US2022270420A1PendingUtilityA1

Enhanced Security for Contactless Access Card System

66
Assignee: DELPHIAN SYSTEMS LLCPriority: Jun 15, 2020Filed: Mar 15, 2022Published: Aug 25, 2022
Est. expiryJun 15, 2040(~13.9 yrs left)· nominal 20-yr term from priority
G07C 9/00309G07C 2009/00412G07C 2009/00769G07C 2009/00976G07C 9/00571G06K 19/07309G07C 2009/00523G07C 9/00944
66
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

An access card may store an encrypted operation key and a key used to read the encrypted operation key from the access card. The encrypted operation key and the key may be based on a unique identifier (UID) of the access card. The encrypted operation key may be obtained by encrypting an operation key using a cryptographic key that is also based on the UID of the access card. An access card reader may read the UID from the access card and use it to generate the key used to read the encrypted operation key from the access card. The access card read may also use the UID read from the access card to generate a cryptographic key used to decrypt the encrypted operation key. The access card reader may validate the decrypted operation key and determine whether to grant or deny access, for example, via an access control device.

Claims

exact text as granted — not AI-modified
1 . A non-transitory computer-readable medium storing instructions that, when executed by a computing device, cause the computing device to:
 detect, by an access card reader comprising at least one key generation algorithm, an access card, wherein the access card comprises:
 a plurality of memory sectors and a plurality of keys, wherein read access to each memory sector of the plurality of memory sectors is controlled by a corresponding key of the plurality of keys; 
 wherein the plurality of memory sectors comprise:
 a first memory sector storing a unique identifier (UID) of the access card; and 
 a second memory sector storing an encrypted operation key that is based on the UID of the access card; and 
 
 wherein the plurality of keys comprises:
 a first key that controls read access to the first memory sector; and 
 a second key that controls read access to the second memory sector and that is based on the UID of the access card; 
 
 based on the detecting the access card: 
 read, from the access card, the UID of the access card; 
 generate, using the at least one key generation algorithm and based on the UID of the access card, the second key of the plurality of keys; 
 read, from the access card and using the second key, the encrypted operation key; 
 generate, using the at least one key generation algorithm and based on the UID of the access card, a decryption key; 
 decrypt, using the decryption key, the encrypted operation key to obtain a decrypted operation key; 
 validate the decrypted operation key; and 
 based on successful validation of the decrypted operation key, provide, to an access control device, an indication of granted access. 
   
     
     
         2 . The non-transitory computer-readable medium of  claim 1 , wherein an operation key of the encrypted operation key is based on at least one of a plurality of predetermined characters or a manufacturing code. 
     
     
         3 . The non-transitory computer-readable medium of  claim 2 , wherein:
 a first plurality of bytes of the operation key are based on a first portion of the UID of the access card;   a second plurality of bytes of the operation key are based on a second portion of the UID of the access card; and   the first plurality of bytes are arranged, in the operation key, non-sequentially relative to the second plurality of bytes.   
     
     
         4 . The non-transitory computer-readable medium of  claim 3 , wherein:
 a third plurality of bytes of the operation key are based on the predetermined characters or a portion of the manufacturing code; and   the third plurality of bytes is arranged, in the operation key, in between the first plurality of bytes of the operation key and the second plurality of bytes of the operation key.   
     
     
         5 . The non-transitory computer-readable medium of  claim 1 , wherein the validating the decrypted operation key comprises validating a format of the decrypted operation key. 
     
     
         6 . The non-transitory computer-readable medium of  claim 1 , wherein the generating the decryption key comprises generating the decryption key further based on an embedded key that is embedded in firmware of the access card reader. 
     
     
         7 . The non-transitory computer-readable medium of  claim 1 , wherein the decrypting the encrypted operation key comprises using cipher block chaining decryption. 
     
     
         8 . The non-transitory computer-readable medium of  claim 7 , wherein the instructions, when executed by the computing device, further cause the computing device to:
 generate, using the at least one key generation algorithm and based on the UID of the access card, an initialization vector; and   wherein the decrypting the encrypted operation key further comprises using the initialization vector with the cipher block chaining decryption.   
     
     
         9 . The non-transitory computer-readable medium of  claim 1 , wherein the generating the second key comprises generating the second key further based on an embedded key that is embedded in firmware of the access card reader. 
     
     
         10 . The non-transitory computer-readable medium of  claim 1 , wherein the access card reader is a contactless access card reader. 
     
     
         11 . A non-transitory computer-readable medium storing instructions to provision an access card of an access control system that, when executed by a computing device, cause the computing device to:
 read, by an access card provisioning system, a unique identifier (UID) of an access card, wherein the access card comprises:
 a plurality of memory sectors and a plurality of keys, wherein read access to each memory sector of the plurality of memory sectors is controlled by a corresponding key of the plurality of keys; 
 wherein the plurality of memory sectors comprise:
 a first memory sector storing the UID of the access card; and 
 a second memory sector; 
 
 wherein the plurality of keys comprises:
 a first key that controls read access to the first memory sector; and 
 a second key that controls read access to the second memory sector; 
 
   based on the reading the UID of the access card:
 generate, using at least one key generation algorithm and based on the UID of the access card, a replacement key and an encryption key;
 generate, based on the UID of the access card, an operation key; 
 encrypt, using the encryption key, the operation key to obtain an encrypted operation key; 
 store, in the second memory sector of the access card, the encrypted operation key; and 
 replace, at the access card, the second key with the replacement key. 
 
   
     
     
         12 . The non-transitory computer-readable medium of  claim 11 , wherein encrypting the operation key comprises encrypting the operation key using cipher block chaining encryption. 
     
     
         13 . The non-transitory computer-readable medium of  claim 12 , wherein the instructions, when executed by the computing device, further cause the computing device to: generate, using the at least one key generation algorithm and based on the UID of the access card, an initialization vector, wherein the encrypting the operation key further comprises using the initialization vector with the cipher block chaining encryption. 
     
     
         14 . The non-transitory computer-readable medium of  claim 11 , wherein the generating the replacement key comprises generating the replacement key further based on an embedded key that is embedded in firmware of an access card reader. 
     
     
         15 . The non-transitory computer-readable medium of  claim 11 , wherein the generating the encryption key comprises generating the encryption key further based on an embedded key that is embedded in firmware of an access card reader. 
     
     
         16 . The non-transitory computer-readable medium of  claim 11 , wherein the generating the operation key further comprises generating the operation key further based on at least one of a plurality of predetermined characters or a manufacturing code. 
     
     
         17 . The non-transitory computer-readable medium of  claim 16 , wherein:
 a first plurality of bytes of the operation key are based on a first portion of the UID of the access card;   a second plurality of bytes of the operation key are based on a second portion of the UID of the access card; and   the generating the operation key comprises arranging, in the operation key, the first plurality of bytes non-sequentially relative to the second plurality of bytes.   
     
     
         18 . The non-transitory computer-readable medium of  claim 17 , wherein:
 a third plurality of bytes of the operation key are based on the predetermined characters or a portion of the manufacturing code; and   the generating the operation key further comprises arranging, in the operation key, the third plurality of bytes in between the first plurality of bytes of the operation key and the second plurality of bytes of the operation key.   
     
     
         19 . A method of access control comprising:
 providing, by an access card to an access card reader, a unique identifier (UID) of the access card based on receiving, from the access card reader after the access card reader detects the access card, a first signal that indicates a first key, wherein the access card comprises:
 a first memory sector of a plurality of memory sectors of the access card, wherein the first memory sector stores the UID of the access card; 
 a second memory sector of the plurality of memory sectors of the access card, wherein the second memory sector stores an encrypted operation key that is based on the UID of the access card; 
 the first key that controls read access to the first memory sector; and 
 a second key that controls read access to the second memory sector, wherein the second key is based on the UID of the access card; 
   based on receiving, by the access card from the access card reader after the access card reader receives the UID of the access card, a second signal that indicates the second key, providing, to the access card reader, the encrypted operation key, wherein the second key is generated by the access card reader using at least one key generation algorithm and based on the UID of the access card.   
     
     
         20 . The method of  claim 19 , further comprising:
 receiving, by the access card, the second key; and   replacing, by the access card, a default key that controls read access to the second memory sector with the second key.   
     
     
         21 . The method of  claim 19 , further comprising:
 receiving, by the access card, the encrypted operation key; and   storing, by the access card in the second memory sector, the encrypted operation key.   
     
     
         22 . The method of  claim 19 , wherein the encrypted operation key is further based on at least one of a plurality of predetermined characters or a manufacturing code. 
     
     
         23 . The method of  claim 19 , wherein the second key is further based on an embedded key that is embedded in firmware of the access card reader. 
     
     
         24 . The method of  claim 19 , wherein the access card is configured to be read by the access card reader from a distance of no more than about 2-3 millimeters. 
     
     
         25 . The method of  claim 19 , wherein the encrypted operation key stored at the access card corresponds to an operation key that is based on at least one of a plurality of predetermined characters or a manufacturing code. 
     
     
         26 . The method of  claim 25 , wherein the operation key, corresponding to the encrypted operation key stored at the access card, comprises:
 a first plurality of bytes that are based on a first portion of the UID of the access card;   a second plurality of bytes that are based on a second portion of the UID of the access card; and   wherein the first plurality of bytes are arranged, in the operation key, non-sequentially relative to the second plurality of bytes.   
     
     
         27 . The method of  claim 26 , wherein the operation key, corresponding to the encrypted operation key stored at the access card, further comprises:
 a third plurality of bytes that are based on the predetermined characters or at least a portion of the manufacturing code; and   wherein the third plurality of bytes is arranged, in the operation key, in between the first plurality of bytes of the operation key and the second plurality of bytes of the operation key.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.