
System And Method For Access Control

Abstract: The present invention deals with a system and method for access control. The proposed system (10) comprises memory means (14) comprising a memory (16) having sequentially addressable memory locations (22). Each addressable memory location (22) further contains a fixed number of bit locations (24). Each bit location (24) is adapted for storing one bit of data. The memory (16) is initialized by writing a first binary value to all bit locations (24) in all addressable memory locations (22) of said memory (16). The proposed system also includes user registration means for registering a user based upon a user identification value received from said user. The user registration means includes means for determining a memory location (28) in said memory (16) whose address corresponds to a quotient obtained from division of said user identification value by the number of bits per memory location in said memory (16). The user registration means further includes means for determining a bit location (30) within said determined memory location (28) whose position within said determined memory location (28) corresponds to a remainder obtained from said division of said user identification value by the number of bits per memory location in said memory (16). The user is registered by writing a second binary value in the determined bit location (30).


Patent Information

Application #:
Filing Date: 29 May 2008
Publication Number: 49/2009
Publication Type: INA
Invention Field: ELECTRONICS
Status:
Email:
Parent Application:

Applicants

SIEMENS INFORMATION SYSTEMS LTD
43, SHANTIPALLY, EM BYPASS-RASHBEHARI CONNECTOR, KOLKATA

Inventors

1. NISHANT KUMAR SAHU RAMNARESH
B-14, PARSHWA RESIDENCY 411046 PUNE NEAR TULSI VEG, KATRAJ
2. SHIVKUMAR PHISKE
H-303, UJJWAL TERRACES, 411041 PUNE, RAJKAR NAGAR DHAYARI

Specification

Description
System and method for access control
The present invention relates to a system and method for
access control.
An access control system typically comprises means granting
access to a user by receiving a user identification value
(also referred to as user ID), and verifying whether or not
the user ID is registered in said access control system. In
existing access control systems, user IDs of all registered
users are stored serially in a memory, such as a flash
memory, or an EEPROM. Each address location of the memory
generally stores one byte (i.e. 8 bits) of data, each user ID
being made up of one or more bytes of data, depending on the number
of digits in the user ID. In order to verify a user, the user
ID received from the user is searched in the memory using a
linear search algorithm. In this algorithm, the user ID
received from the user is compared with memory data
comprising all registered user IDs. This process is continued
till the user ID of the user gets matched with a user ID
stored in the memory. The disadvantage of this approach is
that user verification time is not fixed; it varies according
to the location of the user ID in the memory. Thus, the time
required to verify a user whose user ID is stored at an
initial memory location is less than that of a user whose
user ID is stored at the last memory location.
Moreover, in certain applications, it is required that a user
is granted access only within a specified time slot allotted
for the user. In existing systems, the permissible time slots
of each user are stored on a server, which requires the server
to be up and running all the time to verify the access of a
user. Due to this limitation, such systems cannot perform
offline.

The object of the present invention is to provide an improved
system and method for access control.
The above object is achieved by a system for access control,
comprising:
- memory means comprising a memory having sequentially
addressable memory locations, each addressable memory
location further containing a fixed number of bit locations,
each bit location being adapted for storing one bit of data,
said memory being initialized by writing a first binary value
to all bit locations in all addressable memory locations of
said memory, and
- user registration means for registering a user based upon a
user identification value received from said user, said user
registration means further comprising:

- means for determining a memory location in said
memory whose address corresponds to a quotient obtained from
division of said user identification value by the number of
bits per memory location in said memory,
- means for determining a bit location within said
determined memory location whose position within said
determined memory location corresponds to a remainder
obtained from said division of said user identification value
by the number of bits per memory location in said memory, and
- means for writing a second binary value in the
determined bit location.
The above object is also achieved by a method for access
control, comprising:
- receiving a user identification value from a user,
- registering said user identification value into a memory
having sequentially addressable memory locations, each
addressable memory location further containing a fixed number
of bit locations, each bit location being adapted for storing
one bit of data, said memory being initialized by writing a
first binary value to all bit locations in all addressable
memory locations of said memory, wherein registering said
user identification value further comprises:

- determining a memory location in said memory whose
address corresponds to a quotient obtained from division of
said user identification value by the number of bits per
memory location in said memory,
- determining a bit location within said determined
memory location whose position within said determined memory
location corresponds to a remainder obtained from said
division of said user identification value by the number of
bits per memory location in said memory, and
- writing a second binary value in the determined bit
location.
The underlying idea of the present invention is to register a
user using only a single bit of data, instead of using one or
more bytes. The location of that bit in the memory is mapped
to the user identification value received from the user. That
is, the bit location for storing this single bit corresponds
to the user identification value received from the user. This
leads to reduction in memory requirements for user
registration, hence allowing an increased number of user
identification values (user IDs) to be stored in the memory.
In a further embodiment, the access control system further
comprises user verification means for verifying a user
seeking access, based upon a user identification value
received from said user seeking access, said user
verification means further comprising:
- means for identifying a memory location in said memory
whose address corresponds to a quotient obtained from
division of said user identification value of the user
seeking access by the number of bits per memory location in
said memory,
- means for reading the binary value stored in a bit location
within the identified memory location whose position within
said identified memory location corresponds to a remainder
obtained from the division of said user identification value
of said user seeking access by the number of bits per memory
location in said memory, and

- means for denying access to said user seeking access if the
read binary value does not equal said second binary value.
The above embodiment provides that verification time is
drastically reduced, and is identical for all users, since
the same operational steps are performed for each user
irrespective of the position of the user ID in the memory.
In a still further embodiment, the access control system
further comprises means for verification of time slot
allotted to said user seeking access with respect to a
current day and time, said means for verification of time
slot further comprising:
- means for storing a matrix of time slot indices for each of
a plurality of users of said system, each row of said matrix
representing a day, the number of indices in each row of said
matrix corresponding to the number of time slots per day for
that user, each index in said matrix being mapped to a time
interval defined by a start time and end time,
- means for identifying the matrix corresponding to the user
seeking access based upon the user identification value of
said user seeking access,
- means for identifying the row in said identified matrix
that corresponds to the current day, and
- means for denying access if the current time does not lie
within the time intervals mapped to any of the indices in
said identified row.
The above embodiment provides a large number of time slots
per user per day and also provides a convenient technique for
storing the time slots of individual users locally and hence
allows offline operation of the system.
The present invention is further described hereinafter with
reference to illustrated embodiments shown in the
accompanying drawings, in which:
FIG 1 is a block diagram of an access control system,
FIG 2 is a schematic diagram illustrating memory structure of
the addressable memory used in the access control system,
FIG 3 is a schematic diagram illustrating the memory
structure of the addressable memory before user registration,
FIG 4 is a schematic diagram illustrating the memory
structure of the addressable memory after a user
registration,
FIG 5 illustrates an exemplary time slot allocation matrix
for a single user showing time slot indices for the user, and
FIG 6 illustrates an exemplary time table showing actual time
slots corresponding to each time slot index.
Referring now to FIG 1, an access control system 10 is
illustrated that may be used, for example, for time
attendance and access control of employees in an
organization. The system 10 comprises a sensor 12, which may
be, for example, an access card reader. A user seeking access
swipes his/her access card at the reader 12 that reads a user
identification value (also referred to herein as "user ID")
from the access card. A list of registered user IDs is stored
in memory means 14 having an addressable memory 16. The
memory means 16 communicates with a host computer 20 which
determines whether the user ID read from the access card
matches with the registered user IDs in the memory 16. The
user is deemed to be verified if the user ID received from
the user matches a registered user ID in the memory 16. The
embodiments illustrated below describe a user registration
and subsequent user verification technique in accordance with
the present invention.
Referring to FIG 2, the structure of the memory 16 is
illustrated, which may be, for example, a flash memory, or an
EEPROM, among others. As shown, the memory 16 comprises N
sequentially addressable memory locations 22, each of which
has eight bit locations 24, each adapted for storing one bit
of data, comprising a binary value of either 1 or 0. Thus
each memory location 22 of the memory 16 can store eight bits
(i.e. one byte) of data. The memory 16 is initialized, at
the time of manufacture or otherwise, by writing a first
binary value (which is '1' in the illustrated example) in all
bit locations 24 in all the memory locations 22. Thus the
value stored at each memory location 22 initially is 0XFF. As
would be known to those skilled in the art, in the present
description, the prefix 0X before a value indicates that the
value is expressed in the hexadecimal system. Hence 0XFF is a
hexadecimal value whose value in the decimal system is 255.
In accordance with the present invention, a user is
registered in the memory 16 using only a single bit of data
(i.e., a single bit location), instead of using one or more
bytes. The location of that bit in the memory is mapped to
the user ID received from the user. That is, the bit location
for storing this single bit corresponds to the user ID
received from the user. The above approach for user
registration is illustrated referring to FIG 3 and FIG 4. As
shown in FIG 3, the value at all bit locations is 1
initially. It is assumed that the user ID is 0X1234. Upon
receiving user ID from the user, a memory location 28 is
determined such that the address of the memory location 28 is
equal to the quotient obtained by dividing the user ID by the
number of bits per memory location (i.e., eight). Thus memory
location 28 will have an address 0X246 as arrived at by the
calculation below:
User ID = 0X1234
Number of bits per memory location = 8
Address of the memory location = 0X1234 / 0X08
= 0X246
Referring now to FIG 4, once the memory location 28 is
obtained, the exact bit location 30 of the registering bit
within the memory location 28 may be obtained from the
remainder from the above division operation as explained in
the calculation below:
Bit location = User ID (Hexadecimal) & 0X00000007
i.e., Bit location = 0X1234 & 0X00000007
i.e., Bit location = 0X04
From the above calculation, the bit location 30 of the
registering bit is 0X04, which means that the bit location
30 is the fifth bit location from the rightmost bit location
within the memory location 28 (given that the rightmost bit
location is 0X00 and the leftmost bit location is 0X07). Once
the memory location 22 and the exact bit location 30 are
determined, the user registration is done by writing a second
binary value (i.e., '0' in the present example) in the bit
location 30, as shown in FIG 4.
This approach reduces the required storage capacity per user
drastically, as a result of which, the maximum number of user
IDs that can be registered for a given memory size is greatly
increased, as can be seen from example 1 below:
Example 1
Size of the memory is assumed to be 128 Kilobytes
Therefore,
Number of memory locations = number of bytes = 128000
Since there are 8 bits per memory location,
Total number of bits = 128000*8 = 1024000
Since only one bit is used to register one user,
Maximum number of users = Number of bits = 1024000
It can be seen that in accordance with the above approach, a
value of 0 at any bit location in the memory 16 indicates
that the user, whose user ID maps on to that bit location, is
a registered user. Taking this into account, a user seeking
access can be verified by determining whether or not the bit
location corresponding to the user ID of the user seeking
access has a value of 0. This may be illustrated by taking
the example of a user seeking access having a user ID 0X1234.
To determine whether the user is registered, a memory
location is identified whose address corresponds to the quotient
obtained by dividing the user ID by the number of bits per
memory location as explained in the calculation below:
User ID = 0X1234
Number of bits per memory location = 8
Address of the memory location = 0X1234 / 0X08
= 0X246
As in the case of registration, an exact bit location is
identified within the identified memory location whose
position within the identified memory location corresponds to
the remainder obtained from the above division operation.
Thus, in the present example:
Bit location = User ID (Hexadecimal) & 0X00000007
i.e., Bit location = 0X1234 & 0X00000007
i.e., Bit location = 0x04
Having identified the exact bit location, the next step is to
read the value at the identified bit location 0X04 (i.e.,
fifth bit location from the right). If this value is 0, the
user seeking access is verified to be a registered user. If,
on the other hand, the value at the identified bit location
is 1, the user is denied access.
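The registration and verification steps above, as an added C example that is not part of the patent text: a RAM array stands in for the flash/EEPROM memory 16, the function names are hypothetical, and the 128000-location size is taken from Example 1. The range check on the user ID is an addition here, since an ID beyond the last bit of the memory would otherwise address a location outside it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BITS_PER_LOCATION 8u       /* bit locations 24 per memory location 22 */
#define NUM_LOCATIONS     128000u  /* memory size taken from Example 1 */
#define MAX_USER_IDS      (NUM_LOCATIONS * BITS_PER_LOCATION)  /* 1024000 */

/* RAM array standing in for the flash/EEPROM memory 16 (assumption). */
static uint8_t memory16[NUM_LOCATIONS];

/* Initialise: write the first binary value (1) to every bit, 0xFF per byte. */
void acl_init(void)
{
    memset(memory16, 0xFF, sizeof memory16);
}

/* Map a user ID to (address, bit). IDs that do not fit in the memory are
 * rejected so that neither registration nor verification indexes past it. */
static bool acl_locate(uint32_t user_id, uint32_t *addr, unsigned *bit)
{
    if (user_id >= MAX_USER_IDS)
        return false;
    *addr = user_id / BITS_PER_LOCATION;  /* quotient  -> memory location 28 */
    *bit  = user_id % BITS_PER_LOCATION;  /* remainder -> bit location 30    */
    return true;
}

/* Register: write the second binary value (0) at the mapped bit. */
bool acl_register(uint32_t user_id)
{
    uint32_t addr;
    unsigned bit;

    if (!acl_locate(user_id, &addr, &bit))
        return false;
    memory16[addr] &= (uint8_t)~(1u << bit);
    return true;
}

/* Verify: same two steps for every ID, then one bit read.
 * Returns true only if the bit holds 0; out-of-range IDs are denied. */
bool acl_verify(uint32_t user_id)
{
    uint32_t addr;
    unsigned bit;

    if (!acl_locate(user_id, &addr, &bit))
        return false;
    return ((memory16[addr] >> bit) & 1u) == 0u;
}

int main(void)
{
    acl_init();
    acl_register(0x1234);  /* the user ID used in the description */
    printf("location 0x246 = 0x%02X\n", (unsigned)memory16[0x246]);
    printf("0x1234 verified: %d\n", acl_verify(0x1234));
    printf("0x1235 verified: %d\n", acl_verify(0x1235));
    printf("0xFFFFFFFF verified: %d\n", acl_verify(0xFFFFFFFFu));
    return 0;
}
```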
In accordance with a further embodiment of the present
invention, user verification may also include verification of
the time slot allotted to the user seeking access with
respect to the current day and time, that is, to grant access
to only those users seeking access during a time slot
allotted to them. To achieve the same, a time slot allocation
matrix is stored for every user, for example in a local
storage means. An exemplary time slot allocation matrix 40 is
illustrated in FIG 5. The matrix 40 contains indices that map
on to various time slots in the day, defined by a start time
and an end time as shown in the time table 50 in FIG 6. In
the time table 50, the column 52 contains the time slot
indices, columns 54 and 56 contain the start times of the
time slots corresponding to the indices, and columns 58 and
60 contain the end times of the time slots corresponding to
the indices. The granularity of the start time and end time
specification is shown to be 2 (i.e., including hours and
minutes in the specification). However, the granularity of
the start and end times may also be three (including hours,
minutes and seconds in the specification) or one (including
only hours in the specification) depending on the number of
bytes available for the time table 50. As shown, each index
in the matrix 40 in FIG 5 maps on to a time interval in FIG
6. In the illustrated example, the number of time slot
indices is 10. Hence only one byte is required for storing
the value of each index (i.e., the index size is one byte).
Given that a single byte can store a value up to 255, if the
number of indices exceeds 255, it would require at least two
bytes to store the value of each index.
Referring to FIG 5, each row of the matrix 40 represents a
day, and the number of indices per row corresponds to the
number of time slots allotted per day to the user. In this
example, the matrix 40 contains time slots for seven days
(i.e., for a week), wherein the user is allotted five time
slots per day. The total number of bytes in the matrix 40 for
a user is given by the equation (1) below:
Number of bytes per user = (Number of slots per day) x
                           (Number of days) x
                           (Size of index in bytes)            (1)
As mentioned earlier, a time slot allocation matrix of the
type described above is stored for every user of the system.

During time slot verification of a user seeking access, the
time slot matrix for that user is first identified based on
the user ID provided, from which a row is identified
corresponding to the day of the week in which the access is
sought. This may be carried out mathematically using the
equation (2) below.
Time Slot Location = [(Base Address) + (User ID) x (Number of bytes per user)]
                     + [(Day of Week) x (Number of time slots per day)
                        x (Size of time slot index in bytes)]  (2)
In equation (2), the expression before the summation
calculates the base address of the matrix identified for the
user seeking access, which depends on the user ID of that
user. The expression after the summation indicates the offset
in the identified matrix caused by the day of the week. The
calculations for the present example are illustrated in
example 2 below:
Example 2
Assumptions
1. Size of time slot index (in bytes) = 1
2. Number of slots per day = 5
3. Number of days = 7
4. Maximum value of time slot index = 10
5. Day of the week in which access is sought = 3 (Wednesday)
6. Base address = 1000
7. User ID = 1
From equation (1),
Number of bytes per user = (5) x (7) x (1)
= 35 bytes
From equation (2),
Time Slot Location = [(1000) + (1) x (35)]
+ [(3) x (5) x (1)]
i.e., Time Slot Location = 1035 + 15 = 1050
Thus, the base address of the identified matrix is 1035
(corresponding to day 0 of the week), and the starting
address of the identified row (corresponding to day 3) is
1050. This is referred to by the numeral 42 in FIG 5. Once
this location is identified, a check is made to see if the
current time lies within the time intervals indicated by any
of the indices in the row 42, on the basis of which, access
is granted or denied based on whether the outcome of the
check is positive or negative. In the illustrated example,
the time slot corresponding to the identified index is shown
by the reference numeral 62.
Further, it may be desirable to provide full day access to
registered users on certain days of the week. This may be
implemented by having the value 0XFF in the time slot
allocating matrix in a row identified for that day.
Similarly, a full day no-access may be implemented by having
the value 0X00 in the time slot allocating matrix in a row
identified for that day. Thus, as shown in FIG 5, the matrix
40 provides for a full day access on day 4 of the week (row
46) and a full day no-access on day 2 of the week (row 44).
The above embodiment makes it possible to provide a large
number of time slots per user per day and also provides a
convenient technique for storing the time slots of individual
users locally and hence allows offline operation of the
system.
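The time slot check built on equations (1) and (2), as an added C example that is not part of the patent text. The time table values, the four-user store size and the function names are constructed for illustration. Two readings are assumptions: an entry of 0XFF anywhere in a row grants the full day, and a slot's end time is treated as exclusive.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BASE_ADDRESS    1000u  /* values from Example 2 */
#define SLOTS_PER_DAY   5u
#define NUM_DAYS        7u
#define INDEX_SIZE      1u     /* bytes per time slot index */
#define BYTES_PER_USER  (SLOTS_PER_DAY * NUM_DAYS * INDEX_SIZE) /* eq. (1) */
#define NUM_USERS       4u     /* assumed capacity of this demo store */
#define STORE_SIZE      (BASE_ADDRESS + NUM_USERS * BYTES_PER_USER)
#define FULL_DAY_ACCESS 0xFFu
#define NO_ACCESS       0x00u
#define MAX_INDEX       10u    /* maximum time slot index in Example 2 */

struct slot { uint8_t start_h, start_m, end_h, end_m; };

/* Constructed stand-in for time table 50 (FIG 6 values are not on the page).
 * Entry 0 is unused because index 0x00 means "no access". */
static const struct slot time_table[MAX_INDEX + 1] = {
    {0, 0, 0, 0},
    {6, 0, 8, 0},   {8, 0, 10, 0},  {10, 0, 12, 0}, {12, 0, 13, 0},
    {13, 0, 15, 0}, {15, 0, 17, 0}, {17, 0, 19, 0}, {19, 0, 21, 0},
    {21, 0, 23, 0}, {23, 0, 23, 59},
};

/* Local storage; zero-filled, so every row starts as full day no-access. */
static uint8_t store[STORE_SIZE];

/* Equation (2): start address of the row for (user, day). Out-of-range
 * users or days are rejected so the lookup never leaves the store. */
bool slot_row_address(uint32_t user_id, uint32_t day, uint32_t *addr)
{
    if (user_id >= NUM_USERS || day >= NUM_DAYS)
        return false;
    *addr = (BASE_ADDRESS + user_id * BYTES_PER_USER)
          + (day * SLOTS_PER_DAY * INDEX_SIZE);
    return true;
}

bool slot_set_row(uint32_t user_id, uint32_t day,
                  const uint8_t idx[SLOTS_PER_DAY])
{
    uint32_t addr;

    if (!slot_row_address(user_id, day, &addr))
        return false;
    for (uint32_t i = 0; i < SLOTS_PER_DAY; i++)
        store[addr + i] = idx[i];
    return true;
}

/* Grant access only if the current time falls inside an interval mapped
 * to one of the indices in today's row; everything else is denied. */
bool slot_access_allowed(uint32_t user_id, uint32_t day,
                         unsigned hour, unsigned minute)
{
    uint32_t addr;

    if (hour > 23 || minute > 59 || !slot_row_address(user_id, day, &addr))
        return false;
    unsigned now = hour * 60u + minute;
    for (uint32_t i = 0; i < SLOTS_PER_DAY; i++) {
        uint8_t idx = store[addr + i];
        if (idx == FULL_DAY_ACCESS)
            return true;
        if (idx == NO_ACCESS || idx > MAX_INDEX)
            continue;                      /* unknown index: never grants */
        const struct slot *s = &time_table[idx];
        unsigned start = s->start_h * 60u + s->start_m;
        unsigned end   = s->end_h * 60u + s->end_m;
        if (now >= start && now < end)
            return true;
    }
    return false;
}

/* Constructed sample matrix for user 1 (days numbered 0..6). */
void slot_load_sample(void)
{
    static const uint8_t wed[SLOTS_PER_DAY]  = {2, 4, 6, NO_ACCESS, NO_ACCESS};
    static const uint8_t none[SLOTS_PER_DAY] = {0, 0, 0, 0, 0};
    static const uint8_t all[SLOTS_PER_DAY]  = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF};

    slot_set_row(1, 2, none);  /* full day no-access, as row 44 */
    slot_set_row(1, 3, wed);
    slot_set_row(1, 4, all);   /* full day access, as row 46 */
}

int main(void)
{
    uint32_t addr = 0;

    slot_load_sample();
    slot_row_address(1, 3, &addr);
    printf("row address = %u\n", (unsigned)addr);
    printf("day 3, 09:30 -> %d\n", slot_access_allowed(1, 3, 9, 30));
    printf("day 3, 11:00 -> %d\n", slot_access_allowed(1, 3, 11, 0));
    return 0;
}
```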

Summarizing, the present invention deals with a system and
method for access control. The proposed system comprises
memory means comprising a memory having sequentially
addressable memory locations. Each addressable memory
location further contains a fixed number of bit locations.
Each bit location is adapted for storing one bit of data. The
memory is initialized by writing a first binary value to all
bit locations in all addressable memory locations of said
memory. The proposed system also includes user registration
means for registering a user based upon a user identification
value received from said user. The user registration means
includes means for determining a memory location in said
memory whose address corresponds to a quotient obtained from
division of said user identification value by the number of
bits per memory location in said memory. The user
registration means further includes means for determining a
bit location within said determined memory location whose
position within said determined memory location corresponds
to a remainder obtained from said division of said user
identification value by the number of bits per memory
location in said memory. The user is registered by writing a
second binary value in the determined bit location.
Although the invention has been described with reference to
specific embodiments, this description is not meant to be
construed in a limiting sense. Various modifications of the
disclosed embodiments, as well as alternate embodiments of
the invention, will become apparent to persons skilled in the
art upon reference to the description of the invention. It is
therefore contemplated that such modifications can be made
without departing from the spirit or scope of the present
invention as defined.

We claim,
1. A system (10) for access control, comprising:
- memory means (14) comprising a memory (16) having
sequentially addressable memory locations (22), each
addressable memory location (22) further containing
a fixed number of bit locations (24), each bit
location (24) being adapted for storing one bit of
data, said memory (16) being initialized by writing
a first binary value to all bit locations (24) in
all addressable memory locations (22) of said memory
(16), and
- user registration means for registering a user based
upon a user identification value received from said
user, said user registration means further
comprising:

- means for determining a memory location (28) in
said memory (16) whose address corresponds to a
quotient obtained from division of said user
identification value by the number of bits per
memory location in said memory (16),
- means for determining a bit location (30) within
said determined memory location (28) whose
position within said determined memory location
(28) corresponds to a remainder obtained from
said division of said user identification value
by the number of bits per memory location in said
memory (16), and
- means for writing a second binary value in the
determined bit location (30).
2. The system (10) according to claim 1, further
comprising user verification means for verifying a
user seeking access, based upon a user identification
value received from said user seeking access, said
user verification means further comprising:
- means for identifying a memory location in said
memory (16) whose address corresponds to a quotient
obtained from division of said user identification
value of the user seeking access by the number of
bits per memory location in said memory (16),
- means for reading the binary value stored in a bit
location within the identified memory location whose
position within said identified memory location
corresponds to a remainder obtained from the
division of said user identification value of said
user seeking access by the number of bits per memory
location in said memory (16), and
- means for denying access to said user seeking access
if the read binary value does not equal said second
binary value.
3. The system (10) according to claim 2, further
comprising means for verification of time slot
allotted to said user seeking access with respect to a
current day and time, said means for verification of
time slot further comprising:
- means for storing a matrix (40) of time slot indices
for each of a plurality of users of said system
(10), each row of said matrix (40) representing a
day, the number of indices in each row of said
matrix corresponding to the number of time slots per
day for that user, each index in said matrix being
mapped to a time interval defined by a start time
and end time,
- means for identifying the matrix (40) corresponding
to the user seeking access based upon the user
identification value of said user seeking access,
- means for identifying the row (42) in said
identified matrix that corresponds to the current
day, and
- means for denying access if the current time does
not lie within the time intervals mapped to any of
the indices in said identified row (42).
4. A method for access control, comprising:

- receiving a user identification value from a user,
- registering said user identification value into a
memory (16) having sequentially addressable memory
locations (22), each addressable memory location
(22) further containing a fixed number of bit
locations (24), each bit location (24) being adapted
for storing one bit of data, said memory (16) being
initialized by writing a first binary value to all
bit locations (24) in all addressable memory
locations (22) of said memory (16), wherein
registering said user identification value further
comprises:
- determining a memory location (28) in said memory
(16) whose address corresponds to a quotient
obtained from division of said user
identification value by the number of bits per
memory location in said memory (16),
- determining a bit location (30) within said
determined memory location (28) whose position
within said determined memory location (28)
corresponds to a remainder obtained from said
division of said user identification value by the
number of bits per memory location in said memory
(16), and
- writing a second binary value in the determined
bit location (30).
5. The method according to claim 4, further comprising
verifying a user seeking access, said verification
comprising:
- receiving a user identification value from said
user seeking access,
- identifying a memory location in said memory (16)
whose address corresponds to a quotient obtained
from division of said user identification value of
the user seeking access by the number of bits per
memory location in said memory (16),

- reading the binary value stored in a bit location
within the identified memory location whose position
within said identified memory location corresponds
to a remainder obtained from the division of said
user identification value of said user seeking
access by the number of bits per memory location in
said memory (16), and
- denying access to said user seeking access if the
read binary value does not equal said second binary
value.
6. The method according to claim 5, further comprising
verification of time slot allotted to said user
seeking access with respect to a current day and time,
by storing a matrix (40) of time slot indices for each
of a plurality of users, each row of said matrix
representing a day, the number of indices in each row
of said matrix (40) corresponding to the number of
time slots per day for that user, each index in said
matrix being mapped to a time interval by a specified
start time and end time, said verification further
comprising:
- identifying the matrix (40) corresponding to the
user seeking access based upon the user
identification value of said user seeking access,
- identifying the row (42) in said identified matrix
(40) that corresponds to the current day,
- denying access if the current time does not lie
within the time intervals mapped to any of the
indices in said identified row (42).
7. A system or method substantially as herein above
described in the specification with reference to the
accompanying drawings.


Documents

Application Documents

# Name Date
1 abstract-00960 -kol-2008.jpg 2011-10-07
2 960-KOL-2008-PA.pdf 2011-10-07
3 960-KOL-2008-FORM 6.pdf 2011-10-07
4 960-KOL-2008-FORM 3.pdf 2011-10-07
5 960-KOL-2008-FORM 2.pdf 2011-10-07
6 960-KOL-2008-FORM 18.pdf 2011-10-07
7 960-KOL-2008-FORM 1.pdf 2011-10-07
8 960-KOL-2008-CORRESPONDENCE.pdf 2011-10-07
9 960-KOL-2008-CORRESPONDENCE-1.1.pdf 2011-10-07
10 960-KOL-2008-ASSIGNMENT.pdf 2011-10-07
11 00960-kol-2008-form 3.pdf 2011-10-07
12 00960-kol-2008-form 2.pdf 2011-10-07
13 00960-kol-2008-form 1.pdf 2011-10-07
14 00960-kol-2008-drawings.pdf 2011-10-07
15 00960-kol-2008-description complete.pdf 2011-10-07
16 00960-kol-2008-correspondence others.pdf 2011-10-07
17 00960-kol-2008-claims.pdf 2011-10-07
18 00960-kol-2008-abstract.pdf 2011-10-07
19 960-KOL-2008_EXAMREPORT.pdf 2016-06-30
20 960-KOL-2008 FIRST EXAMINATION REPORT.pdf 2017-07-20
21 960-KOL-2008 ABANDONED LETTER.pdf 2017-07-20
22 960-kol-2008 cancelled page.pdf 2019-03-12