CN115035633A - Access control system and access control method - Google Patents

Abstract

The present invention provides an access management system and method, which enables stable and instantaneous authentication processing to be performed without relying on unstable wireless communication for information transmission and reception between an access control device and a personal terminal. In the access management system, the control terminal (2) is provided with: a random number generator (5) that generates a random number that can uniquely determine a two-dimensional code; a two-dimensional code output part (6) that generates a random number generator (5) that generates a random number The random number of the two-dimensional code image embedded as information is displayed on the screen of the two-dimensional code reader connected to the control terminal (2); Whether the random number read by the QR code image for the screen access authentication is a random number generated by the QR code reader. The personal terminal (30) includes a two-dimensional code generation unit (34) that generates and displays a random number read from the two-dimensional code image displayed on the two-dimensional code reader as information embedded in a two-dimensional code image for access authentication on the screen.

Description

Access management system and access management method

technical field

The present invention relates to an access management system and an access management method.

Background technique

When entering or leaving a building or the like, from the viewpoint of safety and access control, an authentication device and an unlocking device that operates according to the authentication result may be installed at the entrance. Usually, an authentication medium such as an IC card is placed on the authentication device, and information such as a unique number registered in the corresponding authentication medium is read, and when it is determined that permission has been given to a door or the like to pass through, the unlocking device is activated and into a structure that can be accessed.

Patent Document 1 discloses a technique for controlling the access device by using wireless communication technology between a personal terminal and an access device to send and receive authentication information at the time of access.

Patent Document 1: Japanese Patent Laid-Open No. 2013-204233

SUMMARY OF THE INVENTION

The problem to be solved by the invention

The convenience of the technique described in Patent Document 1 is affected by the stability of wireless communication, and when the wireless communication is unstable depending on the installation location and environment, the convenience is greatly impaired.

The present invention has been made in view of the above-mentioned circumstances, and an object of the present invention is to enable stable and instantaneous authentication processing to be performed without relying on unstable wireless communication for transmission and reception of information between an access control device and a personal terminal.

means of solving problems

In order to solve the above-mentioned problems, an access management system according to an aspect of the present invention includes: a control terminal having a management function of the connected access equipment and an authentication function of an access person; Identification information, and has the function of reading and generating two-dimensional codes.

The control terminal has:

a random number generation unit that generates and issues a random number capable of uniquely determining the two-dimensional code at a predetermined cycle;

A two-dimensional code output unit that generates a two-dimensional code image in which the random number issued by the random number generating unit is embedded as information, and displays it on a screen of a two-dimensional code reader connected to the control terminal; and

A two-dimensional code authentication unit that determines whether or not the random number read from the two-dimensional code image for access authentication displayed on the screen of the personal terminal is a random number generated by the two-dimensional code reader.

The personal terminal has:

A two-dimensional code generation unit that generates a two-dimensional code image for access authentication embedded as information from a random number read from a two-dimensional code image displayed on a two-dimensional code reader, and displays it on a screen.

Invention effect

According to at least one aspect of the present invention, it is possible to stably and instantaneously execute authentication processing without relying on unstable wireless communication for transmission and reception of information between a control terminal that controls access and a personal terminal.

Problems, structures, and effects other than those described above will be clarified by the description of the following embodiments.

Description of drawings

1 is a schematic diagram showing an overall configuration example of an access management system including a control terminal, a personal terminal, and an information management apparatus in a building according to an embodiment of the present invention.

2 is a diagram showing a schematic configuration of a QR code reader and a schematic configuration of a personal terminal according to an embodiment of the present invention.

3 is a block diagram showing an example of a hardware configuration of a control terminal according to an embodiment of the present invention.

4 is a block diagram showing an example of a hardware configuration of an information management apparatus (data center) according to an embodiment of the present invention.

5 is a block diagram showing an example of a hardware configuration of a personal terminal according to an embodiment of the present invention.

6 is a diagram showing an example of a data structure of a random number issuance history area of a control terminal according to an embodiment of the present invention.

