CN110086809B - Permission operation on nearby target facilities through mobile equipment

Publication number
CN110086809B
Authority
CN
China
Prior art keywords
target facility
mobile device
authority
permission
request
Legal status
Active
Application number
CN201910352716.0A
Other languages
Chinese (zh)
Other versions
CN110086809A (en)
Inventor
吴平
Current Assignee
Individual
Original Assignee
Individual
Classifications

    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • G07C9/30 Individual registration on entry or exit not involving the use of a pass
    • G07C9/32 Individual registration on entry or exit not involving the use of a pass in combination with an identity check
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The invention discloses a method for performing permission operations on nearby target facilities through a mobile device, comprising the following steps: the target facility broadcasts a message about the rights; when the mobile device approaches the target facility, it receives the message about the rights from the target facility; based on the received message, the mobile device sends identity information and a request for rights to the target facility to a server; the server processes the identity information and the permission request to generate a permission response, and transmits the permission response to the mobile device; based on the permission response, the mobile device interacts with the target facility, whereby the target facility verifies the permissions of the mobile device, thereby enabling the mobile device to operate the target facility with the corresponding permissions. The invention is suited to short-range communication permission authentication in which multiple users and multiple targets can change their permission relationships at any time, and is particularly suited to permission operations on non-networked target facilities.

Description

Permission operation on nearby target facilities through mobile equipment
This application is a divisional of a Chinese patent application filed on July 13, 2016, with application number 201610547626.3 and the title 'Permission operation on nearby target facilities through mobile equipment'.
Technical Field
The invention relates to acquisition and authentication of rights, and more particularly to performing rights operations on nearby target facilities through a mobile device.
Background
Among existing devices that require permission to operate, those that are not deployed in a single place but distributed across many places (multipoint, multi-region coverage), and that must perform actual physical actions tied to permissions, have to be networked in order to authenticate the operator's permissions.
For example, door locks with a rights management function that are distributed in multiple places, such as the door locks of many offices or buildings or the entrance locks of residential compounds, must be networked, because their rights information needs to be synchronized from a server over a network.
Likewise, although the docking stakes of public bicycles support authentication by scanning a code, the stake's networking module is still essential, because the result of a successful scan is sent to the stake over the network. Charging piles and card-swipe time-sharing rental management systems, such as electric vehicle time-sharing rental, are similar.
In the applications above, if multiple users need to perform permission operations at multiple points, the target device must be networked to interact with the server in order to authenticate each user's permissions at each point. This makes the target device cumbersome to deploy and complicated to maintain. In remote areas in particular, network conditions are sometimes poor, which causes great trouble in deployment and maintenance and ultimately a poor user experience.
Some existing devices are not networked. Such devices store the identity information of a number of users in their own memory in advance so that they can authenticate those users at any time. Other devices do not store user identity information but store a decryption algorithm: a user with operating permission sends a key-like message, and the device runs the decryption algorithm on that message to determine whether the user has permission to operate. These approaches are clearly high-risk because the authentication is static. For example, a third party may steal user identity information directly from device memory, or intercept the user's key information. In short, current non-networked devices do not solve the security problem; they are effectively equivalent to a traditional door lock, carry an even greater hazard of leaking user identity information, and are particularly unsuitable for application scenarios with multiple users and multiple deployment sites.
Therefore, there is a need for a technique for short-range communication authorization authentication that allows multiple users and multiple targets to change authorization relationships at any time, and is particularly suitable for authorization operations on non-networked target facilities.
Disclosure of Invention
The invention aims to provide a technology for short-range communication authority authentication, which enables multiple users and multiple targets to change authority relationship at any time and is particularly suitable for authority operation on non-networked target facilities.
According to a first aspect of the present invention, there is provided a method for acquiring rights of a nearby target facility by a mobile device, comprising: the target facility broadcasts a message about the rights; when the mobile device approaches the target facility, it receives the message about the rights from the target facility; based on the received message, the mobile device sends identity information and a request for rights to the target facility to a server; the server processes the identity information and the permission request to generate a permission response, and transmits the permission response to the mobile device; based on the permission response, the mobile device interacts with the target facility, whereby the target facility verifies the permissions of the mobile device, thereby enabling the mobile device to operate the target facility with the corresponding permissions.
Preferably, the broadcasting of the target facility and the interaction of the mobile device with the target facility are performed by a bluetooth communication protocol.
Preferably, the identity information comprises at least one of: a mobile phone number, an IMEI code, a user ID of the mobile device, a website or service ID.
Preferably, the target facility is one of: an entrance guard (access control), a vending machine, a bag storage locker, a charging pile, an automatic lock, a toll station, a self-service bank.
Preferably, the interacting of the mobile device with the target facility based on the permission response further comprises: based on the permission response, the mobile device initiates an encrypted action message to the target facility; the target facility verifies the action message using the inherent cryptographic algorithm and, if the verification is successful, allows the mobile device to operate the target facility with the corresponding rights.
Preferably, the interacting of the mobile device with the target facility based on the permission response further comprises: the target facility initiates a secondary authentication dynamic message to the mobile equipment; the mobile equipment initiates a secondary authentication request to a server based on a secondary authentication dynamic message initiated by the target facility; the server verifies the secondary authentication request and transmits a secondary authentication response to the mobile equipment; and the mobile equipment sends the secondary authentication response to the target facility for verification, and if the verification is successful, the target facility allows the mobile equipment to operate the target facility with corresponding authority.
Preferably, the permission response is a one-time message or a message with an effective time limit.
Preferably, the secondary authentication response is a one-time message or a message with a validity time limit.
Preferably, the server processing the identity information and the permission request to generate a permission response, and transmitting the permission response to the mobile device, further comprises:
1) the server receiving identity information and a permission request from the mobile device;
2) the server determines whether the mobile device has the authority required by the authority request for the target facility, based on a plurality of identity information stored in a memory of the server and the authority relationships between the identity information and a plurality of target facilities;
3) if the mobile device is determined to possess the required permission of the permission request for the target facility, directly executing step 5);
4) if the mobile device is determined not to have the authority required by the authority request for the target facility, the server establishes the authority relationship required by the authority request between the identity information and the target facility and stores the authority relationship in a memory;
5) the server transmits the corresponding permission license as a permission response to the mobile device.
According to a second aspect of the present invention, there is provided a mobile device comprising: a memory for storing identity information; and a controller to cause the mobile device to: receive a message about the rights from the target facility when the mobile device approaches the target facility; transmit, based on the received message, the identity information stored in the memory and a permission request for the target facility to the server; and receive the permission response from the server and interact with the target facility based on the permission response, so that the permission is verified by the target facility and the target facility can be operated with the corresponding permission.
According to a third aspect of the present invention, there is provided a server comprising: a memory for storing a plurality of identity information and the authority relationships between the identity information and a plurality of target facilities; and a controller to cause the server to: 1) receive, from a mobile device, identity information and a permission request for a target facility near the mobile device; 2) determine whether the mobile device possesses the authority required by the permission request for the target facility, based on the plurality of identity information stored in the memory and the authority relationships between the identity information and the plurality of target facilities; 3) if the mobile device is determined to possess the authority required by the permission request for the target facility, directly execute step 5); 4) if the mobile device is determined not to possess the authority required by the permission request for the target facility, establish the authority relationship required by the permission request between the identity information and the target facility and store it in the memory; 5) send the corresponding permission license to the mobile device as a permission response to enable the mobile device to interact with the target facility, whereby the target facility verifies the permissions of the mobile device to enable the mobile device to operate the target facility with the corresponding permissions.
According to a fourth aspect of the present invention, there is provided a target facility comprising: a memory storing messages about the rights; and a controller to cause the target facility to: broadcast the message about the rights stored in the memory, so that a nearby mobile device makes a permission request to a server according to the message and its own identity information; and interact with the mobile device and verify the authority of the mobile device based on the permission response the mobile device obtained from the server, so that the mobile device can operate the target facility with the corresponding authority.
The invention is particularly suited to the following application scenario: the target facilities are widely distributed across many physical places, and many users hold operating permission for target facilities at unspecified physical places, so a user has no preset or stored information about, and no prior contact with, a given target facility; at some time and place, the user has a one-time need to operate such a facility, for example a vending machine, a bag storage locker or a charging pile.
The invention is suited to permission operations on non-networked target facilities. The target facility only needs a short-range communication capability, such as Bluetooth, Near Field Communication (NFC), infrared, WiFi or WLAN, so that it can exchange information with the user's mobile device; this is enough for multiple users and multiple targets to authenticate their permission relationships at any time.
Drawings
The invention is described below with reference to the embodiments with reference to the drawings. In the drawings:
FIG. 1 is a schematic diagram illustrating a scenario in which rights to a nearby target facility are obtained through a mobile device according to an embodiment of the present invention.
Fig. 2 is a basic schematic diagram illustrating a mobile device according to the present invention.
Fig. 3 is a flow chart illustrating a method performed by a controller of a mobile device according to the present invention.
Fig. 4 is a basic schematic diagram illustrating a server according to the present invention.
Fig. 5 is a flow chart illustrating a method performed by a controller of a server according to the present invention.
Fig. 6 is a basic schematic diagram illustrating a target facility according to the present invention.
FIG. 7 is a flow chart illustrating a method performed by a controller of a target facility in accordance with the present invention.
FIG. 8 is a flow diagram illustrating a method of acquiring rights to a nearby target facility through a mobile device in accordance with an embodiment of the present invention.
Fig. 9 is a signal flow diagram illustrating a method of communicating from an access facility via a mobile device in accordance with a specific embodiment of the present invention.
Fig. 10 is a signal flow diagram illustrating a method of picking items from a vending machine via a mobile device in accordance with a specific embodiment of the present invention.
Detailed Description
Specific embodiments of the present invention will be explained in detail below with reference to the accompanying drawings.
FIG. 1 is a schematic diagram illustrating a scenario in which rights to a nearby target facility are obtained through a mobile device according to an embodiment of the present invention.
As shown in fig. 1, a user brings the mobile device 100 into the vicinity of a target facility 300 that requires a corresponding right to operate. In the present invention, the target facility 300 may be any of various unattended facilities such as an entrance guard, a vending machine, a bag storage locker, a charging pile, an automatic lock, a toll station, a self-service bank, etc., and target facilities 300 may be distributed at many places to meet the needs of users in different regions. A user holding the mobile device 100 may approach a certain target facility 300. The mobile device 100 or user has not previously contacted or exchanged information with the target facility 300 at this particular site, but the user or mobile device 100 may already hold permission to operate a non-specific target facility 300 (e.g., one at any site). Alternatively, the user or the mobile device 100 does not hold the rights, but can obtain them on the spot through various transaction means such as purchase, exchange, gifting, etc. Since the mobile device 100 or user has had no prior contact or information exchange with the target facility 300, the unspecified target facility 300 does not know whether the equally unspecified mobile device 100 or user has the corresponding right to operate it. In this case, the user of the mobile device 100 must have the right verified, or acquire it, in order to operate the target facility 300; if the target facility is not networked, the verification or acquisition of the right must be requested from the cloud server 200 through the mobile device 100. Before making this request, the mobile device 100 receives the broadcast message of the target facility 300 (if it is close enough). The broadcast message is a message about the rights.
Based on the message, the mobile device 100 requests permission verification from the cloud server 200 in order to verify its own permission or obtain the corresponding permission, and uses that permission to interact with the target facility 300 and thereby operate it.
Fig. 2 is a basic schematic diagram illustrating a mobile device according to the present invention. As shown in fig. 2, the mobile device 100 includes a memory 101 and a controller 102. It should be understood by those skilled in the art that the mobile device 100 also comprises other functional modules; however, in order not to obscure the invention with other prior art, only the modules and functions of the mobile device associated with the solution of the invention are described herein. Memory 101 of mobile device 100 may store identity information. When the mobile device 100 is a mobile phone, the identity information may be a mobile phone number (e.g., an 11-digit mobile phone number used in China). Further, the identity information of the mobile device 100 may be an IMEI code. Further, the identity information may also be a user ID of the mobile device in the conventional sense (e.g., an identification number, a bank account number or other certificate, or the number of a ticket such as a coupon, loyalty card, membership card, etc.). Today, users are likely to have many more virtual identities, such as the IDs of some websites or services. With the identities enumerated above, the user may have previously purchased or obtained some operating rights for target facilities at unspecified locations, and the credential used to purchase or obtain these rights is the identity information. Alternatively, the user or the mobile device 100 does not currently hold the right, but the corresponding right can be obtained online on the spot through various transaction means such as purchase, exchange, gift, and the like. Therefore, in the present invention, the identity information stored in the memory 101 of the mobile device 100 is the identity information used to verify whether the user or the mobile device 100 has the corresponding right to operate the target facility 300, or to obtain the corresponding right.
Fig. 3 is a flow chart illustrating a method performed by a controller of a mobile device according to the present invention. Specifically, as shown in fig. 3, in the method S100, the controller 102 of the mobile device 100 causes the mobile device 100 to perform the following operations. The method S100 begins at step S101 by receiving a message about the rights from the target facility 300 when the mobile device 100 approaches the target facility 300. In step S103, based on the received message, the identity information stored in the memory 101 and the permission request for the target facility 300 are transmitted to the server 200. In step S105, a permission response, which is a verification of the authority of the mobile device 100 or the user to operate the target facility 300, is received from the server 200. Based on the permission response, the controller 102 of the mobile device 100 causes the mobile device 100 to interact with the target facility 300, so that the permission is verified by the target facility 300 and the target facility 300 can be operated with the corresponding permission. Subsequently, the method S100 ends.
Fig. 4 is a basic schematic diagram illustrating a server according to the present invention. As shown in fig. 4, the cloud server 200 includes a memory 201 and a controller 202. It should be understood by those skilled in the art that the server 200 also includes other functional modules, however, in order not to obscure the present invention with other prior art, only the modules and functions associated with the technical solution of the present invention in the server are described herein. The memory 201 of the server 200 may store a plurality of identity information and their authority relationships with a plurality of target facilities. For example, a plurality of identity information and their authority relationships with a plurality of target facilities may be stored as a mapping table, wherein one identity information may correspond to a plurality of different target facilities or to a plurality of the same target facilities physically located at different locations.
Fig. 5 is a flow chart illustrating a method performed by a controller of a server according to the present invention. Specifically, as shown in fig. 5, in the method S200, the controller 202 of the cloud server 200 causes the server 200 to perform the following operations. The method S200 begins at step S201 by receiving identity information and a request for permission to its proximate target facility 300 from the mobile device 100. In step S203, it is determined whether the mobile device 100 possesses the authority required by the authority request for the target facility 300 based on the plurality of identity information stored in the memory and the authority relationship between the plurality of identity information and the plurality of target facilities. If it is determined that the mobile device 100 has the rights required by the rights request for the target facility 300, that is, if the determination result of step S203 is yes, step S207 is directly performed, and a corresponding rights permission is sent to the mobile device 100 as a rights response, so that the mobile device 100 can interact with the target facility 300, and thus the target facility 300 verifies the rights of the mobile device 100, so that the mobile device 100 can operate the target facility with the corresponding rights. On the other hand, if it is determined that the mobile device 100 does not have the authority required by the authority request to the target facility 300, that is, if the determination result of step S203 is "no", step S205 is performed, and the server establishes the authority relationship required by the authority request between the identity information and the target facility and stores the authority relationship in the memory 201. 
Next, the method S200 proceeds to step S207, and, as mentioned before, a corresponding permission license is sent to the mobile device 100 as a permission response to enable the mobile device 100 to interact with the target facility 300, whereby the target facility 300 verifies the permission of the mobile device 100 to enable the mobile device 100 to operate the target facility 300 with the corresponding permission.
Fig. 6 is a basic schematic diagram illustrating a target facility according to the present invention. As shown in fig. 6, the target facility 300 includes a memory 301 and a controller 302. It should be understood by those skilled in the art that the target facility 300 also includes other functional modules; however, in order not to obscure the present invention with other prior art, only the modules and functions of the target facility associated with the technical solution of the present invention are described herein. The memory 301 of the target facility 300 may store messages about the rights. Here, the message about the rights means the following: first, the target facility 300 declares through this message that the mobile device 100 must hold certain rights in order to operate it; second, the target facility 300 may give its own specific identifier (e.g. MAC address or other special ID) in the message, so that the mobile device 100 can determine by itself, or verify through the server 200, whether it has the operation right for the target facility with that identifier; in addition, the message about the rights also includes a list of rights, how to obtain the corresponding rights, or the price or transaction means for each right, and so on. For example, the mobile device 100 sends the message about the rights (target facility identification) and the identity information (user identity) to the server 200; the server 200 may then query whether the user has a mapping with the target facility and what rights relationship exists. If there is no existing rights relationship, the corresponding rights may be obtained through a transaction such as a purchase, after which the rights relationship is established.
FIG. 7 is a flow chart illustrating a method performed by a controller of a target facility in accordance with the present invention. Specifically, as shown in fig. 7, in the method S300, the controller 302 of the target facility 300 causes the target facility 300 to perform the following operations. The method S300 starts at step S301 with broadcasting the message about the rights stored in the memory 301, so that a nearby mobile device 100 makes a permission request to the server 200 based on the message and its own identity information. In step S303, the target facility 300 interacts with the mobile device 100 and verifies the authority of the mobile device 100 based on the permission response that the mobile device 100 obtained from the server 200, so that the mobile device 100 can operate the target facility 300 with the corresponding authority. Subsequently, the method S300 ends.
The method and preferred embodiment of the present invention are described in detail below with reference to fig. 8 and 9.
FIG. 8 is a flow diagram illustrating a method of acquiring rights to a nearby target facility through a mobile device in accordance with an embodiment of the present invention.
As shown in fig. 8, a method S800 of acquiring rights of a nearby target facility by a mobile device begins at step S801, where the target facility 300 broadcasts a message about the rights. As described above, the message about the rights means the following: first, the target facility 300 declares through this message that the mobile device 100 must hold certain rights in order to operate it; second, the target facility 300 may give its own specific identifier in the message, so that the mobile device 100 can determine by itself, or verify through the server 200, whether it has the operation right for the target facility with that identifier; in addition, the message about the rights also includes a list of rights, how to obtain the corresponding rights, or the price or transaction means for each right, and so on.
In a preferred embodiment of the present invention, the target facility 300 is equipped with a bluetooth module that can communicate with the mobile device 100 via bluetooth. Here, the target facility 300 broadcasts a message about the authority through bluetooth. It will be appreciated by those skilled in the art that the broadcasting of the target facility 300 may also be accomplished by other short-range wireless communication protocols, such as Near Field Communication (NFC), infrared, WiFi, or WLAN.
In step S803, when the mobile device 100 approaches the target facility 300, a message about the authority is received from the target facility 300. As described above, the target facility 300 broadcasts the message regarding the authority through the bluetooth, and when the mobile device 100 comes within a range capable of receiving the bluetooth broadcast, that is, approaches the target facility 300, the message regarding the authority may be received, whereby the mobile device 100 is informed that there is a target facility 300 nearby and the target facility 300 requires the authority to operate. If the user of the mobile device 100 does need to operate this target facility 300, the user may manipulate the mobile device 100 to continue the following process. Otherwise, the user may also ignore bluetooth broadcasts if not interested in such a target facility 300.
Based on the received message on the authority from the target facility 300, the mobile device 100 transmits identity information and an authority request to the target facility 300 to the server 200 at step S805. As described above, the identity information includes at least one of: a mobile phone number, an IMEI code, a user ID of the mobile device, a website or service ID.
In step S807, the server 200 processes the identity information and the permission request to generate a permission response, and transmits the permission response to the mobile device 100. Here, the server 200 performs the authority verification through the identity information and the authority request. For example, as previously described, the memory 201 of the server 200 may store a plurality of identity information and their authority relationships with a plurality of target facilities. For example, a plurality of identity information and their authority relationships with a plurality of target facilities may be stored as a mapping table, wherein one identity information may correspond to a plurality of different target facilities or to a plurality of the same target facilities physically located at different locations. By retrieving in the memory 201, the server 200 can complete the work of the authority verification.
On the other hand, if the mobile device 100 does not have the rights required by the rights request to the target facility 300, the server 200 may establish the rights relationship required by the rights request between the identity information and the target facility and store the rights relationship in the memory 201 of the server 200. The server 200 then transmits the corresponding rights permissions to the mobile device 100 as a rights response.
Based on the permission response, the mobile device 100 interacts with the target facility 300, whereby the target facility 300 verifies the permission of the mobile device 100, thereby enabling the mobile device 100 to operate the target facility 300 with the corresponding permission at step S809. Similarly, the interaction of the mobile device with the target facility may be via a Bluetooth communication protocol, or may be via other short-range wireless communication protocols, such as Near Field Communication (NFC), infrared, WiFi, or WLAN.
In addition, the permission response is preferably a one-time message or a message having an effective time limit. That is, each permission response generated by the server 200 is limited to the current permission request of the mobile device 100, and the mobile device 100 can use the permission response only once after receiving it: whether the permission response ultimately carries permission, no permission, or a particular level or function of permission, it is invalidated after the interaction with the target facility 300. Alternatively, the permission response has a certain validity time; if the mobile device 100 does not use it promptly and misses the validity time, the permission response becomes invalid, and the mobile device 100 must again make a permission request to the server 200 for the target facility 300 to obtain a new permission response.
Specifically, at step S809, the interaction of the mobile device 100 with the target facility 300 may include: based on the permission response, the mobile device 100 initiates an encrypted action message to the target facility 300; the target facility 300 verifies the action message using its inherent encryption algorithm and, if the verification is successful, allows the mobile device 100 to operate the target facility 300 with the corresponding rights.
For further security, secondary authentication may also be considered. For example, the target facility 300 initiates a secondary authentication dynamic message to the mobile device 100. The mobile device 100 initiates a secondary authentication request to the server 200 based on the secondary authentication dynamic message initiated by the target facility 300. The server 200 verifies the secondary authentication request and transmits a secondary authentication response to the mobile device 100. The mobile device 100 sends the secondary authentication response to the target facility 300 for verification. Only if the secondary authentication is verified successfully does the target facility 300 allow the mobile device 100 to operate the target facility 300 with the corresponding rights. Similarly, the secondary authentication response may also be a one-time message or a message with a validity time limit.
In a preferred embodiment of the present invention, the target facility 300 is a gate facility; thus, the mobile device 100 operating the gate facility 300 with the corresponding authority includes allowing the user of the mobile device 100 to pass through the gate facility 300 and prohibiting the user of the mobile device 100 from passing through the gate facility 300. This scenario will be explained in more detail in the following description in conjunction with fig. 9.
In a preferred embodiment of the present invention, the target facility 300 may also be a vending machine; thus, the mobile device 100 operating the vending machine 300 with the corresponding authority includes allowing the user of the mobile device 100 to obtain goods from the vending machine and prohibiting the user from obtaining goods. This scenario will be explained in more detail in the following description in conjunction with fig. 10.
Following step S809, method S800 may end.
Fig. 9 is a signal flow diagram illustrating a method of communicating from an access facility via a mobile device in accordance with a specific embodiment of the present invention.
As shown in fig. 9, the mobile device may be a mobile phone and the target facility may be an access control facility. A Bluetooth communication module is installed in the access control facility, so that, in use, the facility may broadcast via Bluetooth continuously, periodically, or according to a certain rule or principle, as shown in step S901 of method S900.
When a user carrying the mobile phone moves into the receiving range of the Bluetooth broadcast, the mobile phone can receive the broadcast sent by the access control facility through its own Bluetooth module, and thereby learns that an access control facility is present and that it can be passed only with permission.
In a preferred embodiment of the present invention, since the access control facility may be an off-network facility, it may not be able to query independently whether a mobile phone (or its user) that wants to pass through has the right to do so. Such inquiry and authentication need to be accomplished through information exchange between the mobile phone and the server.
Based on the received Bluetooth broadcast, the mobile phone transmits its own identity information to the server along with a release request at step S902. The server determines and verifies whether the identity information corresponds to the right to pass through the access control facility. In practice, the operations on the mobile phone may be carried out by a mobile phone application (app). For example, the app automatically recognizes the Bluetooth broadcast and then, in response to the message regarding the permission, generates and sends request information (identity information and permission request) to the server.
The cloud server retrieves, determines, and verifies the relationship between the identity information and the access permission in step S903. If the identity information sent by the mobile phone has the right to pass through the access control facility, the server sends a release permission to the mobile phone in step S904. As previously described, the release permission may be a one-time message or a message with an effective time limit.
The mobile phone sends the received release permission to the access control facility in step S905 to request passage. The access control facility verifies the release permission in step S906, checking its security, integrity, etc., so as to preliminarily determine that the mobile phone has the right of passage. For example, the mobile phone may receive the release permission through the app and also send it to the access control facility through the app. In other words, the interaction of the mobile phone with the access control facility and with the server can be scheduled and completed through the mobile phone app.
However, for further security, the access control facility issues a secondary authentication dynamic message to the mobile phone at step S907. The mobile phone needs to verify again with the cloud server to obtain a secondary authentication response. Specifically, based on the secondary authentication dynamic message, the mobile phone transmits a secondary authentication request to the server in step S908. In step S909, the server performs a calculation on the secondary authentication request to obtain a secondary authentication response. The mobile phone receives the secondary authentication response from the server at the subsequent step S910, and forwards it to the access control facility at step S911 so that the access control facility can verify it at step S912. After verification, the access control facility formally confirms that the mobile phone (actually, the user of the mobile phone) has the right of passage and can pass through.
Thus, in step S913, the access control facility explicitly gives a release notification to the mobile phone, and (the user of) the mobile phone can pass through the access control facility in step S914. That is to say, the mobile phone operates the access control facility with the corresponding authority. For example, in an embodiment, after the user interacts with the access control facility through the mobile phone and obtains the right, the access control facility releases for the user, and the user passes through. Here, the interaction of the mobile phone with the access control facility and with the server can still be scheduled and completed through the mobile phone app.
It should be noted here that although in the above example the secondary authentication is performed after the release request/release permission messages have been passed, the two are not actually in strict chronological order. For example, the secondary authentication may be performed while the release request/release permission messages are being exchanged. Specifically, at the time of Bluetooth broadcasting, in addition to broadcasting a message about authority, dynamic information (secondary authentication) can be transmitted using the Bluetooth name.
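The exchange in steps S902 to S912, together with the one-time, time-limited permission response described for steps S807 to S809, sketched as an added example that is not part of the patent. It assumes HMAC-SHA256 under a per-facility key shared with the server in place of the unspecified "inherent encryption algorithm", and a facility clock for the expiry check; `Server`, `Facility`, the message fields and the 30-second lifetime are hypothetical.

```python
import hashlib
import hmac
import json
import secrets


def mac_hex(key: bytes, label: str, data: str) -> str:
    """HMAC-SHA256 with a domain-separation label (assumed primitive)."""
    return hmac.new(key, f"{label}|{data}".encode(), hashlib.sha256).hexdigest()


def canonical(body: dict) -> str:
    """Stable serialization so server and facility MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":"))


class Server:
    """Holds the identity/facility permission table and the facility keys."""

    def __init__(self, facility_keys: dict, grants: set):
        self.facility_keys = facility_keys  # facility_id -> shared key
        self.grants = grants                # {(identity, facility_id, permission)}

    def issue_permit(self, identity, facility_id, permission, now, ttl=30):
        """S902-S904: one-time, time-limited permit, or None if not granted."""
        if (identity, facility_id, permission) not in self.grants:
            return None
        body = {"fid": facility_id, "perm": permission,
                "exp": now + ttl, "nonce": secrets.token_hex(8)}
        tag = mac_hex(self.facility_keys[facility_id], "permit", canonical(body))
        return {"body": body, "tag": tag}

    def answer_challenge(self, identity, permit, challenge):
        """S908-S910: secondary authentication response bound to the permit."""
        body = permit["body"]
        if (identity, body["fid"], body["perm"]) not in self.grants:
            return None
        return mac_hex(self.facility_keys[body["fid"]], "secondary",
                       body["nonce"] + "|" + challenge)


class Facility:
    """Off-network facility: holds only its own key, no identity data."""

    def __init__(self, facility_id: str, key: bytes):
        self.facility_id, self.key = facility_id, key
        self.used = {}     # permit nonce -> expiry (one-time enforcement)
        self.pending = {}  # permit nonce -> (challenge, permission)

    def present_permit(self, permit, now):
        """S905-S907: verify the permit; return a fresh challenge or None."""
        try:
            body = permit["body"]
            expected = mac_hex(self.key, "permit", canonical(body))
            if not hmac.compare_digest(expected.encode(), permit["tag"].encode()):
                return None  # forged or altered permit
            fid, exp = body["fid"], body["exp"]
            nonce, perm = body["nonce"], body["perm"]
        except (KeyError, TypeError, AttributeError):
            return None      # malformed message
        if fid != self.facility_id or now > exp:
            return None      # issued for another facility, or expired
        if nonce in self.used:
            return None      # replay of a permit already presented
        self.used = {n: e for n, e in self.used.items() if e >= now}
        self.used[nonce] = exp
        challenge = secrets.token_hex(16)  # S907 dynamic message
        self.pending[nonce] = (challenge, perm)
        return challenge

    def present_secondary(self, nonce, response):
        """S911-S912: one attempt per challenge; return the permission or None."""
        challenge, perm = self.pending.pop(nonce, (None, None))
        if challenge is None or not isinstance(response, str):
            return None
        expected = mac_hex(self.key, "secondary", nonce + "|" + challenge)
        return perm if hmac.compare_digest(expected.encode(), response.encode()) else None


def run_demo():
    key = secrets.token_bytes(32)  # constructed sample key
    server = Server({"gate-7": key}, {("user-42", "gate-7", "pass")})
    gate = Facility("gate-7", key)
    t0 = 1_000                     # constructed clock value, in seconds
    permit = server.issue_permit("user-42", "gate-7", "pass", now=t0)
    challenge = gate.present_permit(permit, now=t0 + 5)
    response = server.answer_challenge("user-42", permit, challenge)
    stale = server.issue_permit("user-42", "gate-7", "pass", now=t0)
    return {
        "granted": gate.present_secondary(permit["body"]["nonce"], response),
        "replay": gate.present_permit(permit, now=t0 + 6),
        "expired": gate.present_permit(stale, now=t0 + 31),
        "no_grant": server.issue_permit("user-99", "gate-7", "pass", now=t0),
    }


if __name__ == "__main__":
    print(run_demo())
```

The facility keeps only its key and short-lived nonces, in line with the description's point that no identity or permission data is stored on the facility; the expiry check is then only as reliable as the facility's clock.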
Fig. 10 is a signal flow diagram illustrating a method of picking items from a vending machine via a mobile device in accordance with a specific embodiment of the present invention.
As shown in fig. 10, the mobile device may be a mobile phone and the target facility may be a vending machine. A Bluetooth communication module is installed in the vending machine, so that, in use, the vending machine may broadcast via Bluetooth continuously, periodically, or according to a certain rule or principle, as shown in step S1001 of method S1000.
When a user carrying the mobile phone moves into the receiving range of the Bluetooth broadcast, the mobile phone can receive the broadcast sent by the vending machine through its own Bluetooth module, and thereby learns that a vending machine is present and that permission is needed to take goods from it.
In a preferred embodiment of the invention, since the vending machine may be an off-network facility, it may not be able to query independently whether the mobile phone (or its user) that wants to pick up goods has the right to do so. Such inquiry and authentication, and even the transaction, need to be accomplished through information exchange between the mobile phone and the server.
In step S1002, based on the received Bluetooth broadcast, the mobile phone sends its own identity information to the server together with the pickup request. The server determines and verifies whether the identity information corresponds to the pickup authority. In practice, the operations on the mobile phone may be carried out by a mobile phone application (app). For example, the app automatically recognizes the Bluetooth broadcast and then, in response to the message regarding the permission, generates and sends request information (identity information and permission request) to the server.
The cloud server retrieves, determines, and verifies the relationship between the identity information and the access permission in step S1003.
There are two cases. In the first case, the user of the mobile phone has previously obtained the right to pick up a certain commodity, for example through a game, a merchant's preferential offer, a gift from a friend, an online purchase, and the like. Such a pickup right can be stored or recorded in a memory on the cloud server; that is, the cloud server stores the authority relationship between the identity information and the pickup right, and the user can be verified on the server by the identity information and then pick up the goods (at the vending machine). In the second case, the user of the mobile phone has not previously obtained the pickup right. Through the broadcast of the vending machine, the user learns the list of goods in the vending machine and the corresponding prices or ways of obtaining them. Using the mobile phone app, the user can purchase goods or carry out other transactions to obtain the pickup right for specific goods. Specifically, the user can send the identity information and a purchase request for a specific commodity to the server through the mobile phone (for example, by operating the app); the server searches its memory and, if no authority relationship exists between the identity information and the pickup right for the specific commodity, performs purchase processing according to the purchase request (for example, a bank transaction, which is outside the scope of protection sought by the invention and is not described further here) and then establishes the authority relationship in the memory; the user has then in effect obtained the corresponding pickup right, so that the verified pickup operation can be performed.
That is, in the first case, if the identity information transmitted from the mobile phone has the pickup right, the server transmits a shipping permit to the mobile phone at step S1004. In the second case, a transaction is carried out using the identity information sent by the mobile phone, so that the pickup right is obtained; the cloud server may establish in the memory an authority relationship between the identity information and the pickup right for the specific commodity, and the server then sends a shipping permit to the mobile phone in step S1004. As previously mentioned, the shipping permit may be a one-time message or a message with an effective time limit.
The mobile phone transmits the received shipping permit to the vending machine in step S1005 to request delivery. The vending machine verifies the shipping permit in step S1006, checking its security, integrity, etc., thereby preliminarily determining that the mobile phone has the pickup right. For example, the mobile phone may receive the shipping permit through the app and also send it to the vending machine through the app. In other words, the interaction of the mobile phone with the vending machine and with the server can be scheduled and completed through the mobile phone app.
However, for further security, the vending machine issues a secondary authentication dynamic message to the mobile phone in step S1007. The mobile phone needs to verify again with the cloud server to obtain a secondary authentication response. Specifically, based on the secondary authentication dynamic message, the mobile phone transmits a secondary authentication request to the server at step S1008. In step S1009, the server performs a calculation on the secondary authentication request to obtain a secondary authentication response. The mobile phone receives the secondary authentication response from the server at the subsequent step S1010, and forwards it to the vending machine at step S1011 so that the vending machine can verify it at step S1012. After verification, the vending machine formally confirms that the mobile phone (actually, the user of the mobile phone) has the pickup right, and the goods can be taken from the vending machine.
Thus, in step S1013, the vending machine delivers the product to the mobile phone user; that is, the mobile phone user can operate the vending machine to obtain the desired product. For example, in an embodiment, after the user interacts with the vending machine through the mobile phone and obtains the right, the vending machine delivers the goods for the user, and the user obtains the goods. Here, the interaction of the mobile phone with the vending machine and with the server can still be scheduled and completed through the mobile phone app, or through both the mobile phone app and the vending machine's own interaction tool.
It should be noted here that although in the above example the secondary authentication is performed after the pickup request/shipping permit messages have been passed, the two are not actually in strict chronological order. For example, the secondary authentication may be performed while the pickup request/shipping permit messages are being exchanged. Specifically, at the time of Bluetooth broadcasting, in addition to broadcasting a message about authority, dynamic information (secondary authentication) can be transmitted using the Bluetooth name.
In the present invention, the target facility may be an off-network facility. To implement the present invention, it is only necessary that the target facility have a Bluetooth communication module or another short-range communication module or communication capability.
The invention is particularly suitable for the following application scenario: the target facilities are widely distributed across many physical locations, and many users or identities have operation authority over target facilities at unspecified physical locations; the users and the target facilities therefore have no preset or stored information and no prior contact, and at some time and place a user has a one-time need to operate a facility somewhere. Examples include access control, vending machines, bag storage cabinets, charging piles, automatic locks, toll stations (for example, highway toll stations implementing ETC), and self-service banks (for example, an ATM providing cardless withdrawal without the ATM being networked, or, even if networked, as another verification mode). Meanwhile, the target facility does not store data related to specific authority and identity information in advance, so there is no possibility of such data being lost, stolen or counterfeited, which benefits the security of the data and the authority.
In addition, in the interactive communication between the mobile device and the target facility, every message other than the initial broadcast message is an encrypted or dynamically generated message, a one-time message or a time-limited message, so that other devices are prevented from intercepting the communication content and the security of the communication and the authority is ensured.
Various embodiments and implementations of the present invention have been described above. However, the spirit and scope of the present invention is not limited thereto. Those skilled in the art will be able to devise many more applications in accordance with the teachings of the present invention which are within the scope of the present invention.

Claims (8)

1. A method of performing permission operations on a nearby target facility through a mobile device, comprising:
the target facility broadcasts a message about the authority, wherein the message about the authority comprises the identification of the target facility, an authority list and how to obtain the corresponding authority;
receiving a message about an authority broadcast by a target facility when a mobile device approaches the target facility;
based on the received information about the authority broadcasted by the target facility, the mobile device sends identity information and an authority request of the target facility to a server, wherein the authority request is used for requesting to obtain specific authority in an authority list of the target facility;
the server processes the identity information and the permission request to generate a permission response, and transmits the permission response to the mobile equipment, and the method comprises the following steps:
1) the server receives identity information and a permission request from the mobile device,
2) the server determines whether the mobile device possesses specific rights required by the rights request for a plurality of target facilities based on a plurality of identity information stored in a memory of the server and rights relationships between the identity information and the target facilities,
3) if it is determined that the mobile device possesses the specific rights required by the rights request for the target facility, step 5) is performed directly,
4) if the mobile device is determined not to have the specific authority required by the authority request for the target facility, the server performs processing for enabling the mobile device to obtain the corresponding authority according to the request of the specific authority, establishes an authority relation required by the authority request between the identity information and the target facility, and stores the authority relation in a memory,
5) the server transmits the corresponding permission as a permission response to the mobile device;
based on the permission response, the mobile device interacts with the target facility, whereby the target facility verifies the permissions of the mobile device, thereby enabling the mobile device to operate the target facility with the corresponding permissions.
2. The method of claim 1, wherein the broadcasting of the target facility, the interaction of the mobile device with the target facility are all via a bluetooth communication protocol.
3. The method of claim 1, wherein the identity information comprises at least one of: a mobile phone number, an IMEI code, a user ID of the mobile device, a website or service ID.
4. The method of claim 1, wherein the target facility is one of: access control, vending machine, bag storage cabinet, charging pile, automatic lock, toll station, self-service bank.
5. The method of claim 1, wherein interacting with the target facility by the mobile device based on the permission response further comprises:
based on the permission response, the mobile device initiates an encrypted action message to the target facility;
the target facility verifies the action message using the inherent cryptographic algorithm and, if the verification is successful, allows the mobile device to operate the target facility with the corresponding rights.
6. The method of claim 1, wherein the permission response is a one-time message or a message with an effective time limit.
7. A mobile device, comprising:
a memory for storing identity information;
a controller to cause the mobile device to:
receiving a message about rights broadcasted by a target facility when a mobile device approaches the target facility, wherein the message about rights comprises an identification of the target facility, a list of rights, how to obtain the corresponding rights;
transmitting the identity information stored in the memory and a permission request to a server for a target facility based on the received information about the permission broadcasted by the target facility, wherein the permission request is used for requesting to obtain a specific permission in a permission list of the target facility;
receiving the permission response from the server, and interacting with the target facility based on the permission response, thereby enabling the permission to be verified by the target facility, so as to be able to operate the target facility with the corresponding permission,
wherein the permission response is generated by:
1) the server receiving identity information and a permission request from the mobile device;
2) the server determines whether the mobile device has specific authority required by the authority request for a plurality of target facilities based on a plurality of identity information stored in a memory of the server and authority relations between the identity information and the target facilities;
3) if it is determined that the mobile device possesses the specific rights required by the rights request for the target facility, directly performing step 5);
4) if the mobile equipment is determined not to have the specific authority required by the authority request for the target facility, the server performs processing for enabling the mobile equipment to obtain the corresponding authority according to the request of the specific authority, establishes an authority relation required by the authority request between the identity information and the target facility, and stores the authority relation in a memory;
5) the server transmits the corresponding permission as a permission response to the mobile device.
8. A server, comprising:
a memory for storing a plurality of identity information and authority relations between the identity information and a plurality of target facilities;
a controller to cause the server to:
1) receiving, from a mobile device, identity information and a permission request for a target facility that the mobile device is approaching, wherein the permission request is used for requesting to obtain specific permission in a permission list of the target facility, and wherein the mobile device receives a message about permission broadcast by the target facility when the mobile device approaches the target facility, the message about permission comprising an identification of the target facility, the permission list and how to obtain the corresponding permission;
2) determining whether the mobile device possesses specific rights required by the rights request for a plurality of target facilities based on a plurality of identity information stored in a memory and rights relationships between the identity information and the target facilities;
3) if it is determined that the mobile device possesses the specific rights required by the rights request for the target facility, directly performing step 5);
4) if the mobile equipment is determined not to have the specific authority required by the authority request for the target facility, the server performs processing for enabling the mobile equipment to obtain the corresponding authority according to the request of the specific authority, establishes an authority relation required by the authority request between the identity information and the target facility, and stores the authority relation in a memory;
5) sending a corresponding permission to the mobile device as a permission response to enable the mobile device to interact with the target facility, whereby the target facility verifies the permissions of the mobile device to enable the mobile device to operate the target facility with the corresponding permissions.
CN201910352716.0A 2016-07-13 2016-07-13 Permission operation on nearby target facilities through mobile equipment Active CN110086809B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910352716.0A CN110086809B (en) 2016-07-13 2016-07-13 Permission operation on nearby target facilities through mobile equipment

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610547626.3A CN106131015B (en) 2016-07-13 2016-07-13 Permission operation is carried out to neighbouring target facility by mobile device
CN201910352716.0A CN110086809B (en) 2016-07-13 2016-07-13 Permission operation on nearby target facilities through mobile equipment

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201610547626.3A Division CN106131015B (en) 2016-07-13 2016-07-13 Permission operation is carried out to neighbouring target facility by mobile device

Publications (2)

Publication Number Publication Date
CN110086809A CN110086809A (en) 2019-08-02
CN110086809B true CN110086809B (en) 2022-03-15

Family

ID=57283206

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201610547626.3A Active CN106131015B (en) 2016-07-13 2016-07-13 Permission operation is carried out to neighbouring target facility by mobile device
CN201910352716.0A Active CN110086809B (en) 2016-07-13 2016-07-13 Permission operation on nearby target facilities through mobile equipment

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN201610547626.3A Active CN106131015B (en) 2016-07-13 2016-07-13 Permission operation is carried out to neighbouring target facility by mobile device

Country Status (1)

Country Link
CN (2) CN106131015B (en)

Also Published As

Publication number Publication date
CN110086809A (en) 2019-08-02
CN106131015A (en) 2016-11-16
CN106131015B (en) 2019-04-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant