NZ743638B - Method for operating an access control system comprising a server, at least one access control device and at least one point of sale device for access permissions for the area covered by the access control system - Google Patents
- Publication number
- NZ743638B
- Authority
- NZ
- New Zealand
- Prior art keywords
- point
- access
- server
- access control
- sales device
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/04—Payment circuits
- G06Q20/047—Payment circuits using payment protocols involving electronic receipts
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/08—Payment architectures
- G06Q20/12—Payment architectures specially adapted for electronic shopping systems
- G06Q20/127—Shopping or accessing services according to a time-limitation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/08—Payment architectures
- G06Q20/18—Payment architectures involving self-service terminals [SST], vending machines, kiosks or multimedia terminals
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/08—Payment architectures
- G06Q20/20—Point-of-sale [POS] network systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/401—Transaction verification
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07B—TICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
- G07B15/00—Arrangements or apparatus for collecting fares, tolls or entrance fees at one or more control points
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C2209/00—Indexing scheme relating to groups G07C9/00 - G07C9/38
- G07C2209/08—With time considerations, e.g. temporary activation, valid time window or time limitations
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/20—Individual registration on entry or exit involving the use of a pass
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/20—Individual registration on entry or exit involving the use of a pass
- G07C9/27—Individual registration on entry or exit involving the use of a pass with central registration
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/108—Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
Abstract
access control systems, in the event of a network failure, no access permissions can be sold, since these cannot be generated and encrypted by the sales outlets, because the algorithms for generating and encrypting access privileges are stored on a server in the network. One solution is a method for operating an access control system comprising a server, at least one access control device and at least one point of sales device for access permissions for the area covered by the access control system, in which an algorithm for generating and encrypting the access permissions is installed on the at least one point of sales device, wherein said algorithm can only be locally executed if it is unlocked by means of a key, wherein when powering up or switching on a point of sales device, the key is transmitted to the point of sales device by the server, wherein if a point of sales device is not connected to the server, the algorithm installed on the point of sales device is executed using the key, wherein by means of the algorithm an access permission is generated, encrypted and marked as an offline-generated access permission, which is encoded onto a customer medium using an encoding device of the point of sales device, wherein if an access control is carried out while the point of sales device is not connected to the server, the offline-generated access permission is read out by an access control device, wherein based on the labelling as an offline-generated access permission, it is identified as such and the validity of the access permission is verified on the basis of the data encoded by the point of sales device.
Description
METHOD FOR OPERATING AN ACCESS CONTROL SYSTEM
COMPRISING A SERVER, AT LEAST ONE ACCESS CONTROL DEVICE
AND AT LEAST ONE POINT OF SALE DEVICE FOR ACCESS
PERMISSIONS FOR THE AREA COVERED BY THE ACCESS
CONTROL SYSTEM
Field
The present invention relates to a method for operating an access control system
comprising a server, at least one access control device and at least one point of sale device for
access permissions for the area covered by the access control system.
Background
From the prior art, access control systems are known which have a server and at least one
access control device which is connected to the server for the purpose of data communication.
For selling the access permissions for the area covered by the access control system, points of
sales are provided, wherein when an access permission is purchased, the access permission is
encoded onto a customer medium by means of a point of sales device connected to the server for
the purpose of data communication using an encoding device, by means of an RFID standard,
preferably the ISO 15693 standard. In this case, the access permission is generated and encrypted
in the server.
Summary of Invention
According to the prior art the algorithms for the generation and encryption of access
privileges are stored on the server and are not distributed to the point of sales devices connected
to the server for the purpose of communication. The access permissions are generated and
encrypted in the server and are encoded onto the customer medium via the point of sales devices
connected to the server for the purpose of data communication, wherein after the coding of the
access permissions information concerning the validity of the respective access permissions is
transmitted from the server to the access control devices.
16514045
Disadvantageously, in the event of a network failure, i.e. in an offline mode of the point
of sales devices, no access permissions can be sold, since according to the prior art these cannot
be generated and encrypted by the sales outlets.
A need of the present invention is to specify a method for operating an access control
system comprising a server, at least one access control device and at least one point of sales
device for access permissions for the area covered by the access control system, by the execution
of which for the case when a point of sales device of an access control system is in an offline
mode, the operation of the access control system and, in particular, the sale of access
permissions, is maintained.
It is an object of the present invention to meet this need or to substantially overcome, or
at least ameliorate, one or more disadvantages of existing arrangements.
Consequently, a method is proposed for operating an access control system comprising a
server, at least one access control device and at least one point of sales device for access
permissions for the area covered by the access control system, in the context of which the
algorithm for generating and encrypting the access permissions is installed on the at least one
point of sales device, wherein the algorithm can only be executed locally, i.e. in the at least one
point of sales device, if it is unlocked using a key.
According to the invention, when powering up or switching on a point of sales device, the
key for unlocking the algorithm for generating and encrypting access permissions, which is
installed in the point of sales device, is transferred from the server to the point of sales device,
wherein in the online case, i.e. when the point of sales device is connected to the server, the point
of sales device requests an access permission from the server, which is generated and encrypted
in the server and transmitted from the server to the point of sales device, wherein the access
permission is encoded on a customer medium using an encoder device of the point of sales
device. Subsequently, the information concerning the validity of the coded access permission is
transmitted from the server to the at least one access control device, wherein for the purpose of
access control the access permission is read out by the respective access control device and the
validity of the access permission is verified on the basis of the information transmitted from the
server.
In the offline case, i.e. when a point of sale device is not connected to the server, the
algorithm installed on the point of sales device is executed using the key for unlocking the
algorithm installed on the point of sales device, wherein by means of the algorithm installed on
the point of sale device an access permission is generated, encrypted and labelled as an
offline-generated access permission, wherein this access permission is then encoded onto a customer
medium using the encoding device of the point of sales device.
If an access control is performed while the point of sale device is not connected to the
server, the offline-generated access permission is read out by an access control device, wherein
on the basis of the labelling as an offline-generated access permission it is recognized as such,
wherein the validity of the access permission is verified on the basis of the data encoded by the
point of sales device.
If the point of sales device is subsequently in an online mode, which corresponds to the
normal operating state, the information concerning the access permissions generated by the point
of sales device in the offline mode is transmitted from the point of sales device to the server,
which in turn transmits the information concerning the validity of the access permissions to the
at least one access control device.
If after the point of sale device has changed into the online mode an access control
process takes place with an access permission generated by the point of sale device in the offline
mode, the offline-generated access permission is read out of the customer medium by the access
control device, wherein an access permission is encoded onto the customer medium based on the
information transmitted by the server, and the validity of the access permission is then verified.
As part of an extension of the invention, it is provided that if an access control is
performed while the point of sale device is not connected to the server, a time-restricted validity,
namely the information that the access permission becomes invalid after a specified time, is
encoded onto the customer medium by the access control device, wherein the time-restricted
validity is removed if an access control operation takes place after the point of sale device has
changed into the online mode.
Brief Description of the Drawings
In the following an embodiment of the invention is described in greater detail on the basis
of the attached figure, which shows a sequence diagram to illustrate the features of the method
according to the invention.
Detailed Description
According to the invention the algorithm for generating and encrypting the access
permissions is installed on the at least one point of sales device of the access control system,
wherein the algorithm installed on the at least one point of sales device can only be executed if it
is unlocked using a key. Referring to the attached figure, when powering up or switching on a
point of sales device 1, the key for unlocking the algorithm installed in the point of sales device 1
for generating and encrypting access permissions is transmitted from the server 3 to the point of
sales device 1 (step 1).
If the point of sales device 1 is in the online mode, the point of sales device 1 requests
from the server 3 an access permission, which is generated and encrypted in the server 3 and
transmitted from the server 3 to the point of sales device (step 2), wherein the access permission
is then encoded on a customer medium (step 3) using an encoding device 2 of the point of sales
device 1.
Subsequently, the information concerning the validity of the coded access permission is
transmitted from the server 3 to the at least one access control device 4 of the access control
system (step 4), wherein for the purpose of access control the access permission is read out by
the respective access control device (step 5) and the validity of the access permission is verified
on the basis of the information transmitted by the server 3.
When a point of sale device is in an offline mode, the algorithm installed on the point of
sales device 1 is executed using the key for unlocking the algorithm installed in the point of sales
device 1, wherein by means of the algorithm installed on the point of sales device 1 an access
permission is generated, encrypted and labelled as an offline-generated access permission (step
7), wherein this access permission is then encoded onto a customer medium by the encoding
device of the point of sales device (step 8).
In the event of an access control while the point of sale device 1 is not connected to the
server 3, the offline-generated access permission is read out (step 9) by an access control device,
wherein on the basis of the labelling as an offline-generated access permission it is recognized as
such, the validity of which is verified (step 10) on the basis of the data encoded by the encoding
device 2 of the point of sales device 1 and a time-restricted validity restriction, namely the
information that the access permission becomes invalid after a specified time, is encoded onto
the customer medium (step 11).
If the point of sales device 1 then changes into the online mode, the information
concerning the access permissions generated by the point of sales device 1 in the offline mode is
transmitted from the point of sales device 1 to the server 3 (step 12), where the server 3 transmits
the information about the validity of the access permissions to the at least one access control
device 4 of the access control system (step 13).
In the event of a subsequent access control with an access permission generated by the
point of sales device 1 in the offline mode, i.e. without a connection to the server 3, the
offline-generated access permission is read out by an access control device (step 14), wherein if a
time-restricted validity was encoded on the customer medium, which means that the customer
medium was verified by an access control device 4 during the offline mode of the point of sales
device 1, the time-restricted validity is removed and an access permission is encoded onto the
customer medium based on the information transmitted from the server 3 (step 15), wherein the
validity of the access permission is then checked.
If the customer medium was not verified during the offline mode of the point of sales
device 1, i.e. if no time-restricted validity is encoded on the customer medium, an access
permission is encoded on the customer medium (step 16) based on the information transmitted
from the server concerning the validity of the access permission, wherein the validity of the
access permission is then checked.
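The offline path of the embodiment (steps 1 and 7 to 16) as a runnable sketch; this is an added example, not code from the patent or from the applicant. Assumptions: the patent names no cipher and no key distribution to the access control device, so HMAC-SHA256 stands in for the "encryption", the gate is assumed to hold the same key, the customer medium is a plain dict, and `OFFLINE_GRACE_S` and the gate-written `exp_tag` are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

OFFLINE_GRACE_S = 4 * 3600  # assumed length of the time-restricted validity


def tag(key, body):
    # HMAC-SHA256 stands in for the patent's unspecified encryption step.
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Server:
    def __init__(self):
        self.key = secrets.token_bytes(32)  # unlock key, assumed shared with gates
        self.valid = set()                  # permission ids the server vouches for

    def issue(self):                        # step 2: online generation
        pid = secrets.token_hex(8)
        self.valid.add(pid)
        return {"id": pid, "offline": False}


class PointOfSale:
    def __init__(self):
        self.key = None                     # algorithm is locked until step 1
        self.unsynced = []

    def power_up(self, server):             # step 1: key sent at power-up
        self.key = server.key

    def sell(self, medium, server=None):
        medium.clear()
        if server is not None:              # online: steps 2-3
            medium.update(server.issue())
            return
        if self.key is None:
            raise RuntimeError("algorithm locked: no key received")
        body = {"id": secrets.token_hex(8), "offline": True}    # step 7
        medium.update(body, tag=tag(self.key, body))            # step 8
        self.unsynced.append(body["id"])

    def sync(self, server):                 # step 12: report offline sales
        server.valid.update(self.unsynced)
        self.unsynced = []


class Gate:
    def __init__(self, key):
        self.key = key                      # assumption: same key as the POS
        self.valid = set()                  # validity info pushed by the server

    def push_validity(self, server):        # steps 4 and 13
        self.valid = set(server.valid)

    def _ok(self, body, given):
        return hmac.compare_digest(tag(self.key, body).encode(), str(given).encode())

    def check(self, medium, now):
        pid = medium.get("id")
        if pid in self.valid:               # steps 5 and 14-16
            medium.clear()                  # drops any time restriction
            medium.update({"id": pid, "offline": False})
            return True
        if medium.get("offline") is not True:
            return False
        if not self._ok({"id": pid, "offline": True}, medium.get("tag")):
            return False                    # step 10 failed
        if "expires" not in medium:         # step 11: first offline control
            exp = now + OFFLINE_GRACE_S
            medium.update(expires=exp, exp_tag=tag(self.key, {"id": pid, "expires": exp}))
        exp = medium["expires"]
        if not self._ok({"id": pid, "expires": exp}, medium.get("exp_tag")):
            return False                    # expiry was altered on the medium
        return now < exp
```

The expiry written in step 11 is authenticated by the gate here because the medium is writable by its holder; the patent text itself does not say how that field is protected.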
Claims (2)
1. A method for operating an access control system comprising a server, at least one access control device and at least one point of sale device for access permissions for the area covered by the access control system, wherein an algorithm for generating and encrypting the access permissions is installed on the at least one point of sale device, wherein the algorithm installed on the at least one point of sale device can only be executed locally, i.e. in the at least one point of sale device, if it is unlocked using a key, wherein when powering up or switching on a point of sale device the key for unlocking the algorithm for generating and encrypting access permissions installed in the point of sales device is transmitted from the server to the point of sales device, wherein if a point of sales device is connected to the server, the point of sales device requests from the server an access permission, which is generated and encrypted in the server and transmitted from the server to the point of sales device, wherein the access permission is then encoded via an encoding device of the point of sales device onto a customer medium and wherein the information concerning the validity of the encoded access permission is transferred from the server to the at least one access control device, wherein for the purpose of access control the access permission is read out by the respective access control device and the validity of the access permission is verified on the basis of the information transmitted from the server, wherein if a point of sales device is not connected to the server, the algorithm installed on the point of sales device is executed using the key for unlocking the algorithm installed in the point of sale device, wherein by means of the algorithm installed on the point of sale device an access permission is generated, encrypted and labelled as an offline-generated access permission, wherein this access permission is then encoded onto a customer medium using the encoding device of the point of sales device, wherein if an access control is performed while the point of sales device is not connected to the server, the offline-generated access permission is read out by an access control device, wherein on the basis of the labelling as an offline-generated access permission it is recognized as such and the validity of the access permission is verified on the basis of the data encoded by the point of sales device, wherein if the point of sales device is subsequently connected to the server, the information concerning the access permissions generated by the point of sales device in the offline mode is transmitted from the point of sales device to the server, which transmits the information concerning the validity of the access permissions to the at least one access control device, wherein if, after the point of sale device has changed into the online mode an access control process takes place with an access permission which was generated by the point of sales device in the offline mode, the offline-generated access permission is read out of the customer medium by the access control device and an access permission is encoded onto the customer medium based on the information transmitted by the server, and wherein the validity of the access permission is then verified.
2. A method for operating an access control system comprising a server, at least one access control device and at least one point of sales device for access permissions for the area covered by the access control system, according to Claim 1, wherein if an access control is performed while the point of sales device is not connected to the server, a time-restricted validity is encoded onto the customer medium by the access control device, wherein the time-restricted validity is removed if an access control operation takes place after the point of sales device has changed into the online mode.
SKIDATA AG By the Attorneys for the Applicant SPRUSON & FERGUSON
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP17185104.1A EP3441945A1 (en) | 2017-08-07 | 2017-08-07 | Method for operating an access control system comprising a server, at least one access control device and at least one point-of-sale terminal for access rights for the area covered by the access control system |
EP17185104.1 | 2017-08-07 |
Publications (2)
Publication Number | Publication Date |
---|---|
NZ743638A NZ743638A (en) | 2019-11-29 |
NZ743638B NZ743638B (en) | 2020-03-03 |