7 is a diagram showing an example of the data structure of the access permission list recording area of the control terminal according to the embodiment of the present invention.

8 is a diagram showing an example of a data structure of a personal information recording area of an information management device (data center) according to an embodiment of the present invention.

9 is a diagram showing an example of a data structure of a pass permission list recording area of an information management device (data center) according to an embodiment of the present invention.

10 is a diagram showing an example of a data structure of a QR code information area of a personal terminal according to an embodiment of the present invention.

11 is a sequence diagram showing an example of the operation of the entire access management system according to the embodiment of the present invention.

12 is a flowchart showing an example of processing performed by the access permission list creation unit of the information management device according to the embodiment of the present invention.

13 is a flowchart showing an example of processing performed by the personal terminal communication unit of the information management apparatus according to the embodiment of the present invention.

14 is a flowchart showing an example of processing performed by the random number generation unit of the control terminal according to the embodiment of the present invention.

15 is a flowchart showing an example of processing performed by the QR code generation unit of the personal terminal according to the embodiment of the present invention.

16 is a flowchart showing an example of processing performed by the QR code authentication unit of the control terminal according to the embodiment of the present invention.

Description of reference numerals

1...building (building facility), 2...control terminal, 3...communication device, 4...control device, 5...random number generation unit, 6...QR code output unit, 7...QR code authentication unit, 8...control terminal DB, 8A...random number issuance history area, 8B...pass permission list recording area, 9...exclusive part (1), 9A...QR code reader, 9B...electronic lock, 10...exclusive part (2), 10A...QR code Code reader, 10B...electronic lock, 20...information management device (data center), 21...communication device, 22...control device, 23...pass permission list creation unit, 24...personal terminal communication unit, 25...entry and exit information Storage area, 25A...entry and exit master information area, 25B...personal information recording area, 25C...pass permission list recording area, 30...personal terminal, 31...communication device, 32...control device, 33...dedicated application, 34...QR Code generation unit, 35...personal terminal DB, 35A...QR code information area, 40...entry and exit personnel information registration PC, 41...communication device, 50...entry and exit management system, N...network line, PA1 to PA2...QR code reader Schematic structure, PB1 to PB2... Personal terminal schematic structure, MA1 to MA5... Random number issuance history area, MB1 to MB5... Access permission list recording area, MC1 to MC6... Personal information recording area, MD1 to MD7... Access permission list recording area , ME1～ME5…QR code information area.

Detailed ways

Hereinafter, an example of an embodiment for carrying out the present invention will be described with reference to the drawings. In this specification and the drawings, components that have substantially the same function or structure are denoted by the same reference numerals, and repeated explanation is omitted.

[Overall structure of access management system]

First, with reference to FIG. 1, the whole structure of the access control system concerning one Embodiment of this invention is demonstrated.

FIG. 1 is a schematic diagram showing an overall configuration example of an access management system including a control terminal and a personal terminal in a building according to an embodiment of the present invention. The access management system 50 manages access to the facility through the cooperation of the control terminal 2 installed in the facility (building, management area, etc.) where the user accesses, the personal terminal 30 carried by the user, and the information management device 20 installed in the data center.

In the access management system 50, the access person information registration personnel use access equipment (eg, QR code reader 9A, electronic lock 9B) managed by facility 1 (hereinafter referred to as "building facility 1") provided with access management equipment ) registration of the information of the entry and exit personnel. Thereby, the access control system 50 performs withdrawal from the exclusive part of the building facility 1 only when the access person information registration person permits. In the example of FIG. 1 , an arbitrary floor (n floor) of Building A is shown as the building facility 1 .

The access control system 50 of the present embodiment can transmit the information stably and instantaneously when the information indicating the access is permitted to the QR code reader, and can prevent the access of a third party who is not permitted to access.

