CN112152810B - Safety control method, device and system - Google Patents

Safety control method, device and system Download PDF

Info

Publication number
CN112152810B
CN112152810B CN201910560952.1A CN201910560952A CN112152810B CN 112152810 B CN112152810 B CN 112152810B CN 201910560952 A CN201910560952 A CN 201910560952A CN 112152810 B CN112152810 B CN 112152810B
Authority
CN
China
Prior art keywords
authentication factor
authentication
user equipment
office
equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910560952.1A
Other languages
Chinese (zh)
Other versions
CN112152810A (en
Inventor
李东声
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tendyron Corp
Original Assignee
Tendyron Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tendyron Corp filed Critical Tendyron Corp
Priority to CN201910560952.1A priority Critical patent/CN112152810B/en
Priority to PCT/CN2020/093218 priority patent/WO2020259203A1/en
Publication of CN112152810A publication Critical patent/CN112152810A/en
Application granted granted Critical
Publication of CN112152810B publication Critical patent/CN112152810B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231Biological data, e.g. fingerprint, voice or retina
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3297Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/80Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W76/00Connection management
    • H04W76/10Connection setup
    • H04W76/14Direct-mode setup

Abstract

The invention provides a safety control method, a safety control device and a safety control system, wherein the method comprises the following steps: step 1, establishing communication connection; step 2, negotiating an authentication factor; step 3, monitoring an authentication factor rolling period and an authentication scanning period; step 4, when the authentication factor rolling period is reached, taking the next authentication factor as the current first authentication factor of the office equipment; step 5, when reaching the authentication scanning period, scanning a second authentication factor; step 6, scanning a second authentication factor, judging whether the second authentication factor is consistent with the first authentication factor, if so, step 3, otherwise, step 9; step 7, judging whether the time interval from the last scanning to the second authentication factor exceeds a first preset time or not if the time interval is not scanned, if so, step 9, otherwise, step 8; step 8, waiting for a second preset time, scanning a second authentication factor sent by the user equipment, and scanning, step 6, wherein the second authentication factor is not scanned, and step 7; and 9, executing a first safety control operation.

