Title:
COMMUNICATION METHOD OF ACCESS CONTROL SYSTEM
Document Type and Number:
WIPO Patent Application WO/2006/136662
Kind Code:
A1
Abstract:
A method for remote controlling an electrical lock within an access control infrastructure including access database for access information and incidents, the lock being controlled by a door manager computer (DM), the method using mobile terminal (MT) with short range communication link (BT) to establish a communication link to the door manager (DM) and a mobile network connection (PNW) to establish a communication link to the access control infrastructure to communicate the authentication information between the door manager and the access control infrastructure.

Inventors:
KOLJONEN JOUNI (FI)
Application Number:
PCT/FI2006/050277
Publication Date:
December 28, 2006
Filing Date:
June 22, 2006
Assignee:
MOHINET OY (FI)
KOLJONEN JOUNI (FI)
International Classes:
G07C9/00; G04C
Domestic Patent References:
WO2001074045A1  2001-10-04
WO2001023694A1  2001-04-05
Foreign References:
US20020031228A1  2002-03-14
FI114183B  2004-08-31
Other References:
See also references of EP 1897066A4
Attorney, Agent or Firm:
LEITZINGER OY (Helsinki, FI)
Claims:
1. A method for remote controlling an electrical lock within an access control infrastructure including access database for access information and incidents, the lock being controlled by a door manager computer (DM), using mobile terminal (MT) with short range communication link (BT) to establish a communication link to the door manager (DM) and a mobile network connection (PNW) to establish a communication link to the access control infrastructure to communicate the authentication information between the door manager and the access control infrastructure, characterized by that the door manager (DM) sends a beacon signal to mobile terminal (MT) and the mobile terminal automatically communicates in a background process at least part of the authentication process with door manager (DM) before the user of the mobile terminal (MT) triggers the opening of the lock.
2. Method according to the claim 1, characterized by that the door manager (DM) is offline and has no steady communications channel to the rest of the access control infrastructure except short range communications link (BT).
3. Method according to the claim 1 or 2, characterized by that the mobile terminal receives an authorization code from the access control infrastructure and the code is valid for short time and for one opening of the lock.
4. Method according to the claim 1 or 2, characterized by that the mobile terminal receives an authorization code from the access control infrastructure and the code is valid for a period of time for opening one or more locks one or more times.
5. A method according to any of claims 1-4, characterized by the door manager (DM) being without other online means of communication than the communication link through the mobile terminals (MT) of the users.
6. A method according to any of claims 1-4, characterized by sending the incident information in a public key encrypted message in a way that the mobile terminal (MT) cannot read or alter the messages, the messages may contain incident information of other users also.
7. A midlet/software for the phone, characterized by that the software uses short range communication link to establish a communication link to the door manager (DM) controlling an electronic lock and a mobile network connection to establish a communication link to the access control infrastructure to communicate the authentication information between the door manager and the access control infrastructure.
8. A gateway server (GW) software for use in a network element of an access control infrastructure performing the method according to any of claims 1-5, characterized by the gateway server comprising means for simulating a network element of the access control infrastructure towards the access control network and means for communicating in safe way through the public network (PNW) to the mobile terminal (MT) of the lock user for communicating the authentication codes between the access control infrastructure and the mobile terminal (MT) having a short range communicating means (BT) to further bypass the authentication information between the lock controller (DM) and the gateway (GW).
Description:
Communication method of access control system

The invention relates to access control systems and especially to mobile communication between the lock and the access control system.

The objective of the invention is to create a cost-effective way to connect a lock in separate premises to a centralized control system with the minimum required hardware, and to create a way for occasional visitors to get the access licence for a remote lock in a cost-efficient and easy way.

Present access control systems are based on a hierarchical structure. Usually the database of the access control data is on one server, and the database is at least partially copied to the lower-level servers. If the main database server is down or disconnected from the network, the rest of the system still works autonomously. All the lower-level components work in the same way. This makes the system fault tolerant: only the updating of the control data is delayed if the connection to the control data database is lost. Typically one building has at least one server for managing doors and routing the communications between the door controllers and the rest of the infrastructure. This makes it very costly to connect a separate building with only one controlled door to the infrastructure.

A lock needs to be connected in some way to the server in order to get the access right information from the database and to report the transactions to the database. The problem is that the needed infrastructure is very expensive for one separate door: the cost of servers and network infrastructure is incurred for only a small number of doors in one building, while temporary keys and a connection to the infrastructure are still needed for security. An example of this kind of access control need is a telecommunications switch, a cross-connection closet, a base station, a transformer room or other technical premises that are not maintained by the occupant of the house. In this case, the visitors should often be logged and the access licences should often be valid for only some hours at a time. If the lock is standalone, the present infrastructure model needs a communication channel and local infrastructure for even a single lock. This is extremely expensive, as only one lock shares a communications server and door manager, and the wiring is also a considerable cost.

The aim of invention is to create an inexpensive infrastructure for a single or only a few doors to connect to the access control infrastructure without needing any costly cabling, computer system or complicated configuration. Further the aim is to create an easy way to grant access licences and to track use of them. Further the licences should be granted without distributing access control tag or badges to users.

The invention makes effective use of the existing access control infrastructure, connecting only a gateway to the controlling servers of the access control infrastructure. The communication between the lock controller and the gateway is enabled by a mobile terminal of the lock user. This makes the infrastructure cost per door very small: the lock is off-line, but the user's mobile terminal is an on-line key to it, and the infrastructure is able to log events and use up-to-date licensing and key databases with minimal changes to the existing system. The user identification is based on the mobile terminal's phone number (embedded in the phone's SW) and an (optional) password inquiry, which makes the identification fairly safe. This makes it possible to give an authorization to a user of a defined phone number and password instead of giving authorization to a key badge that must be sent in advance to the user. The licences can easily be granted to a user from another organization while still keeping track of at least the phone number of the user.

The invention is based on using an on-line mobile terminal as a key and communication gateway for an off-line lock. The lock is still controlled by the infrastructure for each event, if necessary. Another object is to grant and cancel "keys" or licences to mobile terminal users without a badge.

The invention is described with reference to the figures:

Fig 1: Schematic diagram of a known access control infrastructure

Fig 2: Schematic diagram of the arrangement according to the invention

Figure 1 shows an example of an infrastructure of existing technology. The system is redundant, hierarchical and geographically distributed. The database server DS (also called application server) maintains and controls the central database. Communication servers CS are often in the same strictly guarded premises as the database server DS. Door manager controllers DMC are based at each location, and finally the door managers DM read the badges, communicate with the rest of the infrastructure and monitor the door. The complicated hierarchical system is necessary for decentralizing and for fault-proofing. Load balancing is also an issue, so that the database can be updated hierarchically. In practice the door manager DM is a small computer with I/O lines for communication to the DMC and for controlling the lock, reading badges or cards, motion detection, or for example connecting to biometric devices. In this kind of hierarchical structure one separate lock in one building always needs 2 computers, namely the door manager DM and the door manager controller DMC, as well as the wiring and communications channel from the building to the access manager. Therefore, connecting one separate door to the system needs a lot of work and expensive hardware.

Figure 2 shows the infrastructure needed for a door controlled with the method according to the invention. The Front Manager and the Door manager controller are replaced by a Gateway GW and a mobile terminal MT. The Lock Manager sends its identification to the mobile terminal MT. The software in the mobile terminal MT sends the identification information of the door together with the identification information of the MT itself to the GW. In figure 2 the gateway is connected to the DS, so it acts like a CS. If the gateway is under a CS, it acts like a DMC towards the closed network of the infrastructure. The port of the gateway is connected to the public network PNW, for example to the internet, to the public telecom network or to the public mobile network, through which the mobile terminal can communicate with the gateway.

The door manager used in the method according to the invention may be much simpler than the door manager in the system of figure 1. The door manager in the system according to the invention may have a very limited number of connections. The necessary connections for the DM are power supply, Bluetooth and lock control, maybe also a keyboard. The door manager should have enough processing power for encrypting messages and memory for storing the encryption keys and badge key codes and their validity information.

The gateway server works as a link between the mobile net, the internet or other equivalent communications media (PNW) and the network of the access control infrastructure. The latter network is usually physically strictly isolated, usually inside a locked and guarded room. The gateway acts towards the servers of the access control infrastructure as a network element of the infrastructure. Therefore, there is no need to change or configure the infrastructure; the system according to the invention is a bolt-on solution that is transparent to the rest of the infrastructure.

The lock is controlled by a door manager DM next to the lock. The controller includes a short range communication means (BT), for example a display, Bluetooth, IrDA or WLAN. Presently Bluetooth is the preferred option, but WLAN or even manual entry with a keyboard and a display is also a possible option, even though it is more expensive to install, and inconvenient and slow for the user. The short-range communication means (BT) are used to send the identifying information of the lock to a mobile terminal of the user of the lock. In the mobile terminal there is a midlet that recognizes the identifying information, and possibly the midlet asks for confirmation or a password from the user. After that, the terminal sends the identifying information of the user, itself and the lock to the gateway.

The lock first uses a beacon signal. After an MT makes a communication link with the DM, the DM sends a single-use random code to the MT. The MT sends this random code, its own identification information and maybe a pass code of the user to the GW. The GW verifies the message and sends an encrypted, unique reply to the MT, and the MT can use the content of the reply once or several times to open the door by sending the content of the message from the GW to the DM.

The gateway sends the information in the form of a key and the lock information and asks for authentication from the infrastructure to open the lock. At the same time the GW sends the auditing information of the user's acts. In the case of the automatic mode described later, where the key code is valid for opening the lock several times, the GW does not necessarily get the auditing information immediately, or may never get detailed information about all the incidents. If the key code is valid for single use only, the infrastructure is always aware of all the incidents.

All the communications are preferably encrypted with public key encryption, and preferably the messages include a single-use random number to ensure that recording or copying the message is not useful for fraud. Especially the communications in the public network must be encrypted. Public key encryption is easier, as the mobile terminal does not need to exchange a secret key. With random encryption keys for each communication session there is no way for an outsider to track the users by capturing the radio communications, as only the door beacon is always the same and the first connection of the MT is already encrypted with the public single-use key of the DM. The DM and GW may know each other's public keys, so they do not need to change the public key every time, but the message needs to have an order number or time stamp, so that the code is unique.
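The manual-mode exchange described above (random code from the DM, relay by the MT, reply from the GW), sketched as an added example that is not part of the patent text. HMAC under a key shared by DM and GW stands in for the preferred public-key encryption; the class names, message fields and sample identifiers are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key shared by DM and GW only. HMAC stands in for the
# public-key protection the description prefers; the MT never holds the key.
DM_GW_KEY = b"constructed-demo-key"


def _tag(grant: dict) -> str:
    body = json.dumps(grant, sort_keys=True).encode()
    return hmac.new(DM_GW_KEY, body, hashlib.sha256).hexdigest()


class DoorManager:
    """Offline lock controller: issues single-use codes, checks GW replies."""

    def __init__(self, lock_id: str):
        self.lock_id = lock_id
        self.pending = set()  # codes issued and not yet redeemed

    def challenge(self) -> str:
        code = secrets.token_hex(16)
        self.pending.add(code)
        return code

    def open_lock(self, reply: dict) -> bool:
        grant = reply["grant"]
        if not hmac.compare_digest(_tag(grant), reply["tag"]):
            return False  # altered or forged on the way through the MT
        if grant["lock"] != self.lock_id or grant["code"] not in self.pending:
            return False  # other door, unknown code, or replayed reply
        self.pending.discard(grant["code"])  # valid for one opening
        return True


class Gateway:
    """Checks the user's rights, logs the incident, signs a grant."""

    def __init__(self, rights: dict):
        self.rights = rights  # {(phone, lock_id): pass_code}
        self.audit = []

    def authorize(self, phone, pass_code, lock, code):
        expected = self.rights.get((phone, lock))
        ok = expected is not None and hmac.compare_digest(expected, pass_code)
        self.audit.append((phone, lock, "granted" if ok else "denied"))
        if not ok:
            return None
        grant = {"lock": lock, "code": code, "phone": phone}
        return {"grant": grant, "tag": _tag(grant)}


def manual_mode_demo() -> dict:
    phone = "constructed-phone-id"
    dm, gw = DoorManager("door-17"), Gateway({(phone, "door-17"): "4711"})
    reply = gw.authorize(phone, "4711", "door-17", dm.challenge())
    first = dm.open_lock(reply)    # MT relays the GW reply to the DM
    replay = dm.open_lock(reply)   # same reply captured and sent again
    forged = dict(reply, grant=dict(reply["grant"], code=dm.challenge()))
    denied = gw.authorize("other-phone", "0000", "door-17", dm.challenge())
    return {"first": first, "replay": replay, "tampered": dm.open_lock(forged),
            "denied": denied is None, "audit": [a[2] for a in gw.audit]}
```

Because the grant is bound to the DM's random code, the relaying MT can neither reuse a captured reply nor move it to a fresh code without the DM rejecting it.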

An important security issue is that the gateway is a critical point, as it connects the closed network to the public network. The gateway may therefore be a combination of several computers, for example a firewall and a gateway. This makes cracking into the closed network more difficult, as both computers in series must be cracked.

The system can work in two different modes. Manual mode works on-line every time: the mobile terminal asks for the authorization information from the central lock infrastructure every time. The authorization is therefore for single use. In automatic mode the mobile terminal may ask for the authorization automatically in a background process, and the authorization is valid for a time period.

In automatic mode the mobile terminal asks for an authorization that is valid for a certain time interval and maybe also for a set of doors. The phone may ask for a new authorization after the old authorization has expired. This may be done automatically in a background process, when first trying to open the door after the expiration, or when entering the coverage area of the DM transmitter. The authorization for multiple uses is easier to abuse, but opening the door does not require opening the GPRS connection to the gateway, so the opening of the lock is practically instantaneous. The automatic mode preferably uses public key encryption, so that the lock uses a different code every time, and the mobile terminal uses its authorization code for creating the reply message. The opening message is never the same twice, so capturing the message would not make it possible to copy the authorization.

The automatic mode authorization code is not normally easy to cancel, so the automatic "key code" should be for a moderately short period. The lock controller may have a list of cancelled codes, but it can be updated only if there is a communication channel to the infrastructure. Typically automatic mode is used for less critical areas, where a lost phone and key code is not critical. The software in the mobile phone may also be able to cancel the code by remote control from the network. If the code of the MT software is for example Java, it is moderately easy for the end user to tamper with, and the cancelling may be inactivated. Typically the key codes are valid only for some hours, so the probability of misuse of a lost phone is relatively small in any case. The infrastructure may command the lock (DM) to manual mode; in that case the next mobile terminal requesting a key does not receive an automatic mode key code but a command to enter manual mode. This code may be encrypted and transparent for the MT, so it is not possible to tamper with. The message from the GW may also contain more information, such as a list of banned key codes, and the lock manager may send access information to the infrastructure with the authorization request. This way the off-line lock is practically on-line each time there is a transaction, first with the MT and maybe later (automatic mode) with the GW. As the communications are preferably encrypted with the keys of the DM and GW, the MT is not able to detect or alter the contents of the messages. So there is no easy way to falsify any codes, as the MT can also be recognized by the mobile network: the MT has a unique number, and it is also possible to detect the IMEI and the MT software serial number together with the software password, if necessary.
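One way the automatic mode could work offline, as an added example that is not part of the patent text: the GW issues a time-limited ticket for a set of doors, the MT answers each fresh DM code using its authorization code, and the DM checks expiry and its cancelled list. HMAC replaces the preferred public-key scheme; the ticket layout, the DM clock value `now` and all names are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key known to GW and DM only. HMAC stands in for the
# public-key scheme the description prefers.
DM_GW_KEY = b"constructed-demo-key"


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def issue_ticket(serial, phone, doors, not_after):
    """GW side: returns (ticket body, authorization code) for the MT."""
    body = json.dumps({"serial": serial, "phone": phone,
                       "doors": sorted(doors), "not_after": not_after},
                      sort_keys=True).encode()
    return body, _mac(DM_GW_KEY, body)


def mt_response(auth_code: bytes, challenge: bytes) -> bytes:
    """MT side: opening message bound to the DM's fresh code."""
    return _mac(auth_code, challenge)


class OfflineDoorManager:
    def __init__(self, lock_id: str):
        self.lock_id = lock_id
        self.cancelled = set()  # banned ticket serials relayed from the GW
        self.challenge = None

    def new_challenge(self) -> bytes:
        self.challenge = secrets.token_bytes(16)
        return self.challenge

    def open_lock(self, body: bytes, response: bytes, now: int) -> str:
        challenge, self.challenge = self.challenge, None  # one try per code
        if challenge is None:
            return "no-challenge"
        # Recompute the code offline; an edited ticket body gives another code.
        expected = _mac(_mac(DM_GW_KEY, body), challenge)
        if not hmac.compare_digest(expected, response):
            return "bad-response"
        ticket = json.loads(body)
        if ticket["serial"] in self.cancelled:
            return "cancelled"
        if now > ticket["not_after"]:
            return "expired"
        if self.lock_id not in ticket["doors"]:
            return "wrong-door"
        return "open"


def automatic_mode_demo() -> list:
    dm = OfflineDoorManager("door-17")
    body, code = issue_ticket(1, "constructed-phone-id", ["door-17"], 1000)
    first = mt_response(code, dm.new_challenge())
    out = [dm.open_lock(body, first, now=500)]
    dm.new_challenge()
    out.append(dm.open_lock(body, first, now=501))  # captured message replayed
    edited = body.replace(b"1000", b"9999")         # MT stretches validity
    out.append(dm.open_lock(edited, mt_response(code, dm.new_challenge()), 2000))
    out.append(dm.open_lock(body, mt_response(code, dm.new_challenge()), 2000))
    dm.cancelled.add(1)                             # ban list reaches the DM
    out.append(dm.open_lock(body, mt_response(code, dm.new_challenge()), 600))
    return out
```

The cancelled case only works once a ban list has reached the DM through some relaying terminal, which is why the description recommends short validity periods.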

In one preferable embodiment the mobile terminal listens for the beacon signals in a background process and automatically contacts the door managers (DM) that the mobile terminal assumes the user may want to open or to which the user may have access rights. The phone may also automatically ask for a short-term ticket for each door, or open a connectionless channel to the GW in advance. When the user wants to open the door, there is no need for handshaking the Bluetooth connection and the connection to the GW. If the authentication information is asked for automatically, the infrastructure also receives information from the door managers more often, and the infrastructure also gets information about the movement of the users, even if they do not open any door. This enables higher security, and the door managers may receive messages cancelling user rights faster, as any user nearby can relay the information between the DM and GW. Also, a stolen MT or a user with cancelled user rights may cause an alarm even by entering the coverage of any DM.

This background process is cost effective, as the GPRS data needed is very limited and the Bluetooth is mainly only receiving. The battery consumption of the mobile terminal is not raised too much, and a few kilobytes of data sent automatically are not too costly to send over GPRS or UMTS even on a daily basis.

In the experiments the time for opening in full manual mode is around 10 to 20 seconds more than in the automatic mode with background negotiating in advance. The expiry times of the opening tickets may vary from some minutes to days. The operation of the door is virtually immediate: the user selects the door from the door list and the door opens immediately.

The beacon signals of the doors enable the mobile terminals to connect to all the DMs that are in the range of the Bluetooth, and therefore the Bluetooth connection to the DM is ready all the time, and if the opening "key code" or ticket is asked in advance from the GW, the phone can open the door immediately. When the phone next time takes contact to the GW, and the door, the incident information is sent to the GW. The DM and GW can track the communications and if there is fraud detected the user may be banned and the system makes an alarm.

The fraud may be, for example, that the terminal refuses to pass the messages after opening the door. In that case the alarm may be set, and the next user's terminal passes the necessary information in any case. There is no easy way to prevent the incident information transmission, as the encrypted message content is not readable by the mobile terminal, and the user cannot control the message content.

The method is as fast for the user as a pass code ticket stored in the mobile terminal used in the prior art. The pure gateway solution for data transmission via mobile phone offers high security for the user identification, and the user rights may be checked for each incident. But if the authentication is not prepared in advance, the opening of the lock takes typically over ten seconds, which is annoyingly slow. The automatic negotiation and frequent connection between the lock and the lock solves both security problem and smooth operation for the user.

The mobile phone (MT) of the user replaces the need for the lock's own communication channel, and the infrastructure can be sure that the mobile phone is in the proximity of the lock before opening the lock. Also, the lock manager computer with Bluetooth is much cheaper to manufacture and to maintain than if the lock had its own GPRS, WLAN or Ethernet connection for connecting to the gateway. In this case, the identity of the mobile phone must still be verified through the telecom or GPRS network, and the short distance communication is needed anyway for the proximity check, i.e. that the user is close to the door he wants to open. So, if the phone is to be used to open the lock, it is advantageous to use the user's phone for all the communications between the lock manager and the gateway. The amount of data to be transferred is relatively small, much less than a kilobyte for authorization. In automatic mode the authorization is made relatively seldom. It is possible to use text messages (SMS) to transfer the authorization codes, but typically GPRS is cheaper to use for a short two-way connection. The connection type is not relevant; the connection may as well be WLAN with user authentication, if available for the MT. The GW is connected to the public internet, to the mobile cellular network with SMS or with GPRS or equivalent, or to several communication channels, or it may use external gateways for reception of SMS from the public internet.