EP1626372A1 - Access control method, access control system and devices therefor - Google Patents

Abstract

The authorisation control for access to facilities such as computers and buildings has multiple time slots [Y,M,Md etc] that are identified by different code values [T]. The information data bits are fed to a central authorisation centre and uses bit masks [G1]. The authorisation has the user employing a mobile unit that carries out logic operations on the masked bits.

Description

Technical area

The present invention relates to an electronic authorization control method, an electronic authorization control system and devices suitable therefor. In particular, the present invention relates to an electronic authorization control method and an electronic authorization control system in which an authorization of a user at a current time is checked on the basis of authorization data of the user. In particular, the present invention also relates to a mobile electronic terminal, an electronic access control device, a computerized authorization center, and a computer program product suitable for executing the electronic authorization control and authorization control system.

State of the art

Methods and systems for controlling a time-dependent authorization of a user are known both in access control to buildings and premises and in access control to computer systems and networks. Typically, the user is assigned credentials that define the user's time-dependent permissions. The authorization data is stored, for example, in a centralized database of an authorization control system, in an access control device or on a mobile data carrier of the user. In the authorization control, both the authorization data and information about the current time are taken into account.

In order to eliminate or at least minimize the exchange of data between an authorization center and distributed access control devices and to eliminate the storage of individual authorization data in the access control devices, the authorization data are transmitted from the authorization center via a mobile radio network to the user's mobile telephones and stored there, according to EP 1 336 937 , In the authorization control, the authorization data according to EP 1 336 937 are preferably transmitted wirelessly by the mobile telephone of a user to the access control device, where the time-dependent access authorization of the user is determined there on the basis of the current time and the received authorization data. In the wireless transmission of the authorization data, the problem arises that the transmission channels used and / or transmission protocols only allow the transmission of a highly limited amount of data, for example, the standardized SMS short messages (Short Messaging Services) in GSM mobile networks (Global System for Mobile Communication ) is limited to 160 characters (bytes). This restriction also limits the possible complexity of the authorization data to be transmitted for time-dependent user authorizations if multiple transmissions and complex algorithms are to be prevented during the authorization checks. In other words, if complex and flexible design of time-dependent user privileges is to be possible, this requires increased complexity of authorization control, which puts a greater burden on the processor performance and program memory required for this purpose.

Presentation of the invention

It is an object of the present invention to propose an electronic authorization control method, a system for an electronic authorization control and devices suitable therefor, which do not have the disadvantages of the prior art. It is especially a task The present invention proposes an electronic authorization control method, a system for the electronic authorization control and suitable devices, by means of which a user's authorization is controlled at a current time on the basis of authorization data of the user, on the one hand a complex and flexible design of time-dependent user permissions and on the other hand an easy-to-execute control of the user's permission will be enabled.

According to the present invention, these objects are achieved in particular by the elements of the independent claims. Further advantageous embodiments are also evident from the dependent claims and the description.

The above-mentioned objects are achieved by the present invention in particular in that the current time at which the authorization of a user is controlled, is mapped to several time units of different significance, wherein for the time units in a time code each time unit area is provided, wherein Time unit range for each possible value of the time unit an information bit is provided, and wherein the value of the current time in the time code is mapped by setting one of the information bits for each of the time units in the associated time unit area. As time units, for example, years, months, days of the month, weeks, days of the week, day hours and / or minutes units are used. Moreover, the authorization data are generated with one or more bitmasks, which bitmasks determine the authorization of the user for the possible values of one of the time units. The bitmasks each include one bit for indicating the user's authority for each possible value of one of the time units. This means that the authorization of the user for a time range can be indicated by each bit in the bit mask, the time range being determined by the respective possible value, ie by the position of the relevant bit in the bit mask, and by a is defined by the valency of the time unit certain period of time. For example, for the time unit "days of the week", the permissions of a user can be defined by means of a seven-bit bit mask with regard to weekdays. For a definition of the time unit "weekdays" = {monday, tuesday, wednesday, thursday, friday, saturday, sunday}, a general authorization for the weekdays "tuesday" and "wednesday" can be defined for the user by the bitmask "0000110". Finally, the authorization of the user is controlled by logically linking the time code with the bit masks. The proposed coding of the value of the current time and the use of the proposed bit masks for the coding of the user authorizations allows extremely simple checking of time-dependent user authorizations by elementary logic operations such as Boolean "AND" or "OR" operations. The proposed encoding of the user authorizations based on bit masks for the possible values of multiple time units of different significance also allows a very flexible, compact and detailed coding of time-dependent user permissions, the time-dependent user permissions are nested, overlapping and periodically definable and over large periods of, for example, several Years can extend.