Description

Safety control method, device and system
Technical Field
The present invention relates to the field of electronic technologies, and in particular, to a method, an apparatus, and a system for security control.
Background
At present, in order to ensure the security of an office system, a traditional solution is that when a user logs in the office system for the first time, the user inputs a user name and a password or a password, the system authenticates the user name and the password or the password input by the user, after the authentication is passed, the user can use the office system until the user manually logs out of a login state or manually locks a screen, and authentication needs to be performed again when the user uses the office system again.
By adopting the safety control means, the use state of the user cannot be monitored in real time after the user passes the authentication, and under the condition that the user does not have the manual log-out state or the manual screen locking state, the safety control cannot be executed no matter whether the user is on the spot or not.
Disclosure of Invention
The present invention is intended to solve the above-mentioned technical problems.
The invention mainly aims to provide a safety control method.
Another object of the present invention is to provide a safety control device.
It is a further object of the present invention to provide a safety control system.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
one aspect of the present invention provides a safety control method, including: step 1, office equipment and user equipment establish close range wireless communication connection; step 2, the office equipment and the user equipment carry out authentication factor negotiation to at least obtain an initial authentication factor, and the initial authentication factor is used as a current first authentication factor of the office equipment; step 3, the office equipment monitors whether a preset authentication factor rolling period and an authentication scanning period are reached, if so, step 4 is executed, and if so, step 5 is executed; step 4, acquiring a next authentication factor of the current first authentication factor of the office equipment according to an authentication factor rolling mode appointed by the user equipment, taking the next authentication factor as the current first authentication factor of the office equipment, and returning to the step 3; step 5, the office equipment sends a scanning instruction to the user equipment, scans a second authentication factor sent by the user equipment, executes step 6 under the condition that the second authentication factor sent by the user equipment is scanned, and executes step 7 under the condition that the second authentication factor sent by the user equipment is not scanned; step 6, the office equipment judges whether the scanned second authentication factor is consistent with the current first authentication factor of the office equipment, if so, the step 3 is returned, otherwise, the step 9 is executed; step 7, the office equipment judges whether the time interval from the last scanning of the current distance to the second authentication factor sent by the user equipment exceeds a first preset time, if so, step 9 is executed, otherwise, step 8 is executed; step 8, after waiting for a second preset time, the office equipment sends a scanning instruction to the user equipment, scans a second authentication factor sent by the user equipment, executes step 6 under the condition that the second authentication factor sent by the user equipment is scanned, and executes step 7 under the condition that the second authentication factor sent by the user equipment is not scanned, wherein the second preset time is less than the first preset time; and 9, the office equipment executes corresponding first security control operation according to a preset security policy.
Optionally, the step 3 further includes: the office equipment monitors whether a preset key event occurs or not, and executes the step 10 under the condition that the key event occurs; and step 10, the office equipment starts a camera device to collect the face data of the user, whether the collected face data is matched with the authentication face data stored in the office equipment is judged, if yes, the step 3 is returned, and if not, the step 9 is executed.
Optionally, the predetermined key event comprises at least one of: the office equipment and the user equipment negotiate authentication factors and complete, the office equipment receives an encryption input instruction, and the office equipment receives a password input instruction.
Optionally, acquiring a next authentication factor of the current first authentication factor of the office device according to an authentication factor scrolling manner agreed with the user device, including: the office equipment selects a next authentication factor of a current first authentication factor of the office equipment from an authentication factor pool according to a preset strategy, wherein the authentication factor pool comprises a plurality of authentication factors including the initial authentication factor; or the office equipment calculates the current first authentication factor of the office equipment or the preset parameter for generating the current first authentication factor of the office equipment according to an authentication factor algorithm negotiated with the user equipment to obtain the next authentication factor of the current first authentication factor of the office equipment; or the office equipment reads the current value of the authentication factor calculator, and the current value of the authentication factor calculator is used as the next authentication factor of the current first authentication factor of the office equipment.
Optionally, after the office device performs the corresponding first security control operation according to the predetermined security policy, the method further includes: and the office equipment deletes all the authentication factors stored locally.
Optionally, after the office device performs authentication factor negotiation with the user device, the method further includes: the user equipment enters a dormant state, is awakened once every preset awakening period, and broadcasts the current second authentication factor of the user equipment during the awakening period.
Optionally, after the office device performs authentication factor negotiation with the user device, the method further includes: -the user equipment judges whether a scanning authentication instruction sent by the office equipment is received within the first preset time, if so, the user equipment sends a current second authentication factor of the user equipment, otherwise, the user equipment deletes all second authentication factors stored locally.
Optionally, in the step 5, in a case that the second authentication factor sent by the user equipment is not scanned, before performing step 7, the method further includes: and the office equipment judges whether the time interval from the last scanning of the current distance to the second authentication factor sent by the user equipment exceeds a preset threshold, if not, the step 3 is returned, if yes, the corresponding second security control operation is executed according to a preset security policy, and then the step 7 is executed.
Another aspect of the present invention provides a security control apparatus, located in an office device, including: the communication establishing module is used for establishing short-distance wireless communication connection with the user equipment; the authentication factor negotiation module is used for performing mutual authentication with the user equipment and negotiating authentication factors to at least obtain an initial authentication factor, and the initial authentication factor is used as a current first authentication factor of the office equipment; the period monitoring module is used for monitoring whether a preset authentication factor rolling period or an authentication scanning period is reached, triggering the authentication factor rolling module under the condition that the authentication factor rolling period is reached, and triggering the heartbeat detection module under the condition that the authentication scanning period is reached; the authentication factor rolling module is configured to obtain a next authentication factor of the current first authentication factor of the office device according to an authentication factor rolling manner agreed with the user device, and trigger the period monitoring module by using the next authentication factor as the current first authentication factor of the office device; the heartbeat detection module is used for sending a scanning authentication instruction to the user equipment, scanning a second authentication factor sent by the user equipment, triggering an authentication factor verification module under the condition that the second authentication factor sent by the user equipment is scanned, and triggering a back connection verification module under the condition that the second authentication factor sent by the user equipment is not scanned; the authentication factor verification module is used for judging whether the scanned second authentication factor is consistent with the current first authentication factor of the office equipment or not, and triggering the period monitoring module under the condition of consistency, otherwise, triggering the safety control module; the reconnection verification module is used for judging whether the time interval from the last scanning of the current distance to the second authentication factor broadcasted by the user equipment exceeds a first preset time, if so, triggering the safety control module, and otherwise, triggering the reconnection data monitoring module; the reconnection data monitoring module is used for sending a scanning instruction to the user equipment after waiting for second preset time, scanning a second authentication factor sent by the user equipment, triggering the authentication factor verification module under the condition that the second authentication factor sent by the user equipment is scanned, and triggering the reconnection verification module under the condition that the second authentication factor sent by the user equipment is not scanned, wherein the second preset time is less than the first preset time; and the safety control module is used for executing corresponding first safety control operation according to a preset safety strategy.
Optionally, the method further comprises: a face verification module; the period monitoring module is also used for judging whether a preset key event occurs or not, and triggering the face verification module under the condition that the key event occurs is monitored; the face verification module is used for starting the camera device to collect face data of a user, judging whether the collected face data is matched with the authentication face data stored in the office equipment or not, if so, triggering the period monitoring module, otherwise, triggering the safety control module.
Optionally, the authentication factor scrolling module obtains the next authentication factor of the current first authentication factor of the office equipment according to the following manner: selecting a next authentication factor of the current first authentication factor of the office equipment from an authentication factor pool according to a preset strategy, wherein the authentication factor pool comprises a plurality of authentication factors including the initial authentication factor; or, according to an authentication factor algorithm negotiated with the user equipment, calculating a current first authentication factor of the office equipment or a preset parameter for generating the current first authentication factor of the office equipment to obtain a next authentication factor of the current first authentication factor of the office equipment; or reading the current value of the authentication factor calculator, and taking the current value of the authentication factor calculator as the next authentication factor of the current first authentication factor of the office equipment.
Optionally, the method further comprises: and the key clearing module is used for deleting all the authentication factors stored in the office equipment after the security control module executes the first security control operation.
Optionally, the method further comprises: a threshold detection module, configured to, when the heartbeat detection module does not scan the second authentication factor sent by the user equipment, before triggering the reconnection verification module, determine whether a time interval between the current time and the last time when the second authentication factor sent by the user equipment is scanned exceeds a predetermined threshold, if not, trigger the period monitoring module, otherwise, execute a corresponding second security control operation according to a predetermined security policy, and then trigger the reconnection verification module.
The invention further provides a safety control system, which comprises office equipment and user equipment, wherein the office equipment comprises the safety control device; the user equipment is configured to: establishing a close range wireless communication connection with the office equipment; carrying out authentication factor negotiation with the user equipment to obtain an initial authentication factor, and taking the initial authentication factor as a current second authentication factor of the user equipment; receiving a scanning authentication instruction sent by the office equipment, and sending a current second authentication factor of the user equipment; and when the authentication factor rolling period is monitored to be reached, acquiring a next second authentication factor of the current second authentication factor of the user equipment according to an authentication factor rolling mode appointed by the office equipment, and taking the next second authentication factor as the current second authentication factor of the user equipment.
Optionally, the user equipment is further configured to delete all the second authentication factors stored locally when the scanning authentication instruction sent by the office equipment is not received within a predetermined time period.
Optionally, the ue further enters a sleep state after performing authentication factor negotiation with the ue, wakes up once every predetermined wake-up period, and broadcasts a current second authentication factor of the ue during the wake-up period.
As can be seen from the technical scheme provided by the invention, the invention provides a safety control scheme, in the technical scheme provided by the invention, the office equipment and the user equipment establish close-range wireless communication connection, negotiate the authentication factor, update the authentication factor according to the preset authentication factor rolling period, scan the authentication factor sent by the user equipment according to the preset authentication scanning period, in case that the authentication factor transmitted by the user equipment is not scanned within a predetermined time interval, performing a security control operation, therefore, whether the user leaves the office equipment or not can be monitored in real time after the user logs in, and the safety control operation is executed under the condition that the user leaves the office equipment for more than the preset time, so that the user is prevented from leaving the office equipment, other users illegally use the office system, which causes the problems of information leakage or illegal attack on the office system and the like.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a safety control system according to embodiment 1 of the present invention;
fig. 2 is a flowchart of a safety control method according to embodiment 2 of the present invention;