As shown in FIG. 1, in the access management system 50, each facility in the building facility 1 provided with access facilities is connected to the information management apparatus 20 via the communication apparatus 3 via the network line N forming the wide area network. For example, the access equipment is the control terminal 2 , the exclusive part 9 , and the exclusive part 10 . The control terminal 2 provided in the common unit includes a control device 4, a random number generator 5, a QR code output unit 6, a QR code authentication unit 7, and a control terminal storage area 8 (“control terminal DB8” in the figure).

A QR code reader 9A and an electronic lock 9B connected to the control device 4 are provided on the access door of the exclusive part 9 (hereinafter, also referred to as "exclusive part ( 1 )") which is a management area. A QR code reader 10A and an electronic lock 10B connected to the control device 4 are provided on a door for entry and exit of the exclusive part 10 (hereinafter, also referred to as "an exclusive part (2)").

The QR code readers 9A and 10A are devices that read QR codes (registered trademarks) held by persons who enter and exit the exclusive parts 9 and 10 and convert them into binary data. A QR code reader is an example of a two-dimensional code reader. In the present embodiment, a QR code is used as the two-dimensional code, but a matrix-type two-dimensional code or a stack-type two-dimensional code other than the QR code may be applied.

The electronic locks 9B and 10B are locks provided at the boundary of each management zone of the building facility 1 . The electronic locks 9B and 10B are unlocked and locked according to the unlocking command and the locking command from the control terminal 2 , thereby opening and closing the door, and controlling the passage of people entering and leaving to the management area.

Moreover, in the access control system 50, the information management apparatus 20 and the personal terminal 30 are connected via the network line N.

In addition, as for the access facility, a plurality of facilities can be set up in the building facility 1, such as two on the first floor of Building A and six on the second floor, and the number of targeted access facilities can be generated according to the system configuration, the structure of the access facility, and the like. Variety. In addition, as for the personal terminal 30, a personal terminal 30 that satisfies the requirements for introducing an application program corresponding to the access management system 50 can be set, and is not limited by a manufacturer, a model, or the like.

Building facility 1 has access facilities. Moreover, the building facility 1 has the control terminal 2 for managing each facility of an access facility, and the communication apparatus 3 connected with the network line N. The communication device 3 is used as a routing device.

The information management device 20 includes a communication device 21 connected to the network line N, a pass permission list creation unit 23, a personal terminal communication unit 24, and an entry/exit information storage area 25 (hereinafter, referred to as "entry/exit information DB 25").

The personal terminal 30 includes a communication device 31 connected to the network line N, a dedicated application 33, a QR code generator 34, and a personal terminal storage area 35 (hereinafter, referred to as "personal terminal DB 35").

The entry and exit information registration PC 40 is a client computer used when a registrant who registers entry and exit information performs an operation of registering entry and exit information in the information management device 20 . A personal computer or the like is used as the entry and exit person information registration PC 40 . The entry and exit information entered by the entry and exit information registration PC 40 is transmitted to the information management device 20 via the communication device 41 and registered in the entry and exit information DB 25 . The communication device 41 has the same configuration as the communication device 3 .

[Control Terminal]

Next, the control terminal 2 will be described in more detail.

The control device 4 in the control terminal 2 stores the permission list created by the pass permission list creation unit 23 of the information management device 20 in the control terminal DB 8 via the network line N and the communication device 3 . In addition, the random number generated by the random number generating unit 5 is stored in the random number issuance history area 8A. In addition, the QR code image generated by the QR code output unit 6 is output to the screen of the QR code reader 9A. In addition, the QR code image acquired by the built-in camera of the QR code reader 9A (the QR code reading camera PA2 in FIG. 2 ) is sent to the QR code authentication unit 7 . In addition, when the electronic lock 9B is unlocked in response to the result of the authentication determination in the QR code authentication unit 7 , an unlock command is transmitted to the electronic lock 9B.

The random number generator 5 in the control terminal 2 generates a random number for uniquely determining the QR code reader for each QR code reader. The random number generation unit 5 compares the generated random number with the past issuance history in the random number issuance history area 8A, and if it is a random number that has not been used in the past, newly stores it in the random number issuance history area 8A. When the same random number is already stored in the random number issuance history area 8A, the random number generation unit 5 performs the random number generation process again.

