EP-4738295-A1 - ENABLING THE PROVISION OF CREDENTIALS FOR ELECTRONIC LOCKS
Abstract
It is provided a method for enabling the provision of credentials for electronic locks (12). The method comprises: receiving (40) an access provision request comprising an identifier of a credential carrier (2); obtaining (46) an access list; transmitting (48), by an access control server (3), an access preparation message (24) to an access provision server (4), the access preparation message comprising the access list; transmitting (50) an access list message (26) comprising the access list and/or an identifier associated with the access list, to the credential carrier (2); receiving (144) a credential request (28), the credential request (28) comprising the access list and/or the identifier associated with the access list; obtaining (145) at least one credential corresponding to the access list; and providing (146) a credential message (30), comprising the at least one credential corresponding to the access list, to the credential carrier (2).
Inventors
- HAMSTRÖM, Mikael
- LINDROOS, Kristoffer
- PERSSON, Maria
Assignees
- ASSA ABLOY AB
Dates
- Publication Date: 20260506
- Application Date: 20251028
Claims (15)
- A method for enabling the provision of credentials for electronic locks (12), the method being performed by a system (1) comprising an access control server (3) and an access provision server (4), wherein the access provision server (4) is distinct from the access control server (3), the method comprising: receiving (40), by the access control server (3), an access provision request comprising an identifier of a credential carrier (2); obtaining (46), by the access control server (3), an access list indicating at least one access right for a restricted physical space to be provided to the credential carrier (2); transmitting (48), by the access control server (3), an access preparation message (24) to the access provision server (4), the access preparation message comprising the access list; transmitting (50), by the access control server (3), an access list message (26) comprising the access list and/or an identifier associated with the access list, to the credential carrier (2); receiving (144), by the access provision server (4), from the credential carrier (2), a credential request (28), the credential request (28) comprising the access list and/or the identifier associated with the access list; obtaining (145), by the access provision server (4), at least one credential corresponding to the access list; and providing (146), by the access provision server (4), a credential message (30), comprising the at least one credential corresponding to the access list, to the credential carrier (2).
- A method for enabling the provision of credentials for electronic locks (12), the method being performed by an access control server (3), the method comprising: receiving (40) an access provision request comprising an identifier of a credential carrier (2); obtaining (46) an access list indicating at least one access right for a restricted physical space to be provided to the credential carrier (2); transmitting (48) an access preparation message (24) to an access provision server (4) being distinct from the access control server (3), the access preparation message comprising the access list; and transmitting (50) an access list message (26) comprising the access list and/or an identifier associated with the access list to the credential carrier (2).
- The method according to claim 2, wherein in the obtaining (46) the access list, the access list is obtained based on the identifier of the credential carrier (2).
- The method according to claim 2 or 3, further comprising: receiving (49) lock data for at least one lock associated with an access right of the access list.
- The method according to any one of claims 2 to 4, wherein the access provision request further comprises a space indicator (7) being associated with a restricted physical space (16, 16-b) to be accessed by the credential carrier (2); the access list comprises at least one access right for accessing the restricted physical space (16, 16-b); the method further comprising: transmitting (42) an authentication data message (21), comprising authentication data (22), to the credential carrier (2); receiving (44) an access right request (24) comprising the authentication data; and authenticating (45) the access right request (24) by verifying the authentication data of the access right request (24).
- The method according to claim 5, wherein the obtaining (46) the access list further comprises obtaining the access list based on the space indicator (7), wherein the access list comprises access rights for a plurality of electronic locks that need to be unlocked for access to the restricted physical space (16, 16-b) associated with the space indicator (7).
- The method according to claim 5 or 6, wherein the authenticating (45) the access right request (24) comprises verifying that it is the first time that the authentication data is used for authentication of an access right request (24) by the access control server (3).
- An access control server (3) for enabling the provision of credentials for electronic locks (12), the access control server (3) comprising: processing circuitry (60); and memory circuitry (64) storing instructions (67) that, when executed by the processing circuitry, cause the access control server (3) to: receive an access provision request comprising an identifier of a credential carrier (2); obtain an access list indicating at least one access right for a restricted physical space to be provided to the credential carrier (2); transmit an access preparation message (24) to an access provision server (4) being distinct from the access control server (3), the access preparation message comprising the access list; and transmit an access list message (26) comprising the access list and/or an identifier associated with the access list to the credential carrier (2).
- A computer program (67, 91) for enabling the provision of credentials for electronic locks (12), the computer program comprising computer program code which, when executed on an access control server (3) causes the access control server (3) to: receive an access provision request comprising an identifier of a credential carrier (2); obtain an access list indicating at least one access right for a restricted physical space to be provided to the credential carrier (2); transmit an access preparation message (24) to an access provision server (4) being distinct from the access control server (3), the access preparation message comprising the access list; and transmit an access list message (26) comprising the access list and/or an identifier associated with the access list to the credential carrier (2).
- A computer program product (64, 90) comprising a computer program according to claim 9 and a computer readable means comprising non-transitory memory in which the computer program is stored.
- A method for enabling the provision of credentials for electronic locks (12), the method being performed by an access provision server (4), the method comprising: receiving (140) an access preparation message (24) from an access control server (3) being distinct from the access provision server (4), the access preparation message comprising an access list indicating at least one access right to be provided to a credential carrier (2); receiving (144), from the credential carrier (2), a credential request (28), the credential request (28) comprising the access list and/or an identifier associated with the access list; and obtaining (145) at least one credential corresponding to the access list; and providing (146) a credential message (30), comprising the at least one credential corresponding to the access list, to the credential carrier (2).
- The method according to claim 11, wherein the obtaining (145) at least one credential comprises generating each one of the at least one credential based on secret data that is shared with the lock that is associated with the credential.
- An access provision server (4) for enabling the provision of credentials for electronic locks (12), the access provision server (4) comprising: processing circuitry (60); and memory circuitry (64) storing instructions (67) that, when executed by the processing circuitry, cause the access provision server (4) to: receive an access preparation message (24) from an access control server (3) being distinct from the access provision server (4), the access preparation message comprising an access list indicating at least one access right to be provided to a credential carrier (2); receive, from the credential carrier (2), a credential request (28), the credential request (28) comprising the access list and/or an identifier associated with the access list; obtain at least one credential corresponding to the access list; and provide a credential message (30), comprising the at least one credential corresponding to the access list, to the credential carrier (2).
- A computer program (67, 91) for enabling the provision of credentials for electronic locks (12), the computer program comprising computer program code which, when executed on an access provision server (4) causes the access provision server (4) to: receive an access preparation message (24) from an access control server (3) being distinct from the access provision server (4), the access preparation message comprising an access list indicating at least one access right to be provided to a credential carrier (2); receive, from the credential carrier (2), a credential request (28), the credential request (28) comprising the access list and/or identifier associated with the access list; obtain at least one credential corresponding to the access list; and provide a credential message (30), comprising the at least one credential corresponding to the access list, to the credential carrier (2).
- A computer program product (64, 90) comprising a computer program according to claim 14 and a computer readable means comprising non-transitory memory in which the computer program is stored.
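
The message flow of claims 1, 5, 7 and 12, sketched as an added example that is not part of the patent text: the access control server issues single-use authentication data and prepares an access list, and the distinct access provision server, which alone holds the per-lock secrets, issues the credentials. The class and method names, the HMAC-SHA256 credential format, the binding of a prepared list to the carrier identifier, and the sample data are all assumptions.

```python
import hashlib
import hmac
import secrets
# Constructed sample data: per-lock secrets and the locks guarding one space.
LOCK_SECRETS = {"gate": b"constructed-secret-1", "door-16b": b"constructed-secret-2"}
RIGHTS = {"space-16b": ["gate", "door-16b"]}

def make_credential(lock_secret, lock_id, carrier_id):
    # Assumption: HMAC-SHA256 over lock and carrier ids stands in for the credential.
    msg = f"{lock_id}|{carrier_id}".encode()
    return hmac.new(lock_secret, msg, hashlib.sha256).hexdigest()

def lock_accepts(lock_secret, lock_id, carrier_id, credential):
    return hmac.compare_digest(make_credential(lock_secret, lock_id, carrier_id), credential)

class AccessProvisionServer:
    def __init__(self, lock_secrets):
        self.lock_secrets = lock_secrets  # lock id -> secret shared with that lock
        self.prepared = {}                # list id -> (carrier id, access list)

    def receive_preparation(self, list_id, carrier_id, access_list):
        self.prepared[list_id] = (carrier_id, tuple(access_list))

    def handle_credential_request(self, carrier_id, list_id):
        entry = self.prepared.get(list_id)
        # Assumption: a prepared list is bound to the carrier it was prepared for.
        if entry is None or entry[0] != carrier_id:
            raise PermissionError("no prepared access list for this carrier")
        return {lock: make_credential(self.lock_secrets[lock], lock, carrier_id)
                for lock in entry[1]}

class AccessControlServer:
    def __init__(self, provision_server, rights):
        self.provision = provision_server
        self.rights = rights              # space indicator -> locks to unlock
        self.pending = {}                 # auth data -> (carrier id, space)

    def handle_provision_request(self, carrier_id, space):
        auth = secrets.token_urlsafe(16)  # delivered e.g. as a text message or e-mail
        self.pending[auth] = (carrier_id, space)
        return auth

    def handle_access_right_request(self, auth):
        entry = self.pending.pop(auth, None)  # pop: a replayed value is gone
        if entry is None:
            raise PermissionError("authentication data unknown or already used")
        list_id = secrets.token_urlsafe(8)    # identifier associated with the list
        self.provision.receive_preparation(list_id, entry[0], self.rights[entry[1]])
        return list_id
```

The access control server in this sketch never sees a lock secret, and the provision server never decides who gets access; each refuses requests it has no prior record of.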
Description
TECHNICAL FIELD
The present disclosure relates to the field of electronic locks and in particular to enabling the provision of credentials for electronic locks.
BACKGROUND
Electronic access control systems are commonly employed to secure physical spaces, such as buildings, rooms, or other restricted areas. Some of these systems use electronic locks that interact with digital credentials provided using smartphones or other portable electronic devices. The credentials are often issued by a centralised system, which manages the process of creating, distributing, and revoking access rights.
Such centralised systems in the prior art may work well for situations where a single party is responsible for managing access rights. However, there are more complicated situations where various parties are responsible for different aspects of the access control. It would be of great benefit if access control systems could support multiple parties having different responsibilities.
SUMMARY
One object is to support electronic access control systems where multiple parties have different responsibilities.
According to a first aspect, it is provided a method for enabling the provision of credentials for electronic locks. The method is performed by a system comprising an access control server and an access provision server, wherein the access provision server is distinct from the access control server.
The method comprises: receiving, by the access control server, an access provision request comprising an identifier of a credential carrier; obtaining, by the access control server, an access list indicating at least one access right for a restricted physical space to be provided to the credential carrier; transmitting, by the access control server, an access preparation message to the access provision server, the access preparation message comprising the access list; transmitting, by the access control server, an access list message comprising the access list and/or an identifier associated with the access list, to the credential carrier; receiving, by the access provision server, from the credential carrier, a credential request, the credential request comprising the access list and/or the identifier associated with the access list; obtaining, by the access provision server, at least one credential corresponding to the access list; and providing, by the access provision server, a credential message, comprising the at least one credential corresponding to the access list, to the credential carrier.
According to a second aspect, it is provided a method for enabling the provision of credentials for electronic locks. The method is performed by an access control server. The method comprises: receiving an access provision request comprising an identifier of a credential carrier; obtaining an access list indicating at least one access right for a restricted physical space to be provided to the credential carrier; transmitting an access preparation message to an access provision server being distinct from the access control server, the access preparation message comprising the access list; and transmitting an access list message comprising the access list and/or an identifier associated with the access list to the credential carrier.
In the obtaining the access list, the access list may be obtained based on the identifier of the credential carrier.
The method may further comprise: receiving lock data for at least one lock associated with an access right of the access list.
The lock data may comprise information whether the lock is associated with the access control server.
The access provision request may further comprise a space indicator being associated with a restricted physical space to be accessed by the credential carrier; the access list comprises at least one access right for accessing the restricted physical space. In this case, the method further comprises: transmitting an authentication data message, comprising authentication data, to the credential carrier; receiving an access right request comprising the authentication data; and authenticating the access right request by verifying the authentication data of the access right request.
The obtaining the access list may further comprise obtaining the access list based on the space indicator, wherein the access list comprises access rights for a plurality of electronic locks that need to be unlocked for access to the restricted physical space associated with the space indicator.
The transmitting the authentication data message may comprise providing the authentication data message as a text message or an e-mail to the credential carrier.
The authenticating the access right request may comprise verifying that it is the first time that the authentication data is used for authentication of an access right request by the access control server.
According to a third aspect, it is provided an access control server for enabling the provision of credentials for electronic locks. The ac