Preferably, the authorization data is generated in a computerized authorization center and transmitted by the authorization center wirelessly to a mobile electronic terminal of the user. The time code is preferably generated in an electronic access control device and transmitted from the access control device to the mobile terminal of the user. Finally, the logical combination of the time code with the bit masks is preferably carried out in the mobile terminal of the user and a result of the logical link is transmitted from the mobile terminal to the access control device. As a result, the authorization data does not have to be transmitted via the wireless interface between the mobile terminal and the Access control device are transmitted. In addition, the access control device can be made simpler, since it does not have to perform the logical combination of the time code with the bit masks.

Preferably, codes are inserted in the authorization data, which codes determine how the bit masks are logically linked to time unit areas of the time code. This enables flexible and compact encoding of the authorizations.

Typically, the authorization data is generated with a plurality of bit masks, whereby preferably time unit codes each assigned to a bit mask are inserted into the authorization data. The time unit codes indicate the weight of the time unit for which time unit the associated bit mask determines the authorization of the user. The bitmasks are each logically linked to the time unit area determined by the associated time unit code. By assigning the time unit codes to the bit masks can be dispensed with a fixed sequence of bit masks with prescribed significance, so that more compact codes are possible in which bit masks can be omitted depending on the relevant user permissions for certain weights.

Preferably, the authorization data is generated with multiple bitmasks, wherein different groups of bitmasks determine user permissions for different timeslots, and rule codes are inserted between the groups in the authorization data. The rule codes determine how a first result, from a logical combination of bitmasks of a first group with the time code, and a second result, from a logical combination of bitmasks of a second group with the time code, are to be logically linked. The proposed rule codes make it easy to define time-nested user permissions.

Preferably, compression codes each assigned to a bit mask are inserted into the authorization data. The compression codes specify whether authorization of the user is finally determined by the assigned bit mask or whether further bit masks have to be taken into account. The proposed compression codes enable a particularly simple and compact encoding of the user authorizations, if depending on the respective user permissions for certain time unit ranges on bit masks can be dispensed with.

Brief description of the drawings

• Figur 1 zeigt ein Blockdiagramm, welches schematisch ein mobiles Endgerät illustriert, das über ein Telekommunikationsnetz mit einer Berechtigungszentrale verbunden ist und mit einer Zutrittskontrollvorrichtung drahtlos Daten austauscht.
• Figur 2 zeigt ein Blockdiagramm, das die logische Verknüpfung zwischen Gruppen von Bitmasken und einem Zeitcode illustriert.

Hereinafter, an embodiment of the present invention will be described by way of example. The example of the embodiment is illustrated by the following attached figures:

• FIG. 1 shows a block diagram which schematically illustrates a mobile terminal which is connected via a telecommunications network to an authorization center and exchanges data wirelessly with an access control device.
• Figure 2 is a block diagram illustrating the logical association between groups of bitmasks and a timecode.

