Challenge-response badge

US 10,521,984 B1
Filed: 03/31/2015
Issued: 12/31/2019
Est. Priority Date: 03/31/2015
Status: Active Grant

First Claim

Patent Images

1. An access-control system comprising:

a card reader configured to transmit a challenge message that includes a first sequence value;

an access card configured to determine validity of the challenge message based at least in part on the first sequence value and a high-water-mark value stored on the access card, the high-water mark value based at least in part on a second sequence value associated with a previously-received valid challenge message, and in response to determining that the challenge message is valid, transmit a response message and update the high-water-mark value based at least in part on the first sequence value; and

a security server configured to;

determine that the response message is valid as a result of a timespan between a first recorded time when the challenge message is transmitted and a second recorded time when the response message is received does not exceed a threshold value; and

as a result of determining that the response message is valid, cause an access control point device to grant access to an enclosed physical space.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques described and suggested in the present document include access-card systems and methods that are resistant to attack. In certain implementations, a card reader transmits a challenge message to an access card. When the access card receives the challenge message, the access card validates the challenge message, and then generates a response message based at least in part on the information contained in the challenge message. A security server validates the response message, and when the security server determines that the response is secure, valid, and from an authorized access card, the security server grants access to a physical space. In some implementations, the challenge and response messages are digitally signed using a cryptographic key. Additional implementations include various tests that, when performed on the challenge and/or response messages detect and defeat many attempts to compromise the access-card system.

Citations

15 Claims

1. An access-control system comprising:
- a card reader configured to transmit a challenge message that includes a first sequence value;
  
  an access card configured to determine validity of the challenge message based at least in part on the first sequence value and a high-water-mark value stored on the access card, the high-water mark value based at least in part on a second sequence value associated with a previously-received valid challenge message, and in response to determining that the challenge message is valid, transmit a response message and update the high-water-mark value based at least in part on the first sequence value; and
  
  a security server configured to;
  
  determine that the response message is valid as a result of a timespan between a first recorded time when the challenge message is transmitted and a second recorded time when the response message is received does not exceed a threshold value; and
  
  as a result of determining that the response message is valid, cause an access control point device to grant access to an enclosed physical space.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The access-control system of claim 1, wherein the access card determines the validity of the challenge message at least in part by:
    - determining a geolocation of the access card;
      
      determining a geolocation of the card reader; and
      
      determining that the challenge message is invalid when the distance between the geolocation of the access card and the geolocation of the card reader exceeds a threshold.
  - 3. The access-control system of claim 1, wherein:
    - the access card is further configured to digitally sign the response message using a first private cryptographic key, thereby generating a response-message signature; and
      
      the security server is further configured to determine the validity of the response message by at least in part validating the response-message signature using a first public cryptographic key, and as a result of determining that the response message is invalid, recording the response message in a log.
  - 4. The access-control system of claim 3, wherein:
    - the security server is further configured to digitally sign the challenge message with a challenge-message signature using a second private cryptographic key;
      
      the access card is further configured to determine the validity of the challenge message by at least in part validating the challenge-message signature using a second public cryptographic key; and
      
      the security server further configured to, as a result of determining that the response message is invalid, transmit a disabling-challenge message to the access card that prevents the access card from responding to additional challenge messages.
  - 5. The access-control system of claim 4, wherein the validity of the challenge message is determined at least in part by the access card:
    - determining whether a reader identifier that is included in the challenge message is present in a collection of reader identifiers stored on the access card; and
      
      as a result of determining that the reader identifier is not present in the collection, determining that the challenge message is invalid.

6. One or more devices, comprising:
- a card reader configured to transmit a challenge message that includes a first sequence value;
  
  an access card configured to determine validity of the challenge message based at least in part on the first sequence value and a high-water-mark value stored on the access card, the high-water mark value based at least in part on a second sequence value associated with a previously-received valid challenge message, and in response to determining that the challenge message is valid, transmit a response message and update the high-water-mark value based at least in part on the first sequence value; and
  
  a security server configured to;
  
  determine that the response message is valid as a result of a timespan between a first recorded time when the challenge message is transmitted and a second recorded time when the response message is received does not exceed a threshold value; and
  
  as a result of determining that the response message is valid,cause an access control point device to grant access to an enclosed physical space.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The one or more devices of claim 6, wherein the access card determines the validity of the challenge message at least in part by:
    - determining a geolocation of the access card;
      
