Entry control system

US 9,652,911 B2
Filed: 09/17/2007
Issued: 05/16/2017
Est. Priority Date: 12/22/2003
Status: Active Grant

First Claim

Patent Images

1. A method for physically controlling access to a protected location, comprising:

establishing a secure communications connection over a network between a security controller and at least an authentication server;

operatively coupling a security token to said security controller;

sending a critical security parameter from said security token to said security controller for authentication after using a token remote authentication application on said security token to verify a user supplied critical security parameter against one or more reference critical security parameters operatively stored in said security token;

sending said critical security parameter to at least said authentication server via said secure communications connection;

performing an authentication transaction by said authentication server for said critical security parameter;

sending a result of said authentication transaction from said authentication server to said security controller via said secure communications connection; and

energizing an electromechanical circuit coupled to and controlled by said security controller if said result is affirmative of said authentication transaction being successful, wherein energizing said electromechanical circuit is limited to a pre-established duration specific to said security token to control opening of a physical access gateway and wherein the duration corresponds to an amount of time the physical access gateway is open in a single instance.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An integrated security system which seamlessly assimilates with current generation logical security systems. The integrated security system incorporates a security controller having standard network interface capabilities including IEEE 802.x and takes advantage of the convenience and security offered by smart cards and related devices for both physical and logical security purposes. The invention is based on standard remote authentication dial-in service (RADIUS) protocols or TCP/IP using SSL, TLS, PCT or IPsec and stores a shared secret required by the secure communication protocols in a secure access module coupled to the security controller. The security controller is intended to be a networked client or embedded intelligent device controlled remotely by to an authentication server. In another embodiment of the invention one or more life cycle management transactions are performed with the secure access module. These transactions allow for the updating, replacement, deletion and creation of critical security parameters, cryptographic keys, user data and applications used by the secure access module and/or security token. In another embodiment of the invention a security access module associated with the security controller locally performs local authentication transactions which are recorded in a local access list used to update a master access list maintained by the authentication server.

17 Citations

View as Search Results

30 Claims

1. A method for physically controlling access to a protected location, comprising:
- establishing a secure communications connection over a network between a security controller and at least an authentication server;
  
  operatively coupling a security token to said security controller;
  
  sending a critical security parameter from said security token to said security controller for authentication after using a token remote authentication application on said security token to verify a user supplied critical security parameter against one or more reference critical security parameters operatively stored in said security token;
  
  sending said critical security parameter to at least said authentication server via said secure communications connection;
  
  performing an authentication transaction by said authentication server for said critical security parameter;
  
  sending a result of said authentication transaction from said authentication server to said security controller via said secure communications connection; and
  
  energizing an electromechanical circuit coupled to and controlled by said security controller if said result is affirmative of said authentication transaction being successful, wherein energizing said electromechanical circuit is limited to a pre-established duration specific to said security token to control opening of a physical access gateway and wherein the duration corresponds to an amount of time the physical access gateway is open in a single instance.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1 wherein said secure communications connection includes a shared secret established between said security controller which is securely maintained by a secure access module operatively coupled to said security controller.
  - 3. The method according to claim 2 wherein said security controller is further in secure communications over said network with a life cycle management server.
  - 4. The method according to claim 3 wherein said life cycle management server is adapted to perform life cycle management functions related to applications, critical security parameters or user data installed in either said security token or said secure access module.
  - 5. The method according to claim 1 wherein said security controller is one of a plurality of security controllers, wherein said plurality of security controllers are networked clients of at least said authentication server.
  - 6. The method according to claim 1 wherein at least a portion of said secure communications connection is established over a wireless telecommunications link.
  - 7. The method according to claim 1 wherein said secure communications connection incorporates a security protocol including SSL, IPsec, PCT, TLS or RADIUS.

8. A method for physically controlling access to a protected location, comprising:
- establishing a secure communications connection over a network between at least an authentication server and a secure access module associated with a security controller, wherein said secure communications connection incorporates a shared secret which is maintained by said authentication server and said secure access module;
  
  operatively coupling a security token to said secure access module via an interface coupled to said security controller;
  
  sending a critical security parameter from said security token to said secure access module after using a token remote authentication application on said security token to verify a user supplied critical security parameter against one or more reference critical security parameters operatively stored in said security token;
  
  sending said critical security parameter to said authentication server via said secure communications connection;
  
  performing an authentication transaction by said authentication server via a process which incorporates said critical security parameter;
  
  sending a result of said authentication transaction from said authentication server to said security controller via said secure communications connection; and
  
  energizing an electromechanical circuit coupled to and controlled by said security controller if said result is affirmative of said authentication transaction being successful, wherein energizing said electromechanical circuit is limited to a pre-established duration specific to said security token to control opening of a physical access gateway and wherein the duration corresponds to an amount of time the physical access gateway is open in a single instance.
- View Dependent Claims (9, 10, 11)
- - 9. The method according to claim 8 wherein said secure communications connection incorporates a security protocol including SSL, IPsec, PCT, TLS or RADIUS.
  - 10. The method according to claim 8 wherein said secure access module is further in secure communications over said network with a life cycle management server.
  - 11. The method according to claim 10 wherein said life cycle management server is adapted to perform life cycle management functions related to applications, critical security parameters or user data installed in either said security token or said secure access module.

12. A method for performing one or more life cycle management transactions with a secure access module coupled to a security controller and a life cycle management server, comprising:
- establishing a secure communications connection between a secure access module and at least a life cycle management server; and
  
  performing one or more life cycle management transactions with said secure access module in conjunction with said at least a life cycle management server;
  
  operatively coupling a security token to the security controller, wherein at least one critical security parameter is sent from the security token to the security controller after using a token remote authentication application on said security token to verify a user supplied critical security parameter against one or more reference critical security parameters operatively stored in said security token; and
  
  energizing an electromechanical circuit coupled to and controlled by said security controller if the security controller affirms that the critical security parameter is authorized, wherein energizing said electromechanical circuit is limited to a pre-established duration specific to said security token to control opening of a physical access gateway and wherein the duration corresponds to an amount of time the physical access gateway is open in a single instance.
- View Dependent Claims (13)
- - 13. The method according to claim 12 wherein said one or more life cycle management transactions comprises distributing, exchanging, deleting, adding or modifying one or more critical security parameters, applications or user data installed in said secure access module.

14. A method for physically controlling access to a protected location, comprising:
- sending one or more critical security parameters from one or more security tokens to a secure access module operatively coupled to a security controller for authentication after using a token remote authentication application on said one or more security tokens to verify a user supplied critical security parameter against one or more reference critical security parameters operatively stored in said one or more security tokens;
  
  performing one or more authentication transactions by said secure access module using said one or more critical security parameters;
  
  temporarily maintaining a local access list of at least said one or more critical security parameters which have been authenticated by said secure access module;
  
  sending said local access list to an authentication server;
  
  updating a master access list maintained by said authentication server; and
  
  for at least one of said one or more authentication transactions and at least one of said one or more security tokens, energizing an electromechanical circuit coupled to and controlled by said security controller if a result is affirmative of said at least one authentication transaction being successful, wherein energizing said electromechanical circuit is limited to a pre-established duration specific to said at least one security token to control opening of a physical access gateway and wherein the duration corresponds to an amount of time the physical access gateway is open in a single instance.
- View Dependent Claims (15, 16)
- - 15. The method according to claim 14 wherein said local access list is sent to said authentication server via a secure communications channel.
  - 16. The method according to claim 14 wherein said local access list is sent over an IEEE 802.x standard network arrangement.

17. A system for physically controlling access to a protected location, comprising:
- a security token operatively coupled to a security controller and including a module that sends a critical security parameter to said security controller for authentication after using a token remote authentication application on said security token to verify a user supplied critical security parameter against one or more reference critical security parameters operatively stored in said security token;
  
  a secure access module operatively coupled to said security controller and including a module that securely maintains a shared secret established by an authentication server and incorporating said shared secret into a secure communications connection established with at least an authentication server;
  
  an electromechanical circuit that is coupled to and controlled by said security controller and that opens a physical access gateway when energized,wherein said security controller includes;
  
  a module that establishes said secure communications connection with at least said authentication server;
  
  a module that sends said critical security parameter to said authentication server via said secure communications connection; and
  
  a module that energizes said electromechanical circuit in response to an affirmative authentication result received from said authentication server, wherein energizing said electromechanical circuit is limited to a pre-established duration specific to said security token; and
  
  ,wherein said authentication server includes;
  
  a module that establishes said secure communications with said security controller;
  
  a module that performs an authentication transaction in response to receiving said critical security parameter from said security controller; and
  
  a module that supplies said affirmative authentication result to said security controller via said secure communications connection following a successful authentication of said critical security parameter to control opening of the physical access gateway and wherein the duration corresponds to an amount of time the physical access gateway is open in a single instance.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The system according to claim 17 wherein said at least a portion of said secure communications connection is established over a wireless telecommunications link.
  - 19. The system according to claim 17 wherein said secure communications connection incorporates a security protocol including SSL, IPsec, PCT, TLS or RADIUS.
  - 20. The system according to claim 17 wherein said secure access module further includes a module that locally performs said authentication transaction.
  - 21. The system according to claim 20 wherein either said security controller or said secure access module further includes a module that maintains at least an access list of locally authenticated critical security parameters.
  - 22. The system according claim 21 wherein said authentication server further includes a module that receives said at least an access list of locally authenticated critical security parameters and updating a master access associated with said authentication server.
  - 23. The system according to claim 17 further comprising a life cycle management server includes:
    - a module that establishes a secure communications connection between either said secure access module or said security; and
      
      a module that performs one or more life cycle management transactions with said secure access module in conjunction with said at least a life cycle management server.
  - 24. The system according to claim 23 wherein said one or more life cycle management transactions comprises distributing, exchanging, deleting, adding or modifying one or more critical security parameters, applications or user data installed in said secure access module.

25. A security apparatus for physically controlling access to a protected location, comprising:
- a security controller including;
  
  a processor;
  
  a memory coupled to said processor;
  
  a security token interface coupled to said processor;
  
  a network transceiver coupled to said processor;
  
  a secure access module coupled to said processor;
  
  an electromagnetic control circuit coupled to and controlled by said processor; and
  
  at least one application installed in at least a portion of said memory having logical instructions executable by said processor to;
  
  establish a secure communications connection over a network with at least an authentication server over a network via said network transceiver;
  
  perform an authentication transaction in conjunction with said authentication server for a critical security parameter received via said security token interface after a corresponding security token uses a token remote authentication application to verify a user supplied critical security parameter against one or more reference critical security parameters operatively stored in the security token;
  
  receive and maintain a shared secret in said secure access module;
  
  incorporate said shared secret into said secure communications connection; and
  
  energize said electromechanical control circuit upon receipt of an affirmative authentication result associated with said authentication transaction, wherein energizing said electromechanical control circuit is limited to a pre-established duration specific to a security token that interfaces with the security token interface to control opening of a physical access gateway and wherein the duration corresponds to an amount of time the physical access gateway is open in a single instance.
- View Dependent Claims (26, 27, 28)
- - 26. The apparatus according to claim 25 wherein said secure communications connection incorporates a security protocol including SSL, IPsec, PCT, TLS or RADIUS.
  - 27. The apparatus according to claim 25 wherein said secure access module includes a module that performs one or more life cycle management transactions in conjunction with either said authentication server or a life cycle management server.
  - 28. The apparatus according to claim 25 wherein said one or more life cycle management transactions comprises distributing, exchanging, deleting, adding or modifying one or more critical security parameters, applications or user data installed in said secure access module.

29. A system for performing one or more life cycle management transactions with a secure access module coupled to a security controller and a life cycle management server, comprising:
- a secure access module operatively coupled to a security controller and including a module that securely performs life cycle management functions in conjunction with a life cycle management server, wherein said security controller includes a module that exchanges communications between said secure access module and said life cycle management server, wherein said life cycle server includes a module that securely performs one or more life cycle management transactions in conjunction with said secure access module, and wherein said one or more life cycle management transactions comprises distributing, exchanging, deleting, adding or modifying one or more critical security parameters, applications or user data installed in said secure access module;
  
  a security token operative coupled to the security controller, wherein at least one critical security parameter is sent from the security token to the security controller after using a token remote authentication application on the security token to verify a user supplied critical security parameter against one or more reference critical security parameters operatively stored in the security token; and
  
  an electromechanical circuit that is coupled to and controlled by said security controller and that opens a physical access gateway when energized, wherein the electromechanical circuit is energized by the security controller if the at least one critical security parameter is authorized, and wherein energizing said electromechanical circuit is limited to a pre-established duration specific to said security token to control opening of a the physical access gateway and wherein the duration corresponds to an amount of time the physical access gateway is open in a single instance.
- View Dependent Claims (30)
- - 30. The system according to claim 29 wherein said security controller and said life cycle server are in processing communications over a wireless telecommunications link.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Assa Abloy AB
Original Assignee
Assa Abloy AB
Inventors
Wen, Wu, Fedronic, Dominique Louis Joseph
Primary Examiner(s)
Hailu, Teshome

Application Number

US11/856,549
Publication Number

US 20080059798A1
Time in Patent Office

3,529 Days
Field of Search

713172
US Class Current
CPC Class Codes

G07C 9/27   with central registration

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

Entry control system

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Entry control system

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links