Ways to carry out the invention

In Fig. 1, reference numeral 1 denotes a mobile electronic terminal having a communication module 11 for wireless data exchange with a computerized authentication center 3 via the telecommunication network 2. The mobile terminal 1 is, for example, a mobile phone, a personal digital assistant (PDA) computer or mobile notebook or laptop computer. The telecommunications network comprises a mobile radio network, for example a GSM (Global System for Mobile Communication), a Universal Mobile Telephone System (UMTS) or another, such as a satellite-based mobile network, or a Wireless Local Area Network (WLAN). The mobile terminal 1 additionally comprises a communication module 12 for wireless data exchange with the electronic access control device 4. The communication module 12 preferably comprises an infrared (eg IrDA) or radio-based (eg Bluetooth) device interface. The mobile terminal 1 also comprises a control module 13, which is preferably designed as a programmed software module for controlling a processor of the mobile terminal 1. The control module 13 is executed, for example, on a processor of a SIM card (Subscriber Identity Module), which is removably connected to the mobile terminal 1. The function of the control module 13 will be discussed later, but those skilled in the art will understand that the control module 13 may also be partially or completely hardware implemented.

The authorization center 3 comprises one or more computers each having one or more processors, a communication module 32 for data exchange with the mobile terminal 1 (eg by means of SMS messages), a user database 31 and a coding module 33. The coding module 33 is preferably a programmed software module to control a processor of the authorization center 3 executed. The function of the coding module 33 will be discussed later, but the person skilled in the art will understand that the coding module 33 can also be executed partially or completely in terms of hardware.

The access control device 4 includes a communication module 41 for wireless data exchange with the mobile terminal 1. The access control device 4 also includes a time determination module 42 for determining the value of the current time including date and time, such as an electronic clock. Moreover, the access control device 4 comprises a time mapping module 43, preferably as a programmed Software module for controlling a processor of the access control device 4 is executed. The function of the time map module 43 will be discussed below, but those skilled in the art will understand that the time map module 43 may also be implemented partially or fully hardware.

The above-mentioned functional modules, namely the coding module 33, the control module 13 and the time mapping module 43, are preferably implemented on one or more separate computer program products, each comprising a computer-readable medium, wherein the programmed software modules, that is the computer program code means of the functional modules , are included. The computer program code means of the coding module 33, the control module 13 and the time map module 43 are each stored on a different data carrier, for example. The computer program code means of the functional modules control the processors of the electronic authorization control system as described below, wherein the system comprises at least one authorization center 3, at least one mobile terminal 1 and at least one access control device 4.

The time map module 4 is set up to map the current time determined by the time determination module 42 to a plurality of time units of different significance. In each case, a time unit area is provided for the time units in a time code, and an information bit is provided in each time unit area for each possible value of the time unit. The value of the current time is mapped in the time code by setting one of the information bits for each of the time units in the associated time unit area. As already mentioned in the introduction, the time units of different valence are years, months, days of the month, weeks, days of the week, hours of the day and units of minutes. Depending on the application requirement, millennium, century, Decade or even seconds can be used as additional time units.

The possible values for the time units millennium, century, decade and year include the values {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}. Thus, to map the current millennium, century, decade or year, ten bits of information are each provided, with the value "0" assigned to the least significant bit and the value "9" to the highest significant bit. For example, the current value of the year "4" is coded by the information bits "0000010000". The ten information bits are stored as least significant bits in a time unit area of two bytes, with the unused bits set to "1". For the current value of the year "4", this results in the value "11111100 00010000", which is expressed in hexadecimal form as "FC 10".

The possible values for the unit of time month are {January, February, March, April, May, June, July, August, September, October, November, December}. Thus, twelve bits of information are provided for the map of the current month, with the value "January" assigned to the least significant bit and the value "December" to the highest significant bit. For example, the current value of the month "May" (5) is coded by the information bits "000000010000". The twelve information bits are stored as least significant bits in a time unit area of two bytes, with the unused bits again set to "1". For the current value of the month "May", this results in the value "11110000 00010000", which is expressed in hexadecimal form as "F0 10".

The possible values for the unit of time monthdays include the values {1, 2, 3, ... 31}. As a result, the picture of the current month will become thirty-one bits of information are provided, with the value "1" assigned to the least significant bit and the value "31" to the highest significant bit. For example, the current value of the month "20" is coded by the information bits "0000000000010000000000000000000". The thirty-one bits of information are stored as least significant bits in a time unit area of four bytes, with the unused bits set to the value "1". For the current value of the month "20", the value "10000000 00001000 00000000 00000000" is obtained, which is expressed in hexadecimal form as "80 08 00 00".

