Security Keypad Lock

Introduction: This project demonstrates a very basic access control system that can be modified to protect just about anything.



Abstract
Image of user keypad

The Security Keypad Lock Project is a basic access control system. The "Code Lock" ability will allow the rightful user to deploy the platform to any property that requires simple password-protection. The "AVR" RISC microcontroller used ensures low costs. Possible applications may include: vehicle protection, electronic safes, powered door locks. The following short treatise will explain how the early version was engineered and how to use the controller to accept valid passwords. With a little external hardware, the featured systems may easily be used to disengage an electric doorstrike or similar system.

Disclaimer

ALL INFORMATION WITHIN THIS DOCUMENT IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. I DO NOT GUARANTEE ANY INFORMATION IN THIS DOCUMENT IS ACCURATE, AND IT SHOULD BE USED FOR ABSTRACT EDUCATIONAL PURPOSES ONLY.

THIS SOFTWARE AND DOCUMENTATION IS FREE OF CHARGE. COPYRIGHT (C) 2005 BY BRADY MAYES. ALL RIGHTS RESERVED. REDISTRIBUTION AND USE IN SOURCE AND BINARY FORMS, WITH OR WITHOUT MODIFICATION, ARE PERMITTED PROVIDED THAT THE FOLLOWING CONDITIONS ARE MET:

1. REDISTRIBUTIONS OF SOURCE CODE MUST RETAIN THE ABOVE COPYRIGHT NOTICE, THIS LIST OF CONDITIONS AND THE FOLLOWING DISCLAIMER.

2. REDISTRIBUTIONS IN BINARY FORM MUST REPRODUCE THE ABOVE COPYRIGHT NOTICE, THIS LIST OF CONDITIONS AND THE FOLLOWING DISCLAIMER IN THE DOCUMENTATION AND/OR OTHER MATERIALS PROVIDED WITH THE DISTRIBUTION.

3. ALL ADVERTISING MATERIALS MENTIONING FEATURES OR USE OF THIS SOFTWARE MUST DISPLAY THE FOLLOWING ACKNOWLEDGEMENT: THIS PRODUCT INCLUDES SOFTWARE DEVELOPED BY B.MAYES AND ITS CONTRIBUTORS.

THIS SOFTWARE IS PROVIDED BY B.MAYES AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL B.MAYES OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

THIS FILE IS DISTRIBUTED IN THE HOPE THAT IT WILL BE USEFUL, BUT WITHOUT ANY WARRANTY; WITHOUT EVEN THE IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Possible Hazards                     Precautions
Solder and Lead-bearing materials    Workzone ventilation, Gloves, Eye protection
High-temperature equipment           Fire-safe workzone

Glossary

Access Control(s) - this is any system designed to restrict access to some type of property. Some access controls like tire spikes and boarded doors are indiscriminate in that they bar access for everyone. More useful access controls are selective, which is to say they operate on a pass-or-halt basis. This project is a selective access control.

Bypass Capacitor - any capacitor meant to absorb energy spikes by providing a low impedance path to ground. A bypass usually has one pin tied to ground and the other pin attached to some supply lead. In this non-precision application any capacitor type can be used, including basic ceramics.

Debouncing - a noise-cancelling method used to eliminate keypad noise. This noise is inherent to most pushbuttons and switches and occurs as the contacts break/complete the circuit. Debouncing methods will either filter the noise or mute (ignore) it. This project uses software to wait for the key signals to stabilize.

EEPROM - a non-volatile data storage medium. Electronically Erasable Programmable Read Only Memory can reside within the microcontroller in the absence of electric power. This memory is accessible through the microcontroller's 3 EEPROM registers. EEPROM will be used to store the passwords.

Floating Pin - an input pin is said to be floating if it is not connected to anything. Floating pins may report random bit states that "float" between '1' and '0'.

Keypad - this is our input device. The keypad comprises 16 or 12 membrane buttons on a 4x4 or 4x3 matrix. Key activity is detected by monitoring the keypad's output pins and waiting for a closed circuit to appear between a row pin and a column pin. The keypad is a passive device.

Queue - an array of integers in which data is shifted in on one side and deleted on the other end. Queues follow FIFO ("First In First Out") behavior, whereas a stack will use a FILO ("First In Last Out") scheme. This project will use the Queue to hold key codes.

SRAM - the volatile data storage medium. Static Random Access Memory is destroyed during power-off and reset conditions. This memory is accessible through the microcontroller's X and Y pointer-registers and by the "lds" and "sts" commands. SRAM will contain the keypress queue.

Volatility - this term will be associated with the system's memory types. The term indicates whether the memory will retain its state after power has been removed. A volatile system will be reset if power is removed. A non-volatile system will retain its latest state.

Design Strategy

Design Concept

This console project is intended to be a low-end and low-cost system that will focus mainly on affordability and simplicity rather than connectivity or even ease-of-use. Hence this will be a stand-alone system that will not need a special communications interface. This limits the design phase to four sub-systems: keypad, encoder, controller, and visual/mechanical interface.

[ Keypad concept drawing ]

Project Sub-initiatives

Keypad Selection

The properties of the key interface will determine the type of environment the system may be deployed to. For example, the availability of sealed and hardened models would allow the system to function in industrial and outdoor settings. Conversely, the indoor models will allow for quicker and more accurate keystrokes, which is important in access control. Hence, two keypad models will be featured in this treatise.

Keystroke Encoding

In order to process the user's commands in a binary environment, the microcontroller must use an encoder device to translate on/off keystrokes into a digital form. Furthermore, the system needs to counteract the unwanted effects of ghosting, masking, and contact noise to some degree. During this phase of research, the 74C922 4x4 Keypad Encoder stood out as the most useful encoder for the application.

Controller Selection

The ATMEL AVR 2313 controller was selected from the beginning as the sole candidate device; however, there were more decisions to be made. Mainly, these centered on the choice between a commercial-grade and an industrial-grade controller. After a great deal of thought, the industrial-grade controller was chosen so that the system could make the most of its rugged and weather-proof design.

Visual and Mechanical Interface

One of the smaller concerns in the early phase was how to build a useful interface. Simplicity proved to be the winning strategy: the visual feedback system was based on a highly intuitive LED system.

The electro-mechanical interface will be responsible for engaging and disengaging the external locking machine. To be more specific, the controller is supposed to provide signalling to the outside device, plus limited power for locking and unlocking. The relay-control systems required a bit more thought because of the possibility of corrosion sabotage. In order to remedy this problem, several control components were internalized within the console's casing.

More Design Problems

Weather-proofing

If the console is ever to be deployed to outdoor environments, it must be able to withstand a reasonable amount of physical abuse. Components used internally had to be selected very carefully to ensure a good level of durability before any core system failures could occur. Part temperature ranges were especially important. Methods of water sealing and insulation also had to be researched prior to construction.

Sabotage

In the event of a sabotage attempt, the console should be built to withstand hardware exploitation or "hacking." This defense is provided by a combination of hardware and software.

Hardware Theory

Electrical Design

Here is the schematic for the latest Security Keypad version (the Mark 3). Unlike previous versions, the unlocking circuits have been internalized and isolated from the main circuit to protect from sabotage.

Program              Version   Platform         Content                            Modified
e5_3_schematic.zip   3.0.0     ATMEL AVR 2313   EAGLE (CadSoft) schematic, notes   May 2005

[ Schematic ]

Schematic Comments

One note about the schematic: the optical isolator shown is a generic circuit. Virtually any type can be placed here as long as it can drive the attached relay (not shown). Otherwise, it would have to send its output signal to a switching transistor that is rated for the high current.

Bill of Materials

Parts Listing: These are parts that were used to construct the enclosure and mechanical devices. Nonrequired parts may be omitted, but their absence may place undesired limits on the device's physical integrity.
PART                             QUANTITY   OPTIONAL?
Plastic Enclosure 4" x 5" x 2"   1          no
Battery Holders                  2          no

Component list: These are the electronic components that were used to create the console. Non-required components may be omitted, but they are still very highly recommended. Hard-to-find components may be substituted (see guide below).
COMPONENT                           ID     OPTIONAL?
Resistor 100kOhms                   R1     no
Resistor 220 Ohms                   R2     no
Resistor 220 Ohms                   R3     no
Resistor 100 Ohms                   R4     no
Capacitor 22pF                      C1     no
Capacitor 0.1uF                     C2     no
Capacitor 1uF                       C3     no
Capacitor 33pF                      C4     no
Capacitor 33pF                      C5     no
Capacitor 1uF                       C6     no
Capacitor 0.1pF                     C7     no
6 Volt Battery                      G1     no
6 Volt Battery (Miniature)          BAT1   no
Quartz Crystal 4.00MHz              Q1     no
ATMEL Microcontroller AT90S2313     IC1    no
Matrix Keypad Decoder 74C922        IC2    no
+5 Volt Regulator                   IC3    no
Generic Optical Isolator            IC4    no
PCB (2) Pin Header                  JP1    no
PCB (8) Pin Header                  JP2    no
LED (green)                         LED1   no
LED (red)                           LED2   no

Part Requirements

Keypad Recommendations

For compatibility with the 74C922 Encoder, the keypad needs an 8-pin output made up of four "row" lines and four "column" lines.

Velleman Keypad

Velleman's Keypad

One option is a basic indoor model like this one from VELLEMAN. For those curious to know, this keypad operates more or less like 16 discrete pushbuttons. Each button belongs to a row (1-4) and a column (1-4) of the matrix. When a button is pressed, a closed circuit will appear between the proper row and column pin on the output. All other pins will be open. Since this keypad is a passive device, it does not generate its own logic. That's where the 74C922 interpreter comes in. A similar chip, the 74C921, may be used for 4x3 pushbutton keypads. The only disadvantage is the vulnerability to water and dust, which might eliminate it from outdoor deployment. In general, I would recommend using the VELLEMAN keypad for indoor residential or commercial settings.

ACT Keypad

ACT's Keypad

This rugged design seems to be known only as the "J2 4x4 keypad." Electrical testing revealed that its behavior was identical to the VELLEMAN design. The only exception was the presence of a "dead" pin in the center of its 9-pin interface, which seems to serve no definable purpose. If I were to guess, this pin was meant for pin-compatibility with 20-key designs. Once again, this keypad uses the row-column approach, giving it great compatibility with the 74C921/922/923 encoder chips. Another advantage is its sealed keys, which give it immunity from water, dust, and possibly ice. The only disadvantage is that the weatherproofing makes the keys noticeably tougher to press. Because of this, I would recommend reserving the J2 design for outdoor or industrial environments.

74C922 Encoder

There are a lot of opportunities to work around the keypad if a 4x4 array is not available. The 74C921 encoder works with 3x4 arrays like the type used on landline phones. The 74C923 works for 4x5 arrays. A word of caution: the "C" in "74C922" stands for CMOS. This means the device will have a higher susceptibility to ESD shock than a typical 7400 device.

Here is a sample pin diagram for the 74C922 chip that will be featured in this project:

  ______________
-|Row Y1     Vcc|-
-|Row Y2  Data A|-
-|Row Y3  Data B|-
-|Row Y4  Data C|-
-|Oscill  Data D|-
-|Kbm       /EEN|-
-|Col X4      DA|-
-|Col X3  Col X1|-
-|GND     Col X2|-
  --------------
[ Pin Diagram provided by Fairchild Semiconductor ]

Engineering

Weather Proofing

Some parts that may stifle the weather-proofing effort are the two ICs, the batteries, and the clock crystal. Freezing is the main concern. Efforts are underway to locate an arctic-rated battery; for now, standard AAA cells will do.

Water sealing was provided by a mix of hot glue and a cyanoacrylate-based super glue on the enclosure. The 2-pin connector coming from JP1 in the schematic had to be covered or plugged into the external locking motor at all times.

Sabotage Control

Key Sample Rate Limit

Although not included in the Mark 2 design, limits to the keyscan interval would accomplish two functions. First, they create a software low-pass filter to reject broadband key contact noise. Second, they boost security by restricting the key input rate to about 60 characters per second. This may not sound slow enough, but with a 6-digit passcode, it would take a password thief 77 hours to generate every permutation. This figure does not include the defensive timeout [see below], which is much more effective at spoiling brute-force attacks.

Defensive Timeout

Entering several invalid passcodes will trigger the flood control timeout. The lockout lasts for several seconds and mutes all key activity, limiting the effectiveness of "brute force" cracking attacks. The current E-5 version, the Mark 3, goes into lockout after 3 bad attempts. This mode is indicated by the rapid blinking of the red and green indicators.
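
The three-strikes lockout described above, sketched in C as an added example (the project's source is withheld, so this is not the author's code). The 10-second lockout length, the fixed-length attempts and all names (keypad_t, kp_key, kp_wait, kp_enter) are assumptions; the sample codes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CODE_LEN      6     /* 6-digit passcode, as in the estimate above */
#define MAX_BAD       3     /* Mark 3: lockout after 3 bad attempts */
#define LOCKOUT_TICKS 600u  /* assumed: 10 s at 60 scans per second */

typedef enum { KP_IDLE, KP_GRANTED, KP_DENIED, KP_LOCKED } kp_result;
typedef struct {
    uint8_t  queue[CODE_LEN]; /* keypress queue (SRAM on the AVR) */
    uint8_t  count;           /* keys collected for this attempt */
    uint8_t  bad;             /* consecutive bad attempts */
    uint16_t lockout;         /* lockout ticks left; 0 = unlocked */
} keypad_t;

/* Constructed sample data for the demo, not a real passcode. */
static const uint8_t STORED[CODE_LEN] = {1, 2, 3, 4, 5, 6};
static const uint8_t WRONG[CODE_LEN]  = {1, 2, 3, 4, 5, 7};
static keypad_t demo_kp;      /* zero-initialised: idle, unlocked */

/* No early exit: run time does not reveal how many digits matched. */
static uint8_t codes_differ(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    for (uint8_t i = 0; i < CODE_LEN; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff;
}

/* Advance time by n scan ticks; the lockout counts down here. */
void kp_wait(keypad_t *kp, uint16_t n) {
    kp->lockout = (kp->lockout > n) ? (uint16_t)(kp->lockout - n) : 0;
}

/* Feed one key code from the encoder. */
kp_result kp_key(keypad_t *kp, uint8_t key, const uint8_t *stored) {
    if (kp->lockout) return KP_LOCKED;       /* keys are muted */
    kp->queue[kp->count++] = key;
    if (kp->count < CODE_LEN) return KP_IDLE;
    kp->count = 0;
    uint8_t differ = codes_differ(kp->queue, stored);
    memset(kp->queue, 0, sizeof kp->queue);  /* clear the attempt */
    if (!differ) { kp->bad = 0; return KP_GRANTED; }
    if (++kp->bad < MAX_BAD) return KP_DENIED;
    kp->bad = 0;
    kp->lockout = LOCKOUT_TICKS;             /* start the timeout */
    return KP_LOCKED;
}

/* Feed a whole code; returns the result of the last key. */
kp_result kp_enter(keypad_t *kp, const uint8_t *code, const uint8_t *stored) {
    kp_result r = KP_IDLE;
    for (uint8_t i = 0; i < CODE_LEN; i++) r = kp_key(kp, code[i], stored);
    return r;
}

int main(void) {
    for (int i = 0; i < MAX_BAD; i++) kp_enter(&demo_kp, WRONG, STORED);
    printf("locked: %d\n", kp_enter(&demo_kp, STORED, STORED) == KP_LOCKED);
    kp_wait(&demo_kp, LOCKOUT_TICKS);
    return kp_enter(&demo_kp, STORED, STORED) == KP_GRANTED ? 0 : 1;
}
```

The counters in this sketch live in RAM, so removing power clears the lockout; keeping the bad-attempt count in EEPROM would make it survive a power cycle.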

Reprogramming Lockout

Certain AVR controllers will allow the programmer(s) to enforce a specific programming lockout. These lockouts vary in degree of protection, ranging from no protection to complete reprogramming and verification lockouts. Once the lockouts are in place, the chip cannot be reprogrammed or re-read by anyone. Lockouts are supported by the new ATtiny2313 chips but not the original AVR2313. This may provide encouragement to upgrade to the more-secure Tiny2313 whenever possible.

Software Theory

Software Layout

[ Note: Since this is an active security project, the source file and hex code have been withheld. ]
Program Version Platform Content Modified
* Unavailable *

Control program layout

Software Design

Keypad Noise Rejection

The original Mark 1 designs called for a software lowpass filter to the key input routines for noise rejection purposes. According to 74C922 literature, the 0.1uF capacitor (C7) should allow the encoder to transmit up to 600 characters per second. Even though this exceeded our usual goal of 60 scans per second, noise rejection software was omitted after testing suggested it was unnecessary.

Data

Project's Development Review

Project hardware development went surprisingly smoothly, with no significant errors or pitfalls to speak of. This was attributed to the availability of well-documented components.

Software development happened to hit a few problems during the EEPROM read tests. This bug was caused by a corrupt byte at address 0x00 of the AVR's internal EEPROM array, and hence was not detected by the software simulation. The bug was corrected by avoiding the corrupt area and moving the password to the next available byte, 0x02.

Project's Operation Review

1000-hour Test: Review

The Security Keypad was powered by a large unknown battery and left in the "active" state for a period of 42 calendar days. At the end of the 42nd day, the disarming code was entered, and the device responded normally. Next, power was removed and the program was uploaded to a computer for inspection. The inspection revealed no change had occurred in either the Flash or EEPROM memories, indicating that the device was still operational.

This test was performed in the indoor setting.

Weatherproofing Test: Preview

A weatherproofing test will be performed in the future by subjecting the security device to a salt water spray for a period of time. Logic components will be removed in this exercise.

Summary

The lack of a programming lockout feature for the AVR 2313 controller chip was a disappointment. Luckily, the chip's replacement, the Tiny 2313, supports full lockout behavior and is compatible with the Security Keypad's software and hardware. If the project is ever revised in the future, the top priority will be implementing the level-3 lockout.

The addition of an audio cue to indicate a keypress may be useful in future modifications. This feature was used in the Security Keypad's successor, the E-12 Secure Monitor.

Questions

Here is a list of questions that relate to access control engineering in general.

Q: Will the EEPROM save the password if the battery dies?
A: Yes! The password should be completely unaffected unless there is significant noise on the power bus when the EEPROM is operating. The presence of the 7805 regulator should mitigate the risk.

Q: How do passwords get stolen?
A: Some professional thieves may apply keystroke-counting and fingerprinting to try to extrapolate a password. Counteract this by choosing a long "random-looking" password.

Q: Just how good are keypad locks?
A: In general, the industry considers a keypad-only system to be less secure. This happens because authorized users have been known to "lend" out security codes to outsiders as favors. The problem is that all the outsider has to do is memorize the code and return whenever they feel like it. The most secure systems have multiple security layers, plus a set of other authenticators like card readers.

Q: What are lockbits?
A: Lockbits will allow you to disable further chip programming by activating certain lockout features. A Mode 2 lock disallows chip reprogramming. A Mode 3 lock disallows both reprogramming and verification, and will make the program "invisible" to the outside. Once a lock mode is set, it can't be changed to a lower degree of protection without running a chip erase. More details on lockbits can be found at Atmel.com.




Email: brm016000@utdallas.edu
Copyright (C) 2003-2005 Digitan