NL2024201B1 - Space access control module and remote key provisioning system - Google Patents
Space access control module and remote key provisioning system
- Publication number
- NL2024201B1
- Authority
- NL
- Netherlands
- Prior art keywords
- access key
- key
- control module
- room
- space access
Classifications
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00571—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated by interacting with a central unit
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/20—Individual registration on entry or exit involving the use of a pass
- G07C9/215—Individual registration on entry or exit involving the use of a pass the system having a variable access-code, e.g. varied as a function of time
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/20—Individual registration on entry or exit involving the use of a pass
- G07C9/27—Individual registration on entry or exit involving the use of a pass with central registration
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/0846—Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent-passwords, e.g. periodically changing passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/40—Security arrangements using identity modules
- H04W12/47—Security arrangements using identity modules using near field communication [NFC] or radio frequency identification [RFID] modules
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/80—Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00309—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks
- G07C2009/0042—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks the transmitted data signal containing a code which is changed
- G07C2009/00428—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks the transmitted data signal containing a code which is changed periodically after a time period
- G07C2009/00436—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks the transmitted data signal containing a code which is changed periodically after a time period by the system
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C2209/00—Indexing scheme relating to groups G07C9/00 - G07C9/38
- G07C2209/08—With time considerations, e.g. temporary activation, valid time window or time limitations
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C2209/00—Indexing scheme relating to groups G07C9/00 - G07C9/38
- G07C2209/60—Indexing scheme relating to groups G07C9/00174 - G07C9/00944
- G07C2209/63—Comprising locating means for detecting the position of the data carrier, i.e. within the vehicle or within a certain distance from the vehicle
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/63—Location-dependent; Proximity-dependent
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Lock And Its Accessories (AREA)
- Selective Calling Equipment (AREA)
Abstract
One aspect of this disclosure relates to a control module comprising a first receiver interface and a second receiver interface. The first receiver interface is configured for wirelessly receiving a first space access key generated at a remote space access key provisioning system and the second receiver interface is configured for wirelessly receiving a second space access key from a handheld user device (e.g. a smartphone). The module also comprises a processor, configured for triggering a time interval dependent on the first space access key and to generate a space access control allow signal when the second space access key is received over the second receiver interface within the time interval and at least a part of the first space access key matches at least a part of the second space access key. +FIG. 3
Description
NL30440-Lg/td Space access control module and remote key provisioning system
FIELD OF THE INVENTION
This disclosure relates to a space access control module, a method for operating a space access control module and to a remote key provisioning system. The disclosure also relates to a system comprising a plurality of space access control modules and a remote key provisioning system.
BACKGROUND
With the advent of handheld electronic devices, such as smartphones, there is a trend to integrate all kinds of functions with these devices. One of these functions pertains to access control to spaces, wherein a lock on a barrier (e.g. a door) to such a space can be opened with the handheld device instead of with conventional keys.
Most of these locks are being advertised as smart locks, but are far from smart in reality. In most systems, the handheld device functions as a remote control providing an electronic key to a control module connected to the lock, and the lock opens when the key received from the handheld device matches the electronic key stored in the control module. The control module may employ rolling keys for increased security.
However, the security of these systems is worse than for conventional physical key-lock combinations because the keys in the control modules can be retrieved without great difficulty, e.g. using replay attacks or other ways to obtain the electronic keys stored in the control module. Hence there exists a need for enhanced security in space access control while still providing easy entry to a space.
SUMMARY
One aspect of the present disclosure relates to a space access control module comprising a first receiver interface and a second receiver interface. The receiver interfaces may provide interfaces for different communication technologies. The first receiver interface is configured for wirelessly receiving a first space access key generated at a remote space access key provisioning system (e.g. a cloud system, but the system may also be provided at a location with a substantial number of space access control modules, e.g. in a company or office or hotel) and the second receiver interface is configured for wirelessly receiving a second space access key from a handheld user device (e.g. a smartphone). The module also comprises a processor, configured for triggering a time interval dependent on the first space access key and to generate a space access control allow signal when the second space access key is received over the second receiver interface within the time interval and at least a part of the first space access key matches at least a part of the second space access key.
Another aspect of the disclosure pertains to a method for space access control in a space access control module. The method comprises the steps of receiving a first space access key generated at a remote space access key provisioning system and a second space access key from a handheld user device. A time interval is triggered dependent on the first space access key and a space access control allow signal is generated when the second space access key is received within the time interval when at least a part of the first space access key matches at least a part of the second space access key.
The present disclosure presents a system and method wherein the space access control module receives a first space access key over a first communication path at the first receiver interface. This enables just-in-time delivery of the first space access key at the space access control module, so that access keys are not necessarily stored permanently at or near the point of entry to the space. At the same time, when the first space access key has arrived at the space access control module, it triggers only a limited time interval during which a match of the first key with a second key received over a second receiver interface from a handheld user device results in a space access allow signal. Access to the space is therefore not possible before arrival of the first space access key at the control module and after expiry of the time interval, so there is only a limited time to have a key match.
Transmission from the handheld user device to the control module of the second space access key is preferably unencrypted. Hence, the space access control module does not need to be paired with the handheld device in order to provide the second space access control key to the space access control module. Transmission from the handheld user device to the control module preferably takes place using short range communication technology, such as Near Field Communication (NFC), Bluetooth Low Energy (BLE) or Bluetooth 5.
It should be noted that the first space access key and the second space access key are copies of the same key generated at the remote space access key provisioning system but are transmitted and received over different key provisioning paths and are therefore referred to as first space access key and second space access key, respectively.
In one embodiment, the first space access key, or a part thereof (e.g. a time stamp), is typically stored until a new first space access key is received. The second space access key is discarded after a match has been tried.
The time interval may be less than 10 minutes, preferably less than one minute, e.g. less than 10 seconds.
In one embodiment, the time interval is triggered by the receipt or presence of the first space access key at the space access control module. The space access control module may apply a programmable timer to that effect. The space access control module may, for example, only listen for the second space access key during the time interval (e.g. by activating the second receiver interface) or may enable generation of the space access allow signal at the processor only during the time interval. The value of the programmable timer may be programmed from a remote system, such as the remote space access key provisioning system disclosed herein.
In one embodiment, the first space access key is received over the first receiver interface and comprises time information from which the processor is enabled to derive the time interval. This embodiment allows setting the time interval on a per-key basis and may e.g. be applied when the key provisioning system is time-synchronized with the space access control modules.
The first space access key and/or second space access key may comprise one or more parts with different functions.
In one embodiment of the present disclosure, the first space access key and/or second space access key comprises at least one of a space access control module identifier, a validation value and position information. The space access control module identifier may be a part of the key that is unique for the space access control module and provides for a key dedicated to the control module. The validation value is applied to enable detection of tampering with one or more parts of the key. For example, the validation value may be a hash value calculated over at least a part of the key to allow inspection of the validity of the key. The position information (e.g. LAT/LON information) may be used to enable a key match only at or near the location of the space access control module or within a programmable range from this module. Further information can be included in the keys when longer keys are used. One example of such further information pertains to an open time reflecting how long the lock stays open after the space access allow signal is generated. This enables personalisation per lock or per person.
In one embodiment, the first space access key and the second space access key comprise a time stamp. The processor is configured to generate the space access allow signal only when the processor detects that the time stamp of a last valid space access key generated at the remote space access key provisioning system precedes the time stamp of the first space access key and/or the second space access key. The embodiment prevents replay attacks wherein an adverse party intercepts the first and/or second space access key and makes an attempt to use that key later.
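The module-side checks from the embodiments above (time window, key match, validation value, position and time stamp), as an added example that is not part of the patent text. The byte layout, the shared secret and all names are assumptions; the validation value here is a truncated HMAC-SHA-256 rather than the plain hash the text mentions, because a plain hash can be recomputed by whoever alters the key.

```python
import hashlib
import hmac
import math
import struct
from dataclasses import dataclass

# Constructed wire layout (assumption; the patent defines none):
# module id (4) | time stamp (8) | interval s (2) | lat, lon in 1e-6 deg (4+4) | nonce (8)
_BODY = struct.Struct(">IQHii8s")
_TAG_LEN = 16  # truncated HMAC-SHA-256 serving as the validation value


def build_key(secret, module_id, ts, interval_s, lat, lon, nonce):
    """Provisioning-side helper: serialise the key parts and append the validation value."""
    body = _BODY.pack(module_id, ts, interval_s, round(lat * 1e6), round(lon * 1e6), nonce)
    return body + hmac.new(secret, body, hashlib.sha256).digest()[:_TAG_LEN]


@dataclass
class ParsedKey:
    module_id: int
    ts: int
    interval_s: int
    lat: float
    lon: float


def parse_key(secret, raw):
    """Return the key parts, or None if the length or validation value is wrong."""
    if len(raw) != _BODY.size + _TAG_LEN:
        return None
    body, tag = raw[:_BODY.size], raw[_BODY.size:]
    expected = hmac.new(secret, body, hashlib.sha256).digest()[:_TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    module_id, ts, interval_s, lat, lon, _nonce = _BODY.unpack(body)
    return ParsedKey(module_id, ts, interval_s, lat / 1e6, lon / 1e6)


def _distance_m(lat1, lon1, lat2, lon2):
    # Equirectangular approximation; adequate for the short ranges involved.
    x = math.radians(lon2 - lon1) * math.cos(math.radians((lat1 + lat2) / 2))
    return 6371000 * math.hypot(x, math.radians(lat2 - lat1))


class ControlModule:
    def __init__(self, secret, module_id, lat, lon, last_valid_ts, max_range_m=50):
        self.secret, self.module_id = secret, module_id
        self.lat, self.lon, self.max_range_m = lat, lon, max_range_m
        self.last_valid_ts = last_valid_ts  # time stamp of the initial / last valid key
        self._pending = None                # first key, held only while the window is open
        self._deadline = 0

    def on_first_key(self, raw, now):
        """First receiver interface. True means: window armed, send the acknowledge."""
        key = parse_key(self.secret, raw)
        if key is None or key.module_id != self.module_id:
            return False
        if key.ts <= self.last_valid_ts:  # replayed or stale key
            return False
        if _distance_m(self.lat, self.lon, key.lat, key.lon) > self.max_range_m:
            return False
        self.last_valid_ts = key.ts       # only the time stamp is kept long-term
        self._pending, self._deadline = raw, now + key.interval_s
        return True

    def on_second_key(self, raw, now):
        """Second receiver interface (unencrypted short range). Returns (allow, reason)."""
        if self._pending is None:
            return (False, "no-window")
        if now > self._deadline:
            self._pending = None
            return (False, "window-expired")
        if not hmac.compare_digest(raw, self._pending):
            return (False, "mismatch")    # the received second key is simply dropped
        self._pending = None              # one allow signal per first key
        return (True, "allow")
```

Because the second key travels unencrypted, the properties that matter are that a captured copy is useless once the window has been consumed or has expired, and that a captured first key cannot re-arm the window.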
In one embodiment, the space access control module is connected to a barrier lock that can be activated when receiving the space access allow signal (open) to provide access to the space. The barrier may, for example, be a door or turnstile, providing access to a space behind. The space access allow signal may be received by a small motor enabling mechanical activation of the lock. The space access allow signal may be received wirelessly from the space access control module or in a wired fashion. Preferably, the space access control module is integrated with the barrier lock.
In one embodiment, the space access control module comprises at least one of:
- wake-up means for activating the space access control module;
- beacon signal generation means for control module recognition by the handheld user device;
- a location module for determining and/or signaling location information; and
- a short range communication module for at least the second receiver interface.
The wake-up means for activating the space access control module serves to save power for the space access control module which is particularly relevant for a battery powered module.
The beacon signal generation means enables the handheld device to automatically recognize the proximity of the space access control module and to either present a user interface to the user to request the second space access key or to even automatically retrieve the second space access key to enable opening the barrier without needing to operate the handheld user device.
The location module (e.g. a GPS module) for determining and/or signaling location information of the space access control module may be used for a variety of functions. The location module may be used by the remote space access key provisioning system to determine and/or register the position of the space access control module. The position may be compared with a registered position of the space access control module and actions may be taken when the registered position is different from a determined position. One action that has been envisaged is to not send the first space access key and/or to send the second space access key when the registered position differs from the determined position or a particular distance or range therefrom.
The space access control module may also use the position information for itself. In one embodiment, the first space access key and/or the second space access key may contain position information and the space access control module compares its position information with the position information in the key. The space access control module may refrain from generating the space access signal when the position information in the key differs from its own position information.
The short-range communication module for the second receiver interface limits the range to provide the second space access key to less than 50 meters, e.g. approximately 10 meters when a Bluetooth interface is provided. One example of a communication technology applied between the handheld device and the space access control module is Bluetooth Low Energy (BLE). The communication range may be set for the application. Encryption is not applied for the communication path between the handheld user device and the space access control module when providing the second space access key to the space access control module and, therefore, pairing is not required.
In one embodiment, the space access control module is configured for receiving the first space access key from a local gateway device connected to the remote space access key provisioning system. The local gateway device provides for connectivity to the remote space access key provisioning system (e.g. a Microsoft Azure IoT Hub) and is able to provide the first space access keys to a plurality of space access control modules in its vicinity (e.g. using radio frequency communication using e.g. the 2.4 GHz band). Examples include Adaptive Network Topology (ANT) as marketed by Garmin or Bluetooth 5. Communications between the remote key provisioning system and the local gateway device may be protected using a public-private key scheme. It should be appreciated that the local gateway device may be integrated in the space access control module, i.e. the space access control module is in direct communication with the remote space access key provisioning system.
In one embodiment, the space access control module or the local gateway device is configured for wirelessly transmitting an acknowledge signal for the remote space access key provisioning system in response to receiving the first space access key. The acknowledge signal may serve as a trigger for the remote space access key provisioning system to provide the second space access key to the handheld user device only when safe receipt at the premises where the first space access key is delivered is confirmed. The remote space access key provisioning system may send a fail signal to the handheld user device when the acknowledge signal is not received from the space access control module or the local gateway after a certain time interval.
One other aspect of the present disclosure pertains to a remote space access key provisioning system for use with a plurality of space access control modules. The remote space access key provisioning system may be a cloud system. The space access key provisioning system comprises at least one of a backend system, a first system and a second system. The backend system is configured for generating a space access key and providing this key as a first space access key and a second space access key.
The first system is configured for providing the first space access key for a space access control module over a first space access key provisioning path.
The second system is configured for providing a second space access key to a handheld user device over a second space access key provisioning path, different from the first space access key provisioning path.
Controlled key distribution over separate provisioning paths enables just-in-time availability of the keys in a safe manner.
In one embodiment, the first space access key comprises time information for deriving a time interval at the space access control module during which a match between the first space access key and the second space access key can be detected.
This embodiment allows setting the time interval on a per-key basis and may e.g. be applied when the key provisioning system is time-synchronized with the space access control modules.
In one embodiment, the first system is configured for receiving an acknowledge signal from a space access control module, or a local gateway device connected to the space access control module, wherein the space access key provisioning system only provides the second space access key over the second space access key provisioning path upon receipt of the acknowledge signal.
The acknowledge signal may serve as a trigger for the remote space access key provisioning system to provide the second space access key to the handheld user device only when safe receipt at the premises where the first space access key is delivered is confirmed. The remote space access key provisioning system may send a fail signal to the handheld user device when the acknowledge signal is not received from the space access control module or the local gateway after a certain time interval.
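The acknowledge-gated release of the second key and the fail signal on timeout, as an added example that is not part of the patent text. The request identifier echoed in the acknowledge, the in-memory lists standing in for the two provisioning paths, the random 32-byte key and all names are assumptions.

```python
import secrets


class ProvisioningSystem:
    """Backend with a first path (to gateway/module) and a second path (to handsets)."""

    def __init__(self, ack_timeout_s=5):
        self.ack_timeout_s = ack_timeout_s
        self._waiting = {}     # module_id -> (request_id, key, handset_id, deadline)
        self.first_path = []   # (module_id, request_id, key) sent towards gateway/module
        self.second_path = []  # (handset_id, "key" | "fail", key or None) sent to handsets

    def request_key(self, handset_id, module_id, now):
        """Key request from a handset; only the first key leaves the backend at this point."""
        if module_id in self._waiting:  # one outstanding key per module
            self.second_path.append((handset_id, "fail", None))
            return None
        request_id = secrets.token_hex(8)  # assumption: echoed back in the acknowledge
        key = secrets.token_bytes(32)      # constructed stand-in for the generated key
        self._waiting[module_id] = (request_id, key, handset_id, now + self.ack_timeout_s)
        self.first_path.append((module_id, request_id, key))
        return request_id                  # returned only so the caller can simulate the module

    def on_ack(self, module_id, request_id, now):
        """Acknowledge from module or gateway; releases the second key if it is in time."""
        entry = self._waiting.get(module_id)
        if entry is None or not secrets.compare_digest(entry[0], request_id):
            return False                   # unsolicited or mismatching acknowledge: ignore
        del self._waiting[module_id]
        _, key, handset_id, deadline = entry
        if now > deadline:
            self.second_path.append((handset_id, "fail", None))
            return False
        self.second_path.append((handset_id, "key", key))
        return True

    def tick(self, now):
        """Send the fail signal for every request whose acknowledge never arrived."""
        expired = [m for m, e in self._waiting.items() if now > e[3]]
        for module_id in expired:
            handset_id = self._waiting.pop(module_id)[2]
            self.second_path.append((handset_id, "fail", None))
        return len(expired)
```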
In one embodiment, the second system is configured for receiving a key request signal from the handheld user device, wherein the key request signal contains information for obtaining an identifier of the space access control module.
In this manner, the remote space access key provisioning system is informed for which space access control module a key is requested to enable the key provisioning system to generate and provide a suitable key.
The transmission of the key request signal may be triggered in response to a user interaction with the handheld user device or may be triggered automatically, e.g. when in the vicinity of the space access control module (using e.g. a beacon). In one embodiment, the backend system receives the identifier (or a derivative thereof) from the second system and provides the second space access key to the second system for delivery to the handheld device.
By defining an API between the second system and the backend system as a request-response API, unauthorized access to the keys in the backend system is made difficult.
In one embodiment, the remote space key provisioning system is configured to provide the last key generated by the system as the initial first space access key to the space access control module.
By providing the space access control module with an initial key having a recent time stamp, it is ensured that a secure module is obtained upon initialization.
The initial first access key, or a part thereof (such as the time stamp), may be stored at the space access control module.
One other aspect of the present disclosure relates to a system comprising at least one space access control module of one or more of the embodiments as described above and a remote space access key provisioning system according to one or more of the embodiments as described above.
One aspect of this disclosure relates to a computer program comprising instructions to cause the space access control system and/or the remote space access key provisioning system as described herein to perform one or more of the method steps as described herein.
One aspect of this disclosure relates to a non-transitory computer-readable storage medium having stored thereon this computer program.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, a method or a computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a "circuit," "module" or "system." Functions described in this disclosure may be implemented as an algorithm executed by a processor/microprocessor of a computer. Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied, e.g., stored, thereon.
Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a computer readable storage medium may include, but are not limited to, the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of the present invention, a computer readable storage medium may be any tangible medium that can contain, or store, a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber, cable, RF, etc., or any suitable combination of the foregoing. Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java(TM), Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the person's computer, partly on the person's computer, as a stand-alone software package, partly on the person's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the person's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
Aspects of the present invention are described below with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the present invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor, in particular a microprocessor or a central processing unit (CPU), of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer, other programmable data processing apparatus, or other devices create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations,
can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. Moreover, a computer program for carrying out the methods described herein, as well as a non-transitory computer readable storage medium storing the computer program are provided. A computer program may, for example, be downloaded (updated) to the remote space access key distribution system and/or to the space access control module or be stored upon manufacturing of the device. Elements and aspects discussed for or in relation with a particular embodiment may be suitably combined with elements and aspects of other embodiments, unless explicitly stated otherwise. Embodiments of the present invention will be further illustrated with reference to the attached drawings, which schematically will show embodiments according to the invention. It will be understood that the present invention is not in any way restricted to these specific embodiments.
BRIEF DESCRIPTION OF THE DRAWINGS
Aspects of the invention will be explained in greater detail by reference to exemplary embodiments shown in the drawings, in which:
FIG. 1 schematically depicts a system comprising a remote space access key distribution system and a space access control module according to an embodiment of the invention;
FIG. 2 presents a flow chart illustrating steps of a method of controlling space access according to an embodiment of the invention;
FIG. 3 is a schematic illustration of a system comprising a remote space access key distribution system and a space access control module according to another embodiment of the invention;
FIG. 4A is a time diagram illustrating some steps of applying the system of FIG. 3;
FIG. 5 is a schematic illustration of a process performed by a control module in the system of FIG. 3, and
FIG. 6 depicts a processing system according to an embodiment.
DETAILED DESCRIPTION OF THE DRAWINGS
Figure 1 is a schematic illustration of an access control system 1 comprising a space access control system 2 (hereinafter referred to as control system 2) and a remote space access key provision system 3 (hereinafter referred to as key provision system 3). The system 1 may also comprise a handheld user device 4 (e.g. a smartphone) to be used by a user to get access to a space for which activating a barrier is required. Control module 2 may be applied at any location where access control to a space is desired. The main function of control system 2 is to generate a space access allow signal that may e.g. activate a motor to operate a mechanical lock when a suitable key is provided from the handheld device 4 as will be described in more detail below. The space access allow signal may be transmitted to the motor wirelessly or in a wired fashion. Control module 2 may be integrated in a barrier, e.g. in a door, more particularly in a door handle or door knob and is a tamperproof module. Control module 2 comprises a first receiver interface 20 and a second receiver interface 21. Signals received over the interfaces are processed by processor 22 that represents all functions of the control module 2 described in the present disclosure.
Control module 2 may comprise one or more further components, represented by 23, such as a beacon transmitter to inform the handheld device 4 of the presence of the control module 2 and/or a visual indication means (e.g. a light or sound indicating means) enabling providing a signal to the user reflecting success (e.g. a green light) or failure (e.g. a red light) of the key matching process.
Component 23 may also represent a location module for signaling and/or determining the location of the control module 2. Control module 2 may have a power means (not shown), such as a battery.
Control module may be awakened by another device to save power.
System 1 provides a first key provision path I between the key provision system 3 and the control module 2 for providing the first space access key (hereinafter referred to as the first key) to the control module 2 and a second key provision path II between the key provision system 3 and the handheld user device 4 for providing the second space access key (hereinafter referred to as the second key) to the handheld user device 4. Handheld user device 4 is configured to transmit the second key to the control module 2 where the processor 22 compares the second key with the first key received before over the first key provision path I.
In order to transmit the second key to the control module, the user may need to operate a user interface UI on the handheld device 4 provided by an application (app) associated with the remote key provision system 3. When the first key and second key match, the processor 22 generates a space access allow signal that may be fed to a motor M to activate a mechanical lock.
Motor M may or may not be integrated within the control module 2.
FIG. 2 is a flow chart illustrating some steps of a method 200 performed in control module 2 operating in the key provisioning system 1 as depicted schematically in FIG. 1. In step 201, the control module 2 receives the first key over key provision path I at receiver interface 20. The first key is generated at the remote key provisioning system 3 and may be received directly or indirectly from this system by control module 2. The receipt of the first key may wake up the control module 2 in order to save power for the control module 2 which is particularly relevant when the control module 2 is provided with a power source, such as a battery.
In step 202, processor 22 of the control module 2 processes the first key and triggers a time interval in response to receiving the first key.
The time interval may have any length, but will generally be less than 10 minutes, preferably less than one minute, e.g. less than 10 seconds.
In one embodiment, the time interval is 4 seconds.
During the time interval, control module 2 listens for a second key that may be received from handheld device 4 over the second receiver interface 21 by activating the radio communication for this interface.
The radio communication may be short-range radio communication such as BLE communication.
Handheld device 4 has obtained the second key from the same remote key provisioning system 3 over key provision path II.
Key provisioning paths I and II are independent communication paths.
Transmission from handheld device 4 to the communication module 2 is unencrypted.
It should be noted that control module 2 may return an acknowledgement to the remote key provisioning system 3 when receiving the first key (not shown). This acknowledgement can be used by remote key provisioning system 3 as a trigger to provide the second key to the handheld device 4.
However, the first and second keys may also be provisioned simultaneously over the respective key provisioning paths I and II.
If processor 22 receives the second key in step 203 within the time interval, it analyses the second key for a match in step 204.
The matching analysis may include one or more steps, such as verifying whether the second key is intended for the control module 2 using e.g. a control module identifier in the keys and verifying whether the second key is valid using well-known hash verifications.
The first and second keys may also contain time stamps in order to see whether the second key has been received before to prevent replay attacks. To that end, control module 2 has stored a time stamp of a previous first key (which may be an initial first key or time stamp provided upon initialization). The time stamp of the second key is compared with the time stamp of the previous first key in order to determine whether the time stamp of the second key is later than the time stamp of the previous first key. Only when this is the case, the space access allow signal may be generated provided that other verifications are also successful. After these verifications were also successful, the current first key, or preferably only the time stamp thereof, is stored as the last validated key in the control module 2. This last validated key is then used for a next verification of the time stamp when a next second key is received.
Finally, the complete keys may be compared.
It should be noted that the matching process may be limited to one or more of these steps and that further steps may be included in the matching process. The order of the steps may be varied as well.
If the matching analysis in step 204 fails, processor 22 does not generate a space access allow signal as shown by step 205. As a result, indicator 23 may show a red flashing light.
If the matching analysis in step 204 is successful, processor 22 generates a space access allow signal as shown by step 206. As a result, indicator 23 may show a green flashing light. The space access allow signal may be sent to motor M (over a, preferably, wired connection) in order to activate (open) the mechanical lock of a barrier.
FIG. 3 is a schematic illustration of a key provisioning system 1 according to another embodiment. Control modules 2A-2C are integrated with respective door locks L. Control modules 2A-2C may have an nRF52 series processor 22, which is manufactured by e.g. Nordic Semiconductor. These processors have integrated BLE and radio communications technologies.
The control modules 2 are provided with first keys using a gateway device 5. Gateway device 5 is configured to provide first keys to the control modules positioned in different areas A, B and C. In one embodiment, gateway device 5 employs Garmin ANT to communicate with the control modules 2.
Gateway device 5 is connected over a first key provisioning path I to a cloud key provisioning system 3. Communications between the remote key provisioning system 3 and the local gateway device 5 may be protected using a public-private key scheme.
It should be noted that the key matching functionality of the control module 2 may be implemented in the local gateway device 5. The gateway device 5 would, in case the first and second keys match, send the space access allow signal to the motor M to control entrance to the space, for example via a wired connection.
Cloud key provisioning system 3 has a backend system 6, a first system 7 and a second system 8. Backend system 6 is communicatively connected to first system 7 and second system 8.
Backend system 6 is configured for generating the first and second keys to be provisioned over respective different key provisioning paths I and II. Backend system 6 provides an API to the second system 8 to provide the second key in accordance with an identifier presented from the second system 8 as will be explained below in further detail. To this end, backend system 6 applies a link table to link the received identifier from the second system 8 to the appropriate control module 2A-2C.
First system 7 may be an internet of things (IoT) platform, e.g. a Microsoft Azure IoT Hub. The first system 7 connects to the plurality of gateway devices 5 and is configured for checking, configuring and supporting the operation of the gateway devices 5. In one embodiment, first system 7 may be used to manipulate the time interval applied by one or more control modules 2A-2C for responding to the second key.
It should be noted that the first system 7 may also be connected directly to the plurality of control modules 2A-2C. In one embodiment, the control modules 2A-2C are connected directly to the cloud key provisioning system 3 over a 5G telecommunications network.
Second system 8 may comprise a portal for users to define user rights and may also comprise a communicative connection with handheld user devices 4 over key provisioning path 4. The second system 8 hosts a user rights system wherein user rights can be defined in order to, for example, assign entrance rights to users. In the second system, various information may be registered, such as identification of one or more user devices 4 that will be used for entering the space, addresses where the control modules 2A-2C are located, locations (e.g. LAT/LON coordinates) of the control modules and other preferences.
FIG. 4A shows a time diagram 400 illustrating several steps in operating the system 1 of FIG. 3 with respect to control module 2B. It is assumed that the portal 8 has stored a user profile for the control modules 2A-2C for a particular user.
Prior to use, in step 401, the control module 2B is initialized by sending a first key from cloud system 3 to control module 2B. To that end, the last first key generated by backend system 6 is provided as an initialization key to IoT Hub 7, which transmits the initialization key to gateway 5, which sends the initialization key to control module 2B. Control module 2B stores the initialization key, or a part thereof, such as the time stamp, and uses this time stamp for verifying the next first and/or second key received over the first resp. second interface.
At some later point in time, a user with handheld device 4 enters into the area B. A key request signal is transmitted in step 402 from handheld device 4 to the second system 8 over a telecommunications network. Transmission of the key request signal may occur in various ways.
The user of handheld device 4 may open an app on handheld device 4 that presents a user interface with various entrances of areas A, B and C. Since the user desires to access the entrance of area B, he or she interacts with the user interface to express this desire. The key request signal contains an identifier for this entrance that is fed from the second system 8 to the backend system 6 over an API provided for this purpose to the second system 8. The backend system 6 contains information linking the identifier to the control module 2B.
The key request signal of step 402 may also be generated automatically using for example geofencing or beacon technology.
In one example, control module 2B transmits a beacon signal using means 23 specific for control means 2B and the handheld device 4 transmits the key request signal containing the identifier for the entrance.
In response to receiving the key request signal from second system 8, the backend system 6 generates a key to provide the key as a first key over the first key provision path I and as a second key over the second key provision path II.
In one embodiment, the key may comprise a plurality of parts.
Keys may consist of 10-50 bytes.
Longer keys may be applied as well, e.g. 124 bytes for a Bluetooth 5 environment.
One example of a key is shown in the below table.
| Character | Bytes | Description | Example |
|---|---|---|---|
| | | Facility Identifier | |
| | | Room (major/minor) | 01-01 |
| 7-14 | 8 | Timestamp in ticks | 08-D3-A7-43-A0-36-FB-D7 |
| 15-19 | | | 00-82-78-AE |

Characters 1-6 uniquely identify the communication module 2B so that neighboring communication modules 2A and 2C would not respond to the key.
The purpose of the time stamp is to make sure that the same key is not used twice (replay attacks). The hash serves as a validity value to determine the integrity of the key.
The hash is calculated over e.g. the first 14 bytes.
A more extended key has the following structure:

| Character | Bytes | Description | Example |
|---|---|---|---|
| | | Facility Identifier | |
| | | Room (major/minor) | 01-01 |
| 9-16 | 8 | Timestamp in ticks | 08-D3-A7-43-A0-36-FB-D7 |
| 17-18 | | Expiration time | |
| 19-26 | | | 00-00-00-00 |
| 27-34 | | | 00-82-78-AE |

In addition to the characters mentioned in the previous table, the extended key contains an expiration time that may be used by a control module 2 to set the time interval during which the control module is receptive for the second key.
Such an expiration time may e.g. be applied when cloud system 3 is time-synchronized with the control modules 2. The user data field comprises a user identifier that can be used by other portals of other parties than the key provisioning party.
Other fields can be added to the key, such as position information for the control module 2 and personalization information.
In step 403, backend system 6 sends the first key to IoT Hub 7 that provides the first key over the first communication path I to the gateway device 5. Gateway device 5 determines from characters 1-6 that the first key is intended for control module 2B.
Gateway device 5 forwards the key to control module 2B in step 404.
Process 405 illustrates the processing in the control module 2B which is described in further detail with reference to FIG. 5 below.
In step 406, the gateway device 5 transmits an acknowledgement signal back to cloud system 3, more in particular to IoT Hub 7. IoT Hub 7 informs backend system 6 so that backend system 6 provides the key as second key to the second system 8. Second system 8 transmits the second key over a telecommunications system to handheld device 4 in step 407.
In step 408, the handheld device 4 broadcasts the second key using a short-range communication technology such as BLE. The second key may be accepted by the control module 2B dependent on the process 405 as will now be described with reference to FIG. 5.
FIG. 5 is a schematic illustration of a matching process 500 performed by a control module 2B in the system of FIG. 3.
In step 501, the control module 2B parses the control module identifier part of the first key received from the gateway device 5 in step 404 of FIG. 4. The control module identifier (e.g. constituted by the characters 1-6 of the first key) signals whether the piece of information that is received from the gateway device 5 is a key intended for control module 2B. If this is correct (i.e. the key is not intended for control modules 2A and 2C), the control module 2B triggers the start of a time interval T (as indicated in the time diagram of FIG. 4) in step 502. The duration of time interval T may be programmed in the control module and triggered by the receipt of the first key or may be obtained from the first key itself (e.g. from the expiration time field in characters 17-18 in the above table). The start of the time interval may also be at a different point in time, e.g. when steps 503 and/or 504 have been performed.
In step 503, the control module 2B checks the validity of the first key based on a validation value. This verification can be done by applying a hash function to the first key based on characters in the key (see tables).
As a next step 504, the control module 2B may verify whether the time stamp in the first key is later than the time stamp of a previous first key. As mentioned above, the control module 2 may receive an initial first key during initialization of the control module 2B to enable time stamp comparison for the first entry by the user.
The new first key, or at least the time stamp thereof, may be stored in the control module 2B as a last valid key after the key matching process has been performed successfully.
During the time interval T, the control module 2B is receptive to a second key received from a handheld user device 4 over a different communication path as shown in step 408 in FIG. 4. As mentioned above, the receipt of the first key by the control module 2B was triggered by the same handheld user device 4 transmitting the key request signal in step 402 of FIG. 4.
When the second key is received in step 505 during the time interval T, the second key is verified as well by parsing the second key first for the control module identifier (step 506), performing the integrity verification process (step 507) and verifying (step 508) the time stamp against the time stamp of a previously stored last valid key.
As a final step, the key sequences may be compared to verify that the first key and the second key are identical. This is shown in step 509. When the first and second key are found to match, the access allow signal may be generated by control module 2B as shown by step 510. At this stage, the time stamp of the first key verified in steps 501-504 will be stored as a last valid key for checking time stamps (steps 504 and/or 508) in a next matching process 500. Although some of the steps are drawn in parallel in FIG. 5 to reflect that the steps are performed simultaneously for both the first key and the second key, the steps may be performed sequentially and in another order.
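The matching process 500 can be sketched as follows. This is an added example, not code from the patent: the 18-byte layout (6-byte module identifier, 8-byte big-endian time stamp, 4-byte check value over the first 14 bytes), the use of truncated SHA-256 as the hash, and the names `ControlModule`, `build_key`, `check_value` and `demo` are assumptions, and the sample identifiers are constructed.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

# Assumed layout: module identifier | time stamp in ticks | check value.
ID_LEN, TS_LEN, CHECK_LEN = 6, 8, 4
BODY_LEN = ID_LEN + TS_LEN
KEY_LEN = BODY_LEN + CHECK_LEN


def check_value(body: bytes) -> bytes:
    # Assumption: truncated SHA-256 (the page only says "hash"). An unkeyed
    # digest detects corruption only; it does not authenticate the sender.
    return hashlib.sha256(body).digest()[:CHECK_LEN]


def build_key(module_id: bytes, ticks: int) -> bytes:
    """Backend side (hypothetical helper): one key, sent over both paths."""
    if len(module_id) != ID_LEN:
        raise ValueError("module identifier must be 6 bytes")
    body = module_id + struct.pack(">Q", ticks)
    return body + check_value(body)


class ControlModule:
    def __init__(self, module_id: bytes, init_ticks: int, window_s: float = 4.0):
        self.module_id = module_id
        self.last_valid_ticks = init_ticks  # from the initialization key (step 401)
        self.window_s = window_s            # time interval T
        self._pending: Optional[Tuple[bytes, int, float]] = None

    def _verify(self, raw: bytes) -> Optional[int]:
        """Identifier, integrity and time-stamp checks; returns ticks or None."""
        if len(raw) != KEY_LEN:
            return None
        body, check = raw[:BODY_LEN], raw[BODY_LEN:]
        if body[:ID_LEN] != self.module_id:                     # steps 501 / 506
            return None
        if not hmac.compare_digest(check, check_value(body)):   # steps 503 / 507
            return None
        (ticks,) = struct.unpack(">Q", body[ID_LEN:])
        if ticks <= self.last_valid_ticks:                      # steps 504 / 508
            return None
        return ticks

    def receive_first_key(self, raw: bytes, now: float) -> bool:
        ticks = self._verify(raw)
        if ticks is None:
            return False
        self._pending = (raw, ticks, now + self.window_s)       # step 502: start T
        return True

    def receive_second_key(self, raw: bytes, now: float) -> bool:
        """Returns True when the space access allow signal would be generated."""
        if self._pending is None:
            return False  # no first key received: not listening
        first_raw, first_ticks, deadline = self._pending
        if now > deadline:
            self._pending = None
            return False
        if self._verify(raw) is None:
            return False  # window stays open: a neighbouring broadcast must not cancel it
        if not hmac.compare_digest(raw, first_raw):             # step 509
            return False
        self.last_valid_ticks = first_ticks                     # stored as last valid key
        self._pending = None
        return True                                             # step 510


def demo() -> List[bool]:
    mod_b = bytes.fromhex("a1a2a3a40101")  # constructed identifier, room 01-01
    mod_a = bytes.fromhex("a1a2a3a40100")  # constructed neighbouring module
    door = ControlModule(mod_b, init_ticks=1_000)
    key = build_key(mod_b, 2_000)
    late = build_key(mod_b, 3_000)
    return [
        door.receive_first_key(key, now=0.0),                        # accepted, T starts
        door.receive_second_key(build_key(mod_a, 2_000), now=1.0),   # other module: ignored
        door.receive_second_key(key, now=2.0),                       # match inside T
        door.receive_first_key(key, now=3.0),                        # replayed time stamp
        door.receive_first_key(late, now=10.0),                      # new key accepted
        door.receive_second_key(late, now=14.5),                     # T (4 s) has expired
    ]


if __name__ == "__main__":
    print(demo())
```

The time source is passed in as `now` so the window can be exercised deterministically; on a device it would come from a monotonic clock.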
Figure 6 depicts a block diagram illustrating an exemplary processing system according to an embodiment. As shown in figure 6, the processing system 600 may include at least one processor 602 coupled to memory elements 604 through a system bus 606. As such, the processing system may store program code within memory elements 604. Further, the processor 602 may execute the program code accessed from the memory elements 604 via a system bus 606. In one aspect, the processing system may be implemented as a computer that is suitable for storing and/or executing program code. It should be appreciated, however, that the processing system 600 may be implemented in the form of any system including a processor and a memory that is capable of performing the functions described within this specification.
The memory elements 604 may include one or more physical memory devices such as, for example, local memory 608 and one or more bulk storage devices 610. The local memory may refer to random access memory or other non-persistent memory device(s) generally used during actual execution of the program code. A bulk storage device may be implemented as a hard drive or other persistent data storage device. The processing system 600 may also include one or more cache memories (not shown) that provide temporary storage of at least some program code in order to reduce the number of times program code must be retrieved from the bulk storage device 610 during execution.
Input/output (I/O) devices depicted as an input device 612 and an output device 614 optionally can be coupled to the processing system. Examples of input devices may include, but are not limited to, a space access keyboard, a pointing device such as a mouse, or the like. Examples of output devices may include, but are not limited to, a monitor or a display, speakers, or the like. Input and/or output devices may be coupled to the processing system either directly or through intervening I/O controllers.
In an embodiment, the input and the output devices may be implemented as a combined input/output device (illustrated in figure 7 with a dashed line surrounding the input device 612 and the output device 614). An example of such a combined device is a touch sensitive display, also sometimes referred to as a “touch screen display” or simply “touch screen”. In such an embodiment, input to the device may be provided by a movement of a physical object, such as e.g. a stylus or a finger of a person, on or near the touch screen display.
A network adapter 618 may also be coupled to the processing system to enable it to become coupled to other systems, computer systems, remote network devices, and/or remote storage devices through intervening private or public networks. The network adapter may comprise a data receiver for receiving data that is transmitted by said systems, devices and/or networks to the processing system 600, and a data transmitter for transmitting data from the processing system 600 to said systems, devices and/or networks. Modems, cable modems, and Ethernet cards are examples of different types of network adapter that may be used with the processing system 600.
As pictured in figure 6, the memory elements 604 may store an application 618. In various embodiments, the application 618 may be stored in the local memory 608, the one or more bulk storage devices 610, or apart from the local memory and the bulk storage devices. It should be appreciated that the processing system 600 may further execute an operating system (not shown in figure 7) that can facilitate execution of the application 618. The application 618, being implemented in the form of executable program code, can be executed by the processing system 600, e.g., by the processor 602. Responsive to executing the application, the processing system 600 may be configured to perform one or more operations or method steps described herein.
In one aspect of the present invention, one or more components of the cloud system 3 and/or of the handheld user device 4 may represent processing system 600 as described herein.
Various embodiments of the invention may be implemented as a program product for use with a computer system, where the program(s) of the program product define functions of the embodiments (including the methods described herein). In one embodiment, the program(s) can be contained on a variety of non-transitory computer-readable storage media, where, as used herein, the expression “non-transitory computer readable storage media” comprises all computer-readable media, with the sole exception being a transitory, propagating signal. In another embodiment, the program(s) can be contained on a variety of transitory computer-readable storage media. Illustrative computer-readable storage media include, but are not limited to: (i) non-writable storage media (e.g., read-only memory devices within a computer such as CD-ROM disks readable by a CD-ROM drive, ROM chips or any type of solid-state non-volatile semiconductor memory) on which information is permanently stored; and (ii) writable storage media (e.g., flash memory, floppy disks within a diskette drive or hard-disk drive or any type of solid-state random-access semiconductor memory) on which alterable information is stored. The computer program may be run on the processor 602 described herein.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
The corresponding structures, materials, acts, and equivalents of all means or step plus function elements in the claims below are intended to include any structure, material, or act for performing the function in combination with other claimed elements as specifically claimed. The description of embodiments of the present invention has been presented for purposes of illustration, but is not intended to be exhaustive or limited to the implementations in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope of the claims. The embodiments were chosen and described in order to best explain the principles and some practical applications of the present invention, and to enable others of ordinary skill in the art to understand the present invention for various embodiments with various modifications as are suited to the particular use contemplated.
Claims (19)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| NL2024201A NL2024201B1 (en) | 2019-11-08 | 2019-11-08 | Space access control module and remote key provisioning system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| NL2024201B1 true NL2024201B1 (en) | 2021-07-20 |
Family
ID=69375956
Country Status (1)
| Country | Link |
|---|---|
| NL (1) | NL2024201B1 (en) |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1321901A2 (en) * | 2001-12-21 | 2003-06-25 | Kaba AG | Method for controlling access rights to an object |
| US20160035165A1 (en) * | 2011-03-17 | 2016-02-04 | Unikey Technologies Inc. | Wireless access control system and related methods |
| US9710987B2 (en) * | 2014-01-15 | 2017-07-18 | HLT Domestic IP, LLC | Systems and methods for use in acquiring credentials from a portable user device in unlocking door lock systems |
| US20180191889A1 (en) * | 2011-05-02 | 2018-07-05 | The Chamberlain Group, Inc. | Systems and methods for controlling a locking mechanism using a portable electronic device |
| US20180276928A1 (en) * | 2015-09-28 | 2018-09-27 | Moboxi | Hotel facility, system and method |
| US20180322718A1 (en) * | 2016-02-17 | 2018-11-08 | Tencent Technology (Shenzhen) Company Limited | Authorization method, apparatus, and system applied to electronic lock |
2019
- 2019-11-08 NL NL2024201A patent/NL2024201B1/en active
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP6682592B2 (en) | | Time-limited secure access |
| CN110622222B (en) | | Universal Access Control Device |
| EP3259741B1 (en) | | Method and system for credential management |
| CN111324672A (en) | | Block chain safety processing system and method |
| US20170195322A1 (en) | | Entry and exit control method and apparatus, and user terminal and server for the same |
| CN110033534A (en) | | Safety is seamless to enter control |
| CN107079266B (en) | | Method and system for controlling equipment |
| CN103489233A (en) | | Electronic door control system with dynamic password |
| US12323792B2 (en) | | Virtual key sharing system and method |
| US9742784B2 (en) | | Account registration and login method, and network attached storage system using the same |
| CN105118127A (en) | | Visiting system and control method thereof |
| US11869291B2 (en) | | Smart locker with assistance for visually impaired users |
| KR101638585B1 (en) | | entrance system exploiting smart phone |
| NL2004825C2 (en) | | A method of authorizing a person, an authorizing architecture and a computer program product. |
| NL2024201B1 (en) | | Space access control module and remote key provisioning system |
| WO2019037603A1 (en) | | Method and device for carrying out wireless connection pre-authorization for user equipment |
| KR102346761B1 (en) | | Method, device and system for authenticating of user in a cloud environment |
| US20240056306A1 (en) | | Intelligent arrangement of unlock notifications |
| KR20150081387A (en) | | Certification System and Method For User |
| KR101801851B1 (en) | | Method and system for providing two channel OTP authentication service using sonic signal |
| US11778473B2 (en) | | Mobile identification using thin client devices |
| CN208834479U (en) | | Thief-proof code remote controler identification device |
| KR102274066B1 (en) | | Authentication apparatus and method for providing emm service |
| EP3659313B1 (en) | | Using received audio identifications for access control |
| KR20150134298A (en) | | Certification Method For User |