CN106603484A - Virtual key method and device, background system and user terminal applying the method - Google Patents
Description
Technical field
The invention relates to technology for operating access control devices, and in particular to technology for securely operating networked smart access control devices, together with the corresponding background system and terminal.
Background
The technologies used by existing access control devices include physical keys, password entry, ID/IC card identification, RFID card identification, magnetic card identification, two-dimensional code identification, Bluetooth identification, NFC identification, and biometric identification (such as face, fingerprint, iris and palm print). Apart from biometric identification, physical keys, password entry, and ID/IC, RFID and magnetic card identification have been in use for many years, but they are troublesome to manage (especially when personnel turnover is high), offer weak confidentiality, are easily cracked or copied, and are hard to revoke once lost. Two-dimensional codes, Bluetooth and NFC have spread with the popularity of smartphones in recent years, but existing products and technologies that use them on a smartphone to operate access control devices fall short in security, reliability, flexibility, extensibility, scalability and generality.
An earlier patent application, 201610914471.2, disclosed a method for managing object access rights based on virtual key and virtual key bag technology, together with the corresponding background system, access control device and user terminal. That disclosure, however, is only a general basic framework for virtual key technology and does not cover a security scheme for the virtual key.
Summary of the invention
The first object of the invention is to provide a secure, reliable and flexible method by which a virtual key operates an access control device to carry out lock commands, and a device, background system and user terminal applying the method.
The method specifically includes:
The background system generates and stores a device public key and a device private key for the access control device and hands the device public key to the access control device for storage; the data returned and stored at the same time also includes the project domain key;
When a new user registers on a user terminal, the background system generates and stores the user's public key and private key and hands the user public key to the user terminal for storage;
In the user's virtual key bag, the background system generates a virtual key affix for each access control device that needs a virtual key; the virtual key affix is the user private key encrypted with the device public key of the corresponding access control device;
The virtual key bag data that the background system sends to the user terminal includes one or more (device identifier, virtual key affix) element groups;
The access control device detects through its short-range input module that a user terminal is approaching, receives the virtual-key-related data from the user terminal, and completes the virtual key's lock command operation. The specific steps are:
S1. The user terminal approaches the short-range input module of the access control device; the access control device confirms this and starts to receive input;
S2. The user terminal sends the user identifier to the access control device;
S3. On receiving the user identifier, the access control device searches locally for a key permission record for that user identifier; if there is none, the operation terminates;
S4. The access control device sends data including the device identifier, the project domain key and the first timestamp to the user terminal for authentication;
S5. The user terminal receives the data required for authentication, including the device identifier, the project domain key and the first timestamp, and finds the corresponding virtual key affix and virtual key record in the user's virtual key bag; the virtual key record plus a command type forms the first key, where the command types are: unlock, lock, deadlock;
S6. An authentication response is returned to the access control device. The response parameters include the virtual key affix, the first encrypted virtual key data and the first signature data. The steps before the response is returned are: step S6-1 computes the first symmetric key by applying a hash algorithm to (first timestamp, device identifier, project domain key, user identifier); step S6-2 encrypts the first key with the first symmetric key using a symmetric encryption algorithm, producing the first encrypted virtual key data; step S6-3 computes the first signature;
S7. After receiving the authentication response, the access control device performs the following steps:
S7-1. Verify the first signature data; if the signature data does not match, the operation terminates;
S7-2. Use the device private key to decrypt the user private key from the virtual key affix; if decryption fails, the operation terminates;
S7-3. Use the decrypted user private key to decrypt the virtual lock cylinder data in the key permission record, obtaining the first lock cylinder data; if decryption fails, the operation terminates;
S7-4. Compute the first symmetric key from data that includes the virtual-key-related data;
S7-5. Use the first symmetric key to decrypt the first encrypted virtual key data, obtaining the first key data; if decryption fails, the operation terminates;
S7-6. Check the specific parameters in the first lock cylinder data against those in the first key data; if the check fails, the operation terminates;
S7-7. Once every check has passed, send the corresponding lock command to the electric lock control interface according to the command type parameter in the first key data; if there is no command type parameter, the unlock command is sent by default.
The method applies to user terminals that use either NFC near-field communication or Bluetooth Low Energy, provided the corresponding communication protocol and message processing flow are used; see the embodiments in the detailed description. It can be implemented in the same way over other short-range wireless networks or point-to-point wireless links.
The method applies not only to ordinary smart door-access control devices but also to networked smart lock devices. In some embodiments the access control device can be connected to a vehicle control system to control opening the doors and unlocking and starting the vehicle, which enables secure, flexible and convenient vehicle rental management. It applies equally to smart lock devices on other movable objects, such as safe deposit boxes and safes. In addition, the method can operate the access control device to perform the deadlock function.
The design idea of this technical solution is that the background system generates, for each access control device, a virtual lock cylinder corresponding to each of its virtual keys and stores it in the access control device. The virtual lock cylinder can only be opened and read by the combination of the corresponding virtual key and virtual key affix, which are generated by the background system and passed to the authorized user's user terminal for storage. The user terminal passes the virtual key and virtual key affix to the access control device in a specially designed way to complete pairing with the virtual lock cylinder, unlocking, and comparison of the detailed information. Throughout the process the data is protected against tampering, brute-force cracking, information leakage and forgery, while the lock control information stays flexible. In addition, if the access control device is temporarily offline, the user terminal and the access control device can still complete unlock, lock or deadlock operations, unaffected by the loss of connectivity. The data in the access control device also holds no private, sensitive user information, so there is no need to worry about the risk of data leakage, tampering or forgery.
The access control device receives a virtual key update message from the background system only when the background system has an update to a virtual key for that device, which keeps the data in the device consistent with the background system's data. When a virtual key in a user's virtual key bag changes, the background system sends a virtual key update message to the corresponding access control device; the virtual key record includes the authorizer, the authorized party and the virtual lock cylinder data. On receiving the virtual key update message, the access control device updates the virtual key data stored in the device.
To strengthen the security of passing the virtual key and virtual key affix between the user terminal and the access control device, the scheme uses a dynamic timestamp that the user terminal is required to use for encryption and signing, to ensure a high level of resistance to attack and to information leakage. A pseudo-random number can be used in place of the timestamp, with equivalent effect.
To increase encryption strength and matching precision, the technical solution also uses a project domain key. Access control devices of the same kind deployed in the same project domain share the same project domain description, which includes the project domain key; the key is generated by the background system and sent to the access control device to be stored and used. It strengthens data security in transit and also makes it easier for the user terminal to manage the virtual key bag. In different embodiments, a project domain description in a specific format can also be used to indicate the use of different encryption and decryption algorithms, public/private key pair strengths and hash algorithms, which shows the extensibility of the scheme.
The invention does not restrict which asymmetric encryption algorithm or key strength is used; any asymmetric algorithm that supports public/private key pairs and meets the security and performance requirements of the application scenario will do. In general, RSA, ECC or SM2 can be used.
In an implementation, the hash algorithm can likewise be chosen as needed from common algorithms such as MD5, SHA1, SHA256 and SM3. The signature algorithm can use the hash algorithm directly or, in undemanding scenarios, CRC32 or even CRC16.
In an implementation, algorithms such as AES-128, AES-192 or AES-256 are recommended for symmetric encryption.
In step S7-6 above, both the first lock cylinder data and the first key data include a validity period and a type, where the types are: unlimited uses, one use only, and once per day within the validity period. This is where virtual key technology is more flexible, convenient and extensible than physical keys or physical cards. An implementation can design more flexible and convenient authorization modes to meet user and market needs, and can add more data fields and follow-up processing to strengthen security.
For a virtual key of the one-use-only type, once unlocking is complete the access control device removes the record from the key permission table and sends a first notification message to the background system; the message parameters include the device identifier, user identifier and time. The background system receives the first notification message from the access control device, records it in the log, updates the state data of the corresponding virtual key in the user's virtual key bag, and then sends the updated virtual key data to the user terminal in a second notification message. The user terminal receives the second notification message from the background system and updates its locally stored virtual key data.
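The parameter check of S7-6, the command dispatch of S7-7 and the one-use-only handling described above, as an added Python example (not code from the patent). The class and field names, the usage-type strings and the in-memory table are assumptions; signature checking and decryption (S7-1 to S7-5) are taken as already done.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Usage types named in the text; the string spellings are assumptions.
UNLIMITED, ONCE, DAILY = "unlimited", "once", "once_per_day"
COMMANDS = ("unlock", "lock", "deadlock")  # command types listed in step S5


@dataclass(frozen=True)
class KeyParams:
    """Parameters present in both the lock cylinder data and the key data."""
    valid_from: datetime
    valid_until: datetime
    usage_type: str
    command: Optional[str] = None  # carried by the key data only


class KeyPermissionTable:
    """Hypothetical in-memory model of the device's key permission records."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self.cylinders = {}   # user_id -> KeyParams (already-decrypted cylinder)
        self.last_used = {}   # user_id -> date of the last executed command
        self.outbox = []      # first notification messages for the background system

    def grant(self, user_id: str, cylinder: KeyParams) -> None:
        self.cylinders[user_id] = cylinder

    def operate(self, user_id: str, key: KeyParams, now: datetime) -> Optional[str]:
        """Return the lock command to send, or None when the operation terminates."""
        cyl = self.cylinders.get(user_id)
        if cyl is None:                       # S3: no record for this user
            return None
        # S7-6: every shared parameter of key and cylinder must agree.
        if (key.valid_from, key.valid_until, key.usage_type) != (
                cyl.valid_from, cyl.valid_until, cyl.usage_type):
            return None
        if cyl.usage_type not in (UNLIMITED, ONCE, DAILY):
            return None
        if not cyl.valid_from <= now <= cyl.valid_until:
            return None
        if cyl.usage_type == DAILY and self.last_used.get(user_id) == now.date():
            return None                       # already used today
        # S7-7: a missing command type defaults to unlock.
        command = key.command or "unlock"
        if command not in COMMANDS:
            return None
        self.last_used[user_id] = now.date()
        if cyl.usage_type == ONCE:
            # The text describes this for unlocking; consuming the key on any
            # executed command is an assumption of this example.
            del self.cylinders[user_id]
            self.outbox.append({"device_id": self.device_id,
                                "user_id": user_id,
                                "time": now.isoformat()})
        return command


def run_key_sample():
    """Constructed sample: three users, one per usage type."""
    start, end = datetime(2024, 1, 1), datetime(2024, 1, 31, 23, 59)
    table = KeyPermissionTable("door-01")
    for user, usage in (("alice", UNLIMITED), ("bob", ONCE), ("carol", DAILY)):
        table.grant(user, KeyParams(start, end, usage))
    day1, day2 = datetime(2024, 1, 10, 9, 0), datetime(2024, 1, 11, 9, 0)
    results = [
        table.operate("alice", KeyParams(start, end, UNLIMITED, "lock"), day1),
        table.operate("alice", KeyParams(start, end, UNLIMITED), day1),
        table.operate("bob", KeyParams(start, end, ONCE), day1),
        table.operate("bob", KeyParams(start, end, ONCE), day1),
        table.operate("carol", KeyParams(start, end, DAILY), day1),
        table.operate("carol", KeyParams(start, end, DAILY), day1),
        table.operate("carol", KeyParams(start, end, DAILY), day2),
        table.operate("alice", KeyParams(start, end, ONCE), day1),  # type mismatch
        table.operate("alice", KeyParams(start, end, UNLIMITED), datetime(2024, 2, 1)),
    ]
    return results, table.outbox


if __name__ == "__main__":
    print(run_key_sample())
```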
In different embodiments, the user terminal can be a smart device with different communication modules, display modes and interaction modes, such as a smartphone, tablet, smart watch, in-vehicle device, smart glasses or smart robot.
The second object of the invention is to provide a method that allows a Bluetooth accessory device to serve as the unlocking medium for a virtual key, and an access control device, background system and user terminal applying the method. The method specifically includes:
An access control device with a Bluetooth Low Energy module also includes an accessory permission table, which lists the accessories that can be used to open the electric lock on the access control device. Each record contains: accessory identifier, second timestamp, virtual accessory lock cylinder data encrypted with a symmetric encryption algorithm, and second signature data; the records are delivered to the access control device in virtual key update messages from the background system and stored there. The access control device communicates over a Bluetooth wireless connection with a Bluetooth accessory device that comes near it and obtains the accessory's Bluetooth address identifier. The received Bluetooth address identifier is checked against the accessory permission table in the following steps:
B1. Convert the Bluetooth address identifier into an accessory identifier;
B2. Use the accessory identifier to search the accessory permission table for a corresponding accessory permission record; if there is none, the check terminates;
B3. Take the second timestamp from the accessory permission record;
B4. Compute the device private key fingerprint with a data fingerprint algorithm;
B5. Compute the second symmetric key by applying a hash algorithm to (second timestamp, device identifier, accessory identifier, project domain key, device private key fingerprint);
B6. Use the second symmetric key to decrypt the virtual accessory lock cylinder data in the accessory permission record, obtaining the accessory lock cylinder data;
B7. Perform the signature calculation over (second timestamp, device identifier, accessory identifier, accessory lock cylinder data, project domain key, device private key fingerprint), obtaining the second verification signature;
B8. Compare the second verification signature with the second signature data in the accessory permission record; if they do not match, the check terminates;
B9. Check the validity period and the state in the accessory lock cylinder data; the states are: valid, invalid;
B10. If the record is within its validity period and its state is valid, the check succeeds and an unlock command is sent to the electric lock control interface. If the type in the accessory lock cylinder data is one use only, then once unlocking is complete the access control device removes this accessory permission record from the accessory permission table and sends a first notification message to the background system; the message parameters include the device identifier, user identifier and time.
The background system generates the virtual key update message needed for an accessory device as follows. The authorized-party information in the virtual key record includes the identification information of the short-range wireless accessory device that the user has bound on the user terminal, that is, the accessory identifier. The virtual key update message also includes the second timestamp, the virtual accessory lock cylinder data encrypted with a symmetric encryption algorithm, and the second signature data. The second timestamp is generated dynamically by the background system. The virtual accessory lock cylinder data is encrypted with the second symmetric key, which is computed by applying a hash algorithm to (second timestamp, access control device identifier, accessory identifier, project domain key, device private key fingerprint). The second signature data is computed by applying the signature algorithm to (second timestamp, device identifier, accessory identifier, accessory lock cylinder data, project domain key, device private key fingerprint). The device private key fingerprint is the hash of the payload data of the device private key. This algorithm solves the problem that a Bluetooth accessory device cannot store and transmit the encrypted user private key, while still providing relatively high security.
When the access control device receives a virtual key update message in which the authorizer of the virtual key is the virtual key's user himself or herself, the authorized-party information in the virtual key record includes the identification information of the short-range wireless accessory device that the user has bound on the user terminal, that is, the accessory identifier, and the virtual key update message also includes the second timestamp, the virtual accessory lock cylinder data encrypted with a symmetric encryption algorithm, and the second signature data. On receiving a virtual key update message of this type, the access control device updates the accessory permission table with the relevant data.
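The record generation and the B1 to B10 check described above, as an added Python example (not code from the patent) that builds an accessory permission record on the background system side and verifies it on the device side. Assumptions: SHA-256 as the hash and signature algorithm, length-prefixed field encoding, JSON lock cylinder data with integer times, the Bluetooth address conversion rule, and a labelled stand-in cipher in place of AES so that only the standard library is needed.

```python
import hashlib
import hmac
import json


def hash_fields(*fields: bytes) -> bytes:
    """SHA-256 over length-prefixed fields, so field boundaries are unambiguous."""
    h = hashlib.sha256()
    for f in fields:
        h.update(len(f).to_bytes(4, "big") + f)
    return h.digest()


def stand_in_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream (same call encrypts and decrypts).
    NOT AES: a stand-in so the example needs only the standard library."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


def accessory_id(bt_addr: str) -> str:
    """B1. The text does not give the conversion rule; this one is assumed."""
    return bt_addr.replace(":", "").replace("-", "").upper()


def key_fingerprint(device_private_key: bytes) -> bytes:
    """B4: hash of the device private key's payload data."""
    return hashlib.sha256(device_private_key).digest()


def second_key(ts2, dev, acc, domain_key, fp) -> bytes:
    return hash_fields(str(ts2).encode(), dev.encode(), acc.encode(), domain_key, fp)


def second_signature(ts2, dev, acc, cylinder, domain_key, fp) -> bytes:
    return hash_fields(str(ts2).encode(), dev.encode(), acc.encode(),
                       cylinder, domain_key, fp)


def make_record(ts2, dev, bt_addr, cylinder, domain_key, device_private_key):
    """Background system side: build one accessory permission record."""
    acc, fp = accessory_id(bt_addr), key_fingerprint(device_private_key)
    plain = json.dumps(cylinder, sort_keys=True).encode()
    key2 = second_key(ts2, dev, acc, domain_key, fp)
    return {"accessory_id": acc, "ts2": ts2,
            "enc_cylinder": stand_in_cipher(key2, plain),
            "sig2": second_signature(ts2, dev, acc, plain, domain_key, fp)}


def check_accessory(table, bt_addr, dev, domain_key, device_private_key, now):
    """Device side, steps B1-B10. True means an unlock command would be sent."""
    acc = accessory_id(bt_addr)                                    # B1
    rec = table.get(acc)                                           # B2
    if rec is None:
        return False
    ts2 = rec["ts2"]                                               # B3
    fp = key_fingerprint(device_private_key)                       # B4
    key2 = second_key(ts2, dev, acc, domain_key, fp)               # B5
    plain = stand_in_cipher(key2, rec["enc_cylinder"])             # B6
    expected = second_signature(ts2, dev, acc, plain, domain_key, fp)  # B7
    if not hmac.compare_digest(expected, rec["sig2"]):             # B8
        return False
    cyl = json.loads(plain)  # parsed only after the signature check passed
    if cyl["state"] != "valid":                                    # B9
        return False
    if not cyl["valid_from"] <= now <= cyl["valid_until"]:
        return False
    if cyl.get("type") == "once":                                  # B10
        del table[acc]  # the first notification message is omitted here
    return True


def run_accessory_sample():
    """Constructed values throughout; none come from the patent."""
    dev_key, dom = b"constructed-device-private-key", b"constructed-domain-key"
    cyl = {"state": "valid", "type": "once", "valid_from": 1000, "valid_until": 2000}
    rec = make_record(1500, "door-01", "aa:bb:cc:dd:ee:ff", cyl, dom, dev_key)
    addr = "AA-BB-CC-DD-EE-FF"

    def fresh(**changes):  # one-record table, optionally modified
        return {rec["accessory_id"]: dict(rec, **changes)}

    flipped = bytes([rec["enc_cylinder"][0] ^ 1]) + rec["enc_cylinder"][1:]
    table = fresh()
    return {
        "other_device": check_accessory(fresh(), addr, "door-02", dom, dev_key, 1600),
        "tampered": check_accessory(fresh(enc_cylinder=flipped), addr, "door-01",
                                    dom, dev_key, 1600),
        "expired": check_accessory(fresh(), addr, "door-01", dom, dev_key, 2500),
        "unknown": check_accessory(fresh(), "11:22:33:44:55:66", "door-01",
                                   dom, dev_key, 1600),
        "first_use": check_accessory(table, addr, "door-01", dom, dev_key, 1600),
        "second_use": check_accessory(table, addr, "door-01", dom, dev_key, 1600),
    }
```

Because the device identifier and the device private key fingerprint enter both derivations, a record copied to another device's table fails at B8, which the `other_device` case shows.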
This technical solution addresses the case where a user is temporarily not carrying a phone but is wearing a pre-bound, authorized Bluetooth wearable, such as a wristband, a watch or a similar device carried on the person. Such Bluetooth devices usually cannot be reprogrammed to implement the communication method of the preceding technical solution (dynamically passing and verifying the virtual key and virtual key affix). As a compromise, this solution converts the Bluetooth address of the Bluetooth accessory device into an accessory identifier and generates corresponding virtual accessory lock cylinder data for it. Although the method does not use asymmetric encryption and is somewhat less secure, it is simple for the user and low in cost.
In a specific implementation, this technical solution can also be used to bind an existing NFC-compatible ID card in a common format to a user account, but doing so is not recommended, given the management burden and the problem and risk of easy copying.
Overall, the invention provides a virtual key technical solution that is secure, reliable, convenient, intelligent and suitable for large-scale deployment.
Description of the drawings
The drawings provide a further understanding of the technical solution of the invention and form part of the specification. Together with the embodiments of the invention they serve to explain the technical solution and do not limit it.
Fig. 1 is a system block diagram of the background system in one embodiment;
Fig. 2 is a system block diagram of the access control device in one embodiment;
Fig. 3 is a system block diagram of the user terminal in one embodiment;
Fig. 4 is a schematic diagram of how the background system generates the virtual lock cylinder and virtual key affix in one embodiment;
Fig. 5 is a schematic diagram of the data processing when the access control device and the user terminal complete an unlock operation over NFC or Bluetooth in one embodiment (note: signature verification is omitted);
Fig. 6 is a schematic diagram of how the background system generates the matching second virtual lock cylinder and second signature in one embodiment;
Fig. 7 is a schematic diagram of the data processing when the access control device and the user terminal complete an unlock operation through a Bluetooth accessory device in one embodiment;
Fig. 8 is a sequence diagram of the user terminal unlocking the access control device over NFC in one embodiment;
Fig. 9 is a sequence diagram of the user terminal unlocking the access control device over Bluetooth in one embodiment.
Detailed description
The following description is given to enable those skilled in the art to make and use the embodiments, and is provided in the context of a particular application and its requirements. Various modifications to the disclosed embodiments will be apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments and applications without departing from the spirit and scope of this disclosure. The invention is therefore not limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.
The data structures and code described in this detailed description are typically stored on a computer-readable storage medium, which may be any device or medium that can store code and/or data for use by a computer system. Computer-readable storage media include, but are not limited to, volatile memory, non-volatile memory, magnetic and optical storage devices (for example, disk drives, magnetic tape, CDs (compact discs), DVDs (digital versatile discs or digital video discs)), and other media, now known or later developed, capable of storing code and/or data.
The methods and processes described in this detailed description can be implemented as code and/or data, which can be stored in a computer-readable storage medium as described above. When a computer system reads and executes the code and/or data stored on the computer-readable storage medium, the computer system performs the methods and processes implemented as data structures and code and stored within the medium.
Furthermore, the methods and processes described herein can be included in hardware modules or devices. These may include, but are not limited to, application-specific integrated circuit (ASIC) chips, field-programmable gate arrays (FPGAs), dedicated or shared processors that execute a particular software module or piece of code at a particular time, and/or other programmable logic devices now known or later developed. When the hardware modules or devices are activated, they perform the methods and processes included within them.
Fig. 1 shows a background system 100 according to one embodiment. The background system 100 may correspond to a server, a cluster, a service program running on a virtual machine, or a service program running in a cloud system container, and each of its modules may likewise be a server, a cluster, a service program running on a virtual machine, or a service program running in a cloud system container. Referring to Fig. 1, the user service module 101 handles requests from the user terminal 300: login request processing 133, registration request processing 132, and virtual-key-related request processing 131. When virtual key data is updated, a virtual key update message is sent to the access control device 200 through the message processing module 105, and the new virtual key data is also returned to the user terminal 300. The user service module 101 accesses the object access permission table 125 through the global object access service 111 interface, and accesses the access control device table 122 through the project domain information access service 110 interface.
The user's virtual key bag and virtual key data are stored in the user key bag 126 database, while the user account database 127 stores only data related to user login; all operations on user accounts, virtual key bags and virtual keys are recorded in the database user access log 128. The system management module 104 manages and monitors the system-wide running state of the background system 100. In particular, it manages the startup and operation of multiple instances of the project domain management module 102. These instances are isolated and independent and do not interfere with or affect one another, and the databases of the instances are likewise isolated and independent. The administrators of each project domain log in to the project domain's back-office management 130 from the project domain administrator terminal 199 to enter and edit the object owner information 120, object information 121 and access control device table 122. The information in the access control device table includes: area number, device number, device hardware identifier, device type, associated device list, and device installation information; the table should be filled in when the access control device is installed and configured. The global project domain information summary 136 service automatically aggregates the data from the instances of the different project domain management modules 102, and the aggregated result is stored in the object access permission table 125.
The global object access service module 103 also includes a device public/private key table 129, which records the public and private keys of all service control devices. These public and private keys are generated by the background system after a device registers successfully, and the device private key is returned to the access control device. The global object access service 111 provides the other modules of the background system with access operations on data including the device public/private key table 129.
The user account 127 is also used to store the user's public and private keys. These keys are generated by the background system when the user registers, and the user public key is returned to the user terminal.
In the embodiment shown in Fig. 1, the system administrator of the background system 100 uses the system administrator terminal 198 to log in to the system management module 104 and perform system-level management and maintenance.
In some embodiments, the managers of a residential community's property service company enter the community's housing information, owner information, building information, and access control equipment information in the background management interface corresponding to the community.
In some embodiments, the managers of a serviced apartment enter the apartment's housing information, floor information, and smart lock device information in the background management interface corresponding to the apartment project.
In some embodiments, the managers of a car rental company enter vehicle information and smart car lock device information in the background management interface corresponding to the company.
In some embodiments, the project domain management module also implements device and manager monitoring 137. By logging in to the project domain's background management 130 through the project domain manager terminal 199, the managers of each project domain can enter and edit the manager identification information 123 and the object partition number list 124. This information is also automatically aggregated into the object access authority table 125.
In some embodiments, the managers of a residential community's property service company also enter the community's property service staff information, building zoning information, and the staff's zone service information in the background management interface corresponding to the community.
In some embodiments, the managers of a serviced apartment enter the apartment's management and service staff information, zone permissions, and other information in the background management interface corresponding to the apartment project.
In some embodiments, the virtual key record includes: the authorizer, the authorized person, the authorization validity period, the authorization type, and information on the access control device to which access is authorized. Depending on the application scenario, richer virtual key record information can be designed to meet the scenario's requirements. For example, in some embodiments a single access control device can manage and control a group of several safe deposit boxes; in that case, adding the sub-box number to the virtual key record and checking it is enough to control the opening of a specific sub-box.
Fig. 2 shows an access control device 200 according to an embodiment. The access control device 200 can be implemented as various door access devices, smart locks, and entry/exit gates. Referring to Fig. 2, the central processing unit 212 controls and manages the work of all processing units of the processor 201. The network module 204 connects the access control device 200 to the background system 100; after login to the background system 100 is completed through the login registration processing unit 204, the device can access the services of the background system 100 and receive virtual key update messages from it. When a virtual key update message is received from the background system 100, the message processing unit 213 hands the message to the virtual key processing unit 210, which first verifies the message and, after successful verification, updates it into the virtual key store kept encrypted in the device's local memory 202. The input module 203 receives virtual-key-related data from the user terminal 300 and passes it to the input recognition processing unit 211; once recognition and processing are complete, the virtual key processing unit 210 performs further verification and processing. If the received virtual-key-related data passes verification, the central processing unit 212 sends a lock command to the electric lock control interface 205, driving the electric lock 299 to carry out the lock command.
In some embodiments, the input module includes an NFC near-field communication unit, a Bluetooth Low Energy communication unit, and a two-dimensional code scanning unit.
Fig. 3 shows a user terminal 300 according to an embodiment. The user terminal 300 may be any of various mobile terminals, smartphones, tablet computers, notebook computers, smart watches, smart glasses, in-vehicle computers, and the like. Referring to Fig. 3, the central processing unit 313 controls and manages the work of all processing units of the processor 301. The network module 303 connects the user terminal 300 to the background system 100; after login to the background system 100 is completed through the login registration processing unit 316, the terminal can access the services of the background system 100 and receive virtual key update messages from it. When a virtual key update message is received from the background system 100, the message processing unit 314 hands the message to the virtual key processing unit 311, which first verifies the message and, after successful verification, updates it into the virtual key store kept encrypted in the device's local memory 302. The input module 305 receives the user's input and the output module 304 outputs feedback to the user. The user interaction processing unit 315 carries out interaction with the user through the input module 305 and the output module 304, such as selecting and viewing virtual key bags, managing members, managing virtual keys, and adding authorizations; virtual key requests are then sent to the background system 100 via the virtual key processing unit 311, the virtual key request unit 312, the network connection processing unit 317, and the network module 303. After logging in to the background system 100, the terminal decrypts the virtual key bag data stored in the local memory 302; if none is found, it sends a request to the background system 100 to obtain the virtual key bag. Through the short-range communication module 306, virtual key data can be sent to the access control device 200 to perform lock command operations.
In some embodiments, the short-range communication module 306 includes an NFC near-field communication unit and a Bluetooth Low Energy communication unit. The short-range communication processing unit 319 handles the connection and communication of these short-range links.
In some embodiments, binding with the short-range wireless accessory device 399 can be completed through the user interaction processing unit 315, the accessory processing unit 310, and the short-range communication module 306; a request to add a virtual key is then sent to the background system 100 through the virtual key unit 311 and the virtual key request unit 312, authorizing the short-range wireless accessory device to perform virtual key unlocking.
In some embodiments, the virtual key can be output as a two-dimensional code on the display screen via the output module 304, to be recognized by the two-dimensional code recognition unit of the access control device 200, or photographed by its camera unit and then recognized.
Fig. 4 is a schematic diagram illustrating how the background system generates the virtual lock cylinder and the virtual key affix according to an embodiment.
First, for an existing virtual key record, the items used for verification are extracted; these items include (validity period, type) and form the first lock cylinder (step 400). The authorized-person information in the virtual key record is then used to search the user account 127 database and obtain the user public key and user private key of the user authorized to use the virtual key (step 402). Next, with the user public key just obtained as the key, the first lock cylinder data is encrypted with an asymmetric encryption algorithm (step 404). The encrypted result forms the virtual lock cylinder (step 406).
Continuing, the device information in the virtual key record is used to call the global object access service 111 (step 410) and obtain the device public key (step 412). With the device public key just obtained as the key, the user private key obtained in step 402 is encrypted with an asymmetric encryption algorithm (step 414). The encrypted result forms the virtual key affix (step 416).
Whenever a virtual key record in the background system changes, the virtual lock cylinder must be regenerated, and so must the virtual key affix if the device information has changed. The updated virtual lock cylinder data is sent by the background system 100 to the access control device 200 as a virtual key update message. The virtual key affix is generally part of the user's virtual key bag and is returned to the user terminal 300 when the user terminal 300 sends the background system 100 a request to obtain the virtual key bag.
Fig. 5 is a schematic diagram illustrating the data processing when an unlocking operation is completed between the access control device and the user terminal over NFC or Bluetooth according to an embodiment. (Note: signature verification processing is omitted from the figure, because NFC and Bluetooth communication already carry their own checks; in an implementation it is enough to compute a simple check value with an ordinary CRC16 or CRC32 algorithm, which saves response time on the user terminal for NFC commands.) Referring to Fig. 5:
Step S1: The user terminal approaches the short-range input module of the access control device; the access control device acknowledges and starts to receive input.
Step S2: The user terminal sends the user identifier to the access control device.
Step S3: After receiving the user identifier, the access control device searches locally for a key permission record for that user identifier; if there is none, the operation terminates.
Step S4: The access control device sends data including the device identifier, the project domain key, and the first timestamp to the user terminal for authentication.
Step S5: The user terminal receives the data required for authentication, including the device identifier, the project domain key, and the first timestamp, and finds the corresponding virtual key affix and virtual key record in the user's virtual key bag. The virtual key record plus the command type forms the first key, where the command type is one of: unlock, lock, double-lock.
Step S6: The user terminal returns an authentication response to the access control device. The response parameters include the virtual key affix, the first encrypted virtual key data, and the first signature data. The steps before returning the response are: step S6-1, compute the first symmetric key by applying a hash algorithm to (first timestamp, device identifier, project domain key, user identifier); step S6-2, encrypt the first key with a symmetric encryption algorithm under the first symmetric key to produce the first encrypted virtual key data; step S6-3, compute the first signature.
Step S7: After receiving the authentication response, the access control device performs the following steps:
Step S7-1: Verify the first signature data; if the signature data does not match, the operation terminates (this step is not shown in the figure).
Step S7-2: Use the device private key to decrypt the user private key from the virtual key affix; if decryption fails, the operation terminates.
Step S7-3: Use the decrypted user private key to decrypt the virtual lock cylinder data in the key permission record, obtaining the first lock cylinder data; if decryption fails, the operation terminates.
Step S7-4: Compute the first symmetric key from data that includes the virtual-key-related data.
Step S7-5: Use the first symmetric key to decrypt the first encrypted virtual key data, obtaining the first key data; if decryption fails, the operation terminates.
Step S7-6: Check the specific parameters in the first lock cylinder data against those in the first key data; if the check fails, the operation terminates.
Step S7-7: After all checks pass, send the corresponding lock command to the electric lock control interface according to the command type parameter in the first key data; if there is no command type parameter, send the unlock command by default.
In some embodiments, the command type can be left out of the first key in step S5, in which case only the unlock operation is possible. In some embodiments, the interactive interface on the user terminal 300 can specify whether the next time the user terminal 300 approaches the access control device 200 it should unlock, lock, or double-lock.
Fig. 6 is a schematic diagram illustrating how the background system generates the virtual accessory lock cylinder and the second signature for a Bluetooth accessory device according to an embodiment.
First, for an existing virtual key record, the items used for verification are extracted; these items include (validity period, type) and form the accessory lock cylinder (step 600). A second timestamp is then generated (step 602). Next, a data fingerprint algorithm is applied to the device private key to obtain the device private key fingerprint (step 604). Then, in step 606, the hash of (second timestamp, device identifier, accessory identifier, project domain key, device private key fingerprint) is computed, where the accessory identifier is taken from the authorized-person information in the virtual key. The result of step 606 is the second symmetric key (step 608). With the second symmetric key as the key, the accessory lock cylinder data is encrypted with a symmetric encryption algorithm (step 610). The encrypted result forms the virtual accessory lock cylinder (step 612). The signature data is computed next: in step 614, a signature is calculated over (second timestamp, device identifier, accessory identifier, accessory lock cylinder, project domain key, device private key fingerprint). The result is the second signature (step 616).
Fig. 7 is a schematic diagram illustrating how an access control device according to an embodiment handles a user's unlocking operation with a Bluetooth accessory device. First, the access control device detects a Bluetooth accessory device approaching; once it comes within a certain distance, the access control device performs the following steps:
B1. Convert the Bluetooth address identifier of the Bluetooth accessory device into an accessory identifier.
B2. Use the accessory identifier to look up a corresponding accessory permission record in the accessory permission table; if there is none, the check terminates.
B3. Take the second timestamp from the accessory permission record.
B4. Compute the device private key fingerprint with the data fingerprint algorithm.
B5. Compute the second symmetric key by applying the hash algorithm to (second timestamp, device identifier, accessory identifier, project domain key, device private key fingerprint).
B6. Use the second symmetric key to decrypt the virtual accessory lock cylinder data in the accessory permission record, obtaining the accessory lock cylinder data.
B7. Calculate a signature over (second timestamp, device identifier, accessory identifier, accessory lock cylinder data, project domain key, device private key fingerprint) to obtain the second verification signature.
B8. Compare the second verification signature with the second signature data in the corresponding record; if they do not match, terminate.
B9. Check the validity period and the status in the accessory lock cylinder data; the status is either valid or invalid.
B10. If the record is within its validity period and its status is valid, the check succeeds and an unlock command is sent to the electric lock control interface. If the type in the accessory lock cylinder data is one-time-only, then after unlocking the device removes this record from the accessory permission table and sends a first notification message to the background system, with message parameters including the device identifier, the user identifier, and the time.
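The accessory flow of Fig. 6 (steps 600 to 616) and Fig. 7 (steps B1 to B10), worked through as an added Python example that is not code from the patent. The patent names no algorithms, so SHA-256 for the hash and the fingerprint, HMAC-SHA256 for the "signature calculation", the SHA-256 keystream standing in for the symmetric cipher, the JSON field names, and every sample value are assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample values (not from the patent).
DEVICE_ID = b"gate-0001"
DOMAIN_KEY = b"constructed-project-domain-key"
DEVICE_PRIVATE_KEY = b"constructed-device-private-key-bytes"


def pack(*fields: bytes) -> bytes:
    """Length-prefix every field so field boundaries cannot be shifted."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def accessory_id_from_address(bt_addr: str) -> bytes:
    """B1: map a Bluetooth address to an accessory ID (assumed: normalised hex)."""
    return bt_addr.replace(":", "").upper().encode()


def key_fingerprint(device_private_key: bytes) -> bytes:
    """Steps 604 / B4: fingerprint of the device private key (assumed SHA-256)."""
    return hashlib.sha256(device_private_key).digest()


def second_symmetric_key(ts2: int, accessory_id: bytes, fp: bytes) -> bytes:
    """Steps 606-608 / B5: hash of (ts2, device ID, accessory ID, domain key, fp)."""
    return hashlib.sha256(
        pack(str(ts2).encode(), DEVICE_ID, accessory_id, DOMAIN_KEY, fp)
    ).digest()


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (SHA-256 counter keystream); encrypt == decrypt.
    A deployment would use a vetted cipher such as AES-GCM instead."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block_key = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block_key))
    return bytes(out)


def second_signature(ts2: int, accessory_id: bytes, cylinder: bytes, fp: bytes) -> bytes:
    """Steps 614 / B7: MAC keyed with the fingerprint over the other five fields."""
    msg = pack(str(ts2).encode(), DEVICE_ID, accessory_id, cylinder, DOMAIN_KEY)
    return hmac.new(fp, msg, hashlib.sha256).digest()


def provision(accessory_id: bytes, valid_until: int, kind: str, ts2: int) -> dict:
    """Background system, steps 600-616: build one accessory permission record."""
    cylinder = json.dumps(
        {"valid_until": valid_until, "type": kind, "status": "valid"},
        sort_keys=True,
    ).encode()
    fp = key_fingerprint(DEVICE_PRIVATE_KEY)
    key = second_symmetric_key(ts2, accessory_id, fp)
    return {
        "ts2": ts2,
        "virtual_cylinder": xor_keystream(key, cylinder),
        "sig2": second_signature(ts2, accessory_id, cylinder, fp),
    }


def verify(table: dict, bt_addr: str, now: int,
           device_key: bytes = DEVICE_PRIVATE_KEY) -> str:
    """Access control device, steps B1-B10. Returns the decision as a string."""
    accessory_id = accessory_id_from_address(bt_addr)             # B1
    record = table.get(accessory_id)                              # B2
    if record is None:
        return "no-record"
    ts2 = record["ts2"]                                           # B3
    fp = key_fingerprint(device_key)                              # B4
    key = second_symmetric_key(ts2, accessory_id, fp)             # B5
    cylinder = xor_keystream(key, record["virtual_cylinder"])     # B6
    expected = second_signature(ts2, accessory_id, cylinder, fp)  # B7
    if not hmac.compare_digest(expected, record["sig2"]):         # B8, constant time
        return "bad-signature"
    data = json.loads(cylinder)  # parsed only after the signature matched
    if data["status"] != "valid" or now > data["valid_until"]:    # B9
        return "expired-or-invalid"
    if data["type"] == "one-time":                                # B10
        del table[accessory_id]  # the device would also notify the background system
    return "unlock"


def demo() -> list:
    addr = "AA:BB:CC:00:11:22"  # constructed accessory address
    acc = accessory_id_from_address(addr)
    table = {acc: provision(acc, valid_until=2_000, kind="one-time", ts2=1_000)}
    first = verify(table, addr, now=1_500)
    second = verify(table, addr, now=1_600)  # the one-time record was consumed
    return [first, second]


if __name__ == "__main__":
    print(demo())
```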
Fig. 8 is a schematic diagram illustrating how an access control device according to an embodiment performs an unlocking operation with the user terminal over NFC. Referring to Fig. 8, its steps can be read alongside those of Fig. 5. The main difference is that Fig. 5 is the processing flow in terms of data structures, while Fig. 8 is the processing flow when NFC communication is actually used.
First, after the access control device 200 starts, the input recognition unit 211 finds that the input module 203 contains an NFC communication unit, enables the reader mode of the NFC HCE mode, and waits to recognize an approaching user terminal 300 that is performing NFC card emulation. When a user terminal 300 performing NFC card emulation is found near the access control device 200, the device sends the SELECT FILE APDU NFC command to the user terminal 300. Note: for the NFC APDU commands see the ISO-IEC-7816-4 specification, and for the NFC HCE mode see the ISO 14443-4 specification.
On the user terminal 300 side, the short-range communication processing unit 319 contains an NFC card emulation handler that processes the NFC commands received from the NFC communication unit in the short-range communication module 306. In the embodiment, only the SELECT FILE and INTERNAL AUTHENTICATE commands from the access control terminal 200 are handled.
After the user terminal 300 completes step S6, the access control terminal 200 begins the sub-steps of step S7.
Fig. 9 is a schematic diagram illustrating how an access control device according to an embodiment performs an unlocking operation with the user terminal over Bluetooth. Referring to Fig. 9, its steps can be read alongside those of Fig. 5. The main difference is that Fig. 5 is the processing flow in terms of data structures, while Fig. 9 is the processing flow when Bluetooth communication is actually used.
First, after the access control device 200 starts, the input recognition unit 211 finds that the input module 203 contains a Bluetooth Low Energy communication unit, enables Bluetooth peripheral mode, and waits for a user terminal 300 that also uses Bluetooth to approach and connect. After approaching the access control device 200, the user opens the user terminal 300 and starts Bluetooth unlocking through an interactive operation. The Bluetooth handler in the short-range communication processing unit 319 of the user terminal 300 first searches for a nearby Bluetooth peripheral of the specified type (carried by the access control device 200) and, once one is found, queries whether it offers the custom Bluetooth virtual key unlocking service (step S1); if so, the connection succeeds. The custom Bluetooth virtual key unlocking service is a Bluetooth service defined by the embodiment itself, providing read/write access to a series of custom attributes. The user terminal 300 then sends a command to write the user identifier attribute (step S2). On receiving the user identifier, the access control device 200 checks whether a record exists for it (step S3); if not, it returns an error response, otherwise a success response. After receiving the success response, the user terminal 300 sends the access control device 200 a command to read the authentication credential attribute (step S4); the access control device 200 then computes the timestamp and returns the attribute data requested by the user terminal 300 (device identifier, project domain key, timestamp). The subsequent steps are essentially the same as the processing flow in Fig. 5, except that the communication is implemented with Bluetooth attribute writes.
Those skilled in the art should understand that the components of the devices provided by the above embodiments of the present invention, and the steps of the methods, can be concentrated on a single computing device or distributed over a network of multiple computing devices. Optionally, they can be implemented as program code executable by a computing device. They can therefore be stored in a storage device and executed by a computing device, or made into individual integrated circuit modules, or several of the modules or steps can be made into a single integrated circuit module. The present invention is thus not limited to any specific combination of hardware and software.
The above are only preferred embodiments of the present invention and do not limit its scope of implementation; equivalent changes and modifications made without departing from the claims of the present invention still fall within its scope of protection.
Claims (29)
Priority Applications (4)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010308850.3A CN111478918B (en) | 2016-10-25 | 2016-10-25 | Device with access control function |
| CN202010308849.0A CN111464556B (en) | 2016-10-25 | 2016-10-25 | Portable user terminal |
| CN201610932849.1A CN106603484B (en) | 2016-10-25 | 2016-10-25 | Virtual key method, device applying same, background system and user terminal |
| CN202010308848.6A CN111478917B (en) | 2016-10-25 | 2016-10-25 | Background system for providing network service for access control device and user terminal |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610932849.1A CN106603484B (en) | 2016-10-25 | 2016-10-25 | Virtual key method, device applying same, background system and user terminal |
Related Child Applications (3)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010308848.6A Division CN111478917B (en) | 2016-10-25 | 2016-10-25 | Background system for providing network service for access control device and user terminal |
| CN202010308849.0A Division CN111464556B (en) | 2016-10-25 | 2016-10-25 | Portable user terminal |
| CN202010308850.3A Division CN111478918B (en) | 2016-10-25 | 2016-10-25 | Device with access control function |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106603484A (en) | 2017-04-26 |
| CN106603484B (en) | 2020-09-25 |
Family
ID=58556360
Family Applications (4)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610932849.1A Active CN106603484B (en) | 2016-10-25 | 2016-10-25 | Virtual key method, device applying same, background system and user terminal |
| CN202010308848.6A Expired - Fee Related CN111478917B (en) | 2016-10-25 | 2016-10-25 | Background system for providing network service for access control device and user terminal |
| CN202010308849.0A Expired - Fee Related CN111464556B (en) | 2016-10-25 | 2016-10-25 | Portable user terminal |
| CN202010308850.3A Active CN111478918B (en) | 2016-10-25 | 2016-10-25 | Device with access control function |
Family Applications After (3)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010308848.6A Expired - Fee Related CN111478917B (en) | 2016-10-25 | 2016-10-25 | Background system for providing network service for access control device and user terminal |
| CN202010308849.0A Expired - Fee Related CN111464556B (en) | 2016-10-25 | 2016-10-25 | Portable user terminal |
| CN202010308850.3A Active CN111478918B (en) | 2016-10-25 | 2016-10-25 | Device with access control function |
Country Status (1)
| Country | Link |
|---|---|
| CN (4) | CN106603484B (en) |
Cited By (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107103227A (en) * | 2017-06-02 | 2017-08-29 | 广东汇泰龙科技有限公司 | A kind of method and its system of the pattern unblock checking locked based on cloud |
| CN107370733A (en) * | 2017-07-18 | 2017-11-21 | 电子科技大学 | A kind of intelligent lock management method based on Rijndael and ECC Hybrid Encryptions |
| CN107426178A (en) * | 2017-06-13 | 2017-12-01 | 上海奥宜电子科技有限公司 | A kind of data managing method and system of virtual key |
| CN108055124A (en) * | 2017-11-15 | 2018-05-18 | 吕锋 | Lock administration system and lock management method |
| CN108985977A (en) * | 2018-07-18 | 2018-12-11 | 石伟男 | A kind of property intelligent supervision management system |
| CN109936833A (en) * | 2017-12-15 | 2019-06-25 | 蔚来汽车有限公司 | Vehicle virtual key generation and use method, system and user terminal |
| CN111478918A (en) * | 2016-10-25 | 2020-07-31 | 雷飏 | Device with access control function |
| CN111599041A (en) * | 2020-03-31 | 2020-08-28 | 杭州龙纪科技有限公司 | Safe unlocking method and system of intelligent door lock |
| CN111784883A (en) * | 2020-07-20 | 2020-10-16 | 深圳可信物联科技有限公司 | Intelligent lock configuration method and system |
| CN111815811A (en) * | 2020-06-22 | 2020-10-23 | 北京智辉空间科技有限责任公司 | Electronic lock safety system |
| CN111935302A (en) * | 2020-08-20 | 2020-11-13 | 捷德(中国)科技有限公司 | Key management device, method and apparatus |
| CN112102529A (en) * | 2020-09-25 | 2020-12-18 | 无锡职业技术学院 | Power facility protection system based on passive intelligent lock and execution process thereof |
| CN113781682A (en) * | 2021-10-22 | 2021-12-10 | 上海瓶钵信息科技有限公司 | Reliable failure method and system for off-line digital key |
| CN113920625A (en) * | 2021-10-18 | 2022-01-11 | 安徽江淮汽车集团股份有限公司 | Vehicle NFC key authentication method |
| CN117014151A (en) * | 2023-08-02 | 2023-11-07 | 重庆交通开投科技发展有限公司 | Anonymous accommodation verification method based on digital identity authentication |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112396735B (en) * | 2020-11-27 | 2022-09-02 | 昕培科技(北京)有限公司 | Internet automobile digital key safety authentication method and device |
| CN112554663A (en) * | 2020-12-23 | 2021-03-26 | 广州亿房通物联科技有限公司 | Apartment intelligent lock control system and control method thereof |
| CN113823018A (en) * | 2021-09-30 | 2021-12-21 | 重庆长安汽车股份有限公司 | Method and system for unlocking and starting vehicle based on external voice system |
| CN117609965B (en) * | 2024-01-19 | 2024-06-25 | 深圳前海深蕾半导体有限公司 | Upgrade data packet acquisition method of intelligent device, intelligent device and storage medium |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2013071858A1 (en) * | 2011-11-15 | 2013-05-23 | 中国银联股份有限公司 | Payment secret key system of intelligent tv and payment method based on intelligent tv |
| US20130303125A1 (en) * | 2008-12-19 | 2013-11-14 | Tecore | Intelligent network access control |
| CN103914901A (en) * | 2014-03-27 | 2014-07-09 | 惠州Tcl移动通信有限公司 | Unlocking method and unlocking system |
| US20150067792A1 (en) * | 2013-08-27 | 2015-03-05 | Qualcomm Incorporated | Owner access point to control the unlocking of an entry |
| CN104933793A (en) * | 2015-06-11 | 2015-09-23 | 宁波飞拓电器有限公司 | Two-dimension code electronic key implementation method based on digital signature |
| CN104966336A (en) * | 2015-05-29 | 2015-10-07 | 深圳光启智能光子技术有限公司 | Intelligent lock, intelligent lock authorization management method, and intelligent lock authorization management apparatus |
| US20150339870A1 (en) * | 2014-05-20 | 2015-11-26 | Tyco Safety Products Canada Ltd. | Dual Access Level Security System and Method |
| CN105871874A (en) * | 2016-04-27 | 2016-08-17 | 武汉市国扬科技有限公司 | Mobile Internet virtual key authorizing system and hardware door lock control method thereof |
Family Cites Families (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| FI20002255A7 (en) * | 2000-10-13 | 2002-04-14 | Nokia Corp | Method for managing and controlling locks |
| CN201037941Y (en) * | 2007-03-20 | 2008-03-19 | 上海鼎松信息技术有限公司 | Electronic lock system by using public key system to verify digital signature |
| CN101465728A (en) * | 2008-12-17 | 2009-06-24 | 成都市华为赛门铁克科技有限公司 | Method, system and device for distributing cipher key |
| CN101944996B (en) * | 2010-07-09 | 2012-11-21 | 北京海泰方圆科技有限公司 | Button type ekey and method for prefabricating certificate for ekey |
| KR20120129140A (en) * | 2011-05-19 | 2012-11-28 | 나예룡 | System for managing entrance of room using virtual key and method therefor |
| DE112011105869B4 (en) * | 2011-11-22 | 2016-10-06 | Mitsubishi Electric Corporation | Electronic key system and lock-side terminal and portable terminal used in same |
| AT513016B1 (en) * | 2012-06-05 | 2014-09-15 | Phactum Softwareentwicklung Gmbh | Method and device for controlling a locking mechanism with a mobile terminal |
| CN104574593B (en) * | 2014-12-24 | 2017-02-22 | 浙江银江研究院有限公司 | Virtual key based on Bluetooth communication as well as anti-theft lock system and application method thereof |
| CN105069876B (en) * | 2015-08-04 | 2018-06-22 | 珠海格力电器股份有限公司 | Intelligent access control method and system |
| CN105389870A (en) * | 2015-10-28 | 2016-03-09 | 广州畅联信息科技有限公司 | Entrance guard management method and system |
| CN105488887A (en) * | 2015-12-28 | 2016-04-13 | 慧锐通智能科技股份有限公司 | Entrance guard access control method |
| CN105788047B (en) * | 2016-03-30 | 2018-12-14 | 北京千丁互联科技有限公司 | A kind of control of bluetooth access equipment, control of bluetooth access management system and method |
| CN105915344B (en) * | 2016-04-15 | 2019-03-22 | 重庆金瓯科技发展有限责任公司 | A kind of electron key shared service system for house lease |
| CN106603484B (en) * | 2016-10-25 | 2020-09-25 | 北京祥云门广告有限公司 | Virtual key method, device applying same, background system and user terminal |
2016
- 2016-10-25, CN201610932849.1A (patent CN106603484B): Active
- 2016-10-25, CN202010308848.6A (patent CN111478917B): Expired - Fee Related
- 2016-10-25, CN202010308849.0A (patent CN111464556B): Expired - Fee Related
- 2016-10-25, CN202010308850.3A (patent CN111478918B): Active
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20130303125A1 (en) * | 2008-12-19 | 2013-11-14 | Tecore | Intelligent network access control |
| WO2013071858A1 (en) * | 2011-11-15 | 2013-05-23 | 中国银联股份有限公司 | Payment secret key system of intelligent tv and payment method based on intelligent tv |
| US20150067792A1 (en) * | 2013-08-27 | 2015-03-05 | Qualcomm Incorporated | Owner access point to control the unlocking of an entry |
| CN103914901A (en) * | 2014-03-27 | 2014-07-09 | 惠州Tcl移动通信有限公司 | Unlocking method and unlocking system |
| US20150339870A1 (en) * | 2014-05-20 | 2015-11-26 | Tyco Safety Products Canada Ltd. | Dual Access Level Security System and Method |
| CN104966336A (en) * | 2015-05-29 | 2015-10-07 | 深圳光启智能光子技术有限公司 | Intelligent lock, intelligent lock authorization management method, and intelligent lock authorization management apparatus |
| CN104933793A (en) * | 2015-06-11 | 2015-09-23 | 宁波飞拓电器有限公司 | Two-dimension code electronic key implementation method based on digital signature |
| CN105871874A (en) * | 2016-04-27 | 2016-08-17 | 武汉市国扬科技有限公司 | Mobile Internet virtual key authorizing system and hardware door lock control method thereof |
Non-Patent Citations (1)
| Title |
|---|
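| 熊良林: "Development of an NFC application system based on Android mobile phones", China Master's Theses Full-text Database, Information Science and Technology * |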
Cited By (21)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111478918B (en) * | 2016-10-25 | 2022-04-12 | 中用科技有限公司 | Device with access control function |
| CN111478918A (en) * | 2016-10-25 | 2020-07-31 | 雷飏 | Device with access control function |
| CN107103227A (en) * | 2017-06-02 | 2017-08-29 | 广东汇泰龙科技有限公司 | A kind of method and its system of the pattern unblock checking locked based on cloud |
| CN107426178A (en) * | 2017-06-13 | 2017-12-01 | 上海奥宜电子科技有限公司 | A kind of data managing method and system of virtual key |
| CN107370733A (en) * | 2017-07-18 | 2017-11-21 | 电子科技大学 | A kind of intelligent lock management method based on Rijndael and ECC Hybrid Encryptions |
| CN108055124A (en) * | 2017-11-15 | 2018-05-18 | 吕锋 | Lock administration system and lock management method |
| CN109936833B (en) * | 2017-12-15 | 2021-08-13 | 蔚来(安徽)控股有限公司 | Vehicle virtual key generation and use method, system and user terminal |
| CN109936833A (en) * | 2017-12-15 | 2019-06-25 | 蔚来汽车有限公司 | Vehicle virtual key generation and use method, system and user terminal |
| CN108985977B (en) * | 2018-07-18 | 2022-02-11 | 石伟男 | A property intelligent supervision and management system |
| CN108985977A (en) * | 2018-07-18 | 2018-12-11 | 石伟男 | A kind of property intelligent supervision management system |
| CN111599041A (en) * | 2020-03-31 | 2020-08-28 | 杭州龙纪科技有限公司 | Safe unlocking method and system of intelligent door lock |
| CN111599041B (en) * | 2020-03-31 | 2022-03-08 | 杭州龙纪科技有限公司 | Safe unlocking method and system of intelligent door lock |
| CN111815811A (en) * | 2020-06-22 | 2020-10-23 | 北京智辉空间科技有限责任公司 | Electronic lock safety system |
| CN111784883A (en) * | 2020-07-20 | 2020-10-16 | 深圳可信物联科技有限公司 | Intelligent lock configuration method and system |
| CN111935302A (en) * | 2020-08-20 | 2020-11-13 | 捷德(中国)科技有限公司 | Key management device, method and apparatus |
| CN111935302B (en) * | 2020-08-20 | 2023-01-31 | 捷德(中国)科技有限公司 | Key management device, method and equipment |
| CN112102529A (en) * | 2020-09-25 | 2020-12-18 | 无锡职业技术学院 | Power facility protection system based on passive intelligent lock and execution process thereof |
| CN112102529B (en) * | 2020-09-25 | 2022-05-20 | 无锡职业技术学院 | Power facility protection system based on passive intelligent lock and execution process thereof |
| CN113920625A (en) * | 2021-10-18 | 2022-01-11 | 安徽江淮汽车集团股份有限公司 | Vehicle NFC key authentication method |
| CN113781682A (en) * | 2021-10-22 | 2021-12-10 | 上海瓶钵信息科技有限公司 | Reliable failure method and system for off-line digital key |
| CN117014151A (en) * | 2023-08-02 | 2023-11-07 | 重庆交通开投科技发展有限公司 | Anonymous accommodation verification method based on digital identity authentication |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111464556A (en) | 2020-07-28 |
| CN106603484B (en) | 2020-09-25 |
| CN111478918A (en) | 2020-07-31 |
| CN111478917A (en) | 2020-07-31 |
| CN111464556B (en) | 2022-12-30 |
| CN111478917B (en) | 2022-04-15 |
| CN111478918B (en) | 2022-04-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111464556B (en) | | Portable user terminal |
| US11888594B2 (en) | | System access using a mobile device |
| KR102308846B1 (en) | | System for accessing data from multiple devices |
| CA3227615A1 (en) | | Techniques and systems to perform authentication and payment operations with a contactless card to provide items and services |
| US8931689B2 (en) | | Systems and methods for anti-counterfeit authentication through communication networks |
| US9858401B2 (en) | | Securing transactions against cyberattacks |
| US20140365781A1 (en) | | Receiving a Delegated Token, Issuing a Delegated Token, Authenticating a Delegated User, and Issuing a User-Specific Token for a Resource |
| US20120008769A1 (en) | | Method and System For Managing A Distributed Identity |
| TR201902104T4 (en) | | Systems and methods for secure communication. |
| JP2004013744A (en) | | Digital content issuing system and method |
| US11184172B2 (en) | | Protection device and dongle and method for using the same |
| CN106936588B (en) | | Hosting method, device and system of hardware control lock |
| CN110290134A (en) | | A kind of identity identifying method, device, storage medium and processor |
| WO2011076102A1 (en) | | Implementing method, system of universal card system and smart card |
| US20130061051A1 (en) | | Method for authenticating electronic transaction, server, and terminal |
| US11182777B2 (en) | | Systems and methods using a primary account number to represent identity attributes |
| CN106572098B (en) | | Two-dimensional code type virtual key method |
| JP2011012511A (en) | | Electric lock control system |
| KR20080087917A (en) | | One-time password generation method, key issuance system and one-time password authentication system |
| JP2025509632A (en) | | Using identity credentials as a key to securely control locks connected to a wireless network |
| WO2025260534A1 (en) | | Entity identity authentication method for quantum access control system |
| KR20130082845A (en) | | Automatic teller machine for generating a master key and method employing the same |
| CN120874067A (en) | | Data sharing method, device and system |
| WO2023178724A1 (en) | | Anti-piracy method and system for smart doorbell, smart doorbell and computer-readable storage medium |
| HK40107660A (en) | | Techniques and systems to perform authentication and payment operations with a contactless card to provide items and services |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | TA01 | Transfer of patent application right | Effective date of registration: 20200713; Address after: Room 2301, 21/F, building 4, yard 8, Dongdaqiao Road, Chaoyang District, Beijing 100020; Applicant after: BEIJING XIANGYUNMEN ADVERTISING Co.,Ltd.; Address before: 100029 Beijing city Chaoyang District North Shaoyaoju shi'ao B International Center No. 101 block 2109; Applicant before: Lei Yang |
| | GR01 | Patent grant | |