As already mentioned, the possible values for the time unit days of the week include {Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday}. Thus, seven bits of information are provided for mapping the current day of the month, with the value "Monday" assigned to the least significant bit and the value "Sunday" to the highest significant bit. For example, the current value of the Thursday "Thursday" is coded by the information bits "0001000". The seven information bits are stored as least significant bits in a one-byte unit time range, with the unused bit set to "1". For the current value of the weekday "Thursday", the value "10001000" is obtained, which is expressed in hexadecimal form as "88".

The possible values for the time unit hours include the values {0, 1, 2, 3, ... 23}. Thus, for the current hour figure, twenty-four bits of information are provided, with the value "0" assigned to the least significant bit and the value "23" to the highest significant bit. For example, the current value of the hour "4" is coded by the information bits "000000000000000000010000". The twenty-four bits of information are referred to as least significant bits stored in a time unit area of three bytes. For the current value of the hour "4", this results in the value "00000000 00000000 00010000", which is expressed in hexadecimal as "00 00 10".

The possible values for the time unit of minutes at a resolution of five minutes are {0, 5, 10, 15, 20, 25, ... 55}. Thus, twelve bits of information are provided for mapping the current minute, with the value "0" assigned to the least significant bit and the value "55" to the highest significant bit. For example, the current value of the minute "17" (rounded "15") is coded by the information bits "000000001000". The twelve information bits are stored as least significant bits in a time unit area of two bytes, with the unused bits set to the value "1". For the (rounded) current value of the minute "15", this results in the value "11110000 00001000", which is expressed in hexadecimal form as "F0 08". One skilled in the art will understand that other resolutions (accuracies) can be used for the minutes.

The current time "May 20, 2004, 4 o'clock 17" is thus mapped by the time map module 4 without mapping the time units millennium, century and decade on a time code in the form of a bit string, the hexadecimal as "FC 10 F0 10 80 08 00 00 88 00 00 10 F0 08 ", whereby the order of year, month, day of the month, day of the week, hour and minute is observed with decreasing bit position value.

The coding module 33 is set up to generate authorization data for the wireless transmission to the mobile terminal 1 from the user authorization data stored in the user database 31. The coding module 33 generates authorization data with at least one bit mask (for all years without further restrictions) but typically with multiple bit masks. In the authorization data will be the individual Bitmasks each assigned a time unit code (notation "u"). The time unit codes indicate the unit of time or the value of the time unit for which the assigned bit mask determines the authorization of the user. For the coding of the time unit code, one byte suffices, into which, for example, the values {0, 1, 2, 3,... N} are inserted for the identification of the different time units (the value of N depends on the number of different time units used become). The bitmasks determine the authorization of the user for the possible values of the assigned time unit. That is, by setting or not setting a bit in the bitmask corresponding to a possible value of the assigned time unit, the user's authority for a time range is determined, the time period of the time range being determined by the assigned significance of the time unit, and the time of the time Time is determined by the relevant possible value of the assigned time unit or by the position of the bit in the bit mask. For example, if the user's authority is to be restricted to the years 2004 through 2006, this is achieved in a bitmask associated with the time unit years by setting the bits for years 4, 5 and 6, resulting in the bit sequence "0001110000", from which insert in two bytes, the bit mask "00000000 01110000" (hexadecimal "00 70") is formed. Correspondingly, a limitation of the user authorization to the weekdays Monday to Friday results in the bit sequence "0011111", from which the bit mask "00011111" (hexadecimal "1F") is formed in one byte. Limiting the user authorization to the hours from 9 am to 6 pm results in the three-byte bitmask "00000111 11111110 00000000" (hexadecimal "07 FE 00"). Restricting the user authorization to the minutes from 30 to 60 results in the bit sequence "0000111111000000", from which the bit mask "00001111 11000000" (hexadecimal "0F C0") is formed by insertion in two bytes.

The authorization data is constructed by the coding module 33 so that from left to right (ie from the highest priority bits to the Bits with the lowest digits), the bitmasks as stated above are listed according to the valency of the assigned unit of time from the highest to the lowest valency. In addition to the unit code, the bitmasks are also each assigned a compression code which indicates whether an authorization of the user is finally determined by the assigned bit mask or whether further bitmasks must be taken into account for the determination of the relevant authorization. For example, four bits may be provided for encoding the compression code. A compression code with the value "1" indicates, for example, that at least one further bit mask follows with another condition (notation "c"). In order to determine the authorization, these additional bitmasks, which are assigned to time units of lower significance, must be taken into account. A compression code with the value "2" indicates, for example, that the respective authorization of the user is finally determined by the optionally preceding bit masks (which are assigned to time units with higher significance) and the subsequent bit mask (notation "a"). As a result, not all bit masks for the time units of all weights have to be inserted in the authorization data for a user authorization. It is therefore sufficient to determine the maximum permissible time window and then specify the specific exception conditions. A compression code with the value "3" finally indicates that the subsequent bit masks determine an exact time (date / time) (notation "=").

As already mentioned, the authorization data from the coding module 33 is typically formed with multiple bit masks. The bitmasks and their associated unit codes and compression codes are separated by control codes from other bitmasks and their associated unit codes and compression codes. In the authorization data, different sets of bitmasks, each defining user permissions for different time windows, are separated by special rule codes that are inserted between the groups in the authorization data. The special rule codes determine, like a first result, from a logical one determine how a first result, from a logical combination of bit masks of a first group with the time code, and a second result, a logical combination of bit masks of a second group with the time code to be logically linked. For example, four bits can also be provided for the coding of the control codes. A rule code with the value "0" indicates, for example, that another bit mask follows the same group (rule code for separation with the notation ";"), wherein the further bit mask is assigned to a time unit with lower significance and taken into account for determining the authorization got to. For example, rule codes with the values "1" or "2" correspond to special rule codes that indicate that the subsequent bitmasks belong to a different, new set of bitmasks and designate user permissions for a different timeslot. For example, the special control code of value "1" indicates that the time window with the user permission determined by the subsequent group of bitmasks is to be added to the other user privileges defined by the authorization data (rule code for addition with the notation "+"). The special rule code with the value "2" indicates, for example, that the time window with the user authorization determined by the following group of bitmasks is to be subtracted from the further user authorizations defined by the authorization data as exception (non-authorization) (rule code for subtraction with the notation "). "). The rule code with the value "3" finally indicates that the time window is completed with the user authorization determined by the previous group of bitmasks (rule code for termination with the notation "#"). Table 1 Group A for time window A + Group B for time window B Time unit 1 ; Time unit 2 ; Time unit 3 + Time unit 4 ; Time unit 5 u c b1 ; u c b2 ; u a b3 + u c b4 ; u a b5

Table 1 illustrates an example of the coding of authorization data by the coding module 33. In the illustrated example, the authorization data comprises two groups of bitmasks separated by the addition "+" rule code. Corresponding to the rule code for addition "+", the user authorizations defined by the two groups for the different time windows A and B are to be cumulated. The group A comprises three bit masks b1, b2, b3, which are identified by the rule code for separation ";" are separated and each of which a time unit code "u" is assigned with a different significance of a unit of time. The bit masks b1 and b2 are respectively associated with compression codes "c" indicating that another bit mask follows with a condition. The bit mask b3 is assigned a compression code "a" which indicates that the user authorization defined by the bit masks b1 and b2 is finally determined taking into account the bit mask b3. The group B comprises two bit masks b4 and b5, which are identified by the rule code for separation ";" are separated and each of which a time unit code "u" is assigned with a different significance of a unit of time. The bitmask b4 is assigned a compression code "c" indicating that another bitmask follows with a condition. The bit mask b5 is assigned a compression code "a" which indicates that the user authorization defined by the bit mask b4 is finally determined taking into account the bit mask b5.

