
CN115085911B - Security enhancement method and system based on entrance guard - Google Patents


Info

Publication number: CN115085911B
Authority: CN (China)
Prior art keywords: access control, mobile terminal, key, information, card reader
Legal status: Active (Google's assumed status, not a legal conclusion)
Application number: CN202210527673.7A
Other languages: Chinese (zh)
Other versions: CN115085911A
Inventors: 梁松涛, 彭金辉, 李鑫, 李顶占
Current assignee: Zhengzhou Xinda Jiean Information Technology Co Ltd
Original assignee: Zhengzhou Xinda Jiean Information Technology Co Ltd
Priority date:
Filing date:
Publication date:
Events: application filed by Zhengzhou Xinda Jiean Information Technology Co Ltd; priority to CN202210527673.7A; publication of CN115085911A; application granted; publication of CN115085911B; legal status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C 9/00 Individual registration on entry or exit
    • G07C 9/20 Individual registration on entry or exit involving the use of a pass
    • G07C 9/22 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder
    • G07C 9/23 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder by means of a password
    • G07C 9/27 Individual registration on entry or exit involving the use of a pass with central registration
    • G07C 9/30 Individual registration on entry or exit not involving the use of a pass
    • G07C 9/32 Individual registration on entry or exit not involving the use of a pass in combination with an identity check
    • G07C 9/37 Individual registration on entry or exit not involving the use of a pass in combination with an identity check using biometric data, e.g. fingerprints, iris scans or voice recognition
    • G07C 9/38 Individual registration on entry or exit not involving the use of a pass with central registration

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Human Computer Interaction (AREA)
  • Lock And Its Accessories (AREA)

Abstract

The invention provides an access-control-based security enhancement method and system. The access control card reader selects, according to a synchronised key pointer, one of its n locally stored derived keys as the first real-time unlocking key, generates a random number, encrypts the random number with that key, and sends the ciphertext to the access control APP on a mobile terminal over an NFC communication link. The APP selects the derived key at the same synchronised key pointer from the n derived keys in its card application as the second real-time unlocking key, decrypts the ciphertext with it and returns the plaintext to the reader. The reader checks whether the plaintext equals the random number; if it does, it further checks whether the corresponding seed key has passed its validity time, and if it has not, the reader opens the door. The invention improves both user convenience and the security of the access control system.

Description

Security enhancement method and system based on entrance guard
Technical Field
The invention relates to the technical field of intelligent door locks, and in particular to an access-control-based security enhancement method and system.
Background
Existing access control systems in residential communities and offices come in many varieties, including simple card-swipe systems: the user carries a door card holding a user identifier and holds it against the card reader on entry; if the card is authorised, a background server sends the access control system a message permitting entry, and the system opens the door fitted with that reader. The advantages are simple equipment and a simple entry procedure for the user. The drawback is just as obvious: if the card is lost, anyone who picks it up can enter at will, which is a serious challenge for residential and office security.
Consequently, it has been proposed to copy the access card's data with a mobile phone and keep the copy in the phone's wallet as a cloned card. To open the door, the phone communicates with the access control card reader over NFC, and if the copied data in the wallet is authorised, the reader opens the door. The user no longer has to carry a door card, but the level of security is still low, because anyone can copy and obtain the card data.
Disclosure of Invention
In view of the above, there is a need for an access-control-based security enhancement method and system that improves user convenience and, at the same time, effectively improves the security of the access control system.
The first aspect of the invention provides an access-control-based security enhancement method comprising the following steps:
Step 1: the access control APP is downloaded and installed on the mobile terminal and registers the user's information with the cloud platform, and the access control card reader registers its own device identification information with the cloud platform;
Step 2: the cloud platform establishes a binding between the user information and the device identification information, generates an AID and a PIN code for that binding, and sends both to the access control APP on the mobile terminal and to the access control card reader; the APP creates a card application from the received AID and stores the PIN code in it;
Step 3: the cloud platform generates a seed key, sets the seed key's validity time according to management requirements, and defines a synchronised key pointer;
Step 4: the cloud platform sends the seed key, its validity time and the synchronised key pointer to the access control card reader, and sends the seed key and the synchronised key pointer to the card application on the mobile terminal;
Step 5: the access control APP on the mobile terminal and the access control card reader each generate n derived keys from the same seed key with the same key derivation algorithm and store them locally;
Step 6: when the mobile terminal approaches the access control card reader, the reader and the terminal establish an NFC communication link on the basis of the same AID and PIN code;
Step 7: the access control card reader selects, according to the synchronised key pointer, one of its n locally stored derived keys as the first real-time unlocking key, generates a random number, encrypts the random number with that key to obtain the ciphertext, and sends the ciphertext to the access control APP on the mobile terminal over the NFC link;
Step 8: the access control APP selects, according to the synchronised key pointer, one of the n derived keys in the card application as the second real-time unlocking key, decrypts the ciphertext with that key to obtain the plaintext, and returns the plaintext to the access control card reader over the NFC link;
Step 9: the access control card reader checks whether the plaintext equals the random number; if it does, the reader further checks whether the corresponding seed key has passed its validity time, and if it has not, the reader opens the door.
The invention further provides an access-control-based security enhancement system comprising a mobile terminal, an access control card reader and a cloud platform; the mobile terminal and the reader each communicate with the cloud platform over the network, and the mobile terminal and the reader communicate with each other at close range;
the mobile terminal is used to download and install the access control APP and to register the user information with the cloud platform through the APP;
the cloud platform is used to establish the binding between the user information and the device identification information of the access control card reader; to generate an AID and a PIN code from that binding and send them to the access control APP on the mobile terminal and to the reader, whereupon the APP creates a card application from the AID and stores the PIN code in it; to generate a seed key, set its validity time according to management requirements and define a synchronised key pointer; and to send the seed key, its validity time and the synchronised key pointer to the reader and the seed key and the synchronised key pointer to the card application on the mobile terminal, so that the APP and the reader each generate n derived keys from the same seed key with the same key derivation algorithm and store them locally;
the access control APP on the mobile terminal is used to select, according to the synchronised key pointer, one of the n derived keys in the card application as the second real-time unlocking key, decrypt the ciphertext received from the reader with that key to obtain the plaintext, and return the plaintext to the reader over the NFC communication link;
the access control card reader is used to register its own device identification information with the cloud platform; to establish an NFC communication link with the mobile terminal, on the basis of the same AID and PIN code, when the terminal approaches the reader; to select, once the link is established, one of its n local derived keys according to the synchronised key pointer as the first real-time unlocking key, generate a random number, encrypt it with that key to obtain the ciphertext and send the ciphertext to the APP over the NFC link; and to check whether the plaintext returned by the mobile terminal equals the random number, and if so, whether the corresponding seed key has passed its validity time, opening the door if it has not.
In the invention, the keys on the mobile terminal and on the access control card reader are kept in step by means of the synchronised pointer, and the access control operation is carried out with the synchronised key, so the user need not carry a traditional access card at any point, which improves convenience. In addition, the key used for the access control operation changes from one operation to the next; even if a third party steals all of the derived keys, they cannot perform a normal access control operation without the synchronised pointer, or with a pointer that is out of sync, so replay attacks by a third party using stolen keys are effectively prevented and the security of the access control system is further improved.
Additional aspects and advantages of the invention will be set forth in part in the description which follows, or may be learned by practice of the invention.
Drawings
The foregoing and/or additional aspects and advantages of the invention will become apparent and may be better understood from the following description of embodiments taken in conjunction with the accompanying drawings in which:
FIG. 1 shows a flow chart of a door access based security enhancement method of the present invention;
Fig. 2 shows a block diagram of a door access based security enhancement system of the present invention.
Detailed Description
In order that the above-recited objects, features and advantages of the present application will be more clearly understood, a more particular description of the application will be rendered by reference to the appended drawings and appended detailed description. It should be noted that, without conflict, the embodiments of the present application and features in the embodiments may be combined with each other.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways than those described herein, and therefore the scope of the present invention is not limited to the specific embodiments disclosed below.
Example 1
As shown in Fig. 1, the invention provides an access-control-based security enhancement method comprising the following steps:
Step 1: the access control APP is downloaded and installed on the mobile terminal and registers the user's information with the cloud platform, and the access control card reader registers its own device identification information with the cloud platform;
Step 2: the cloud platform establishes a binding between the user information and the device identification information, generates an AID and a PIN code for that binding, and sends both to the access control APP on the mobile terminal and to the access control card reader; the APP creates a card application from the received AID and stores the PIN code in it;
Step 3: the cloud platform generates a seed key, sets the seed key's validity time according to management requirements, and defines a synchronised key pointer;
Step 4: the cloud platform sends the seed key, its validity time and the synchronised key pointer to the access control card reader, and sends the seed key and the synchronised key pointer to the card application on the mobile terminal;
Step 5: the access control APP on the mobile terminal and the access control card reader each generate n derived keys from the same seed key with the same key derivation algorithm and store them locally;
Step 6: when the mobile terminal approaches the access control card reader, the reader and the terminal establish an NFC communication link on the basis of the same AID and PIN code;
Step 7: the access control card reader selects, according to the synchronised key pointer, one of its n local derived keys as the first real-time unlocking key, generates a random number, encrypts the random number with that key to obtain the ciphertext, and sends the ciphertext to the access control APP on the mobile terminal over the NFC link;
Step 8: the access control APP selects, according to the synchronised key pointer, one of the n derived keys in the card application as the second real-time unlocking key, decrypts the ciphertext with that key to obtain the plaintext, and returns the plaintext to the access control card reader;
Step 9: the access control card reader checks whether the received plaintext equals the random number (the one generated in step 7); if it does, the reader further checks whether the corresponding seed key has passed its validity time, and if it has not, the reader opens the door.
In general, the device identification information of the access control card reader is registered with the cloud platform when the reader leaves the factory or is delivered to the customer. When a user needs access to a door, the user sends a request to the cloud platform containing at least the user information and the identification of the access control card reader to be opened; the cloud platform checks the request and, if the check passes, establishes the binding between the user information and that reader.
In hotels, guesthouses, apartments and similar premises, access only needs to be granted to a user for a limited period, valid during the stay; the invention therefore manages access rights along the time dimension by setting a validity time on the seed key.
Because the cloud platform establishes the binding from user information and device identification information and generates the AID and PIN code from that binding, several different users can be bound to the same device identification in a many-to-one relationship. When several users jointly manage and use the same access control card reader, the cloud platform generates a corresponding number of groups, each consisting of an AID, a PIN code, a seed key, the seed key's validity time and a synchronised key pointer; it sends each group's AID, PIN code, seed key and synchronised key pointer to the access control APP of the corresponding mobile terminal (the one matching the user information), and sends all groups' AIDs, PIN codes, seed keys, validity times and synchronised key pointers to the same access control card reader;
in this way, by binding different user information to the same device identification many-to-one, the invention allows the access control APPs of different mobile terminals to manage the same door securely.
After the many-to-one binding is established, the access control card reader therefore holds several groups of access management information (AID, PIN code, seed key, validity time of the seed key and synchronised key pointer), one per mobile terminal's access control APP. The seed key, validity time and synchronised key pointer can differ between groups, so the access control APPs of different mobile terminals do not affect one another when they jointly manage the same door.
Further, in step 6, the access control card reader and the mobile terminal establish the NFC communication link on the basis of the AID and the PIN code as follows:
the access control card reader generates an adaptation request containing the AID and sends it to the mobile terminal;
the mobile terminal traverses its local card package to find the card application whose AID matches the one in the adaptation request;
after receiving the mobile terminal's response that a matching card application was found, the access control card reader sends the mobile terminal a PIN verification instruction containing the PIN code;
the matching card application on the mobile terminal compares the PIN code in the instruction with its stored PIN code and, if they are the same, returns a verification-passed message.
The AID is the identifier of a card application. Because the card package on the mobile terminal may hold several card applications, each with its own AID, the terminal is traversed for the card application whose AID matches that of the current access control card reader; if one is found, PIN verification proceeds, otherwise a read-failure message is returned.
When the access control APPs of different mobile terminals jointly manage and use the same door, the AID and PIN code differ between the groups of access management information;
since the access control card reader may hold several AIDs, it obtains the AID to put in the adaptation request as follows:
when the mobile terminal approaches the access control card reader, the terminal communicates with the reader over NFC, the reader reads the terminal's device identification (or NFC identification), and looks up the corresponding AID in its stored mapping from mobile terminal device identification (or NFC identification) to access management information.
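The step-6 link set-up as a two-message exchange, written here as an added example rather than taken from the patent: a reader holding several (NFC identification, AID, PIN) groups sends the adaptation request, the card package searches for the AID, and the reader then sends the PIN verification instruction. The message names, the use of the NFC identification as the reader's lookup key and the digit-string PIN format are assumptions; the patent does not specify them.

```python
"""Added example, not the patent's code: the step-6 link set-up as a message exchange.
Assumed: message names, NFC identification as the reader's lookup key, digit-string PINs."""
import hmac


class CardPackage:
    """Mobile terminal side: the card package holding one card application per AID."""
    def __init__(self, apps: dict):
        self.apps = dict(apps)      # AID -> PIN code stored in that card application (step 2)
        self.selected = None        # AID chosen by the last adaptation request

    def handle(self, msg: tuple) -> tuple:
        kind, value = msg
        if kind == "ADAPT":         # adaptation request: traverse the package for this AID
            self.selected = value if value in self.apps else None
            return ("FOUND", value) if self.selected else ("READ_FAIL", value)
        if kind == "VERIFY_PIN" and self.selected is not None:
            ok = hmac.compare_digest(self.apps[self.selected].encode(), value.encode())
            return ("PIN_OK" if ok else "PIN_FAIL", self.selected)
        return ("ERROR", kind)


class LinkReader:
    """Reader side: one (AID, PIN) group per NFC identification, for many-to-one bindings."""
    def __init__(self, groups: dict):
        self.groups = dict(groups)  # nfc_id -> (AID, PIN code)

    def establish(self, nfc_id: str, card: CardPackage) -> tuple:
        """Return (link established?, transcript of the card package's replies)."""
        transcript = []
        if nfc_id not in self.groups:   # no access management information for this terminal
            return False, transcript
        aid, pin = self.groups[nfc_id]
        reply = card.handle(("ADAPT", aid))
        transcript.append(reply)
        if reply[0] != "FOUND":         # read failure: no card application with this AID
            return False, transcript
        reply = card.handle(("VERIFY_PIN", pin))
        transcript.append(reply)
        return reply[0] == "PIN_OK", transcript
```

The reader stops at the first failed step and returns the transcript, so the failure point (unknown terminal, no matching card application, or PIN mismatch) is visible. As the page describes it, the PIN code itself is carried in the verification instruction over the NFC link and nothing is said about protecting that link, so in this design the AID and PIN exchange selects and confirms the card application; the actual proof of key possession is the challenge-response in steps 7 to 9.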
Further, after step 9 the method also includes the following steps:
after the access control card reader has sent the mobile terminal a message that the door was opened successfully, it advances its local synchronised key pointer to the next position;
after the mobile terminal receives that message, it advances its local synchronised key pointer to the next position, so that the pointer updated on the reader and the pointer updated on the mobile terminal remain the same.
When the access control APPs of different mobile terminals jointly manage and use the same door, the synchronised key pointers of different groups of access management information may differ; what matters is that the pointer held by a given mobile terminal's APP and the pointer in the matching group on the reader are the same before the update and the same after it.
Furthermore, the synchronised key pointer behaves like a clock hand: the mobile terminal and the access control card reader start from the same initial position; there are m preset positions, each corresponding to a different derived key, with m less than or equal to n; and the m positions cycle through the n derived keys periodically.
The synchronised key pointer thus points to the storage location of a derived key.
Because the derived keys and the pointer are held locally on both sides, the mobile terminal and the access control card reader can complete the access control authentication offline, quickly and securely, when the terminal approaches the reader, which improves the user experience.
Further, step 9 also includes the following:
if the corresponding seed key is found to have passed its validity time, an access-failure message is returned to the mobile terminal.
Specifically, the mobile terminal may be a mobile phone, a smart watch or any other portable device that can run the access control APP and has an NFC communication function.
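An end-to-end, runnable version of steps 3 to 9 (as listed in both the summary and Example 1) together with the post-success pointer update and the m-position clock pointer, added here as an example; it is not the patent's code. The patent names neither the key derivation algorithm nor the cipher: HMAC-SHA256 over the key index is assumed for derivation, and a 4-round Feistel network with HMAC-SHA256 round functions stands in for the unspecified block cipher so the example runs with only Python's standard library. Pointer position p selecting derived key p is also an interpretation of the text. The constructed scenarios at the end cover two successful openings, a cloned card application that holds every derived key but a stale pointer, and an expired seed key.

```python
"""Added example, not the patent's code: steps 3 to 9 and the post-success pointer update.
Assumed: HMAC-SHA256 key derivation, a Feistel/HMAC stand-in block cipher, pointer p -> key p."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

BLOCK, HALF = 32, 16   # the random number is exactly one 32-byte cipher block

def derive_keys(seed: bytes, n: int) -> list:
    """Step 5: n derived keys from one seed (assumed KDF: HMAC-SHA256(seed, index))."""
    return [hmac.new(seed, i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n)]

def _f(key: bytes, i: int, half: bytes) -> bytes:
    """Round function i of the stand-in cipher: truncated HMAC-SHA256."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def block_cipher(key: bytes, block: bytes, encrypt: bool) -> bytes:
    """Stand-in 256-bit block cipher: 4-round Feistel network (an assumption, see lead-in)."""
    assert len(block) == BLOCK
    l, r = block[:HALF], block[HALF:]
    for i in (range(4) if encrypt else range(3, -1, -1)):
        l, r = (r, _xor(l, _f(key, i, r))) if encrypt else (_xor(r, _f(key, i, l)), l)
    return l + r

@dataclass
class Group:
    """One set of access management information held by the reader (step 4)."""
    keys: list
    m: int                   # pointer positions on the "clock", m <= n
    pointer: int = 0
    expires_at: float = 0.0  # seed key validity time; the patent sends it to the reader only

class Reader:
    """Access control card reader; several groups give the many-to-one binding."""
    def __init__(self):
        self.groups, self.pending = {}, {}   # AID -> Group, AID -> outstanding random number

    def challenge(self, aid: str) -> bytes:
        """Step 7: encrypt a fresh random number with the derived key at the pointer."""
        g = self.groups[aid]
        self.pending[aid] = r = secrets.token_bytes(BLOCK)
        return block_cipher(g.keys[g.pointer], r, encrypt=True)

    def verify(self, aid: str, plaintext: bytes, now: float) -> str:
        """Step 9: compare with the random number, check validity, then advance the pointer."""
        g, r = self.groups[aid], self.pending.pop(aid, None)
        if r is None or not hmac.compare_digest(plaintext, r):
            return "denied: response mismatch"
        if now > g.expires_at:
            return "denied: seed key expired"
        g.pointer = (g.pointer + 1) % g.m      # next clock position, only after success
        return "open"

class CardApp:
    """Card application inside the mobile terminal's access control APP."""
    def __init__(self, keys: list, m: int):
        self.keys, self.m, self.pointer = keys, m, 0

    def respond(self, ciphertext: bytes) -> bytes:
        """Step 8: decrypt with the derived key at the local pointer and return the plaintext."""
        return block_cipher(self.keys[self.pointer], ciphertext, encrypt=False)

    def on_open_success(self):
        self.pointer = (self.pointer + 1) % self.m

def provision(reader: Reader, aid: str, n=8, m=4, now=0.0, validity=86400.0) -> CardApp:
    """Steps 3 to 5 as the cloud platform performs them; returns the provisioned card app."""
    seed = secrets.token_bytes(32)
    reader.groups[aid] = Group(derive_keys(seed, n), m, 0, now + validity)
    return CardApp(derive_keys(seed, n), m)

def unlock(reader: Reader, aid: str, card: CardApp, now: float) -> str:
    """One NFC session: steps 7 to 9 plus the pointer update on both sides."""
    result = reader.verify(aid, card.respond(reader.challenge(aid)), now)
    if result == "open":
        card.on_open_success()
    return result

def run_scenarios() -> dict:
    """Constructed scenarios: two openings, a cloned card with a stale pointer, expiry."""
    reader = Reader()
    card = provision(reader, "A0000001", now=1000.0)
    out = {"first": unlock(reader, "A0000001", card, now=1001.0)}
    out["second"] = unlock(reader, "A0000001", card, now=1002.0)
    out["pointers"] = (reader.groups["A0000001"].pointer, card.pointer)
    clone = CardApp(list(card.keys), card.m)   # every derived key, but pointer still at 0
    out["clone"] = unlock(reader, "A0000001", clone, now=1003.0)
    out["after_expiry"] = unlock(reader, "A0000001", card, now=1000.0 + 86400.0 + 1)
    return out
```

Both sides advance their pointer only after the reader has reported success, as the steps following step 9 describe; the page gives no resynchronisation procedure, so an implementation would need one for the case where the success message is lost, since the next challenge would then be decrypted with the wrong key and denied. The validity time is held by the reader alone (step 4 does not send it to the card application), so expiry is enforced only at the reader, and the comparison of the returned plaintext with the random number is done in constant time.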
Example 2
Based on the embodiment 1, the embodiment provides a specific implementation manner of a security enhancement system based on entrance guard, as shown in fig. 2;
The security enhancement system based on the entrance guard comprises a mobile terminal, an entrance guard card reading device and a cloud platform, wherein the mobile terminal and the entrance guard card reading device are respectively in network communication with the cloud platform, and the mobile terminal and the entrance guard card reading device are in near-end communication;
the mobile terminal is used for downloading and installing an access control APP and registering user information to the cloud platform through the access control APP;
The cloud platform is used for establishing a binding relation between the user information and the equipment identification information of the access card reading equipment, generating an AID and a PIN code based on the binding relation, respectively sending the AID and the PIN code to an access control APP of the mobile terminal and the access card reading equipment, generating a card application based on the AID by the access control APP of the mobile terminal and storing the PIN code in the card application, generating a seed key, setting the effective time of the seed key according to management requirements, simultaneously, formulating a synchronous key pointer, sending the seed key, the effective time of the seed key and the synchronous key pointer to the access card reading equipment, and sending the seed key and the synchronous key pointer to the card application of the mobile terminal, so that the access control APP of the mobile terminal and the access card reading equipment respectively generate n identical derivative keys based on the same seed key and the same key derivative algorithm, and locally store the n identical derivative keys;
The access control APP of the mobile terminal is used for extracting one derivative key from n derivative keys in the card application according to the synchronous key pointer to serve as a second real-time unlocking key, decrypting ciphertext information from the access control card reading equipment by adopting the second real-time unlocking key to obtain plaintext information, and returning the plaintext information to the access control card reading equipment through the NFC communication link;
The access control card reading device is used for registering self device identification information to the cloud platform, establishing an NFC communication link with the mobile terminal based on the same AID and PIN code when the mobile terminal is close to the cloud platform, extracting a derivative key from n local derivative keys according to the synchronous key pointer to serve as a first real-time unlocking key to generate a random number, encrypting the random number by the first real-time unlocking key to obtain ciphertext information, then sending the ciphertext information to an access control APP of the mobile terminal through the NFC communication link, and further comparing whether plaintext information from the mobile terminal is consistent with the random number or not, if so, continuing to judge whether the corresponding seed key exceeds the effective time, and if not, executing access control opening operation.
In operation, when the mobile terminal comes close to the access control card reading device, the two establish an NFC communication link based on the same AID and PIN code. The access control card reading device extracts, according to the synchronous key pointer, one derivative key from its n local derivative keys to serve as the first real-time unlocking key, generates a random number, encrypts the random number with the first real-time unlocking key to obtain ciphertext information, and sends the ciphertext information to the access control APP of the mobile terminal through the NFC communication link. The access control APP of the mobile terminal extracts, according to the same synchronous key pointer, one derivative key from the n derivative keys in the card application to serve as the second real-time unlocking key, decrypts the ciphertext information with the second real-time unlocking key to obtain plaintext information, and returns the plaintext information to the access control card reading device. The access control card reading device then compares whether the plaintext information is consistent with the random number; if it is consistent, the device continues to judge whether the corresponding seed key has exceeded its effective time, and if the effective time has not been exceeded, it executes the door opening operation.
Further, when the access control card reading device and the mobile terminal establish an NFC communication link based on the same AID and PIN code,
The access control card reading device is specifically used for generating adaptation request information based on the AID and transmitting it to the mobile terminal, and for sending a PIN verification instruction to the mobile terminal after receiving a response message from the mobile terminal indicating that the corresponding card application has been found, wherein the adaptation request information carries the AID and the PIN verification instruction carries the PIN code;
The mobile terminal is specifically used for traversing its local card package to find the card application consistent with the AID in the adaptation request information, and, after the corresponding card application on the mobile terminal receives the PIN verification instruction, for comparing whether the PIN code in the PIN verification instruction is consistent with the pre-stored PIN code, returning verification-passed information if the two are consistent.
Further, after the door access opening operation is performed,
The access control card reading device is further used for sending door-opened-successfully information to the mobile terminal and updating its local synchronous key pointer to the next pointer;
The mobile terminal is further used for updating its local synchronous key pointer to the next pointer after receiving the door-opened-successfully information, so that the updated synchronous key pointer of the access control card reading device remains consistent with the updated synchronous key pointer of the mobile terminal.
Furthermore, the synchronous key pointer is clock-shaped, and the initial pointer positions of the mobile terminal and the access control card reading device are the same; the number of preset pointers is m, the m pointers correspond to different derivative keys respectively, m is less than or equal to n, and the m pointers periodically poll the n derivative keys.
According to the invention, keys are synchronized between the mobile terminal and the access control card reading device by means of the synchronous pointer, and the access control operation is performed with the synchronized keys, so that the user does not need to carry a traditional access control card at any point in the process, which improves convenience for the user. In addition, the invention has a one-time-pad property: the real-time unlocking keys used for access control operations at nearby points in time are different, so that even if another party steals all of the derivative keys, normal access control operation is impossible for lack of the synchronous pointer or because the pointer is out of synchronization; a replay attack by another party using stolen keys is thus effectively prevented, and the security of the access control system is further improved.
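The exchange described in the preceding paragraphs (both sides deriving n keys from one seed, the pointer selecting the real-time unlocking key, the reader encrypting a fresh random number, the phone returning the decrypted plaintext, the reader comparing it and checking the seed key's effective time, then both pointers advancing) and the replay and pointer-desynchronization cases discussed just above, as an added Python simulation. This is not code from the patent or its applicant: the patent fixes neither the key derivation algorithm, the cipher, the values of n and m, nor how the clock-shaped pointer maps onto key indices, so HMAC-SHA256 derivation, the IV-plus-keystream cipher, n = 8, m = 5 and the reading of the pointer as a counter (hand at tick mod m, key at tick mod n) are all assumptions.

```python
import hashlib
import hmac
import os

N_KEYS = 8        # n derived keys (constructed value)
M_POSITIONS = 5   # m clock positions on the pointer, m <= n (constructed value)

def derive_keys(seed: bytes, n: int) -> list:
    """n keys from one seed. The patent names no derivation algorithm;
    HMAC-SHA256 over the key index is a stand-in (assumption)."""
    return [hmac.new(seed, i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n)]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in cipher (assumption): IV || (plaintext XOR HMAC(key, IV))."""
    iv = os.urandom(16)
    pad = hmac.new(key, iv, hashlib.sha256).digest()[:len(plaintext)]
    return iv + bytes(p ^ k for p, k in zip(plaintext, pad))

def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:16], ciphertext[16:]
    pad = hmac.new(key, iv, hashlib.sha256).digest()[:len(body)]
    return bytes(c ^ k for c, k in zip(body, pad))

class SyncPointer:
    """Clock-shaped synchronous key pointer: the hand sits at tick mod m and
    selects derived key tick mod n, so m positions poll n keys (assumption)."""
    def __init__(self, m: int, n: int, start: int = 0):
        self.m, self.n, self.tick = m, n, start

    def position(self) -> int:
        return self.tick % self.m

    def key_index(self) -> int:
        return self.tick % self.n

    def advance(self) -> None:
        self.tick += 1

class CardReader:
    """Access control card reading device: keys, pointer and seed effective time."""
    def __init__(self, keys, pointer, seed_expiry):
        self.keys, self.pointer, self.seed_expiry = keys, pointer, seed_expiry
        self.random = None

    def challenge(self) -> bytes:
        # First real-time unlocking key encrypts a fresh random number.
        self.random = os.urandom(16)
        return encrypt(self.keys[self.pointer.key_index()], self.random)

    def verify(self, plaintext: bytes, now: int) -> str:
        # Plaintext must equal the random number, then the seed must be unexpired.
        if self.random is None or not hmac.compare_digest(plaintext, self.random):
            return "REJECT"
        self.random = None               # a challenge is answered at most once
        if now > self.seed_expiry:
            return "EXPIRED"             # seed key past its effective time
        self.pointer.advance()           # next pointer after a successful opening
        return "OPEN"

class PhoneApp:
    """Card application inside the mobile terminal's access control APP."""
    def __init__(self, keys, pointer):
        self.keys, self.pointer = keys, pointer

    def respond(self, ciphertext: bytes) -> bytes:
        # Second real-time unlocking key decrypts the challenge; plaintext is returned.
        return decrypt(self.keys[self.pointer.key_index()], ciphertext)

    def on_opened(self) -> None:
        self.pointer.advance()           # keep in step with the reader

def session(reader: CardReader, phone: PhoneApp, now: int) -> str:
    """One unlocking exchange over the simulated NFC link."""
    result = reader.verify(phone.respond(reader.challenge()), now)
    if result == "OPEN":
        phone.on_opened()
    return result

def demo() -> dict:
    """Normal openings, a replayed answer, a stale pointer, an expired seed."""
    seed = os.urandom(32)                          # seed key issued by the cloud platform
    keys = derive_keys(seed, N_KEYS)               # both sides derive the same n keys
    reader = CardReader(keys, SyncPointer(M_POSITIONS, N_KEYS), seed_expiry=1000)
    phone = PhoneApp(list(keys), SyncPointer(M_POSITIONS, N_KEYS))
    out = {"first": session(reader, phone, now=10)}
    captured = phone.respond(reader.challenge())   # second opening; answer recorded
    out["second"] = reader.verify(captured, now=20)
    phone.on_opened()
    reader.challenge()                             # fresh random number...
    out["replay"] = reader.verify(captured, now=30)  # ...so the old answer fails
    stale = PhoneApp(list(keys), SyncPointer(M_POSITIONS, N_KEYS))  # all keys, pointer never advanced
    out["desync"] = reader.verify(stale.respond(reader.challenge()), now=40)
    out["pointers_agree"] = reader.pointer.tick == phone.pointer.tick
    out["expired"] = session(reader, phone, now=5000)
    return out
```

Calling `demo()` returns a dictionary of outcomes: the two legitimate sessions open the door and leave both pointers equal; the recorded answer fails against the next challenge because the random number is fresh, which is the property the paragraph above relies on against replay; a phone that holds all n derived keys but whose pointer never advanced selects the wrong key and is rejected; and once the seed key's effective time has passed, a correct answer yields the expiry response rather than an opening, matching claim 5. The simulation does not model the AID/PIN link establishment or the cloud provisioning channel; the seed key is simply generated locally and handed to both sides.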
The foregoing is merely illustrative of the present invention and does not limit it; any variation or substitution that a person skilled in the art could readily conceive falls within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (9)

1. A security enhancement method based on access control, characterized in that it includes the following steps:
Step 1: Download and install the access control APP on the mobile terminal, register the user information with the cloud platform through the access control APP, and register the device identification information of the access control card reader with the cloud platform;
Step 2: The cloud platform establishes a binding relationship between the user information and the device identification information, generates an AID and a PIN code based on the binding relationship, and sends the AID and the PIN code to the access control APP of the mobile terminal and the access control card reader respectively; the access control APP of the mobile terminal generates a card application based on the AID and stores the PIN code in the card application;
Step 3: The cloud platform generates a seed key, sets the effective time of the seed key according to management requirements, and at the same time formulates a synchronization key pointer;
Step 4: The cloud platform sends the seed key, the effective time of the seed key and the synchronization key pointer to the access control card reader, and sends the seed key and the synchronization key pointer to the card application of the mobile terminal;
Step 5: The access control APP of the mobile terminal and the access control card reader each generate n derived keys based on the same seed key and the same key derivation algorithm, and store them locally;
Step 6: When the mobile terminal comes close to the access control card reader, the access control card reader and the mobile terminal establish an NFC communication link based on the AID and the PIN code;
Step 7: The access control card reader extracts, according to the synchronization key pointer, one derived key from the n locally pre-stored derived keys as the first real-time unlocking key, generates a random number, encrypts the random number with the first real-time unlocking key to obtain ciphertext information, and then sends the ciphertext information to the access control APP of the mobile terminal through the NFC communication link;
Step 8: The access control APP of the mobile terminal extracts, according to the synchronization key pointer, one derived key from the n derived keys in the card application as the second real-time unlocking key, decrypts the ciphertext information with the second real-time unlocking key to obtain plaintext information, and returns it to the access control card reader via the NFC communication link;
Step 9: The access control card reader compares whether the plaintext information is consistent with the random number; if so, it continues to judge whether the corresponding seed key has exceeded its effective time, and if not, it executes the door opening operation.

2. The access control-based security enhancement method according to claim 1, characterized in that in step 6, when the access control card reader and the mobile terminal establish an NFC communication link based on the AID and the PIN code, the following is performed:
the access control card reader generates adaptation request information based on the AID and transmits it to the mobile terminal;
the mobile terminal traverses its local card package to find the card application consistent with the AID in the adaptation request information;
after receiving a response message from the mobile terminal that the corresponding card application has been found, the access control card reader sends a PIN verification instruction to the mobile terminal;
after the corresponding card application on the mobile terminal receives the PIN verification instruction, it compares whether the PIN code in the PIN verification instruction is consistent with the pre-stored PIN code, and if so, returns verification-passed information.

3. The access control-based security enhancement method according to claim 1, characterized in that after step 9, the method further comprises the following steps:
after the access control card reader sends door-opened-successfully information to the mobile terminal, it updates its local synchronization key pointer to the next pointer;
after the mobile terminal receives the door-opened-successfully information, it updates its local synchronization key pointer to the next pointer, so that the updated synchronization key pointer of the access control card reader remains consistent with the updated synchronization key pointer of the mobile terminal.

4. The access control-based security enhancement method according to claim 1, characterized in that the synchronization key pointer is clock-shaped, and the initial pointer positions of the mobile terminal and the access control card reader are the same; the preset number of pointers is m, the m pointers correspond to different derived keys respectively, m is less than or equal to n, and the m pointers periodically poll the n derived keys.

5. The access control-based security enhancement method according to claim 1, characterized in that step 9 further comprises the following step:
if it is determined that the corresponding seed key has exceeded its effective time, access control expiration information is fed back to the mobile terminal.

6. A security enhancement system based on access control, characterized in that it includes a mobile terminal, an access control card reader and a cloud platform, wherein the mobile terminal and the access control card reader each communicate with the cloud platform over a network, and the mobile terminal communicates with the access control card reader at short range;
the mobile terminal is used to download and install the access control APP, and to register user information with the cloud platform through the access control APP;
the cloud platform is used to establish a binding relationship between the user information and the device identification information of the access control card reader, to generate an AID and a PIN code based on the binding relationship, and to send the AID and the PIN code to the access control APP of the mobile terminal and the access control card reader respectively, so that the access control APP of the mobile terminal generates a card application based on the AID and stores the PIN code in the card application; it is also used to generate a seed key, to set the effective time of the seed key according to management requirements, and at the same time to formulate a synchronization key pointer; it is also used to send the seed key, the effective time of the seed key and the synchronization key pointer to the access control card reader, and to send the seed key and the synchronization key pointer to the card application of the mobile terminal, so that the access control APP of the mobile terminal and the access control card reader each generate n derived keys based on the same seed key and the same key derivation algorithm, and store them locally;
the access control APP of the mobile terminal is used to extract, according to the synchronization key pointer, one derived key from the n derived keys in the card application as the second real-time unlocking key, to decrypt the ciphertext information from the access control card reader with the second real-time unlocking key to obtain plaintext information, and to return it to the access control card reader via the NFC communication link;
the access control card reader is used to register its own device identification information with the cloud platform; it is also used to establish, when the mobile terminal comes close, an NFC communication link with the mobile terminal based on the same AID and PIN code; it is also used to extract, according to the synchronization key pointer, one derived key from the local n derived keys as the first real-time unlocking key, to generate a random number, to encrypt the random number with the first real-time unlocking key to obtain ciphertext information, and then to send the ciphertext information to the access control APP of the mobile terminal through the NFC communication link; it is also used to compare whether the plaintext information from the mobile terminal is consistent with the random number, and if so, to continue to judge whether the corresponding seed key has exceeded its effective time, and if not, to execute the door opening operation.

7. The access control-based security enhancement system according to claim 6, characterized in that when the access control card reader and the mobile terminal establish an NFC communication link based on the AID and the PIN code:
the access control card reader is specifically used to generate adaptation request information based on the AID and transmit it to the mobile terminal, and, after receiving a response message from the mobile terminal that the corresponding card application has been found, to send a PIN verification instruction to the mobile terminal;
the mobile terminal is specifically used to traverse its local card package to find the card application consistent with the AID in the adaptation request information, and, after the corresponding card application on the mobile terminal receives the PIN verification instruction, to compare whether the PIN code in the PIN verification instruction is consistent with the pre-stored PIN code, and if so, to return verification-passed information.

8. The access control-based security enhancement system according to claim 6, characterized in that after the door opening operation is performed:
the access control card reader is further used to send door-opened-successfully information to the mobile terminal and to update its local synchronization key pointer to the next pointer;
the mobile terminal is further used to update its local synchronization key pointer to the next pointer after receiving the door-opened-successfully information, so that the updated synchronization key pointer of the access control card reader remains consistent with the updated synchronization key pointer of the mobile terminal.

9. The access control-based security enhancement system according to claim 6, characterized in that the synchronization key pointer is clock-shaped, and the initial pointer positions of the mobile terminal and the access control card reader are the same; the preset number of pointers is m, the m pointers correspond to different derived keys respectively, m is less than or equal to n, and the m pointers periodically poll the n derived keys.
CN202210527673.7A 2022-05-16 2022-05-16 Security enhancement method and system based on entrance guard Active CN115085911B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210527673.7A CN115085911B (en) 2022-05-16 2022-05-16 Security enhancement method and system based on entrance guard

Publications (2)

Publication Number Publication Date
CN115085911A CN115085911A (en) 2022-09-20
CN115085911B true CN115085911B (en) 2025-01-14

Family

ID=83248155

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210527673.7A Active CN115085911B (en) 2022-05-16 2022-05-16 Security enhancement method and system based on entrance guard

Country Status (1)

Country Link
CN (1) CN115085911B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116994364B (en) * 2023-08-29 2024-06-28 深圳市亲邻科技有限公司 Entrance guard card-free data loading interaction method

Citations (2)

Publication number Priority date Publication date Assignee Title
CN102415103A (en) * 2009-02-24 2012-04-11 超越宽带技术有限公司 Cable television safety communication system for one-way limited access
CA3122951A1 (en) * 2020-06-18 2021-12-18 Royal Bank Of Canada System and method for electronic credential tokenization

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
CN109643473A (en) * 2017-07-13 2019-04-16 深圳市汇顶科技股份有限公司 A kind of method, apparatus and system of identity legitimacy verifying
CN109272609A (en) * 2018-08-19 2019-01-25 天津新泰基业电子股份有限公司 A kind of CPU safety door inhibition control method and system
CN113821835B (en) * 2021-11-24 2022-02-08 飞腾信息技术有限公司 Key management method, key management device and computing equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant