Controlling access using additional data

US 7,600,129 B2
Filed: 07/16/2004
Issued: 10/06/2009
Est. Priority Date: 10/02/1995
Status: Expired due to Fees

First Claim

Patent Images

1. A method of determining access, comprising:

using at least one processor to determine whether credentials/proofs indicate that access is allowed, wherein the credentials/proofs include credentials and proofs;

using at least one processor to determine whether additional data associated with the credentials/proofs has been received, wherein the additional data is separate from the credentials/proofs; and

using at least one processor to determine whether to deny access according to the credentials/proofs and the additional data that is received, wherein access is denied if the credentials/proofs do not indicate that access is allowed, and wherein access is denied if information provided by the additional data directly indicates revocation of access rights, wherein the information provided by the additional data is obtained by performing a one-way function on the additional data, and wherein the information is locally verifiable at a point of access.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Determining access includes determining if particular credentials/proofs indicate that access is allowed, determining if there is additional data associated with the credentials/proofs, wherein the additional data is separate from the credentials/proofs, and, if the particular credentials/proofs indicate that access is allowed and if there is additional data associated with the particular credentials/proofs, then deciding whether to deny access according to information provided by the additional data. The credentials/proofs may be in one part or in separate parts. There may be a first administration entity that generates the credentials and other administration entities that generate proofs. The first administration entity may also generate proofs or may not generate proofs. The credentials may correspond to a digital certificate that includes a final value that is a result of applying a one way function to a first one of the proofs.

230 Citations

45 Claims

1. A method of determining access, comprising:
- using at least one processor to determine whether credentials/proofs indicate that access is allowed, wherein the credentials/proofs include credentials and proofs;
  
  using at least one processor to determine whether additional data associated with the credentials/proofs has been received, wherein the additional data is separate from the credentials/proofs; and
  
  using at least one processor to determine whether to deny access according to the credentials/proofs and the additional data that is received, wherein access is denied if the credentials/proofs do not indicate that access is allowed, and wherein access is denied if information provided by the additional data directly indicates revocation of access rights, wherein the information provided by the additional data is obtained by performing a one-way function on the additional data, and wherein the information is locally verifiable at a point of access.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 2. A method, according to claim 1, wherein the credentials/proofs are in one part.
  - 3. A method, according to claim 1, wherein the credentials/proofs are in separate parts.
  - 4. A method, according to claim 3, wherein there is a first administration entity that generates the credentials and other administration entities that generate proofs.
  - 5. A method, according to claim 4, wherein the first administration entity also generates proofs.
  - 6. A method, according to claim 4, wherein the first administration entity does not generate proofs.
  - 7. A method, according to claim 1, wherein the credentials correspond to a digital certificate that includes a final value that is a result of applying a one way function to a first one of the proofs.
  - 8. A method, according to claim 7, wherein each of the proofs is a result of applying a one way function to a future one of the proofs.
  - 9. A method, according to claim 7, wherein the digital certificate includes an identifier for the electronic device.
  - 10. A method, according to claim 1, wherein the credentials include a final value that is a result of applying a one way function to a first one of the proofs.
  - 11. A method, according to claim 10, wherein each of the proofs is a result of applying a one way function to a future one of the proofs.
  - 12. A method, according to claim 1, wherein the credentials include an identifier for a user requesting access.
  - 13. A method, according to claim 1, wherein the credentials/proofs include a digital signature.
  - 14. A method, according to claim 1, wherein access is access to an area enclosed by walls and a door.
  - 15. A method, according to claim 14, further comprising:
    - providing a door lock, wherein the door lock is actuated according to whether access is being denied.
  - 16. A method, according to claim 1, further comprising:
    - providing a reader that receives credentials/proofs.
  - 17. A method, according to claim 16, wherein the credentials/proofs are provided on a smart card presented by a user.
  - 18. A method, according to claim 1, wherein the credentials/proofs include a password entered by a user.
  - 19. A method, according to claim 1, wherein the credentials/proofs include user biometric information.
  - 20. A method, according to claim 1, wherein the credentials/proofs include a handwritten signature.
  - 21. A method, according to claim 1, wherein the credentials/proofs include a secret value provided on a card held by a user.
  - 22. A method, according to claim 1, wherein the credentials/proofs expire at a predetermined time.
  - 23. A method, according to claim 1, wherein the additional data is digitally signed.
  - 24. A method, according to claim 1, wherein the additional data is a message that is bound to the credentials/proofs.
  - 25. A method, according to claim 24, wherein the message identifies the particular credentials/proofs and includes an indication of whether the particular credentials/proofs have been revoked.
  - 26. A method, according to claim 25, wherein the indication is the empty string.
  - 27. A method, according to claim 1, wherein the additional data includes a date.
  - 28. A method, according to claim 1, wherein the additional data is a message containing information about the particular credentials/proofs and containing information about one or more other credentials/proofs.
  - 29. A method, according to claim 1, further comprising:
    - storing the additional data.
  - 30. A method, according to claim 29, wherein the additional data includes an expiration time indicating how long the additional data is to be saved.
  - 31. A method, according to claim 30, wherein the expiration time corresponds to an expiration of the particular credentials/proofs.
  - 32. A method, according to claim 1, further comprising:
    - storing the additional data for a predetermined amount of time.
  - 33. A method, according to claim 32, wherein credentials/proofs all expire after the predetermined amount of time.
  - 34. A method, according to claim 1, wherein the additional data is provided using a smart card.
  - 35. A method, according to claim 34, wherein the smart card is presented by a user attempting to gain access to an area.
  - 36. A method, according to claim 35, wherein access to the area is restricted using walls and at least one door.
  - 37. A method, according to claim 35, wherein the additional data is for a user different from the user attempting to gain access.
  - 38. A method, according to claim 1, further comprising:
    - providing a communication link; and
      
      transmitting the additional data using the communication link.
  - 39. A method, according to claim 38, wherein the communication link is provided the additional data by a smart card.
  - 40. A method, according to claim 39, wherein the smart card requires periodic communication with the communication link in order to remain operative.
  - 41. A method, according to claim 39, wherein the smart card is provided with the additional data by another smart card.
  - 42. A method, according to claim 39, wherein the additional data is selectively provided to a subset of smart cards.
  - 43. A method, according to claim 39, further comprising:
    - providing a priority level to the additional data.
  - 44. A method, according to claim 43, wherein the additional data is selectively provided to a subset of smart cards according to the priority level provided to the additional data.
  - 45. A method, according to claim 39, wherein the additional data is randomly provided to a subset of smart cards.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Assa Abloy AB
Original Assignee
Corestreet, Ltd. (Assa Abloy AB)
Inventors
Libin, Phil, Sinelnikov, Alex, Engberg, David, Micali, Silvio
Primary Examiner(s)
CHEN, SHIN HON

Application Number

US10/893,150
Publication Number

US 20050044386A1
Time in Patent Office

1,908 Days
Field of Search

713/158, 713/159, 713/175, 713/180, 713/185, 713/155, 380/278, 380/282, 726/1, 726/2, 726/5, 726/9, 726/20
US Class Current

713/185
CPC Class Codes

H04L 9/00   Cryptographic mechanisms or...

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

Controlling access using additional data

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

230 Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling access using additional data

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

230 Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links