According to the above, the following notation of authorization data results for the example of a user authorization from Monday to Friday, from 8:30 am to 6:00 pm:
Year c 03FF; Day of the week c 1F; Hour a 07FE00 + day of the week c 1F; Hour c 000100; Minute a 0FC0

For the full coding of the authorization data by the coding module 33, the time unit codes "u" for year, hour, and minute, the Compression codes for "c" and "a", as well as the special rule code for addition "+" used. According to the example, the user authorization is granted for all years and months with the restriction to the time window for the weekdays from Monday to Friday in the time window from 9:00 am to 6:00 pm, with the permission for the time window also being available for the weekdays from Monday to Friday from 8 o'clock for the minutes of the second half hour (8:30 o'clock to 8:59 o'clock) is granted.

At this point, it should be noted that in an alternative embodiment, unlike the above description, instead of setting the unused bits to the value "1" in the encoding of the current time units, the unused bits in the bit masks of Authorization data can be set to "1".

The authorization data generated by the coding module 33 are transmitted from the authorization center 3 via the telecommunications network 2 to the mobile terminal 1 and stored there, for example on the SIM card. The authorization data are preferably assigned to one or more access control devices.

When the user approaches the mobile terminal 1 of the access control device 4, the time code generated by the time map module 43 of the current time is wirelessly transmitted to the mobile terminal 1 and stored there. The access control device 4 also transmits an identification of the access control device 4 wirelessly to the mobile terminal 1. The data exchange between the access control device 4 and the mobile terminal 1 is preferably carried out with the aid of cryptographic means, for example encrypted and / or with challenge codes as described for example in EP 1 336 937.

Due to the received identification of the access control device 4, the control module 13 determines the corresponding stored authorization data. In order to check the authorization of the user, the control module 13 preferably performs a logical combination of the time code with the bit masks in the mobile terminal 1. In this case, all the bitmasks of the authorization data belonging to a group are respectively logically linked to the corresponding time unit area of the time code received by the access control device 4. This means that a bit mask is linked to the time unit area which is determined by the time unit code assigned to the bit mask. Time unit ranges of the time code for which no corresponding bit mask is contained in the relevant group are ignored. The individual groups of bitmasks in the authorization data are processed according to the notation from left to right. If a positive match results for all bit masks of a group from the logical "AND" link between the bit mask and the corresponding time unit range in each case, a positive value results otherwise a negative value for the group. As shown in FIG. 2, the time code T includes the time unit ranges Y (year), M (month), MD (day of the month), WD (day of the week), H (hour) and M5 (minute unit with a resolution of five minutes). The group G1 comprises the bit masks b11, b12, b13, b14, b15 and b16, which are each associated with the associated time unit ranges Y, M, MD, WD, H and M5 with a logical "AND" function. Similarly, the bit masks b21, b22, b23, b24, b25 and b26 of the group Gm, respectively b31, b32, b33, b34, b35 and b36 of the group Gn are associated with the associated time unit areas of the time code T. In FIG. 2, for the groups G1, Gm, Gn, bitmasks are assigned for all time unit ranges only for a better understanding of the logical processing, for the definition of authorizations this is typically not necessary, as already mentioned. A match in a bit of the same significance (ie same position) between the bit mask and the time unit area is sufficient for a positive result for the respective bit mask or for the respective time unit range concerned. As shown in FIG. 2, by a logical "AND" function, the results of all logical "AND" links between the bit masks and time unit areas of a group G1, Gm, Gn are respectively output 71, 7m, 7n for that one Group G1, Gm respectively Gn formed. When a group of bitmasks is separated from the preceding groups by a special addition "+" rule code, then the value of the group resulting from the logical association with the timecode becomes a logical "OR" association with the resulting values of the preceding groups connected. If a group of bitmasks are separated from the preceding groups by a special subtraction control code "-", then the value of the group resulting from the logical association with the time code is inverted and a logical "AND" association is made with the resulting values of the group linked to preceding groups. In FIG. 2, the reference numeral 5 designates schematically all the groups G1,... Gm (notation "+") to be added, whose output values 71, 7m are combined with a logical "OR" function and form the resulting output value 7. In Fig. 2, reference numeral 6 schematically indicates all the groups Gn ... (notation "-") to be subtracted, whose output values 7n are inverted with a logical inverter function and combined with a logical "AND" function with the resulting output value 7, and the resulting Form final value 8. When all groups of authorization data bitmasks have been processed, the final value 8 resulting from the logical operations corresponds to the authorization of the user at the current time.

