CN109410406A - A kind of authorization method, device and system - Google Patents

Publication number: CN109410406A
Authority: CN (China)
Legal status: Granted
Application number: CN201811352554.2A
Other languages: Chinese (zh)
Other versions: CN109410406B (en)
Inventors: 周飞, 张炜
Current Assignee: Beijing Huada Zhibao Electronic System Co Ltd
Original Assignee: Beijing Huada Zhibao Electronic System Co Ltd
Application filed by: Beijing Huada Zhibao Electronic System Co Ltd
Priority to: CN201811352554.2A
Events: publication of CN109410406A; application granted; publication of CN109410406B
Current legal status: Active

Classifications

    • G: PHYSICS
    • G07: CHECKING-DEVICES
    • G07C: TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00: Individual registration on entry or exit
    • G07C9/00174: Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
    • G07C9/00563: Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys using personal physical data of the operator, e.g. finger prints, retinal images, voice patterns
    • G07C9/00817: Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys where the code of the lock can be programmed
    • G07C2009/00825: Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys where the code of the lock can be programmed remotely by lines or wireless communication

Abstract

The present invention provides an authorization method. After the fingerprint information of a user is obtained, a secure transmission channel is established with each target door lock, security authentication is performed with each target door lock over that channel, and a session key for data transmission with each target door lock is generated. The fingerprint information is encrypted with each session key, and the encrypted fingerprint information is sent to the target door lock corresponding to that session key; after the target door lock receives and decrypts the encrypted fingerprint information, the user is granted the permission to open the target door lock. With the authorization method provided by the embodiment of the present invention, the security and confidentiality of the user's fingerprint information are ensured while it is transferred to each target door lock, so that other stealing software or devices cannot parse the encrypted fingerprint information, and the security of the user's personal information is ensured.

Description

Authorization method, device and system
Technical Field
The invention relates to the technical field of Internet of things and intelligent home security, in particular to an authorization method, device and system.
Background
With the rapid development of science and society, fingerprint identification technology has become more and more mature and is more and more widely applied in daily life, especially in intelligent door locks: the unique fingerprint information of a user is set as the password of the intelligent door lock, and the door lock can be unlocked only after the user's own fingerprint is verified.
However, when a user wants to rent or buy a house, the user needs to open several doors to view the houses, and a user who visits temporarily cannot enroll a fingerprint in advance in every room to be viewed. If the door lock passwords of the rooms are given to the tenant, the passwords need to be changed after the viewing; and even if the tenant's personal fingerprint is enrolled in each door lock, there is no guarantee that the user's personal fingerprint information will not be leaked. There is therefore a need for a secure method of authorizing unlocking by a user's fingerprint.
Disclosure of Invention
In view of this, the technical problem to be solved by the present invention is to provide an authorization method that encrypts the fingerprint information of the user at the user's request, distributes the encrypted fingerprint information remotely, and prevents the fingerprint information from being illegally intercepted during transmission.
The invention also provides an authorization device for ensuring the realization and the application of the method in practice.
An authorization method, the method is applied to a control terminal, and the method comprises the following steps:
determining each target door lock to be unlocked, and acquiring fingerprint information of a user;
establishing a secure transmission channel with each target door lock, and respectively performing secure authentication with each target door lock according to the secure transmission channel to generate a session key for performing data transmission with each target door lock;
and encrypting the fingerprint information according to each session key, and sending the encrypted fingerprint information to a target door lock corresponding to the session key so as to grant the user the opening authority of the target door lock after the encrypted fingerprint information is decrypted by the target door lock.
In the above method, preferably, the establishing a secure transmission channel with each target door lock includes:
sending an identity authentication request to an established cloud platform, triggering the cloud platform and the control terminal to perform bidirectional identity authentication, and triggering the cloud platform to perform bidirectional identity authentication with each target door lock respectively;
when the bidirectional identity authentication between the cloud platform and the control terminal passes and the bidirectional identity authentication between the cloud platform and each target door lock passes, a secure transmission channel for data transmission between the control terminal and each target door lock through the cloud platform is established.
Preferably, the method for performing security authentication with a target door lock includes:
calling a door lock public key in a door lock public and private key pair prestored in the cloud platform, and encrypting the generated terminal random number according to the door lock public key;
sending an algorithm confirmation request and the encrypted terminal random number to the target door lock, and receiving the encrypted door lock random number corresponding to the algorithm confirmation request fed back by the target door lock;
encrypting the generated shared master key according to the door lock public key, and generating a digest random number according to the terminal random number and the door lock random number obtained by decryption;
calling a preset digest algorithm, and carrying out a digest operation on the digest random number to obtain a first digest value;
applying a terminal private key in a pre-generated terminal public and private key pair to perform signature operation on the first digest value to obtain a signature value;
sending the signature value and the encrypted shared master key to the target door lock for verification;
when a door lock authentication message fed back by the target door lock in response to successful verification is received, authenticating the door lock authentication message, generating a terminal authentication message corresponding to the door lock authentication message when the authentication is passed, and sending the terminal authentication message to the target door lock for authentication;
and when the authentication passing message sent by the target door lock is received, the security authentication with the target door lock is completed.
In the above method, preferably, the authenticating the door lock authentication message includes:
concatenating the terminal random number, the door lock random number, the signature value and the encrypted shared master key to obtain a first connection value;
calling the preset digest algorithm, and carrying out a digest operation on the first connection value to obtain a second digest value;
concatenating the second digest value with a preset door lock ASCII code to obtain a second connection value;
calling a preset hash algorithm, and carrying out a hash operation on the second connection value and the shared master key to obtain a first authentication message;
and comparing the first authentication message with the door lock authentication message; when the two are consistent, the door lock authentication message passes authentication.
In the above method, preferably, the generating a session key for data transmission with each target door lock includes:
calling a preset hash algorithm, and carrying out a hash operation on the shared master key, the terminal random number, the door lock random number and a preset ASCII key to obtain the session key.
An authorization apparatus, comprising:
the first acquisition unit is used for determining each target door lock to be unlocked and acquiring fingerprint information of a user;
the authentication unit is used for establishing a secure transmission channel with each target door lock, performing secure authentication with each target door lock according to the secure transmission channel, and generating a session key for performing data transmission with each target door lock;
and the authorization unit is used for encrypting the fingerprint information according to each session key and sending the encrypted fingerprint information to a target door lock corresponding to the session key so as to grant the user the opening authority of the target door lock after the encrypted fingerprint information is decrypted by the target door lock.
An authorization method, the method being applied to a door lock, the method comprising:
when an opening instruction of a target door lock by a user is received, acquiring fingerprint information of the user contained in the opening instruction;
comparing the fingerprint information with authorized fingerprint information obtained by decryption in advance;
when the comparison is consistent, the target door lock is opened;
wherein: the process of obtaining authorized fingerprint information includes:
when receiving encrypted user fingerprint information sent by a control terminal which passes the security authentication through an established cloud platform, decrypting the encrypted user fingerprint information according to a session key generated in the security authentication process to obtain the authorized fingerprint information.
The method described above, preferably, the process of security authentication includes:
when an algorithm confirmation request and an encrypted terminal random number sent by the control terminal are received, confirming an algorithm contained in the control terminal;
when the confirmation is passed, calling a terminal public key in a terminal public and private key pair prestored in the cloud platform, encrypting the generated door lock random number, and sending the encrypted door lock random number to the control terminal;
receiving a signature value and an encrypted shared master key sent by the control terminal;
verifying the signature value according to the terminal public key, decrypting the encrypted shared master key when the signature value passes the verification to obtain the shared master key, and generating a door lock authentication message;
sending the door lock authentication message to the control terminal for authentication;
and when a terminal authentication message corresponding to the door lock authentication message fed back by the control terminal is received, authenticating the terminal authentication message; when the authentication is passed, the security authentication with the control terminal is completed.
Preferably, the method for authenticating the terminal authentication message includes:
concatenating the terminal random number, the door lock random number, the signature value and the encrypted shared master key to obtain a first connection value;
calling the preset digest algorithm, and carrying out a digest operation on the first connection value to obtain a second digest value;
concatenating the second digest value with a preset door lock ASCII code to obtain a third connection value;
calling a preset hash algorithm, and carrying out a hash operation on the third connection value and the shared master key to obtain a second authentication message;
and comparing the second authentication message with the terminal authentication message; if the two are consistent, the terminal authentication message passes authentication.
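The authentication-message checks described above for the control terminal and for the door lock, together with the session key derivation, can be sketched as follows. This is an added example, not code from the patent. It assumes SHA-256 as the preset digest algorithm, HMAC-SHA256 as the keyed "hash operation", length-prefixed concatenation, and constructed label values (one per direction) in place of the preset ASCII codes; the signature value and encrypted shared master key are opaque constructed bytes.

```python
import hashlib
import hmac

# Constructed stand-ins for the page's "preset ASCII" values (assumptions).
LOCK_LABEL = b"door lock auth"
TERMINAL_LABEL = b"terminal auth"
KEY_LABEL = b"session key"


def frame(*fields: bytes) -> bytes:
    """Concatenate fields, each with a 2-byte length prefix (assumption: the
    page only says "connect"; prefixes keep variable-length fields unambiguous)."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def transcript_digest(term_rand, lock_rand, signature, enc_master_key) -> bytes:
    """Second digest value: digest of the first connection value."""
    return hashlib.sha256(
        frame(term_rand, lock_rand, signature, enc_master_key)).digest()


def auth_message(master_key, digest, label) -> bytes:
    """Keyed hash of (second digest value || label) under the shared master key."""
    return hmac.new(master_key, digest + label, hashlib.sha256).digest()


def verify_auth_message(master_key, digest, label, received) -> bool:
    """Recompute the message locally and compare in constant time."""
    return hmac.compare_digest(auth_message(master_key, digest, label), received)


def session_key(master_key, term_rand, lock_rand) -> bytes:
    """Keyed hash over the preset key label and both random numbers."""
    return hmac.new(master_key, KEY_LABEL + frame(term_rand, lock_rand),
                    hashlib.sha256).digest()


def simulate(lock_master_key=None) -> dict:
    """Run both sides of the final exchange on constructed sample values.

    lock_master_key lets the caller model a lock that recovered a different
    shared master key than the one the terminal generated.
    """
    term_rand = bytes(range(16))                      # constructed
    lock_rand = bytes(range(16, 32))                  # constructed
    master_key = bytes.fromhex("00112233445566778899aabbccddeeff")  # 16 bytes
    signature = b"\x5a" * 64        # opaque stand-in for the signature value
    enc_master_key = b"\xc3" * 128  # opaque stand-in for the encrypted key
    lock_mk = lock_master_key or master_key
    failed = {"authenticated": False, "terminal_key": None, "lock_key": None}

    digest = transcript_digest(term_rand, lock_rand, signature, enc_master_key)

    # Door lock -> terminal: door lock authentication message.
    lock_msg = auth_message(lock_mk, digest, LOCK_LABEL)
    if not verify_auth_message(master_key, digest, LOCK_LABEL, lock_msg):
        return failed  # terminal stops; no fingerprint data is ever sent

    # Terminal -> door lock: terminal authentication message.
    term_msg = auth_message(master_key, digest, TERMINAL_LABEL)
    if not verify_auth_message(lock_mk, digest, TERMINAL_LABEL, term_msg):
        return failed

    return {"authenticated": True,
            "terminal_key": session_key(master_key, term_rand, lock_rand),
            "lock_key": session_key(lock_mk, term_rand, lock_rand)}


if __name__ == "__main__":
    print(simulate()["authenticated"])                              # matching keys
    print(simulate(lock_master_key=b"\x00" * 16)["authenticated"])  # mismatch
```

Because both random numbers enter the derivation, each target door lock ends up with its own session key even when the same terminal authorizes several locks in one pass.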
An authorization apparatus, comprising:
the second acquisition unit is used for acquiring fingerprint information of a user contained in an opening instruction when the opening instruction of the target door lock by the user is received;
the comparison unit is used for comparing the fingerprint information with authorized fingerprint information obtained by decryption in advance;
and the unlocking unit is used for unlocking the target door lock when the comparison is consistent.
An authorization system, comprising:
the system comprises a fingerprint management terminal, a cloud platform and at least one door lock;
the fingerprint management terminal comprises:
the first acquisition module is used for acquiring a user fingerprint;
the first fingerprint detection control module is used for converting the acquired user fingerprint into fingerprint information;
the terminal chip is used for executing the authorization method according to any one of claims 1-5 when receiving the fingerprint information sent by the first fingerprint detection control module;
the door lock includes:
the second acquisition module is used for acquiring the user fingerprint;
the second fingerprint detection control module is used for converting the acquired user fingerprint into fingerprint information;
a door lock chip for performing the authorization method of any one of claims 7 to 9;
the cloud platform is used for performing bidirectional identity authentication with the fingerprint management terminal and performing bidirectional identity authentication with each door lock when receiving an identity authentication request sent by the fingerprint management terminal; when the fingerprint management terminal and each door lock perform security authentication, data and information in the security authentication process are distributed and transferred; and after the security authentication is passed, receiving the fingerprint information encrypted by the fingerprint management terminal, and distributing the encrypted fingerprint information to each door lock.
Compared with the prior art, the invention has the following advantages:
The invention provides an authorization method which comprises: establishing a secure transmission channel with each target door lock after fingerprint information of a user is obtained; performing security authentication with each target door lock over the secure transmission channel; generating a session key for data transmission with each target door lock; encrypting the fingerprint information with each session key; and sending the encrypted fingerprint information to the target door lock corresponding to the session key. After the target door lock receives the encrypted fingerprint information, it decrypts it and the user is granted the right to open the target door lock. By applying the authorization method provided by the embodiment of the invention, the security and confidentiality of the user fingerprint information are ensured while it is transmitted to each target door lock, so that other stealing software or devices cannot parse the encrypted fingerprint information, and the security of the personal information of the user is ensured.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flow chart of a method of authorization provided by the present invention;
FIG. 2 is a diagram illustrating an authorization method according to an embodiment of the present invention;
FIG. 3 is a diagram of another example of an authorization method provided by the present invention;
FIG. 4 is a diagram of another example of an authorization method provided by the present invention;
FIG. 5 is a diagram of another example of an authorization method provided by the present invention;
FIG. 6 is a schematic structural diagram of an authorization apparatus provided in the present invention;
FIG. 7 is a flow chart of another method of an authorization method provided by the present invention;
FIG. 8 is a diagram illustrating an authorization method according to another embodiment of the present invention;
FIG. 9 is a schematic view of another structure of an authorization apparatus provided in the present invention;
FIG. 10 is a schematic structural diagram of an authorization system provided in the present invention;
FIG. 11 is a diagram of an exemplary authorization system provided by the present invention;
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In this application, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions, and the terms "comprises", "comprising", or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The invention can be used in a plurality of devices or configurations which need to encrypt or decrypt data information. For example: the fingerprint intelligent door lock, the voice control door lock, the palm print door lock and the like comprise any device or equipment, environment and equipment which need to encrypt and transmit personal identity data information and the like.
The embodiment of the invention provides an authorization method that can be applied to various intelligent door locks. The execution subject is a control terminal; the control terminal is a fingerprint management terminal, which can be a mobile phone, a PC (personal computer) or any mobile terminal. A flow chart of the method is shown in FIG. 1, and the method specifically comprises the following steps:
S101: determining each target door lock to be unlocked, and acquiring fingerprint information of a user;
In the method provided by the embodiment of the invention, the information of the target door locks that the user needs to open is determined on the control terminal, the fingerprint of the user is input, and the fingerprint information of the user is acquired from that fingerprint and stored.
It should be noted that the control terminal is actually a fingerprint management terminal, and the control terminal may be a mobile phone, a PC, or any mobile terminal; the target door lock is at least one intelligent door lock, and the user can select the number of the target door locks to be unlocked.
S102: establishing a secure transmission channel with each target door lock, and respectively performing secure authentication with each target door lock according to the secure transmission channel to generate a session key for performing data transmission with each target door lock;
In the method provided by the embodiment of the invention, after the fingerprint information of the user is acquired, the control terminal triggers the establishment of a secure transmission channel with each target door lock, performs security authentication with each target door lock over the secure transmission channel, and, after the security authentication is passed, generates a session key for data transmission with each target door lock.
S103: and encrypting the fingerprint information according to each session key, and sending the encrypted fingerprint information to a target door lock corresponding to the session key so as to grant the user the opening authority of the target door lock after the encrypted fingerprint information is decrypted by the target door lock.
In the method provided by the embodiment of the invention, after the control terminal determines the session key of the transmission data information between the control terminal and each target door lock, the control terminal encrypts the fingerprint information by using the session key, sends the encrypted fingerprint information to the target door lock corresponding to the session key according to the information of the target door lock to be unlocked which is determined in advance, and grants the user the authority to unlock the target door lock after the target door lock decrypts the encrypted fingerprint information.
In the method provided by the embodiment of the invention, after each target door lock that the user needs to open is determined in the control terminal, the fingerprint information of the user is obtained, and the establishment of a secure transmission channel with the target door locks is triggered according to the fingerprint information of the user. Security authentication is performed with each target door lock over the secure transmission channel, a secure connection channel with each target door lock is established according to the security authentication information exchanged in the security authentication process, and a session key for data transmission with each door lock is generated after the security authentication is completed. The fingerprint information of the user is encrypted with the session key, and the encrypted fingerprint information is sent to the target door lock corresponding to that session key; after the target door lock decrypts the encrypted fingerprint information, the user is granted the opening authority of the target door lock. By applying the authorization method provided by the invention, after the security authentication is carried out between the control terminal and the target door lock, the session key is generated to encrypt the fingerprint information, and the encrypted fingerprint information is sent to the target door lock by the control terminal through the secure connection channel established according to the security authentication, so that the security and confidentiality of the user fingerprint information in the transmission process are ensured.
It should be noted that the secure transmission channel is established by the control terminal and the cloud platform passing through the bidirectional identity authentication, and the cloud platform and the target door lock passing through the bidirectional identity authentication, and according to the established secure transmission channel, the control terminal performs the secure authentication with the target door lock through the cloud platform.
In the authorization method provided in the embodiment of the present invention, performing security authentication with the target door lock includes the following steps, as shown in FIG. 2:
S201: calling a door lock public key in a door lock public and private key pair prestored in the cloud platform, and encrypting the generated terminal random number according to the door lock public key;
In the method provided by the embodiment of the invention, after the secure transmission channel between the control terminal and each target door lock is established, the control terminal calls the door lock public key of the door lock public and private key pair stored in the cloud platform in advance and uses it to encrypt the terminal random number that the control terminal itself generated.
It should be noted that the door lock public key prestored in the cloud platform is the one that the target door lock stored there in advance: after the control terminal establishes a secure transmission channel with each target door lock through the cloud platform, each target door lock generates a door lock public and private key pair and stores the door lock public key of that pair in the cloud platform. The door lock public and private key pair is generated by a door lock security chip in the target door lock according to a preset asymmetric algorithm and comprises a door lock public key and a door lock private key; once generated, the door lock private key can only be stored in the door lock security chip and cannot be exported. A terminal security chip in the control terminal likewise generates a terminal public and private key pair according to an asymmetric algorithm preset in the terminal; the pair comprises a terminal public key and a terminal private key, and once generated the terminal private key can only be stored in the control terminal security chip. The asymmetric algorithm can be set to RSA1024/2048, SM2 and other algorithms.
The above process is described for the case where a single preset asymmetric algorithm is used to generate the public and private key pair in advance. In practical application, the door lock and the control terminal can each generate several public and private key pairs using different asymmetric algorithms and transmit the generated public keys to the platform for storage; when the terminal calls a door lock public key stored in advance in the cloud platform, it specifies the public key of the corresponding algorithm.
S202: sending an algorithm confirmation request and the encrypted terminal random number to the target door lock, and receiving the encrypted door lock random number corresponding to the algorithm confirmation request fed back by the target door lock;
In the method provided by the embodiment of the invention, when the control terminal has acquired the fingerprint information of a user and encrypted the terminal random number, each algorithm preset in the control terminal is determined, an algorithm confirmation request and the encrypted terminal random number are sent to each target door lock, and the encrypted door lock random number fed back by the target door lock is then received.
It should be noted that the algorithm confirmation request carries identification information of the algorithms preset in the control terminal. After receiving this identification information, the target door lock judges whether it supports the algorithms preset in the control terminal; if it does, that is, a door lock preset algorithm consistent with the control terminal's preset algorithm exists, the algorithm confirmation request is confirmed. The encrypted door lock random number is obtained as follows: after the target door lock generates the door lock random number, it calls the terminal public key of the terminal public and private key pair stored in the cloud platform in advance and encrypts the door lock random number with it.
S203: encrypting the generated shared master key according to the door lock public key, and generating a digest random number according to the terminal random number and the door lock random number obtained by decryption;
In the method provided by the embodiment of the invention, the control terminal encrypts the shared master key generated in the control terminal with the door lock public key obtained from the cloud platform, and generates the digest random number from the terminal random number and the decrypted door lock random number.
The digest random number is generated from the terminal random number and the door lock random number. After receiving the encrypted door lock random number fed back by the target door lock, the control terminal decrypts it with the terminal private key that it generated in advance to obtain the door lock random number; at the same time, a 16-byte random number is randomly generated and set as the shared master key. The shared master key is encrypted with the door lock public key by calling the preset asymmetric algorithm.
S204: calling a preset abstract algorithm, and carrying out abstract operation on the abstract random number to obtain a first abstract value;
in the method provided by the embodiment of the invention, after the abstract random number is generated, a preset abstract algorithm is called, and the abstract random number is calculated through abstract operation to obtain a first abstract value.
It should be noted that the digest algorithm is one of hash algorithms, the hash algorithm is an algorithm preset by the control terminal, and the hash algorithm may also be set to SHA1/256/384/512, SM3, and other algorithms.
S205: applying a terminal private key in a pre-generated terminal public and private key pair to perform signature operation on the first digest value to obtain a signature value;
In the method provided by the embodiment of the invention, after the first digest value is obtained, the control terminal uses the terminal private key of the terminal public and private key pair to perform a signature operation on the first digest value, obtaining a signature value.
It should be noted that the signature algorithm of the signature operation is an algorithm preset by the control terminal, and the signature value is obtained by applying the signature algorithm and the terminal private key to the first digest value; the terminal public and private key pair is generated by the control terminal according to a preset asymmetric algorithm and comprises a terminal public key and a terminal private key; the asymmetric algorithm can be set to RSA1024/2048, SM2, or other algorithms.
S206: sending the signature value and the encrypted shared master key to the target door lock for verification;
In the method provided by the embodiment of the invention, the control terminal sends the signature value and the encrypted shared master key to the target door lock, so that the target door lock verifies the signature value.
S207: when receiving a door lock authentication message fed back by the target door lock in response to successful verification, authenticating the door lock authentication message, generating a terminal authentication message corresponding to the door lock authentication message when the authentication is passed, and sending the terminal authentication message to the target door lock for authentication;
In the method provided by the embodiment of the invention, when a door lock authentication message fed back by the target door lock in response to successful verification is received, the control terminal authenticates the door lock authentication message. The authentication passes when the message that the control terminal generates according to the preset security authentication message algorithm is consistent with the door lock authentication message; the control terminal then applies the preset security authentication message algorithm to generate the terminal authentication message corresponding to the door lock authentication message, and sends the terminal authentication message to the door lock for authentication.
It should be noted that the terminal authentication message is generated according to a preset security authentication message algorithm, which is as follows: connecting the terminal random number, the door lock random number, the signature value and the encrypted shared master key to obtain a first connection value; performing a digest operation on the first connection value with a preset digest algorithm to obtain a second digest value; connecting the second digest value with the ASCII code; and performing a hash operation on the resulting connection value and the shared master key according to a preset hash algorithm to generate the security authentication message. The hash algorithm can be set to SHA1/256/384/512, SM3, or other algorithms.
S208: when receiving the authentication passing message sent by the target door lock, completing the security authentication with the target door lock.
In the method provided by the embodiment of the invention, when the authentication passing message fed back by the target door lock is received, the security authentication between the control terminal and the target door lock is complete and a secure connection channel is established.
In the authorization method provided by the embodiment of the invention, when the control terminal receives the fingerprint information of a user, it sends the identification information of a preset algorithm and the encrypted terminal random number to the target door lock, requesting the target door lock to confirm the preset algorithm; after receiving the encrypted door lock random number fed back by the target door lock, it calls the door lock public key of the door lock public and private key pair stored in the cloud platform for encryption. The door lock public and private key pair is generated by the door lock calling a preset asymmetric algorithm, which can be set to RSA1024/2048, SM2, or other algorithms. The control terminal calls the door lock public key from the cloud platform, encrypts the preset shared master key, generates a digest random number from the terminal random number and the decrypted door lock random number, performs a digest operation to generate a first digest value, and performs a signature operation on the first digest value with the terminal private key of the terminal public and private key pair to obtain a signature value. It sends the signature value and the encrypted shared master key to the target door lock so that the target door lock verifies the signature value. When it receives a door lock authentication message fed back by the target door lock in response to successful verification, it authenticates the door lock authentication message according to the preset security authentication message algorithm; after the authentication succeeds, it generates a terminal authentication message corresponding to the door lock authentication message according to the preset security authentication message algorithm and sends the terminal authentication message to the target door lock.
When the authentication success message fed back by the target door lock is received, the security authentication between the control terminal and each target door lock is complete, and a secure connection channel is established between the control terminal and the target door lock. After the security authentication is completed, the session key needed to encrypt the fingerprint information is generated.
In the method provided by the embodiment of the present invention, a specific embodiment of the method is implemented as follows:
after the control terminal acquires the fingerprint information of a user, calling the door lock public key of the door lock public and private key pair prestored in the cloud platform, and encrypting the generated terminal random number r1 with the door lock public key;
the control terminal sends identification information A1 of a preset algorithm and the encrypted terminal random number r1 to each target door lock to request the target door lock to confirm the preset algorithm;
when the encrypted door lock random number r2, corresponding to the algorithm confirmation request and fed back by the target door lock, is received,
the control terminal randomly generates a 16-byte random number, sets it as the shared master key M1, and encrypts the shared master key M1 with the door lock public key through the preset asymmetric algorithm to generate E1;
generating a digest random number r3 according to the terminal random number r1 and the decrypted door lock random number r2;
the digest random number is computed as follows:
r1+r2=r3;
performing a digest operation on the digest random number r3 through a preset digest algorithm to obtain a first digest value H1;
carrying out a signature operation on the first digest value H1 with the terminal private key of the terminal public and private key pair to obtain a signature value S1;
sending the signature value S1 and the encrypted shared master key E1 to the target door lock for verification;
when a door lock authentication message F1 fed back after successful verification is received, applying the preset security authentication message algorithm to generate a first authentication message F1' for the door lock authentication message F1, and comparing the first authentication message F1' with F1;
when the comparison is consistent, the authentication is successful; generating a terminal authentication message F2 by using the preset security authentication message algorithm, and sending the terminal authentication message F2 to the target door lock for authentication;
when receiving the authentication passing message sent by the target door lock, completing the security authentication between the control terminal and each target door lock;
after the security authentication is successful, calculating a session key X according to a preset hash algorithm, wherein the session key X is generated as follows:
calling the preset hash algorithm, and carrying out a hash operation on the shared master key M1, the terminal random number r1, the door lock random number r2 and a preset key ASCII code to obtain the session key.
According to this generation process, the formula of the session key X is as follows:
X=HASH(M1,Key_label||r1||r2);
where Key_label is the secret ASCII code 'SESSIONKEY'.
Based on the method provided by the above embodiment, the control terminal generates the first authentication message F1' with the preset security authentication message algorithm as follows:
connecting the terminal random number r1, the door lock random number r2, the signature value S1 and the encrypted shared master key E1 to obtain the first connection value T1,
wherein,
T1=r1||r2||S1||E1;
performing a digest operation on the first connection value T1 according to a preset digest algorithm to obtain a second digest value H2;
connecting the preset door lock ASCII code with the second digest value H2 to obtain a second connection value D2;
finally, applying the preset hash algorithm to the second connection value D2 and the shared master key M1 to generate the first authentication message F1'.
When the first authentication message F1' generated by the control terminal is consistent with the received door lock authentication message F1, the control terminal also applies the preset security authentication message algorithm to generate a terminal authentication message F2, as follows:
connecting the terminal random number r1, the door lock random number r2, the signature value S1 and the encrypted shared master key E1 to obtain the first connection value T1,
wherein,
T1=r1||r2||S1||E1;
performing a digest operation on the first connection value T1 according to a preset digest algorithm to obtain a second digest value H2;
connecting the preset terminal ASCII code with the second digest value H2 to obtain a third connection value D3;
finally, applying the preset hash algorithm to the third connection value D3 and the shared master key M1 to generate the terminal authentication message F2.
In the method provided by the above embodiment, the door lock ASCII code is "locked" and the TERMINAL ASCII code is "term".
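The authentication messages F1 and F2 and the session key X described above, as an added example that is not part of the patent text. It assumes HMAC-SHA256 for the two-argument HASH, SHA-256 for the digest algorithm and label-first concatenation, treats S1 and E1 as opaque constructed bytes, and uses hypothetical function and type names.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Labels as printed in the text above.
const (
	lockLabel     = "locked"     // door lock ASCII code
	terminalLabel = "term"       // terminal ASCII code
	keyLabel      = "SESSIONKEY" // Key_label
)

// Transcript holds the handshake values both sides know after step S206.
type Transcript struct {
	R1, R2 []byte // terminal and door lock random numbers
	S1     []byte // signature value, treated as opaque bytes here
	E1     []byte // encrypted shared master key, treated as opaque bytes here
}

// keyedHash stands in for the two-argument HASH(key, data) of the text.
// Assumption: HMAC-SHA256; the text only says "a preset hash algorithm".
func keyedHash(key, data []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	return mac.Sum(nil)
}

// AuthMessage builds F1 (label "locked") or F2 (label "term"):
// T1 = r1||r2||S1||E1, H2 = digest(T1), D = label||H2, F = HASH(M1, D).
// Assumption: the label is placed before H2, as Key_label is in the formula for X.
func AuthMessage(m1 []byte, label string, t Transcript) []byte {
	t1 := bytes.Join([][]byte{t.R1, t.R2, t.S1, t.E1}, nil)
	h2 := sha256.Sum256(t1)
	d := append([]byte(label), h2[:]...)
	return keyedHash(m1, d)
}

// VerifyAuth recomputes the expected message (F1' in the text) and compares
// it with the received one in constant time.
func VerifyAuth(m1 []byte, label string, t Transcript, received []byte) bool {
	return hmac.Equal(AuthMessage(m1, label, t), received)
}

// SessionKey computes X = HASH(M1, Key_label||r1||r2).
func SessionKey(m1 []byte, t Transcript) []byte {
	data := bytes.Join([][]byte{[]byte(keyLabel), t.R1, t.R2}, nil)
	return keyedHash(m1, data)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// SampleTranscript returns a constructed 16-byte master key M1 and a
// constructed transcript; S1 and E1 are random stand-ins, not real
// signature or ciphertext values.
func SampleTranscript() ([]byte, Transcript) {
	return randomBytes(16), Transcript{
		R1: randomBytes(16), R2: randomBytes(16),
		S1: randomBytes(64), E1: randomBytes(128),
	}
}

func main() {
	m1, t := SampleTranscript()
	f1 := AuthMessage(m1, lockLabel, t)     // sent by the door lock
	f2 := AuthMessage(m1, terminalLabel, t) // sent by the control terminal
	fmt.Println("terminal accepts F1:", VerifyAuth(m1, lockLabel, t, f1))
	fmt.Println("door lock accepts F2:", VerifyAuth(m1, terminalLabel, t, f2))
	// The role label makes F1 and F2 differ, so echoing F1 back is rejected.
	fmt.Println("F1 echoed back as F2 accepted:", VerifyAuth(m1, terminalLabel, t, f1))
	fmt.Printf("session key X: %x\n", SessionKey(m1, t))
}
```

Because T1 covers r1, r2, S1 and E1, a change to any of them in transit makes the recomputed F1' differ from the received F1.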
In the method provided by the embodiment of the present invention, after the fingerprint information of the user is received, it is encrypted with the session key generated in the security authentication process, and the encrypted fingerprint information is sent to the target door lock corresponding to the session key. The specific method is as follows:
sending the encrypted fingerprint information to a cloud platform that has passed bidirectional identity authentication, and triggering the cloud platform to send the encrypted fingerprint information to the target door lock corresponding to the session key.
In the authorization method provided by the embodiment of the invention, when the control terminal sends the encrypted fingerprint information, together with the information of the target door lock to be unlocked selected by the user, to the target door lock, it sends the encrypted fingerprint information to a cloud platform that has passed bidirectional identity authentication in advance, and the cloud platform sends the encrypted fingerprint information to each target door lock corresponding to a session key according to the information of the target door lock.
The target door lock is an intelligent door lock selected by at least one user. The cloud platform is a cloud platform server responsible for distributing and receiving data information: after receiving the encrypted fingerprint information, it distributes the encrypted fingerprint information to the target door locks to be unlocked that the user selected, so the cloud platform has no function for encrypting or decrypting the fingerprint information and does not store the encrypted fingerprint information. After the bidirectional identity authentication is passed, the cloud platform can receive and store the public keys sent by the control terminal and the target door lock. The terminal or door lock public and private key pair can be generated temporarily by the control terminal and the target door lock during the security authentication process, with the cloud platform forwarding the terminal or door lock public key; alternatively, it can be generated after a secure transmission channel is established, with the generated terminal and door lock public keys sent to the cloud platform for storage and called directly from the cloud platform during security authentication. In the bidirectional identity authentication, the control terminal initiates an identity authentication request to the cloud platform, and the cloud platform responds to that request while initiating its own identity authentication request to the control terminal; when the identity authentication between the control terminal and the cloud platform passes, the secure transmission channel between the cloud platform and the control terminal is connected.
The cloud platform also initiates identity authentication to the target door lock; the target door lock responds to the authentication request of the cloud platform and at the same time initiates an identity authentication request to the cloud platform. When the identity authentication between the target door lock and the cloud platform passes, the secure transmission channel between the cloud platform and the target door lock is connected.
By applying the method provided by the embodiment of the invention, when sending the encrypted fingerprint information to each target door lock, the control terminal relays and distributes it through the cloud platform. Before the encrypted fingerprint information is sent, the control terminal, the target door lock and the cloud platform pass identity authentication to determine a secure transmission channel. Even if the encrypted fingerprint information is illegally intercepted, the password of the encrypted fingerprint information cannot be cracked from the cloud platform, so the security of the user's personal information is ensured, and the security and confidentiality of the fingerprint information in the transmission process are ensured.
In the method provided in the embodiment of the present invention, when the control terminal needs to send the encrypted fingerprint information to the target door lock, it relays and distributes the information through the cloud platform. Before the relay and distribution, it performs bidirectional identity authentication with the cloud platform and establishes a secure transmission channel with each target door lock. As shown in fig. 3, the specific establishment process includes:
S301: sending an identity authentication request to an established cloud platform, triggering the cloud platform and the control terminal to perform bidirectional identity authentication, and triggering the cloud platform to perform bidirectional identity authentication with each target door lock respectively;
S302: when the bidirectional identity authentication between the cloud platform and the control terminal passes and the bidirectional identity authentication between the cloud platform and each target door lock passes, establishing a secure transmission channel for data transmission between the control terminal and each target door lock through the cloud platform.
The identity authentication process is explained in detail below, applying the method provided by the embodiment of the invention:
when fingerprint information of a user is acquired, calling a preset identity authentication algorithm to generate a first identity authentication message, sending the first identity authentication message to the cloud platform, and meanwhile receiving a second identity authentication message that the cloud platform generated through the preset identity authentication algorithm and sent;
authenticating the second identity authentication message; bidirectional identity authentication with the cloud platform is complete when the second identity authentication message passes authentication and a notification message sent by the cloud platform, indicating that the first identity authentication message has passed authentication, is received.
In the authorization method provided by the embodiment of the invention, before the control terminal sends the encrypted fingerprint information to each target door lock through the cloud platform, bidirectional identity authentication with the cloud platform is required. After the control terminal obtains the fingerprint information of a user, it calls a preset identity authentication algorithm to generate a first identity authentication message and sends the first identity authentication message to the cloud platform. The cloud platform also calls the identity authentication algorithm to generate a second identity authentication message and sends the second identity authentication message to the control terminal for authentication. When the first identity authentication message and the second identity authentication message both pass, the bidirectional device authentication between the control terminal and the cloud platform is complete.
Based on the method provided by the embodiment of the invention, and taking as an example the cloud platform initiating message authentication to the control terminal, the identity authentication algorithm is implemented as shown in fig. 4, with the following steps:
S401: the cloud platform initiates identity authentication to the control terminal;
S402: the control terminal calls a first function to acquire a random number of the cloud platform from the cloud platform;
S403: the control terminal fills the random number of the cloud platform with 0x00; once it is filled to the block length of a cryptographic algorithm, it forms the data of the cloud platform;
S404: the control terminal calls a second function, encrypts the data of the cloud platform with an authentication key generated by a preset key algorithm, and generates a first encryption result;
S405: sending the first encryption result to the cloud platform for authentication;
S406: if the authentication is correct, the cloud platform passes the identity authentication of the control terminal;
S407: if the authentication is not correct, the authentication process of steps S402 to S405 is executed again.
It should be noted that the first identity authentication message is the identity authentication initiated by the control terminal to the cloud platform: after the control terminal acquires the fingerprint information of a user, it is triggered to perform identity authentication with the cloud platform. The second identity authentication message is the identity authentication initiated by the cloud platform to the control terminal: after the cloud platform receives the first identity authentication message initiated by the control terminal, the cloud platform is also triggered to perform identity authentication on the control terminal. When the first identity authentication message and the second identity authentication message both pass, a secure transmission channel between the control terminal and the cloud platform is established. The first function is a GetRandom function; the second function is an Encrypted function; the cryptographic algorithm is a symmetric cryptographic algorithm, which can be set to 3DES/AES/SM1/SM4, etc. A number of authentication attempts can be preset before identity authentication: each time the authentication is incorrect and re-authentication is carried out, the number is reduced by 1, and once the preset number of attempts is used up, no further identity message authentication can be carried out.
In the method provided by the embodiment of the present invention, the preset identity authentication algorithm is called to perform bidirectional identity authentication between the control terminal and the cloud platform, and the same identity authentication algorithm is also used for bidirectional authentication between the cloud platform and each target door lock. As shown in fig. 5, the specific implementation process is as follows:
the control terminal or the target door lock initiates identity authentication on the cloud platform;
the cloud platform calls a GetRandom function to acquire a random number RND1 from the control terminal or the target door lock;
filling the random number RND1 with 0x00 to the block length of a symmetric cryptographic algorithm to form data D-RND1;
calling a first authentication key generated by a key algorithm, and encrypting the data D-RND1 to obtain an encryption result EN-D1;
sending the encryption result EN-D1 to the control terminal or the target door lock for authentication;
when the control terminal or the target door lock passes the authentication, the identity authentication of the cloud platform is passed; if the authentication is not passed, the identity authentication process is repeated.
Corresponding to the message authentication of the cloud platform by the control terminal or the target door lock, the cloud platform also performs the following identity authentication of the control terminal or the target door lock:
the cloud platform initiates identity authentication of the control terminal or the target door lock;
the control terminal or the target door lock calls a GetRandom function, and a random number RND2 is obtained from the control terminal or the target door lock;
filling the random number RND2 with 0x00 to the block length of a symmetric cryptographic algorithm to form data D-RND2;
calling a second authentication key generated by a key algorithm, and encrypting the data D-RND2 to obtain an encryption result EN-D2;
sending the encryption result EN-D2 to the cloud platform for authentication;
when the cloud platform passes the authentication, the identity authentication of the control terminal or the target door lock is passed; if the authentication is not passed, the identity authentication process is repeated.
When both the identity authentication initiated by the control terminal or the target door lock on the cloud platform and the identity authentication initiated by the cloud platform on the control terminal or the target door lock pass, a secure transmission channel from the control terminal to the cloud platform and then to the target door lock is established.
By applying the method provided by the embodiment of the invention, identity authentication is performed between the control terminal and the cloud platform and also between the cloud platform and the target door lock, so that the security of the transmission channel from the control terminal to the cloud platform and from the cloud platform to the control terminal is ensured, an external intruder can be prevented from intercepting data information in the transmission process, and the security of the user's personal information is ensured.
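One direction of the identity authentication in steps S401 to S407 (and the RND1/RND2 flows above), as an added example that is not part of the patent text. It assumes AES-128 on a single block as the symmetric algorithm, an 8-byte random number and a constructed authentication key; apart from GetRandom, the names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// PadZero fills rnd with 0x00 up to the cipher block length, giving the
// D-RND value of the text. A random number already at block length is unchanged.
func PadZero(rnd []byte, blockSize int) ([]byte, error) {
	if len(rnd) == 0 || len(rnd) > blockSize {
		return nil, errors.New("random number must be 1..blockSize bytes long")
	}
	padded := make([]byte, blockSize) // zero-initialised
	copy(padded, rnd)
	return padded, nil
}

// EncryptChallenge is the proving side (the "Encrypted" function of the text):
// EN-D = Encrypt(authKey, D-RND).
// Assumption: AES on exactly one block; the text allows 3DES/AES/SM1/SM4.
func EncryptChallenge(authKey, rnd []byte) ([]byte, error) {
	block, err := aes.NewCipher(authKey)
	if err != nil {
		return nil, err
	}
	padded, err := PadZero(rnd, block.BlockSize())
	if err != nil {
		return nil, err
	}
	out := make([]byte, block.BlockSize())
	block.Encrypt(out, padded)
	return out, nil
}

// Verifier is the side that hands out the random number and checks the result.
type Verifier struct {
	authKey   []byte
	remaining int    // preset number of authentication attempts
	pending   []byte // outstanding random number, usable once
}

func NewVerifier(authKey []byte, attempts int) *Verifier {
	return &Verifier{authKey: authKey, remaining: attempts}
}

// GetRandom issues a fresh random number (S402), unless the preset number
// of attempts has been used up.
func (v *Verifier) GetRandom() ([]byte, error) {
	if v.remaining <= 0 {
		return nil, errors.New("authentication attempts used up")
	}
	rnd := make([]byte, 8) // assumed length, shorter than the AES block so padding applies
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	v.pending = rnd
	return append([]byte(nil), rnd...), nil
}

// Check recomputes the expected encryption result and compares in constant
// time (S406). An incorrect result reduces the attempt count by 1 (S407).
func (v *Verifier) Check(response []byte) bool {
	if v.pending == nil || v.remaining <= 0 {
		return false
	}
	expected, err := EncryptChallenge(v.authKey, v.pending)
	v.pending = nil // a random number is never accepted twice
	if err == nil && subtle.ConstantTimeCompare(expected, response) == 1 {
		return true
	}
	v.remaining--
	return false
}

// Remaining reports how many authentication attempts are left.
func (v *Verifier) Remaining() int { return v.remaining }

func main() {
	key := []byte("constructed-key!") // 16 bytes, constructed for this example
	cloud := NewVerifier(key, 3)
	rnd, _ := cloud.GetRandom()
	resp, _ := EncryptChallenge(key, rnd) // control terminal side
	fmt.Println("genuine response accepted:", cloud.Check(resp))
	_, _ = cloud.GetRandom() // new run: the old response no longer matches
	fmt.Println("replayed response accepted:", cloud.Check(resp))
	fmt.Println("attempts left:", cloud.Remaining())
}
```

Bidirectional authentication runs this exchange once in each direction, with the roles of verifier and prover swapped.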
In the authorization method provided in the embodiment of the present invention, when the encrypted fingerprint information is transmitted to the target door lock, sending the encrypted fingerprint information through the cloud platform to the target door lock corresponding to the session key may specifically include:
acquiring the door lock identification information of the target door lock;
triggering the cloud platform to send the encrypted fingerprint information to the target door lock according to the door lock identification information.
In the method provided by the embodiment of the invention, in the process of sending the encrypted fingerprint information to the target door lock, the door lock identification information of the target door lock, such as a number plate, a room number or a sign, is acquired in advance in order to determine each target door lock to be unlocked. When the control terminal sends the encrypted fingerprint information according to the door lock identification information, it sends the encrypted fingerprint information and the door lock identification information to the cloud platform, and the cloud platform is triggered to send the encrypted fingerprint information to the corresponding target door lock according to the door lock identification information.
By applying the method provided by the embodiment of the invention, the door lock identification information corresponding to each target door lock designated by the user is obtained, which ensures that the encrypted fingerprint information is not sent by mistake to other, unselected door locks; a session key corresponding to each different door lock identification information can also be set, thereby ensuring the security of the user's personal information.
In the authorization method provided in the embodiment of the present invention, after the target door lock decrypts the encrypted fingerprint information and the user is granted the opening right to the target door lock, the method specifically includes:
after the user opens the target door lock, if the user does not send a notification message for opening the target door lock again, canceling the fingerprint information of the user in the target door lock.
In the method provided by the embodiment of the invention, after the control terminal grants the user the right to open the target door lock, the user opens the target door lock with the personal fingerprint information when accessing the room corresponding to the target door lock. If, after the user finishes accessing, the control terminal does not receive a notification message sent by the user for opening the target door lock again, the control terminal or the cloud platform cancels the fingerprint information of the user in the target door lock.
By applying the method provided by the embodiment of the invention, when the control terminal does not receive a message from the user for opening the target door lock again, the fingerprint information of the user on the target door lock is cancelled, so that the security of the user's personal information is ensured.
Corresponding to the method described in fig. 1, an embodiment of the present invention further provides an authorization apparatus for specifically implementing the method in fig. 1. The authorization apparatus provided in the embodiment of the present invention may be applied to a device that can perform fingerprint authentication and encryption, such as a mobile phone, a PC, and various mobile terminals. A schematic structural diagram of the authorization apparatus is shown in fig. 6, and it specifically includes:
601: the first acquisition unit is used for determining each target door lock to be unlocked and acquiring fingerprint information of a user;
602: the authentication unit is used for establishing a secure transmission channel with each target door lock, performing security authentication with each target door lock according to the secure transmission channel, and generating a session key for performing data transmission with each target door lock;
603: the authorization unit is used for encrypting the fingerprint information according to each session key and sending the encrypted fingerprint information to the target door lock corresponding to the session key, so that the user is granted the opening authority of the target door lock after the encrypted fingerprint information is decrypted by the target door lock.
In the authorization method provided by the embodiment of the invention, the first acquisition unit determines each target door lock to be unlocked and at the same time acquires the fingerprint information of the user. After the first acquisition unit acquires the fingerprint information of the user, the authentication unit's authentication process between the control terminal and the target door locks is triggered: after a secure transmission channel is established with each target door lock, the control terminal performs security authentication with each target door lock respectively and generates a session key for data transmission with each target door lock. Finally, the authorization unit encrypts the fingerprint information with the session key generated by the authentication unit and sends the encrypted fingerprint information to the target door lock corresponding to the session key. After the encrypted fingerprint information is decrypted by the target door lock, the user is granted the authority to open the target door lock.
By applying the device provided by the invention, the authentication unit can trigger the control terminal to perform security authentication with the target door lock, the fingerprint information is encrypted with the session key generated after the security authentication is completed, and the control terminal sends the encrypted fingerprint information to the target door lock, so that the security and confidentiality of the user's fingerprint information in the transmission process are ensured.
The embodiment of the invention provides an authorization method, which can be applied to various intelligent door locks, wherein an execution subject is a door lock, or equipment or a device capable of decrypting encrypted fingerprint information, and a flow chart of the method is shown in fig. 7, and specifically comprises the following steps:
S701: when an opening instruction of a target door lock by a user is received, acquiring fingerprint information of the user contained in the opening instruction;
In the method provided by the embodiment of the invention, when a user enters a fingerprint at the determined target door lock to be unlocked, the opening instruction for the target door lock is triggered, and the fingerprint information of the user is acquired.
S702: comparing the fingerprint information with authorized fingerprint information obtained by decryption in advance;
In the method provided by the embodiment of the invention, after the target door lock acquires the fingerprint information of the user, it compares the fingerprint information with the authorized fingerprint information that the target door lock obtained by decryption in advance, and judges whether the two are consistent.
It should be noted that the authorized fingerprint information is fingerprint information that is previously entered by a user in a control terminal, and after the control terminal acquires the fingerprint information of the user, the fingerprint information is encrypted and then sent to the target door lock, and the encrypted fingerprint information is decrypted by the target door lock.
S703: and when the comparison is consistent, the target door lock is opened.
In the method provided by the embodiment of the invention, when the fingerprint information is compared with the authorized fingerprint information to be consistent, the target door lock is unlocked according to the unlocking instruction of the user to the target door lock.
According to the method provided by the embodiment of the invention, when the target door lock receives the opening instruction of the user, it acquires the fingerprint information of the user contained in the opening instruction. The target door lock compares the acquired fingerprint information with the authorized fingerprint information obtained by decryption in advance, and when the two are consistent, the target door lock is opened. By applying the method provided by the embodiment of the invention, whether the fingerprint information of the user is consistent with the preset authorized fingerprint information is determined, which ensures the identity of the user who sends the opening instruction to the target door lock.
In the authorization method provided by the embodiment of the present invention, when acquiring fingerprint information in a user opening instruction, the fingerprint information is compared with authorization fingerprint information, wherein the acquisition process of the authorization fingerprint information specifically includes:
when receiving encrypted user fingerprint information sent by a control terminal which passes the security authentication through an established cloud platform, decrypting the encrypted user fingerprint information according to a session key generated in the security authentication process to obtain the authorized fingerprint information.
In the method provided by the embodiment of the invention, the target door lock receives encrypted user fingerprint information sent by the control terminal; the control terminal encrypts the user fingerprint information with the generated session key after the security authentication with the target door lock has been completed. The target door lock likewise generates a session key once the security authentication is completed, and uses the session key it generated to decrypt the encrypted user fingerprint information sent by the control terminal, finally obtaining the authorized fingerprint information. The target door lock stores the authorized fingerprint information; after receiving an opening instruction from a user, it acquires the fingerprint information in the opening instruction, compares it with the authorized fingerprint information obtained in advance, and opens the target door lock if the comparison is consistent.
By applying the method provided by the embodiment of the invention, the encrypted fingerprint information is acquired in advance by the target door lock, and the encrypted fingerprint information is decrypted and stored, so that when a user sends an opening instruction to the target door lock, the encrypted fingerprint information can be compared with the fingerprint information contained in the opening instruction, whether the target user is the same user or not is determined, the safety of personal information of the user is ensured, and the safety of the target door lock in the opening process is also ensured.
In the authorization method provided in the embodiment of the present invention, before the authorized fingerprint information is obtained, security authentication is performed with the control terminal in advance, and a session key for encrypting the fingerprint information is generated in the course of that security authentication. The security authentication process, as shown in fig. 8, specifically includes:
S801: when an algorithm confirmation request and an encrypted terminal random number sent by the control terminal are received, confirming an algorithm contained in the control terminal;
In the method provided by the embodiment of the invention, when the target door lock receives the algorithm confirmation request and the encrypted terminal random number sent by the control terminal, it confirms the preset algorithm information contained in the algorithm confirmation request message.
It should be noted that the algorithm confirmation message sent by the control terminal includes an asymmetric algorithm, a hash algorithm, and the like, and if the algorithm preset in the target door lock has the asymmetric algorithm and the hash algorithm, the algorithm is confirmed to pass; the asymmetric algorithm can be set to RSA1024/2048, SM2 and other algorithms; the hash algorithm can be set to SHA1/256/384/512, SM3, etc.
S802: when the confirmation is passed, calling a terminal public key in a terminal public and private key pair prestored in the cloud platform, encrypting the generated door lock random number, and sending the encrypted door lock random number to the control terminal;
In the method provided by the embodiment of the invention, when the algorithms preset in the target door lock include the algorithm sent by the control terminal, the algorithm confirmation passes. The target door lock then calls the terminal public key in the terminal public and private key pair stored in the cloud platform in advance, encrypts the door lock random number it has generated, and sends the encrypted door lock random number, as the response to the algorithm confirmation, to the control terminal.
It should be noted that the terminal public key pre-stored in the cloud platform is obtained in one of two ways: either the terminal public and private key pair is generated after the control terminal performs bidirectional identity authentication with the cloud platform, and the terminal public key is sent to the cloud platform for storage; or the control terminal temporarily generates the terminal public and private key pair during security authentication with the target door lock and sends the terminal public key of that pair to the cloud platform, which sends it to the target door lock.
S803: receiving a signature value and an encrypted shared master key sent by the control terminal;
In the method provided by the embodiment of the invention, after the target door lock sends the encrypted door lock random number to the control terminal, it obtains the signature value and the encrypted shared master key fed back by the control terminal.
The signature value is obtained as follows: the control terminal decrypts the encrypted door lock random number to obtain the door lock random number, generates a digest random number from the terminal random number and the door lock random number, performs a digest operation on it, and performs a signature operation with the terminal private key. The encrypted shared master key is obtained as follows: a 16-byte random number generated by the control terminal is used as the shared master key, and the shared master key is encrypted with the door lock public key.
S804: verifying the signature value according to the terminal public key, decrypting the encrypted shared master key when the signature value passes the verification to obtain the shared master key, and generating a door lock authentication message;
In the method provided by the embodiment of the invention, the target door lock verifies the signature value by using the terminal public key acquired from the cloud platform. When the signature value passes the verification, the encrypted shared master key is decrypted to obtain the shared master key, and the door lock authentication message is generated according to the preset security authentication message algorithm.
It should be noted that the security authentication message algorithm is as follows: the terminal random number, the door lock random number, the signature value and the encrypted shared master key are connected to obtain a first connection value; a digest operation is then performed on the first connection value with a preset digest algorithm to obtain a second digest value; the second digest value is connected with the ASCII code, and a hash operation with the shared master key is performed according to a preset hash algorithm to finally generate the security authentication message. The hash algorithm can be set to SHA1/256/384/512, SM3 and other algorithms.
S805: sending the door lock authentication message to the control terminal for authentication;
In the method provided by the embodiment of the invention, after the door lock authentication message is generated according to the preset authentication message algorithm, the door lock authentication message is sent to the control terminal for authentication.
It should be noted that, when the control terminal authenticates the door lock authentication message, the control terminal authenticates by using a security authentication message algorithm preset by the control terminal.
S806: and when receiving a terminal authentication message corresponding to the door lock authentication message fed back by the control terminal, authenticating the terminal authentication message, and when the authentication is passed, realizing the safety authentication with the control terminal.
In the method provided by the embodiment of the invention, when the control terminal passes the authentication of the door lock authentication message, the same preset safety authentication message algorithm is used to generate a terminal authentication message and send the terminal authentication message to the door lock, and when the door lock receives the terminal authentication message, the preset safety authentication message algorithm of the door lock is used to perform authentication.
It should be noted that the terminal authentication message is generated with the same security authentication message algorithm as the door lock authentication message, except that, when the algorithm is applied to generate the terminal authentication message, the ASCII code in the authentication message algorithm is the terminal ASCII code: "TERMINAL".
In the method provided by the embodiment of the invention, when the target door lock receives the algorithm confirmation request and the encrypted terminal random number sent by the control terminal, it confirms the algorithm contained in the control terminal against the algorithms preset in the target door lock, and when the confirmation passes, it sends the encrypted door lock random number to the control terminal. When the signature value and the encrypted shared master key fed back by the control terminal are received, the signature value is verified with the terminal public key, and if the verification passes, the encrypted shared master key is decrypted to obtain the shared master key. A door lock authentication message is then generated according to the preset security authentication message algorithm and sent to the control terminal for authentication. Receiving a terminal authentication message fed back by the control terminal indicates that the control terminal has passed the authentication of the door lock authentication message; the target door lock then authenticates the terminal authentication message with the preset security authentication message algorithm, and if the authentication passes, the security authentication between the target door lock and the control terminal is achieved, so that a secure connection channel is established between the control terminal and the target door lock.
In the method provided by the embodiment of the present invention, the following description is made of an implementation manner of a specific embodiment corresponding to the method:
when the target door lock receives the algorithm identification A1 of the control terminal's algorithm confirmation request and the encrypted terminal random number, the target door lock confirms whether it has an algorithm consistent with the algorithm preset in the control terminal, and calls the preset door lock private key to decrypt the encrypted terminal random number to obtain the terminal random number r1;
when the target door lock preset algorithm is consistent with the control terminal preset algorithm, generating a door lock random number r2, calling a terminal public key stored in the cloud platform in advance to encrypt the door lock random number, and sending the encrypted door lock random number to the control terminal;
when receiving the signature value S1 sent by the control terminal and the encrypted shared master key E1, verifying the signature value S1 by using a signature value generation algorithm, and if the verification is passed, decrypting the encrypted shared master key E1 by using the terminal public key to obtain a shared master key M1;
generating a door lock authentication message F1 according to a preset safety authentication message algorithm;
the target door lock sends the door lock authentication message F1 to the control terminal for authentication;
when receiving the terminal authentication message F2, which the control terminal sends after the door lock authentication message F1 has passed authentication, generating a second authentication message F2' by using the preset security authentication message algorithm, and comparing the second authentication message F2' with the terminal authentication message F2;
when the second authentication message F2' is compared with the terminal authentication message F2 to be consistent, the authentication is passed, and the safety authentication between the target door lock and the control terminal is realized;
after the security authentication is successful, a session key X is calculated according to a preset hash algorithm, and the process of generating the session key by the target door lock is as follows:
calling a preset hash algorithm, and carrying out a hash operation on the shared master key, the terminal random number, the door lock random number and a preset key ASCII code to obtain the session key.
Wherein, the formula of the session key X is as follows:
X=HASH(M1,Key_label||r1||r2);
where Key_label is the key ASCII code "SESSIONKEY".
Based on the method provided by the above embodiment, when the door lock successfully verifies the signature value S1 and decrypts to obtain M1, the preset security authentication message algorithm is invoked to generate the door lock authentication message F1, which includes the following steps:
connecting the terminal random number r1, the door lock random number r2, the signature value S1 and the encrypted shared master key E1 to obtain the first connection value T1,
wherein,
T1=r1||r2||S1||E1;
performing a digest operation on the first connection value T1 according to a preset digest algorithm to obtain a second digest value H2;
connecting the preset door lock ASCII code with the second digest value H2 to obtain a second connection value D2;
and finally, performing a hash operation on the second connection value D2 and the shared master key M1 according to a preset hash algorithm to generate the door lock authentication message F1.
When the door lock sends the door lock authentication message F1 to the terminal and receives a terminal authentication message F2 fed back by the terminal, the same security authentication message algorithm is called to generate a second authentication message F2', and the generation process is as follows:
connecting the terminal random number r1, the door lock random number r2, the signature value S1 and the encrypted shared master key E1 to obtain the first connection value T1,
wherein,
T1=r1||r2||S1||E1;
performing a digest operation on the first connection value T1 according to a preset digest algorithm to obtain a second digest value H2;
connecting the preset terminal ASCII code with the second digest value H2 to obtain a third connection value D3;
and finally, performing a hash operation on the third connection value D3 and the shared master key M1 according to a preset hash algorithm to generate the terminal authentication message F2'.
In the method according to the above embodiment, the door lock ASCII code is "locked"; the terminal ASCII code is "term".
It should be noted that the second authentication message F2' is generated by the door lock, and the generation process of the second authentication message is consistent with the generation process of the terminal authentication message; and after the door lock generates a second authentication message F2', comparing the second authentication message with the received terminal authentication message F2, and if the comparison result is consistent, the door lock passes the authentication of the terminal authentication message.
By applying the method provided by the embodiment of the invention, after the target door lock and the control terminal successfully establish the security authentication, the encrypted user fingerprint information sent by the control terminal is decrypted according to the session key generated in the security authentication process, so that the possibility that the encrypted user fingerprint information is stolen in the transmission process of the user personal information is prevented, and the security of the user personal fingerprint information is ensured.
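The derivation of F1, F2' and the session key X described above can be traced in code. The following is an added example, not code from the patent: it assumes SHA-256 for the preset digest algorithm, HMAC-SHA256 for the keyed HASH operation, label-first concatenation, and the byte string chosen for the door lock label; S1 and E1 are constructed random stand-ins for the asymmetric signature and ciphertext.

```python
import hashlib
import hmac
import secrets

LOCK_LABEL = b"LOCK"          # door lock ASCII code (assumed byte string)
TERMINAL_LABEL = b"TERMINAL"  # terminal ASCII code
KEY_LABEL = b"SESSIONKEY"     # Key_label in X = HASH(M1, Key_label||r1||r2)


def keyed_hash(key: bytes, data: bytes) -> bytes:
    """HASH(key, data), modelled as HMAC-SHA256 (an assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def auth_message(label: bytes, r1: bytes, r2: bytes, s1: bytes, e1: bytes,
                 m1: bytes) -> bytes:
    """Build F1 (door lock label) or F2 / F2' (terminal label)."""
    # Plain concatenation is unambiguous only because every field has a
    # fixed length in this sketch (16-byte nonces, 256-byte S1 and E1).
    t1 = r1 + r2 + s1 + e1              # first connection value T1
    h2 = hashlib.sha256(t1).digest()    # second digest value H2
    d = label + h2                      # D2 or D3 (label first: assumed order)
    return keyed_hash(m1, d)


def session_key(m1: bytes, r1: bytes, r2: bytes) -> bytes:
    """X = HASH(M1, Key_label || r1 || r2)."""
    return keyed_hash(m1, KEY_LABEL + r1 + r2)


def verify(label: bytes, received: bytes, r1: bytes, r2: bytes, s1: bytes,
           e1: bytes, m1: bytes) -> bool:
    """Recompute the message locally and compare in constant time."""
    expected = auth_message(label, r1, r2, s1, e1, m1)
    return hmac.compare_digest(expected, received)


def run_exchange() -> dict:
    # Constructed sample values for one handshake.
    r1 = secrets.token_bytes(16)   # terminal random number
    r2 = secrets.token_bytes(16)   # door lock random number
    m1 = secrets.token_bytes(16)   # 16-byte shared master key
    s1 = secrets.token_bytes(256)  # stand-in for the signature value S1
    e1 = secrets.token_bytes(256)  # stand-in for the encrypted master key E1

    # Door lock builds F1; the terminal checks it against its own transcript.
    f1 = auth_message(LOCK_LABEL, r1, r2, s1, e1, m1)
    lock_accepted = verify(LOCK_LABEL, f1, r1, r2, s1, e1, m1)

    # Terminal builds F2; the door lock recomputes F2' and compares.
    f2 = auth_message(TERMINAL_LABEL, r1, r2, s1, e1, m1)
    terminal_accepted = verify(TERMINAL_LABEL, f2, r1, r2, s1, e1, m1)

    # E1 altered in transit: the lock's transcript no longer matches the
    # terminal's, so the terminal rejects the resulting F1.
    e1_bad = bytes([e1[0] ^ 0x01]) + e1[1:]
    f1_bad = auth_message(LOCK_LABEL, r1, r2, s1, e1_bad, m1)
    tampered_rejected = not verify(LOCK_LABEL, f1_bad, r1, r2, s1, e1, m1)

    # F1 sent back to the lock as if it were F2: the differing labels
    # make the two messages distinct, so the reflection fails.
    reflected_rejected = not verify(TERMINAL_LABEL, f1, r1, r2, s1, e1, m1)

    # A fresh door lock nonce yields a different session key.
    x = session_key(m1, r1, r2)
    fresh_nonce_changes_key = x != session_key(m1, r1, secrets.token_bytes(16))

    return {
        "lock_accepted_by_terminal": lock_accepted,
        "terminal_accepted_by_lock": terminal_accepted,
        "tampered_e1_rejected": tampered_rejected,
        "reflected_f1_rejected": reflected_rejected,
        "fresh_nonce_changes_key": fresh_nonce_changes_key,
        "session_key_len": len(x),
    }


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(f"{name}: {value}")
```

The two checks that fail by design show what the construction buys: binding S1 and E1 into T1 detects transcript changes, and the separate labels keep one side's message from being accepted as the other's.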
The authorization method provided by the embodiment of the invention can be applied to an intelligent door lock needing to be unlocked by using a fingerprint, and can also be applied to an intelligent door lock adopting a face recognition technology or an intelligent door lock adopting a palm print recognition technology. The above specific implementations and the derivation processes of the implementations are all within the scope of the present invention.
Corresponding to the method described in fig. 6, an embodiment of the present invention further provides an authorization apparatus for implementing the method in fig. 6, where the authorization apparatus provided in the embodiment of the present invention may be applied to an intelligent door lock or various devices that need to perform fingerprint authentication and decryption, and a schematic structural diagram of the authorization apparatus is shown in fig. 9, and specifically includes:
901: the second acquisition unit is used for acquiring fingerprint information of a user contained in an opening instruction when the opening instruction of the target door lock by the user is received;
902: the comparison unit is used for comparing the fingerprint information with authorized fingerprint information obtained by decryption in advance;
903: and the unlocking unit is used for unlocking the target door lock when the comparison is consistent.
When the second acquisition unit receives an opening instruction of a user on the target door lock, it obtains the fingerprint information of the user contained in the opening instruction. The comparison unit compares the obtained fingerprint information with the authorized fingerprint information obtained by decryption in advance, and when the fingerprint information of the user is consistent with the authorized fingerprint information, the unlocking unit opens the target door lock.
The present invention also provides an authorization system, a system block diagram of which is shown in fig. 10, and the system block diagram specifically includes:
the system comprises a fingerprint management terminal 100, a cloud platform 300 and at least one door lock 200;
the fingerprint management terminal 100 includes:
a first collecting module 110, configured to collect a user fingerprint;
a first fingerprint detection control module 120, configured to convert an acquired user fingerprint into fingerprint information;
the terminal chip 130 is configured to, when receiving the fingerprint information sent by the first fingerprint detection control module, execute any one of the following authorization methods:
determining each target door lock to be unlocked, and acquiring fingerprint information of a user;
establishing a secure transmission channel with each target door lock, and respectively performing secure authentication with each target door lock according to the secure transmission channel to generate a session key for performing data transmission with each target door lock;
and encrypting the fingerprint information according to each session key, and sending the encrypted fingerprint information to a target door lock corresponding to the session key so as to grant the user the opening authority of the target door lock after the encrypted fingerprint information is decrypted by the target door lock.
In the above method, preferably, the establishing a secure transmission channel with each target door lock includes:
sending an identity authentication request to an established cloud platform, triggering the cloud platform and the control terminal to perform bidirectional identity authentication, and triggering the cloud platform to perform bidirectional identity authentication with each target door lock respectively;
when the bidirectional identity authentication between the cloud platform and the control terminal passes and the bidirectional identity authentication between the cloud platform and each target door lock passes, a safe transmission channel for data transmission between the control terminal and each target door lock through the cloud platform is established.
Preferably, the method for performing security authentication with a target door lock includes:
calling a door lock public key in a door lock public and private key pair prestored in the cloud platform, and encrypting the generated terminal random number according to the door lock public key;
sending an algorithm confirmation request and the encrypted terminal random number to the target door lock, and receiving the encrypted door lock random number corresponding to the algorithm confirmation request fed back by the target door lock;
encrypting the generated shared main secret key according to the door lock public key, and generating a digest random number according to the terminal random number and the door lock random number obtained by decryption;
calling a preset digest algorithm, and carrying out a digest operation on the digest random number to obtain a first digest value;
applying a terminal private key in a pre-generated terminal public and private key pair to perform signature operation on the first digest value to obtain a signature value;
sending the signature value and the encrypted shared master key to the target door lock for verification;
when receiving a door lock authentication message which is fed back by the target door lock and successfully verified in response, authenticating the door lock authentication message, generating a terminal authentication message corresponding to the door lock authentication message when the authentication is passed, and sending the terminal authentication message to the target door lock for authentication;
and when receiving the authentication passing message sent by the target door lock, realizing the safety authentication with the target door lock.
In the above method, preferably, the authenticating the door lock authentication message includes:
connecting according to the terminal random number, the door lock random number, the signature value and the encrypted shared master key to obtain a first connection value;
calling the preset digest algorithm, and carrying out a digest operation on the first connection value to obtain a second digest value;
connecting the second digest value with a preset door lock ASCII code to obtain a second connection value;
calling a preset hash algorithm, and carrying out hash operation on the second connection value and the shared master key to obtain a first authentication message;
and comparing the first authentication message with the door lock authentication message, and when the first authentication message is consistent with the door lock authentication message, authenticating the door lock authentication message.
In the above method, preferably, the generating a session key for data transmission with each target door lock includes:
calling a preset hash algorithm, and carrying out a hash operation on the shared master key, the terminal random number, the door lock random number and a preset key ASCII code to obtain the session key.
The door lock 200 includes:
a second collecting module 210, configured to collect a user fingerprint;
a second fingerprint detection control module 220, configured to convert the acquired user fingerprint into fingerprint information;
a door lock chip 230, configured to perform any one of the following authorization methods:
when an opening instruction of a target door lock by a user is received, acquiring fingerprint information of the user contained in the opening instruction;
comparing the fingerprint information with authorized fingerprint information obtained by decryption in advance;
when the comparison is consistent, the target door lock is opened;
wherein: the process of obtaining authorized fingerprint information includes:
when receiving encrypted user fingerprint information sent by a control terminal which passes the security authentication through an established cloud platform, decrypting the encrypted user fingerprint information according to a session key generated in the security authentication process to obtain the authorized fingerprint information.
The method described above, preferably, the process of security authentication includes:
when an algorithm confirmation request and an encrypted terminal random number sent by the control terminal are received, confirming an algorithm contained in the control terminal;
when the confirmation is passed, calling a terminal public key in a terminal public and private key pair prestored in the cloud platform, encrypting the generated door lock random number, and sending the encrypted door lock random number to the control terminal;
receiving a signature value and an encrypted shared master key sent by the control terminal;
verifying the signature value according to the terminal public key, decrypting the encrypted shared master key when the signature value passes the verification to obtain the shared master key, and generating a door lock authentication message;
sending the door lock authentication message to the control terminal for authentication;
and when receiving a terminal authentication message corresponding to the door lock authentication message fed back by the control terminal, authenticating the terminal authentication message, and when the authentication is passed, realizing the safety authentication with the control terminal.
Preferably, the method for authenticating the terminal authentication message includes:
connecting according to the terminal random number, the door lock random number, the signature value and the encrypted shared master key to obtain a first connection value;
calling the preset digest algorithm, and carrying out a digest operation on the first connection value to obtain a second digest value;
connecting the second digest value with a preset door lock ASCII code to obtain a third connection value;
calling a preset hash algorithm, and carrying out hash operation on the third connection value and the shared master key to obtain a second authentication message;
and comparing the second authentication message with the terminal authentication message, and if the second authentication message is consistent with the terminal authentication message, authenticating the terminal authentication message.
A cloud platform 300;
the cloud platform 300 is configured to perform bidirectional identity authentication with the fingerprint management terminal and perform bidirectional identity authentication with each door lock simultaneously when receiving an identity authentication request sent by the fingerprint management terminal; when the fingerprint management terminal and each door lock perform security authentication, data and information in the security authentication process are distributed and transferred; and after the security authentication is passed, receiving the fingerprint information encrypted by the fingerprint management terminal, and distributing the encrypted fingerprint information to each door lock.
In the system provided by the embodiment of the invention, the fingerprint management terminal collects the fingerprint of the user through the first collection module, and then converts the collected fingerprint into fingerprint information through the first fingerprint detection control module. After receiving the fingerprint information of the user, the terminal chip carries out the encryption of the fingerprint information and the security authentication with the cloud platform and the door lock. After the door lock and the fingerprint management terminal have completed the security authentication, the door lock chip decrypts the received encrypted fingerprint information to obtain the user's fingerprint information, which is saved as authorized fingerprint information. When the second collection module collects a user's fingerprint, the second fingerprint detection control module converts it into fingerprint information, and finally the door lock chip compares the fingerprint information received by the door lock with the authorized fingerprint information saved in advance; if the comparison is consistent, the door lock is opened.
It should be noted that the terminal chip contains the algorithm information and function information needed to implement the various authentication and encryption processes, and the door lock chip likewise contains the algorithm information and function information needed to implement the various authentication and decryption processes.
Based on the system provided in the above embodiment of the present invention, the specific security authentication process between the fingerprint management terminal 100 and the door lock 200, as shown in fig. 11, specifically includes:
the fingerprint management terminal sets algorithm identification information A1 and generates a terminal random number r1, and acquires a pre-stored door lock public key from the cloud platform to encrypt the terminal random number r1;
sending algorithm identification information and an encrypted terminal random number to the door lock;
after receiving the algorithm identification A1 and the encrypted terminal random number, the door lock checks whether the terminal algorithm is supported;
if the terminal algorithm is supported, decrypting the encrypted terminal random number by using a door lock private key preset by the door lock to obtain a terminal random number r1, generating a door lock random number r2, and acquiring a pre-stored terminal public key from a cloud platform to encrypt the door lock random number;
sending the encrypted door lock random number to the fingerprint management terminal;
the fingerprint management terminal receives the encrypted door lock random number, calls a preset terminal private key to decrypt the encrypted door lock random number to obtain a door lock random number r2, generates a random number of 16 bytes as a shared master key M1, and encrypts the shared master key M1 by using the door lock public key to obtain an encrypted shared master key E1;
concatenating the terminal random number r1 with the door lock random number r2, and applying a digest operation followed by a signature operation to the result to obtain a signature value S1;
sending the signature value S1 and the encrypted shared master key E1 to the door lock;
the door lock verifies the signature value S1 by using the terminal public key, decrypts the encrypted shared master key E1 by using the door lock private key after the verification is successful to obtain a shared master key M1, and generates a door lock authentication message F1 after the decryption;
sending the door lock authentication message F1 to the fingerprint management terminal;
the fingerprint management terminal authenticates the door lock authentication message F1, if the fingerprint management terminal passes the authentication, a terminal authentication message F2 is generated, and the terminal authentication message F2 is sent to the door lock;
the door lock receives and authenticates the terminal authentication message F2, after the authentication is passed, the security authentication between the door lock and the fingerprint management terminal is realized, and a session key is calculated and generated;
and the fingerprint management terminal also calculates and generates a session key.
It should be noted that the processes of security authentication between the fingerprint management terminal and the door lock are all carried out through the cloud platform. In the system provided by the embodiment of the invention, the terminal chip and the door lock chip are the terminal security chip and the door lock security chip in the embodiment of the method.
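The key-confirmation steps that close this exchange (F1, F2 and the session key, computed as claims 4, 5 and 9 describe) are sketched below as an added Python example that is not part of the patent. Assumptions: SHA-256 stands in for the "preset digest algorithm", HMAC-SHA-256 keyed with M1 for the "preset hash algorithm", the ASCII labels are invented, and S1 and E1 are constructed random byte strings standing in for the real signature and encrypted master key.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, replace

# Assumed values: the patent only speaks of "preset" ASCII codes and algorithms.
LOCK_LABEL = b"LOCK"
TERMINAL_LABEL = b"TERMINAL"
KEY_LABEL = b"KEY"


@dataclass(frozen=True)
class View:
    """What one party believes was exchanged during the handshake."""
    r1: bytes  # terminal random number
    r2: bytes  # door lock random number
    s1: bytes  # signature value S1 (constructed stand-in)
    e1: bytes  # encrypted shared master key E1 (constructed stand-in)
    m1: bytes  # shared master key M1, 16 bytes as in the description


def auth_message(view, label):
    """F1 (label = lock) or F2 (label = terminal) as seen by one party."""
    # First connection value: r1 || r2 || S1 || E1
    first_connection = view.r1 + view.r2 + view.s1 + view.e1
    # Second digest value (SHA-256 is an assumption)
    second_digest = hashlib.sha256(first_connection).digest()
    # Keyed hash over digest || label with M1 (HMAC is an assumption)
    return hmac.new(view.m1, second_digest + label, hashlib.sha256).digest()


def verify(view, label, received):
    """Recompute the message locally and compare in constant time."""
    return hmac.compare_digest(auth_message(view, label), received)


def session_key(view):
    """Session key from M1, r1, r2 and the preset ASCII key label."""
    return hmac.new(view.m1, view.r1 + view.r2 + KEY_LABEL,
                    hashlib.sha256).digest()


def confirm(terminal, lock):
    """Run the F1/F2 exchange; return both session keys, or None on failure."""
    f1 = auth_message(lock, LOCK_LABEL)          # door lock -> terminal
    if not verify(terminal, LOCK_LABEL, f1):
        return None
    f2 = auth_message(terminal, TERMINAL_LABEL)  # terminal -> door lock
    if not verify(lock, TERMINAL_LABEL, f2):
        return None
    return session_key(terminal), session_key(lock)


def sample_view():
    """Constructed sample handshake values (random, for illustration only)."""
    return View(r1=os.urandom(16), r2=os.urandom(16),
                s1=os.urandom(64), e1=os.urandom(64), m1=os.urandom(16))


if __name__ == "__main__":
    honest = sample_view()
    t_key, l_key = confirm(honest, honest)
    print("session keys match:", t_key == l_key)

    # The relay altered E1, so the two parties hold different transcripts.
    flipped = bytes([honest.e1[0] ^ 0x01]) + honest.e1[1:]
    print("E1 altered in transit:", confirm(honest, replace(honest, e1=flipped)))

    # The direction label stops F1 from being echoed back as F2.
    f1 = auth_message(honest, LOCK_LABEL)
    print("F1 accepted as F2:", verify(honest, TERMINAL_LABEL, f1))
```

Because both messages cover S1 and E1 as each side saw them, a change made while the cloud platform relays the handshake surfaces as a failed F1 or F2 check before any fingerprint data is encrypted under the session key.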
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, the system embodiments are substantially similar to the method embodiments and therefore are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described system embodiments are only illustrative, wherein the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (11)

1. An authorization method, wherein the method is applied to a control terminal, and the method comprises:
determining each target door lock to be unlocked, and acquiring fingerprint information of a user;
establishing a secure transmission channel with each target door lock, and respectively performing secure authentication with each target door lock according to the secure transmission channel to generate a session key for performing data transmission with each target door lock;
and encrypting the fingerprint information according to each session key, and sending the encrypted fingerprint information to a target door lock corresponding to the session key so as to grant the user the opening authority of the target door lock after the encrypted fingerprint information is decrypted by the target door lock.
2. The method of claim 1, wherein said establishing a secure transmission channel with each of said target door locks comprises:
sending an identity authentication request to an established cloud platform, triggering the cloud platform and the control terminal to perform bidirectional identity authentication, and triggering the cloud platform to perform bidirectional identity authentication with each target door lock respectively;
when the bidirectional identity authentication between the cloud platform and the control terminal passes and the bidirectional identity authentication between the cloud platform and each target door lock passes, a safe transmission channel for data transmission between the control terminal and each target door lock through the cloud platform is established.
3. The method of claim 2, wherein the securely authenticating with the target door lock comprises:
calling a door lock public key in a door lock public and private key pair prestored in the cloud platform, and encrypting the generated terminal random number according to the door lock public key;
sending an algorithm confirmation request and the encrypted terminal random number to the target door lock, and receiving the encrypted door lock random number corresponding to the algorithm confirmation request fed back by the target door lock;
encrypting the generated shared master key according to the door lock public key, and generating a digest random number according to the terminal random number and the door lock random number obtained by decryption;
calling a preset digest algorithm, and carrying out a digest operation on the digest random number to obtain a first digest value;
applying a terminal private key in a pre-generated terminal public and private key pair to perform signature operation on the first digest value to obtain a signature value;
sending the signature value and the encrypted shared master key to the target door lock for verification;
when receiving a door lock authentication message which is fed back by the target door lock and successfully verified in response, authenticating the door lock authentication message, generating a terminal authentication message corresponding to the door lock authentication message when the authentication is passed, and sending the terminal authentication message to the target door lock for authentication;
and when receiving the authentication passing message sent by the target door lock, realizing the security authentication with the target door lock.
4. The method of claim 3, wherein authenticating the door lock authentication message comprises:
concatenating the terminal random number, the door lock random number, the signature value and the encrypted shared master key to obtain a first connection value;
calling the preset digest algorithm, and carrying out a digest operation on the first connection value to obtain a second digest value;
concatenating the second digest value with a preset door lock ASCII code to obtain a second connection value;
calling a preset hash algorithm, and carrying out hash operation on the second connection value and the shared master key to obtain a first authentication message;
and comparing the first authentication message with the door lock authentication message, and when the first authentication message is consistent with the door lock authentication message, determining that the door lock authentication message passes authentication.
5. The method of claim 3, wherein the generating a session key for data transmission with each of the target door locks comprises:
and calling a preset hash algorithm, and carrying out hash operation on the shared master key, the terminal random number, the door lock random number and a preset ASCII key to obtain the session key.
6. An authorization device, comprising:
the first acquisition unit is used for determining each target door lock to be unlocked and acquiring fingerprint information of a user;
the authentication unit is used for establishing a secure transmission channel with each target door lock, performing secure authentication with each target door lock according to the secure transmission channel, and generating a session key for performing data transmission with each target door lock;
and the authorization unit is used for encrypting the fingerprint information according to each session key and sending the encrypted fingerprint information to a target door lock corresponding to the session key so as to grant the user the opening authority of the target door lock after the encrypted fingerprint information is decrypted by the target door lock.
7. An authorization method, wherein the method is applied to a door lock, and the method comprises:
when an opening instruction of a target door lock by a user is received, acquiring fingerprint information of the user contained in the opening instruction;
comparing the fingerprint information with authorized fingerprint information obtained by decryption in advance;
when the comparison is consistent, the target door lock is opened;
wherein: the process of obtaining authorized fingerprint information includes:
when receiving encrypted user fingerprint information sent by a control terminal which passes the security authentication through an established cloud platform, decrypting the encrypted user fingerprint information according to a session key generated in the security authentication process to obtain the authorized fingerprint information.
8. The method of claim 7, wherein the process of secure authentication comprises:
when an algorithm confirmation request and an encrypted terminal random number sent by the control terminal are received, confirming an algorithm contained in the control terminal;
when the confirmation is passed, calling a terminal public key in a terminal public and private key pair prestored in the cloud platform, encrypting the generated door lock random number, and sending the encrypted door lock random number to the control terminal;
receiving a signature value and an encrypted shared master key sent by the control terminal;
verifying the signature value according to the terminal public key, decrypting the encrypted shared master key when the signature value passes the verification to obtain the shared master key, and generating a door lock authentication message;
sending the door lock authentication message to the control terminal for authentication;
and when receiving a terminal authentication message corresponding to the door lock authentication message fed back by the control terminal, authenticating the terminal authentication message, and when the authentication is passed, realizing the security authentication with the control terminal.
9. The method of claim 8, wherein authenticating the terminal authentication message comprises:
concatenating the terminal random number, the door lock random number, the signature value and the encrypted shared master key to obtain a first connection value;
calling the preset digest algorithm, and carrying out a digest operation on the first connection value to obtain a second digest value;
concatenating the second digest value with a preset terminal ASCII code to obtain a third connection value;
calling a preset hash algorithm, and carrying out hash operation on the third connection value and the shared master key to obtain a second authentication message;
and comparing the second authentication message with the terminal authentication message, and if the second authentication message is consistent with the terminal authentication message, determining that the terminal authentication message passes authentication.
10. An authorization device, comprising:
the second acquisition unit is used for acquiring fingerprint information of a user contained in an opening instruction when the opening instruction of the target door lock by the user is received;
the comparison unit is used for comparing the fingerprint information with authorized fingerprint information obtained by decryption in advance;
and the unlocking unit is used for unlocking the target door lock when the comparison is consistent.
11. An authorization system, comprising:
the system comprises a fingerprint management terminal, a cloud platform and at least one door lock;
the fingerprint management terminal comprises:
the first acquisition module is used for acquiring a user fingerprint;
the first fingerprint detection control module is used for converting the acquired user fingerprint into fingerprint information;
the terminal chip is used for executing the authorization method according to any one of claims 1-5 when receiving the fingerprint information sent by the first fingerprint detection control module;
the door lock includes:
the second acquisition module is used for acquiring the user fingerprint;
the second fingerprint detection control module is used for converting the acquired user fingerprint into fingerprint information;
a door lock chip for performing the authorization method of any one of claims 7 to 9;
the cloud platform is used for performing bidirectional identity authentication with the fingerprint management terminal and performing bidirectional identity authentication with each door lock when receiving an identity authentication request sent by the fingerprint management terminal; when the fingerprint management terminal and each door lock perform security authentication, data and information in the security authentication process are distributed and transferred; and after the security authentication is passed, receiving the fingerprint information encrypted by the fingerprint management terminal, and distributing the encrypted fingerprint information to each door lock.
CN201811352554.2A 2018-11-14 2018-11-14 Authorization method, device and system Active CN109410406B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811352554.2A CN109410406B (en) 2018-11-14 2018-11-14 Authorization method, device and system

Publications (2)

Publication Number Publication Date
CN109410406A true CN109410406A (en) 2019-03-01
CN109410406B CN109410406B (en) 2021-11-16

Family

ID=65473278

Country Status (1)

Country Link
CN (1) CN109410406B (en)

Also Published As

Publication number Publication date
CN109410406B (en) 2021-11-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant