SYSTEM AND METHOD FOR SECURE AND DISTRIBUTED PHYSICAL ACCESS CONTROL USING SMART CARDS

US 20080173709A1
Filed: 01/18/2007
Published: 07/24/2008
Est. Priority Date: 01/18/2007
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to a resource comprising:

reading a first code from a user carried device, wherein the first code comprises an encoded form of at least an ID of a user and at least one privilege, and wherein the privilege embodies a policy defining the user'"'"'s access to the resource;

comparing the first code to a second code; and

,permitting access only if the first code compares favorably to the second code.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first code is read from a user carried device useable in an access control system. The first code is an encoded form of at least an ID of a user carrying the device and at least one privilege. The privilege defines the user'"'"'s access to a resource. The first code is compared to a second code, and access is permitted only if the first code compares favorably to the second code. A reader of the access control system computes the second code based on the user ID and the privilege. The first and second codes may be also based on a secret key applicable only to the user.

75 Citations

View as Search Results

34 Claims

1. A method of controlling access to a resource comprising:
- reading a first code from a user carried device, wherein the first code comprises an encoded form of at least an ID of a user and at least one privilege, and wherein the privilege embodies a policy defining the user'"'"'s access to the resource;
  
  comparing the first code to a second code; and
  
  ,permitting access only if the first code compares favorably to the second code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 wherein the comparing of the first code to a second code comprises:
    - computing the second code based on the user ID, the privilege, and a secret key; and
      
      ,comparing the first code to the computed second code.
  - 3. The method of claim 2 wherein the first code is also based on the secret key.
  - 4. The method of claim 2 further comprising periodically changing the first code and the secret key synchronously.
  - 5. The method of claim 2 wherein the computing of the second code comprises:
    - generating an intermediate code based at least on the user ID and the secret key;
      
      concatenating the intermediate code and the privilege; and
      
      ,applying an encoding function to the concatenation of the intermediate code and the privilege so as to produce the second code.
  - 6. The method of claim 5 wherein the encoding function comprises a hash function.
  - 7. The method of claim 5 wherein the generating of an intermediate code comprises:
    - generating a first intermediate code by applying the secret key to an initial value;
      
      generating a second intermediate code by applying the secret key to the first intermediate code to produce a first result and by adding the user ID to the result; and
      
      ,generating a third intermediate code by applying the secret key to the second intermediate code to produce a second result and by adding a final value to the second result;
      
      and wherein the concatenating of the intermediate code and the privilege comprises concatenating the first, second, and third intermediate codes and the privilege.
  - 8. The method of claim 1 wherein the comparing of the first code to a second code comprises:
    - computing the second code based on the user ID, the privilege, a secret key, and a common key, wherein the secret key applies only to the user, and wherein the common key applies to a plurality of users; and
      
      ,comparing the first code to the computed second code.
  - 9. The method of claim 8 wherein the first code is also based on the secret key.
  - 10. The method of claim 8 further comprising periodically changing the first code and the secret key synchronously.
  - 11. The method of claim 8 wherein the computing of the second code comprises:
    - generating an intermediate code based at least on the user ID and the secret key;
      
      concatenating the intermediate coder the privilege, and the common key; and
      
      ,applying an encoding function to the concatenation of the intermediate code, the privilege, and the common key so as to produce the second code.
  - 12. The method of claim 11 wherein the encoding function comprises a hash function.
  - 13. The method of claim 11 wherein the generating of an intermediate code comprises:
    - generating a first intermediate code by applying the secret key to an initial value;
      
      generating a second intermediate code by applying the secret key to the first intermediate code to produce a result and by adding the user ID to the result; and
      
      ,generating a third intermediate code by applying the secret key to the second intermediate code to produce a second result and by adding a final value to the second result;
      
      and wherein the concatenating of the intermediate code, the privilege, and the common key comprises concatenating the first, second, and third intermediate codes, the privilege, and the common key.
  - 14. The method of claim 1 further comprising periodically changing the first and second codes synchronously.
  - 15. The method of claim 1 wherein the first code is self-expiring.

16. A method of controlling access to a resource comprising:
- storing a first code on a user carried device, wherein the first code is based on at least an ID of a user, at least one privilege, a first secret key, and an encoding function, and wherein the privilege defines the user'"'"'s access to the resource;
  
  computing a second code from the user ID, the privilege, a second secret key, and the encoding function, wherein the first and second secret keys are symmetrical, and wherein the second secret key is stored in a user carried device reader;
  
  comparing the first code to a second code; and
  
  ,permitting access only if the first code compares favorably to the second code.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The method of claim 16 wherein the encoding function comprises a hash function.
  - 18. The method of claim 16 further comprising periodically and synchronously changing the first code and the second secret key.
  - 19. The method of claim 16 wherein the computing of the second code comprises:
    - generating an intermediate code based at least on the user ID and the second secret key;
      
      concatenating the intermediate code and the privilege; and
      
      ,applying the encoding function to the concatenation of the intermediate code and the privilege so as to produce the second code.
  - 20. The method of claim 19 wherein the generating of an intermediate code comprises:
    - generating a first intermediate code by applying the second secret key to an initial value;
      
      generating a second intermediate code by applying the second secret key to the first intermediate code to produce a result and by adding the user ID to the result; and
      