fig. 3 is a schematic structural diagram of a safety control device according to embodiment 3 of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the present invention, it is to be understood that the terms "center", "longitudinal", "lateral", "up", "down", "front", "back", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", and the like, indicate orientations or positional relationships based on those shown in the drawings, and are used only for convenience in describing the present invention and for simplicity in description, and do not indicate or imply that the referenced devices or elements must have a particular orientation, be constructed and operated in a particular orientation, and thus, are not to be construed as limiting the present invention. Furthermore, the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or quantity or location.
In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
Embodiments of the present invention will be described in further detail below with reference to the accompanying drawings.
Example 1
The present embodiment provides a safety control system.
Fig. 1 is a schematic structural diagram of a safety control system provided in this embodiment, and as shown in fig. 1, the safety control system mainly includes: office equipment 10 and user equipment 20. In this embodiment, the office equipment 10 may be a computer, or may be a peripheral device with certain processing capability, such as a security keyboard. The user device 20 may be an electronic device that is convenient for the user to carry around, such as a mobile phone, or a smart card, and the user device 20 may store a unique user identifier, such as a user ID, and the identity of the user may be determined through the user device 20.
In the present embodiment, the office apparatus 10 establishes a short-range wireless communication connection with the user apparatus 20. In a specific application, the office device 10 and the user device 20 may establish wireless communication through bluetooth, WIFI, or the like, and this embodiment is not limited in this embodiment.
In a specific application, before the wireless communication connection is established between the office equipment 10 and the user equipment 20, the user equipment 20 may perform identity authentication by swiping a card, scanning a code, and the like. For example, a card reading module is arranged on the office equipment 10, when a user needs to log in an office system, the user equipment 20 (which may be a smart card) is placed at the card reading module of the office equipment 10 for swiping a card, the office equipment 10 reads identity authentication information stored in the user equipment 20, where the identity authentication information may be a user name, a password, and the like, then the office equipment 10 performs identity authentication on the read identity authentication information, and after the identity authentication passes, secure login is completed.
When the wireless communication connection is established between the office device 10 and the user device 20, device information of both parties may be exchanged between the office device 10 and the user device 20, and the wireless communication connection is established through the exchanged device information, for example, if a bluetooth connection is established between the office device 10 and the user device 20, bluetooth connection information may be exchanged between the office device 10 and the user device 20, and bluetooth pairing is performed, thereby completing the bluetooth connection.
After the near field wireless communication connection is established, the office device 10 and the user device 20 perform authentication factor negotiation to obtain at least an initial authentication factor, and the office device 10 and the user device 20 respectively use the initial authentication factor as a current first authentication factor of the office device 10 and a current second authentication factor of the user device 20. In a specific application, after the office device 10 passes the identity authentication of the user device 20, the office device 10 negotiates an authentication factor with the user device 20.
In an alternative implementation of the embodiment of the present invention, the authentication factor may be a key. For example, when the office device 10 and the user device 20 negotiate the authentication factor, the office device 10 and the user device 20 may establish a secure channel, and then the office device 10 and the user device 20 negotiate and generate an initial transmission key, and use the transmission key as the authentication factor.
In a specific application, in order to ensure the security of the transmission key, when the office equipment 10 and the user equipment 20 establish a secure channel, mutual authentication may be performed by a public and private key pair of the office equipment 10 and the user equipment 20, for example, office device 10 may generate a random number, sign the random number using a private key of office device 10, send the signature data and random number to user device 20, user device 20 uses a public key of office device 10, and the received signature data is checked, if the check is passed, the identity of the office equipment 10 is confirmed, the user device 20 may sign the received random number by using its own private key, and send signature data obtained by the signature to the office device 10, and the office device 10 checks the received signature data by using the public key of the user device 20, and if the signature passes, the identity of the user device 20 is confirmed. Of course, in practical applications, the office device 10 and the user device 20 may perform mutual identity authentication in other manners, and the embodiment is not limited in this embodiment.
In another optional implementation of the embodiment of the present invention, the authentication factor may also be a time value of a local clock of the office equipment 10 and the user equipment 20. In this alternative embodiment, the office device 10 and the user device 20 perform time synchronization when negotiating the authentication factor, and after the time synchronization, the office device 10 and the user device 20 each use the current value of the local clock as the initial authentication factor.
Alternatively, in another optional implementation manner of the embodiment of the present invention, the authentication factor may also be a value of a local counter of the office device 10 and the user device 20. In this alternative embodiment, the office device 10 and the user device 20 determine that the initial values of the local counters of each other are the same when negotiating the authentication factor, and then the office device 10 and the user device 20 each use the current value of the local counter as the initial authentication factor. In a specific application, the local counters of the office device 10 and the user device 20 are used for recording the number of times of the same event, for example, the number of scrolling times of the local authentication factor may be recorded, that is, each time the current value of the first authentication factor of the office device 10 changes once, the value of the local counter of the office device 10 is incremented by 1, and similarly, each time the current value of the second authentication factor of the user device 20 changes once, the value of the local counter on the side of the user device 20 is incremented by 1, so that the values of the counters of the office device 10 and the user device 20 may be ensured to be consistent.
In the embodiment of the present invention, after the office device 10 completes the authentication factor negotiation with the user device 20, the office device 10 monitors whether the predetermined authentication factor rolling period and the predetermined authentication scanning period are reached:
(1) under the condition that the monitoring reaches the authentication factor rolling period, acquiring the next authentication factor of the current first authentication factor of the office equipment 10 according to the authentication factor rolling mode appointed by the user equipment 20, taking the next authentication factor as the current first authentication factor of the office equipment 10, and then continuously monitoring whether the preset authentication factor rolling period and the authentication scanning period are reached.
(2) Under the condition that the authentication scanning period is monitored to be reached, the office equipment 10 sends a scanning instruction to the user equipment 20, a second authentication factor sent by the user equipment 20 is scanned, under the condition that the second authentication factor sent by the user equipment 20 is scanned, whether the scanned second authentication factor is consistent with a current first authentication factor of the office equipment 10 is judged, under the condition that the scanned second authentication factor is consistent with the current first authentication factor, whether a preset authentication factor rolling period and an authentication scanning period are continuously monitored, and under the condition that the scanned second authentication factor is inconsistent with the current first authentication factor, the office equipment 10 executes corresponding first safety control operation according to a preset safety strategy; under the condition that a second authentication factor sent by the user equipment 20 is not scanned, the office equipment 10 judges whether the time interval between the current time and the last time when the second authentication factor sent by the user equipment 20 is scanned exceeds a first preset time, if so, the office equipment 10 executes corresponding first safety control operation according to a preset safety strategy, otherwise, after the office equipment 10 waits for the second preset time, the office equipment 10 sends a scanning instruction to the user equipment 20 to scan the second authentication factor sent by the user equipment 20, under the condition that the second authentication factor sent by the user equipment 20 is scanned, whether the scanned second authentication factor is consistent with the current first authentication factor of the office equipment 10 is judged, under the consistent condition, whether a preset authentication factor rolling period and an authentication scanning period are reached is continuously monitored, under the inconsistent condition, the office equipment 10 executes corresponding first safety control operation according to the preset safety strategy, in the case where the second authentication factor transmitted by the user equipment 20 is not scanned, the office equipment 10 returns to perform an operation of determining whether or not the time interval from the last scanning of the second authentication factor transmitted by the user equipment 20 at the present time exceeds a first predetermined time, where the second predetermined time is less than the first predetermined time.
In this embodiment of the present invention, the duration of the second predetermined time may be less than the duration of the authentication scanning period, that is, in this embodiment of the present invention, when the office device 10 arrives at a certain authentication scanning period, if the second authentication factor sent by the user device 20 is not scanned, the office device 10 may shorten the scanning period, and scan the second authentication factor sent by the user device 20, so as to authenticate the second authentication factor of the user device 20 in time.
Through the security control system provided by the embodiment of the invention, the office equipment 10 establishes a short-distance wireless communication connection with the user equipment 20, negotiates an authentication factor, updates the authentication factor according to a preset authentication factor rolling period, scans the authentication factor sent by the user equipment according to a preset authentication scanning period, and executes a first security control operation under the condition that the authentication factor sent by the user equipment is not scanned within a preset time interval, so that whether the user leaves the office equipment or not can be monitored in real time after the user logs in, and the security control operation is executed under the condition that the user leaves the office equipment for more than a preset time, thereby avoiding the problems that information is leaked or the office system is illegally attacked and the like because other users illegally use the office system during the user leaving period.
In an optional implementation manner of the embodiment of the present invention, in a case that the second authentication factor sent by the user equipment 20 is not scanned, before determining whether a time interval from the last scanning of the office equipment 10 to the second authentication factor sent by the user equipment 20 exceeds a first preset time, it may first determine whether the time interval from the last scanning of the office equipment 10 to the second authentication factor sent by the user equipment 20 exceeds a predetermined threshold, if so, first perform a corresponding second security control operation according to a predetermined security policy, and then determine whether the time interval from the last scanning of the office equipment 10 to the second authentication factor sent by the user equipment 20 exceeds the first preset time. Wherein the time value indicated by the predetermined threshold is smaller than the time value indicated by the first preset time.
In the above alternative embodiment, the first safety control operation and the second safety control operation are different safety operations, and in a specific application, the first safety control operation may be a more strict safety control operation than the second safety control operation, for example, the first safety control operation may include: an instruction to log out of the system is sent to the main processor of the office apparatus 10 and/or a shutdown instruction is sent to the main processor of the office apparatus 10. And the second safety control operation may include: send a screen lock instruction to the main processor of the office equipment 10 and/or send an alarm instruction to the alarm of the office equipment 10, etc. With this alternative embodiment, a hierarchical security control policy may be implemented, for example, in a specific application, the predetermined threshold may be set to 5 minutes, the first preset time may be set to 10 minutes, the office device 10 does not scan the second authentication factor sent by the user device 20 within 5 minutes, then a second security control operation is implemented, a screen locking instruction is sent to the main processor of the office device 10 and/or an alarm instruction is sent to the alarm of the office device 10, the main processor locks the screen and/or the alarm alarms, but the office device 10 maintains the scrolling of the authentication factors, if the second authentication factor sent by the user device 20 is received between 5 minutes and 10 minutes, then the received second authentication factor is authenticated, after the authentication is passed, the authentication factor scrolling is continuously maintained, and the second authentication factor sent by the user device 20 is periodically scanned, if the second authentication factor sent by the user equipment 20 is not received within 10 minutes, a first security control operation is executed, an instruction for logging out of the system is sent to the main processor of the office equipment 10 and/or a shutdown instruction is sent to the main processor of the office equipment 10, after the main processor of the office equipment 10 receives the instruction, a corresponding operation is executed, the office equipment 10 exits from the current flow, and authentication factor scrolling and regular scanning of the authentication factors are not executed any more.
In an optional implementation manner of the embodiment of the present invention, in order to ensure the safety of some key operations, after the office device 10 completes the authentication factor negotiation with the user device 20, it is simultaneously monitored whether a predetermined key event occurs, and when the occurrence of the key event is monitored, the office device 10 starts a camera device to collect face data of a user, and determines whether the collected face data matches with authenticated face data stored in the office device 10, if so, the monitoring is continued, otherwise, a first safety control operation is executed. In this alternative embodiment, the authenticated face data stored in the office device 10 may be input by the user at the time of registration, or may be input at other times, for example, before the user needs to activate some specific functions, which is not limited in this embodiment. Through the optional embodiment, the office device 10 can verify the face of the current operator before performing some key operations, further ensure the identity of the current user, and avoid the account number of the user being stolen.
