1. Field of the Invention
The present invention relates to a secured system of access checking that enables the automatic transfer of entitlement to produce keys.
The invention can be applied especially in the field of the checking of access to buildings, computer systems or any kind of object for which the opening or use has to be checked.
2. Description of the Related Art
Patent application PCT/FR95/00935, published under number WO96/029899, is known; it describes an access checking system limited to authorized and renewable time slots.
This system relies on the use of portable storage carriers such as flush-contact or contact-free chip cards (integrated circuit cards), magnetic cards, badges and electronic keys with or without contact. These carriers are distributed to all users to whom access is to be authorized.
For this purpose, the magnetic carriers have a memorized electronic key giving a right of access.
This key has a data element corresponding to an access authorization period and a digital signature of this data element. The period of use corresponds in practice to a date of use and to a time slot of use, so that the key is valid only for one day and for the defined time slot.
These keys have a short lifetime and are especially well suited to applications such as the distribution and collection of mail by a postman. The user of such a carrier must recharge his carrier with a new valid key every day.
The problem of the theft and loss of an information carrier comprising a key of this kind no longer arises since the lifetime of the logic key is ephemeral.
Anyone who has found or stolen the carrier will no longer be able to use it the next day. Consequently, it is no longer even necessary to keep a black list of all the carriers that have been stolen or lost.
This access checking system is highly efficient in applications where no permanent access right or very long-term access right has to be provided. However, if this is not the case, the system proves to be unsuitable.
Earlier checking systems propose the keeping of a black list for stolen or lost carriers in order to prevent the unauthorized persons who hold such carriers from accessing the protected unit.
The maintaining of such lists requires action on the electronic locks: the identification numbers of the carriers that are stolen or lost must be recorded on these locks after their holder has reported the loss. Such action is a source of constraint.
Should a person who is entitled to produce electronic keys and record them on the storage carriers have his entitlement withdrawn (in the case of right of access to a building, this could be for example because of a change in the managing agent or manager of the building), the transfer of entitlement to another person makes it necessary to provide all users who had access rights with new carriers on which the electronic keys are computed with the key-producing means possessing the new entitlement.
This is a constraint that leads to substantial costs.
The secured access checking system according to the invention can be used to resolve this problem. The carriers delivered always remain valid, even in the event of a transfer of entitlement to another person or, more specifically, to another key-producing means.
An object of the invention more particularly is a system of access checking by means of a portable storage carrier C on which an electronic key CL is recorded, comprising means LE for the production of the electronic keys and a means fulfilling an electronic lock L function capable of authorizing access should the storage carrier contain the requisite electronic key. According to the invention, the production means comprise an information element HA for entitlement to produce the keys CL, including a public key K, and the digital signature CER of this information element; a transfer of entitlement to new production means is made by the recording of a new public key K′ and the corresponding signature CER′. This new public key is, after verification of the entitlement, recorded in the electronic lock L, which verifies the keys CL produced by these means LE.
According to another particular feature, the data elements pertaining to the production means comprise an identification data element ID, a period of validity VAL and the public key K, the period of validity assigned to the former key K having an ending date that corresponds to the starting date of validity of the period of validity of the new key K′, this ending date possibly being later than the starting date (for example later by one month).
Advantageously, for the verification of a new version of a key K′ with a signature CER′, the lock compares and replaces the ending date of the period of validity of the former key with the starting date of validity of the next key (the new key).
The public keys K and K′ are obtained by the authority through a production function FKA with public key KA, using a secret key ka. The lock has, in memory, at the time of verification, a verification function VKA and the key KA for the verification of these signatures CER or CER′.
The lock verifies any new entitlement.
Thus, when a new production means is in service, this means is declared to the lock which will check the keys produced by this means.
For this purpose, the authority records the entitlement certificate in the lock and the key KA that it has used for the computation. The production means may itself record its entitlement in the lock.
Carriers for which the keys have been produced fraudulently using means that no longer possess entitlement do not permit access to the units protected.
Indeed, the transfer of entitlement is done by the secured loading of a new public key into the lock.
The previous public keys are in principle preserved unless the production algorithm has been broken or the secret key of the pair formed by the secret key and the public key has been discovered.
According to another characteristic, an electronic signature S is computed from an algorithm with a secret key k and from a corresponding public key K by production means LE, and the lock has, in memory, the public key K, a function VK for the verification of this signature S and a means to implement this verification function.
The electronic key CL recorded in a carrier has a data element identifying the user and a data element identifying the carrier; the latter is, for example, the serial number of manufacture of the carrier. The key further comprises the electronic signature of these data elements.
Other advantages and particular features of the invention shall appear from the following description given by way of a non-exhaustive indication with reference to the appended drawing of FIG. 1 which shows the diagram of a secured access checking system according to the object of the invention.
It is specified that the term “authority” is understood to mean an organization possessing secret keys and means capable of delivering public keys and entitlement data elements.
The term “secret key” is understood to mean a digital data element that is known only by a unit of the authority or of the production means.
The term “public key”, KA, K, K′, is understood to mean a digital data element shared among several users, the authority and the means of production of the electronic keys, or the means of production and the electronic lock.
The term “key production means” LE is understood to mean a digital data processing machine, for example a microcomputer, possessing an entitlement information element HA and having computation means to obtain the digital signature, implementing functions such as a conventional public-key algorithm.
The term “electronic key” or “logic key” CL is understood to mean one or more digital data elements accompanied by their digital signature giving right to access.
The invention is described by way of an example in its application to the management of access to buildings.
Reference may be made to the diagram of FIG. 1 for a clearer understanding.
The storage carriers C comprising the electronic keys distributed to authorized users could be chip cards, chip keys, badges or magnetic cards. The transmission between the carrier C and the lock L may be done through electronic contacts, by radioelectric means or by the reading of a magnetic tape.
By way of an example, a chip card has been chosen as a carrier.
It has an input/output interface I/O 100 and an electrically recordable non-volatile memory 101.
In the example described, the customization of a carrier C consists especially of the recording in the memory of an identification information element IDA of the user A comprising, for example, his name, the number of his apartment and the specific data element DpA that is assigned to him. In a preferred exemplary embodiment, this data element DpA is the date of customization of his storage carrier.
A recording is also made in the memory of an information element identifying the carrier. It is, for example, the serial number NS of manufacture of the carrier. In general, this information element is entered at the end of manufacture, before the carrier is handed over to the authority AT.
The customization of the carriers is done by the machine LE (and the person who uses it) possessing an entitlement HA (ID, KA, CER, K).
The production machine LE is for example formed by a PC type microcomputer provided with a card reader.