The QR code output unit 6 (an example of the two-dimensional code output unit) in the control terminal 2 obtains the latest random number from the random numbers stored in the random number issuance history area 8A, and generates a QR code in which the random number information is embedded . The generated QR code image is output to the screen of the QR code reader 9A. The processing of the QR code output unit 6 is periodically executed, and it is determined whether the random number used for the currently displayed QR code stored in the random number issuance history area 8A has been used once, or whether the QR code has displayed a specified number of times. over time. Then, the QR code output unit 6 generates a QR in which a new random number is embedded when it is determined that the number of times of use of the random number used in the currently displayed QR code is one or that the QR code has been displayed for a specified time or longer. code and displayed again on the QR code reader 9A.

The QR code authentication unit 7 (an example of the two-dimensional code authentication unit) in the control terminal 2 acquires the QR code displayed on the personal terminal 30 via the QR code reader 9A, and acquires the QR code generation date and time, random number, QRID (details). described later). Then, the QR code authentication unit 7 compares the QR code generation date and time with the current time, and determines whether or not the elapsed time from the QR code generation date and time is within the fixed time set in the access management system 50 .

When the determination conditions are satisfied in this time determination, the QR code authentication unit 7 next compares the acquired random number with the random number issuance history area 8A, and determines whether or not there is a random number for the QR code reader 9A. And whether the history of issuance and the number of times of use is 0.

When the determination conditions are satisfied in this random number determination, the QR code authentication unit 7 next determines whether or not the acquired QRID has permitted the passage of the QR code reader 9A in the passage permission list recording area 8B.

When the determination conditions are satisfied in this QRID determination, the QR code authentication unit 7 then permits the passage of the QR code reader 9A, and transmits an unlock command to the electronic lock 9B.

The control terminal DB 8 has a random number issuance history area 8A and a pass permission list recording area 8B. Details of the random number issuance history area 8A and the pass permission list recording area 8B will be described later with reference to FIGS. 6 and 7 .

[Information Management Device]

Next, the information management device 20 will be described in more detail.

The control device 22 in the information management device 20 stores the entry and exit person information input by the entry and exit person information registration PC 40 in the entry and exit person master information area 25A via the network line N and the communication device 21 . In addition, after the entry/exit person information is stored in the entry/exit person master information area 25A, the passage permission list created by the passage permission list creation unit 23 is stored in the passage permission list recording area 25C. In addition, after the access permission list is stored in the access permission list recording area 25C, the personal terminal is specified from the personal information recording area 25B, and the personal terminal communication unit 24 transmits the data stored in the target personal terminal 30 via the network line N and the communication device 21 to the target personal terminal 30 . The QRID in the pass permission list recording area 25C.

The access permission list creation unit 23 associates the information (for example, the name) of the person entering and leaving with the entry and exit information (for example, the entry and exit date and time) with respect to the entry and exit information registered from the entry and exit information registration PC 40, and in order to uniquely retrieve these information, the entry and exit management is performed. A unique random number is issued within the system 50 as a QRID. Information that associates the issued QRID with the entry and exit information is stored in the passage permission list recording area 25C.

The personal terminal communication unit 24 transmits the QRID recorded in the pass permission list recording area 25C to the target personal terminal.

The entry/exit person information DB 25 has an entry/exit person main information area 25A, a personal information recording area 25B, and a passage permission list recording area 25C. In the entry/exit master information area 25A, as entry/exit master information, information regarding entry/exit persons, information regarding entry/exit schedule, information regarding building facilities, and the like are registered and stored. In addition, the details of the personal information recording area 25B and the pass permission list recording area 25C will be described later with reference to FIGS. 8 and 9 .

[personal terminal]

Next, the personal terminal 30 will be described in more detail.

The personal terminal 30 includes a communication device 31, a control device 32, a dedicated application 33, a QR code generator 34, and a personal terminal storage area 35 ("personal terminal storage area 35" in the figure). Hereinafter, the dedicated application is simply referred to as a dedicated application.

The control device 32 in the personal terminal 30 stores the QRID information transmitted from the information management device 20 in the QR code information area 35A via the network line N and the communication device 21 . In addition, the control device 32 acquires a random number from the QR code image displayed by the QR code reader of the building facility 1 read by the QR code generation unit 34 . Then, the control device 32 generates a QR code with embedded random numbers from the QR code image, and displays it on the screen PB2 of the personal terminal 30 .

The QR code generation unit 34 (an example of the two-dimensional code generation unit) acquires a random number from the QR code image displayed on the QR code reader of the building facility 1 . Then, the QR code generation unit 34 generates a QR code using the acquired random number, the QRID stored in the QR code information area 35A, and the current time acquired from the personal terminal 30 and displays it on the screen PB2 of the personal terminal 30 .

The personal terminal DB 35 has a QR code information area 35A in which a QRID is stored as QR code information. Details of the QR code information area 35A will be described later with reference to FIG. 10 .

[Schematic structure of QR code reader and personal terminal]

Next, the schematic configuration of the QR code reader and the personal terminal will be described with reference to FIG. 2 .

FIG. 2 shows a schematic configuration of the QR code readers 9A and 10A and a schematic configuration of the personal terminal 30 . The QR code readers 9A and 10A shown on the left side of FIG. 2 are configured to include a QR code display unit PA1 and a QR code reading camera PA2. In the QR code display part PA1, a QR code image in which a random number for uniquely identifying a QR code reader is embedded is displayed. In addition, the QR code reading camera PA2 is located at the lower part of the QR code display part PA1, and is adjusted so that the screen PB2 of the personal terminal 30 can be adjusted to the QR code when it faces the normal personal terminal 30 (for example, a smartphone). Read within the field of view of camera PA2.

The personal terminal 30 shown on the right side of FIG. 2 is configured to include a camera PB1 and a screen PB2. The camera PB1 is a so-called built-in camera, and is provided on the same surface as the screen PB2. When the QR code readers 9A and 10A and the personal terminal 30 face each other, the camera PB1 and the QR code display part PA1 are generally opposed to each other, and the screen PB2 and the QR code reading camera PA2 are opposed to each other. The example on the right side of FIG. 2 is a configuration of a normal mobile terminal (eg, a smartphone, a tablet terminal), but the vertical relationship is not limited as long as the configuration includes a camera PB1 and a screen PB2. For example, even if it is a terminal provided with the camera PB1 in the lower part of the screen PB2, it can be regarded as the same as the right figure in FIG. 2 by inverting the terminal up and down.

Next, the hardware configuration of each of the control terminal 2 , the information management device 20 , and the personal terminal 30 will be described with reference to FIGS. 3 to 5 .

[Hardware structure of the control terminal]

FIG. 3 is a block diagram showing an example of a hardware configuration of the control terminal 2 shown in FIG. 1 . The example of the hardware configuration of the control terminal 2 shown in FIG. 2 corresponds to a computer, and can be realized using a personal computer or the like.

The control terminal 2 includes a CPU (Central Processing Unit) 110 connected to a system bus, a ROM (Read Only Memory) 120 , a RAM (Random Access Memory) 130 , and a nonvolatile storage device 140 . In addition, a network interface (referred to as "network IF" in the figure) 150 for communicating with an external device is provided.

The CPU 110 reads out and executes the program code of the software that realizes the functions of each part of the control terminal 2 from the ROM 120 . Variables and the like generated in the middle of arithmetic processing performed in the control terminal 2 are temporarily written in the RAM 130 . The CPU 110 realizes various functions of the control terminal 2 by executing the program codes recorded in the ROM 120 .

As the network interface 150 , for example, a NIC (Network Interface Card) or the like is used, and various data can be transmitted and received between devices via a LAN (Local Area Network) connected to a terminal of the NIC, a dedicated line, or the like. The network interface 150 is connected to the communication device 3 in the building facility 1 .

The nonvolatile storage device 140 is constituted by a nonvolatile storage device such as a hard disk and an SSD (Solid State Drive), and semi-permanently stores and stores programs, data, and the like necessary for the operation of the CPU 110 . In addition, the nonvolatile storage device 140 constitutes the control terminal DB8 of FIG. 1 .

In the control terminal 2, the input part 160 and the output part 170 are provided as needed. The reading results of the corresponding QR code readers 9A and 10A, sensor signals indicating the opening and closing states of the electronic locks 9B and 10B, and the like are input to each input unit 160 . In addition, the output unit 170 outputs control signals for the corresponding QR code readers 9A and 10A and the electronic locks 9B and 10B, respectively.

[Hardware structure of information management device (data center)]

FIG. 4 is a block diagram showing an example of the hardware configuration of the information management apparatus 20 (data center) shown in FIG. 1 . The hardware configuration of the information management apparatus 20 shown in FIG. 4 is an example of a computer, and can be realized using a personal computer or the like.

The information management device 20 also includes a CPU 210 , a ROM 220 , a RAM 230 , and a nonvolatile storage device 240 (corresponding to the entry and exit information DB 25 in FIG. 1 ) connected to the system bus. In addition, the information management device 20 includes a network interface (referred to as "network IF" in the figure) 250 for performing communication with an external device. The communication device 21 is realized by the network interface 250 . These configurations and functions are the same as those of the hardware configuration and functions of the control terminal 2 described in FIG. 3 , and thus the description is omitted. However, the information management device 20 can delete the configuration corresponding to the input unit 160 and the output unit 170 shown in FIG. 3 .

[Hardware structure of personal terminal]

FIG. 5 is a block diagram showing an example of the hardware configuration of the personal terminal 30 shown in FIG. 1 . The hardware configuration of the personal terminal 30 shown in FIG. 5 is an example of a computer, and can be realized using a personal computer or the like.

The personal terminal 30 also includes a CPU 310 , a ROM 320 , a RAM 330 , and a nonvolatile storage device 360 (corresponding to the personal terminal DB 35 in FIG. 1 ) connected to the system bus. Various functions of the personal terminal 30 are realized by the CPU 310 executing the program code of the dedicated application 33 recorded in the ROM 320 . In addition, the personal terminal 30 includes a network interface (referred to as "network IF" in the figure) 370 for performing communication with an external device. The communication device 31 is realized by the network interface 370 . These configurations and functions are the same as those of the hardware configuration and functions of the control terminal 2 described in FIG. 3 , and thus the description is omitted.

Further, the personal terminal 30 includes a display device 340 and an input device 350 . The display device 340 is a display panel such as a liquid crystal display, and displays a GUI (Graphical User Interface) screen, results of processing performed by the CPU 310 , and the like. The input device 350 uses a touch panel, a pointing device such as a mouse, a keyboard, and the like, and the user can operate the input device 350 to input information and instructions. The input device 350 generates an input signal corresponding to the user's operation and supplies it to the CPU 310 . In addition, the control terminal 2 and the information management device 20 may include a display device 340 and an input device 350 .

Next, the information (tables) stored in the storage areas (DB) included in the control terminal 2 , the information management device 20 , and the personal terminal 30 will be described.

[Random number issuance history area]

FIG. 6 shows an example of the data structure of the random number issuance history area 8A of the control terminal 2 . The random number issuance history area 8A has a table structure, and as its constituent elements, a number (No.) MA1, an issuance QR code reader MA2, a random number MA3, an issuance time MA4, and a usage count MA5 are provided. Hereinafter, the table shown in FIG. 6 will be referred to as an entry/exit time recording area table.

The number (No.) MA1 indicates the order in which the records in the entry and exit time recording area table are recorded.

The issuing QR code reader MA2 represents information (identifier or name) that uniquely identifies the QR code reader that issued the random number. For example, QR1 in the figure represents the QR code reader 9A, and QR2 represents the QR code reader 10A.

The random number MA3 is composed of characters, symbols, etc., and represents the content of the random number. The information contained in the random number, such as the number of digits and the type of characters, is arbitrary. In addition, this random number is unique within a facility provided with an access facility.

The issuance time MA4 indicates the date and time when the random number was issued.

The number of times of use MA5 indicates the number of times the random number is used.

When the random number generation unit 5 issues the random number, the issued QR code reader MA2, the random number MA3, the issue time MA4, and the number of times of use MA5 are newly stored.

[Passing permission list recording area]

FIG. 7 shows an example of the data structure of the access permission list recording area 8B of the control terminal 2 . The access permission list recording area 8B has a table structure, and as its constituent elements, a number (No.) MB1, QRID MB2, access permission QR reader MB3, access start date and time MB4, and access end date and time MB5 are provided. Hereinafter, the table shown in FIG. 7 is referred to as a pass permission list recording area table.

The number (No.) MB1 indicates the order of recording the records in the pass permission list recording area table.

QRID MB2 represents information (identifier) that uniquely identifies the QR code.

The passage permission QR code reader MB3 represents information (identifier or name) that uniquely identifies the QR code reader for which the passage is permitted.

The entry/exit start date and time MB4 indicates the date and time when the entry/exit person starts going in and out.

The entry and exit end date and time MB5 indicates the date and time when the entry and exit personnel finished their entry and exit.

When the access permission list recording area 25C of the information management device 20 is updated, the QRID MB2, the access permission QR reader MB3, the entry/exit start date and time MB4, and the entry/exit end date and time MB5 are newly stored in the access permission list recording area 8B. .

[Personal Information Recording Area]

FIG. 8 shows an example of the data structure of the personal information recording area 25B of the information management apparatus 20 (data center). The personal information recording area 25B has a table structure, and as its constituent elements, a number (No.) MC1, a name MC2, a QRID MC3, a personal terminal IP address MC4, a mail address MC5, and a personal terminal ID MC6 are provided. Hereinafter, the table shown in FIG. 8 is referred to as a personal information recording area table.

The number (No.) MC1 indicates the order in which the records in the personal information recording area table are recorded.

The name MC2 indicates the name of the person entering and leaving.

The QRID MC 3 represents information (identifier) that uniquely identifies the QR code.

The personal terminal IP address MC4 indicates the IP address used by the personal terminal 30 for communication.

The mail address MC5 represents the address of the electronic mail used by the personal terminal 30 . This mail address MC5 is not an essential component.

The personal terminal ID MC6 represents information (identifier) that uniquely identifies the personal terminal 30 . For example, as the personal terminal ID, a unique MAC (Media Access Control) address assigned to each network interface is used.

The personal terminal IP address MC4, the mail address MC5, and the personal terminal ID MC6 are preliminarily stored in the personal information recording area 25B, and the QRID MC3 is newly stored after being registered as entry and exit information.

[Passing permission list recording area]

FIG. 9 shows an example of the data structure of the access permission list recording area 25C of the information management device 20 (data center). The access permission list recording area 25C has a table structure, and as its constituent elements, number (No.) MD1, access permission building MD2, building IP address MD3, QRID MD4, access permission QR reader MD5, and entry/exit start date and time MD6 are provided. , and the end date and time MD7 of the access. Hereinafter, the table shown in FIG. 9 is referred to as a pass permission list recording area table.

After the entry and exit personnel information is registered, the corresponding access permission building MD2, building IP address MD3, QRID MD4, access permission QR reader MD5, access start date and time MD6, and access end date and time MD7 are newly stored.

