For stand-alone offline systems I would suggest trying HMAC-SHA1 like @StarGate01 mentioned. You set keys 1 and 2 and then you can present challenges to it. If you present the same challenge over, you get back the same thing every time. Present different challenges and you get back different responses. It’s a simple data conversion machine based on secret keys.
This is how it can be useful:
Registration
- put lock in “register mode”
- present Apex
- lock sends random challenge to Apex
- Apex responds
- lock stores challenge and response
- Apex is registered
Authentication
- Apex presented to lock
- lock sends stored challenge
- Apex responds
- lock checks response (match)
- lock sends new random challenge
- Apex responds
- lock stores new challenge and response (rolling code)
This way, the lock never needs to know the secret key stored in the Apex, it simply needs to know that the Apex will respond with the same response it expects to receive. Once it does so, the lock can roll the challenge so risk of replay attack is extremely limited.
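The registration and authentication flow described in the post above, as an added example that is not part of the original post or any vendor code. The `Token`, `Recorded` and `Lock` classes, the 20-byte key and the 32-byte challenge length are assumptions made for the simulation.

```python
import hashlib
import hmac
import os

class Token:
    """Simulated Apex slot: answers a challenge with HMAC-SHA1 under its secret key."""
    def __init__(self, key: bytes):
        self._key = key  # stays on the token, the lock never sees it

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha1).digest()

class Recorded:
    """Constructed test device that can only repeat one previously seen response."""
    def __init__(self, response: bytes):
        self._response = response

    def respond(self, challenge: bytes) -> bytes:
        return self._response

class Lock:
    """Holds one (challenge, expected response) pair and no key material."""
    def __init__(self):
        self.challenge = None
        self.expected = None

    def register(self, token) -> None:
        # Register mode: pick a random challenge and store the token's answer.
        self.challenge = os.urandom(32)  # challenge length is an assumption
        self.expected = token.respond(self.challenge)

    def authenticate(self, token) -> bool:
        if self.challenge is None:
            return False  # nothing registered yet
        response = token.respond(self.challenge)
        if not hmac.compare_digest(response, self.expected):
            return False  # wrong token or stale response: keep the stored pair
        self.register(token)  # match: roll to a new challenge/response pair
        return True

def demo():
    apex, lock = Token(os.urandom(20)), Lock()
    lock.register(apex)
    old_response = lock.expected
    first = lock.authenticate(apex)                     # genuine token, then roll
    replay = lock.authenticate(Recorded(old_response))  # stale response after roll
    other = lock.authenticate(Token(os.urandom(20)))    # token with a different key
    again = lock.authenticate(apex)                     # genuine token still works
    return first, replay, other, again
```

`demo()` returns the outcome of four presentations in order: the registered token, a device repeating the pre-roll response, a token holding a different key, and the registered token again.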