Every smart lock on the market has limited storage, which restricts how certain aspects are handled. In this post, we take a closer look at the size limit of revocation lists, which specifically affects the revocation of NFC transponders.
Revocation is initiated when a Smartphone User or an NFC Transponder needs to have their access blocked. This is despite the fact that the user or transponder has previously been granted access that has not yet expired. If a previously issued key (be it smartphone-based or transponder-based) needs to be revoked, it is added to what is called the revocation list (short: RCL), which is then transferred to the affected lock. The lock will then block access to any user or transponder listed in the RCL.
Within the Tapkey App, the revocation process is started when an NFC transponder is marked as lost. In contrast, when using the ‘Remove grants’ function, the transponder’s keys will not be added to the RCL. The transponder stays functional until it is either synchronized or marked as lost.
Due to the limited amount of storage available on locking devices, the RCL is limited in size as well. So if too many keys are added to the RCL, the available capacity can be exceeded, which is called an overflow of the RCL. In the case of smartphone-based keys, a potential overflow is handled automatically by the Tapkey system. This is possible because smartphones usually have internet connectivity, which allows for the automatic renewal of affected keys. However, when it comes to NFC transponders, an overflow of the RCL needs special attention. The strategy of how Tapkey deals with such a situation is outlined in this article. Note that the revocation lists for smartphone-based keys and NFC transponders are distinct, so the revocation of grants issued to smartphone users will never have side effects on NFC transponders.
The first and most effective method to avoid an overflow is to keep the RCL as small as possible. For that reason, Tapkey does not add a key to the RCL, or even removes it from the RCL, if one of the following applies:
- The key’s validity date has expired.
- The affected NFC transponder is synchronized with the Tapkey system (usually by using the Tapkey app). In this case, the key is securely and reliably deleted from the transponder, removing the need to keep it listed in the RCL.
The items we are going to cover in this post are the following:
Overflow strategies
To make this easier to picture, we will use a hypothetical scenario with an Owner who has 10 transponders and 1 lock, where the lock has space for 5 items in its revocation list (please note that on real locking devices the size is significantly larger).
To start with the example, we are going to assume that the Owner has already registered all the transponders and has given them permission to the Tapkey Smart Lock.
Info: For a Tapkey-enabled NFC transponder to access a certain lock, it needs to store keys for the given lock or one of the lock’s groups. Each key that is stored on a transponder is automatically assigned a serial number. Each transponder can hold multiple keys for multiple locks or groups. Serial numbers increase over time, so keys being issued earlier have lower serial numbers for a certain lock than those issued later. When a transponder is synchronized, it can even receive new keys with new serial numbers. When referring to a transponder’s serial number throughout this text, we refer to the serial number of the key stored on the given transponder for the given lock.
The Owner finds that several transponders have been lost and must be marked as revoked. In this scenario, we assume that transponders 3, 4, 5, 6, 7, and 9 have been lost.
How to deactivate lost or stolen transponders
After marking the transponders as Lost or stolen, the Tapkey Trust Service will add them to the affected lock’s revocation list. Because 6 transponders have been revoked but there’s only space for 5 keys to be listed in the RCL, there’s an overflow.
The diagram above illustrates that because of the limited capacity, transponder number 3 cannot be added to the RCL, even though it has been revoked. The RCL is too small to hold all items, and Tapkey prefers adding transponders that have been issued more recently (and therefore have a greater serial number) over those that have been issued earlier. The transponder with serial number 4 is the oldest one that still fits into the revocation list. We’ll refer to this item as the Overflow marker.
For all transponders with a serial number greater than or equal to 4, the lock can find out, by looking at the revocation list, whether a transponder has been revoked or not. For example, it is clear that 8 is still valid, while 5 must be blocked. However, for transponders with a serial number lower than 4 (i.e. those that have been issued earlier than s/n 4), the lock cannot know whether they have been revoked or not. There are at least two ways to deal with such a situation, so Tapkey locks can be configured to one of two modes: Restrictive or Lenient.
Restrictive Mode (Default)
In this mode, the lock will block access for all overflowed keys. In the example, even though transponders 1 and 2 should still be allowed to use the lock, they will be blocked together with transponder 3 because the revocation list lacks the information needed to tell them apart.
This mode is the default and should be used in most cases. Due to the automatic RCL-cleanup strategies implemented by Tapkey, an overflow of the RCL is quite unlikely to happen, making this the best choice in most cases except for those listed for the lenient mode. If an overflow still happens, affected transponders may be synchronized in order to make them work again.
Lenient Mode
In this mode, the lock will give access to all overflowed keys (except if they have expired or are blocked for another reason). In this example, transponder 3 would not be blocked by the lock, even though it has been marked as revoked.
This mode should be applied if all of the following apply:
- The number of transponders able to access the particular lock is high.
- The transponders are issued with unlimited validity (i.e. they don’t expire).
- The level of security required is reduced, e.g. because additional locks configured to the Restrictive mode are installed inside the building.
- The cost of valid transponders being blocked is potentially high.
This mode is typically used for semi-public zones or public parts of multi-tenant or office buildings. It is specially designed for scenarios where:
- Giving people access has high priority in order to reduce side effects, such as residential usage where people are unlikely to be able to recover by themselves if their transponders stop working.
- The management of transponders is distributed, as in multi-tenant buildings: issues with the revocation lists are not centrally managed, transponder access for the same locks is managed by multiple managers, and side effects can be spread out and difficult to predict.
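The overflow scenario and the two modes described above can be reproduced with a small model. This is an added example, not Tapkey's code: the function names, the `cleaned_up` parameter and the set-based list are assumptions made for illustration, and only the selection rule (newest serial numbers first) and the two modes come from the article.

```python
from enum import Enum

class Mode(Enum):
    RESTRICTIVE = "restrictive"  # the default mode described in the article
    LENIENT = "lenient"

def build_rcl(revoked, capacity, cleaned_up=()):
    """Model of the list sent to a lock: returns (rcl, overflow_marker).

    cleaned_up holds serials that need no entry (key expired, or transponder
    synchronized). overflow_marker is None when every revoked key fits.
    """
    if capacity < 1:
        raise ValueError("capacity must be at least 1")
    # Newest keys (highest serial numbers) are kept first.
    candidates = sorted(set(revoked) - set(cleaned_up), reverse=True)
    rcl = set(candidates[:capacity])
    marker = min(rcl) if len(candidates) > capacity else None
    return rcl, marker

def lock_grants_access(serial, rcl, marker, mode):
    """Decision for one non-expired key presented to the lock."""
    if serial in rcl:
        return False                      # explicitly revoked
    if marker is not None and serial < marker:
        return mode is Mode.LENIENT       # overflowed: status unknown to the lock
    return True                           # covered by the list and not revoked

def granted(serials, rcl, marker, mode):
    """Serials from the given collection that the lock would let in."""
    return [s for s in serials if lock_grants_access(s, rcl, marker, mode)]

# Scenario from the article: 10 transponders, capacity 5, six marked as lost.
TRANSPONDERS = range(1, 11)
LOST = {3, 4, 5, 6, 7, 9}
RCL, MARKER = build_rcl(LOST, capacity=5)

if __name__ == "__main__":
    print("RCL:", sorted(RCL), "overflow marker:", MARKER)
    for mode in Mode:
        print(mode.value, "->", granted(TRANSPONDERS, RCL, MARKER, mode))
```

In Restrictive mode the valid transponders 1 and 2 are blocked along with the revoked transponder 3, while in Lenient mode all three are admitted, which is the trade-off to weigh when choosing the mode.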
How to enable the Lenient Mode
This section shows how to enable the Lenient Mode. In the Tapkey app, navigate to the lock details and tap the Settings tab.
1. Tap the + button to add the "Lenient RCL.." setting.
2. A modal window will open. Set the Property field to “Lenient RCL overflow strategy” and the value to On. Once selected, tap "Save".
3. A confirmation window will appear, notifying you that the lock must be synchronized after this change. Tap OK to continue.
4. Once finished, the Settings page should display the configured value above.
You are almost done! Finally, synchronize the lock following this guide.