Emergency access control management via attribute based encrypted QR codes

Gochhayat S. P.; Conti M.
2018

Abstract

In dynamic environments such as disaster management, mechanisms for the controlled override of access restrictions, a.k.a. break-glass, need to be supported. These access control mechanisms should ensure access to facilities, for example, an office building, in an emergency situation, without relying on the use of an online authentication server, as connectivity might not be available. In this paper, we propose a break-glass access control mechanism based on a novel use of QR codes, Shamir's Secret Sharing Scheme and Attribute Based Encryption. Our proposed solution is such that a secret access key is split using Shamir's secret sharing scheme and encrypted using attribute based encryption, then encoded in a QR code. Subsequently, emergency actors scan the QR code and recover the individual secret key using their attributes satisfying an access policy associated with the ciphertext. The novelty of our solution lies in the fact that flexible access control is ensured only when a sufficient number of authorized users collaborate to get access to a building without requiring an online third party. In addition, the access secret key is only decrypted by the authorized users thanks to the use of an attribute based encryption scheme. Finally, we demonstrate the feasibility and the efficiency of the solution by implementing a prototype and analysing its performance.
2018 IEEE Conference on Communications and Network Security, CNS 2018
978-1-5386-4586-4
Use this identifier to cite or link to this document: https://hdl.handle.net/11577/3340666