EP3208777A1 - Control panel, use, and process for the manufacture thereof - Google Patents
- Publication number
- EP3208777A1 (application EP16155889.5A)
- Authority
- EP
- European Patent Office
- Prior art keywords
- control panel
- public key
- card reader
- key
- certificate authority
- Legal status
- Withdrawn
Classifications
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00309—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks
- G07C2009/00412—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks, the transmitted data signal being encrypted
- G07C9/00571—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated by interacting with a central unit
- G07C9/00944—Details of construction or manufacture
Abstract
controlling, based on the access profiles, front ends using the control panel (10), operating the control panel (10) using a user interface, and
storing on the control panel (10) parameters, master and transactional data based on the controlling and operating, and
further storing on the control panel (10) cryptographic keys (51, 61) associated with the control panel (10), wherein the front ends are controlled securely using the cryptographic keys (51, 61).
Description
- The invention pertains to the field of security engineering, particularly physical security.
- Throughout the above-mentioned field, physical security describes any security measure that is designed to protect personnel or property from damage or harm. More specifically, access control is the selective restriction of access to facilities, equipment, and other physical resources. State-of-the-art electronic access control systems manage large user populations, controlling for user lifecycles, times, dates, and individual access points.
- In this context, by "control panel" is meant any electronics panel that can interface with or control access to control system field devices such as credential readers, electrified locks, door position switches, and request-to-exit devices. An overview of such panels and associated networks is provided in NORMAN, Thomas L. Electronic Access Control. 1st edition. Oxford: Butterworth-Heinemann, 2012. ISBN 0123820286. pp. 221-239.
- A system for physical access control is disclosed in US 8881252 B (BRIVO SYSTEMS, INC.) 04.11.2014 and includes, inter alia, a conventional control panel.
- The invention aims to provide an improved concept of physical access control.
- A downside of conventional concepts lies in their sometimes inadequate level of security.
- The problem is solved by the features recited in Claim 1.
- Using a control panel according to Claim 1 bears the advantage that control commands and particulars may be exchanged in a cryptographically secure manner. To this end, key material may be bound to the secure hardware of the main device in a non-exportable fashion, mitigating the risk of keys being extracted and protecting them from eavesdropping and unauthorized use.
- The added features of Claim 2 enable a local web service to be used as a communication handler, offering various standard protocols for communicating with arbitrary host systems. Also, by maintaining an additional local web server, any functional parameters required for operating the panel may be accessed through the device's configuration homepage.
- A method according to Claim 3, assuming the use of a sufficient key length, is advantageously prepared for data privacy protection as may be required by national regulations such as the German Federal Data Protection Act or United States Privacy Act. These and other rules or codes govern the collection, maintenance, use, or dissemination of personally identifiable information about individuals and are thus applicable to master data such as access profiles.
- An embodiment according to Claim 4 eliminates the need for an impractical and potentially insecure pre-distribution of cryptographic keys to control panel and front ends, as would be required in a traditional symmetric cryptosystem.
- Claim 5, by means of a digital certificate, serves to prevent an attacker from "impersonating" a legitimate control panel, an approach commonly referred to in the art as a man-in-the-middle attack.
- The subject matter of Claim 6 proves especially useful in the scenario where control panel and card readers are supplied by different vendors devoid of a joint public-key infrastructure.
- By introducing a superordinate link to these independent chains of trust, Claim 7 consolidates the control panel and its associated card readers into a single on-site infrastructure.
- Claim 9, essentially implementing a Diffie-Hellman key exchange between the control panel and its front ends, caters to the usually limited processing resources of conventional card readers by enabling the use of a session key that may be employed, for instance, throughout an entire power cycle.
- A method as recited in Claim 10 allows for a central configuration of the control panel by means of a securely connected host system.
- Finally, the features of Claim 11 define an alternative process of bringing the control panel into service that does not rely on a centralized infrastructure.
- Figure 1 is a block diagram of a control panel according to an embodiment of the invention.
- Figure 2 is a block diagram of a mainboard.
- Figure 3 is a block diagram of a first baseboard.
- Figure 4 is a block diagram of a second baseboard.
- Figure 5 is a deployment diagram of cryptographic keys throughout a public key infrastructure.
- Figure 6 to Figure 8 are sequence diagrams of the interaction between the control panel and associated card readers.
- Figure 1 is an overview of a control panel (10) for physical access control according to an embodiment of the invention. In this embodiment, the control panel (10) is composed of a main device (11), which serves to control an arbitrary number of conventional front ends such as card readers, and an add-on module (17), which basically serves to attach a limited number of those front ends to the main device (11). Physically, the main device (11) and add-on module (17) are adapted to be mounted on a joint DIN rail or side by side on a wall.
- The main device (11) essentially consists of a generic first baseboard (18), an application-specific mainboard (12) carried by the first baseboard (18), and a user interface (13) connected to the mainboard (12), the user interface (13) of the present embodiment comprising light-emitting diodes (35), buttons (36), and an optional liquid-crystal display (37). The add-on module (17) comprises a second baseboard (19), the mainboard (12) and second baseboard (19) each being connected to the first baseboard (18) through an interface (20) and a power supply (21, 33).
- Figure 2 elucidates the mainboard (12) in further detail. As may be gathered from this drawing, the mainboard (12) comprises a quad-core central processing unit (14) based on a reduced instruction-set computing (RISC) architecture, 1 GB of random-access memory (42) connected to the central processing unit (14) through a memory bus (43), and an additional 8 GB of flash memory (15) connected to the central processing unit (14) for storing master data such as access profiles, miscellaneous operating parameters, and transactional data such as entry or exit events.
- The mainboard (12), based on the aforementioned specifications, is prepared to operate an Android system (as maintained by Google Inc., a subsidiary of Alphabet Inc.), manage said parameters and data using a relational database management system (RDBMS), and even host a web service for configuring the access profiles through a host system (78), web browser, or application-specific client. As a consequence, the control panel (10) is sufficiently equipped for the advanced analytics required to, for instance, detect conspicuous usage or attempts at tampering, or to collect forensic evidence in case of a security breach.
- The mainboard (12) further comprises a secure element (16, 44) connected to the central processing unit (14) for storing cryptographic keys, which in the present embodiment are used both to authenticate the control panel (10) to its front ends as well as to encrypt the entire database or file system maintained in flash memory (15). On the mainboard (12) at hand, the secure element (16, 44) takes the form of an integrated circuit (16) brazed to the mainboard (12). Specifically, a trusted platform module (TPM) microcontroller as specified in ISO/IEC 11889 offers a particularly powerful cryptoprocessor. However, an alternative may make use of an optional subscriber identity module (44) as defined by the 3rd Generation Partnership Project (3GPP).
- In a preferred embodiment, the subscriber identity module (44) may take the form of a Java Card as specified by Oracle Corporation. Specifically, the module (44) may be based on the Java Card OpenPlatform (JCOP) serviced by NXP Semiconductors, include a memory chip model trademarked by NXP as MIFARE, and feature MIFARE DESFire EV1 emulation as a proprietary Java Card API extension. Corresponding contactless services are specified by Amendment C to the GlobalPlatform (GP) 2.2.1 architectural component of the JCOP.
- The mainboard (12) further comprises, inter alia, an Ethernet physical transceiver (30) connected to the central processing unit (14) through a media-independent interface (31), an embedded low-energy Bluetooth and Wi-Fi module (40) connected to the central processing unit (14) through a secure digital input/output (41) interface (20), and a short-range radio frequency module (38) connected to the central processing unit (14) through a universal asynchronous receiver/transmitter (39). The latter components enable radio-frequency identification (RFID) by the service technician using a smartcard preloaded with digital certificates, e.g., according to the established X.509 standard. As an alternative, such certificates may be transmitted to the module (38) by means of a conventional smartphone through near-field communication (NFC). Either way, the transfer of keys in a hosted environment or a manual confirmation may be considered dispensable.
- Preferably, the low-energy Bluetooth module (40) supports the iBeacon protocol standardized by Apple Inc., taking the form of a so-called beacon. Based on such a transmitter, the mainboard (12) may be adapted to broadcast its identifier to nearby portable electronic devices such as smartphones and tablets. Using a compatible app and operating system, maintenance personnel can thus be guided indoors to the approximate location of a specific control panel (10).
- Figure 3 depicts the first baseboard (18). Aside from a power converter (32) feeding the power supply (21, 33) and sourcing its power over Ethernet (34), the first baseboard (18) most notably comprises a tamper detector (22) connected to the mainboard (12) through a general-purpose input/output (23). In the present embodiment, the tamper detector (22) serves a two-fold purpose: while physical intrusion into the main device (11) will trigger a first type of event, an integrated absolute position transducer and acceleration sensor will trigger a second type of event. Such discrimination enables the security administrator to configure a distinct action to be performed in response to each of the two events.
- Similarly, now referencing Figure 4, the second baseboard (19), for each of its attachable front ends, comprises an RS-485 transceiver (25), connected to the first baseboard (18) through a serial network bus (26), as well as two air-gap switches (27, 28) connected to the first baseboard (18) through an inter-integrated circuit (29).
- Figure 5, now focusing on the functional rather than structural aspects of the proposed concept, defines a preferred allocation of the aforementioned keys to implement an asymmetric cryptosystem between the control panel (10) and a front end taking the form of a card reader (46). Accordingly, the cryptographic keys (51, 61) comprise a first private key (51) and a first public key (61). The control panel (10) further stores a digital certificate (55) of said first public key (61) signed (50) by a control-panel certificate authority (47). A second private key (52) and a second public key (62) are associated with and stored on the control-panel certificate authority (47) itself.
- Correspondingly, the card reader (46) stores a third private key (53), a third public key (63), and a digital certificate (56) of the third public key (63) signed (50) by an additional front-end certificate authority (48). The front-end certificate authority (48) in turn stores its own fourth private key (54) and fourth public key (64).
- Adding a further level of security to the hierarchy of nodes, the control-panel certificate authority (47) stores a digital certificate of the second public key (62) while the front-end certificate authority (48) stores a digital certificate of the fourth public key (64). These digital certificates of the second (62) and fourth (64) public keys are themselves each signed (50) by a trusted root certificate authority (49).
- In the somewhat simplified embodiment of
Figure 6 , a single root certificate authority (49) takes the roles of both the control-panel certificate authority (47) and the front-end certificate authority (48) recited in the context ofFigure 5 . During manufacture (57) of the control panel (10), this certificate authority (49)
generates (59) the first private key (51) and the first public key (61) before signing (60) the digital certificate (55) of the first public key (61). It then transmits (65, 66) this digital certificate (55) to the control panel (10) along with the actual first private key (51) and the first public key (61), receiving from the control panel (10) a checksum (67) etc. in return. - Similarly, the certificate authority (49) generates (68) the
third private key (53) and the third public key (63), signs (60) the digital certificate (56) of the third public key (63), then transmitting (65) the digital certificate (56) as well as the third private key (53) and the third public key (63) to the card reader (46) and expecting a further checksum (67) etc. as confirmation of receipt. - Upon rollout, the control panel (10) scans (69) the local network for card readers (46) by broadcasting the first public key (61) on the network. Now in possession of the control panel's public key (61), the
card reader (46) thus discovered first authenticates (70) the
control panel (10) via the root certificate authority (49). The card reader (46) then sends (71) its own third public key (63) to the control panel (10), which in turn authenticates (70) the card reader (46) in the same fashion. - Once authenticated, the control panel (10) generates (72) a symmetric key, encrypts (73) it using the third public key (63), and sends (74) the encrypted symmetric key to the card reader (46). The latter may now decrypt the symmetric key using the third private key (53), allowing
the control panel (10) and the card reader (46) to communicate (76) using the symmetric key throughout their remaining power cycle. - According to
Figure 7 , a service technician (77), to bring the
control panel (10) into service, initiates the installation (79) and configuration. In this extended use case however, the control panel (10) first authenticates to the associated host system (78) and vice versa. Only after successful installation (79) has been confirmed (81) to her, the
service technician (77) initiates the installation (79) and configuration of the card reader (46). Now, similar to the rollout phase ofFigure 6 , the card reader (46) and the control panel (10) mutually authenticate (80) before the former again confirms (81) successful completion of the installation (79) to the service technician (77). - Lastly,
Figure 8 illustrates the option of a local key exchange as opposed to the use of a public key infrastructure. In this scenario, as soon as the service technician (77) initiates installation (79) of the control panel (10), the latter scans (69) the local network for new card readers (46). Thus discovered, the card reader (46) again sends (71) the third public key (63) to the control panel (10). Now, as opposed to the embodiments outlined above, the control panel (10) computes (82) a hash of said
third public key (63), then displaying (83) the hash - for instance, on the user interface of the control panel (10) or by means of an independent app - and prompting (84) the service technician (77) to check the hash against the card reader (46). - Once the service technician (77) confirms (85) the hash to the control panel (10), the panel encrypts (86) the first public key (61) using the third public key (63), sending (87) the encrypted first public key (61) to the card reader (46). The card reader (46), on its part, decrypts (88) the first public key (61) using the third private key (53) and is now prepared to encrypt (89) its own outgoing data using the first public key (61) and send (90) the encrypted data to the control panel (10), finally causing the latter to confirm (81) its installation (79) to the service technician (77).
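The certificate hierarchy of Figure 5 and the rollout of Figure 6, worked through as an added example; this is not code from the patent or from any product, and Go's standard library is used because it ships X.509 chain validation, RSA-OAEP and ECDSA without dependencies. The example follows the simplified Figure 6 embodiment with one root certificate authority (49); the two intermediate authorities (47, 48) of Figure 5 would be added to the `Intermediates` pool of `x509.VerifyOptions`. Everything else is the example's own assumption rather than the patent's: an ECDSA P-256 root and first key pair (51, 61), an RSA-2048 third key pair (53, 63) so that the symmetric key (72) can be wrapped with RSA-OAEP as step (73) requires, a 256-bit session key, a five-year certificate validity, and the names `device`, `template`, `provision`, `authenticate`, `rollout` and `setup`. One step is added that the text does not spell out: a valid chain to the root (70) proves only that the CA vouched for a public key, not that whoever sent it holds the private key, so the panel also signs the reader's challenge together with the wrapped key, and the reader checks that signature against the certified first public key before unwrapping.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// device is what manufacture (57) leaves on a panel or reader: private key (51 / 53) and certificate (55 / 56).
type device struct {
	key     crypto.Signer
	certDER []byte
}

func template(serial int64, cn string, isCA bool, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{ // validity period is an assumption of the example
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(5, 0, 0),
		IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: ku,
	}
}

// newRootCA plays the single root certificate authority (49) of Figure 6.
func newRootCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	t := template(1, "Root CA (49)", true, x509.KeyUsageCertSign)
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// provision is the manufacturing step: the CA signs (60) a certificate for the key it generated (59 / 68) and hands both to the device (65, 66).
func provision(serial int64, cn string, key crypto.Signer, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*device, error) {
	t := template(serial, cn, false, x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment)
	der, err := x509.CreateCertificate(rand.Reader, t, ca, key.Public(), caKey)
	return &device{key: key, certDER: der}, err
}

// authenticate is step (70): the peer's certificate must chain to the root CA (49).
func authenticate(peerCertDER []byte, root *x509.Certificate) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(peerCertDER)
	if err != nil { return nil, err }
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return cert, err
}

// rollout runs the Figure 6 exchange; it returns the session key as generated by the panel (72) and as recovered by the reader (75).
func rollout(panel, reader *device, root *x509.Certificate) ([]byte, []byte, error) {
	panelCert, err := authenticate(panel.certDER, root) // (69) broadcast, (70) on the reader
	if err != nil { return nil, nil, fmt.Errorf("reader rejects panel: %w", err) }
	readerCert, err := authenticate(reader.certDER, root) // (71) reply, (70) on the panel
	if err != nil { return nil, nil, fmt.Errorf("panel rejects reader: %w", err) }
	readerPub := readerCert.PublicKey.(*rsa.PublicKey) // RSA by construction (see setup), needed for key transport
	nonce, sessionKey := make([]byte, 16), make([]byte, 32) // reader's challenge; (72) session key
	for _, b := range [][]byte{nonce, sessionKey} { rand.Read(b) }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, readerPub, sessionKey, nil) // (73)
	if err != nil { return nil, nil, err }
	// Added to the patent flow: the panel signs nonce||wrapped with the first private key (51), proving possession.
	signed := append(append([]byte{}, nonce...), wrapped...)
	digest := sha256.Sum256(signed)
	sig, err := panel.key.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil { return nil, nil, err }
	if err := panelCert.CheckSignature(x509.ECDSAWithSHA256, signed, sig); err != nil { return nil, nil, fmt.Errorf("proof of possession failed: %w", err) } // (74)
	// (75) the reader unwraps with the third private key (53); (76) both sides now share the key.
	readerKey, err := rsa.DecryptOAEP(sha256.New(), nil, reader.key.(*rsa.PrivateKey), wrapped, nil)
	return sessionKey, readerKey, err
}

// setup performs manufacture (57) of one panel and one reader under one root CA.
func setup() (panel, reader *device, root *x509.Certificate, err error) {
	root, rootKey, err := newRootCA()
	if err != nil { return nil, nil, nil, err }
	panelKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // (59) first key pair
	if err != nil { return nil, nil, nil, err }
	readerKey, err := rsa.GenerateKey(rand.Reader, 2048) // (68) third key pair
	if err != nil { return nil, nil, nil, err }
	if panel, err = provision(2, "control panel (10)", panelKey, root, rootKey); err != nil { return nil, nil, nil, err }
	reader, err = provision(3, "card reader (46)", readerKey, root, rootKey)
	return panel, reader, root, err
}

func main() {
	panel, reader, root, err := setup()
	if err != nil { panic(err) }
	a, b, err := rollout(panel, reader, root)
	fmt.Println("session key agreed:", err == nil && string(a) == string(b), err)
}
```

`setup` is the manufacturing side (57) and `rollout` the field exchange (69) to (76); a reader whose certificate was issued by an unrelated CA fails in `authenticate` before any key material is sent. In the described device the private keys would sit in the secure element (16) rather than in a Go struct, and since the text limits the symmetric key to the remaining power cycle, a fresh `rollout` after every power-up is what gives the reader a new key.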
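The local key exchange of Figure 8, again as an added example in Go and not code from the patent or any product: the panel hashes (82) the third public key it received, shows (83) the fingerprint, and continues with steps (86) to (90) only once the technician has confirmed (85) that it matches what the reader itself shows. The example's assumptions: both key pairs are RSA so that step (89), encrypting data under the first public key, maps directly onto RSA-OAEP; the reader's key is 3072 bits because a 2048-bit OAEP block (190 bytes with SHA-256) cannot carry the 294-byte DER encoding of a 2048-bit public key that step (86) wraps; the fingerprint is SHA-256 over the DER SubjectPublicKeyInfo, shown as colon-separated hex; the function names are the example's own, and the card event is constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"strings"
)

// fingerprint is step (82): SHA-256 over the DER-encoded public key, rendered (83)
// as colon-separated hex so that a technician can read it from the panel's display.
func fingerprint(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	hexBytes := make([]string, len(sum))
	for i, b := range sum {
		hexBytes[i] = fmt.Sprintf("%02X", b)
	}
	return strings.Join(hexBytes, ":"), nil
}

// localKeyExchange runs Figure 8 once a reader has sent (71) a public key: offeredPub is the
// key that arrived over the network, shownByReader the fingerprint the reader itself presents
// and the technician compares with the panel's display (84, 85). It returns the data the reader
// then encrypted (89) under the first public key and the panel decrypted with its private key.
func localKeyExchange(panelPriv, readerPriv *rsa.PrivateKey, offeredPub *rsa.PublicKey, shownByReader string, data []byte) ([]byte, error) {
	displayed, err := fingerprint(offeredPub) // (82), (83)
	if err != nil {
		return nil, err
	}
	if displayed != shownByReader { // (85) not confirmed: stop before trusting the offered key
		return nil, errors.New("fingerprint mismatch: the key offered on the network is not the reader's")
	}
	// (86) the panel encrypts the first public key (61) under the confirmed third public key (63).
	firstPubDER, err := x509.MarshalPKIXPublicKey(&panelPriv.PublicKey)
	if err != nil {
		return nil, err
	}
	wrappedPub, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, offeredPub, firstPubDER, nil) // (87)
	if err != nil {
		return nil, err
	}
	// (88) the reader decrypts with the third private key (53) and parses the first public key.
	der, err := rsa.DecryptOAEP(sha256.New(), nil, readerPriv, wrappedPub, nil)
	if err != nil {
		return nil, err
	}
	parsed, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, err
	}
	firstPub := parsed.(*rsa.PublicKey) // RSA by construction in this example
	// (89) the reader encrypts its data under the first public key and (90) sends it; the panel reads it with (51).
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, firstPub, data, nil)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), nil, panelPriv, ct, nil)
}

// demo runs the genuine exchange, then a substitution attempt: another key is offered on the network while the reader still shows its own fingerprint.
func demo() (roundTripOK, substitutionDetected bool, err error) {
	panelPriv, err := rsa.GenerateKey(rand.Reader, 2048) // first key pair (51, 61)
	if err != nil {
		return false, false, err
	}
	// Third key pair (53, 63): 3072 bits, so that one OAEP block (318 bytes with SHA-256)
	// can carry the 294-byte DER encoding of the 2048-bit first public key in step (86).
	readerPriv, err := rsa.GenerateKey(rand.Reader, 3072)
	if err != nil {
		return false, false, err
	}
	shown, err := fingerprint(&readerPriv.PublicKey) // what the reader itself displays
	if err != nil {
		return false, false, err
	}
	event := []byte("constructed sample: card UID 04A37F22 presented at door 1")
	got, err := localKeyExchange(panelPriv, readerPriv, &readerPriv.PublicKey, shown, event)
	if err != nil {
		return false, false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // a key substituted on the network
	if err != nil {
		return false, false, err
	}
	_, err = localKeyExchange(panelPriv, readerPriv, &other.PublicKey, shown, event)
	return string(got) == string(event), err != nil, nil
}

func main() {
	ok, detected, err := demo()
	fmt.Println("round trip:", ok, "substitution detected:", detected, "err:", err)
}
```

The second run inside `demo` offers a different key on the network while the reader still shows its genuine fingerprint, which is the case the hash check exists for: the panel has to refuse before it encrypts anything under the offered key. Two practical consequences follow from the text: the hash shown must be computed over exactly the bytes that step (86) will encrypt to, and the technician must compare the full value rather than a few leading digits.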
- First and foremost, the invention is applicable throughout the security industry.
- Similar reference signs denote corresponding features consistently throughout the attached drawings:
Reference sign | Feature |
---|---|
10 | Control panel |
11 | Main device |
12 | Mainboard |
13 | User interface |
14 | Central processing unit (CPU) |
15 | Flash memory |
16 | Secure element (brazed) |
17 | Add-on module |
18 | First baseboard |
19 | Second baseboard |
20 | Interface |
21 | Internal system supply |
22 | Tamper detector |
23 | General-purpose input/output |
24 | For each front end |
25 | RS-485 transceiver and termination |
26 | Universal serial bus |
27 | First air-gap switch |
28 | Second air-gap switch |
29 | Inter-integrated circuit (I2C) |
30 | Ethernet physical transceiver (PHY) |
31 | Media-independent interface |
32 | DC/DC power converter |
33 | Supply for reader, door opener and add-on modules |
34 | Power over Ethernet plus (PoE+) |
35 | Light-emitting diode (LED) |
36 | Button |
37 | Liquid-crystal display (LCD) |
38 | Short-range radio frequency (RF) module |
39 | Universal asynchronous receiver/transmitter (UART) |
40 | Wireless-fidelity (Wi-Fi) module |
41 | Secure digital input/output (SDIO) |
42 | DDR3 random-access memory (RAM) |
43 | DDR3 memory bus |
44 | Subscriber identity module (SIM) |
45 | Module bus connector |
46 | Card reader |
47 | Panel certificate authority |
48 | Reader certificate authority |
49 | Root certificate authority |
50 | Signed |
51 | First private key |
52 | Second private key |
53 | Third private key |
54 | Fourth private key |
55 | Digital certificate of first public key |
56 | Digital certificate of third public key |
57 | Manufacture |
58 | Operation |
59 | Generation of first private key and first public key |
60 | Signing of digital certificate by root certificate authority |
61 | First public key |
62 | Second public key |
63 | Third public key |
64 | Fourth public key |
65 | Transmission of digital certificate |
66 | Transmission of private key and public key |
67 | At least checksum |
68 | Generation of third private key and third public key |
69 | Scan of local network for card reader |
70 | Authentication via root certificate authority |
71 | Transmission of third public key from card reader to control panel |
72 | Generation of symmetric key |
73 | Encryption of symmetric key using third public key |
74 | Transmission of encrypted symmetric key from control panel to card reader |
75 | Decryption of symmetric key using third private key |
76 | Communication between control panel and card reader using symmetric key |
77 | Service technician |
78 | Host system |
79 | Initiation of installation |
80 | Mutual authentication |
81 | Confirmation of integration and installation |
82 | Computation of hash of third public key |
83 | Display of hash |
84 | Prompt to check hash against card reader |
85 | Confirmation of hash |
86 | Encryption of first public key using third public key |
87 | Transmission of encrypted first public key from control panel to card reader |
88 | Decryption of first public key using third private key |
89 | Encryption of data using first public key |
90 | Transmission of encrypted data from card reader to control panel |
- The following literature is cited throughout this document.
- NORMAN, Thomas L. Electronic Access Control. 1st edition. Oxford: Butterworth-Heinemann, 2012. ISBN 0123820286. pp. 221-239.
Claims (15)
1. Method of physical access control using a control panel (10), comprising
    storing access profiles on the control panel (10),
    controlling, based on the access profiles, front ends using the control panel (10),
    operating the control panel (10) using a user interface, and
    storing on the control panel (10) parameters, master and transactional data related to the controlling and operating,
    characterized in further storing on the control panel (10) cryptographic keys (51, 61) associated with the control panel (10), wherein the front ends are controlled securely using the cryptographic keys (51, 61).
2. Method according to Claim 1, characterized in hosting on the control panel (10) a web service for configuring the access profiles using the cryptographic keys (51, 61).
3. Method according to Claim 1 or Claim 2, characterized in encrypting the parameters, master and transactional data using the cryptographic keys (51, 61).
4. Method according to any of the preceding claims, characterized in that the cryptographic keys (51, 61) comprise a first private key (51) and a first public key (61), wherein the front ends are controlled using an asymmetric cryptosystem.
5. Method according to any of the preceding claims, characterized in further storing on the control panel (10) a digital certificate (55) of the first public key (61) signed (50) by a control-panel certificate authority (47), wherein the control-panel certificate authority (47) stores a second private key (52) and a second public key (62) associated with the control-panel certificate authority (47).
6. Method according to Claim 5, characterized in storing on a card reader (46) among the front ends a third private key (53), a third public key (63), and a digital certificate (56) of the third public key (63) signed (50) by a front-end certificate authority (48), wherein the front-end certificate authority (48) stores a fourth private key (54) and a fourth public key (64) associated with the front-end certificate authority (48).
7. Method according to Claim 6, characterized in storing on the control-panel certificate authority (47) a digital certificate of the second public key (62) and storing on the front-end certificate authority (48) a digital certificate of the fourth public key (64), wherein the digital certificates of the second public key (62) and of the fourth public key (64) are each signed (50) by a root certificate authority (49).
8. Method according to Claim 6, characterized in that the control-panel certificate authority (47) and the front-end certificate authority (48) are one and the same root certificate authority (49).
9. Method according to Claim 8, characterized in that
    the control panel (10) scans (69) a local network for the card reader (46) by broadcasting the first public key (61) on the network,
    the card reader (46) authenticates (70) the control panel (10) via the root certificate authority (49),
    the card reader (46) sends (71) the third public key (63) to the control panel (10),
    the control panel (10) authenticates (70) the card reader (46) via the root certificate authority (49),
    the control panel (10) generates (72) a symmetric key,
    the control panel (10) encrypts (73) the symmetric key using the third public key (63),
    the control panel (10) sends (74) the encrypted symmetric key to the card reader (46),
    the card reader (46) decrypts (75) the symmetric key using the third private key (53), and
    the control panel (10) and the card reader (46) communicate (76) using the symmetric key.
10. Method according to any of Claim 6 to Claim 9, characterized in that, to bring the control panel (10) into service,
    a service technician (77) initiates an installation (79) and configuration of the control panel (10),
    the control panel (10) and a host system (78) mutually authenticate (80),
    the control panel (10) confirms (81) the installation (79) to the service technician (77),
    the service technician (77) initiates the installation (79) and configuration of the card reader (46),
    the card reader (46) and the control panel (10) mutually authenticate (80), and
    the card reader (46) confirms (81) the installation (79) to the service technician (77).
11. Method according to any of Claim 6 to Claim 8, characterized in that, to bring the control panel (10) into service,
    a service technician (77) initiates an installation (79) of the control panel (10),
    the control panel (10) scans (69) a local network for the card reader (46),
    the card reader (46) sends (71) the third public key (63) to the control panel (10),
    the control panel (10) computes (82) a hash of the third public key (63),
    the control panel (10) displays (83) the hash on the user interface,
    the control panel (10) prompts (84) the service technician (77) to check the hash against the card reader (46),
    the service technician (77) confirms (85) the hash to the control panel (10),
    the control panel (10) encrypts (86) the first public key (61) using the third public key (63),
    the control panel (10) sends (87) the encrypted first public key (61) to the card reader (46),
    the card reader (46) decrypts (88) the first public key (61) using the third private key (53),
    the card reader (46) encrypts (89) data using the first public key (61),
    the card reader (46) sends (90) the encrypted data to the control panel (10), and
    the control panel (10) confirms (81) the installation (79) to the service technician (77).
12. Control panel (10) comprising means for carrying out a method according to any of Claim 6 to Claim 11.
13. Process for the manufacture (57) of the control panel (10) according to Claim 12, characterized in
    generating (59) the first private key (51) and the first public key (61),
    signing (60) the digital certificate (55) of the first public key (61),
    transmitting (65) the digital certificate (55) of the first public key (61) to the control panel (10),
    transmitting (66) the first private key (51) and the first public key (61) to the control panel (10),
    receiving from the control panel (10) at least a checksum (67),
    generating (68) the third private key (53) and the third public key (63),
    signing (60) the digital certificate (56) of the third public key (63),
    transmitting (65) the digital certificate (56) of the third public key (63) to the card reader (46),
    transmitting (66) the third private key (53) and the third public key (63) to the card reader (46), and
    receiving from the card reader (46) at least a further checksum (67).
14. Computer program adapted to perform the method according to any of Claim 1 to Claim 11.
15. Computer-readable storage medium (15, 42) comprising the program according to Claim 14.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP16155889.5A EP3208777A1 (en) | 2016-02-16 | 2016-02-16 | Control panel, use, and process for the manufacture thereof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP16155889.5A EP3208777A1 (en) | 2016-02-16 | 2016-02-16 | Control panel, use, and process for the manufacture thereof |
Publications (1)
Publication Number | Publication Date |
---|---|
EP3208777A1 true EP3208777A1 (en) | 2017-08-23 |
Family
ID=55404588
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP16155889.5A Withdrawn EP3208777A1 (en) | 2016-02-16 | 2016-02-16 | Control panel, use, and process for the manufacture thereof |
Country Status (1)
Country | Link |
---|---|
EP (1) | EP3208777A1 (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2003088166A2 (en) * | 2002-04-08 | 2003-10-23 | Corestreet, Ltd. | Physical access control |
US20070094716A1 (en) * | 2005-10-26 | 2007-04-26 | Cisco Technology, Inc. | Unified network and physical premises access control server |
US20080029598A1 (en) * | 2001-12-26 | 2008-02-07 | Vivotech, Inc. | Adaptor for magnetic stripe card reader |
US20080072314A1 (en) * | 2006-09-15 | 2008-03-20 | Tyco Safety Products Canada Ltd. | Method and apparatus for automated activation of a security system |
US20130222107A1 (en) * | 2012-01-20 | 2013-08-29 | Identive Group, Inc. | Cloud Secure Channel Access Control |
US20140282993A1 (en) * | 2013-03-14 | 2014-09-18 | Brivo Systems, Inc. | System and Method for Physical Access Control |
US20140320261A1 (en) * | 2011-03-17 | 2014-10-30 | Assa Abloy Ab | Method for upgrading rfid readers in situ |
- 2016-02-16: EP16155889.5A, published as EP3208777A1 (en), not active, withdrawn
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080029598A1 (en) * | 2001-12-26 | 2008-02-07 | Vivotech, Inc. | Adaptor for magnetic stripe card reader |
WO2003088166A2 (en) * | 2002-04-08 | 2003-10-23 | Corestreet, Ltd. | Physical access control |
US20070094716A1 (en) * | 2005-10-26 | 2007-04-26 | Cisco Technology, Inc. | Unified network and physical premises access control server |
US20080072314A1 (en) * | 2006-09-15 | 2008-03-20 | Tyco Safety Products Canada Ltd. | Method and apparatus for automated activation of a security system |
US20140320261A1 (en) * | 2011-03-17 | 2014-10-30 | Assa Abloy Ab | Method for upgrading rfid readers in situ |
US20130222107A1 (en) * | 2012-01-20 | 2013-08-29 | Identive Group, Inc. | Cloud Secure Channel Access Control |
US20140282993A1 (en) * | 2013-03-14 | 2014-09-18 | Brivo Systems, Inc. | System and Method for Physical Access Control |
US8881252B2 (en) | 2013-03-14 | 2014-11-04 | Brivo Systems, Inc. | System and method for physical access control |
Non-Patent Citations (2)
Title |
---|
NORMAN, THOMAS L.: "Electronic Access Control", 2012, BUTTERWORTH-HEINEMANN, pages: 221 - 239 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110995642B (en) | Providing secure connections using pre-shared keys | |
CN103714639B (en) | A kind of method and system that realize the operation of POS terminal security | |
CN102315942B (en) | Security terminal with Bluetooth and communication method thereof of security terminal and client end | |
US10567428B2 (en) | Secure wireless ranging | |
CN101131756B (en) | Security authentication system, device and method for electric cash charge of mobile paying device | |
EP2424185A1 (en) | Method and device for challenge-response authentication | |
JP2005509231A5 (en) | ||
CN107104795B (en) | Method, framework and system for injecting RSA key pair and certificate | |
EP2937806A1 (en) | Method and system for securing electronic data exchange between an industrial programmable device and a portable programmable device | |
CN110738776B (en) | Method and system for opening Bluetooth access control, Bluetooth device and working method thereof | |
CN109544747A (en) | Encryption key update method, system and the computer storage medium of intelligent door lock | |
CN104464048A (en) | Electronic coded lock unlocking method and electronic coded lock unlocking device | |
CN105827656A (en) | Identity authentication method based on NFC payment and device | |
CN112669104B (en) | Data processing method of leasing equipment | |
EP2215553A1 (en) | System and method for authenticating one-time virtual secret information | |
KR20120072032A (en) | The system and method for performing mutual authentication of mobile terminal | |
CN106027249A (en) | Identity card reading method and system | |
CN102355662A (en) | Key exchanging method on basis of wireless low-cost equipment | |
EP2993856B1 (en) | Establishment of communication connection between mobile device and secure element | |
CN111444496A (en) | Application control method, device, equipment and storage medium | |
CN202918498U (en) | SIM card adapter, mobile terminal and digital signature authentication system | |
EP3208777A1 (en) | Control panel, use, and process for the manufacture thereof | |
CN115297137A (en) | Shared bicycle using method, electronic equipment and storage medium | |
CN106372557B (en) | Certificate card information acquisition method, device and system | |
US8953804B2 (en) | Method for establishing a secure communication channel |
Legal Events
Code | Title | Description | Date |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 | |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION HAS BEEN PUBLISHED | |
AK | Designated contracting states | Kind code of ref document: A1. Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR | |
AX | Request for extension of the european patent | Extension state: BA ME | |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE | |
17P | Request for examination filed | | 2018-02-23 |
RAV | Requested validation state of the european patent: fee paid | Extension state: MA, effective date 2018-02-23. Extension state: MD, effective date 2018-02-23 | |
RAX | Requested extension states of the european patent have changed | Extension state: BA, payment date 2018-02-23. Extension state: ME, payment date 2018-02-23 | |
RBV | Designated contracting states (corrected) | Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR | |
19U | Interruption of proceedings before grant | | 2019-12-30 |
19W | Proceedings resumed before grant after interruption of proceedings | | 2020-09-01 |
RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: XCCELO SYSTEMS GMBH | |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: EXAMINATION IS IN PROGRESS | |
17Q | First examination report despatched | | 2020-11-11 |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN | |
18D | Application deemed to be withdrawn | | 2021-03-23 |