CN109903433A - Access control system and access control method based on face recognition

Publication number: CN109903433A
Authority: CN (China)
Application number: CN201910097904.3A
Legal status: Granted, active
Other languages: Chinese (zh)
Other versions: CN109903433B (en)
Inventors: 罗康, 董逢华, 郭懿嵩, 何涛
Original assignee: Wuhan Tianyu Julian Network Co Ltd
Current assignee: Wuhan Tianyu Julian Network Co Ltd
Application filed by Wuhan Tianyu Julian Network Co Ltd; granted and published as CN109903433B
Landscapes: Lock And Its Accessories; Telephonic Communication Services

Abstract

The present invention provides an access control system and access control method based on face recognition. The system includes: a camera, configured to send a face image to a micro-control unit after obtaining a first session key shared with an intelligent gateway; the micro-control unit, configured to calculate a face feature value from the received face image and send a face recognition command to a secure element; the secure element, configured to compare the face feature value in the received face recognition command with the feature values in a face database, obtain a face recognition result from the comparison result, and return the face recognition result to the micro-control unit; the micro-control unit, further configured to receive the face recognition result and send an access control operation command to an intelligent access controller; and the intelligent access controller, configured to, after obtaining a second session key, decrypt the received access control operation command with the second session key and perform the access control operation according to the resulting face recognition result. Embodiments of the present invention improve the security of the access control system.

Description

Access control system and access control method based on face recognition
Technical field
The present invention relates to the field of intelligent access control, and in particular to an access control system and access control method based on face recognition.
Background
Access control systems are used in many places, such as residential districts, office buildings, factories, banks and computer rooms. An access control system identifies registered users and lets them pass, and refuses entry to unregistered users. At present, most access control systems identify users by card swipe, password or fingerprint. With the rapid development of face recognition technology, a more secure face recognition access control system is needed.
Summary of the invention
The object of the present invention is to overcome the defects of the prior art and provide an access control system and access control method based on face recognition, so as to improve the security of the access control system.
The present invention is implemented as follows:
In a first aspect, the present invention provides an access control system based on face recognition, including an intelligent gateway, a camera and an intelligent access controller, wherein the intelligent gateway includes a micro-control unit and a secure element.
The camera is configured to send a face image to the micro-control unit after obtaining a first session key shared with the intelligent gateway.
The micro-control unit is configured to receive the face image sent by the camera, calculate a face feature value based on the face image, and send a face recognition command to the secure element; the face recognition command includes the face feature value.
The secure element is configured to compare the face feature value in the received face recognition command with the feature values in a preset face database, obtain a face recognition result according to the comparison result, and return the face recognition result to the micro-control unit.
The micro-control unit is further configured to receive the face recognition result that the secure element returns for the face recognition command, obtain an access control operation command, and send the access control operation command to the intelligent access controller; the access control operation command is obtained by encrypting the face recognition result with a second session key, and the second session key is the session key between the intelligent gateway and the intelligent access controller.
The intelligent access controller is configured to, after obtaining the second session key, receive the access control operation command, decrypt the received command with the second session key to obtain the face recognition result, and perform the access control operation according to the face recognition result.
Optionally, the micro-control unit calculates the face feature value based on the face image as follows:
Face detection is performed on the face image;
If exactly one face region is detected in the face image, the face image is cropped to obtain a face sub-image of a preset size, and the face feature value is calculated from the face sub-image.
Optionally, the micro-control unit is further configured to, if multiple face regions are detected in the face image, stop calculating the face feature value based on the face image; or alternatively, crop each face region to obtain face sub-images of the preset size and calculate a face feature value for each face sub-image.
The secure element compares the face feature value in the received face recognition command with the feature values in the preset face database as follows: if the face recognition command includes multiple face feature values, each face feature value is compared with the feature values in the preset face database; if any one of them matches, the comparison result is determined to be successful; otherwise, the comparison result is determined to be unsuccessful.
Optionally, the face database stores the correspondence between feature values and user IDs, and the secure element obtains the face recognition result according to the comparison result as follows:
If the comparison result is successful, the target user ID corresponding to the target feature value that matched the face feature value is obtained, the target permission corresponding to the target user ID is looked up in a preset permission table, and the target permission and the comparison result are used as the face recognition result;
If the comparison result is unsuccessful, the comparison result is used as the face recognition result.
Optionally, the camera obtains the first session key shared with the intelligent gateway as follows:
It generates a camera random number and sends a gateway identity authentication command to the micro-control unit; the gateway identity authentication command includes the camera random number;
It receives the response command returned by the micro-control unit and verifies the identity of the intelligent gateway using the response data in the response command;
If it determines that the intelligent gateway has passed identity verification, it sends a camera identity verification command to the micro-control unit, so that the micro-control unit, after determining that the camera has passed identity verification, obtains the first session key encrypted with the camera public key and sends the encrypted first session key to the camera; the camera identity verification command includes the camera public key;
It decrypts the received encrypted first session key with the pre-stored camera private key to obtain the first session key.
Optionally, the response data includes a gateway certificate, a gateway random number and a camera random number signature value generated from the camera random number; the camera verifies the identity of the intelligent gateway using the response data in the response command as follows:
The camera decrypts the camera random number signature value with the intelligent gateway public key in the gateway certificate to obtain a first verification value. If the camera random number equals the first verification value, the gateway authentication result is that the intelligent gateway has passed identity verification; otherwise, the gateway authentication result is that the intelligent gateway has not passed identity verification.
Optionally, the micro-control unit obtains the first session key encrypted with the camera public key as follows:
Based on the received camera identity verification command, it sends a verification command to the secure element; it receives the camera verification result that the secure element returns for the verification command; if the camera verification result is that the camera has passed identity verification, it receives the first session key, encrypted with the camera public key, sent by the secure element.
Optionally, the intelligent access controller is further configured to, after performing the access control operation, encrypt the access control operation result with the second session key to obtain an access control operation response command, and send the access control operation response command to the micro-control unit;
The micro-control unit is further configured to receive the access control operation response command and have the secure element decrypt it with the second session key to obtain an access control decryption result.
Optionally, the micro-control unit has the secure element decrypt the access control operation response command with the second session key to obtain the access control decryption result as follows: it sends the secure element a decryption request for decrypting the access control operation response command, and receives the access control decryption result that the secure element returns for the decryption request; the decryption request contains the first command header and the first encrypted field of the access control operation response command;
The secure element is further configured to, after receiving the decryption request, decrypt the first encrypted field in the decryption request with the encryption session key in the second session key to obtain the access control operation result and a first MAC; perform MAC verification based on the first command header, the access control operation result and the first MAC; if the MAC verification passes, use the access control operation result and the MAC verification result as the access control decryption result; if the MAC verification does not pass, use the MAC verification result as the access control decryption result; and return the access control decryption result to the micro-control unit.
Optionally, the micro-control unit is further configured to:
If the received access control decryption result is that MAC verification was not passed, clear the session key and set the state of the intelligent access controller to unauthenticated;
Send an identity authentication request to the intelligent access controller, so that the intelligent access controller returns a gateway identity authentication command to the micro-control unit in response to the identity authentication request.
Optionally, the micro-control unit obtains the access control operation command as follows: it sends an encryption request to the secure element, the encryption request including a second command header and the face recognition result; it obtains the second encrypted field that the secure element returns for the encryption request, and forms the access control operation command from the second encrypted field and the second command header;
The secure element is further configured to, after receiving the encryption request, perform an encryption computation on the second command header and the face recognition result with the MAC session key in the second session key to obtain a second ciphertext; determine a second MAC based on the second ciphertext; encrypt the face recognition result and the second MAC with the encryption session key in the second session key to obtain the second encrypted field; and return the second encrypted field to the micro-control unit.
Optionally, the system further includes a cloud platform, and the micro-control unit is further configured to obtain status information of the camera and the intelligent access controller and send the obtained status information to the cloud platform.
Optionally, the system is provided with multiple access controllers, and the intelligent access controller is the one among them that has an association relationship with the camera.
Optionally, the association relationships between cameras and access controllers are stored in advance in a device association table, which is stored in the secure element. The micro-control unit sends the access control operation request to the intelligent access controller as follows:
It sends a lookup request containing the identifier of the camera to the secure element, so that the secure element looks up the device association table for the lookup request, obtains the target identifier of the intelligent access controller associated with the camera's identifier, and returns the target identifier to the micro-control unit;
It receives the target identifier that the secure element returns for the lookup request, and sends the access control operation request to the intelligent access controller that has the target identifier.
Optionally, the micro-control unit is further configured to, after detecting a user instruction for adding a face image record, send an image acquisition command to the camera, where the image acquisition command is obtained by encrypting the user instruction with the first session key; receive the image to be added that the camera sends in response to the image acquisition command; calculate a face feature value based on the image to be added, obtain the user ID corresponding to the image to be added, and send an add command to the secure element; the add command includes the face feature value of the image to be added and its corresponding user ID;
The camera is further configured to, after receiving the image acquisition command, decrypt it with the first session key to obtain the user instruction, and send the image to be added to the micro-control unit according to the user instruction;
The secure element is further configured to, after receiving the add command, add the face feature value of the image to be added and its corresponding user ID from the add command to the face database as a corresponding pair.
Optionally, the secure element is further configured to send the micro-control unit prompt information indicating whether the addition succeeded.
Optionally, the system further includes a mobile terminal.
The mobile terminal is configured to, after obtaining a third session key shared with the micro-control unit, send a device management command to the micro-control unit, so that the micro-control unit, after receiving the device management command, manages the camera and/or the intelligent access controller based on the device management command.
In a second aspect, the present invention provides an access control method based on face recognition, applied to any of the systems described above, the method comprising:
The camera sends a face image to the micro-control unit after obtaining the first session key shared with the intelligent gateway;
The micro-control unit receives the face image sent by the camera, calculates a face feature value based on the face image, and sends a face recognition command to the secure element; the face recognition command includes the face feature value;
The secure element compares the face feature value in the received face recognition command with the feature values in the preset face database, obtains a face recognition result according to the comparison result, and returns the face recognition result to the micro-control unit;
The micro-control unit receives the face recognition result that the secure element returns for the face recognition command, obtains an access control operation command, and sends the access control operation command to the intelligent access controller; the access control operation command is obtained by encrypting the face recognition result with the second session key, and the second session key is the session key between the intelligent gateway and the intelligent access controller;
The intelligent access controller, after obtaining the second session key, receives the access control operation command, decrypts the received command with the second session key to obtain the face recognition result, and performs the access control operation according to the face recognition result.
The invention has the following advantages: with embodiments of the present invention, a secure element can be integrated into the intelligent gateway and feature value comparison can be performed by the secure element to obtain the face recognition result, which improves the security of the face recognition result; moreover, the camera and the intelligent access controller communicate with the intelligent gateway only after obtaining a session key shared with it, which improves the security of the whole face recognition and access control operation process.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are obviously only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a structural schematic diagram of an access control system based on face recognition provided by an embodiment of the present invention;
Fig. 2 is a flow diagram of an access control method based on face recognition provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are obviously only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
To solve the problems of the prior art, embodiments of the present invention provide an access control system and access control method based on face recognition.
Referring to Fig. 1, Fig. 1 shows an access control system based on face recognition provided by an embodiment of the present invention, including an intelligent gateway, a camera and an intelligent access controller, wherein the intelligent gateway includes a micro-control unit and a secure element.
The camera is configured to send a face image to the micro-control unit after obtaining a first session key shared with the intelligent gateway.
The micro-control unit is configured to receive the face image sent by the camera, calculate a face feature value based on the face image, and send a face recognition command to the secure element; the face recognition command includes the face feature value.
The secure element is configured to compare the face feature value in the received face recognition command with the feature values in a preset face database, obtain a face recognition result according to the comparison result, and return the face recognition result to the micro-control unit.
The micro-control unit is further configured to receive the face recognition result that the secure element returns for the face recognition command, obtain an access control operation command, and send the access control operation command to the intelligent access controller; the access control operation command is obtained by encrypting the face recognition result with a second session key, and the second session key is the session key between the intelligent gateway and the intelligent access controller.
The intelligent access controller is configured to, after obtaining the second session key, receive the access control operation command, decrypt the received command with the second session key to obtain the face recognition result, and perform the access control operation according to the face recognition result.
The face image is an image containing a face, and it may contain one or more faces. The invention does not limit the format of the face image; for example, it may be JPEG or BMP. The camera may send face images to the micro-control unit in real time, at a preset fixed interval, or after receiving a request command sent by the micro-control unit. The face image may be transmitted encrypted or unencrypted; the invention does not limit this.
With embodiments of the present invention, a secure element can be integrated into the intelligent gateway and feature value comparison can be performed by the secure element to obtain the face recognition result, which improves the security of the face recognition result; moreover, the camera and the intelligent access controller communicate with the intelligent gateway only after obtaining a session key shared with it, which improves the security of the whole face recognition and access control operation process.
To protect the security of private data, the face database can be stored in the secure element of the intelligent gateway. To improve space utilisation and the speed of face comparison, the face database may store face image feature values rather than the face images themselves.
In one implementation, the micro-control unit calculates the face feature value based on the face image as follows:
Face detection is performed on the face image;
If exactly one face region is detected in the face image, the face image is cropped to obtain a face sub-image of a preset size, and the face feature value is calculated from the face sub-image.
The micro-control unit can use a face detection algorithm such as MTCNN (the algorithm from the paper "Joint Face Detection and Alignment using Multi-task Cascaded Convolutional Networks"), S3FD or SSD to perform face detection on the received face image.
If exactly one face is detected in the face image, this indicates a single-person operation. The face image can then be cropped to obtain a face sub-image of a preset size, and Mobilefacenet can be applied to the face sub-image to obtain the face feature value. The preset size can be set in advance as required, and the face sub-image contains the face. The secure element can compare the received face feature value with the feature values in the face database one by one; if a matching feature value is found, the comparison result is determined to be successful; otherwise, the comparison result is determined to be unsuccessful. Mobilefacenet is a deep learning method suited to embedded environments and can reduce the time needed to calculate feature values.
The face database can store the correspondence between feature values and user IDs, and the secure element obtains the face recognition result according to the comparison result as follows:
If the comparison result is successful, the target user ID corresponding to the target feature value that matched the face feature value is obtained, the target permission corresponding to the target user ID is looked up in a preset permission table, and the target permission and the comparison result are used as the face recognition result;
If the comparison result is unsuccessful, the comparison result is used as the face recognition result.
With this embodiment, the user ID (identification) can also be returned after a successful comparison. The user's access control operation permission is looked up in the permission table by user ID and used as the target permission, so the target permission in the face recognition result matches the access control operation permission of the identified user. In addition, performing face recognition inside the secure element ensures the security of private data such as face feature values and the accuracy of the recognition result, and storing the face database in the secure element protects the security of users' private data. Replacing face images with face feature values reduces both storage space and the time spent on face recognition.
In another implementation, if multiple face regions are detected in the face image, the micro-control unit can stop calculating the face feature value based on the face image; or alternatively, it can crop each face region to obtain face sub-images of the preset size and calculate a face feature value for each face sub-image.
Correspondingly, the secure element compares the face feature value in the received face recognition command with the feature values in the preset face database as follows: if the face recognition command includes multiple face feature values, each face feature value is compared with the feature values in the preset face database; if any one of them matches, the comparison result is determined to be successful; otherwise, the comparison result is determined to be unsuccessful.
If the secure element's lookup yields multiple target permissions, it may use only one target permission (the highest, the lowest, or a randomly selected one) together with the comparison result as the face recognition result; alternatively, it may use all the resulting target permissions together with the comparison result as the face recognition result.
If the face recognition result obtained by the intelligent access controller includes multiple target permissions, it may perform the access control operation according to one target permission: the highest, the lowest, or a randomly selected one.
The camera and the intelligent access controller can be regarded as external devices outside the intelligent gateway. The system may also include other external devices such as Internet of Things terminals, mobile terminals and a cloud platform. External devices and the micro-control unit (Micro Controller Unit, MCU) can send commands to each other, and the micro-control unit and the secure element (Secure Element, SE) can also send commands to each other. A command may include two parts, a command header and data, and the data in a command may be encrypted data or plaintext data. The format of the command header can be set in advance as required; for example, the command header may include information such as command type, command parameters, command counter and command length, where the command length specifies the length of the data the command carries. The command counter can be maintained by the sender of the command: the count value is reset after successful mutual authentication, and is then incremented each time an encrypted command is sent, which prevents replay attacks.
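The command layout and counter described above, combined with the MAC-then-encrypt construction the summary gives for the access control operation command, as an added Go example that is not code from the patent. The 8-byte header layout, AES-128-CTR, HMAC-SHA256 (standing in for the page's cipher-based MAC), the rule that the receiver accepts only a strictly increasing counter, and all names and sample values are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed header layout: type(1) | parameter(1) | counter(4) | data length(2).
const headerLen, macLen = 8, sha256.Size

var (
	ErrFormat = errors.New("malformed command or no session")
	ErrMAC    = errors.New("MAC verification failed")
	ErrReplay = errors.New("command counter not fresh")
)

// SessionKey: encryption session key plus MAC session key (sizes assumed).
type SessionKey struct{ Enc, Mac []byte }

func computeMAC(key, header, result []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(header)
	m.Write(result)
	return m.Sum(nil)
}

// ctr applies AES-CTR; IV = header || zeros, unique while (type, counter) never repeats.
func ctr(key, header, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	copy(iv, header)
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// Seal (sender side) builds header || Enc(result || MAC(header || result)).
func Seal(k SessionKey, cmdType, param byte, counter uint32, result []byte) ([]byte, error) {
	if len(result) > 0xFFFF-macLen {
		return nil, ErrFormat
	}
	header := []byte{cmdType, param, 0, 0, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(header[2:6], counter)
	binary.BigEndian.PutUint16(header[6:8], uint16(len(result)+macLen))
	plain := append(append([]byte{}, result...), computeMAC(k.Mac, header, result)...)
	field, err := ctr(k.Enc, header, plain)
	if err != nil {
		return nil, err
	}
	return append(header, field...), nil
}

type Receiver struct {
	Key           SessionKey
	LastCounter   uint32
	Authenticated bool
}

// Open decrypts the field, verifies the MAC, then checks counter freshness.
func (r *Receiver) Open(cmd []byte) ([]byte, error) {
	if !r.Authenticated || len(cmd) < headerLen+macLen ||
		int(binary.BigEndian.Uint16(cmd[6:8])) != len(cmd)-headerLen {
		return nil, ErrFormat
	}
	header, field := cmd[:headerLen], cmd[headerLen:]
	plain, err := ctr(r.Key.Enc, header, field)
	if err != nil {
		return nil, err
	}
	result, mac := plain[:len(plain)-macLen], plain[len(plain)-macLen:]
	if !hmac.Equal(mac, computeMAC(r.Key.Mac, header, result)) {
		// As the page describes: drop the session key, force re-authentication.
		r.Key, r.Authenticated = SessionKey{}, false
		return nil, ErrMAC
	}
	counter := binary.BigEndian.Uint32(header[2:6])
	if counter <= r.LastCounter {
		return nil, ErrReplay
	}
	r.LastCounter = counter
	return result, nil
}

func main() {
	// Constructed keys and result string, for illustration only.
	k := SessionKey{Enc: []byte("0123456789abcdef"), Mac: []byte("constructed-mac-key")}
	cmd, _ := Seal(k, 0x21, 0x00, 1, []byte("match;permission=open"))
	r := &Receiver{Key: k, Authenticated: true}
	first, _ := r.Open(cmd)
	_, replayErr := r.Open(cmd) // same bytes again: rejected as a replay
	fmt.Println(string(first), replayErr)
}
```

Because the counter sits in the header and the header is covered by the MAC, a captured command cannot be replayed by rewriting its counter: the change fails MAC verification before the freshness check is reached.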
The secure element can take the form of a chip and can have computing capability. To prevent other devices from maliciously parsing and attacking it and to protect data security, the chip can be provided with encryption/decryption logic circuits, so that the secure element can perform asymmetric-key encryption and decryption and/or symmetric-key encryption, improving communication security. To improve the security of the intelligent gateway, the secure element can be placed inside the intelligent gateway.
Specifically, the external devices can communicate with the micro-control unit in a wired or wireless manner. There may be multiple external devices. The wireless communication modes include one or more of WIFI (Wireless Fidelity), Bluetooth, Zigbee, NFC (near field communication) and the like. The secure element of the intelligent gateway can be connected to the micro-control unit through an SPI (Serial Peripheral Interface) interface; the micro-control unit can act as the host and the secure element as the slave.
To improve communication security, an external device may first obtain a session key shared with the intelligent gateway before sending data or commands to it. The session key between the camera and the intelligent gateway can be called the first session key, the session key between the intelligent gateway and the intelligent access controller can be called the second session key, and so on.
The camera is specifically configured to obtain the first session key with the intelligent gateway in the following manner:
Generate a camera random number and send a gateway identity authentication command to the micro-control unit, the gateway identity authentication command including the camera random number;
Receive the response command returned by the micro-control unit, and use the response data in the response command to verify the identity of the intelligent gateway;
If the intelligent gateway is determined to have passed identity verification, send a camera authentication command to the micro-control unit, so that the micro-control unit, after determining that the camera has passed identity verification, obtains the first session key encrypted with the camera public key and sends the encrypted first session key to the camera; the camera authentication command includes the camera public key;
Decrypt the received encrypted first session key with the pre-stored camera private key to obtain the first session key.
The camera random number can be generated by the camera using a random function or a hash function. Its length can be preset, for example 16 bytes or 32 bytes.
Specifically, the response data may include the gateway certificate, a gateway random number, and a camera random number signature value generated from the camera random number. So that the micro-control unit obtains safe and reliable response data, the micro-control unit can, based on the received gateway identity authentication command, send an acquisition command to the safety element; the data portion of the acquisition command may include the camera random number. The acquisition command is used to obtain response data such as the gateway certificate, the gateway random number and the camera random number signature value from the safety element. After receiving the acquisition command, the safety element can generate the camera random number signature value from the camera random number in the command, obtain the gateway certificate, generate the gateway random number, and return the gateway certificate, the gateway random number and the camera random number signature value to the micro-control unit as the response data.
The micro-control unit can then generate the response command from the response data, specifically: obtain a preset command header and fill it in according to the content of the response data to obtain the command header of the response command; and use the response data as the data portion of the response command, thereby obtaining the response command. Filling in the command header according to the content of the response data can be done in an existing manner, which the present invention does not describe further.
In one implementation, the safety element generates the camera random number signature value as follows:
Sign the camera random number with the pre-stored intelligent gateway private key to obtain the camera random number signature value.
The intelligent gateway private key can be pre-stored in the safety element. The present invention does not limit the specific signature scheme, which can be an existing digital signature algorithm or a signature algorithm designed according to requirements. Alternatively, in other modes, the camera random number signature value can be obtained by applying Base64 encoding or ASCII (American Standard Code for Information Interchange) encoding to the external device random number.
The gateway random number generated by the safety element and the camera random number may have the same or different lengths. The gateway random number can be generated by the safety element using a preset random function or hash function. Its length can be specified in advance, for example 16 bytes, 32 bytes or 64 bytes.
The gateway certificate can be pre-stored in the safety element, which can then read its own stored copy directly; alternatively, in other embodiments, the gateway certificate is stored in a device other than the safety element, and the safety element obtains it from that device. To improve the security of the gateway certificate, it is preferably pre-stored in the safety element. The present invention does not limit the specific format of the gateway certificate: it can be, for example, a public key certificate in X.509 format, an SSL (Secure Sockets Layer) certificate, or a gateway certificate in a user-defined format. The gateway certificate may include the intelligent gateway public key.
Other external devices can obtain their session key with the intelligent gateway in the same way. For example, the micro-control unit can receive a gateway identity authentication command sent by the intelligent entrance guard, whose data portion may include an intelligent entrance guard random number generated by the intelligent entrance guard; then, after the intelligent entrance guard and the intelligent gateway have each verified the other's identity, the intelligent entrance guard can obtain the second session key encrypted with the intelligent entrance guard public key and decrypt it to obtain the second session key.
The camera verifies the identity of the intelligent gateway with the response data in the response command, specifically as follows:
Decrypt the camera random number signature value with the intelligent gateway public key in the gateway certificate to obtain a first validation value; if the camera random number equals the first validation value, the gateway verification result is that the intelligent gateway passes identity verification; otherwise, the gateway verification result is that the intelligent gateway does not pass identity verification.
With the embodiment of the present invention, a safety element can be integrated in the intelligent gateway, and the safety element can obtain the gateway certificate and generate the gateway random number and the external device random number signature value. This prevents the response data that the intelligent gateway supplies to an external device from being tampered with and improves the security of the intelligent gateway.
After determining that the intelligent gateway has not passed identity verification, the camera can send the gateway identity authentication command to the intelligent gateway again;
After determining that the intelligent gateway has passed identity verification, the camera can send a camera authentication command to the micro-control unit, whose data portion may include the camera certificate and a gateway random number signature value. The camera certificate may include the camera public key. The gateway random number signature value can be generated by the camera from the gateway random number in the response command, specifically: sign the gateway random number with the pre-stored camera private key to obtain the gateway random number signature value; or apply Base64 encoding or ASCII encoding to the gateway random number to obtain the gateway random number signature value. Other reasonable methods can also be used to generate the gateway random number signature value.
After receiving the camera authentication command, the micro-control unit can obtain the first session key encrypted with the camera public key in the following manner:
Based on the received camera authentication command, send a verification command to the safety element; receive the camera verification result that the safety element returns for the verification command; if the camera verification result is that the camera passes identity verification, receive the first session key, encrypted with the camera public key, that the safety element sends.
After receiving the verification command sent by the micro-control unit, the safety element can verify the identity of the camera and return the camera verification result to the micro-control unit.
If the gateway random number signature value was obtained by signing the gateway random number with the pre-stored camera private key, the safety element verifies the identity of the camera specifically as follows:
Decrypt the gateway random number signature value with the camera public key in the camera certificate to obtain a second validation value; if the gateway random number equals the second validation value, the camera verification result is that the camera passes identity verification; otherwise, the camera verification result is that the camera does not pass identity verification.
In another implementation, if the gateway random number signature value was obtained by applying Base64 encoding or ASCII encoding to the gateway random number, the safety element verifies the identity of the camera specifically as follows:
Decode the gateway random number signature value to obtain the second validation value; if the gateway random number equals the second validation value, the camera verification result is that the camera passes identity verification; otherwise, the camera verification result is that the camera does not pass identity verification.
To facilitate subsequent secure communication, if the verification result is that the camera passes identity verification, the safety element can also generate a random number as the first session key. To prevent the session key from being tampered with, the safety element can encrypt the first session key with the camera public key in the camera certificate and return the encrypted first session key to the micro-control unit, so that the micro-control unit obtains the first session key encrypted with the camera public key and sends the encrypted first session key to the camera.
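The camera/gateway exchange described above, from the camera random number to the decrypted first session key, as an added Go example that is not code from the patent. It assumes RSA-2048 with PKCS#1 v1.5 signatures over SHA-256 and RSA-OAEP for the session key, uses bare public keys in place of certificates, and implements only the private-key signature variant, because a Base64 or ASCII encoding involves no key and can be computed by anyone who sees the random number; all type and function names are hypothetical.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is one side of the handshake. Assumptions: a bare RSA public key stands
// in for the certificate, and peer is the pre-provisioned key this side trusts.
type Party struct {
	key     *rsa.PrivateKey
	peer    *rsa.PublicKey
	pending []byte // random number this side issued and expects to see signed
}

// AuthMsg carries a certificate, a random number and a signature over the receiver's number.
type AuthMsg struct{ Cert *rsa.PublicKey; Nonce, Sig []byte }

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func (p *Party) sign(nonce []byte) []byte {
	d := sha256.Sum256(nonce)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, p.key, crypto.SHA256, d[:]) // nil on error, which fails verification
	return sig
}

// check accepts m only if it comes from the trusted key and signs the number issued here.
func (p *Party) check(m AuthMsg) error {
	issued := p.pending
	p.pending = nil // single use: a second message for the same number is rejected
	d := sha256.Sum256(issued)
	if issued == nil || m.Cert == nil || !m.Cert.Equal(p.peer) ||
		rsa.VerifyPKCS1v15(m.Cert, crypto.SHA256, d[:], m.Sig) != nil {
		return fmt.Errorf("peer failed identity verification")
	}
	return nil
}

// Hello (camera): generate the 16-byte camera random number.
func (p *Party) Hello() []byte {
	p.pending = random(16)
	return p.pending
}

// Respond (gateway): sign the camera random number and issue the gateway random number.
func (p *Party) Respond(cameraNonce []byte) AuthMsg {
	p.pending = random(16)
	return AuthMsg{&p.key.PublicKey, p.pending, p.sign(cameraNonce)}
}

// Authenticate (camera): verify the gateway, then sign the gateway random number.
func (p *Party) Authenticate(r AuthMsg) (AuthMsg, error) {
	if err := p.check(r); err != nil {
		return AuthMsg{}, err
	}
	return AuthMsg{Cert: &p.key.PublicKey, Sig: p.sign(r.Nonce)}, nil
}

// Finish (gateway): verify the camera, generate the 32-byte first session key and encrypt it.
func (p *Party) Finish(a AuthMsg) (key, wrapped []byte, err error) {
	if err = p.check(a); err != nil {
		return nil, nil, err
	}
	key = random(32)
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, a.Cert, key, nil)
	return key, wrapped, err
}

// Unwrap (camera): decrypt the session key with the camera private key.
func (p *Party) Unwrap(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.key, wrapped, nil)
}

// NewPair creates a camera and a gateway provisioned with each other's public key.
func NewPair() (camera, gateway *Party) {
	ck, err1 := rsa.GenerateKey(rand.Reader, 2048)
	gk, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	return &Party{key: ck, peer: &gk.PublicKey}, &Party{key: gk, peer: &ck.PublicKey}
}

func main() {
	cam, gw := NewPair()
	auth, _ := cam.Authenticate(gw.Respond(cam.Hello())) // a zero AuthMsg makes Finish fail
	gwKey, wrapped, err := gw.Finish(auth)
	camKey, _ := cam.Unwrap(wrapped)
	fmt.Println("session keys match:", err == nil && string(camKey) == string(gwKey))
}
```

Because each side discards its random number after one check, a captured response or camera authentication command cannot be replayed into a later handshake.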
To further ensure communication security, each generated session key, including the first session key, the second session key and so on, can be valid only for one session. When either party requests to end the session, or no communication takes place for a long time (the specific duration can be user-defined), the other party can determine that the session has ended and mark the session key as invalid. Before the next communication is requested, that is, before the next session begins, identity verification can be carried out again and a new session key generated.
The session key may consist of two parts: an encryption session key and a MAC (message authentication code) session key. The two may occupy the same or different numbers of bytes; preferably, to simplify the encrypted communication process, they occupy the same number of bytes. For example, if the session key has 32 bytes in total, the first 16 bytes can be the encryption session key and the last 16 bytes can be the MAC session key.
Before the camera communicates with the intelligent gateway, each can verify the other's identity, so that both sides hold the same first session key. The first session key can be used for communication between the camera and the intelligent gateway, which, as required, can be unencrypted communication or encrypted communication with a MAC.
Likewise, before the intelligent entrance guard communicates with the intelligent gateway, each can verify the other's identity, so that both sides hold the same second session key. The second session key can be used for communication between the intelligent entrance guard and the intelligent gateway, which, as required, can be unencrypted communication or encrypted communication with a MAC.
With the embodiment of the present invention, bidirectional identity authentication between the intelligent gateway and an external device can be realized, ensuring the reliability of both parties' identities. A session key can be generated, which allows the authenticated parties to carry out subsequent encrypted communication and improves communication security. The gateway certificate and the intelligent gateway private key can be stored in the safety element, ensuring the storage security of confidential and private data. And because the safety element generates the random numbers and carries out data encryption and decryption and identity verification, security can be improved further.
After the intelligent entrance guard and the intelligent gateway have verified each other's identity, both hold the same second session key and can use it for encrypted communication. So that the intelligent gateway can obtain the gate inhibition operating result of the intelligent entrance guard and strengthen its control over the intelligent entrance guard, in one implementation the intelligent entrance guard is further configured, after executing a gate inhibition operation, to encrypt the gate inhibition operating result with the second session key to obtain a gate inhibition operation response command, and to send the gate inhibition operation response command to the micro-control unit;
The micro-control unit is further configured to receive the gate inhibition operation response command and, through the safety element, decrypt it with the second session key to obtain a gate inhibition decrypted result.
The micro-control unit can have the safety element decrypt the gate inhibition operation response command with the second session key. Because the safety element has strong security protection, this improves the security of the decryption process and makes the gate inhibition decrypted result that the micro-control unit obtains more secure and reliable. If the safety element determines that the gate inhibition operation response command is safe, the gate inhibition decrypted result may include the gate inhibition operating result; otherwise, it may omit the gate inhibition operating result. This ensures the reliability and security of the gate inhibition operating result that the micro-control unit obtains.
In other implementations, the micro-control unit can itself decrypt the gate inhibition operation response command with the second session key to obtain the gate inhibition decrypted result.
Gate inhibition operations include, but are not limited to, opening the gate inhibition and closing the gate inhibition. The gate inhibition operating result indicates whether the gate inhibition operation succeeded. Because the gate inhibition operation response command is encrypted with the second session key, the gate inhibition operating result can be viewed only after decryption with the second session key, which secures the transmission of the gate inhibition operating result and improves communication security.
The micro-control unit, through the safety element, decrypts the gate inhibition operation response command with the second session key to obtain the gate inhibition decrypted result, specifically as follows:
Send to the safety element a decryption request for decrypting the gate inhibition operation response command; receive the gate inhibition decrypted result that the safety element returns for the decryption request; wherein the decryption request includes the first command header and the first encrypted field of the gate inhibition operation response command;
The safety element is further configured, after receiving the decryption request, to decrypt the first encrypted field in the decryption request with the encryption session key in the second session key to obtain the gate inhibition operating result and a first MAC; to carry out MAC verification based on the first command header, the gate inhibition operating result and the first MAC; if the MAC verification result is that MAC verification is passed, to take the gate inhibition operating result and the MAC verification result as the gate inhibition decrypted result; if the MAC verification result is that MAC verification is not passed, to take the MAC verification result as the gate inhibition decrypted result; and to return the gate inhibition decrypted result to the micro-control unit.
The first command header and the first encrypted field are, respectively, the command header and the data portion of the gate inhibition operation response command. The camera can fill in a preset command header according to the data content of the gate inhibition operating result to obtain the first command header; perform an encryption calculation over the first command header and the gate inhibition operating result with the MAC session key in the session key, and take the resulting ciphertext as the first MAC; encrypt the gate inhibition operating result and the first MAC with the encryption session key in the session key, and take the resulting ciphertext as the first encrypted field; form the gate inhibition operation response command from the first command header and the first encrypted field; and then send the gate inhibition operation response command to the intelligent gateway, so that the micro-control unit receives the gate inhibition operation response command.
The safety element carries out MAC verification based on the first command header, the gate inhibition operating result and the first MAC, specifically:
Perform an encryption calculation over the first command header and the gate inhibition operating result with the MAC session key in the session key to obtain a first ciphertext; determine a first verification message authentication code from the resulting first ciphertext; and compare whether the first verification message authentication code and the first MAC are identical. If they are identical, the MAC verification result is that MAC verification is passed; otherwise, the MAC verification result is that MAC verification is not passed.
The safety element can decrypt the first encrypted field with the encryption session key to obtain the gate inhibition operating result and the first MAC; then perform an encryption calculation over the first command header and the gate inhibition operating result with the MAC session key, determine the first verification message authentication code from the resulting first ciphertext, and compare the first verification message authentication code with the first MAC. This verifies the integrity of the data and ensures its reliability. The first verification message authentication code can be determined from the first ciphertext as follows: take the last 16 bytes/32 bytes of the first ciphertext as the first verification message authentication code.
If the first command header and the first encrypted field pass MAC verification, the gate inhibition operation response command received by the micro-control unit is reliable, and the safety element can take the gate inhibition operating result and the MAC verification result as the gate inhibition decrypted result and send it to the micro-control unit, so that the micro-control unit obtains the gate inhibition operating result. If the first command header and the first encrypted field do not pass MAC verification, the gate inhibition operation response command received by the micro-control unit is unreliable, and the safety element can take only the MAC verification result as the gate inhibition decrypted result and send it to the micro-control unit. This prevents the micro-control unit from obtaining an unreliable gate inhibition operating result, improves the credibility of the gate inhibition operating result acquired by the intelligent gateway, and realizes secure management and control of the intelligent entrance guard.
To further improve communication security, the micro-control unit is also configured to:
If the received gate inhibition decrypted result is that MAC verification is not passed, clear the session key and set the state of the intelligent entrance guard to the un-authenticated state;
Send an identity authentication request to the intelligent entrance guard, so that the intelligent entrance guard, in response to the identity authentication request, returns a gateway identity authentication command to the micro-control unit.
With the embodiment of the present invention, for a command that requires data encryption and MAC verification, if the intelligent gateway determines that MAC verification is not passed, it clears the session key, so that the next operation is terminated, and sets the state of the intelligent entrance guard to the un-authenticated state, so that bidirectional identity authentication between the intelligent gateway and the intelligent entrance guard is carried out again and the second session key is then regenerated. This avoids communication with an unreliable intelligent entrance guard and improves communication security.
So that the micro-control unit obtains a secure gate inhibition operational order, the micro-control unit obtains the gate inhibition operational order specifically as follows: send an encryption request to the safety element, the encryption request including a second command header and the face recognition result; obtain the second encrypted field that the safety element returns for the encryption request, and form the gate inhibition operational order from the second encrypted field and the second command header;
The safety element is further configured, after receiving the encryption request, to perform an encryption calculation over the second command header and the face recognition result with the MAC session key in the second session key to obtain a second ciphertext; determine a second MAC from the resulting second ciphertext; encrypt the face recognition result and the second MAC with the encryption session key in the second session key to obtain the second encrypted field; and return the second encrypted field to the micro-control unit;
The present invention does not limit the manner of determining the second MAC from the resulting second ciphertext; for example, the last 16 bytes/32 bytes of the second ciphertext can be taken as the second MAC.
After obtaining the gate inhibition operational order, the intelligent entrance guard can also decrypt the second encrypted field with the encryption session key in the second session key to obtain the face recognition result and the second MAC, and carry out MAC verification based on the second command header, the face recognition result and the second MAC. If MAC verification is determined to be passed, the gate inhibition operation can be carried out according to the face recognition result. If MAC verification is determined not to be passed, the second session key can be cleared, and the state of the intelligent gateway can also be set to the un-authenticated state, so that bidirectional identity authentication between the intelligent gateway and the external device is carried out again and the second session key is then regenerated. With the embodiment of the present invention, the intelligent entrance guard is prevented from processing a face recognition result that has not passed MAC verification, which improves communication security.
The encryption request can be used to request the second encrypted field. The intelligent entrance guard carries out MAC verification based on the second command header, the face recognition result and the second MAC specifically as follows: perform an encryption calculation over the second command header and the face recognition result with the MAC session key in the second session key to obtain a second verification message authentication code, and compare whether the second verification message authentication code and the second MAC are identical. If they are identical, the MAC verification result is that MAC verification is passed; otherwise, the MAC verification result is that MAC verification is not passed. Comparing the second verification message authentication code with the second MAC verifies the integrity of the data.
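The command protection described in the preceding paragraphs, for both the gate inhibition operation response command and the gate inhibition operational order (MAC over command header and payload, payload and MAC encrypted together, session cleared on a failed check), as an added Go example that is not code from the patent. Assumptions not stated on the page: AES-128-CBC for both halves of the session key, a random IV prepended to the encrypted field, PKCS#7 padding, and length prefixes inside the MAC input, because a MAC taken as the last ciphertext block can otherwise be forged for variable-length messages; the names, header bytes and payload are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrMAC = errors.New("MAC verification failed")

// Session splits the 32-byte session key as the text describes: the first 16
// bytes encrypt, the last 16 bytes authenticate. Assumption: AES-128-CBC for both.
type Session struct {
	enc, mac      cipher.Block
	Authenticated bool
}

func NewSession(key []byte) (*Session, error) {
	if len(key) != 32 {
		return nil, errors.New("session key must be 32 bytes")
	}
	enc, _ := aes.NewCipher(key[:16]) // cannot fail: the key length is fixed above
	mac, _ := aes.NewCipher(key[16:])
	return &Session{enc: enc, mac: mac, Authenticated: true}, nil
}

func pad(b []byte) []byte { // PKCS#7, applied to a copy of b
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, bool) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.HasSuffix(b, bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, false
	}
	return b[:len(b)-n], true
}

// tag encrypts header and payload with the MAC key and keeps the last 16 bytes
// of the ciphertext. The two length prefixes are an added assumption.
func (s *Session) tag(header, payload []byte) []byte {
	msg := make([]byte, 8, 8+len(header)+len(payload))
	binary.BigEndian.PutUint32(msg[0:], uint32(len(header)))
	binary.BigEndian.PutUint32(msg[4:], uint32(len(payload)))
	msg = pad(append(append(msg, header...), payload...))
	cipher.NewCBCEncrypter(s.mac, make([]byte, aes.BlockSize)).CryptBlocks(msg, msg)
	return msg[len(msg)-aes.BlockSize:]
}

// Seal returns the encrypted field of a command: IV || CBC(encKey, payload || MAC).
func (s *Session) Seal(header, payload []byte) ([]byte, error) {
	if !s.Authenticated {
		return nil, errors.New("no authenticated session")
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	body := pad(append(append([]byte{}, payload...), s.tag(header, payload)...))
	cipher.NewCBCEncrypter(s.enc, iv).CryptBlocks(body, body)
	return append(iv, body...), nil
}

// Open decrypts the field and checks the MAC. Every failure returns the same
// error, drops both keys and leaves the peer in the un-authenticated state.
func (s *Session) Open(header, field []byte) ([]byte, error) {
	if !s.Authenticated {
		return nil, errors.New("no authenticated session")
	}
	if n := aes.BlockSize; len(field) >= 3*n && len(field)%n == 0 {
		body := make([]byte, len(field)-n)
		cipher.NewCBCDecrypter(s.enc, field[:n]).CryptBlocks(body, field[n:])
		if body, ok := unpad(body); ok && len(body) >= n {
			payload, got := body[:len(body)-n], body[len(body)-n:]
			if subtle.ConstantTimeCompare(got, s.tag(header, payload)) == 1 {
				return payload, nil
			}
		}
	}
	s.enc, s.mac, s.Authenticated = nil, nil, false
	return nil, ErrMAC
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 32) // constructed; normally the handshake output
	gateway, _ := NewSession(key)
	door, _ := NewSession(key)
	header := []byte{0x80, 0x10, 0x00, 0x00} // constructed command header
	field, _ := gateway.Seal(header, []byte("match:user-7"))
	result, err := door.Open(header, field)
	fmt.Printf("%q %v %v\n", result, err, door.Authenticated)
}
```

Returning one error for bad padding and bad MAC alike, and discarding the keys on the first failure, gives a sender of malformed fields no second attempt against the same session.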
To allow unified monitoring of external devices, the system further includes a cloud platform, and the micro-control unit is further configured to: obtain the status information of the camera and the intelligent entrance guard, and send the obtained status information to the cloud platform.
The cloud platform can first obtain a session key with the intelligent gateway before communicating with the micro-control unit; the micro-control unit can then send the status information of external devices other than the cloud platform, such as the camera, the intelligent entrance guard and the mobile terminal, to the cloud platform, so that the cloud platform can monitor the external devices in a unified way.
The system can have multiple cameras and multiple gate inhibitions, which can be deployed at multiple positions. Each camera can execute the technical solution of the present invention according to the process described above. A camera can be associated with a gate inhibition, and the association can be 1:1, 1:M, N:1 and so on. The intelligent entrance guard can be the gate inhibition, among the multiple gate inhibitions, that is associated with the camera that sent the facial image. For example, the cameras include camera 1.1, camera 1.2 and camera 1.3; the gate inhibitions include gate inhibition 3.1, gate inhibition 3.2 and gate inhibition 3.3; camera 1.1 is associated with gate inhibition 3.1; after camera 1.1 acquires a facial image and the intelligent gateway has processed it and carried out face recognition, the opening of intelligent entrance guard 3.1 can be controlled.
To make the associations easier to manage, the association between cameras and gate inhibitions can be pre-stored in a device association table. To improve the security of the device association table, the device association table can be stored in the safety element. The micro-control unit sends the gate inhibition operational order to the intelligent entrance guard specifically as follows:
Send a lookup request to the safety element, the lookup request including the identifier of the camera, so that the safety element, in response to the lookup request, searches the device association table, obtains the target identifier of the intelligent entrance guard associated with the identifier of the camera, and returns the resulting target identifier to the micro-control unit;
Receive the target identifier that the safety element returns for the lookup request, and send the gate inhibition operational order to the intelligent entrance guard that has the target identifier.
The identifier of a camera uniquely identifies the camera, and the identifier of a gate inhibition uniquely identifies the gate inhibition. The device association table can be preset as required and, once set, can also be modified as required by the micro-control unit or the safety element. Because the security performance of the safety element is high, storing the device association table in the safety element prevents malicious tampering by terminal devices other than the intelligent gateway and improves the security of the device association table.
To make the face database easier to manage, the micro-control unit is further configured, after detecting a user instruction for adding a facial image record, to send an image acquisition command to the camera, wherein the image acquisition command is obtained by encrypting the user instruction with the first session key; to receive the image to be added that the camera sends in response to the image acquisition command; to calculate a face characteristic value from the image to be added and obtain the User ID corresponding to the image to be added; and to send an add command to the safety element, the add command including the face characteristic value of the image to be added and its corresponding User ID;
The camera is further configured, after receiving the image acquisition command, to decrypt the received image acquisition command with the first session key to obtain the user instruction, and to send the image to be added to the micro-control unit according to the user instruction;
The safety element is further configured, after receiving the add command, to add the face characteristic value of the image to be added in the add command, together with its corresponding User ID, to the face database.
The image acquisition command can be obtained by the safety element encrypting the user instruction with the first session key. The face characteristic value can be calculated from the image to be added in the same way as the aforementioned process of calculating a face characteristic value from a facial image, which is not repeated here.
The present invention does not limit how the micro-control unit obtains the User ID corresponding to the image to be added; for example, it can obtain the User ID that a user enters through the human-computer interaction interface of the micro-control unit, or the User ID that an administrator sends through a mobile terminal.
The face database includes one or a combination of the following fields: a User ID used as a unique identifier, a face characteristic value, and an operating permission assigned by an administrator. The default operating permission is visitor permission, and an administrator can then assign more operating permissions.
When the intelligent gateway receives a user instruction for adding a facial image record, the safety element can add the corresponding record to the face database, thereby realizing management of the face database.
The safety element is further configured to send to the micro-control unit prompt information indicating whether the addition succeeded.
In one implementation, the system further includes a mobile terminal,
The mobile terminal is configured, after obtaining the third session key between itself and the micro-control unit, to send a device management command to the micro-control unit, so that the micro-control unit, after receiving the device management command, manages the camera and/or the intelligent entrance guard based on the device management command.
The mobile terminal includes a mobile phone, a tablet, a computer and the like. The mobile terminal can also communicate wirelessly with the cloud platform and access the intelligent gateway remotely through the cloud platform. A mobile terminal that has passed identity verification and obtained the corresponding permission can view the state of the camera and/or the intelligent entrance guard, add or delete cameras and/or intelligent entrance guards, set parameters of the camera and/or the intelligent entrance guard, add or delete records of the face database in the safety element, transmit data to the secure intelligent gateway, and so on.
Corresponding to the above embodiment of the access control system based on face recognition, an embodiment of the present invention provides an access control method based on face recognition. Referring to Figure 2, the method is applied to the above access control system based on face recognition and includes:
S101: after obtaining the first session key between itself and the intelligent gateway, the camera sends a facial image to the micro-control unit;
S102: the micro-control unit receives the facial image sent by the camera and calculates a face characteristic value based on the facial image; and sends a face recognition command to the safety element; the face recognition command includes the face characteristic value;
S103: the safety element compares the face characteristic value in the received face recognition command with the characteristic values in a preset face database, obtains a face recognition result according to the comparison result, and returns the face recognition result to the micro-control unit;
S104: the micro-control unit receives the face recognition result returned by the safety element for the face recognition command; obtains a gate inhibition operational order, and sends the gate inhibition operational order to the intelligent entrance guard; wherein the gate inhibition operational order is obtained by encrypting the face recognition result with the second session key; the second session key is the session key between the intelligent gateway and the intelligent entrance guard;
S105: after obtaining the second session key, the intelligent entrance guard receives the gate inhibition operational order, decrypts the received gate inhibition operational order with the second session key to obtain the face recognition result, and carries out the gate inhibition operation according to the face recognition result.
With the embodiment of the present invention, a safety element can be integrated in the intelligent gateway, and the characteristic value comparison that yields the face recognition result can be carried out by the safety element, which improves the security of the face recognition result. In addition, the camera and the intelligent entrance guard communicate with the intelligent gateway only after obtaining their session keys with the intelligent gateway, which improves the security of the entire face recognition and gate inhibition operation process.
Optionally, the micro-control unit calculating the face characteristic value based on the facial image comprises:
performing face detection on the facial image;
if one and only one face region is detected in the facial image, cropping the facial image to obtain a face sub-image of a preset size, and calculating the face characteristic value for the face sub-image.
Optionally, the method further includes:
if multiple face regions are detected in the facial image, the micro-control unit stops calculating the face characteristic value based on the facial image; alternatively, it crops each face region to obtain face sub-images of the preset size and calculates a face characteristic value for each face sub-image;
the safety element comparing the face characteristic value in the received face recognition command with the characteristic values in the preset face database comprises: if the face recognition command includes multiple face characteristic values, comparing each face characteristic value with the characteristic values in the preset face database; if any one comparison succeeds, determining that the comparison result is a successful comparison; otherwise, determining that the comparison result is an unsuccessful comparison.
Optionally, the face database stores the correspondence between characteristic values and user IDs, and the safety element obtaining the face recognition result according to the comparison result comprises:
if the comparison result is a successful comparison, obtaining the target user ID corresponding to the target characteristic value that was successfully compared with the face characteristic value, looking up the target permission corresponding to the target user ID in a preset permission table, and taking the target permission and the comparison result as the face recognition result;
if the comparison result is an unsuccessful comparison, taking the comparison result as the face recognition result.
Optionally, the camera obtains the first session key between itself and the intelligent gateway in the following manner:
generating a camera random number and sending a gateway identity authentication command to the micro-control unit, the gateway identity authentication command including the camera random number;
receiving the response command returned by the micro-control unit, and performing identity verification on the intelligent gateway with the response data in the response command;
if it is determined that the intelligent gateway has passed identity verification, sending a camera identity verification command to the micro-control unit, so that the micro-control unit, after determining that the camera has passed identity verification, obtains the first session key encrypted with the camera public key and sends the encrypted first session key to the camera; the camera identity verification command includes the camera public key;
decrypting the received encrypted first session key with the pre-stored camera private key to obtain the first session key.
Optionally, the response data includes a gateway certificate, a gateway random number, and a camera random number signature value generated based on the camera random number; the camera performing identity verification on the intelligent gateway with the response data in the response command comprises:
decrypting the camera random number signature value with the intelligent gateway public key in the gateway certificate to obtain a first validation value; if the camera random number is equal to the first validation value, determining that the gateway authentication result is that the intelligent gateway has passed identity verification; otherwise, determining that the gateway authentication result is that the intelligent gateway has not passed identity verification.
Optionally, the micro-control unit obtains the first session key encrypted with the camera public key in the following manner:
based on the received camera identity verification command, sending a verification command to the safety element; receiving the camera verification result returned by the safety element for the verification command; if the camera verification result is that the camera has passed identity verification, receiving the first session key, encrypted with the camera public key, that is sent by the safety element.
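The first-session-key exchange described above, as an added Go example that is not code from the patent. Assumptions: RSA with PKCS#1 v1.5 signatures and OAEP key wrapping, a pinned gateway public key in place of validating the gateway certificate, a camera key enrolled at the gateway as the camera check, and hypothetical type and function names throughout; the gateway random number is left out because the text does not say how it is used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

func random16() []byte {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// digest labels the random number so the signature cannot be taken for one over other data.
func digest(nonce []byte) []byte {
	h := sha256.Sum256(append([]byte("gateway-auth:"), nonce...))
	return h[:]
}

// Gateway stands for the micro-control unit together with the safety element.
type Gateway struct {
	priv       *rsa.PrivateKey
	cameraPub  *rsa.PublicKey // assumption: camera key enrolled at pairing
	SessionKey []byte         // first session key
}

// Respond answers the gateway identity authentication command by signing the camera random number.
func (g *Gateway) Respond(nonceC []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, g.priv, crypto.SHA256, digest(nonceC))
}

// AuthCamera handles the camera identity verification command; only an enrolled key gets a wrapped session key.
func (g *Gateway) AuthCamera(camPub *rsa.PublicKey) ([]byte, error) {
	if g.cameraPub == nil || !g.cameraPub.Equal(camPub) {
		return nil, errors.New("camera failed identity verification")
	}
	g.SessionKey = random16()
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, camPub, g.SessionKey, nil)
}

type Camera struct {
	priv       *rsa.PrivateKey
	gatewayPub *rsa.PublicKey // assumption: pinned, in place of certificate validation
	nonceC     []byte         // camera random number of the current attempt
}

// Hello creates the random number carried by the gateway identity authentication command.
func (c *Camera) Hello() []byte {
	c.nonceC = random16()
	return c.nonceC
}

// CheckGateway accepts the gateway only if it signed this attempt's random number.
func (c *Camera) CheckGateway(sig []byte) error {
	expected := c.nonceC
	c.nonceC = nil // each random number is checked at most once
	if expected == nil || rsa.VerifyPKCS1v15(c.gatewayPub, crypto.SHA256, digest(expected), sig) != nil {
		return errors.New("gateway failed identity verification")
	}
	return nil
}

// NewPair builds a camera and a gateway that already know each other's public keys.
func NewPair() (*Camera, *Gateway) {
	gk, err1 := rsa.GenerateKey(rand.Reader, 2048)
	ck, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	return &Camera{priv: ck, gatewayPub: &gk.PublicKey}, &Gateway{priv: gk, cameraPub: &ck.PublicKey}
}

// Handshake runs the exchange and returns the camera's copy of the first session key.
func Handshake(c *Camera, g *Gateway) ([]byte, error) {
	sig, err := g.Respond(c.Hello())
	if err != nil {
		return nil, err
	}
	if err := c.CheckGateway(sig); err != nil {
		return nil, err
	}
	wrapped, err := g.AuthCamera(&c.priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, c.priv, wrapped, nil)
}

func main() {
	key, err := Handshake(NewPair())
	fmt.Println("session key bytes:", len(key), "error:", err)
}
```

Because the camera compares against the random number of the current attempt only, a gateway response recorded from an earlier attempt fails verification.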
Optionally, the method further includes:
after executing the gate inhibition operation, the intelligent entrance guard encrypts the gate inhibition operating result with the second session key to obtain a gate inhibition operation response command, and sends the gate inhibition operation response command to the micro-control unit;
the micro-control unit receives the gate inhibition operation response command and, through the safety element, decrypts it with the second session key to obtain a gate inhibition decrypted result.
Optionally, the micro-control unit decrypting the gate inhibition operation response command with the second session key through the safety element to obtain the gate inhibition decrypted result comprises: sending to the safety element a decryption request for decrypting the gate inhibition operation response command; receiving the gate inhibition decrypted result returned by the safety element for the decryption request; wherein the decryption request includes the first command header and the first encrypted field of the gate inhibition operation response command;
the method further includes: after receiving the decryption request, the safety element decrypts the first encrypted field in the decryption request with the encryption session key in the second session key, obtaining the gate inhibition operating result and a first MAC; and performs MAC verification based on the first command header, the gate inhibition operating result and the first MAC; if the MAC verification result is that MAC verification is passed, the gate inhibition operating result and the MAC verification result are taken as the gate inhibition decrypted result; if the MAC verification result is that MAC verification is not passed, the MAC verification result is taken as the gate inhibition decrypted result; the gate inhibition decrypted result is returned to the micro-control unit.
Optionally, if the gate inhibition decrypted result received by the micro-control unit is that MAC verification is not passed, the method further includes:
the micro-control unit clears the session key and sets the state of the intelligent entrance guard to the un-authenticated state;
the micro-control unit sends an identity authentication request to the intelligent entrance guard, so that the intelligent entrance guard, in response to the identity authentication request, returns a gateway identity authentication command to the micro-control unit.
Optionally, the micro-control unit obtaining the gate inhibition operational order is specifically: sending an encryption request to the safety element, the encryption request including the second command header and the face recognition result; obtaining the second encrypted field returned by the safety element for the encryption request, and forming the gate inhibition operational order from the second encrypted field and the second command header;
the method further includes: after receiving the encryption request, the safety element performs an encryption calculation on the second command header and the face recognition result with the MAC session key in the second session key, obtaining a second ciphertext; determines a second MAC based on the resulting second ciphertext; encrypts the face recognition result and the second MAC with the encryption session key in the second session key, obtaining the second encrypted field; and returns the second encrypted field to the micro-control unit.
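The command protection described above (a MAC over command header and data, then encryption of data plus MAC, with the session key cleared when MAC verification fails), as an added Go example that is not code from the patent. Assumptions: HMAC-SHA-256 stands in for the MAC that the text derives from a ciphertext, AES-128 in CTR mode with a random IV stands in for the unspecified cipher, and all names, headers and keys are hypothetical or constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SessionKey models the second session key with its two parts.
type SessionKey struct {
	Enc []byte // encryption session key (AES-128 here)
	Mac []byte // MAC session key
}

var ErrMAC = errors.New("MAC verification failed")

// mac covers the command header and the data, so neither can be replaced alone.
func mac(k SessionKey, header, data []byte) []byte {
	m := hmac.New(sha256.New, k.Mac)
	m.Write([]byte{byte(len(header))}) // fixes the header/data boundary
	m.Write(header)
	m.Write(data)
	return m.Sum(nil)
}

// Seal is the safety element's answer to an encryption request. It returns the
// encrypted field IV || AES-CTR(data || MAC); the command is header || field.
func Seal(k SessionKey, header, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Enc)
	if err != nil || len(header) > 255 {
		return nil, errors.New("bad key or header")
	}
	field := make([]byte, aes.BlockSize, aes.BlockSize+len(data)+sha256.Size)
	if _, err := rand.Read(field); err != nil { // random IV
		return nil, err
	}
	field = append(field, data...)
	field = append(field, mac(k, header, data)...)
	body := field[aes.BlockSize:]
	cipher.NewCTR(block, field[:aes.BlockSize]).XORKeyStream(body, body)
	return field, nil
}

// Open is the safety element's answer to a decryption request: decrypt the
// field, then verify the MAC over header and data before releasing the data.
func Open(k SessionKey, header, field []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Enc)
	if err != nil || len(field) < aes.BlockSize+sha256.Size {
		return nil, ErrMAC
	}
	plain := make([]byte, len(field)-aes.BlockSize)
	cipher.NewCTR(block, field[:aes.BlockSize]).XORKeyStream(plain, field[aes.BlockSize:])
	data, tag := plain[:len(plain)-sha256.Size], plain[len(plain)-sha256.Size:]
	if !hmac.Equal(tag, mac(k, header, data)) { // constant-time comparison
		return nil, ErrMAC
	}
	return data, nil
}

// Gateway keeps the micro-control unit's view of one intelligent entrance guard.
type Gateway struct {
	Key           *SessionKey // nil once cleared
	Authenticated bool
}

// HandleResponse processes a gate inhibition operation response command. On a
// MAC failure it clears the session key and marks the entrance guard
// un-authenticated, so identity authentication has to run again.
func (g *Gateway) HandleResponse(header, field []byte) ([]byte, error) {
	if g.Key == nil || !g.Authenticated {
		return nil, errors.New("entrance guard not authenticated")
	}
	data, err := Open(*g.Key, header, field)
	if err != nil {
		g.Key, g.Authenticated = nil, false
	}
	return data, err
}

func main() {
	k := SessionKey{Enc: make([]byte, 16), Mac: make([]byte, 32)} // constructed all-zero demo keys
	header := []byte{0x80, 0x20, 0x00, 0x00}                      // constructed command header
	field, _ := Seal(k, header, []byte("door-opened"))
	g := &Gateway{Key: &k, Authenticated: true}
	data, err := g.HandleResponse(header, field)
	fmt.Printf("%q %v\n", data, err)
	field[len(field)-1] ^= 1 // one bit changed in transit
	_, err = g.HandleResponse(header, field)
	fmt.Println(err, g.Authenticated)
}
```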
Optionally, the system further includes a cloud platform, and the method further includes:
the micro-control unit obtains the status information of the camera and the intelligent entrance guard, and sends the obtained status information to the cloud platform.
Optionally, the system is provided with multiple gate inhibitions, and the intelligent entrance guard is the one among the multiple gate inhibitions that has an association relation with the camera.
Optionally, the association relation between the camera and the gate inhibition is pre-stored in an equipment association table, the equipment association table is stored in the safety element, and the micro-control unit sending the gate inhibition operation request to the intelligent entrance guard comprises:
sending a lookup request to the safety element, the lookup request including the identifier of the camera, so that the safety element searches the equipment association table for the lookup request, obtains the target identifier of the intelligent entrance guard associated with the identifier of the camera, and returns the resulting target identifier to the micro-control unit;
receiving the target identifier returned by the safety element for the lookup request, and sending the gate inhibition operation request to the intelligent entrance guard that has the target identifier.
Optionally, the method further includes:
after detecting a user instruction for adding a facial image record, the micro-control unit sends an image acquisition command to the camera, wherein the image acquisition command is obtained by encrypting the user instruction with the first session key; receives the image to be increased that the camera sends for the image acquisition command; calculates a face characteristic value based on the image to be increased, obtains the user ID corresponding to the image to be increased, and sends an increase command to the safety element; the increase command includes the face characteristic value of the image to be increased and its corresponding user ID;
after receiving the image acquisition command, the camera decrypts the received image acquisition command with the first session key to obtain the user instruction, and sends the image to be increased to the micro-control unit according to the user instruction;
after receiving the increase command, the safety element adds the face characteristic value of the image to be increased in the increase command, together with its corresponding user ID, to the face database.
Optionally, the method further includes:
the safety element sends to the micro-control unit prompt information indicating whether the addition succeeded.
Optionally, the system further includes a mobile terminal, and the method further includes:
after obtaining the third session key between itself and the micro-control unit, the mobile terminal sends a device management command to the micro-control unit, so that the micro-control unit, after receiving the device management command, manages the camera and/or the intelligent entrance guard based on the device management command.
The embodiments in this specification are described in a related manner; for the same or similar parts, the embodiments may refer to one another, and each embodiment focuses on its differences from the other embodiments. In particular, since the method embodiment is substantially similar to the system embodiment, it is described relatively briefly; for related details, refer to the description of the system embodiment.
The above are merely preferred embodiments of the present invention and are not intended to limit the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present invention shall be included in the protection scope of the present invention.

Claims (18)

1. An access control system based on face recognition, comprising an intelligent gateway, a camera and an intelligent entrance guard, wherein the intelligent gateway comprises a micro-control unit and a safety element,
The camera is configured to send a facial image to the micro-control unit after obtaining the first session key between itself and the intelligent gateway;
The micro-control unit is configured to receive the facial image sent by the camera and calculate a face characteristic value based on the facial image; and to send a face recognition command to the safety element; the face recognition command includes the face characteristic value;
The safety element is configured to compare the face characteristic value in the received face recognition command with the characteristic values in a preset face database, obtain a face recognition result according to the comparison result, and return the face recognition result to the micro-control unit;
The micro-control unit is further configured to receive the face recognition result returned by the safety element for the face recognition command; to obtain a gate inhibition operational order, and to send the gate inhibition operational order to the intelligent entrance guard; wherein the gate inhibition operational order is obtained by encrypting the face recognition result with the second session key; the second session key is the session key between the intelligent gateway and the intelligent entrance guard;
The intelligent entrance guard is configured to, after obtaining the second session key, receive the gate inhibition operational order, decrypt the received gate inhibition operational order with the second session key to obtain the face recognition result, and carry out the gate inhibition operation according to the face recognition result.
2. The system according to claim 1, characterized in that the micro-control unit calculating the face characteristic value based on the facial image is specifically:
performing face detection on the facial image;
if one and only one face region is detected in the facial image, cropping the facial image to obtain a face sub-image of a preset size, and calculating the face characteristic value for the face sub-image.
3. The system according to claim 2, characterized in that
The micro-control unit is further configured to, if multiple face regions are detected in the facial image, stop calculating the face characteristic value based on the facial image; or to crop each face region to obtain face sub-images of the preset size and calculate a face characteristic value for each face sub-image;
The safety element comparing the face characteristic value in the received face recognition command with the characteristic values in the preset face database is specifically: if the face recognition command includes multiple face characteristic values, comparing each face characteristic value with the characteristic values in the preset face database; if any one comparison succeeds, determining that the comparison result is a successful comparison; otherwise, determining that the comparison result is an unsuccessful comparison.
4. The system according to claim 3, characterized in that the face database stores the correspondence between characteristic values and user IDs, and the safety element obtaining the face recognition result according to the comparison result is specifically:
if the comparison result is a successful comparison, obtaining the target user ID corresponding to the target characteristic value that was successfully compared with the face characteristic value, looking up the target permission corresponding to the target user ID in a preset permission table, and taking the target permission and the comparison result as the face recognition result;
if the comparison result is an unsuccessful comparison, taking the comparison result as the face recognition result.
5. The system according to claim 1, characterized in that the camera is specifically configured to obtain the first session key between itself and the intelligent gateway in the following manner:
generating a camera random number and sending a gateway identity authentication command to the micro-control unit, the gateway identity authentication command including the camera random number;
receiving the response command returned by the micro-control unit, and performing identity verification on the intelligent gateway with the response data in the response command;
if it is determined that the intelligent gateway has passed identity verification, sending a camera identity verification command to the micro-control unit, so that the micro-control unit, after determining that the camera has passed identity verification, obtains the first session key encrypted with the camera public key and sends the encrypted first session key to the camera; the camera identity verification command includes the camera public key;
decrypting the received encrypted first session key with the pre-stored camera private key to obtain the first session key.
6. The system according to claim 1, characterized in that the response data includes a gateway certificate, a gateway random number, and a camera random number signature value generated based on the camera random number; the camera performing identity verification on the intelligent gateway with the response data in the response command is specifically:
decrypting the camera random number signature value with the intelligent gateway public key in the gateway certificate to obtain a first validation value; if the camera random number is equal to the first validation value, determining that the gateway authentication result is that the intelligent gateway has passed identity verification; otherwise, determining that the gateway authentication result is that the intelligent gateway has not passed identity verification.
7. The system according to claim 1, characterized in that the micro-control unit is specifically configured to obtain the first session key encrypted with the camera public key in the following manner:
based on the received camera identity verification command, sending a verification command to the safety element; receiving the camera verification result returned by the safety element for the verification command; if the camera verification result is that the camera has passed identity verification, receiving the first session key, encrypted with the camera public key, that is sent by the safety element.
8. The system according to claim 1, characterized in that
The intelligent entrance guard is further configured to, after executing the gate inhibition operation, encrypt the gate inhibition operating result with the second session key to obtain a gate inhibition operation response command, and send the gate inhibition operation response command to the micro-control unit;
The micro-control unit is further configured to receive the gate inhibition operation response command and, through the safety element, decrypt it with the second session key to obtain a gate inhibition decrypted result.
9. The system according to claim 8, characterized in that
The micro-control unit decrypting the gate inhibition operation response command with the second session key through the safety element to obtain the gate inhibition decrypted result is specifically: sending to the safety element a decryption request for decrypting the gate inhibition operation response command; receiving the gate inhibition decrypted result returned by the safety element for the decryption request; wherein the decryption request includes the first command header and the first encrypted field of the gate inhibition operation response command;
The safety element is further configured to, after receiving the decryption request, decrypt the first encrypted field in the decryption request with the encryption session key in the second session key, obtaining the gate inhibition operating result and a first MAC; and to perform MAC verification based on the first command header, the gate inhibition operating result and the first MAC; if the MAC verification result is that MAC verification is passed, the gate inhibition operating result and the MAC verification result are taken as the gate inhibition decrypted result; if the MAC verification result is that MAC verification is not passed, the MAC verification result is taken as the gate inhibition decrypted result; the gate inhibition decrypted result is returned to the micro-control unit.
10. The system according to claim 9, characterized in that the micro-control unit is further configured to:
if the received gate inhibition decrypted result is that MAC verification is not passed, clear the session key and set the state of the intelligent entrance guard to the un-authenticated state;
send an identity authentication request to the intelligent entrance guard, so that the intelligent entrance guard, in response to the identity authentication request, returns a gateway identity authentication command to the micro-control unit.
11. The system according to claim 1, characterized in that
The micro-control unit obtaining the gate inhibition operational order is specifically: sending an encryption request to the safety element, the encryption request including the second command header and the face recognition result; obtaining the second encrypted field returned by the safety element for the encryption request, and forming the gate inhibition operational order from the second encrypted field and the second command header;
The safety element is further configured to, after receiving the encryption request, perform an encryption calculation on the second command header and the face recognition result with the MAC session key in the second session key, obtaining a second ciphertext; determine a second MAC based on the resulting second ciphertext; encrypt the face recognition result and the second MAC with the encryption session key in the second session key, obtaining the second encrypted field; and return the second encrypted field to the micro-control unit.
12. The system according to claim 1, characterized in that the system further includes a cloud platform, and the micro-control unit is further configured to: obtain the status information of the camera and the intelligent entrance guard, and send the obtained status information to the cloud platform.
13. The system according to claim 1, characterized in that the system is provided with multiple gate inhibitions, and the intelligent entrance guard is the one among the multiple gate inhibitions that has an association relation with the camera.
14. The system according to claim 12, characterized in that the association relation between the camera and the gate inhibition is pre-stored in an equipment association table, the equipment association table is stored in the safety element, and the micro-control unit sending the gate inhibition operation request to the intelligent entrance guard is specifically:
sending a lookup request to the safety element, the lookup request including the identifier of the camera, so that the safety element searches the equipment association table for the lookup request, obtains the target identifier of the intelligent entrance guard associated with the identifier of the camera, and returns the resulting target identifier to the micro-control unit;
receiving the target identifier returned by the safety element for the lookup request, and sending the gate inhibition operation request to the intelligent entrance guard that has the target identifier.
15. The system according to claim 1, characterized in that
The micro-control unit is further configured to, after detecting a user instruction for adding a facial image record, send an image acquisition command to the camera, wherein the image acquisition command is obtained by encrypting the user instruction with the first session key; receive the image to be increased that the camera sends for the image acquisition command; calculate a face characteristic value based on the image to be increased, obtain the user ID corresponding to the image to be increased, and send an increase command to the safety element; the increase command includes the face characteristic value of the image to be increased and its corresponding user ID;
The camera is further configured to, after receiving the image acquisition command, decrypt the received image acquisition command with the first session key to obtain the user instruction, and send the image to be increased to the micro-control unit according to the user instruction;
The safety element is further configured to, after receiving the increase command, add the face characteristic value of the image to be increased in the increase command, together with its corresponding user ID, to the face database.
16. The system according to claim 14, characterized in that
The safety element is further configured to send to the micro-control unit prompt information indicating whether the addition succeeded.
17. The system according to claim 1, characterized in that the system further includes a mobile terminal,
The mobile terminal is configured to, after obtaining the third session key between itself and the micro-control unit, send a device management command to the micro-control unit, so that the micro-control unit, after receiving the device management command, manages the camera and/or the intelligent entrance guard based on the device management command.
18. An access control method based on face recognition, characterized in that it is applied to the system of claim 1, the method including:
after obtaining the first session key between itself and the intelligent gateway, the camera sends a facial image to the micro-control unit;
the micro-control unit receives the facial image sent by the camera and calculates a face characteristic value based on the facial image; and sends a face recognition command to the safety element; the face recognition command includes the face characteristic value;
the safety element compares the face characteristic value in the received face recognition command with the characteristic values in a preset face database, obtains a face recognition result according to the comparison result, and returns the face recognition result to the micro-control unit;
the micro-control unit receives the face recognition result returned by the safety element for the face recognition command; obtains a gate inhibition operational order, and sends the gate inhibition operational order to the intelligent entrance guard; wherein the gate inhibition operational order is obtained by encrypting the face recognition result with the second session key; the second session key is the session key between the intelligent gateway and the intelligent entrance guard;
after obtaining the second session key, the intelligent entrance guard receives the gate inhibition operational order, decrypts the received gate inhibition operational order with the second session key to obtain the face recognition result, and carries out the gate inhibition operation according to the face recognition result.
CN201910097904.3A 2019-01-31 2019-01-31 Access control system and access control method based on face recognition Active CN109903433B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910097904.3A CN109903433B (en) 2019-01-31 2019-01-31 Access control system and access control method based on face recognition

Publications (2)

Publication Number Publication Date
CN109903433A true CN109903433A (en) 2019-06-18
CN109903433B CN109903433B (en) 2022-02-11

Family

ID=66944531

Country Status (1)

Country Link
CN (1) CN109903433B (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110609920A (en) * 2019-08-05 2019-12-24 华中科技大学 Pedestrian hybrid search method and system in video monitoring scene
CN110705357A (en) * 2019-09-02 2020-01-17 深圳中兴网信科技有限公司 Face recognition method and face recognition device
CN110796021A (en) * 2019-10-08 2020-02-14 中国建设银行股份有限公司 Identity authentication method and device applied to self-service equipment
CN110930574A (en) * 2019-11-26 2020-03-27 深圳神目信息技术有限公司 Access control method and system and intelligent device
CN111914637A (en) * 2020-06-28 2020-11-10 普瑞达建设有限公司 Intelligent face recognition integrated management method and system
CN112489282A (en) * 2020-12-02 2021-03-12 杭州国辰机器人科技有限公司 Entrance guard attendance checking method, system, computer equipment and storage medium
CN112738067A (en) * 2020-12-25 2021-04-30 中国农业银行股份有限公司 Face recognition method, device and equipment
CN113034769A (en) * 2021-03-03 2021-06-25 唐山市就业服务中心 Access control system and method based on face recognition
CN113869284A (en) * 2021-11-09 2021-12-31 深圳市中讯网联科技有限公司 Security image face privacy authority protection method and system
CN114495343A (en) * 2021-12-31 2022-05-13 深圳亿达天下科技有限公司 Access control management system and access control management method
CN114882630A (en) * 2022-04-27 2022-08-09 广东职业技术学院 Internet of things access control system and control method thereof
CN115331344A (en) * 2021-05-11 2022-11-11 天地融科技股份有限公司 Entrance guard authentication method, device and system for preventing privacy disclosure
WO2022237550A1 (en) * 2021-05-11 2022-11-17 天地融科技股份有限公司 Access control authentication method, apparatus and system for preventing privacy leak

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102945366A (en) * 2012-11-23 2013-02-27 海信集团有限公司 Method and device for face recognition
CN108053530A (en) * 2017-12-17 2018-05-18 深圳禾思众成科技有限公司 A kind of intelligent access control system of the Yun Jiaduan based on face recognition
CN108650219A (en) * 2018-03-27 2018-10-12 王晓华 A kind of method for identifying ID, relevant apparatus, equipment and system
CN108712246A (en) * 2018-03-27 2018-10-26 王晓华 A kind of smart home device and system and passwords of visitors acquisition methods
CN109118616A (en) * 2018-07-09 2019-01-01 深圳市商汤科技有限公司 access control method and access control device
CN109243029A (en) * 2018-09-11 2019-01-18 河南省云乐科技有限公司 A kind of intelligent access control system

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110609920A (en) * 2019-08-05 2019-12-24 华中科技大学 Pedestrian hybrid search method and system in video monitoring scene
CN110705357A (en) * 2019-09-02 2020-01-17 深圳中兴网信科技有限公司 Face recognition method and face recognition device
CN110796021A (en) * 2019-10-08 2020-02-14 中国建设银行股份有限公司 Identity authentication method and device applied to self-service equipment
CN110930574A (en) * 2019-11-26 2020-03-27 深圳神目信息技术有限公司 Access control method and system and intelligent device
CN111914637A (en) * 2020-06-28 2020-11-10 普瑞达建设有限公司 Intelligent face recognition integrated management method and system
CN111914637B (en) * 2020-06-28 2021-05-04 普瑞达建设有限公司 Intelligent face recognition integrated management method and system
CN112489282A (en) * 2020-12-02 2021-03-12 杭州国辰机器人科技有限公司 Entrance guard attendance checking method, system, computer equipment and storage medium
CN112738067B (en) * 2020-12-25 2023-03-24 中国农业银行股份有限公司 Face recognition method, device and equipment
CN112738067A (en) * 2020-12-25 2021-04-30 中国农业银行股份有限公司 Face recognition method, device and equipment
CN113034769A (en) * 2021-03-03 2021-06-25 唐山市就业服务中心 Access control system and method based on face recognition
CN115331344A (en) * 2021-05-11 2022-11-11 天地融科技股份有限公司 Entrance guard authentication method, device and system for preventing privacy disclosure
WO2022237550A1 (en) * 2021-05-11 2022-11-17 天地融科技股份有限公司 Access control authentication method, apparatus and system for preventing privacy leak
CN113869284A (en) * 2021-11-09 2021-12-31 深圳市中讯网联科技有限公司 Security image face privacy authority protection method and system
CN114495343A (en) * 2021-12-31 2022-05-13 深圳亿达天下科技有限公司 Access control management system and access control management method
CN114495343B (en) * 2021-12-31 2024-02-13 深圳亿达天下科技有限公司 Entrance guard safety control management system and entrance guard safety control management method
CN114882630A (en) * 2022-04-27 2022-08-09 广东职业技术学院 Internet of things access control system and control method thereof

Also Published As

Publication number Publication date
CN109903433B (en) 2022-02-11

Similar Documents

Publication Publication Date Title
CN109903433A (en) A kind of access control system and access control method based on recognition of face
CN110462692B (en) Safety communication method based on intelligent lock system and intelligent lock system thereof
CN108270571B (en) Internet of Things identity authorization system and its method based on block chain
US9253162B2 (en) Intelligent card secure communication method
Liu et al. A physically secure, lightweight three-factor and anonymous user authentication protocol for IoT
KR101753859B1 (en) Server and method for managing smart home environment thereby, method for joining smart home environment and method for connecting communication session with smart device
CN108737104A (en) Electronic device for Verification System
CN109714360B (en) Intelligent gateway and gateway communication processing method
CN107404472A (en) The migration of Client-initiated encryption key
CN108418691A (en) Dynamic network identity identifying method based on SGX
CN103685323A (en) Method for realizing intelligent home security networking based on intelligent cloud television gateway
CN102546155A (en) On-demand secure key generation
JP2015504222A (en) Data protection method and system
CN110234111A (en) A kind of two-factor authentication key agreement protocol suitable for multiple gateway wireless sensor network
CN106789024B (en) A kind of remote de-locking method, device and system
CN109922047B (en) Image transmission system and method
CN104113839A (en) Mobile data safety protection system and method based on SDN
RU2645597C2 (en) Method of authentication in data hidden terminal transmission channel
KR20140046474A (en) Communication method utilizing fingerprint information for authentication
CN101789866A (en) High-reliability safety isolation and information exchange method
CN110147666A (en) Lightweight NFC identity identifying method, Internet of Things communications platform under scenes of internet of things
CN114398627A (en) Zero-trust-based power scheduling quantum password cloud application system and method
CN106230840B (en) A kind of command identifying method of high security
Wu et al. Internet of Things Security
CN109922022A (en) Internet of Things communication means, platform, terminal and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant