hardware security module and which uniquely identifies both the second electronic device as well as the resource to which access is requested, decrypt the digital data by the first electronic device's hardware security module, present the request and the identity of the requestor to the grantor, and in response to the grantor authorizing access to one or more of the resources, transmit an authorization instruction or token to either one or more of the resources or to the second electronic device.
  • a still further feature of the invention provides for one or both of the first electronic device and the second electronic device to be a mobile phone.
  • the invention extends to a first electronic device comprising: a processor; an antenna coupled to the processor; a computer readable medium coupled to the processor, the computer readable medium comprising code executable by the processor for implementing a method comprising: receiving a request for access to a resource which request originates from a second electronic device, the second electronic device having a hardware security module and being associated with an individual hereafter termed a requestor, and the request being in the form of digital data which is encrypted by the second electronic device's hardware security module and which uniquely identifies both the second electronic device as well as a resource to which access is requested; decrypting the digital data by a hardware security module of the first electronic device; presenting the request and the identity of the requestor to an individual associated with the first electronic device, hereafter termed a grantor; and in response to the grantor authorizing access to the resource, transmitting an authorization instruction or token to either the resource or to the second electronic device.
  • FIG. 1 illustrates a system for controlling and authorizing access to a resource according to a first embodiment of the invention
  • FIG. 2 is a flow diagram of a method for controlling and authorizing access to a resource using the system of FIG. 1 ;
  • FIG. 3 illustrates a system for controlling and authorizing access to a resource according to a second embodiment of the invention
  • FIG. 4 is a flow diagram of a method for controlling and authorizing access to a resource using the system of FIG. 3;
  • FIG. 5 illustrates a system for controlling and authorizing access to a resource according to a third embodiment of the invention
  • FIG. 6 is a flow diagram of a method for controlling and authorizing access to a resource using the system of FIG. 5;
  • FIG. 7 illustrates a system for controlling and authorizing access to a resource according to a fourth embodiment of the invention
  • FIG. 8 is a flow diagram of a method for controlling and authorizing access to a resource using the system of FIG. 7;
  • FIG. 9 illustrates a block diagram of an exemplary mobile electronic device with which various embodiments of the invention can be implemented.
  • Embodiments of the present invention provide a method for controlling and authorizing access to a resource.
  • a first electronic device has a hardware security module (HSM) and is associated with a first individual hereafter termed a grantor.
  • a second electronic device also has an HSM and is associated with the second individual hereafter termed a requestor.
  • the first electronic device receives an encrypted request for access to a resource, the request originating from the second electronic device and the request including data which uniquely identifies both the second electronic device as well as a resource to which access is requested.
  • the HSM of the first electronic device decrypts the encrypted request and presents the decrypted request to the grantor, who can either deny the request, in which case no authorization is transmitted, or who can authorize the request in which case the first electronic device transmits an encrypted authorization instruction or token to either the resource or to the second electronic device.
  • first and second electronic devices with HSMs in accordance with embodiments of the invention are different from electronic devices that may solely use software to encrypt communications between an electronic device and a target device or system.
  • An electronic device that solely uses software to encrypt communications may comply with only a security level 1 of the Federal Information Processing Standard 140-2 (FIPS 140-2), which provides only a minimum level of security to protect sensitive information.
  • the HSM within an electronic device according to embodiments of the invention is compliant with at least a security level 2 of the FIPS 140-2 standard. More preferably, the HSM within the electronic device in embodiments of the invention is compliant with security level 3 or security level 4 of FIPS 140-2.
  • the HSM in embodiments of the invention uses hardware to encrypt data instead of solely performing the encryption in software.
  • the HSM provides enhanced protection over software encryption technologies.
  • the HSM provides secure key management to generate cryptographic keys, sets the capabilities and security limits of keys, implements key backup and recovery, prepares keys for storage and performs key revocation and destruction.
  • the HSM is implemented as a dual processor device that includes a secure processor with storage and a public processor with storage.
  • the HSM may also include a physical or logical separation between interfaces that are used to communicate critical security parameters and other interfaces that are used to communicate other data.
  • FIG. 1 illustrates a block diagram of a system (100) for controlling and authorizing access to a resource (102) according to the invention.
  • the resource (102) may be an entity, premises, facility, area, equipment, material, electronic data or any other tangible or intangible thing which is controlled by an access control system.
  • examples of resources include: vehicles such as air, land or sea vehicles; equipment or materials; buildings or parts thereof (including a safe); devices such as a mobile phone, computer, camera, or remote-control apparatus; content such as a web page, electronic document, email, television or radio program; files such as music files, movie files, or application programs; confidential information; and financial accounts.
  • the resource (102) may be a building to which access is restricted by an automatic gate or lock, where a programmable microcontroller with a communication interface (120) subsystem is configured to control the automatic gate or lock.
  • the resource (102) may be a room in a building to which access is restricted by an automatic gate or lock.
  • the resource (102) may be a parking facility to which access is restricted by, for example, an automatic gate or a boom barrier.
  • the system includes a first electronic device (104) which has an HSM (106) and which is associated with a first individual who is remote from the resource, hereafter termed a grantor (108).
  • the first electronic device may be any electronic or digital device or apparatus, including a mobile phone, tablet PCs, desktop PCs, laptop, or personal digital assistant.
  • the first electronic device is a mobile phone such as a smartphone that is carried by the grantor.
  • a conventional mobile phone does not typically include an integrated HSM.
  • the HSM is implemented as an adhesive cryptographic label with embedded processors.
  • the cryptographic label is applied directly to a subscriber identity module (SIM) card (110) that can be inserted into the mobile device.
  • the cryptographic label is designed such that, after it has been fitted to a SIM card, it cannot be removed without rendering it unusable.
  • the combination of the cryptographic label adhering to the top of the SIM card (106, 110) can be inserted into a SIM card slot of the mobile phone (104).
  • the cryptographic label's HSM (106) enables the mobile phone to send and receive encrypted messages by using the capabilities of the SIM card to transmit encrypted data.
  • the cryptographic label typically comprises a printed circuit having a first set of electrical contacts disposed on a top side of the printed circuit for interfacing to the mobile phone, a second set of electrical contacts disposed on a bottom side of the circuit for interfacing to the SIM card, and an HSM disposed in the circuit and coupled to the first and second sets of electrical contacts.
  • a cryptographic label device is fully described in PCT Publication Number WO/2013/013192 which is incorporated herein by reference in its entirety.
  • the system includes a second electronic device (112), which may also be a mobile phone and which also has an HSM (114), which may be in the form of a cryptographic label fitted to a SIM card (116).
  • the second electronic device is associated with a second individual hereafter termed a requestor (118). Both the first and second electronic devices are able to communicate with a communication interface (120) of the resource through first and second communication channels (122, 124) respectively.
  • the communication interface (120) is also a SIM card to which a cryptographic label has been applied.
  • the communication interface is a virtual communication point such as a network address, for example where the resource is a web site, electronic document or file.
  • the first and second communication channels can be wireless mobile communication channels such as GSM, Wi-Fi or Bluetooth channels.
  • the first, second or third communication channels may be near-field communication (NFC) channels, in which case the second electronic device communicates with the communication interface when the requestor brings it into proximity with an NFC reader associated with the communication interface, such as a door access reader.
  • FIG. 2 is a flow diagram of a method for controlling and authorizing access to a resource using the system of FIG. 1 .
  • the second electronic device (112) requests access to the resource (102) by communicating with the communication interface (120) of the resource (102) through the second communication channel (124). This may, for example, be by the second electronic device (112) being tapped on an NFC reader associated with the resource (102) when the second electronic device (112) is in close proximity to the resource (102); by the second electronic device (112) transmitting a request to a remote resource; or by any other means of communication with the resource (102) through the second communication channel (124).
  • the request is encrypted by the HSM (114) of the second electronic device (112).
  • the HSM (114) may encrypt the request using Data Encryption Standard (DES), Triple Data Encryption Standard/Algorithm (TDES/TDEA), DES-X, Secure Socket Layer (SSL), Advanced Encryption Standard (AES), Blowfish, Serpent, Twofish, Threefish, International Data Encryption Algorithm (IDEA), Rivest, Shamir, & Adleman (RSA), Digital Signature Algorithm (DSA), Tiny Encryption Algorithm (TEA), extended TEA (XTEA), and/or other encryption algorithms or protocols. Of these, SSL is a transport protocol and DSA a signature algorithm rather than a cipher, and single DES is long obsolete; a present-day implementation would use AES in an authenticated mode such as AES-GCM.
  • the cryptographic label HSM (114) includes a public section and a security section, each of which corresponds to a processor on the adhesive label, the two processors being physically and/or logically separated from each other.
  • the operations of the security section are handled by a security processor and the operations of the public section are handled by a public processor.
  • the security processor is exposed only to the public processor and behaves in strict accordance with HSM standards, i.e. the security processor responds only to encryption and decryption requests; no further information is offered to the public processor.
  • the resource (102) forwards the request to the first electronic device (104) associated with the grantor (108), preferably without the resource (102) being capable of decrypting the request.
  • the first electronic device (104) decrypts the request using its HSM (106) and presents the request to the grantor (108), for example by displaying the request and the identity of the requestor (118) to the grantor (108) on a display of the first electronic device.
  • Such a display could, for example, be in the format "<NAME OF REQUESTOR> REQUESTS ACCESS TO <NAME OF RESOURCE>".
  • the grantor (108) is able to approve or deny the request by responding using the first electronic device (104). For example, the grantor (108) may respond by pressing an "approve" or "deny" button presented adjacent to the displayed request. If the grantor (108) denies the request, then at stage (208), the first electronic device (104) transmits a denial of authorization instruction to the resource (102), and the resource (102) then prevents the requestor (118) from gaining access.
  • if the grantor (108) approves the request, then at stage (210), the first electronic device (104) transmits a grant of authorization instruction to the resource (102).
  • the resource (102) then permits the requestor (118) to gain access to the resource (102), for example by opening a door or barrier, unlocking a feature or area of a website or program, or enabling a document or file to be opened.
  • the grant or denial of authorization instruction may also be encrypted by means of the first electronic device's HSM (106), and decrypted by a decryption module (126) of the resource.
  • a different encryption arrangement is employed for communication between the first electronic device (104) and the resource (102), so that the resource (102) is only able to decrypt communications received from the grantor (108), and is not able to decrypt the request received from the requestor (118), which the resource simply forwards to the grantor (108).
  • the system (100) illustrated in FIG.1 and the method illustrated in FIG. 2 require that the grantor (108) be available to approve or deny access requests at the time those requests are made.
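The FIG. 1 / FIG. 2 exchange, as an added example that is not part of the patent or Fundamo's own code. It models the two label HSMs and the resource's decryption module as objects holding pre-shared symmetric keys (assumed provisioned at enrolment; the text does not say how keys are distributed), and a toy HMAC-SHA256 encrypt-then-MAC stands in for the AES a real HSM would use. The point it carries over from the text is the two separate key arrangements: the resource relays the request without being able to read it, accepts only instructions addressed to it, ignores a replayed instruction, and a request altered in transit fails the grantor's tag check. Class names, field names and the demo identifiers are this example's own.

```python
# Added example (not the patent's or Fundamo's code): the FIG. 1 / FIG. 2 flow with the
# key separation the text describes; a toy HMAC-SHA256 encrypt-then-MAC stands in for AES.
import hashlib, hmac, json, os


def _keystream(key, nonce, length):
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks, standing in for AES-CTR."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class Hsm:  # models the cryptographic-label HSM: keys stay inside, callers only seal/unseal
    def __init__(self, keys):
        self._keys = dict(keys)  # peer name -> 32-byte key, assumed provisioned at enrolment

    def can_open(self, peer):
        return peer in self._keys

    def seal(self, peer, payload):
        """Encrypt-then-MAC a JSON payload for `peer`: nonce || ciphertext || tag."""
        key, nonce = self._keys[peer], os.urandom(16)
        pt = json.dumps(payload, sort_keys=True).encode()
        ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
        return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

    def unseal(self, peer, blob):
        """Check the tag before decrypting; ValueError if the blob was altered."""
        key, (nonce, ct, tag) = self._keys[peer], (blob[:16], blob[16:-32], blob[-32:])
        if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
            raise ValueError("authentication failed")
        return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class RequestorDevice:  # second electronic device (112) with HSM (114); shares key_rg with grantor
    def __init__(self, device_id, name, key_rg):
        self.device_id, self.name, self.hsm = device_id, name, Hsm({"grantor": key_rg})

    def request(self, resource_id):
        return self.hsm.seal("grantor", {"device_id": self.device_id, "requestor": self.name,
                                         "resource_id": resource_id, "nonce": os.urandom(8).hex()})


class GrantorDevice:  # first electronic device (104) with HSM (106); `decide` = approve/deny button
    def __init__(self, key_rg, key_gr, decide):
        self.hsm, self.decide = Hsm({"requestor": key_rg, "resource": key_gr}), decide

    def handle(self, blob):
        req = self.hsm.unseal("requestor", blob)  # requestor identity and resource shown to grantor
        decision = "grant" if self.decide(req["requestor"], req["resource_id"]) else "deny"
        return self.hsm.seal("resource", {"instr_id": req["nonce"], "resource_id": req["resource_id"],
                                          "device_id": req["device_id"], "decision": decision})


class Resource:  # network-enabled resource (102); decryption module (126) holds only key_gr
    def __init__(self, resource_id, key_gr):
        self.resource_id, self.hsm = resource_id, Hsm({"grantor": key_gr})
        self.authorized, self.seen = set(), set()

    def forward(self, request_blob):
        return request_blob  # relayed to the grantor unread: there is no requestor key here

    def apply(self, instr_blob):
        """Apply a grant/deny; instructions for other resources, or replayed ones, are ignored."""
        instr = self.hsm.unseal("grantor", instr_blob)
        if instr["resource_id"] != self.resource_id or instr["instr_id"] in self.seen:
            return False
        self.seen.add(instr["instr_id"])
        grant = instr["decision"] == "grant"
        (self.authorized.add if grant else self.authorized.discard)(instr["device_id"])
        return grant

    def admit(self, device_id):
        return device_id in self.authorized


def run_flow(grantor_approves):
    """One request through requestor -> resource -> grantor -> resource, with constructed keys."""
    key_rg, key_gr = os.urandom(32), os.urandom(32)
    alice, door = RequestorDevice("IMEI-0001", "Alice", key_rg), Resource("door-7", key_gr)
    grantor = GrantorDevice(key_rg, key_gr, lambda who, what: grantor_approves)
    instr = grantor.handle(door.forward(alice.request("door-7")))
    granted = door.apply(instr)
    return {"granted": granted, "admitted": door.admit("IMEI-0001"),
            "resource_can_read_request": door.hsm.can_open("requestor"),
            "replay_accepted": door.apply(instr)}


def tamper_detected():
    """A request altered in transit fails the tag check at the grantor."""
    key_rg, key_gr = os.urandom(32), os.urandom(32)
    blob = bytearray(RequestorDevice("IMEI-0002", "Mallory", key_rg).request("door-7"))
    blob[20] ^= 0x01  # flip one ciphertext bit
    try:
        GrantorDevice(key_rg, key_gr, lambda who, what: True).handle(bytes(blob))
    except ValueError:
        return True
    return False
```

Both key arrangements are symmetric here for brevity; what matters for the text is that the resource's decryption module holds only the grantor-resource key, so the request passing through it stays opaque, and that the instruction names both the resource and the requestor's device so a relayed or replayed instruction cannot open a different door.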
  • FIG. 3 illustrates a system (300) for controlling and authorizing access to a resource (102) according to a second embodiment of the invention.
  • the system (300) of FIG. 3 is similar to the system (100) of FIG. 1 and like reference numerals refer to like entities or devices.
  • the grantor (108) does not need to be available to approve or deny access requests at the time that those requests are made, but can do so in advance.
  • the first and second electronic devices (104, 112) are enabled to communicate with each other directly by means of a third communication channel (302).
  • FIG. 4 is a flow diagram of a method for controlling and authorizing access to a resource using the system of FIG. 3.
  • the second electronic device (112) identifies the resource (102) and requests access to the resource (102) from the first electronic device (104) by transmitting a request through the third communication channel (302), the request being encrypted by the HSM (114) of the second electronic device (112).
  • the identification of the resource (102) may be carried out by any one of a number of methods, including by entering an identifier of the resource (such as a unique code which may have been obtained from the grantor) into an interface of the second electronic device (112); by automatically obtaining an identifier of the resource (102) by first bringing the second electronic device (112) into proximity with the resource (102) and communicating with the resource (102) through the second communication channel (124) to obtain the resource's identifier; by obtaining an identifier of the resource (102) through wireless data exchange over a Wi-Fi network; or by any other suitable communication through the second communication channel (124).
  • the first electronic device (104) decrypts the request using its HSM (106) and presents the request to the grantor (108) on a display of the first electronic device (104).
  • the grantor (108) is able to approve or deny the request by, for example, pressing an approve button or a deny button, as previously described. If the grantor (108) denies the request, at a next stage (406), the first electronic device (104) transmits a denial of authorization instruction to the resource (102), whereas if the grantor (108) approves the request, at a next stage (406), the first electronic device (104) transmits a grant of authorization instruction to the resource (102).
  • because the second electronic device (112) requests access to the resource (102) directly from the first electronic device, and not from the resource (102) as in FIGs. 1 and 2, the request can be granted in advance of the requestor (118) first requesting access to the resource (102), or at least in advance of subsequent requests for access to the resource (102).
  • the grantor (108) does not have to be available to approve the request for access at the time that access is required, but can do so in advance.
  • the grant of authorization instruction will be stored on the resource (102) to enable the resource (102) to check whether the second electronic device (112) is authorized when the second electronic device (112) subsequently wishes to obtain access to the resource (102).
  • the resource (102) may grant access to the requestor (118) once per authorization instruction, or the authorization instruction may be persistent in that, once authorized, a requestor is able to access the resource (102) according to a set of conditions that may be included in the authorization instruction, such as that access is only to be given during certain times, or for a certain number of times within a set period. For example, where the requestor is an employee requiring access to a working facility, the authorization instruction may command the resource (102) to allow access to that specific requestor only during working hours on weekdays.
  • the resource (102) is network-enabled in that it is capable of communicating with the grantor (108) by means of the first communication channel (122).
  • FIG. 5 illustrates a system (500) for controlling and authorizing access to a resource (102) according to a third embodiment of the invention.
  • the system (500) of FIG. 5 is similar to the system (100) of FIG. 1 and the system (300) of FIG.3, and like reference numerals refer to like entities or devices.
  • the resource (102) is network-disabled in that it is not capable of communicating with the grantor (108) by means of a communications network.
  • the resource (102) is only able to communicate with the second electronic device (112) through the second communication channel (124).
  • An example of a network-disabled resource would be a building which has an access control system in the form of a gate reader which can communicate by Bluetooth or NFC but which is not otherwise connected to a communications network.
  • FIG. 6 is a flow diagram of a method for controlling and authorizing access to a resource using the system of FIG. 5.
  • the second electronic device (1 12) identifies the resource (102) and requests access to the resource (102) from the first electronic device (104), as described above.
  • the first electronic device (104) then decrypts the request and presents it to the grantor (108), who either approves or denies the request at a next stage (604).
  • the grantor (108) denies the request, no authorization token is provided by the first electronic device, as shown at a next stage (606). However, if the grantor (108) approves the request, then the first electronic device (104) transmits a grant of authorization token to the second electronic device (1 12) at a next stage (608).
  • the grant of authorization token is encrypted by the first electronic device (104) and is stored by the second electronic device (1 12).
  • the authorization token includes an identifier of the resource (102) to which the grantor (108) has authorized access, and is encrypted in such a way that the contents thereof cannot be decrypted by the second electronic device (1 12).
  • the second electronic device (1 12) is able to use the encrypted authorization token to gain access to the resource (102), as shown at a next stage (610), by presenting the encrypted authorization token to the resource (102), which decrypts it using the decryption module (126).
  • the authorization token also includes a set of conditions which includes, for example, data specifying times at which the requestor (1 18) is allowed to access the resource (102), or data specifying the number of times within specified periods that the requestor (1 18) is allowed to access the resource (102).
  • a grantor can set up, in advance of a requestor obtaining access, conditions for that access. For example, a parent can grant a child access to a vehicle at certain times during the day, or a company manager can grant employees access to non-work related electronic content during specific times, on certain days or for a certain number of times per day.
  • an authorization token may include instructions to revoke specific requestors' access to the resource (102), instructions to grant access to other requestors, or settings relating to the availability of the resource (102).
  • the second electronic device (1 12) can be utilized by the grantor (108) as a communication channel to the resource (102), particularly in the absence of a direct communication channel between the grantor (108) and the resource (102).
  • the same instructions can be encoded into several requestors' electronic devices, so that the grantor (108) can be more certain that instructions will reach the resource (102) in the event of some requestors not requesting access to the resource (102) within an expected time period or at an expected time.
  • the requestor (118) could also add a PIN number, password or a set of security questions to the request, which PIN number, password or security questions are encrypted into the authorization token by the first electronic device (104).
  • the resource (102) will then prompt the requestor (108) for the PIN, password or answers to the security questions at the time that the requestor (108) provides the authorization token to the resource, thereby adding a second factor of authentication and preventing an unauthorized possessor of the second electronic device (112) from gaining access to the resource (102).
  • the grantor (108) could require that two or more requestors be present for the resource (102) to become available, similar to the case where two keys held by different holders are required to open a high-security deposit box.
  • FIG. 7 illustrates a system (700) for controlling and authorizing access to a resource (102) according to a fourth embodiment of the invention.
  • the system (500) of FIG. 5 is similar to the system (100) of FIG. 3, and like reference numerals refer to like entities or devices.
  • the grantor (108) is capable of first identifying the requestor (118) before the grantor (108) initiates a request for access to the resource (102).
  • the requestor (118) may, optionally, be requested to confirm its identity before the grantor (108) transmits a grant of authorization instruction to the resource (102).
  • FIG. 8 is a flow diagram of a method for controlling and authorizing access to a resource using the system of FIG. 7.
  • the first electronic device (104) of the grantor (108) identifies the second electronic device (112) of the requestor (118) and sends a request to the second electronic device (112) to confirm the identity of the requestor (118).
  • the identification of the second electronic device (112) may be carried out by any one of a number of methods, including by entering an identifier of the second electronic device (112), such as a unique code which may have been obtained from the requestor, into an interface of the first electronic device (104); by automatically obtaining an identifier of the second electronic device (112) by first bringing the second electronic device (112) into proximity with the first electronic device (104) and communicating with the second electronic device (112) through the third communication channel (302) to obtain the second electronic device's identifier; by obtaining an identifier of the second electronic device (112) through wireless data exchange over a Wi-Fi network; or any other suitable communication through the third communication channel (124).
  • the second electronic device (112) receives the encrypted request and decrypts the request.
  • the request is then presented to the requestor (118), who either approves or denies the identity request at a next stage (804).
  • if the requestor (118) denies the request, the first electronic device (104) receives a denial response to the identity request.
  • if the requestor does not respond to the request within a specified time period, the validity of the identity request lapses.
  • if the requestor (118) confirms its identity, the second electronic device (112) transmits a confirmation thereof (808) to the first electronic device (104).
  • the first electronic device decrypts the confirmation message and presents it to the grantor (108).
  • the first electronic device (104) then, at a next stage (812), transmits an authorization instruction to the resource.
  • the authorization instruction is typically in the form of digital data which is encrypted by means of the first electronic device's HSM (106) and decrypted by means of a decryption module (126) of the resource (102).
  • the authorization instruction includes an identifier of the second electronic device (112), for example, a unique code obtained from the requestor (118), to thereby enable the resource (102) to grant access to the requestor (118) associated with the second electronic device (112).
  • the system of FIG. 7 may, in other embodiments, also function without communication between the first electronic device (104) and the second electronic device (112) through the third communication channel (302), which is indicated by a broken line in FIG. 7.
  • the grantor (108) would typically already have details of the second electronic device (112).
  • the requestor (118) may provide these details to the grantor (108) without use of the second electronic device (112).
  • the grantor (108) then transmits an authorization instruction to the resource (102) without the step of requesting the requestor (118) to confirm or deny its identity.
  • FIGs. 1 to 8 include only one grantor, one requestor, and one resource.
  • the invention extends to systems and methods for controlling and authorizing access to a resource in the case of a plurality of grantors, a plurality of requestors, and/or a plurality of resources.
  • the same methods can be applied in systems comprising one grantor and multiple requestors, multiple grantors and multiple requestors and/or multiple grantors and one requestor without departing from the scope of the invention.
  • the invention further extends to systems including any of the above combinations of requestors and grantors wherein access to more than one resource is controlled.
  • FIG. 9 shows a mobile device (900) that can be used as a first electronic device or second electronic device according to the embodiments described above.
  • the mobile device (900) includes a display (912), an input element (914), computer readable medium (924) such as volatile and non-volatile memory, processor (910) and at least one antenna (920).
  • the mobile device may include a dual interface including both contact (not shown) and contactless interface (916) for transferring information through direct contact or through an integrated chip, which may be coupled to a second antenna.
  • the mobile device (900) may be capable of communicating through a cellular network, such as GSM through an antenna (920).
  • the mobile device (900) may be capable of transmitting and receiving information wirelessly through both short range, radio frequency (RF) and cellular connections.
  • the device of FIG. 9 may include an account identifier associated with an account.
  • a method, system and device for controlling and authorizing access to a resource is therefore provided.
  • the method, system and device disclosed enables a grantor in an access-control system to grant, control and modify access to a resource without requiring physical exchanges of possession. This may reduce the costs associated with maintaining an access-control system and may improve the efficiency of the system.
  • because both the requestor and grantor have HSM-enabled electronic devices, both can trust that they are being identified to each other correctly, since the communication between the HSMs of the first and second electronic devices is hardware-encrypted and includes information which uniquely identifies both parties.
  • the resource includes a decryption module for decrypting the encrypted information it receives from either the first electronic device or the second electronic device.
  • These secure elements and the encrypted communication channels used may reduce the risk of fraudulent activities, such as the copying of requestor passwords, intercepting of requestor, grantor, or resource information, or the risk of unauthorized persons or entities gaining access to a resource.
  • transmitting an authorization instruction to a resource or an authorization token to a requestor allows the person or entity in control of the access-control system to grant access to requestors, and to control and/or modify access to the resource, while in a location physically remote from an access point of the access-control system.
  • additional factors of authentication such as passwords or security questions, can easily be incorporated into the system in order to improve the grantor's level of certainty regarding the identity of the requestor to whom access is granted.
  • any of the software components or functions described in this application may be implemented as software code to be executed by a processor using any suitable computer language such as, for example, Java, C++ or Perl using, for example, conventional or object-oriented techniques.
  • the software code may be stored as a series of instructions, or commands on a computer readable medium, such as a random access memory (RAM), a read only memory (ROM), a magnetic medium such as a hard-drive or a floppy disk, or an optical medium such as a CD-ROM.
  • Any such computer readable medium may reside on or within a single computational apparatus, and may be present on or within different computational apparatuses within a system or network.
  • a software module is implemented with a computer program product comprising a computer-readable medium containing computer program code, which can be executed by a computer processor for performing any or all of the steps, operations, or processes described.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method for controlling and authorizing access to a resource is described. A first electronic device has a hardware security module (HSM) and is associated with a first individual termed a grantor. A second electronic device also has an HSM and is associated with the second individual termed a requestor. The first electronic device receives an encrypted request for access to a resource, the request originating from the second electronic device and the request including data which uniquely identifies both the second electronic device as well as a resource to which access is requested. The HSM of the first electronic device decrypts the encrypted request and presents the decrypted request to the grantor, who can either deny the request, in which case no authorization is transmitted, or who can authorize the request in which case the first electronic device transmits an encrypted authorization instruction or token to either the resource or to the second electronic device.

Description

CONTROLLING AND AUTHORIZING ACCESS TO A RESOURCE
CROSS-REFERENCES TO RELATED APPLICATIONS
[0001] This application claims priority to South African provisional patent application number 2012/03838 filed on 25 May 2012.
BACKGROUND TO THE INVENTION
[0002] This invention relates to a system and a method for controlling and authorizing access to a resource.
[0003] Access-control systems are employed in a wide variety of situations in which a person or entity desires access to a resource or thing. Examples include vehicle access control systems, systems for controlling access to premises, facilities, buildings or specific rooms in a building, systems for controlling access to equipment or materials, systems for controlling access to electronic devices, accounts, content, or confidential data, amongst many others.
[0004] Access-control systems generally make use of a predefined process for issuing, controlling and distributing a password, key or other token to authorized requestors, so that those requestors can gain access to the resource by using the password, key or token.
[0005] Issuing, controlling and distributing physical keys or tokens is generally expensive and cumbersome as it usually requires a physical exchange of a possession. Furthermore, it may be difficult for the person who is in control of the access-control system to make changes to the system without needing to reissue and/or redistribute the physical keys or tokens. For example, if an employee leaves a company, a physical exchange would typically need to take place in order to ensure that the employee does not retain access to a building or facility.
[0006] The control of virtual keys such as passwords suffers from the disadvantage that the password may be copied and used by unauthorized requestors. It is also, in many cases, not possible to use inherent requestor characteristics to control access to the resource, because these characteristics may not have been captured by the person in control of the access control system or may not be known for all requestors.
[0007] Furthermore, in many situations the person who is in control of the access control system is physically remote from the access point, and access must be granted to requestors whose identities may not be known with a high degree of certainty.
BRIEF SUMMARY OF THE INVENTION
[0008] As used in this specification, the term "requestor" means an individual who requests access to a resource. The term "resource" means any entity, premises, facility, area, electronic data or any other tangible or intangible thing which is controlled by an access-control system. Examples of resources include: vehicles such as air, land or sea vehicles; buildings or parts thereof (including a safe); materials or equipment; devices such as a mobile phone, computer, camera, or remote-control apparatus; content such as a web page, electronic document, email, television or radio program; files such as music files, movie files, or application programs; confidential information; and financial accounts, which in all cases have access restricted by some form of access-control system. The term "grantor" means a person or entity who is in control of the access-control system and who is able to authorize a requestor to gain access to the resource. Lastly, the term "electronic device" means any electronic or digital device or apparatus, including mobile phones, tablet PCs, desktop PCs, laptops, personal digital assistants and the like. 
[0009] In accordance with a first aspect of the invention there is provided a method performed by a first electronic device which has a hardware security module and which is associated with a first individual hereafter termed a grantor, comprising: receiving a request for access to a resource which request originates from a second electronic device, the second electronic device having a hardware security module and being associated with an individual hereafter termed a requestor, and the request being in the form of digital data which is encrypted by the second electronic device's hardware security module and which uniquely identifies both the second electronic device as well as the resource to which access is requested, decrypting the digital data by the first electronic device's hardware security module, presenting the request and the identity of the requestor to the grantor, and, in response to the grantor authorizing access to the resource, transmitting an authorization instruction or token to either the resource or to the second electronic device.
[0010] In one embodiment of the invention, the resource is network-enabled in that it is capable of communicating with the grantor by a communications network, and the method includes the step of the grantor transmitting an authorization instruction to the resource, the authorization instruction being in the form of digital data which is encrypted by the first electronic device's hardware security module and decrypted by a decryption module of the resource, the authorization instruction including an identifier of the second electronic device to thereby enable the resource to grant access to the requestor associated with the second electronic device.
[0011] The resource may grant access to the requestor once per authorization instruction, or the authorization instruction may be persistent in that once authorized, a requestor is able to access the resource according to a set of conditions that may be included in the authorization instruction.
[0012] In a second embodiment of the invention, the resource is network-disabled in that it is not capable of communicating with the grantor by a communications network, and the method includes the step of the grantor transmitting a token to the second electronic device, the token being in the form of digital data which is encrypted by the first electronic device's hardware security module and includes an identifier of the resource to which the grantor has authorized access, the token thereby enabling the resource to grant access to the requestor associated with the second electronic device when the second electronic device presents the token to the resource and the resource decrypts the token.
[0013] Further features of the invention provide for the digital data of the token to include a set of conditions, and for the set of conditions to include data specifying times at which the requestor is allowed to access the resource, or the number of times within specified periods that the requestor is allowed to access the resource.
[0014] Yet further features of the invention provide for the token to include other data which the grantor wishes to communicate to the resource, such as instructions to revoke specific requestors' access to the resource, or settings regarding the availability of the resource.
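As an added example that is not part of the patent text, the following Python models the token embodiment of [0012] to [0014]: the grantor issues a persistent token carrying the resource identifier, time-of-day and per-day count conditions, a second-factor PIN check and revocation instructions, and the resource enforces all of them while keeping the usage state that count-based conditions require. The HSM encryption is abstracted to an HMAC-SHA256 tag under a constructed shared key (an assumption; a deployment would use the HSM and the resource's decryption module), and every name and value below is constructed for the demonstration.

```python
import hashlib
import hmac
import json
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed demo secret standing in for the key shared between the grantor's
# HSM and the resource's decryption module. Not a real key.
GRANTOR_RESOURCE_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 64  # hex length of an HMAC-SHA256 tag


def seal_token(payload: dict) -> bytes:
    """Grantor side (assumed HSM abstraction): serialize the token and append an
    HMAC-SHA256 tag. The requestor device stores the blob but cannot forge one."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(GRANTOR_RESOURCE_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def open_token(blob: bytes) -> dict:
    """Resource side: verify the tag before any field of the token is trusted."""
    body, tag = blob[:-(TAG_LEN + 1)], blob[-TAG_LEN:]
    expected = hmac.new(GRANTOR_RESOURCE_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token integrity check failed")
    return json.loads(body)


def pin_digest(pin: str) -> str:
    """Keyed digest of the second-factor PIN, so the requestor device that holds
    the token cannot recover the PIN from it offline."""
    return hmac.new(GRANTOR_RESOURCE_KEY, pin.encode(), hashlib.sha256).hexdigest()


def issue_token(resource_id: str, requestor_id: str,
                hours: Optional[List[List[int]]] = None,
                max_per_day: Optional[int] = None,
                pin: Optional[str] = None,
                revoke: Optional[List[str]] = None) -> bytes:
    """Grantor builds a persistent token: resource identifier, optional access
    conditions, optional PIN check and optional revocation instructions."""
    token: dict = {"resource": resource_id, "requestor": requestor_id, "conditions": {}}
    if hours:
        token["conditions"]["hours"] = hours  # list of [start_hour, end_hour) windows
    if max_per_day is not None:
        token["conditions"]["max_per_day"] = max_per_day
    if pin is not None:
        token["pin_check"] = pin_digest(pin)
    if revoke:
        token["revoke"] = list(revoke)
    return seal_token(token)


class Resource:
    """Models the resource's decryption module plus the per-requestor usage state
    it must keep to enforce count-based conditions and revocations."""

    def __init__(self, resource_id: str) -> None:
        self.resource_id = resource_id
        self.revoked: set = set()
        self.uses: Dict[Tuple[str, str], int] = {}  # (requestor, day) -> accesses

    def present_token(self, blob: bytes, now_iso: str,
                      pin: Optional[str] = None) -> Tuple[bool, str]:
        """Decide an access request; returns (granted, reason)."""
        try:
            token = open_token(blob)
        except ValueError as exc:
            return False, str(exc)
        if token.get("resource") != self.resource_id:
            return False, "token is for a different resource"
        # Apply any grantor instructions carried in the token before deciding, so a
        # revocation reaches the resource even when carried by another requestor's device.
        for rid in token.get("revoke", []):
            self.revoked.add(rid)
        requestor = token["requestor"]
        if requestor in self.revoked:
            return False, "requestor access revoked"
        now = datetime.fromisoformat(now_iso)
        cond = token.get("conditions", {})
        windows = cond.get("hours")
        if windows and not any(start <= now.hour < end for start, end in windows):
            return False, "outside allowed hours"
        period = (requestor, now.strftime("%Y-%m-%d"))
        limit = cond.get("max_per_day")
        if limit is not None and self.uses.get(period, 0) >= limit:
            return False, "daily access limit reached"
        if "pin_check" in token:
            if pin is None or not hmac.compare_digest(pin_digest(pin), token["pin_check"]):
                return False, "second factor failed"
        self.uses[period] = self.uses.get(period, 0) + 1
        return True, "access granted"
```

A failed PIN or an out-of-window attempt does not consume one of the requestor's daily accesses; only a granted access is counted.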
[0015] In accordance with a second aspect of the invention there is provided a method performed by a first electronic device which has a hardware security module and which is associated with a grantor, the method comprising: identifying a second electronic device associated with a requestor, the second electronic device having a hardware security module, optionally transmitting an encrypted identity confirmation request to the second electronic device, the identity confirmation request prompting the requestor to confirm or deny its identity, and receiving, decrypting by the hardware security module of the first electronic device, and presenting to the grantor a confirmation or denial response to the identity confirmation request from the second electronic device, and transmitting an authorization instruction to a resource, the resource being network-enabled in that it is capable of communicating with the grantor through a communications network, the authorization instruction being in the form of digital data which is encrypted by the first electronic device's hardware security module and decrypted by a decryption module of the resource, the authorization instruction including an identifier of the second electronic device to thereby enable the resource to grant access to the requestor associated with the second electronic device.
[0016] In accordance with a third aspect of the invention there is provided a method performed by an electronic device associated with a requestor, the method comprising: identifying a resource, transmitting a request for access to the resource to a grantor, receiving an encrypted token from the grantor, storing the encrypted token, and presenting the encrypted token to the resource, the resource being configured to decrypt the encrypted token and grant the requestor with access to the resource in the event that the token indicates that the request for access is to be allowed.
[0017] The invention extends to a system comprising a first electronic device which has a hardware security module and which is associated with a grantor, a second electronic device which has a hardware security module and which is associated with a requestor, and one or more resources, wherein the first electronic device is configured to receive a request, originating from the second electronic device, for access to one or more of the resources, the request being in the form of digital data which is encrypted by the second electronic device's hardware security module and which uniquely identifies both the second electronic device as well as the resource to which access is requested, decrypt the digital data by the first electronic device's hardware security module, present the request and the identity of the requestor to the grantor, and in response to the grantor authorizing access to one or more of the resources, transmit an authorization instruction or token to either one or more of the resources or to the second electronic device.
[0018] A still further feature of the invention provides for one or both of the first electronic device and the second electronic device to be a mobile phone.
[0019] The invention extends to a first electronic device comprising: a processor; an antenna coupled to the processor; a computer readable medium coupled to the processor, the computer readable medium comprising code executable by the processor for implementing a method comprising: receiving a request for access to a resource which request originates from a second electronic device, the second electronic device having a hardware security module and being associated with an individual hereafter termed a requestor, and the request being in the form of digital data which is encrypted by the second electronic device's hardware security module and which uniquely identifies both the second electronic device as well as a resource to which access is requested; decrypting the digital data by a hardware security module of the first electronic device; presenting the request and the identity of the requestor to an individual associated with the first electronic device, hereafter termed a grantor; and in response to the grantor authorizing access to the resource, transmitting an authorization instruction or token to either the resource or to the second electronic device.
BRIEF DESCRIPTION OF THE DRAWINGS
[0020] FIG. 1 illustrates a system for controlling and authorizing access to a resource according to a first embodiment of the invention;
[0021] FIG. 2 is a flow diagram of a method for controlling and authorizing access to a resource using the system of FIG. 1;
[0022] FIG. 3 illustrates a system for controlling and authorizing access to a resource according to a second embodiment of the invention;
[0023] FIG. 4 is a flow diagram of a method for controlling and authorizing access to a resource using the system of FIG. 3;
[0024] FIG. 5 illustrates a system for controlling and authorizing access to a resource according to a third embodiment of the invention;
[0025] FIG. 6 is a flow diagram of a method for controlling and authorizing access to a resource using the system of FIG. 5;
[0026] FIG. 7 illustrates a system for controlling and authorizing access to a resource according to a fourth embodiment of the invention;
[0027] FIG. 8 is a flow diagram of a method for controlling and authorizing access to a resource using the system of FIG. 7; and
[0028] FIG. 9 illustrates a block diagram of an exemplary mobile electronic device with which various embodiments of the invention can be implemented.
DETAILED DESCRIPTION WITH REFERENCE TO THE DRAWINGS
[0029] Embodiments of the present invention provide a method for controlling and authorizing access to a resource. A first electronic device has a hardware security module (HSM) and is associated with a first individual hereafter termed a grantor. A second electronic device also has an HSM and is associated with the second individual hereafter termed a requestor. The first electronic device receives an encrypted request for access to a resource, the request originating from the second electronic device and the request including data which uniquely identifies both the second electronic device as well as a resource to which access is requested. The HSM of the first electronic device decrypts the encrypted request and presents the decrypted request to the grantor, who can either deny the request, in which case no authorization is transmitted, or who can authorize the request in which case the first electronic device transmits an encrypted authorization instruction or token to either the resource or to the second electronic device.
[0030] It should be noted that the first and second electronic devices with HSMs in accordance with embodiments of the invention are different from electronic devices that may solely use software to encrypt communications between an electronic device and a target device or system. An electronic device that solely uses software to encrypt communications may comply with only a security level 1 of the Federal Information Processing Standard 140-2 (FIPS 140-2), which provides only a minimum level of security to protect sensitive information. In contrast, the HSM within an electronic device according to embodiments of the invention is compliant with at least a security level 2 of the FIPS 140-2 standard. More preferably, the HSM within the electronic device in embodiments of the invention is compliant with security level 3 or security level 4 of FIPS 140-2.
[0031] The HSM in embodiments of the invention uses hardware to encrypt data instead of solely performing the encryption in software. The HSM provides enhanced protection over software encryption technologies. For example, the HSM provides secure key management to generate cryptographic keys, sets the capabilities and security limits of keys, implements key backup and recovery, prepares keys for storage and performs key revocation and destruction. In some embodiments, the HSM is implemented as a dual processor device that includes a secure processor with storage and a public processor with storage. The HSM may also include a physical or logical separation between interfaces that are used to communicate critical security parameters and other interfaces that are used to communicate other data. The HSM can also provide a tamper-proof mechanism that provides a high risk of destroying the HSM and the cryptographic keys stored therein, if any attempt is made to remove or externally access the HSM.
[0032] FIG. 1 illustrates a block diagram of a system (100) for controlling and authorizing access to a resource (102) according to the invention. The resource (102) may be an entity, premises, facility, area, equipment, material, electronic data or any other tangible or intangible thing which is controlled by an access control system. As previously described, examples of resources include: vehicles such as air, land or sea vehicles; equipment or materials; buildings or parts thereof (including a safe); devices such as a mobile phone, computer, camera, or remote-control apparatus; content such as a web page, electronic document, email, television or radio program; files such as music files, movie files, or application programs; confidential information; and financial accounts.
[0033] In one specific embodiment, the resource (102) may be a building to which access is restricted by an automatic gate or lock, where a programmable microcontroller with a communication interface (120) subsystem is configured to control the automatic gate or lock. In another embodiment, the resource (102) may be a room in a building to which access is restricted by an automatic gate or lock. In a further embodiment, the resource (102) may be a parking facility to which access is restricted by, for example, an automatic gate or a boom barrier.
[0034] The system includes a first electronic device (104) which has an HSM (106) and which is associated with a first individual who is remote from the resource, hereafter termed a grantor (108). The first electronic device may be any electronic or digital device or apparatus, including a mobile phone, tablet PCs, desktop PCs, laptop, or personal digital assistant. In a preferred embodiment, the first electronic device is a mobile phone such as a smartphone that is carried by the grantor.
[0035] A conventional mobile phone does not typically include an integrated HSM. Thus, in embodiments of the invention, the HSM is implemented as an adhesive cryptographic label with embedded processors. In such a case, the cryptographic label is applied directly to a subscriber identity module (SIM) card (110) that can be inserted into the mobile device. The cryptographic label is designed such that after it has been fitted to a SIM card, the cryptographic label cannot be removed without rendering it unusable. Once fitted onto a SIM card, the combination of the cryptographic label adhering to the top of the SIM card (106, 110) can be inserted into a SIM card slot of the mobile phone (104). The cryptographic label's HSM (106) enables the mobile phone to send and receive encrypted messages by using the capabilities of the SIM card to transmit encrypted data.
[0036] The cryptographic label typically comprises a printed circuit having a first set of electrical contacts disposed on a top side of the printed circuit for interfacing to the mobile phone, a second set of electrical contacts disposed on a bottom side of the circuit for interfacing to the SIM card, and an HSM disposed in the circuit and coupled to the first and second sets of electrical contacts. It should be appreciated that various other techniques may be employed to attach the cryptographic label to a SIM card without making use of adhesive materials to attach the cryptographic label directly to the SIM card. Such a cryptographic label device is fully described in PCT Publication Number WO/2013/013192 which is incorporated herein by reference in its entirety. [0037] The system includes a second electronic device (1 12), which may also be a mobile phone and which also has an HSM (1 14) which may be in the form of a cryptographic label which is fitted to a SIM card (1 16). The second electronic device is associated with a second individual hereafter termed a requestor (1 18). Both the first and second electronic devices are able to communicate with a communication interface (120) of the resource through first and second communication channels respectively (122, 124).
[0038] In some embodiments the communication interface (120) is also a SIM card to which a cryptographic label has been applied. In other embodiments the communication interface is a virtual communication point such as a network address, for example where the resource is a web site, electronic document or file. The first and second communication channels can be wireless mobile communication channels such GSM, Wi-Fi or Bluetooth channels. In some embodiments, such as those in which the resource is a physical resource such as a building to which access is requested, the first, second or third communication channels may be near- field communication (NFC) channels, and the second electronic device is able to communicate with the communication interface by the requestor bringing the second electronic device into proximity with an NFC reader associated with the communication interface, such as a door access reader. [0039] In the embodiment of FIG. 1 , where the resource is capable of remotely communicating with the first electronic device through the first communication channel using, for example, GSM or Wi-Fi, the resource will be referred to as a "network-enabled resource".
[0040] FIG. 2 is a flow diagram of a method for controlling and authorizing access to a resource using the system of FIG. 1 . At a first stage (200), the second electronic device (1 12) requests access to the resource (102) by communicating with the communication interface (120) of the resource (102) through the second communication channel (124). This may, for example, be by the second electronic device (1 12) being tapped on an NFC reader associated with the resource (102) in a case when the second electronic device (1 12) is in close proximity to the resource (102); by the second electronic device (1 12) transmitting a request to a remote resource; or by any other means of communication with the resource (102) through the second communication channel (124).
[0041] The request is encrypted by the HSM (114) of the second electronic device (112). The HSM (114) may encrypt the request using Data Encryption Standard (DES), Triple Data Encryption Standard/Algorithm (TDES/TDEA), DES-X, Secure Sockets Layer (SSL), Advanced Encryption Standard (AES), Blowfish, Serpent, Twofish, Threefish, International Data Encryption Algorithm (IDEA), Rivest, Shamir, & Adleman (RSA), Digital Signature Algorithm (DSA), Tiny Encryption Algorithm (TEA), extended TEA (XTEA), and/or other encryption algorithms or protocols. [0042] In one embodiment, the cryptographic label HSM (114) includes a public section and a security section, each of which corresponds to a processor on the adhesive label, the two processors being physically and/or logically separated from each other. The operations of the security section are handled by a security processor and the operations of the public section are handled by a public processor. In one embodiment, the security processor is exposed only to the public processor and acts in strict accordance with HSM standards, i.e. the secure processor only responds to encryption and decryption attempts; no further information is offered to the public processor.
[0043] At a next stage (202), the resource (102) forwards the request to the first electronic device (104) associated with the grantor (108), preferably without the resource (102) being capable of decrypting the request. At a next stage (204), the first electronic device (104) decrypts the request using its HSM (106) and presents the request to the grantor (108), for example by displaying the request and the identity of the requestor (118) to the grantor (108) on a display of the first electronic device. Such a display could, for example, be in the format of "<NAME OF REQUESTOR> REQUESTS ACCESS TO <NAME OF RESOURCE>". It will be appreciated that because both the requestor and grantor have HSM-enabled electronic devices, both can trust that they are being identified to each other correctly, since the communication between the HSMs of the first and second electronic devices is hardware-encrypted and includes information which uniquely identifies both parties. [0044] At a next stage (206), the grantor (108) is able to approve or deny the request by responding using the first electronic device (104). For example, the grantor (108) may respond by pressing an "approve" or "deny" button presented adjacent the displayed request. If the grantor (108) denies the request, then at stage (208), the first electronic device (104) transmits a denial of authorization instruction to the resource (102), and the resource (102) then prevents the requestor (118) from gaining access. If the grantor (108) approves the request, then at stage (210), the first electronic device (104) transmits a grant of authorization instruction to the resource (102). The resource (102) then permits the requestor (118) to gain access to the resource (102), for example by opening a door or barrier, unlocking a feature or area of a website or program, or enabling a document or file to be opened.
[0045] The grant or denial of authorization instruction may also be encrypted by means of the first electronic device's HSM (106), and decrypted by a decryption module (126) of the resource. In some embodiments, a different encryption arrangement is employed for communication between the first electronic device (104) and the resource (102), so that the resource (102) is only able to decrypt communications received from the grantor (108), and is not able to decrypt the request received from the requestor (118), which the resource simply forwards to the grantor (108). [0046] It will be appreciated that the system (100) illustrated in FIG. 1 and the method illustrated in FIG. 2 require that the grantor (108) be available to approve or deny access requests at the time those requests are made.
[0047] FIG. 3 illustrates a system (300) for controlling and authorizing access to a resource (102) according to a second embodiment of the invention. The system (300) of FIG. 3 is similar to the system (100) of FIG. 1 and like reference numerals refer to like entities or devices. In this embodiment, the grantor (108) does not need to be available to approve or deny access requests at the time that those requests are made, but can do so in advance. Furthermore, in the embodiment illustrated in FIG. 3, the first and second electronic devices (104, 112) are enabled to communicate with each other directly by means of a third communication channel (302). [0048] FIG. 4 is a flow diagram of a method for controlling and authorizing access to a resource using the system of FIG. 3. At a first stage (400), the second electronic device (112) identifies the resource (102) and requests access to the resource (102) from the first electronic device (104) by transmitting a request through the third communication channel (302), where the request is encrypted by the HSM (114) of the second electronic device (112).
[0049] The identification of the resource (102) may be carried out by any one of a number of methods, including by entering an identifier of the resource (such as a unique code which may have been obtained from the grantor) into an interface of the second electronic device (112); by automatically obtaining an identifier of the resource (102) by first bringing the second electronic device (112) into proximity with the resource (102) and communicating with the resource (102) through the second communication channel (124) to obtain the resource's identifier; by obtaining an identifier of the resource (102) through wireless data exchange over a Wi-Fi network; or by any other suitable communication through the second communication channel (124).
[0050] At a next stage (402), the first electronic device (104) decrypts the request using its HSM (106) and presents the request to the grantor (108) on a display of the first electronic device (104). At a next stage (404), the grantor (108) is able to approve or deny the request by, for example pressing an approve button or deny button, as previously described. If the grantor (108) denies the request, at a next stage (406), the first electronic device (104) transmits a denial of authorization instruction to the resource (102), whereas if the grantor (108) approves the request, at a next stage (406), the first electronic device (104) transmits a grant of authorization instruction to the resource (102).
[0051] It will be appreciated that because the second electronic device (112) requests access to the resource (102) directly from the first electronic device, and not from the resource (102) as in FIGs. 1 and 2, the request can be granted in advance of the requestor (118) first requesting access to the resource (102), or at least in advance of subsequent requests for access to the resource (102). In other words, the grantor (108) does not have to be available to approve the request for access at the time that access is required, but can do so in advance. [0052] In the case described above, the grant of authorization instruction will be stored on the resource (102) to enable the resource (102) to check whether the second electronic device (112) is authorized when the second electronic device (112) subsequently wishes to obtain access to the resource (102). The resource (102) may grant access to the requestor (118) once per authorization instruction, or the authorization instruction may be persistent in that once authorized, a requestor is able to access the resource (102) according to a set of conditions that may be included in the authorization instruction, such as that access is only to be given during certain times, or for a certain number of times within a set period. For example, in a case where the requestor is an employee requiring access to a working facility, the authorization instruction may command the resource (102) to only allow access to the specific requestor during working hours on weekdays.
[0053] In both of the previous embodiments, as illustrated by FIGs. 1 to 2 and FIGs. 3 to 4 respectively, the resource (102) is network-enabled in that it is capable of communicating with the grantor (108) by means of the first communication channel (122).
[0054] FIG. 5 illustrates a system (500) for controlling and authorizing access to a resource (102) according to a third embodiment of the invention. The system (500) of FIG. 5 is similar to the system (100) of FIG. 1 and the system (300) of FIG. 3, and like reference numerals refer to like entities or devices. In this embodiment the resource (102) is network-disabled in that it is not capable of communicating with the grantor (108) by means of a communications network. As shown in FIG. 5, the resource (102) is only able to communicate with the second electronic device (112) through the second communication channel (124). An example of a network-disabled resource would be a building which has an access control system in the form of a gate reader which can communicate by Bluetooth or NFC but which is not otherwise connected to a communications network.
[0055] FIG. 6 is a flow diagram of a method for controlling and authorizing access to a resource using the system of FIG. 5. At a first stage (600), the second electronic device (112) identifies the resource (102) and requests access to the resource (102) from the first electronic device (104), as described above. At a next stage (602), the first electronic device (104) then decrypts the request and presents it to the grantor (108), who either approves or denies the request at a next stage (604).
[0056] If the grantor (108) denies the request, no authorization token is provided by the first electronic device, as shown at a next stage (606). However, if the grantor (108) approves the request, then the first electronic device (104) transmits a grant of authorization token to the second electronic device (112) at a next stage (608). The grant of authorization token is encrypted by the first electronic device (104) and is stored by the second electronic device (112). In a preferred embodiment of the invention, the authorization token includes an identifier of the resource (102) to which the grantor (108) has authorized access, and is encrypted in such a way that the contents thereof cannot be decrypted by the second electronic device (112). Instead, the second electronic device (112) is able to use the encrypted authorization token to gain access to the resource (102), as shown at a next stage (610), by presenting the encrypted authorization token to the resource (102), which decrypts it using the decryption module (126).
[0057] In embodiments of the invention, the authorization token also includes a set of conditions which includes, for example, data specifying times at which the requestor (118) is allowed to access the resource (102), or data specifying the number of times within specified periods that the requestor (118) is allowed to access the resource (102). In this way, a grantor can set up, in advance of a requestor obtaining access, conditions for that access. For example, a parent can grant a child access to a vehicle at certain times during the day, or a company manager can grant employees access to non-work related electronic content during specific times, on certain days or for a certain number of times per day. [0058] Additional information can also be encoded within the authorization token in addition to the identifier of the resource (102) to which the grantor (108) has authorized access and a set of conditions regarding access. Because the authorization token is encrypted and can only be decrypted by the resource (102) and not by the second electronic device (112), such additional information can be totally unrelated to the requestor (118) and can be any information which the grantor (108) wishes to communicate to the resource. [0059] For example, an authorization token may include instructions to revoke specific requestors' access to the resource (102), instructions to grant access to other requestors, or settings relating to the availability of the resource (102). It will be appreciated that in this way the second electronic device (112) can be utilized by the grantor (108) as a communication channel to the resource (102), particularly in the absence of a direct communication channel between the grantor (108) and the resource (102). The same instructions can be encoded into several requestors' electronic devices, so that the grantor (108) can be more certain that instructions will reach the resource (102) in the event of some requestors not requesting access to the resource (102) within an expected time period or at an expected time.
[0060] As a further additional feature, at the stage (600) of requesting access to the resource (102), the requestor (118) could also add a PIN, password or a set of security questions to the request, which PIN, password or security questions are encrypted into the authorization token by the first electronic device (104). The resource (102) will then prompt the requestor (118) for the PIN, password or answers to the security questions at the time that the requestor (118) provides the authorization token to the resource, thereby adding a second factor of authentication and preventing an unauthorized possessor of the second electronic device (112) from gaining access to the resource (102). In some embodiments, the grantor (108) could require that two or more requestors be present for the resource (102) to become available, similar to the case where two keys held by different holders are required to open a high-security deposit box.
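The following is an added illustration and is not code from the patent or its applicant. It sketches the network-disabled flow of FIG. 5 and FIG. 6 (stages 600 to 610) together with the conditions, piggy-backed instructions and second factor of paragraphs [0057] to [0060], and it also shows the property relied on at stage 202 of FIG. 2, namely that a resource which only forwards a request sealed to the grantor cannot read it. Everything below is an assumption chosen for illustration: the function and class names (seal, open_sealed, request_access, issue_token, Resource.present), the JSON layout of the token body, the sample identifiers and dates, and the cipher itself, where HMAC-SHA256 run in counter mode plus an HMAC tag (encrypt-then-MAC) stands in for the AES the HSM and decryption module (126) would actually use, so that the example runs with the Python standard library alone.

```python
import hashlib
import hmac
import json
import secrets
import struct
from datetime import datetime

# Added example, not the patent's own code: the token flow of FIG. 5/6 with the
# conditions of [0057]-[0060]. All names and the cipher construction are assumptions.

NONCE_LEN, TAG_LEN = 16, 32

def _derive(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()   # separate enc / mac subkeys

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for the HSM's AES (assumption; stdlib only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Only a holder of key can read or alter it."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_derive(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):            # verify before decrypting
        raise ValueError("token tampered or sealed for a different key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_derive(key, b"enc"), nonce, len(ct))))

def _pin_hash(pin: str, salt: bytes) -> str:
    return hashlib.sha256(salt + pin.encode()).hexdigest()

def request_access(grantor_key: bytes, requestor_id: str, resource_id: str) -> bytes:
    """Requestor side (stage 400/600): sealed to the grantor, so a resource that merely
    forwards the request (FIG. 2, stage 202) cannot read it."""
    return seal(grantor_key, json.dumps({"requestor": requestor_id, "resource": resource_id}).encode())

def issue_token(resource_key, resource_id, requestor_id, weekdays, hours,
                max_uses_per_day, pin=None, instructions=None):
    """Grantor side (stage 608): build and seal the authorization token for one requestor."""
    salt = secrets.token_bytes(8)
    body = {
        "token_id": secrets.token_hex(8),          # lets the resource count uses per token
        "resource": resource_id,
        "requestor": requestor_id,
        "weekdays": sorted(weekdays),              # 0 = Monday ... 6 = Sunday
        "hours": list(hours),                      # [start, end) hour of day
        "max_uses_per_day": max_uses_per_day,
        "pin_salt": salt.hex(),
        "pin_hash": _pin_hash(pin, salt) if pin else None,   # second factor; never the PIN itself
        "instructions": instructions or {},        # e.g. {"revoke": ["bob"]}: unrelated to this requestor
    }
    return seal(resource_key, json.dumps(body).encode())

class Resource:
    """Network-disabled resource (e.g. a gate reader) holding the decryption key."""

    def __init__(self, resource_id: str, key: bytes):
        self.id, self.key = resource_id, key
        self.uses = {}            # (token_id, date) -> count
        self.revoked = set()

    def present(self, blob: bytes, pin, now_iso: str):
        """Stage 610: decrypt the token and enforce its conditions; now_iso stands in for the reader's clock."""
        now = datetime.fromisoformat(now_iso)
        try:
            t = json.loads(open_sealed(self.key, blob))
        except ValueError as err:
            return False, str(err)
        if t["resource"] != self.id:
            return False, "token is for another resource"
        self.revoked.update(t["instructions"].get("revoke", []))   # apply grantor's instructions first
        if t["requestor"] in self.revoked:
            return False, "requestor revoked"
        if t["pin_hash"] is not None and not hmac.compare_digest(
                t["pin_hash"], _pin_hash(pin or "", bytes.fromhex(t["pin_salt"]))):
            return False, "second factor failed"
        if now.weekday() not in t["weekdays"] or not (t["hours"][0] <= now.hour < t["hours"][1]):
            return False, "outside permitted times"
        slot = (t["token_id"], now.date().isoformat())
        if self.uses.get(slot, 0) >= t["max_uses_per_day"]:
            return False, "daily use limit reached"
        self.uses[slot] = self.uses.get(slot, 0) + 1
        return True, "access granted"
```

Two design points worth noting. First, the resource verifies the tag before it decrypts or parses anything, so a tampered or foreign token is rejected without the JSON ever being interpreted, and the PIN is carried as a salted hash rather than in clear even though only the resource can open the token. Second, the grantor's piggy-backed revocation list is applied as soon as any valid token for this resource is opened, before the presenting requestor's own outcome is decided, which is what lets the second electronic device act as the grantor's channel to an offline reader as paragraph [0059] describes.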
[0061] FIG. 7 illustrates a system (700) for controlling and authorizing access to a resource (102) according to a fourth embodiment of the invention. The system (700) of FIG. 7 is similar to the system (300) of FIG. 3, and like reference numerals refer to like entities or devices. In this embodiment, the grantor (108) is capable of first identifying the requestor (118) before the grantor (108) initiates a request for access to the resource (102). The requestor (118) may, optionally, be requested to confirm its identity before the grantor (108) transmits a grant of authorization instruction to the resource (102). An example of such a case would be when an employer acts as a grantor to grant a new employee access to certain workplace facilities, without the new employee initiating such authorization by transmitting a request for access to the employer or to a resource. [0062] FIG. 8 is a flow diagram of a method for controlling and authorizing access to a resource using the system of FIG. 7. At a first stage (800), the first electronic device (104) of the grantor (108) identifies the second electronic device (112) of the requestor (118) and sends a request to the second electronic device (112) to confirm the identity of the requestor (118).
[0063] The identification of the second electronic device (112) may be carried out by any one of a number of methods, including by entering an identifier of the second electronic device (112), such as a unique code which may have been obtained from the requestor, into an interface of the first electronic device (104); by automatically obtaining an identifier of the second electronic device (112) by first bringing the second electronic device (112) into proximity with the first electronic device (104) and communicating with the second electronic device (112) through the third communication channel (302) to obtain the second electronic device's identifier; by obtaining an identifier of the second electronic device (112) through wireless data exchange over a Wi-Fi network; or by any other suitable communication through the third communication channel (302).
[0064] At a next stage (802), the second electronic device (112) receives the encrypted request and decrypts the request. The request is then presented to the requestor (118), who either approves or denies the identity request at a next stage (804). At a following stage (806), if the requestor (118) denies the request, the first electronic device (104) receives a denial response to the identity request. Optionally, if the requestor does not respond to the request within a specified time period, the validity of the identity request lapses. If the requestor (118) confirms the identity request, the second electronic device (112) transmits a confirmation thereof (808) to the first electronic device (104). At a next stage (810), the first electronic device decrypts the confirmation message and presents it to the grantor (108). The first electronic device (104) then, at a next stage (812), transmits an authorization instruction to the resource.
[0065] Similarly to the embodiment illustrated in FIG. 3, the authorization instruction is typically in the form of digital data which is encrypted by means of the first electronic device's HSM (106) and decrypted by means of a decryption module (126) of the resource (102). The authorization instruction includes an identifier of the second electronic device (112), for example, a unique code obtained from the requestor (118), to thereby enable the resource (102) to grant access to the requestor (118) associated with the second electronic device (112).
[0066] It is foreseen that the system of FIG. 7 may, in other embodiments, also function without communication between the first electronic device (104) and the second electronic device (112) through the third communication channel (302), which is indicated by a broken line in FIG. 7. In such cases, the grantor (108) would typically already have details of the second electronic device (112). For example, the requestor (118) may provide these details to the grantor (108) without use of the second electronic device (112). The grantor (108) then transmits an authorization instruction to the resource (102) without the step of requesting the requestor (118) to confirm or deny its identity.
[0067] Although the systems and methods illustrated and described with reference to FIGs. 1 to 8 include only one grantor, one requestor, and one resource, it should be appreciated that the invention extends to systems and methods for controlling and authorizing access to a resource in the case of a plurality of grantors, a plurality of requestors, and/or a plurality of resources. For example, the same methods can be applied in systems comprising one grantor and multiple requestors, multiple grantors and multiple requestors and/or multiple grantors and one requestor without departing from the scope of the invention. The invention further extends to systems including any of the above combinations of requestors and grantors wherein access to more than one resource is controlled.
[0068] FIG. 9 shows a mobile device (900) that can be used as a first electronic device or second electronic device according to the embodiments described above. The mobile device (900) includes a display (912), an input element (914), computer readable medium (924) such as volatile and non-volatile memory, processor (910) and at least one antenna (920). In addition, the mobile device may include a dual interface including both contact (not shown) and contactless interface (916) for transferring information through direct contact or through an integrated chip, which may be coupled to a second antenna. In addition, the mobile device (900) may be capable of communicating through a cellular network, such as GSM through an antenna (920). Thus, the mobile device (900) may be capable of transmitting and receiving information wirelessly through both short range, radio frequency (RF) and cellular connections. The device of FIG. 9 may include an account identifier associated with an account.
[0069] A method, system and device for controlling and authorizing access to a resource are therefore provided. The method, system and device disclosed enable a grantor in an access-control system to grant, control and modify access to a resource without requiring physical exchanges of possession. This may reduce the costs associated with maintaining an access-control system and may improve the efficiency of the system. [0070] Furthermore, because both the requestor and grantor have HSM-enabled electronic devices, both can trust that they are being identified to each other correctly, since the communication between the HSMs of the first and second electronic devices is hardware-encrypted and includes information which uniquely identifies both parties. Furthermore, the resource includes a decryption module for decrypting the encrypted information it receives from either the first electronic device or the second electronic device.
[0071] These secure elements and the encrypted communication channels used may reduce the risk of fraudulent activities, such as the copying of requestor passwords, intercepting of requestor, grantor, or resource information, or the risk of unauthorized persons or entities gaining access to a resource.
[0072] The provision of an authorization instruction to a resource or an authorization token to a requestor allows the person or entity in control of the access-control system to grant access to requestors, control and/or modify access to the resource while in a location physically remote from an access point of the access-control system. Finally, additional factors of authentication, such as passwords or security questions, can easily be incorporated into the system in order to improve the grantor's level of certainty regarding the identity of the requestor to whom access is granted.
[0073] The above description is illustrative and not restrictive or intended to limit the invention to the precise forms disclosed. Persons skilled in the relevant art can appreciate that many modifications and variations are possible in light of the above disclosure. [0074] The scope of the invention should, therefore, be determined not with reference to the above description, but instead should be determined with reference to the claims along with their full scope or equivalents.
[0075] Some portions of this description describe the embodiments of the invention in terms of algorithms and symbolic representations of operations on information. These algorithmic descriptions and representations are commonly used by those skilled in the data processing arts to convey the substance of their work effectively to others skilled in the art. These operations, while described functionally, computationally, or logically, are understood to be implemented by computer programs or equivalent electrical circuits, microcode, or the like. Furthermore, it has also proven convenient at times, to refer to these arrangements of operations as modules, without loss of generality. The described operations and their associated modules may be embodied in software, firmware, hardware, or any combinations thereof. [0076] Any of the software components or functions described in this application, may be implemented as software code to be executed by a processor using any suitable computer language such as, for example, Java, C++ or Perl using, for example, conventional or object-oriented techniques. The software code may be stored as a series of instructions, or commands on a computer readable medium, such as a random access memory (RAM), a read only memory (ROM), a magnetic medium such as a hard-drive or a floppy disk, or an optical medium such as a CD- ROM. Any such computer readable medium may reside on or within a single computational apparatus, and may be present on or within different computational apparatuses within a system or network. [0077] Any of the steps, operations, or processes described herein may be performed or implemented with one or more hardware or software modules, alone or in combination with other devices. 
In one embodiment, a software module is implemented with a computer program product comprising a computer-readable medium containing computer program code, which can be executed by a computer processor for performing any or all of the steps, operations, or processes described.
[0078] Finally, the language used in the specification has been principally selected for readability and instructional purposes, and it may not have been selected to delineate or circumscribe the inventive subject matter. It is therefore intended that the scope of the invention be limited not by this detailed description, but rather by any claims that issue on an application based hereon. Accordingly, the disclosure of the embodiments of the invention is intended to be illustrative, but not limiting, of the scope of the invention, which is set forth in the following claims.

Claims

WHAT IS CLAIMED IS: 1. A method performed by a first electronic device which has a hardware security module and which is associated with a first individual hereafter termed a grantor, comprising:
receiving a request for access to a resource which request originates from a second electronic device, the second electronic device having a hardware security module and being associated with an individual hereafter termed a requestor, and the request being in the form of digital data which is encrypted by the second electronic device's hardware security module and which uniquely identifies both the second electronic device as well as the resource to which access is requested;
decrypting the digital data by using the first electronic device's hardware security module;
presenting the request and the identity of the requestor to the grantor; and
in response to the grantor authorizing access to the resource, transmitting an authorization instruction or token to either the resource or to the second electronic device.
2. A method as claimed in claim 1 in which the resource is network-enabled in that it is capable of communicating with the grantor through a communications network.
3. A method as claimed in claim 2 which includes the step of:
transmitting an authorization instruction to the resource, the authorization instruction being in the form of digital data which is encrypted by the first electronic device's hardware security module and decrypted by a decryption module of the resource, the authorization instruction including an identifier of the second electronic device to thereby enable the resource to grant access to the requestor associated with the second electronic device.
4. A method as claimed in claim 3 in which the resource grants access to the requestor once per authorization instruction or a specific number of times per authorization instruction.
5. A method as claimed in claim 3 in which the authorization instruction is persistent in that once authorized, a requestor is able to access the resource according to a set of conditions that may be included in the authorization instruction.
6. A method as claimed in claim 1 in which the resource is network-disabled in that it is not capable of communicating with the grantor through a communications network.
7. A method as claimed in claim 6 which includes the step of:
transmitting a token to the second electronic device,
the token being in the form of digital data which is encrypted by the first electronic device's hardware security module and includes an identifier of the resource to which the grantor has authorized access, the token thereby enabling the resource to grant access to the requestor associated with the second electronic device when the second electronic device presents the token to the resource and the resource decrypts the token.
8. A method as claimed in claim 7 in which the digital data of the token includes a set of conditions.
9. A method as claimed in claim 8 in which the set of conditions includes one or both of data specifying times at which the requestor is allowed to access the resource and data specifying the number of times within specified periods that the requestor is allowed to access the resource.
10. A method as claimed in any one of claims 7 to 9 in which the token includes data which the grantor wishes to communicate to the resource.
11. A method as claimed in claim 10 in which the data which the grantor wishes to communicate to the resource includes one or both of instructions to revoke one or more specific requestors' access to the resource and settings regarding the availability of the resource.
12. A method performed by a first electronic device which has a hardware security module and which is associated with a grantor, the method comprising:
identifying a second electronic device associated with a requestor, the second electronic device having a hardware security module;
optionally transmitting an encrypted identity confirmation request to the second electronic device, the identity confirmation request prompting the requestor to confirm or deny its identity, and receiving, decrypting by the hardware security module of the first electronic device, and presenting to the grantor a confirmation or denial response to the identity confirmation request from the second electronic device; and
transmitting an authorization instruction to a resource, the resource being network-enabled in that it is capable of communicating with the grantor through a communications network, the authorization instruction being in the form of digital data which is encrypted by the first electronic device's hardware security module and decrypted by a decryption module of the resource, the authorization instruction including an identifier of the second electronic device to thereby enable the resource to grant access to the requestor associated with the second electronic device.
13. A method performed by an electronic device associated with a requestor, the method comprising:
identifying a resource;
transmitting a request for access to the resource to a grantor; receiving an encrypted token from the grantor;
storing the encrypted token; and
presenting the encrypted token to the resource, the resource being configured to decrypt the encrypted token and grant the requestor with access to the resource in the event that the token indicates that the request for access is to be allowed.
14. A system comprising:
a first electronic device which has a hardware security module and which is associated with a grantor;
a second electronic device which has a hardware security module and being associated with a requestor; and
one or more resources; wherein the first electronic device is configured to:
receive a request, originating from the second electronic device, for access to one or more of the resources, the request being in the form of digital data which is encrypted by the second electronic device's hardware security module and which uniquely identifies both the second electronic device as well as the resource to which access is requested;
decrypt the digital data by the first electronic device's hardware security module;
present the request and the identity of the requestor to the grantor; and
in response to the grantor authorizing access to one or more of the resources, transmit an authorization instruction or token to one or more of the resources or to the second electronic device.
15. A method as claimed in any one of claims 1 to 13 in which one or both of the first electronic device and the second electronic device is a mobile phone.
16. A system as claimed in claim 14 in which one or both of the first electronic device and the second electronic device is a mobile phone.
17. A first electronic device comprising:
a processor;
an antenna coupled to the processor;
a computer readable medium coupled to the processor, the computer readable medium comprising code executable by the processor for implementing a method comprising: receiving a request for access to a resource which request originates from a second electronic device, the second electronic device having a hardware security module and being associated with an individual hereafter termed a requestor, and the request being in the form of digital data which is encrypted by the second electronic device's hardware security module and which uniquely identifies both the second electronic device as well as a resource to which access is requested;
decrypting the digital data by a hardware security module of the first electronic device;
presenting the request and the identity of the requestor to an individual associated with the first electronic device, hereafter termed a grantor; and
in response to the grantor authorizing access to the resource, transmitting an authorization instruction or token to either the resource or to the second electronic device.
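The flow of claim 17 as an added example in Go (not code from the patent or from Fundamo): the requestor's HSM seals a request naming its device and the resource, the grantor's HSM opens it and rejects anything not sealed by a trusted HSM, the grantor is asked, and a token bound to exactly that device and resource is minted only on a yes. Beyond what the claims state, it assumes that both HSMs share one AES-GCM key and that the token is an HMAC the resource can recompute under a key it shares with the grantor's device; every identifier and key is constructed.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"strings"
)

// HSM stands in for a device's hardware security module; both devices' HSMs are assumed to share one AES-GCM key.
type HSM struct{ aead cipher.AEAD }
func NewHSM(key []byte) (*HSM, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &HSM{aead}, err
}

// SealRequest (requestor side): encrypt and authenticate "device\x00resource" under the shared key.
func (h *HSM) SealRequest(device, resource string) []byte {
	nonce := make([]byte, h.aead.NonceSize())
	rand.Read(nonce) // never returns weak bytes; modern crypto/rand aborts instead of erroring
	return h.aead.Seal(nonce, nonce, []byte(device+"\x00"+resource), nil)
}

// Authorize (grantor side): decrypt, reject anything not sealed by a trusted HSM, ask the grantor, mint a token only on yes.
func (h *HSM) Authorize(tokenKey, sealed []byte, grantor func(device, resource string) bool) ([]byte, error) {
	var plain []byte // stays empty if the request is too short, forged or tampered with
	if n := h.aead.NonceSize(); len(sealed) >= n {
		plain, _ = h.aead.Open(nil, sealed[:n], sealed[n:], nil)
	}
	device, resource, ok := strings.Cut(string(plain), "\x00")
	if !ok {
		return nil, errors.New("not a request sealed by a trusted HSM")
	}
	if !grantor(device, resource) { // the grantor sees the requestor's device and the resource asked for
		return nil, errors.New("grantor denied access")
	}
	return MintToken(tokenKey, device, resource), nil
}
// MintToken binds the grant to exactly this device and resource; the resource recomputes it and checks with hmac.Equal.
func MintToken(tokenKey []byte, device, resource string) []byte {
	mac := hmac.New(sha256.New, tokenKey)
	mac.Write([]byte(device + "\x00" + resource))
	return mac.Sum(nil)
}
```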
PCT/IB2013/054305 2012-05-25 2013-05-24 Controlling and authorizing access to a resource WO2013175444A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
ZA2014/07012A ZA201407012B (en) 2012-05-25 2014-09-26 Controlling and authorizing access to a resource

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
ZA201203838 2012-05-25
ZA2012/03838 2012-05-25

Publications (1)

Publication Number Publication Date
WO2013175444A1 true WO2013175444A1 (en) 2013-11-28

Family

ID=49623247

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2013/054305 WO2013175444A1 (en) 2012-05-25 2013-05-24 Controlling and authorizing access to a resource

Country Status (2)

Country Link
WO (1) WO2013175444A1 (en)
ZA (1) ZA201407012B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020124184A1 (en) * 2001-03-01 2002-09-05 Fichadia Ashok L. Method and system for automated request authorization and authority management
US20050010756A1 (en) * 2003-06-25 2005-01-13 France Telecom Granting authorization to access a resource
US20100071033A1 (en) * 2008-08-13 2010-03-18 Hitachi, Ltd. Authentication coordination system, terminal apparatus, storage medium, authentication coordination method, and authentication coordination program

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11025420B2 (en) * 2016-09-26 2021-06-01 Amazon Technologies, Inc. Stateless service-mediated security module
US11888980B2 (en) 2016-09-26 2024-01-30 Amazon Technologies, Inc. Stateless service-mediated security module
CN109104281A (en) * 2017-06-20 2018-12-28 Google LLC Tokenized hardware security module
CN109104281B (en) * 2017-06-20 2021-08-20 Google LLC Tokenized hardware security module
CN111183660A (en) * 2017-10-11 2020-05-19 Gentex Corporation System and method for operating a transmitter
CN111183660B (en) * 2017-10-11 2023-09-26 Gentex Corporation System and method for operating a transmitter

Also Published As

Publication number Publication date
ZA201407012B (en) 2015-10-28

Similar Documents

Publication Publication Date Title
US20200244658A1 (en) Method and System for Associating a Unique Device Identifier with a Potential Security Threat
US9660814B2 (en) Providing digital certificates
EP2905925B1 (en) System and method for remote access, Remote digital signature
EP2798777B1 (en) Method and system for distributed off-line logon using one-time passwords
US9256725B2 (en) Credential recovery with the assistance of trusted entities
US20190251561A1 (en) Verifying an association between a communication device and a user
US20150235215A1 (en) System and Method for Mobile or Web-Based Payment/Credential Process
CN110612698B (en) Security authentication system and security authentication method for generating security key by combining authentication factors of multiple users
CN105393569A (en) Systems and methods for verification conducted at a secure element
US9443069B1 (en) Verification platform having interface adapted for communication with verification agent
JP5992535B2 (en) Apparatus and method for performing wireless ID provisioning
CN114450990A (en) Multi-factor authentication for providing credentials for secure messages via contactless cards
US20240121112A1 (en) Mutual authentication with pseudo random numbers
WO2013175444A1 (en) Controlling and authorizing access to a resource
US8464941B2 (en) Method and terminal for providing controlled access to a memory card
US11941100B2 (en) Selective access and verification of user information
CN110582986B (en) Security authentication method for generating security key by combining authentication factors of multiple users
KR102053993B1 (en) Method for Authenticating by using Certificate
KR101513434B1 (en) Method and Module for Protecting Key Input
JP2016076022A (en) Authentication and approval system, communication terminal device, authentication and approval server device, authentication and approval method, and program
KR20150084605A (en) Method for authentication using user apparatus, digital system, and authentication system thereof
KR20150083562A (en) Method for authentication using user apparatus, digital system, and authentication system thereof
KR20150056951A (en) Method for providing active service control, active service control system, and client system thereof
KR20150056950A (en) Method for providing active service control, active service control system, and client system thereof

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 13793992; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 13793992; Country of ref document: EP; Kind code of ref document: A1