      ,generating a third intermediate code by applying the second secret key to the second intermediate code to produce a second result and by adding a final value to the second result;
      
      and wherein the concatenating of the intermediate code and the privilege comprises concatenating the first, second, and third intermediate codes and the privilege.
  - 21. The method of claim 16 wherein the computing of the second code comprises:
    - generating an intermediate code based at least on the user ID and the second secret key;
      
      concatenating the intermediate code, the privilege, and a common key; and
      
      ,applying an encoding function to the concatenation of the intermediate code, the privilege, and the common key so as to produce the second code.
  - 22. The method of claim 21 wherein the generating of an intermediate code comprises:
    - generating a first intermediate code by applying the second secret key to an initial value;
      
      generating a second intermediate code by applying the second secret key to the first intermediate code to produce a result and by adding the user ID to the result; and
      
      ,generating a third intermediate code by applying the second secret key to the second intermediate code to produce a second result and adding a final value to the second result;
      
      and wherein the concatenating of the intermediate code and the privilege comprises concatenating the first, second, and third intermediate codes, the privilege, and the common key.

23. A reader of an access control system that controls access to a resource comprising:
- a memory that stores a secret key; and
  
  ,a processor that reads the secret key from the memory, that reads an ID of a user, at least one privilege, and a first code from an user carried device carried by the user, that computes a second code based on the secret key read from the memory and the user ID and privilege read from the user carried device, that compares the first code to the second code, and that permits access to the resource based on the comparison, wherein the privilege defines the user'"'"'s access to the resource, and wherein the first code comprises an encoded form of at least the user ID and the privilege.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31)
- - 24. The reader of claim 23 wherein the reader computes the second code by:
    - generating an intermediate code based at least on the user ID and the secret key;
      
      concatenating the intermediate code and the privilege; and
      
      ,applying an encoding function to the concatenation of the intermediate code and the privilege so as to produce the second code.
  - 25. The reader of claim 24 wherein the encoding function comprises a hash function.
  - 26. The reader of claim 24 wherein the reader generates the intermediate code by:
    - generating a first intermediate code by applying the secret key to an initial value;
      
      generating a second intermediate code by applying the secret key to the first intermediate code to produce a result and by adding the user ID to the result; and
      
      ,generating a third intermediate code by applying the secret key to the second intermediate code to produce a second result and by adding a final value to the second result;
      
      and wherein the concatenating of the intermediate code and the privilege comprises concatenating the first, second, and third intermediate codes and the privilege.
  - 27. The reader of claim 23 wherein the reader computes the second code based on the secret key read from the memory, the user ID and privilege read from the user carried device, and a common key.
  - 28. The reader of claim 27 wherein the reader computes the second code by:
    - generating an intermediate code based at least on the user ID and the secret key;
      
      concatenating the intermediate code, the privilege, and the common key; and
      
      ,applying an encoding function to the concatenation of the intermediate code, the privilege, and the common key so as to produce the second code.
  - 29. The reader of claim 28 wherein the encoding function comprises a hash function.
  - 30. The reader of claim 28 wherein the reader generates the intermediate code by:
    - generating a first intermediate code by applying the secret key to an initial value;
      
      generating a second intermediate code by applying the secret key to the first intermediate code to produce a result and by adding the user ID to the result; and
      
      ,generating a third intermediate code by applying the secret key to the second intermediate code to produce a second result and by adding a final value to the second result; and
      
      ,and wherein the concatenating of the intermediate code, the privilege, and the common key comprises concatenating the first, second, and third intermediate codes, the privilege, and the common key.
  - 31. The reader of claim 23 wherein the secret key comprises a first secret key, wherein the first code is based on a second secret key, and wherein the first and second secret keys are symmetrical.

32. A user carried device for use by an access control system that controls access to a resource comprising:
- a memory that stores an ID of a user, at least one privilege, and a hash value, wherein the hash value is based on an application of a hash function to encrypted data, wherein the encrypted data is based on the user ID, the privilege, and a key, and wherein the privilege embodies a policy governing the user'"'"'s access to the resource; and
  
  ,an interface that communicates the user ID, the privilege, and the hash value to a reader of the access control system.
- View Dependent Claims (33, 34)
- - 33. The user carried device of claim 32 wherein the key comprises a secret key applicable to only one user, wherein the hash value is further based on a common key, and wherein the common key is applicable to a plurality of users.
  - 34. The user carried device of claim 32 wherein the hash value comprises a self-expiring hash value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Honeywell International Inc.
Original Assignee
Honeywell International Inc.
Inventors
GHOSH, SUBHAS KUMAR

Granted Patent

US 9,286,481 B2
Time in Patent Office

Days
Field of Search
US Class Current

235/382
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/62   Protecting access to data v...

G07C 2009/0042   the transmitted data signal...

G07C 9/21   having a variable access code

G07C 9/27   with central registration

SYSTEM AND METHOD FOR SECURE AND DISTRIBUTED PHYSICAL ACCESS CONTROL USING SMART CARDS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

75 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR SECURE AND DISTRIBUTED PHYSICAL ACCESS CONTROL USING SMART CARDS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

75 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links