The authorization determined by the control module 13, that is to say the end value 8 resulting from the logical operations, is transmitted from the mobile terminal 1 to the access control device 4. Preferably, as mentioned above, cryptographic means are used, for example the formation of an electronic certificate as described in EP 1 336 937. The access control device 4 gives a positive permission unlocks the access and, for example, opens a door lock or unlocks access to a network or computer system.

The person skilled in the art will understand that the control of the authorization of the user described above by the control module 13 in an alternative embodiment can also be carried out in the access control device 4 by a corresponding functional module if the authorization data are transmitted to the access control device 4.

Claims (13)

Electronic authorization control method in which, at a current time, a user's authorization is controlled on the basis of user's authorization data, characterized by : Mapping the current time to a plurality of time units of different valence, wherein a time unit area (Y, M, MD, WD, H, M5) is provided for the time units in a time code (T), wherein in the time unit area (Y, M, MD, WD , H, M5) an information bit is provided for each possible value of the time unit, and wherein the value of the current time in the time code (T) is mapped by providing for each of the time units in the associated time unit area (Y, M, MD, WD, H , M5) one of the information bits is set, Generating the authorization data with one or more bit masks (b11, b12, b13, b14, b15, b16, b21, b22, b23, b24, b25, b26, b31, b32, b33, b34, b35, b36), which bit masks respectively for the possible values of one of the time units determine the authorization of the user, and Check the authorization of the user by logically combining the time code (T) with the bit masks. Authorization control method according to claim 1, characterized in that the authorization data are generated in an authorization center (3) that the generated authorization data is transmitted wirelessly from the computerized authorization center (3) to a mobile electronic terminal (1) of the user that the time code (T ) is generated in an electronic access control device (4) that the time code (T) from the access control device (4) to the mobile terminal (1) of the user is transmitted, that the logical link of the Time codes (T) with the bit masks in the mobile terminal (1) of the user is executed, and that a result of the logical link from the mobile terminal (1) to the access control device (4) is transmitted. Authorization control method according to one of claims 1 or 2, characterized in that codes are inserted into the authorization data, which codes determine how the bitmasks are logically linked to time unit ranges (Y, M, MD, WD, H, M5) of the time code (T) , Authorization control method according to one of Claims 1 to 3, characterized in that the authorization data are generated with a plurality of bit masks, wherein time unit codes are each assigned to the authorization data assigned to a bit mask, which time unit codes indicate the significance of the time unit, for which time unit the associated bit mask the authorization of the time User determined, and that the bit masks are each logically linked to the time unit area determined by the associated time unit code (Y, M, MD, WD, H, M5). Authorization control method according to one of claims 1 to 4, characterized in that the authorization data are generated with a plurality of bit masks, wherein different groups (G1, Gm, Gn) of bit masks determine user permissions for different time windows, and wherein control codes between the groups (G1, Gm, Gn) are inserted in the authorization data which determine control codes, such as a first result, from a logical combination of bitmasks of a first group with the time code (T), and a second result, from a logical combination of bitmasks of a second group the time code (T), logically linked. Authorization checking method according to one of claims 1 to 5, characterized in that compression codes are each assigned to a bit mask in the authorization data, which specify compression codes, whether an authorization of the user is finally determined by the associated bit mask or whether further bit masks must be taken into account. Authorization control method according to one of Claims 1 to 6, characterized in that the time units used are years, months, month days, weeks, weekdays, day hours and / or minute units. Mobile electronic terminal (1) comprising means for wirelessly receiving authorization data of a user from a computerized authorization center (3) and for exchanging data with an electronic access control device (4), characterized by : a control module (13) for controlling an authorization of the user by logically combining a time code (T) received from the access control device (4) with bit masks (b11, b12, b13, b14, b15, b16, b21, b22, b23) received in the authorization data , b24, b25, b26, b31, b32, b33, b34, b35, b36), wherein