In the above alternative embodiment, the predetermined key event includes, but is not limited to, at least one of:
(1) the office equipment 10 and the user equipment 20 negotiate the authentication factor to complete; that is, after negotiating the authentication factor with the user device 20, the office device 10 collects face information of the user and authenticates the collected face information. With this alternative embodiment, the office appliance 10 can start the authentication factor scrolling and the authentication scan after ensuring the identity of the user, which can save the process.
(2) The office equipment 10 receives the encryption input instruction; in this alternative embodiment, the office system is provided with an encryption input function, that is, information input by the user through the keyboard is encrypted information, and when the user inputs an encryption input instruction, the function is started, and when the user starts the function, the office device 10 collects face information of the user and authenticates the collected face information. With this alternative embodiment, the office device 10 can turn on the encryption input function with the identity of the user ensured.
(3) The office equipment 10 receives the password input instruction. That is, in this alternative embodiment, when a password (for example, a PIN code or the like) needs to be input to the office system, the office device 10 first acquires face information of the user and authenticates the acquired face information. With this alternative embodiment, the office device 10 can ensure the security of the password by allowing the user to input the password while ensuring the identity of the user.
In the embodiment of the present invention, when the office device 10 and the user device 20 perform authentication factor scrolling, the authentication factor scrolling may be performed in different manners according to different types of authentication factors used specifically, which is described below by taking the office device 10 as an example, and for the user device 20, the authentication factor scrolling is performed in a manner corresponding to the office device 10.
In an alternative implementation of the embodiment of the present invention, the office device 10 may perform authentication factor scrolling in one of the following ways:
(1) selecting a next authentication factor of a current first authentication factor of the office equipment 10 from an authentication factor pool according to a preset strategy, wherein the authentication factor pool comprises a plurality of authentication factors including the initial authentication factor; that is, in this embodiment, a same authentication factor pool is set in each of the office device 10 and the user device 20, and the authentication factor scrolling manner is agreed in the preset policy, for example, according to the sorting, the circular sequence scrolling, or the circular scrolling with an interval of one authentication factor in the authentication factor pool, the office device 10 and the user device 20 can obtain the next authentication factor of the current authentication factor according to the preset policy.
For example, assuming that the authentication factors stored in the pool of authentication factors are shown in table 1, the preset strategy for authentication factor scrolling is to cyclically scroll by one authentication factor. If the current authentication factor is M2, the next authentication factor of the current authentication factor is M4. If the current authentication factor is M8, the next authentication factor of the current authentication factor is M1.
TABLE 1 authentication factor pool
Serial number 1 2 3 4 5 6 7 8 9
Authentication factor M1 M2 M3 M4 M5 M6 M7 M8 M9
In this embodiment, each authentication factor in the authentication factor pool may be negotiated when the office device 10 and the user device 20 perform authentication factor negotiation, that is, taking table 1 as an example, 9 authentication factors are negotiated when the office device 10 and the user device 20 perform authentication factor negotiation, where M1 is an initial authentication factor. Alternatively, the office device 10 and the user device 20 may also negotiate only an initial authentication factor when performing authentication factor negotiation, and then the office device 10 and the user device 20 calculate other authentication factors in the authentication factor pool according to the same algorithm, and which manner is specifically adopted may be determined according to actual applications, which is not limited in this embodiment.
(2) The office equipment 10 calculates a current first authentication factor of the office equipment 10 or a preset parameter for generating the current first authentication factor of the office equipment 10 according to an authentication factor algorithm negotiated with the user equipment 20 to obtain a next authentication factor of the current first authentication factor of the office equipment 10; that is, in this embodiment, the office device 10 and the user device 20 update the currently used authentication factor every authentication factor scroll cycle to obtain a new authentication factor, and use the new authentication factor as the current authentication factor. In a specific application, the office device 10 may calculate the current first authentication factor to obtain a next authentication factor of the current first authentication factor, for example, perform a MAC operation on the current first authentication factor, or perform a MAC operation on the current first authentication factor + the current time. Alternatively, the office equipment 10 may calculate a preset parameter for generating the current first authentication factor of the office equipment 10, for example, assuming that the current first authentication factor Mi ═ f (xi) of the office equipment 10, xi is a preset parameter, and when the authentication factor rolling period arrives, the preset parameter is updated, xi ═ g (xi) may be set, and then a new authentication factor may be calculated using the updated xi, so as to obtain a next authentication factor of the current first authentication factor.
(3) The office equipment 10 reads the current value of the authentication factor calculator as the next authentication factor to the current first authentication factor of the office equipment 10. In this optional implementation, the authentication factor calculator may be a timer, a counter, or the like, and the embodiment is not limited in this embodiment. The office device 10 and the user device 20 may record the same start time or the same value in the counter when performing the authentication factor negotiation, and in the case that the authentication factor calculator is the counter, the counter of the office device 10 and the user device 20 is used to record the number of times of the same event occurrence, for example, the authentication factor rolling number.
In the above alternative embodiment, the timer may be a local clock of the office device 10 and a local clock of the user device 20, in which case, the office device 10 and the user device 20 may perform clock synchronization when performing authentication factor negotiation; alternatively, the timer may be set specifically for the office device 10 and the user device 20 to record the value of the current authentication factor, in which case, when the office device 10 and the user device 20 perform authentication factor negotiation, the start time of the timer used by both the office device 10 and the user device 20 to record the current authentication factor may be set to be the same value.
In the embodiment of the present invention, when the office device 10 does not scan the second authentication factor sent by the user device 20 within the first predetermined time, it indicates that the time when the user device 20 is far from the office device 10 exceeds the first predetermined time, and since the user device 20 is carried around the user, it can be determined that the user is far from the office device 10, therefore, in the embodiment of the present invention, the office device 10 executes the corresponding first security control operation according to the predetermined security policy, so that it can be ensured that the first security policy is executed after the user is far from the office device 10 for a certain time, and thus the problem that the office system is illegally used by other people can be avoided. In an optional implementation manner of the embodiment of the present invention, in order to facilitate the next use by the user, after the office device 10 performs the corresponding first security control operation according to the predetermined security policy, the office device 10 may delete all the authentication factors stored locally, so as to facilitate the subsequent use of the office device 10.
In the embodiment of the present invention, the user equipment 20 may broadcast the current second authentication factor of the user equipment 20 in case of receiving the scanning instruction sent by the office equipment 10. Or, in an optional implementation manner of the embodiment of the present invention, in order to save the power of the user equipment 20, after performing authentication factor negotiation with the office equipment 10, the user equipment 20 may enter a sleep state, and then wake up once every predetermined wake-up period, and during the wake-up period, broadcast the current second authentication factor of the user equipment 20. With this alternative embodiment, power of the user equipment 20 may be saved, increasing the lifetime of the battery of the user equipment 20.
In an optional implementation manner of the embodiment of the present invention, the user equipment 20 may also determine whether the user is far away from the office equipment 10, in this optional implementation manner, after the office equipment 10 performs authentication factor negotiation with the user equipment 20, the user equipment 20 may determine whether a scanning authentication instruction sent by the office equipment 10 is received within a predetermined time period, if so, the user equipment 20 sends a current second authentication factor of the user equipment 20, otherwise, the user equipment 20 deletes all second authentication factors stored locally. In this alternative embodiment, the duration of the predetermined time period may be the same as the duration of the first preset time determined by the office equipment 10, so that the user equipment 20 side may be consistent with the office equipment 10 side, and certainly, the duration of the predetermined time period does not have to be consistent with the duration of the first preset time, as long as the difference between the two is not large.
In practical applications, the user may leave temporarily during the process of using the office system, the leaving time may be less than a first predetermined time, in order to ensure the safety of the office system during this time, a predetermined threshold may be further set, the duration of the predetermined threshold is less than the duration of the first predetermined time, for example, the duration of the first predetermined time is 5 minutes, and the duration of the predetermined threshold is 1 minute, and in case that the user leaves beyond the predetermined threshold, in order to ensure the safety of the office system, the user equipment 10 may perform a second safety control operation, for example, locking the screen, etc. Therefore, in an optional implementation manner of the embodiment of the present invention, in a case that the office device 10 does not scan the second authentication factor sent by the user device 20, before determining whether the time interval from the last scanning to the second authentication factor sent by the user device 20 exceeds the first predetermined time, the office device 10 first determines whether the time interval from the last scanning to the second authentication factor sent by the user device 20 exceeds a predetermined threshold, if not, continues to monitor whether the next authentication scanning period is reached, otherwise, executes a corresponding second security control operation according to a predetermined security policy, then determines whether the time interval from the last scanning to the second authentication factor sent by the user device 20 exceeds the first predetermined time, and executes a corresponding operation according to the determination result. In this embodiment, the second security control operation is different from the first security control operation, so that different security control policies can be set according to different time periods when the user leaves, and multi-level security control can be performed, so as to provide convenience for the user while ensuring security.
Example 2
The embodiment of the invention provides a safety control method, which can be realized by the safety control system described in the embodiment 1.
Fig. 2 is a flowchart of a safety control method according to an embodiment of the present invention, and as shown in fig. 2, the method mainly includes the following steps:
step 201, the office equipment establishes a short-range wireless communication connection with the user equipment.
In a specific application, wireless communication may be established between the office device and the user device through bluetooth, WIFI, or the like, which is not limited in this embodiment.
In a specific application, before the wireless communication connection is established between the office equipment and the user equipment, the user equipment can perform identity authentication in a card swiping mode, a code scanning mode and the like. For example, a card reading module is arranged on office equipment, when a user needs to log in an office system, user equipment (which may be a smart card) is placed at the card reading module of the office equipment for swiping a card, the office equipment reads identity authentication information stored in the user equipment, the identity authentication information may be a user name, a password and the like, then the office equipment performs identity authentication on the read identity authentication information, and after the identity authentication passes, secure login is completed.
When the wireless communication connection is established between the office equipment and the user equipment, the office equipment and the user equipment can exchange equipment information of both parties, and the wireless communication connection is established through the exchanged equipment information, for example, if the Bluetooth connection is established between the office equipment and the user equipment, the Bluetooth connection information can be exchanged between the office equipment and the user equipment, the Bluetooth pairing is carried out, and the Bluetooth connection is completed, wherein, the device information of the user device can be stored in the user device, the office device reads from the user device through the card reading module of the office device, and then establishes wireless communication connection with the user device, or, the user may also open both the wireless communication functions of the user equipment and the office equipment, the user equipment broadcasts the equipment information thereof, and the office equipment establishes a wireless connection with the user equipment after scanning the equipment information, and the specific manner is not limited in this embodiment.
Step 202, the office equipment and the user equipment perform authentication factor negotiation to obtain at least an initial authentication factor, and the initial authentication factor is used as a current first authentication factor of the office equipment.
In a specific application, the office equipment and the user equipment perform authentication factor negotiation, the office equipment and the user equipment at least obtain an initial authentication factor, and the office equipment and the user equipment respectively use the initial authentication factor as a current first authentication factor of the office equipment and a current second authentication factor of the user equipment. In a specific application, after the office device passes the identity authentication of the user device, the office device and the user device may negotiate an authentication factor.
In an alternative implementation of the embodiment of the present invention, the authentication factor may be a key. For example, when the office device and the user device negotiate the authentication factor, the office device and the user device may establish a secure channel first, and then the office device and the user device negotiate and generate an initial transmission key, and use the transmission key as the authentication factor.
In a specific application, in order to ensure the security of a transmission key, when the office equipment and the user equipment establish a security channel, mutual identity authentication can be performed through public and private key pairs of the office equipment and the user equipment, for example, the office equipment can generate a random number, the random number is signed by using a private key of the office equipment, signature data and the random number are sent to the user equipment, the user equipment uses a public key of the office equipment to check and sign the received signature data, the identity of the office equipment is confirmed if the check and sign pass, the user equipment can sign the received random number by using a private key of the user equipment, the signature data obtained by signature is sent to the office equipment, the office equipment uses the public key of the user equipment to check and sign the received signature data, and the identity of the user equipment is confirmed if the check and sign pass. Of course, in practical application, the office device and the user device may also perform mutual identity authentication in other manners, and the specific embodiment is not limited in this embodiment.
In another optional implementation manner of the embodiment of the present invention, the authentication factor may also be a time value of a local clock of the office equipment and the user equipment. In this optional embodiment, the office device and the user device perform time synchronization when negotiating the authentication factor, and after the time synchronization, the office device and the user device each use a current value of the local clock as an initial authentication factor.
Alternatively, in another optional implementation manner of the embodiment of the present invention, the authentication factor may also be a value of a local counter of the office device and the user device. In this alternative embodiment, when negotiating the authentication factor, the office device and the user device determine that the initial values of the local counters of each other are the same, and then the office device and the user device use the current values of the local counters as the initial authentication factors. In a specific application, the local counters of the office device and the user device are used for recording the number of times of the same event, for example, the number of scrolling times of the local authentication factor may be recorded, that is, each time the current value of the first authentication factor of the office device changes once, the value of the local counter of the office device is incremented by 1, and similarly, each time the current value of the second authentication factor of the user device changes once, the value of the local counter of the user device side is incremented by 1, so that the values of the counters of the office device and the user device may be ensured to be consistent.
In step 203, the office equipment monitors whether a preset authentication factor rolling period and an authentication scanning period are reached, and if the preset authentication factor rolling period is monitored, step 204 is executed, and if the preset authentication factor rolling period is monitored, step 205 is executed.
In a specific application, the office device and the user device may agree in advance on the authentication factor rolling period, and monitor whether the authentication factor rolling period and the authentication scanning period are reached, for the office device, in the case that the authentication factor rolling period is monitored, step 204 is executed, and in the case that the authentication scanning period is monitored, step 205 is executed.
In an optional implementation manner of the embodiment of the present invention, in order to ensure the safety of some key operations, after the office equipment completes authentication factor negotiation with the user equipment, it is simultaneously monitored whether a predetermined key event occurs, and when the occurrence of the key event is monitored, the office equipment starts the camera device to collect face data of the user, and determines whether the collected face data matches with authenticated face data stored in the office equipment, if so, the monitoring is continued, otherwise, a first safety control operation is executed. In this optional embodiment, the authenticated face data stored in the office device may be input by the user at the time of registration, or may be input at other times, for example, before the user needs to activate some specific functions, which is not limited in this embodiment. Through the optional implementation mode, the office equipment can verify the face of the current operator before certain key operations are executed, so that the identity of the current user is further ensured, and the account number of the user is prevented from being stolen.
In the above alternative embodiment, the predetermined key event includes, but is not limited to, at least one of:
(1) the office equipment and the user equipment negotiate an authentication factor to complete; that is, after the office equipment negotiates with the user equipment for the authentication factor, the office equipment acquires the face information of the user and authenticates the acquired face information. Through the optional implementation mode, the office equipment can start the authentication factor scrolling and the authentication scanning after the identity of the user is ensured, and the process can be saved.
(2) The office equipment receives an encryption input instruction; in this optional embodiment, the office system is provided with an encryption input function, that is, information input by a user through a keyboard is encrypted information, when the user inputs an encryption input instruction, the function is started, and when the user starts the function, the office equipment collects face information of the user and authenticates the collected face information. With this alternative embodiment, the office equipment can turn on the encryption input function with the identity of the user ensured.
(3) The office equipment receives the password input instruction. That is, in this optional embodiment, when the office device needs to input a password (for example, a PIN code or the like) to the office system, the face information of the user is collected first, and the collected face information is authenticated. Through the optional implementation mode, the office equipment can ensure the security of the password by enabling the user to input the password under the condition of ensuring the identity of the user.
Step 204, obtaining the next authentication factor of the current first authentication factor of the office equipment according to the authentication factor rolling mode appointed by the user equipment, taking the next authentication factor as the current first authentication factor of the office equipment, and returning to step 203.
Similarly, after the user equipment completes the negotiation with the office equipment authentication factor, the initial authentication factor obtained by the negotiation is used as the current second authentication factor of the user equipment, whether the preset authentication factor rolling period is reached is monitored, when the authentication factor rolling period is reached, the next second authentication factor of the current second authentication factor of the user equipment is obtained according to the authentication factor rolling mode appointed with the office equipment, and the next second authentication factor is used as the current second authentication factor of the user equipment, so that the second authentication factor at the user equipment side is ensured to be synchronous with the first authentication factor at the office equipment side.
In the embodiment of the present invention, when the office device and the user device perform authentication factor scrolling, the authentication factor scrolling may be performed in different manners according to different types of authentication factors used specifically, which is described below by taking the office device as an example, and for the user device, the authentication factor scrolling is performed in a manner corresponding to the office device.
In an alternative implementation of the embodiment of the present invention, the office equipment may perform authentication factor scrolling in one of the following ways:
(1) selecting a next authentication factor of a current first authentication factor of office equipment from an authentication factor pool according to a preset strategy, wherein the authentication factor pool comprises a plurality of authentication factors including the initial authentication factor; that is, in this embodiment, a same authentication factor pool is set in each of the office device and the user device, and the authentication factor scrolling manner is agreed in the preset policy, for example, according to the sorting, the circular sequence scrolling, or the circular scrolling with an interval of one authentication factor in the authentication factor pool, the office device and the user device can obtain the next authentication factor of the current authentication factor according to the preset policy.
For example, assuming that the authentication factors stored in the pool of authentication factors are shown in table 1, the preset strategy for authentication factor scrolling is to cyclically scroll by one authentication factor. If the current authentication factor is M2, the next authentication factor of the current authentication factor is M4. If the current authentication factor is M8, the next authentication factor of the current authentication factor is M1.
TABLE 1 authentication factor pool
Serial number 1 2 3 4 5 6 7 8 9
Authentication factor M1 M2 M3 M4 M5 M6 M7 M8 M9
In this embodiment, each authentication factor in the authentication factor pool may be negotiated when the office device and the user equipment perform authentication factor negotiation, that is, taking table 1 as an example, 9 authentication factors are negotiated when the office device and the user equipment perform authentication factor negotiation, where M1 is an initial authentication factor. Or, the office device and the user device may also negotiate only an initial authentication factor when performing authentication factor negotiation, and then the office device and the user device calculate other authentication factors in the authentication factor pool according to the same algorithm, which manner is specifically adopted may be determined according to actual application, and the embodiment is not limited in this embodiment.
(2) The office equipment calculates a current first authentication factor of the office equipment or preset parameters for generating the current first authentication factor of the office equipment according to an authentication factor algorithm negotiated with the user equipment to obtain a next authentication factor of the current first authentication factor of the office equipment; that is, in this embodiment, the office device and the user device update the currently used authentication factor every authentication factor rolling period to obtain a new authentication factor, and use the new authentication factor as the current authentication factor. In a specific application, the office device may calculate the current first authentication factor to obtain a next authentication factor of the current first authentication factor, for example, perform MAC operation on the current first authentication factor, or perform MAC operation on the current first authentication factor + the current time. Alternatively, the office device may calculate a preset parameter for generating the current first authentication factor of the office device, for example, assuming that the current first authentication factor Mi ═ f (xi) of the office device, xi is a preset parameter, and when the authentication factor rolling period arrives, the preset parameter is updated, xi ═ g (xi) may be set, and then a new authentication factor may be calculated using the updated xi, so as to obtain a next authentication factor of the current first authentication factor.
(3) The office equipment reads the current value of the authentication factor calculator, and the current value of the authentication factor calculator is used as the next authentication factor of the current first authentication factor of the office equipment. In this optional implementation, the authentication factor calculator may be a timer, a counter, or the like, and the embodiment is not limited in this embodiment. The office device and the user device may record the same start time or the same value as the counter when performing authentication factor negotiation, and in the case that the authentication factor calculator is the counter, the counters of the office device and the user device are used for recording the number of times of occurrence of the same event, for example, the number of times of rolling of the authentication factor.
In the above optional embodiment, the timer may be a local clock of the office device and a local clock of the user equipment, in which case, when the office device and the user equipment perform authentication factor negotiation, clock synchronization may be performed; or, the timer may also be specially set for the authentication factor by the office device and the user device, and is used to record the value of the current authentication factor, in this case, when the office device and the user device perform the authentication factor negotiation, the start time of the timer used by both the office device and the user device to record the current authentication factor may be set to be the same value.
Step 205, the office equipment sends a scanning instruction to the user equipment, scans the second authentication factor sent by the user equipment, executes step 206 if the second authentication factor sent by the user equipment is scanned, and executes step 207 if the second authentication factor sent by the user equipment is not scanned.
In the embodiment of the present invention, the user equipment may send the current second authentication factor of the user equipment when receiving the scanning authentication instruction sent by the office equipment. Or, in an optional implementation manner of the embodiment of the present invention, in order to save the power of the user equipment, the user equipment may enter a sleep state after performing authentication factor negotiation with the office equipment, and then wake up once every predetermined wake-up period, and during the wake-up period, broadcast the current second authentication factor of the user equipment. Through the optional implementation mode, the electric energy of the user equipment can be saved, and the service time of a battery of the user equipment is prolonged.
In step 206, the office equipment determines whether the scanned second authentication factor is consistent with the current first authentication factor of the office equipment, and if so, returns to step 203, otherwise, executes step 209.
