

Title:
EVALUATING ACCESS TO A PHYSICAL SPACE
Document Type and Number:
WIPO Patent Application WO/2021/052943
Kind Code:
A1
Abstract:
It is provided a method for evaluating access to a physical space secured by a lock. The method is performed in an access evaluator and comprises the steps of: receiving an access request from an application server, the access request comprising a user identifier and a lock identifier; evaluating, based on the user identifier and the lock identifier, whether access is to be granted; and transmitting a valid access credential for the lock to a gateway being proximate to the lock when access is granted.

Inventors:
FRANK GUNNAR (SE)
THOMSEN ERIC (SE)
SYLWAN PEDER (SE)
BORG ANDERS (SE)
LAGERSTEDT STIG (SE)
Application Number:
PCT/EP2020/075729
Publication Date:
March 25, 2021
Filing Date:
September 15, 2020
Assignee:
ASSA ABLOY AB (SE)
International Classes:
G07C9/00; G07C9/27
Domestic Patent References:
WO2012151290A1, 2012-11-08
Foreign References:
US20170018130A1, 2017-01-19
Attorney, Agent or Firm:
KRANSELL & WENNBORG KB (SE)
Claims:
CLAIMS

1. A method for evaluating access to a physical space (16) secured by a lock (4), the method being performed in an access evaluator (1) and comprising the steps of: receiving (40) an access request (22’) from an application server (3), the access request (22’) comprising a user identifier (21) and a lock identifier (20); evaluating (41), based on the user identifier (21) and the lock identifier (20), whether access is to be granted; and transmitting (44) a valid access credential (25) for the lock to a gateway (7) being proximate to the lock (4) when access is granted.

2. The method according to claim 1, wherein the valid access credential (25) is in a format which complies with mobile credentials usable with the lock (4).

3. The method according to claim 2, further comprising the step, prior to the step of transmitting (44) the valid access credential, of: encrypting (43) a section of the valid access credential.

4. The method according to claim 3, wherein the encrypted section of the valid access credential comprises an access rights to unlock the lock (4).

5. The method according to claim 3 or 4, wherein the valid access credential comprises a credential identifier and a verification section comprising a key derivation based on the credential identifier and a secret key.

6. The method according to any one of the preceding claims, further comprising the step of: receiving (46) audit trail data from the gateway.

7. The method according to claim 6, further comprising the step of: providing (48) audit trail data to the application server (3).

8. The method according to any one of the preceding claims, further comprising the steps of: generating (42) the valid access credential after the step of evaluating (41); and deleting (45) the valid access credential from the access evaluator (1) after the step of transmitting (44) the valid access credential.

9. An access evaluator (1) for evaluating access to a physical space (16) secured by a lock (4), the access evaluator comprising: a processor (60); and a memory (64) storing instructions (67) that, when executed by the processor, cause the access evaluator (1) to: receive an access request (22’) from an application server (3), the access request (22’) comprising a user identifier (21) and a lock identifier (20); evaluate, based on the user identifier (21) and the lock identifier (20), whether access is to be granted; and transmit a valid access credential (25) for the lock to a gateway (7) being proximate to the lock (4) when access is granted.

10. The access evaluator (1) according to claim 9, wherein the valid access credential (25) is in a format which complies with mobile credentials usable with the lock (4).

11. The access evaluator (1) according to claim 10, further comprising instructions (67) that, when executed by the processor, cause the access evaluator (1) to encrypt a section of the valid access credential.

12. The access evaluator (1) according to claim 11, wherein the encrypted section of the valid access credential comprises an access rights to unlock the lock (4).

13. The access evaluator (1) according to claim 11 or 12, wherein the valid access credential comprises a credential identifier and a verification section comprising a key derivation based on the credential identifier and a secret key.

14. The access evaluator (1) according to claim 9 or 10, further comprising instructions (67) that, when executed by the processor, cause the access evaluator (1) to: receive audit trail data from the gateway.

15. The access evaluator (1) according to claim 14, further comprising instructions (67) that, when executed by the processor, cause the access evaluator (1) to: provide audit trail data to the application server (3).

16. The access evaluator (1) according to any one of claims 9 to 15, further comprising instructions (67) that, when executed by the processor, cause the access evaluator (1) to: generate the valid access credential prior to executing the instructions to evaluate; and delete the valid access credential from the access evaluator (1) after executing the instructions to transmit (44) the valid access credential.

17. A computer program (67, 91) for evaluating access to a physical space (16) secured by a lock (4), the computer program comprising computer program code which, when run on an access evaluator (1) causes the access evaluator (1) to: receive an access request (22’) from an application server (3), the access request (22’) comprising a user identifier (21) and a lock identifier (20); evaluate, based on the user identifier (21) and the lock identifier (20), whether access is to be granted; and transmit a valid access credential (25) for the lock to a gateway (7) being proximate to the lock (4) when access is granted.

18. A computer program product (64, 90) comprising a computer program according to claim 17 and a computer readable means on which the computer program is stored.

Description:
EVALUATING ACCESS TO A PHYSICAL SPACE

TECHNICAL FIELD

[0001] The present disclosure relates to the field of evaluating access to a physical space and in particular to evaluating access to a physical space where an access request is received from an application server and a valid access credential is transmitted to a gateway.

BACKGROUND

[0002] Locks and keys are evolving from the traditional pure mechanical locks. These days, electronic locks are becoming increasingly common. For electronic locks, no mechanical key profile is needed for authentication of a user. The electronic locks can e.g. be opened using an electronic key stored on a special carrier (fob, card, etc.) or in a mobile device, such as a smartphone. The electronic key and electronic lock can often communicate over a wireless interface. Such electronic locks provide a number of benefits, including improved flexibility in management of access rights, audit trails, key management, etc.

[0003] When an electronic key, e.g. as part of a mobile device, approaches a door secured by an offline lock, one solution is for the mobile device to establish communication with the lock and to thereafter engage in a credential evaluation procedure. However, such a procedure requires a significant amount of implementation effort in the mobile device in order to securely and reliably perform the credential evaluation procedure. Moreover, such procedures can differ between locks and may need to be updated, requiring maintenance of software of all such mobile devices.

SUMMARY

[0004] One objective is to provide a solution where a mobile device which requests access to a lock does not need to implement a credential evaluation procedure for communicating with the lock.

[0005] According to a first aspect, it is provided a method for evaluating access to a physical space secured by a lock. The method is performed in an access evaluator and comprises the steps of: receiving an access request from an application server, the access request comprising a user identifier and a lock identifier; evaluating, based on the user identifier and the lock identifier, whether access is to be granted; and transmitting a valid access credential for the lock to a gateway being proximate to the lock when access is granted.

[0006] The valid access credential may be in a format which complies with mobile credentials usable with the lock.

[0007] The method may further comprise the step, prior to the step of transmitting the valid access credential, of: encrypting a section of the valid access credential.

[0008] The encrypted section of the valid access credential may comprise an access rights to unlock the lock.

[0009] The valid access credential may comprise a credential identifier and a verification section comprising a key derivation based on the credential identifier and a secret key.

[0010] The method may further comprise the step of: receiving audit trail data from the gateway.

[0011] The method may further comprise the step of: providing audit trail data to the application server.

[0012] The method may further comprise the steps of: generating the valid access credential after the step of evaluating; and deleting the valid access credential from the access evaluator after the step of transmitting the valid access credential.

[0013] According to a second aspect, it is provided an access evaluator for evaluating access to a physical space secured by a lock. The access evaluator comprises: a processor; and a memory storing instructions that, when executed by the processor, cause the access evaluator to: receive an access request from an application server, the access request comprising a user identifier and a lock identifier; evaluate, based on the user identifier and the lock identifier, whether access is to be granted; and transmit a valid access credential for the lock to a gateway being proximate to the lock when access is granted.

[0014] The valid access credential may be in a format which complies with mobile credentials usable with the lock.

[0015] The access evaluator may further comprise instructions that, when executed by the processor, cause the access evaluator to encrypt a section of the valid access credential.

[0016] The encrypted section of the valid access credential may comprise an access rights to unlock the lock.

[0017] The valid access credential may comprise a credential identifier and a verification section comprising a key derivation based on the credential identifier and a secret key.

[0018] The access evaluator may further comprise instructions that, when executed by the processor, cause the access evaluator to: receive audit trail data from the gateway.

[0019] The access evaluator may further comprise instructions that, when executed by the processor, cause the access evaluator to: provide audit trail data to the application server.

[0020] The access evaluator may further comprise instructions that, when executed by the processor, cause the access evaluator to: generate the valid access credential prior to executing the instructions to evaluate; and delete the valid access credential from the access evaluator after executing the instructions to transmit the valid access credential.

[0021] According to a third aspect, it is provided a computer program for evaluating access to a physical space secured by a lock. The computer program comprises computer program code which, when run on an access evaluator causes the access evaluator to: receive an access request from an application server, the access request comprising a user identifier and a lock identifier; evaluate, based on the user identifier and the lock identifier, whether access is to be granted; and transmit a valid access credential for the lock to a gateway being proximate to the lock when access is granted.

[0022] According to a fourth aspect, it is provided a computer program product comprising a computer program according to the third aspect and a computer readable means on which the computer program is stored.

[0023] Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to "a/an/the element, apparatus, component, means, step, etc." are to be interpreted openly as referring to at least one instance of the element, apparatus, component, means, step, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.

BRIEF DESCRIPTION OF THE DRAWINGS

[0024] Aspects and embodiments are now described, by way of example, with reference to the accompanying drawings, in which:

[0025] Fig 1 is a schematic diagram illustrating an environment in which embodiments presented herein can be applied;

[0026] Fig 2 is a sequence diagram illustrating communication between various entities of embodiments which can be applied in the environment of Fig 1;

[0027] Fig 3 is a flow chart illustrating embodiments of methods for requesting access to a physical space secured by a lock;

[0028] Fig 4 is a schematic diagram illustrating components of the access evaluator of Fig 1 according to one embodiment; and

[0029] Fig 5 shows one example of a computer program product comprising computer readable means.

DETAILED DESCRIPTION

[0030] The aspects of the present disclosure will now be described more fully hereinafter with reference to the accompanying drawings, in which certain embodiments of the invention are shown. These aspects may, however, be embodied in many different forms and should not be construed as limiting; rather, these embodiments are provided by way of example so that this disclosure will be thorough and complete, and to fully convey the scope of all aspects of invention to those skilled in the art. Like numbers refer to like elements throughout the description.

[0031] Fig 1 is a schematic diagram illustrating an environment in which embodiments presented herein can be applied. A lock 4 is provided to secure access to a physical space 16. The physical space 16 can e.g. be or be part of a hotel, cruise ship, office, factory, home or any other suitable physical space which can be secured by an electronic lock 4 provided by a door, window, gate, etc. While only one lock 4 is shown in Fig 1, there can be many more locks, each securing access to a physical space.

[0032] The lock 4 is an electronic lock and can be unlocked using a mobile device 2 as described in more detail below. The mobile device 2 is carried by a user 9. The mobile device 2 may be implemented as part of a mobile phone, a smartphone, a key fob, wearable device, smart phone case, access card, electronic physical key, etc.

[0033] The mobile device 2 reads a lock identifier from the lock 4 over a local communication link. The local communication link can be any suitable short-range wired or short-range wireless communication, e.g. using Near Field Communication (NFC), Bluetooth, Bluetooth Low Energy (BLE), any of the IEEE 802.15 standards, etc.

[0034] The mobile device 2 is connected to a communication network 6. The communication network 6 can e.g. be based on Internet Protocol (IP) over WiFi or any suitable cellular network standard, and can form part of the Internet.

[0035] To request access, the mobile device 2 sends the lock identifier and a user identifier to an application server 3. The functionality in the mobile device 2 described herein can be implemented by an application (also known as app) executing in the mobile device 2. The mobile device 2 and its application co-operates with the application server 3 over the communication network 6.

[0036] The application server 3 is a server which performs server related functionality in cooperation with the application executing in the mobile device. As known in the art per se, the application server 3 can be implemented using one or more physical servers in one or more physical locations. The party responsible for the application server 3 can also be the party which is responsible for the application 2 mentioned to form part of the mobile device 2, used, i.a., for requesting and obtaining access to the physical space 16 secured by the lock 4.

[0037] The application server 3 requests access to the physical space 16 for the user 9 by communicating with an access evaluator 1. This communication occurs over the communication network 6.

[0038] The access evaluator 1 is a server which can receive access requests for one or more physical spaces 16 secured by respective locks 4. Significantly, the access requests are received from one node (the application server 3), but any access grants are implemented using another node, namely a gateway 7. Communication between the access evaluator 1 and the gateway 7 occurs over the communication network 6. The access evaluator 1 can form part of an electronic access control system, comprising also the lock 4 and optionally the gateway 7. The application server 3 and the mobile device 2 do not need to form part of the access control system.

[0039] The gateway 7 is a device which can communicate both over the communication network 6 and over the local communication link with the lock 4. As explained in more detail below, the gateway 7 is used in a credential evaluation procedure to unlock the lock 4 when access is granted by the access evaluator 1.

[0040] It is to be noted that the lock 4 can equally well work with mobile devices which implement also the credential evaluation, i.e. mobile devices 2 that store a credential (e.g. key cards, etc.) which is used in the credential evaluation with the lock 4.

[0041] Fig 2 is a sequence diagram illustrating communication between various entities of embodiments which can be applied in the environment of Fig 1.

[0042] When the user reaches the lock 4, the mobile device 2 obtains a lock identifier 20 from the lock 4 over the local communication link. If the lock was in a low-power mode, the lock 4 first wakes up e.g. by a sensor detecting metal in its presence. Instead of sending an access request to the lock 4, the mobile device 2 sends an access request 22 to the application server 3. This access request can be implemented easily in the mobile device 2 and the mobile device does not need to implement a complete credential evaluation procedure.

[0043] The access request 22 comprises the lock identifier 20 and a user identifier 21. The user identifier 21 can be any suitable identifier which allows the application server to identify the user and can e.g. be a phone number, an e-mail address, an identifier issued by the application server 3, or an identifier issued by a third party, such as Facebook, Instagram, WeChat, Google, Apple, Snapchat, etc.

[0044] The application server 3 generates a corresponding access request 22’, corresponding to the access request 22 from the mobile device 2. The corresponding access request 22’ can be in the same format as the access request 22 from the mobile device 2, or it can differ, but the corresponding access request 22’ also comprises the lock identifier 20 and the user identifier 21. The application server 3 transmits the corresponding access request 22’ to the access evaluator 1 over the communication network 6.

[0045] Once the access evaluator 1 has received the corresponding access request 22’, the access evaluator 1 determines whether access through the lock 4 should be granted. If access is denied, the sequence ends. Otherwise, the access evaluator 1 obtains a credential 25 which is valid for unlocking the lock 4 and transmits the credential 36 to the gateway 7 over the communication network 6.

[0046] The lock 4 and the gateway 7 now engage in a credential evaluation procedure 26, where the communication occurs over the local communication link. The credential evaluation procedure 26 can e.g. comprise a challenge-response procedure or other suitable procedure, such as the gateway providing the credential 25 to the lock 4 for evaluation. When the credential evaluation procedure 26 is successful, the lock 4 sets itself in an unlocked state, to allow the user of the mobile device 2 access to the physical space secured by the lock 4.

[0047] Actions by the lock 4, such as unlocking, opening, closing, denied access, unlocking without subsequent opening, etc., are optionally captured in an audit trail. Each action is then stored as a data item, together with user id and time. One or more data items of the audit trail are provided over the local communication link as audit trail data 27 to the gateway 7. For instance, the audit trail data 27 can be sent after each action. Alternatively, the audit trail data 27 is transmitted periodically in time or after a certain number of actions. The gateway 7 forwards corresponding audit trail data 27 to the access evaluator 1. This audit trail data 27 can be made available to the application server 3 to collect statistics on access events.

[0048] Using this procedure, the first access request 22 is generated in the mobile device 2 based on local communication with the lock 4, but the credential evaluation 26 is performed between the lock 4 and the gateway 7. In this way, the mobile device is relieved from implementing and keeping up-to-date a credential evaluation procedure which is complicated and can even be different for different entities of the lock 4. Such credential evaluation procedures have previously formed part of SDKs (Software Development Kits) provided by the developer of the access control system to form part of the application in the mobile device. However, such SDKs can take up space and require updating to stay functional with all types of locks. By using embodiments presented herein, the SDK for access control does not need to form part of the application in the mobile device 2.

[0049] Moreover, the credential does not need to be stored in the mobile device 2. Instead, the gateway 7, which can be under control of the party of the access evaluator 1 and/or the lock 4, receives the credential from the access evaluator 1 and implements the credential evaluation procedure 26. From the perspective of the lock 4, the local communication appears the same as if a mobile device 2 were to implement also the credential evaluation. Hence, the lock 4 does not need to be modified to operate correctly in accordance with embodiments presented herein.

[0050] Fig 3 is a flow chart illustrating embodiments of methods for evaluating access to a physical space secured by a lock. The method is performed in the access evaluator. The method essentially corresponds to actions performed by the access evaluator in the sequence diagram of Fig 2, described above.

[0051] In a receive access request step 40, the access evaluator receives an access request from an application server. The access request comprises a user identifier and a lock identifier.

[0052] In an evaluate step 41, the access evaluator evaluates, based on the user identifier and the lock identifier, whether access is to be granted. This evaluation can be based on access rules available to the access evaluator, stored in the access evaluator or externally.

[0053] In an optional generate credential step 42, the access evaluator generates the valid access credential after the step of evaluating. When this step is performed, the credential is generated on demand, and is not otherwise stored for a long time.

[0054] When step 42 is not performed, the credential can be retrieved from storage, internal or external to the access evaluator.

[0055] In an optional encrypt step 43, the access evaluator encrypts a section of the valid access credential. The encrypted section of the valid access credential can comprise an access rights to unlock the lock. For instance, the section (in decrypted plain form) can indicate an access right to open lock x and locks y-z, and/or locks belonging to group A. Optionally, the section comprises a sequence number. For certain types of locks, e.g. hotel room locks, the sequence number can be used to invalidate all keys with earlier sequence numbers. In this way, a new person having a key to the hotel room can be assured that any previous guests do not have access to the hotel room.

[0056] The section can be encrypted with a symmetric key that is available also to the lock (but not to the gateway). In this way, the lock can decrypt the section and can rest assured that the access evaluator has provided the section with the access rights.

[0057] The valid access credential can comprise a credential identifier and a verification section. The verification section comprises a key derivation based on the credential identifier and a secret key. In other words, the access credential then contains both the credential identifier and the verification section, which has been generated using a key derivation function based on the credential identifier and the secret key.

[0058] When the lock reads the credential, the lock can be assured that the credential identifier is verified by the access evaluator, by verifying the verification section. The verification is performed by generating its own verification using the key derivation function based on the credential identifier and the secret key, and comparing the result with the verification section received from the gateway. In order to perform this, the lock has access to (e.g. locally stores) the secret key.
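The credential layout of paragraphs [0055] to [0058], sketched as an added example that is not part of the application: the access evaluator builds the credential, and the lock checks the verification section, decrypts the access rights and applies the sequence number, while the relaying gateway holds neither key. Assumptions: HMAC-SHA256 stands in for the unnamed key derivation function, an HMAC-based encrypt-then-MAC construction stands in for a standard AEAD such as AES-GCM so the block runs on the Python standard library alone, and the class names, JSON layout and rule table are hypothetical.

```python
import hashlib
import hmac
import json
import os


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def verification_section(secret_key: bytes, credential_id: bytes) -> bytes:
    # Assumption: HMAC-SHA256 as the key derivation; the page names no function.
    return prf(secret_key, b"verification" + credential_id)


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (prf(enc_key, nonce + i.to_bytes(4, "big"))
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(section_key: bytes, plaintext: bytes) -> bytes:
    # Stand-in for an AEAD (e.g. AES-GCM): encrypt, then MAC nonce + ciphertext.
    nonce = os.urandom(16)
    stream = keystream(prf(section_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    return nonce + ct + prf(prf(section_key, b"mac"), nonce + ct)


def unseal(section_key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("section too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = prf(prf(section_key, b"mac"), nonce + ct)
    if not hmac.compare_digest(tag, expected):
        raise ValueError("section modified after the evaluator sealed it")
    stream = keystream(prf(section_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


class AccessEvaluator:
    def __init__(self, rules, secret_key, section_key):
        self.rules = rules              # (user id, lock id) -> sequence number
        self.secret_key = secret_key    # shared with the lock only
        self.section_key = section_key  # shared with the lock only

    def handle_request(self, user_id, lock_id):
        seq = self.rules.get((user_id, lock_id))      # evaluate step 41
        if seq is None:
            return None                               # access denied
        credential_id = os.urandom(8)                 # generate step 42
        rights = json.dumps({"locks": [lock_id], "seq": seq}).encode()
        # Returned for transmission to the gateway; no copy is kept here,
        # which mirrors generate-on-demand plus delete step 45.
        return {
            "id": credential_id,
            "section": seal(self.section_key, rights),            # step 43
            "verification": verification_section(self.secret_key,
                                                 credential_id),
        }


class Lock:
    def __init__(self, lock_id, secret_key, section_key):
        self.lock_id = lock_id
        self.secret_key = secret_key
        self.section_key = section_key
        self.min_seq = 0  # highest sequence number accepted so far

    def evaluate(self, credential) -> bool:
        expected = verification_section(self.secret_key, credential["id"])
        if not hmac.compare_digest(expected, credential["verification"]):
            return False  # credential identifier not vouched for
        try:
            rights = json.loads(unseal(self.section_key, credential["section"]))
        except ValueError:
            return False  # section altered, e.g. by the relaying node
        if self.lock_id not in rights["locks"]:
            return False
        if rights["seq"] < self.min_seq:
            return False  # key of an earlier occupant
        self.min_seq = rights["seq"]  # invalidates all earlier sequence numbers
        return True


def build_demo():
    # Constructed sample data: two guests of the same room, bob being the later one.
    secret_key, section_key = os.urandom(32), os.urandom(32)
    rules = {("alice", "room-101"): 1, ("bob", "room-101"): 2}
    return (AccessEvaluator(rules, secret_key, section_key),
            Lock("room-101", secret_key, section_key))
```

The verification section as described covers only the credential identifier, so integrity of the access rights rests on the authenticated encryption of the section itself.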

[0059] In a transmit credential step 44, the access evaluator transmits a valid access credential for the lock to a gateway being proximate to the lock. The gateway is not the same device as the application server. The valid access credential is in a format which complies with mobile credentials (and optionally card-based credentials) usable with the lock. The credential is valid in the sense that it can be used to unlock the lock in a credential evaluation procedure as described above. By providing the valid access credential in compliance with mobile credentials/card-based credentials, no modification is needed to be done to the lock.

[0060] In an optional delete step 45, the access evaluator deletes the valid access credential from the access evaluator. This is performed after the step of transmitting the valid access credential, since the access credential is needed for the transmission. When step 42 and this step are implemented, the credential is only present in the access evaluator for a short time, which significantly reduces the risk that a hacker could gain access to any particular credential.

[0061] In an optional receive audit trail data step 46, the access evaluator receives audit trail data from the gateway.

[0062] In an optional provide audit trail data step 48, the access evaluator provides audit trail data to the application server, based on the audit trail data received from the gateway (in step 46). The audit trail data provided to the application server can be identical to or a subset of the audit trail data received from the gateway.

[0063] Fig 4 is a schematic diagram illustrating components of the access evaluator 1 of Fig 1 according to one embodiment. A processor 60 is provided using any combination of one or more of a suitable central processing unit (CPU), multiprocessor, microcontroller, digital signal processor (DSP), etc., capable of executing software instructions 67 stored in a memory 64, which can thus be a computer program product. The processor 60 could alternatively be implemented using an application specific integrated circuit (ASIC), field programmable gate array (FPGA), etc. The processor 60 can be configured to execute the method described with reference to Fig 3 above.

[0064] The memory 64 can be any combination of random-access memory (RAM) and/or read-only memory (ROM). The memory 64 also comprises persistent storage, which, for example, can be any single one or combination of magnetic memory, optical memory, solid-state memory or even remotely mounted memory.

[0065] A data memory 66 is also provided for reading and/or storing data during execution of software instructions in the processor 60. The data memory 66 can be any combination of RAM and/or ROM.

[0066] The access evaluator 1 further comprises an I/O interface 62 for communicating with external and/or internal entities. Optionally, the I/O interface 62 also includes a user interface.

[0067] Other components of the access evaluator 1 are omitted in order not to obscure the concepts presented herein.

[0068] Fig 5 shows one example of a computer program product 90 comprising computer readable means. On this computer readable means, a computer program 91 can be stored, which computer program can cause a processor to execute a method according to embodiments described herein. In this example, the computer program product is an optical disc, such as a CD (compact disc) or a DVD (digital versatile disc) or a Blu-Ray disc. As explained above, the computer program product could also be embodied in a memory of a device, such as the computer program product 64 of Fig 4. While the computer program 91 is here schematically shown as a track on the depicted optical disk, the computer program can be stored in any way which is suitable for the computer program product, such as a removable solid-state memory, e.g. a Universal Serial Bus (USB) drive.

[0069] Here now follows another perspective comprising itemised embodiments enumerated with roman numerals.

[0070] i. A method for evaluating access to a physical space secured by a lock, the method being performed in an access evaluator and comprising the steps of: receiving an access request from an application server, the access request comprising a user identifier and a lock identifier; evaluating, based on the user identifier and the lock identifier, whether access is to be granted; and transmitting a valid access credential for the lock to a gateway being proximate to the lock when access is granted.

[0071] ii. The method according to item i, wherein the valid access credential is in a format which complies with mobile credentials usable with the lock.

[0072] iii. The method according to item i or ii, further comprising the step of: receiving audit trail data from the gateway.

[0073] iv. The method according to item iii, further comprising the step of: providing audit trail data to the application server.

[0074] v. The method according to any one of the preceding items, further comprising the steps of: generating the valid access credential after the step of evaluating; and deleting the valid access credential from the access evaluator after the step of transmitting the valid access credential.

[0075] vi. An access evaluator for evaluating access to a physical space secured by a lock, the access evaluator comprising: a processor; and a memory storing instructions that, when executed by the processor, cause the access evaluator to: receive an access request from an application server, the access request comprising a user identifier and a lock identifier; evaluate, based on the user identifier and the lock identifier, whether access is to be granted; and transmit a valid access credential for the lock to a gateway being proximate to the lock when access is granted.

[0076] vii. The access evaluator according to item vi, wherein the valid access credential is in a format which complies with mobile credentials usable with the lock.

[0077] viii. The access evaluator according to item vi or vii, further comprising instructions that, when executed by the processor, cause the access evaluator to: receive audit trail data from the gateway.

[0078] ix. The access evaluator according to item viii, further comprising instructions that, when executed by the processor, cause the access evaluator to: provide audit trail data to the application server.

[0079] x. The access evaluator according to any one of items vi to ix, further comprising instructions that, when executed by the processor, cause the access evaluator to: generate the valid access credential prior to executing the instructions to evaluate; and delete the valid access credential from the access evaluator after executing the instructions to transmit the valid access credential.

[0080] xi. A computer program for evaluating access to a physical space secured by a lock, the computer program comprising computer program code which, when run on an access evaluator causes the access evaluator to: receive an access request from an application server, the access request comprising a user identifier and a lock identifier; evaluate, based on the user identifier and the lock identifier, whether access is to be granted; and transmit a valid access credential for the lock to a gateway being proximate to the lock when access is granted.

[0081] xii. A computer program product comprising a computer program according to item xi and a computer readable means on which the computer program is stored.

[0082] The aspects of the present disclosure have mainly been described above with reference to a few embodiments. However, as is readily appreciated by a person skilled in the art, other embodiments than the ones disclosed above are equally possible within the scope of the invention, as defined by the appended patent claims. Thus, while various aspects and embodiments have been disclosed herein, other aspects and embodiments will be apparent to those skilled in the art. The various aspects and embodiments disclosed herein are for purposes of illustration and are not intended to be limiting, with the true scope and spirit being indicated by the following claims.