the time code (T) for a plurality of time units of different valence each comprise a time unit area (Y, M, MD, WD, H, M5) an information bit is provided in the time unit ranges (Y, M, MD, WD, H, M5) for each possible value of the time unit, wherein the value of a current time in the time code (T) is mapped by the fact that for each of the time units in the associated time unit Time unit range (Y, M, MD, WD, H, M5) is set one of the information bits, and wherein the bit masks each determine the authorization of the user for the possible values of one of the time units. An electronic access control device (4) comprising means for exchanging data with a user's mobile electronic device (1), characterized by : a time map module (43) for mapping a current time to a plurality of time units of different significance, wherein a time unit area (Y, M, MD, WD, H, M5) is provided for the time units in a time code (T), wherein in the time unit area (Y , M, MD, WD, H, M5) for each possible value of the time unit, an information bit is provided, and wherein the value of the current time in the time code (T) is mapped by the fact that for each of the time units in the associated time unit area (Y, M , MD, WD, H, M5) one of the information bits is set, and Means for transmitting the time code (T) to the mobile terminal (1) of the user. A computerized authorization center (3) comprising means for wirelessly transmitting authorization data to a mobile electronic terminal (1) of a user, characterized by : Means for generating the authorization data with one or more bit masks (b11, b12, b13, b14, b15, b16, b21, b22, b23, b24, b25, b26, b31, b32, b33, b34, b35, b36), which bit masks in each case determine the authorization of the user for the possible values of one of a plurality of time units of different significance, the bitmasks each comprising for each possible value of one of the time units a bit for indicating the authorization of the user for a time range, which time range is covered by the relevant possible value and a time period is defined by the valency of the unit of time determined time. A computer program product comprising: a computer readable medium having computer program code means therein for controlling a plurality of processors of an electronic authorization control system at a current time based on user authorization data, such
the system maps the current time to a plurality of time units of different significance, wherein a time unit area (Y, M, MD, WD, H, M5) is provided for the time units in a time code (T), wherein in the time unit area (Y, M, MD, WD, H, M5) an information bit is provided for each possible value of the time unit, and wherein the value of the current time in the time code (T) is mapped by the fact that for each of the time units in the associated time unit area (Y, M, MD, WD, H, M5) one of the information bits is set,
the system generates the authorization data with one or more bit masks (b11, b12, b13, b14, b15, b16, b21, b22, b23, b24, b25, b26, b31, b32, b33, b34, b35, b36) which Bitmasks determine the authorization of the user for each of the possible values of one of the time units, and
the system controls the authorization of the user by logically linking the time code (T) with the bit masks. An electronic authorization control system comprising means for controlling, at a current time, a user's authorization based on user's authorization data, characterized by : a time map module (43) for mapping the current time to a plurality of time units of different weight, wherein a time unit area (Y, M, MD, WD, H, M5), wherein in the time unit area (Y, M, MD, WD, H, M5) an information bit is provided for each possible value of the time unit, and wherein the value of the current time in the time code (T) is thereby mapped in that one of the information bits is set for each of the time units in the associated time unit area (Y, M, MD, WD, H, M5), Means for generating the authorization data with one or more bit masks (b11, b12, b13, b14, b15, b16, b21, b22, b23, b24, b25, b26, b31, b32, b33, b34, b35, b36), which bit masks determine the authorization of the user for each of the possible values of one of the time units, and a control module (13) for controlling the authorization of the user by logically combining the time code (T) with the bitmasks. System according to claim 12, characterized by a computerized authorization center (3), which is set up to generate the authorization data and to transmit wirelessly to a mobile terminal (1), a mobile terminal (1) of the user, which is set up the wirelessly transmitted authorization data an access control device (4), which comprises the time map module (43) for generating the time code (T) and is adapted to transmit the time code (T) to the mobile terminal (1) of the user, wherein the control module (13) in the mobile Terminal (1) of the user is arranged, and wherein the mobile terminal (1) of the user is arranged to transmit a result of the logical link to the access control device (4).

Images