Under the condition that the office equipment judges that the scanned second authentication factor is consistent with the current first authentication factor of the office equipment, the office equipment indicates that the user of the currently used office equipment is consistent with the current binding of the office equipment and the user does not leave the office equipment, therefore, the office equipment returns to the step 203, whether the authentication factor rolling period and the authentication scanning period reach is continuously monitored, if not, the user of the currently used office equipment is inconsistent with the current binding of the office equipment, and therefore, the office equipment executes the step 209 and executes the first safety control operation.
Step 207, the office equipment judges whether the time interval from the last scanning of the current distance to the second authentication factor sent by the user equipment exceeds a first preset time, if so, step 209 is executed, otherwise, step 208 is executed.
Step 208, after waiting for a second predetermined time, the office equipment sends a scanning instruction to the user equipment, scans the second authentication factor sent by the user equipment, executes step 206 if the second authentication factor sent by the user equipment is scanned, and executes step 207 if the second authentication factor sent by the user equipment is not scanned, wherein the second predetermined time is less than the first predetermined time.
That is, in the embodiment of the present invention, when an authentication scanning period arrives, if the second authentication factor sent by the user equipment is not scanned, the office equipment may shorten the scanning period, and scan the second authentication factor sent by the user equipment, so as to authenticate the second authentication factor of the user equipment in time.
In step 209, the office equipment performs a corresponding first security control operation according to a predetermined security policy.
In an optional implementation manner of the embodiment of the present invention, in a case that the office device does not scan the second authentication factor sent by the user device, before determining whether a time interval from the last scanning of the office device to the second authentication factor sent by the user device exceeds a first preset time, it may first determine whether the time interval from the last scanning of the office device to the second authentication factor sent by the user device exceeds a predetermined threshold, if so, first perform a corresponding second security control operation according to a predetermined security policy, and then perform step S207 to determine whether the time interval from the last scanning of the office device to the second authentication factor sent by the user device exceeds the first preset time. Wherein the time value indicated by the predetermined threshold is smaller than the time value indicated by the first preset time.
In the above alternative embodiment, the first safety control operation and the second safety control operation are different safety operations, and in a specific application, the first safety control operation may be a more strict safety control operation than the second safety control operation, for example, the first safety control operation may include: and sending an instruction of logging out the system to a main processor of the office equipment and/or sending a shutdown instruction to the main processor of the office equipment. And the second safety control operation may include: and sending a screen locking instruction to a main processor of the office equipment and/or sending an alarm instruction to an alarm of the office equipment and the like. With this alternative embodiment, a hierarchical security control strategy may be implemented to provide convenience for the user while ensuring security, for example, in a specific application, the predetermined threshold may be set to 5 minutes, the first preset time may be set to minutes, the office device does not scan the second authentication factor sent by the user device within 5 minutes, then perform a second security control operation, send a screen locking instruction to the main processor of the office device and/or send an alarm instruction to the alarm of the office device, the host locks the screen and/or alarms, but the office device maintains the scrolling of the authentication factor, if the second authentication factor sent by the user device is received within 5 minutes, authenticate the received second authentication factor, after the authentication is passed, continue to maintain the scrolling of the authentication factor, and periodically scan the second authentication factor sent by the user device, and if the second authentication factor sent by the user equipment is not received in the minute, executing a first safety control operation, sending a command of logging out of the system to a main processor of the office equipment and/or sending a shutdown command to the main processor of the office equipment, and after receiving the command, executing corresponding operation, wherein the office equipment exits the current flow and does not execute authentication factor rolling and regular scanning of the authentication factor.
In the embodiment of the invention, under the condition that the office equipment does not scan the second authentication factor sent by the user equipment within the first preset time, the fact that the time when the user equipment is far away from the office equipment exceeds the first preset time is indicated, and the user equipment is carried on the user, so that the user can be judged to be far away from the office equipment. In an optional implementation manner of the embodiment of the present invention, in order to facilitate next use by the user, after the office device executes the corresponding first security control operation according to the predetermined security policy, the office device may delete all the authentication factors stored locally, so as to facilitate subsequent use of the office device.
In an optional implementation manner of the embodiment of the present invention, the user equipment 20 may also determine whether the user is far away from the office equipment 10, and in this optional implementation manner, after the office equipment 10 performs authentication factor negotiation with the user equipment 20, the method may further include: and the user equipment judges whether a scanning authentication instruction sent by the office equipment is received or not within first preset time, if so, the user equipment sends the current second authentication factor of the user equipment, and otherwise, the user equipment deletes all the second authentication factors stored locally. In this optional embodiment, the duration of the predetermined time period may be the same as the duration of the first preset time determined by the office equipment 10, so that the user equipment side may be consistent with the office equipment side, and certainly, the duration of the predetermined time period does not have to be consistent with the duration of the first preset time, as long as the difference between the two is not large.
According to the security control method provided by the embodiment of the invention, the office equipment and the user equipment establish close-range wireless communication connection, negotiate the authentication factor, update the authentication factor according to the preset authentication factor rolling period, scan the authentication factor sent by the user equipment according to the preset authentication scanning period, and execute the first security control operation under the condition that the authentication factor sent by the user equipment is not scanned within the preset time interval, so that whether the user leaves the office equipment or not can be monitored in real time after the user logs in, and the security control operation is executed under the condition that the user leaves the office equipment for more than the preset time, thereby avoiding the problems of information leakage or illegal attack on the office system and the like caused by illegal use of the office system by other users during the leaving of the user.
Example 3
This embodiment provides a security control apparatus, which can be provided in the office equipment described in embodiment 1, for executing the security control method described in embodiment 2.
Fig. 3 is a schematic structural diagram of a safety control device provided in this embodiment, and as shown in fig. 3, the safety control device mainly includes: a communication establishment module 301, an authentication factor negotiation module 302, a period monitoring module 303, an authentication factor rolling module 304, a heartbeat detection module 305, an authentication factor verification module 306, a reconnection verification module 307, a reconnection data monitoring module 308, and a security control module 309. The following mainly describes the functions of the respective modules of the safety control device, and for other matters, reference may be made to the descriptions of embodiment 1 and embodiment 2.
In the embodiment of the present invention, the communication establishing module 301 is configured to establish a short-range wireless communication connection with a user equipment; an authentication factor negotiation module 302, configured to perform mutual authentication with the user equipment and negotiate an authentication factor, so as to obtain at least an initial authentication factor, where the initial authentication factor is used as a current first authentication factor of the office equipment; a period monitoring module 303, configured to monitor whether a predetermined authentication factor rolling period or an authentication scanning period is reached, trigger the authentication factor rolling module 304 when the predetermined authentication factor rolling period is reached, and trigger the heartbeat detecting module 305 when the predetermined authentication factor rolling period is reached; the authentication factor rolling module 304 is configured to obtain a next authentication factor of the current first authentication factor of the office device according to an authentication factor rolling manner agreed with the user device, and trigger the period monitoring module 303 by using the next authentication factor as the current first authentication factor of the office device; the heartbeat detection module 305 is configured to send a scan authentication instruction to the user equipment, scan a second authentication factor sent by the user equipment, trigger an authentication factor verification module 306 when the second authentication factor sent by the user equipment is scanned, and trigger a loopback verification module 307 when the second authentication factor sent by the user equipment is not scanned; the authentication factor verification module 306 is configured to determine whether the scanned second authentication factor is consistent with the current first authentication factor of the office device, and if so, trigger the period monitoring module 303, otherwise, trigger the security control module 309; the reconnection verification module 307 is configured to determine whether a time interval between the current time and the last time of scanning the second authentication factor broadcasted by the ue exceeds a first predetermined time, if so, trigger the security control module 309, otherwise trigger the reconnection data monitoring module 308; the reconnection data monitoring module 308 is configured to send a scanning instruction to the user equipment after waiting for a second predetermined time, scan a second authentication factor sent by the user equipment, trigger the authentication factor verification module 306 when the second authentication factor sent by the user equipment is scanned, and trigger the reconnection verification module 307 when the second authentication factor sent by the user equipment is not scanned, where the second predetermined time is less than the first predetermined time; the security control module 309 is configured to execute a corresponding first security control operation according to a predetermined security policy.
Through the safety control device provided by the embodiment of the invention, the short-distance wireless communication connection is established with the user equipment, the authentication factor is negotiated, the authentication factor is updated according to the rolling period of the preset authentication factor, the authentication factor sent by the user equipment is scanned according to the preset authentication scanning period, and the safety control operation is executed under the condition that the authentication factor sent by the user equipment is not scanned within the preset time interval, so that whether the user leaves the office equipment or not can be monitored in real time after the user logs in, and the safety control operation is executed under the condition that the user leaves the office equipment for more than the preset time, thereby avoiding the problems of information leakage or illegal attack on the office system and the like caused by illegal use of other users during the leaving of the user.
In an optional implementation manner of the embodiment of the present invention, the apparatus may further: a face verification module; the period monitoring module 303 is further configured to determine whether a predetermined key event occurs, and trigger the face verification module when the occurrence of the key event is detected; and the face verification module is used for starting the camera device to collect face data of a user, judging whether the collected face data is matched with the authentication face data stored in the office equipment, if so, triggering the period monitoring module 303, and otherwise, triggering the safety control module 309.
In an optional implementation manner of the embodiment of the present invention, the authentication factor scrolling module 304 may obtain the next authentication factor of the current first authentication factor of the office device in the following manner:
selecting a next authentication factor of the current first authentication factor of the office equipment from an authentication factor pool according to a preset strategy, wherein the authentication factor pool comprises a plurality of authentication factors including the initial authentication factor; alternatively, the first and second electrodes may be,
calculating the current first authentication factor of the office equipment or the preset parameter for generating the current first authentication factor of the office equipment according to the authentication factor algorithm negotiated with the user equipment to obtain the next authentication factor of the current first authentication factor of the office equipment; or
And reading the current value of the authentication factor calculator, and taking the current value of the authentication factor calculator as the next authentication factor of the current first authentication factor of the office equipment.
In an optional implementation manner of the embodiment of the present invention, the apparatus may further include: a key clearing module, configured to delete all authentication factors stored in the office device after the security control module 309 performs the first security control operation.
In an optional implementation manner of the embodiment of the present invention, the apparatus may further include: a threshold detection module, configured to, when the heartbeat detection module 305 does not scan the second authentication factor sent by the ue, before triggering the reconnection verification module 307, determine whether a time interval between the current time and the last time when the second authentication factor sent by the ue is scanned exceeds a predetermined threshold, if not, trigger the period detection module 303, otherwise, execute a corresponding second security control operation according to a predetermined security policy, and then trigger the reconnection verification module 307.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made in the above embodiments by those of ordinary skill in the art without departing from the principle and spirit of the present invention. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (14)

