Access control apparatus and method
Abstract
An improved access control apparatus, method, and system are disclosed to enhance the security of information in cards of the type having data storage and functions which are not accessible without verification of the identity and the authority of a person requesting access. The card need not include identification information for others that may require access to information in a person's card. Several authorization profiles are provided in a card, but there is no need that a profile be identified to any one person in order that they each may perform required tasks using or adding information in another person's card. The identification card of a supervisor or doctor who requires access to another person's card contains secret information Xsup identifying the supervisor or doctor as having the authority of supervisor or physician and an encryption key. The secret authorization information is encrypted and transmitted through the reader to the other person's card where it is decrypted and compared with the X'sup secret value stored in the other person's card. If they agree, the supervisor is permitted to perform functions authorized to be performed by supervisors in accordance with the profile for supervisors in the other person's card. Each supervisor is identified by a supervisor's own card using a password, PIN, or biometrics that may be changed as often as desired without recalling the cards of others for update. The authorization information is not exposed outside of a secure environment. Therefore, unlike PINs which are exposed during entry, it need not be changed or updated during the life of the card.
24 Claims
1. An information element comprising:
- means for storing a test authorization value, said test authorization value being related for all persons having the same authority;
- means for comparing said test authorization value with a trial authorization value received from an element interface;
- means for allowing access to information in said information element only if said test authorization value compares positively with said trial authorization value.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. An element interface comprising:
- means for receiving an identification element in communicating relationship with said interface;
- means for receiving from said identification element, a trial authorization value, said trial authorization value being the same for all persons having similar identification elements and the same authority;
- means for sending said trial authorization value to an information element;
- means for instructing said information element to perform a function in said information element, said function being performed only upon the positive correlation of said trial authorization value and a test authorization value stored in said information element.
Dependent claims: 12, 13, 14, 15
16. An identification element comprising:
- means preprogrammed into said identification element for storing a trial authorization value;
- means for sending said trial authorization value from said identification element to an element interface, said trial authorization value being the same for all persons having similar identification elements and the same authority.
Dependent claims: 17, 18, 19, 20, 21, 22
23. The method of granting access to information in an information element comprising the steps of:
- inserting an identification element into an element reader;
- establishing a session key KS1 between a computer in said identification element and a computer controlling said reader;
- computing in said identification element, a value eKS1(Xsup) of the encryption of an authorization value Xsup under said session key KS1;
- sending said value eKS1(Xsup) to said computer controlling said reader;
- computing in said computer controlling said reader, a value dKS1(eKS1(Xsup)) of the decryption of said value eKS1(Xsup) under said session key KS1;
- removing said identification element from said reader to make way for said information element;
- inserting said information element into said reader;
- establishing a session key KS2 between a computer in said information element and said computer controlling said reader;
- computing in said computer controlling said reader, the value eKS2(dKS1(eKS1(Xsup))) of the encryption of the authorization value dKS1(eKS1(Xsup)) under the session key KS2;
- sending said value eKS2(dKS1(eKS1(Xsup))) to said information element;
- computing in said information element, the value dKS2(eKS2(dKS1(eKS1(Xsup)))) of the decryption of said value eKS2(dKS1(eKS1(Xsup))) under said session key KS2;
- comparing in said computer in said information element, said value dKS2(eKS2(dKS1(eKS1(Xsup)))) with a test authorization value X'sup;
- allowing execution of commands in said information element if said value dKS2(eKS2(dKS1(eKS1(Xsup)))) compares positively with said test authorization value X'sup.
Dependent claims: 24
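
The exchange in claim 23, simulated end to end as an added example that is not part of the patent text. Assumptions: `e`/`d` are a stand-in stream cipher built from HMAC-SHA256 (the claim names no cipher), session-key establishment is replaced by reader-generated random keys, and all class, function and sample names are hypothetical.

```python
import hashlib, hmac, secrets

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def e(key, plaintext):
    # Stand-in for eKS(.): random nonce || plaintext XOR keystream (assumed cipher)
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def d(key, blob):
    # Stand-in for dKS(.)
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class IdentificationElement:          # supervisor's card, holds Xsup
    def __init__(self, x_sup):
        self._x_sup = x_sup
    def send_authorization(self, ks1):
        return e(ks1, self._x_sup)    # eKS1(Xsup)

class InformationElement:             # other person's card, holds X'sup
    def __init__(self, x_sup_test, record):
        self._x_test, self._record = x_sup_test, record
    def execute(self, ks2, blob):
        trial = d(ks2, blob)          # dKS2(eKS2(dKS1(eKS1(Xsup))))
        # Constant-time compare so timing does not leak X'sup byte by byte.
        return self._record if hmac.compare_digest(trial, self._x_test) else None

def reader_session(id_card, info_card):
    ks1 = secrets.token_bytes(32)     # assumption: key establishment not modelled
    wire1 = id_card.send_authorization(ks1)
    x_in_reader = d(ks1, wire1)       # Xsup is plaintext inside the reader here
    ks2 = secrets.token_bytes(32)     # second card, second session key
    wire2 = e(ks2, x_in_reader)       # eKS2(dKS1(eKS1(Xsup)))
    return info_card.execute(ks2, wire2), wire1, wire2

# Constructed sample values, not taken from the patent
X_SUP = b"constructed-supervisor-authority"
patient_card = InformationElement(X_SUP, "record contents")
```

Between the two sessions the reader's computer holds Xsup decrypted, so the reader sits inside the secure environment the abstract refers to and has to be protected accordingly.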
Specification