Anonymous decisions in an access control system
Abstract
A controller device may correspond to a physical access controller in a distributed physical access control system. The controller device may include logic configured to obtain access to a global database that includes access control information for a plurality of controller devices. The logic may be further configured to derive a local access rules table from the global database, wherein the local access rules table relates users to access rules, and wherein the local access rules table is encrypted with a local access rules key; and derive a local credentials table from the global database, wherein the local credentials table relates hashed credentials to users, wherein the local credentials table stores, for a user, the local access rules key encrypted with unhashed credentials associated with the user, wherein the unhashed credentials are not stored in the controller device.
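The scheme in the abstract, sketched as an added example that is not taken from the patent: the controller stores only hashed credentials, per-user wrapped copies of the rules key, and the encrypted rules table, and can read the rules only after a reader presents a credential. The function names, the PBKDF2 derivation with a single table salt, the HMAC-based cipher (a standard-library stand-in for an AEAD) and the sample users are all assumptions.

```python
import hashlib, hmac, json, os

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real AEAD such as AES-GCM
    pad = b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, pad))

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("wrong key or modified data")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

def _kdf(credential, salt, label):
    # Distinct labels keep the stored lookup hash from doubling as the wrapping key
    return hashlib.pbkdf2_hmac("sha256", credential.encode(), salt + label, 100_000)

GLOBAL_DB = {  # constructed sample data
    "alice": {"credential": "card:0451-7781", "rules": {"door-12": "grant"}},
    "bob": {"credential": "card:0451-9034", "rules": {"door-07": "grant"}},
}

def derive_local_tables(global_db, entity):
    salt, rules_key = os.urandom(16), os.urandom(32)  # rules_key is not kept in the clear
    rules = {u: r["rules"][entity] for u, r in global_db.items() if entity in r["rules"]}
    creds = {_kdf(r["credential"], salt, b"lookup").hex():
             (u, seal(_kdf(r["credential"], salt, b"wrap"), rules_key))
             for u, r in global_db.items()}
    return {"salt": salt, "creds": creds, "rules": seal(rules_key, json.dumps(rules).encode())}

def decide(local, credential_value):
    entry = local["creds"].get(_kdf(credential_value, local["salt"], b"lookup").hex())
    if entry is None:
        return (None, "deny")  # no hashed credential matches
    user, wrapped_key = entry
    rules_key = unseal(_kdf(credential_value, local["salt"], b"wrap"), wrapped_key)
    rules = json.loads(unseal(rules_key, local["rules"]))
    return (user, rules.get(user, "deny"))  # deny when the user has no rules entry
```

Because card numbers are short, the slow key derivation is what limits offline guessing against a copied credentials table; the iteration count here is illustrative.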
26 Claims
1. A method, performed by a controller device, the method comprising:
- accessing, by the controller device, a global database that includes access control information for a plurality of controller devices, wherein the controller device belongs to a distributed system that includes the plurality of controller devices, and wherein the global database corresponds to a consensus-based distributed dataset in the distributed system and identifies users and access rules for granting access to a plurality of entities;
- deriving, by the controller device, a local access rules table from the global database, wherein the controller device uses the local access rules table to determine whether or not to grant access to an entity associated with the controller device, wherein the controller device stores the local access rules table, wherein the local access rules table lists a plurality of users and associates a rule for each corresponding user to access the entity associated with the controller device, and wherein the local access rules table is encrypted with a local access rules key;
- deriving, by the controller device, a local credentials table from the global database, wherein the local credentials table relates each of the plurality of users to a corresponding hashed credential, and wherein the local credentials table stores, for each of the plurality of users, the local access rules key encrypted with the corresponding unhashed credential associated with the corresponding user;
- receiving, by the controller device, a credential value from a reader device;
- identifying, by the controller device, one of the plurality of users from among the plurality of users listed in the derived local credentials table based on the received credential value, when a hashed credential associated with the one of the plurality of users exists in the derived local credentials table, wherein the corresponding unhashed credential is not stored in the controller device as being associated with the corresponding one of the plurality of users before identifying the one of the plurality of users; and
- executing, by the controller device, one or more access rules associated with the identified one of the plurality of users based on the derived local access rules table, when an access rules entry exists for the user in the derived local access rules table.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
15. A controller device comprising:
- a memory storing instructions; and
- a processor configured to execute the instructions to:
- access a global database that includes access control information for a plurality of controller devices, wherein the global database identifies users and access rules for granting access to a plurality of entities, and wherein the controller device belongs to a distributed system that includes the plurality of controller devices, and wherein the global database corresponds to a consensus-based distributed dataset in the distributed system;
- derive a local access rules table from the global database, wherein the controller device uses the local access rules table to determine whether or not to grant access to an entity associated with the controller device, wherein the controller device stores the local access rules table, wherein the local access rules table lists a plurality of users and associates a rule for each corresponding user to access the entity associated with the controller device, and wherein the local access rules table is encrypted with a local access rules key;
- derive a local credentials table from the global database, wherein the local credentials table relates each of the plurality of users to a corresponding hashed credential, wherein the local credentials table stores, for each of the plurality of users, the local access rules key encrypted with the corresponding unhashed credential associated with the user;
- receive a credential value from a reader device;
- identify one of the plurality of users from among the plurality of users listed in the derived local credentials table based on the received credential value, when a hashed credential associated with the one of the plurality of users exists in the derived local credentials table, wherein the corresponding unhashed credential is not stored in the controller device as being associated with the corresponding one of the plurality of users before identifying the one of the plurality of users; and
- execute one or more access rules associated with the identified one of the plurality of users based on the derived local access rules table, when an access rules entry exists for the user in the derived local access rules table.
Dependent claims: 16, 17, 18, 19, 20, 21, 22, 23
24. A distributed system comprising:
- a plurality of physical access control devices, wherein a particular one of the plurality of physical access control devices is configured to:
- access a global database that includes access control information for a plurality of controller devices, wherein the global database identifies users and access rules for granting access to a plurality of entities, and wherein the plurality of physical access control devices belong to a distributed system, and wherein the global database corresponds to a consensus-based distributed dataset in the distributed system;
- derive a local access rules table from the global database, wherein the controller device uses the local access rules table to determine whether or not to grant access to an entity associated with the controller device, wherein the controller device stores the local access rules table, wherein the local access rules table lists a plurality of users and associates a rule for each corresponding user to access the entity associated with the controller device, and wherein the local access rules table is encrypted with a local access rules key;
- derive a local credentials table from the global database, wherein the local credentials table relates each of the plurality of users to a corresponding hashed credential, wherein the local credentials table stores, for each of the plurality of users, the local access rules key encrypted with the corresponding unhashed credential associated with the user;
- receive a credential value from a reader device;
- identify one of the plurality of users from among the plurality of users listed in the derived local credentials table based on the received credential value, when a hashed credential associated with the one of the plurality of users exists in the derived local credentials table, wherein the corresponding unhashed credential is not stored in the controller device as being associated with the corresponding one of the plurality of users before identifying the one of the plurality of users; and
- execute one or more access rules associated with the identified one of the plurality of users based on the derived local access rules table, when an access rules entry exists for the user in the derived local access rules table.
Dependent claims: 25, 26
Specification