1. A safety control method, comprising:
step 1, office equipment and user equipment establish close range wireless communication connection;
step 2, the office equipment and the user equipment carry out authentication factor negotiation to at least obtain an initial authentication factor, and the initial authentication factor is used as a current first authentication factor of the office equipment;
step 3, the office equipment monitors whether a preset authentication factor rolling period and an authentication scanning period are reached, if so, step 4 is executed, and if so, step 5 is executed;
step 4, acquiring a next authentication factor of the current first authentication factor of the office equipment according to an authentication factor rolling mode appointed by the user equipment, taking the next authentication factor as the current first authentication factor of the office equipment, and returning to the step 3;
step 5, the office equipment sends a scanning instruction to the user equipment, scans a second authentication factor sent by the user equipment, executes step 6 under the condition that the second authentication factor sent by the user equipment is scanned, and executes step 7 under the condition that the second authentication factor sent by the user equipment is not scanned;
step 6, the office equipment judges whether the scanned second authentication factor is consistent with the current first authentication factor of the office equipment, if so, the step 3 is returned, otherwise, the step 9 is executed;
step 7, the office equipment judges whether the time interval from the last scanning of the current distance to the second authentication factor sent by the user equipment exceeds a first preset time, if so, step 9 is executed, otherwise, step 8 is executed;
step 8, after waiting for a second preset time, the office equipment sends a scanning instruction to the user equipment, scans a second authentication factor sent by the user equipment, executes step 6 under the condition that the second authentication factor sent by the user equipment is scanned, and executes step 7 under the condition that the second authentication factor sent by the user equipment is not scanned, wherein the second preset time is less than the first preset time;
step 9, the office equipment executes corresponding first security control operation according to a preset security policy;
wherein:
acquiring a next authentication factor of the current first authentication factor of the office equipment according to an authentication factor rolling mode appointed by the user equipment, wherein the authentication factor rolling mode comprises the following steps:
the office equipment selects a next authentication factor of a current first authentication factor of the office equipment from an authentication factor pool according to a preset strategy, wherein the authentication factor pool comprises a plurality of authentication factors including the initial authentication factor; alternatively, the first and second electrodes may be,
the office equipment calculates a current first authentication factor of the office equipment or preset parameters for generating the current first authentication factor of the office equipment according to an authentication factor algorithm negotiated with the user equipment to obtain a next authentication factor of the current first authentication factor of the office equipment; or
The office equipment reads the current value of an authentication factor calculator, and the current value of the authentication factor calculator is used as the next authentication factor of the current first authentication factor of the office equipment;
the second authentication factor is obtained by: after the user equipment completes the negotiation with the office equipment authentication factor, the initial authentication factor obtained through the negotiation is used as the current second authentication factor of the user equipment, whether a preset authentication factor rolling period is reached is monitored, when the authentication factor rolling period is reached, the next second authentication factor of the current second authentication factor of the user equipment is obtained according to the authentication factor rolling mode appointed with the office equipment, and the next second authentication factor is used as the current second authentication factor of the user equipment to ensure that the second authentication factor at the user equipment side is synchronous with the first authentication factor at the office equipment side.
2. The method of claim 1,
the step 3 further comprises: the office equipment monitors whether a preset key event occurs or not, and executes the step 10 under the condition that the key event occurs;
and step 10, the office equipment starts a camera device to collect the face data of the user, whether the collected face data is matched with the authentication face data stored in the office equipment is judged, if yes, the step 3 is returned, and if not, the step 9 is executed.
3. The method of claim 2, wherein the predetermined key events include at least one of: the office equipment and the user equipment negotiate authentication factors and complete, the office equipment receives an encryption input instruction, and the office equipment receives a password input instruction.
4. The method according to any one of claims 1 to 3,
after the office equipment performs the corresponding first security control operation according to the predetermined security policy, the method further includes: and the office equipment deletes all the authentication factors stored locally.
5. The method according to any one of claims 1 to 3, wherein after the office device and the user device perform authentication factor negotiation, the method further comprises:
the user equipment enters a dormant state, is awakened once every preset awakening period, and broadcasts the current second authentication factor of the user equipment during the awakening period.
6. The method according to any one of claims 1 to 3, wherein after the office device and the user device perform authentication factor negotiation, the method further comprises:
and the user equipment judges whether a scanning authentication instruction sent by the office equipment is received or not within the first preset time, if so, the user equipment sends a current second authentication factor of the user equipment, and otherwise, the user equipment deletes all second authentication factors stored locally.
7. The method according to any of claims 1 to 3, wherein in step 5, in case that the second authentication factor sent by the user equipment is not scanned, before performing step 7, the method further comprises:
and the office equipment judges whether the time interval from the last scanning of the current distance to the second authentication factor sent by the user equipment exceeds a preset threshold, if not, the step 3 is returned, if yes, the corresponding second security control operation is executed according to a preset security policy, and then the step 7 is executed.
8. A security control apparatus in an office machine, comprising:
the communication establishing module is used for establishing short-distance wireless communication connection with the user equipment;
the authentication factor negotiation module is used for performing mutual authentication with the user equipment and negotiating authentication factors to at least obtain an initial authentication factor, and the initial authentication factor is used as a current first authentication factor of the office equipment;
the period monitoring module is used for monitoring whether a preset authentication factor rolling period or an authentication scanning period is reached, triggering the authentication factor rolling module under the condition that the authentication factor rolling period is reached, and triggering the heartbeat detection module under the condition that the authentication scanning period is reached;
the authentication factor rolling module is configured to obtain a next authentication factor of the current first authentication factor of the office device according to an authentication factor rolling manner agreed with the user device, and trigger the period monitoring module by using the next authentication factor as the current first authentication factor of the office device;
the heartbeat detection module is used for sending a scanning authentication instruction to the user equipment, scanning a second authentication factor sent by the user equipment, triggering an authentication factor verification module under the condition that the second authentication factor sent by the user equipment is scanned, and triggering a back connection verification module under the condition that the second authentication factor sent by the user equipment is not scanned;
the authentication factor verification module is used for judging whether the scanned second authentication factor is consistent with the current first authentication factor of the office equipment or not, and triggering the period monitoring module under the condition of consistency, otherwise, triggering the safety control module;
the reconnection verification module is used for judging whether the time interval from the last scanning of the current distance to the second authentication factor broadcasted by the user equipment exceeds a first preset time, if so, triggering the safety control module, and otherwise, triggering the reconnection data monitoring module;
the reconnection data monitoring module is used for sending a scanning instruction to the user equipment after waiting for second preset time, scanning a second authentication factor sent by the user equipment, triggering the authentication factor verification module under the condition that the second authentication factor sent by the user equipment is scanned, and triggering the reconnection verification module under the condition that the second authentication factor sent by the user equipment is not scanned, wherein the second preset time is less than the first preset time;
the safety control module is used for executing corresponding first safety control operation according to a preset safety strategy;
wherein:
the authentication factor rolling module acquires the next authentication factor of the current first authentication factor of the office equipment according to the following modes:
selecting a next authentication factor of the current first authentication factor of the office equipment from an authentication factor pool according to a preset strategy, wherein the authentication factor pool comprises a plurality of authentication factors including the initial authentication factor; alternatively, the first and second electrodes may be,
calculating the current first authentication factor of the office equipment or the preset parameter for generating the current first authentication factor of the office equipment according to the authentication factor algorithm negotiated with the user equipment to obtain the next authentication factor of the current first authentication factor of the office equipment; or
Reading the current value of an authentication factor calculator, and taking the current value of the authentication factor calculator as the next authentication factor of the current first authentication factor of the office equipment;
the second authentication factor is obtained by: after the user equipment completes the negotiation with the office equipment authentication factor, the initial authentication factor obtained through the negotiation is used as the current second authentication factor of the user equipment, whether a preset authentication factor rolling period is reached is monitored, when the authentication factor rolling period is reached, the next second authentication factor of the current second authentication factor of the user equipment is obtained according to the authentication factor rolling mode appointed with the office equipment, and the next second authentication factor is used as the current second authentication factor of the user equipment to ensure that the second authentication factor at the user equipment side is synchronous with the first authentication factor at the office equipment side.
9. The apparatus of claim 8, further comprising: a face verification module;
the period monitoring module is also used for judging whether a preset key event occurs or not, and triggering the face verification module under the condition that the key event occurs is monitored;
the face verification module is used for starting the camera device to collect face data of a user, judging whether the collected face data is matched with the authentication face data stored in the office equipment or not, if so, triggering the period monitoring module, otherwise, triggering the safety control module.
10. The apparatus of any one of claims 8 to 9, further comprising:
and the key clearing module is used for deleting all the authentication factors stored in the office equipment after the security control module executes the first security control operation.
11. The apparatus of any one of claims 8 to 9, further comprising:
a threshold detection module, configured to, when the heartbeat detection module does not scan the second authentication factor sent by the user equipment, before triggering the reconnection verification module, determine whether a time interval between the current time and the last time when the second authentication factor sent by the user equipment is scanned exceeds a predetermined threshold, if not, trigger the period monitoring module, otherwise, execute a corresponding second security control operation according to a predetermined security policy, and then trigger the reconnection verification module.
12. A security control system comprising office equipment and user equipment, wherein,
the office equipment comprising the apparatus of any of claims 8 to 11;
the user equipment is configured to: establishing a close range wireless communication connection with the office equipment; carrying out authentication factor negotiation with the user equipment to obtain an initial authentication factor, and taking the initial authentication factor as a current second authentication factor of the user equipment; receiving a scanning authentication instruction sent by the office equipment, and sending a current second authentication factor of the user equipment; and when the authentication factor rolling period is monitored to be reached, acquiring a next second authentication factor of the current second authentication factor of the user equipment according to an authentication factor rolling mode appointed by the office equipment, and taking the next second authentication factor as the current second authentication factor of the user equipment.
13. The system according to claim 12, wherein the user equipment is further configured to delete all second authentication factors stored locally if the scan authentication instruction sent by the office equipment is not received within a predetermined time period.
14. The system according to claim 12, wherein the ue is further configured to enter a sleep state after performing authentication factor negotiation with the ue, wake up once every predetermined wake-up period, and broadcast a current second authentication factor of the ue during the wake-up period.
CN201910560952.1A 2019-06-26 2019-06-26 Safety control method, device and system Active CN112152810B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910560952.1A CN112152810B (en) 2019-06-26 2019-06-26 Safety control method, device and system
PCT/CN2020/093218 WO2020259203A1 (en) 2019-06-26 2020-05-29 Security control method, apparatus and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910560952.1A CN112152810B (en) 2019-06-26 2019-06-26 Safety control method, device and system

Publications (2)

Publication Number Publication Date
CN112152810A CN112152810A (en) 2020-12-29
CN112152810B true CN112152810B (en) 2022-02-22

Family

ID=73869849

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910560952.1A Active CN112152810B (en) 2019-06-26 2019-06-26 Safety control method, device and system

Country Status (2)

Country Link
CN (1) CN112152810B (en)
WO (1) WO2020259203A1 (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101872392A (en) * 2009-04-23 2010-10-27 陶梦曦 Computer dynamic security certification method
CN102047708A (en) * 2008-05-28 2011-05-04 微软公司 Techniques to provision and manage a digital telephone to authenticate with a network
WO2011054044A1 (en) * 2009-11-06 2011-05-12 Emue Holdings Pty Ltd A method and a system for validating identifiers
CN102685330A (en) * 2012-05-15 2012-09-19 江苏中科梦兰电子科技有限公司 Method for logging in operation system by taking cell phone as authentication tool
CN103488932A (en) * 2013-10-16 2014-01-01 重庆邮电大学 Desktop security intercommunication system for mobile device and personal computer and implementation method thereof
CN104363226A (en) * 2014-11-12 2015-02-18 深圳市腾讯计算机系统有限公司 Method, device and system for logging in operating system
EP2925037A1 (en) * 2014-03-28 2015-09-30 Nxp B.V. NFC-based authorization of access to data from a third party device
CN105681328A (en) * 2016-02-26 2016-06-15 安徽华米信息科技有限公司 Electronic device controlling method and device as well as electronic device
CN105744468A (en) * 2016-02-03 2016-07-06 重庆邮电大学 Attendance monitoring method and system based on Bluetooth communication technology
CN105893802A (en) * 2016-03-29 2016-08-24 四川效率源信息安全技术股份有限公司 Method for locking/unlocking computer screen based on Bluetooth
CN106792436A (en) * 2016-11-21 2017-05-31 深圳市金立通信设备有限公司 A kind of method of switch mode, first terminal and second terminal
CN108322507A (en) * 2017-12-28 2018-07-24 天地融科技股份有限公司 A kind of method and system executing safety operation using safety equipment

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7877790B2 (en) * 2005-10-31 2011-01-25 At&T Intellectual Property I, L.P. System and method of using personal data
CN102136048B (en) * 2011-03-28 2012-12-19 东南大学 Mobile phone Bluetooth-based ambient intelligent computer protection device and method
WO2015116166A1 (en) * 2014-01-31 2015-08-06 Hewlett-Packard Development Company, L.P. Authentication system and method
CN107733872B (en) * 2017-09-18 2022-03-25 北京小米移动软件有限公司 Information printing method and device
CN108846270A (en) * 2018-06-30 2018-11-20 常州大学 A kind of computer security login safeguards system
CN109583160A (en) * 2018-11-21 2019-04-05 安徽云融信息技术有限公司 Computer opening identity authentication system and its authentication method

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102047708A (en) * 2008-05-28 2011-05-04 微软公司 Techniques to provision and manage a digital telephone to authenticate with a network
CN101872392A (en) * 2009-04-23 2010-10-27 陶梦曦 Computer dynamic security certification method
WO2011054044A1 (en) * 2009-11-06 2011-05-12 Emue Holdings Pty Ltd A method and a system for validating identifiers
CN102685330A (en) * 2012-05-15 2012-09-19 江苏中科梦兰电子科技有限公司 Method for logging in operation system by taking cell phone as authentication tool
CN103488932A (en) * 2013-10-16 2014-01-01 重庆邮电大学 Desktop security intercommunication system for mobile device and personal computer and implementation method thereof
EP2925037A1 (en) * 2014-03-28 2015-09-30 Nxp B.V. NFC-based authorization of access to data from a third party device
CN104363226A (en) * 2014-11-12 2015-02-18 深圳市腾讯计算机系统有限公司 Method, device and system for logging in operating system
CN105744468A (en) * 2016-02-03 2016-07-06 重庆邮电大学 Attendance monitoring method and system based on Bluetooth communication technology
CN105681328A (en) * 2016-02-26 2016-06-15 安徽华米信息科技有限公司 Electronic device controlling method and device as well as electronic device
CN105893802A (en) * 2016-03-29 2016-08-24 四川效率源信息安全技术股份有限公司 Method for locking/unlocking computer screen based on Bluetooth
CN106792436A (en) * 2016-11-21 2017-05-31 深圳市金立通信设备有限公司 A kind of method of switch mode, first terminal and second terminal
CN108322507A (en) * 2017-12-28 2018-07-24 天地融科技股份有限公司 A kind of method and system executing safety operation using safety equipment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"A very simple user access control technique through smart device authentication using Bluetooth communication";Sohum Misra;《International Conference on Electronics, Communication and Instrumentation (ICECI)》;20140317;全文 *
"基于蓝牙模块的双因子身份认证机制的设计与实现";祁树壮;《中国优秀硕士学位论文全文数据库 信息科技辑》;20160715;全文 *

Also Published As

Publication number Publication date
CN112152810A (en) 2020-12-29
WO2020259203A1 (en) 2020-12-30

Similar Documents

Publication Publication Date Title
CN107249170B (en) Method and system for safe communication of Bluetooth equipment
US10168974B2 (en) Continuous glucose monitor communication with multiple display devices
CN105788047B (en) A kind of control of bluetooth access equipment, control of bluetooth access management system and method
JP4679205B2 (en) Authentication system, apparatus, method, program, and communication terminal
JP5281128B2 (en) WI-FI access method, access point, and WI-FI access system
CN101563881B (en) Establishment of ad-hoc networks between multiple devices
CN109920100B (en) Unlocking method and system of intelligent lock
CN104751032A (en) Authentication method and authentication device
CN108322507B (en) Method and system for executing security operation by using security device
CN108200037B (en) Method and system for executing security operation by using security device
CN106664652B (en) Method and terminal for awakening wireless fidelity network
WO2013153171A1 (en) Method and network node device for controlling the run of technology specific push-button configuration sessions within a heterogeneous or homogeneous wireless network and heterogeneous or homogeneous wireless network
CN108337235B (en) Method and system for executing security operation by using security device
CN110930574A (en) Access control method and system and intelligent device
CN112152810B (en) Safety control method, device and system
CN112668032B (en) Method and system for encrypting and decrypting computer, server and mobile equipment
CN105989488B (en) Payment method and system
CN112153642B (en) Equipment authentication method in office environment, office equipment and system
US9876792B2 (en) Apparatus and method for host abstracted networked authorization
CN112152960B (en) Office system safety control method, device and system
CN110831000B (en) Secure access method, device and system
CN112149082A (en) Office system safety control method, device and system
CN112149098A (en) Office system safety control method, device and system
CN113038464B (en) Information transmission method and equipment
CN112149099B (en) Office safety control method, safety keyboard and office system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant