The present disclosure relates generally to access control systems, and more particularly, to a system and a method of programming an access control.
An access control system is typically operated by encoding data on a physical key card that indicates access rights. Some access control systems are online, meaning the access control reader that reads key cards has some means to communicate with the access control system. In online systems the access rights are usually a reference identifier. An example is a building entry system where an employee uses an RFID badge to access a door; the door has a reader with means to convey the badge id into a networked access control system, which has means to permit or deny access based on the access rights associated with the reference identifier and additionally based upon the time and date allowed for access. In this example, the reader does not have means to determine the time and date, but the access control system does. Other access control systems are offline, and the access rights are encoded as data that can be decoded and interpreted by the offline access control lock to retrieve the access rights. An example is a hotel locking system where a front desk encodes a guest card and an offline, battery-powered lock on a guest room door has the means to decode the key card and permit or deny access based on the encoded access rights and on the time and date allowed for access. In this example, the door lock has means to determine time and date. Some methods of encoding access rights include sequencing, where subsequent access rights carry a sequence number that is greater than that of the prior access rights. Other methods of encoding access rights include an expiration window, where the access rights will not provide access before a certain date and time or after another certain date and time.
Conventional access control systems utilize encryption, e.g., AES, RSA, ECC, etc., to perform cryptographic operations to authenticate communications with physical cards or virtual cards passed over Near Field Communications (NFC) or Bluetooth. Additionally, encryption is also used to encode data on the key card, where the access rights may be encoded as encrypted data or as a digital certificate which may itself be encrypted. Sometimes the keys used for authenticating cards are different from the encryption keys used to encode data on the cards. Locks, readers and encoders require these various encryption keys to be programmed before entry into service, and the keys are occasionally changed as part of normal encryption key management. Management of these encryption keys requires a programming device and a programming operation to program the encryption keys that are specific to the access control system being put into service. A conventional method of setting keys in a reader or lock is to use a programming device. Another conventional method is to use a single configuration card that carries the new keys rather than access rights. The card can be read by an online reader, but since the reader does not have a real-time clock, it cannot expire the configuration card even if an expiration window is encoded on the card. In some cases, a reader that is part of a lock may not be able to expire the configuration card either, as the reader is a module that does not have means to get the time and date from the lock. Because the configuration card may not expire, it needs to be carefully controlled. Another conventional approach is to preload the specific encryption keys in the factory and pre-configure the lock for the property before it is put into service; however, this creates an operational process that can be cumbersome for a factory to manage.
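The sequencing and expiration-window checks of an offline lock, and the failure mode of a reader module that has no real-time clock and therefore cannot expire a card, can be modelled as follows. This is an added illustration, not code from the disclosure; the field names, the door identifier and the sample cards are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed model of the offline-lock scheme described above (hypothetical
# names, not any vendor's card format): access rights carry a sequence number
# and an expiration window; the lock remembers the highest sequence number it
# has accepted so that an older key card is superseded by a newer one.

@dataclass(frozen=True)
class AccessRights:
    door_id: str
    sequence: int        # must not be lower than the lock's last accepted value
    not_before: datetime
    not_after: datetime

class OfflineLock:
    def __init__(self, door_id: str) -> None:
        self.door_id = door_id
        self.last_sequence = 0  # highest sequence number accepted so far

    def evaluate(self, rights: AccessRights, now: Optional[datetime]) -> str:
        """Return the access decision. `now=None` models a reader module
        that has no real-time clock and so cannot enforce the window."""
        if rights.door_id != self.door_id:
            return "deny: wrong door"
        if rights.sequence < self.last_sequence:
            return "deny: superseded by a newer card"
        if now is None:
            # No clock: the window is present on the card but cannot be
            # evaluated, so the card never expires on this device.
            self.last_sequence = rights.sequence
            return "grant: window not enforced (no clock)"
        if now < rights.not_before:
            return "deny: not yet valid"
        if now > rights.not_after:
            return "deny: expired"
        self.last_sequence = rights.sequence
        return "grant"

def demo() -> dict:
    """Constructed sample: a guest card, then a replacement card for the same room."""
    lock = OfflineLock("room-101")
    card1 = AccessRights("room-101", 7, datetime(2024, 5, 1, 15), datetime(2024, 5, 3, 11))
    card2 = AccessRights("room-101", 8, datetime(2024, 5, 3, 15), datetime(2024, 5, 5, 11))
    return {
        "early": lock.evaluate(card1, datetime(2024, 5, 1, 9)),
        "checked_in": lock.evaluate(card1, datetime(2024, 5, 2, 20)),
        "next_guest": lock.evaluate(card2, datetime(2024, 5, 4, 8)),
        "old_card_reused": lock.evaluate(card1, datetime(2024, 5, 4, 9)),
        "reader_without_clock": OfflineLock("room-101").evaluate(card1, None),
    }
```

The last entry shows why an unexpiring configuration card must be tightly controlled: without a clock, the device accepts it indefinitely even though a window is encoded.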
High-security RFID systems are available to replace older, less secure technologies. For example, MIFARE Plus uses high-security AES 128-bit encryption keys and is an upgrade from MIFARE Classic, which uses 48-bit keys for a proprietary encryption algorithm. However, locks and readers can be made that support both MIFARE Plus and MIFARE Classic. In some cases there is a need to switch the reader into a high-security-only mode and optionally to set the high-security encryption keys.
It would be advantageous to be able to operate high-security locks with legacy software systems, to minimize the operational impact of upgrading the entire system all at once. Additionally, it would be advantageous to have a secure process for upgrading or rolling keys that uses a card, does not depend on a programmer or other special device, and does not require pre-configuration in a factory. Additionally, it would be advantageous to have a configuration card that expires for all types of devices.