REALIZATION OF ACCESS CONTROL CONDITIONS AS BOOLEAN EXPRESSIONS IN CREDENTIAL AUTHENTICATIONS

US 20100235905A1
Filed: 03/15/2010
Published: 09/16/2010
Est. Priority Date: 03/13/2009
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

detecting the presence of a first credential in proximity to a reader;

determining that group authentication is required to make an access control decision; and

invoking a group authentication process that includes;

exchanging data between the reader and the first credential;

obtaining a first value based on the exchange of data between the reader and the first credential;

exchanging data between the reader and a second credential;

obtaining a second value based on the exchange of data between the reader and the second credential;

analyzing a group authentication rule with the first and second values; and

making a group authentication decision based on the analysis step.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, reader, and system are provided for performing group authentication processes. In particular, a group access decision can be made upon the analysis of a group rule. The group rule may contain a Boolean expression including one or more Boolean conditions. If an appropriate group of credentials are presented to a reader such that the Boolean expression is satisfied, then the group of credentials and the holders thereof are allowed access to a protected asset.

Citations

22 Claims

1. A method comprising:
- detecting the presence of a first credential in proximity to a reader;
  
  determining that group authentication is required to make an access control decision; and
  
  invoking a group authentication process that includes;
  
  exchanging data between the reader and the first credential;
  
  obtaining a first value based on the exchange of data between the reader and the first credential;
  
  exchanging data between the reader and a second credential;
  
  obtaining a second value based on the exchange of data between the reader and the second credential;
  
  analyzing a group authentication rule with the first and second values; and
  
  making a group authentication decision based on the analysis step.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein a group of credentials comprising at least the first, second, and a third credentials are detected in proximity to the reader, the method further comprising:
    - determining that sequential processing is allowed in the group authentication process; and
      
      permitting group access in the absence of exchanging data between the reader and the third credential.
  - 3. The method of claim 2, wherein sequential processing is allowed in the group authentication process when the group authentication rule does not contain one or both of a NOT and XOR operation.
  - 4. The method of claim 1, wherein a group of credentials are detected in proximity to the reader, the method further comprising:
    - determining that sequential processing is not allowed in the group authentication process; and
      
      conditioning group access upon each credential in the group of credentials exchanging data with the reader.
  - 5. The method of claim 1, wherein the group authentication rule comprises a Boolean expression and at least one Boolean operation.
  - 6. The method of claim 1, further comprising:
    - implementing an action consistent with the group authentication decision, wherein the action is one of admitting access to an asset protected by the reader and denying access to the asset protected by the reader.
  - 7. The method of claim 1, wherein the group authentication process is performed at the reader.
  - 8. The method of claim 1, wherein the group authentication process is performed at a selected one of the first and second credentials.
  - 9. The method of claim 8, wherein the first credential performs the group authentication process because it is one of a designated credential and a randomly selected credential.
  - 10. The method of claim 8, wherein the second credential performs the group authentication process.
  - 11. The method of claim 1, wherein the group authentication process is performed at least partially at both the reader and a selected one of the first and second credentials.
  - 12. The method of claim 1, wherein determining that group authentication is required involves determining that one or more of the following conditions exist:
    - a plurality of credentials are detected within proximity of the reader;
      
      a plurality of users are detected within proximity of the reader; and
      
      access to an asset protected by the reader is only allowed upon satisfaction of a group rule.

13. An access control system, comprising:
- memory including instructions in the form of machine-readable code, the instructions including an authentication module and authentication data;
  
  a processor, configured to execute the instructions stored in the memory; and
  
  wherein the authentication module is configured to detect the presence of a first credential in proximity to a reader, determine that group authentication is required to make an access control decision, and invoke a group authentication process that includes;
  
  exchanging data between the reader and the first credential;
  
  obtaining a first value based on the exchange of data between the reader and the first credential;
  
  exchanging data between the reader and a second credential;
  
  obtaining a second value based on the exchange of data between the reader and the second credential;
  
  analyzing a group authentication rule contained within the authentication data with the first and second values; and
  
  making a group authentication decision based on the analysis step.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 14. The system of claim 13, wherein a group of credentials comprising at least the first, second, and a third credentials are detected in proximity to the reader, and wherein the authentication module is further configured to determine that sequential processing is allowed in the group authentication process and permit group access in the absence of exchanging data between the reader and the third credential.
  - 15. The system of claim 14, wherein sequential processing is allowed in the group authentication process when the group authentication rule does not contain one or both of a NOT and XOR operation.
  - 16. The system of claim 13, wherein a group of credentials are detected in proximity to the reader, and wherein the authentication module is further configured to determine that sequential processing is not allowed in the group authentication process and condition group access upon each credential in the group of credentials exchanging data with the reader.
  - 17. The system of claim 13, wherein the group authentication rule comprises a Boolean expression and at least one Boolean operation.
  - 18. The system of claim 13, wherein the reader is configured to implement an action consistent with the group authentication decision, wherein the action is one of admitting access to an asset protected by the reader and denying access to the asset protected by the reader.
  - 19. The system of claim 13, wherein the group authentication process is performed at the reader.
  - 20. The system of claim 13, wherein the group authentication process is performed at a selected one of the first and second credentials.
  - 21. The system of claim 13, wherein the group authentication process is performed at least partially at both the reader and a selected one of the first and second credentials.
  - 22. The system of claim 13, wherein the authentication module is configured to determine that group authentication is required by determining that one or more of the following conditions exist:
    - a plurality of credentials are detected within proximity of the reader;
      
      a plurality of users are detected within proximity of the reader; and
      
      access to an asset protected by the reader is only allowed upon satisfaction of a group rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Assa Abloy AB
Original Assignee
Assa Abloy AB
Inventors
Guthery, Scott B.

Granted Patent

US 8,474,026 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/19
CPC Class Codes

G06F 21/31   User authentication

G06F 21/40   by quorum, i.e. whereby two...

G06F 21/6209   to a single file or object,...

G07C 9/22   in combination with an iden...

REALIZATION OF ACCESS CONTROL CONDITIONS AS BOOLEAN EXPRESSIONS IN CREDENTIAL AUTHENTICATIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

REALIZATION OF ACCESS CONTROL CONDITIONS AS BOOLEAN EXPRESSIONS IN CREDENTIAL AUTHENTICATIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links