      determining a geolocation of the card reader; and
      
      determining that the challenge message is invalid when the distance between the geolocation of the access card and the geolocation of the card reader exceeds a threshold.
  - 8. The one or more devices of claim 6, wherein:
    - the access card is further configured to digitally sign the response message using a first private cryptographic key, thereby generating a response-message signature; and
      
      the security server is further configured to determine the validity of the response message by at least in part validating the response-message signature using a first public cryptographic key, and as a result of determining that the response message is invalid, recording the response message in a log.
  - 9. The one or more devices of claim 8, wherein:
    - the security server is further configured to digitally sign the challenge message with a challenge-message signature using a second private cryptographic key;
      
      the access card is further configured to determine the validity of the challenge message by at least in part validating the challenge-message signature using a second public cryptographic key; and
      
      the security server further configured to, as a result of determining that the response message is invalid, transmit a disabling-challenge message to the access card that prevents the access card from responding to additional challenge messages.
  - 10. The one or more devices of claim 9, wherein the validity of the challenge message is determined at least in part by the access card:
    - determining whether a reader identifier that is included in the challenge message is present in a collection of reader identifiers stored on the access card; and
      
      as a result of determining that the reader identifier is not present in the collection, determining that the challenge message is invalid.

11. A computer-implemented method, comprising:
- transmitting, by a card reader, a challenge message that includes a first sequence value;
  
  determining, by an access card, validity of the challenge message based at least in part on the first sequence value and a high-water-mark value stored on the access card, the high-water mark value based at least in part on a second sequence value associated with a previously-received valid challenge message, and in response to determining that the challenge message is valid, transmit a response message and update the high-water-mark value based at least in part on the first sequence value;
  
  determining, by a security server, that the response message is valid as a result of a timespan between a first recorded time when the challenge message is transmitted and a second recorded time when the response message is received does not exceed a threshold value; and
  
  as a result of determining that the response message is valid, cause an access control point device to grant access to an enclosed physical space.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer-implemented method of claim 11, wherein the access card determines the validity of the challenge message at least in part by:
    - determining a geolocation of the access card;
      
      determining a geolocation of a card reader; and
      
      determining that the challenge message is invalid when the distance between the geolocation of the access card and the geolocation of the card reader exceeds a threshold.
  - 13. The computer-implemented method of claim 11, wherein:
    - the access card is further configured to digitally sign the response message using a first private cryptographic key, thereby generating a response-message signature; and
      
      the security server is further configured to determine the validity of the response message by at least in part validating the response-message signature using a first public cryptographic key, and as a result of determining that the response message is invalid, recording the response message in a log.
  - 14. The computer-implemented method of claim 13, wherein:
    - the security server is further configured to digitally sign the challenge message with a challenge-message signature using a second private cryptographic key;
      
      the access card is further configured to determine the validity of the challenge message by at least in part validating the challenge-message signature using a second public cryptographic key; and
      
      the security server further configured to, as a result of determining that the response message is invalid, transmit a disabling-challenge message to the access card that prevents the access card from responding to additional challenge messages.
  - 15. The computer-implemented method of claim 14, whereinthe validity of the challenge message is determined at least in part by the access card:
    - determining whether a reader identifier that is included in the challenge message is present in a collection of reader identifiers stored on the access card; and
      
      as a result of determining that the reader identifier is not present in the collection, determining that the challenge message is invalid.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Johansson, Jesper Mikael, MacIntosh, Eric Allan, Roth, Gregory Branchek
Primary Examiner(s)
Syed, Nabil H
Assistant Examiner(s)
Eustaquio, Cal J

Application Number

US14/675,654
Time in Patent Office

1,736 Days
Field of Search
US Class Current
CPC Class Codes

G07C 2009/00388   code verification carried o...

G07C 2009/00412   the transmitted data signal...

G07C 2009/00476   dynamically

G07C 2009/00555   comprising means to detect ...

G07C 2009/00793   by Hertzian waves

G07C 2209/08   With time considerations, e...

G07C 9/00309   operated with bidirectional...

G07C 9/00571   operated by interacting wit...

G07C 9/23   by means of a password

H04L 63/0838   using one-time-passwords

H04L 63/107   wherein the security polici...

H04L 63/108   when the policy decisions a...

Challenge-response badge

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Challenge-response badge

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links