Each and every one of us relies daily on keys to gain access to our cars, homes, and offices, to snap open the lock on our bicycles, or unlatch our postal boxes. Hence, keys are undeniably an integral part of modern society. Today, most of these keys are still of the mechanical type, as are the associated locks.
Although widespread, these traditional, mechanical keys suffer from a number of shortcomings. First, in case of a security breach, such as loss of a key, unauthorized duplication, or deprecation of trust assumptions, the lock must be replaced. Second, a key is valid as long as the corresponding lock remains in place. For example, once an access right is given to an individual by handing him/her a key, that right cannot be revoked unless the key is returned or the lock changed. As a consequence of these limitations, traditional lock-and-key systems do not allow one to institute a time-based access policy, for example allowing access during office hours only, or protecting certain areas during certain times of the day. In the many environments where such requirements exist, traditional lock-and-key systems are no longer sufficient.
Clearly, traditional keys offer only inflexible and rather limited management possibilities, but they are widely available, very reliable, and reasonably cheap. Still, replacement solutions with higher flexibility and extensive management possibilities have been invented and found their way to the market. For example in hotels and enterprises, electronic locks and appropriate electronic keys are widely used, providing very flexible and rather quick management of access rights.
An example of a system using smartcards of different kinds is shown in Lee U.S. Pat. No. 5,204,663 to Applied Systems Institute, Inc., which discloses an access control system with integrated-circuit cards, i.e. smartcards, some of which have a memory to store key access information and so-called transaction information. Whereas the key access information here relates to the immediate use of the key, e.g. the present access code of the card, the transaction information relates to other activity, e.g. a log of previous use of the lock as it is recorded in the lock's memory, specific new access codes to be uploaded into specific locks, or a log of failed entry attempts of the card user. Some of this transaction information is transferred from the lock into the card's memory, some from the card into the lock, and some is just stored on the card for later readout.
One example of a lock which may be used in such an environment is the SaFixx smartlock, described on the Internet at http://acola.com, a lock made by ACOLA GmbH in Villingen-Schwenningen, Germany. The SaFixx smartlock even exhibits some specific properties (discussed below) that may make it quite useful in connection with the present invention.
Other examples can be found in the literature. All of them have one disadvantage. They require a kind of “direct” access to each and every electronic lock in the system, be it that the locks are connected by a cabling or radio network to a management center, or that one has to walk up to each lock and “reprogram” it manually or electronically, as with the SaFixx smartlock mentioned above or as with the system disclosed in the above-cited Lee U.S. Pat. No. 5,204,663. Either of these methods is burdensome: a network of cables to all locks in a hotel or a plant will usually cost more than the electronic locks themselves, a radio transmission system requires a transceiver and power in each and every lock and may thus be even more expensive (and failure-prone) than a cabling network, and walking to each and every lock may be simply impossible in a reasonable time frame.
Here, the invention intends to provide solutions. To summarize, it is an object of the present invention to avoid the above-described disadvantages and devise a reliable and flexible electronic lock-and-key system which has no need for “direct” (in the above sense) connections between locks and an associated management center controlling security within the system.
Another object is to simplify expansion of a given system when installing additional locks or other access or security devices, or to facilitate changes within a given system by installing new locks and/or exchanging existing ones.
A further object is to devise an architecture that allows a practically unlimited flexibility with regard to protocol changes or security updates between management center and locks. Such updates are necessary after a “successful” attack, or after card keys have been lost or stolen, or when security aspects of the system are changed, e.g. certain physical areas in a plant or lab become “restricted access” areas.
A specific object is to devise an architecture which allows an “on-the-fly” expansion of such a system.
The Invention
In essence, the novel approach according to the invention concentrates on using means, especially hardware, already existing in a usual electronic lock-and-key system. Access control information and other information that needs to be updated or changed is disseminated through the existing smartcard or similar keys and the existing locks, without any need for a connection between the latter and a central or distributed management center controlling this information. For this, a suitably adapted networking protocol is used and, wherever appropriate, cryptography to protect the system against possible attacks.
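The following simulation is an added illustration of the dissemination described above and of the two-way transaction information of the Lee patent (updates carried from the center to the locks, logs carried from the locks back to the center); it is not code from the present invention or from any of the cited products. It assumes a scheme the text does not specify: the management center derives a per-lock HMAC key from one master secret, each update carries a per-lock sequence number so that a replayed or stale update is ignored, each lock signs the log entries it writes onto a card, and a lock copies updates addressed to other locks onto every passing card (a store-and-forward step that is an assumption here). The names, cards, and timestamps are constructed.

```python
"""Store-and-forward propagation of access-control updates via cards (added example)."""
import hashlib
import hmac
import json

# Assumption: the management center holds one master secret and derives a
# per-lock key from it; the text does not specify this scheme.
MASTER_KEY = b"constructed-master-secret"


def lock_key(lock_id):
    return hmac.new(MASTER_KEY, lock_id.encode(), hashlib.sha256).digest()


def mac(key, payload):
    """HMAC-SHA256 over a canonical JSON encoding of the message."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def new_card(card_id):
    # A card carries updates from the center to locks and logs from locks back.
    return {"id": card_id, "updates": [], "log": []}


class ManagementCenter:
    def __init__(self):
        self.seq = {}      # last sequence number issued per lock
        self.outbox = []   # updates not yet written onto any card

    def issue(self, lock_id, grant=(), revoke=()):
        seq = self.seq.get(lock_id, 0) + 1
        self.seq[lock_id] = seq
        payload = {"lock": lock_id, "seq": seq,
                   "grant": sorted(grant), "revoke": sorted(revoke)}
        self.outbox.append({"payload": payload, "mac": mac(lock_key(lock_id), payload)})

    def load_card(self, card):
        card["updates"].extend(self.outbox)
        self.outbox = []

    def read_card(self, card):
        """Collect log entries whose MAC verifies under the originating lock's key."""
        entries = [e["entry"] for e in card["log"]
                   if hmac.compare_digest(e["mac"], mac(lock_key(e["entry"]["lock"]), e["entry"]))]
        card["log"] = []
        return entries


class Lock:
    def __init__(self, lock_id, allowed):
        self.id, self.key = lock_id, lock_key(lock_id)
        self.allowed, self.seq = set(allowed), 0
        self.relay = []    # assumption: updates for other locks are copied onto passing cards

    def _apply(self, upd):
        p = upd["payload"]
        if p["lock"] != self.id:
            if upd not in self.relay:
                self.relay.append(upd)
            return
        if not hmac.compare_digest(upd["mac"], mac(self.key, p)):
            return   # forged or tampered update: ignored
        if p["seq"] <= self.seq:
            return   # replayed or stale update: ignored
        self.seq = p["seq"]
        self.allowed = (self.allowed - set(p["revoke"])) | set(p["grant"])

    def present(self, card, t):
        for upd in list(card["updates"]):
            self._apply(upd)
        for upd in self.relay:
            if upd not in card["updates"]:
                card["updates"].append(upd)
        granted = card["id"] in self.allowed
        entry = {"lock": self.id, "card": card["id"], "t": t, "granted": granted}
        card["log"].append({"entry": entry, "mac": mac(self.key, entry)})
        return granted


def scenario():
    """Constructed walk-through; returns the access decisions and the read-out logs."""
    center, lab, store = ManagementCenter(), Lock("lab", {"alice", "bob"}), Lock("store", {"bob"})
    alice, bob, mallory = new_card("alice"), new_card("bob"), new_card("mallory")
    center.issue("lab", revoke=["bob"])       # bob's card reported lost
    center.issue("store", grant=["alice"])
    center.load_card(alice)                   # only alice's card visits the center
    d = [lab.present(alice, 1),    # lab applies its update, keeps store's for relay
         lab.present(bob, 2),      # bob refused; his card picks up the store update
         store.present(bob, 3),    # store learns alice's grant from bob's card
         store.present(alice, 4)]
    center.issue("store", revoke=["alice"])   # seq 2 supersedes the grant
    center.load_card(bob)
    d += [store.present(bob, 5),
          store.present(alice, 6)]            # the seq-1 grant still on her card is stale
    forged = {"payload": {"lock": "store", "seq": 3, "grant": ["mallory"], "revoke": []},
              "mac": "00" * 32}
    mallory["updates"].append(forged)
    d.append(store.present(mallory, 7))       # bad MAC: ignored
    bob["log"][0]["entry"]["granted"] = True  # tampering with a log entry breaks its MAC
    return d, center.read_card(alice), center.read_card(bob)


if __name__ == "__main__":
    print(scenario())
```

The point of the sequence number is that a card holding an old, genuine "grant" message cannot restore an access right after a later "revoke" has reached the lock; the point of signing log entries at the lock is that the center can tell a genuine lock log from one edited on the card in between.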
In the following, the primary innovation, namely the propagation of access control information in cable-free environments, is discussed in more detail. It is also described how cost effective and easily manageable electronic locks can be generally implemented. Thereafter, attacks and implied security assumptions of such a system are discussed.
Contrary to most current electronic security systems, the system disclosed in this document does not require fixed network connectivity of any kind, be it wire-based or radio-based. Consequently, cost associated with cabling or radio transmission equipment is eliminated. Experience shows that this cost can be an order of magnitude higher than the cost of the locks themselves. It should be mentioned here that in this document the term “key” does not designate the traditional metallic key but rather any arbitrary carrier of information, e.g. smartcards or IBM's JavaCard. Similarly, the term “lock” will usually designate an electronic lock.
Instead of the locks receiving electrical power via a fixed cable, the required energy to operate the lock can be delivered either through the user's key or through a battery embedded in the lock or door. Clearly, in such a construction, power consumption must be kept to a strict minimum so that batteries last at least a few years. Electronic locks exhibiting the desired physical properties such as tamper resistance, operational reliability and long battery life already exist on the market. The above-mentioned SaFixx smartlock is an example of a lock exhibiting these properties. The present invention emphasizes the logical aspects of cable-free lock constructions, not so much the physical design.