[QR code information area]

FIG. 10 shows an example of the data structure of the QR code information area 35A of the personal terminal 30 . The QR code information area 35A has a table structure, and as its constituent elements, a number (No.) ME1, a QRID ME2, an access permission QR reader ME3, an entry/exit start date and time ME4, and an entry/exit end date and time ME5 are provided. Hereinafter, the table shown in FIG. 10 is referred to as a QR code information area table.

QR code information area table number (No.) ME1, QRID ME 2, access permission QR reader ME3, entry/exit start date and time ME4, and entry/exit end date and time ME5 have the same names as the access permission list recording area table (Fig. 7) Since the components are the same, the description is omitted.

In this way, the numbers (No.) ME1, QRID ME2, access permission QR reader ME3, entry/exit start date and time ME4, and entry/exit end date and time ME5 are newly stored.

[Operation of the entire access management system]

Next, the operation of the entire access management system 50 will be described with reference to FIG. 11 .

FIG. 11 is a sequence diagram showing an example of the operation of the entire access management system 50 . Here, the content described with reference to FIG. 11 is an outline of the operation of the entire access management system 50 .

First, as a premise, the entry and exit information registrant operates the entry and exit information registration PC 40, and transmits information such as entry and exit personnel and passage plans to the information management device 20 of the data center, so that the control terminal 2 installed at the door to be entered and exited in advance can be checked in advance. The authentication result in the (authentication device) is approved.

The information management device 20 associates the entry/exit personnel information, the entry/exit equipment permitted to enter/exit, the date and time information (valid date and time) of the entry/exit permission, and the like into a pass permission list table, and stores it in the entry/exit personnel information DB 25 . At this time, the information management device 20 assigns an ID (hereinafter, referred to as "QRID") that can uniquely identify a series of information (marked as "passing mode" in the figure) stored in the pass-through list table, and stores it in the pass-through in the list form (S1). At the same time, the information (QRID, access mode) of the access permission list table is also transmitted to the control terminal 2 installed in the building facility 1 where people come and go (S2), and is stored in the control terminal DB8 in the control terminal 2 (S3) . In the information management apparatus 20, information of the building facility 1 in which the access facility is installed is stored in advance. The control terminal 2 periodically generates random numbers (S4).

The information management device 20 operates after confirming that the entry and exit information is stored, and transmits the information (pass mode) of the pass permission list table including QRID and the like to the dedicated application 33 of the personal terminal 30 (S5). The information notified from the information management apparatus 20 to the personal terminal 30 includes at least the QRID and the information of the effective date and time. The dedicated application 33 of the personal terminal 30 stores the transmitted information in the personal terminal DB 35 in the personal terminal 30 (S6). At this time, it is assumed that the user registration of the user of the personal terminal 30 in the dedicated application 33 is performed in advance.

When the dedicated application 33 is activated before the entry and exit of the person, the camera PB1 built in the personal terminal 30 stands by in an activated state. At this time, on the screen of the QR code reader (for example, the QR code reader 9A) installed at the door of the object, a QR code ( S8). After the entry and exit person activates the dedicated application 33 and confirms that the camera PB1 is activated, the personal terminal 30 obtains a random number so that the QR code displayed on the QR code reader can be read by the camera PB1 (S7). That is, the personal terminal 30 and the QR code reader are made to face each other.

After facing, the personal terminal 30 uses the camera PB1 to read the QR code displayed on the QR code reader, and acquires a random number (S9). In addition, the control terminal 2 may display the QR code on the QR code reader after detecting that it faces the personal terminal 30 directly.

The dedicated application 33 generates an entry-exit authentication code based on a combination of the random number obtained from the QR code of the QR code reader, the QRID received from the information management device 20 in advance, and the QR code generation time (current time). The QR code is displayed on the screen of the personal terminal 30 (S10). Next, the QR code reader reads the QR code displayed on the personal terminal, and acquires the random number, QRID, and QR code generation time (S11).

Finally, the QR code reader reads the QR code displayed on the personal terminal 30 to obtain information such as random numbers and QRIDs, and compares it with the access permission list table stored in the control terminal 2 of the building facility 1 in advance, and determines In the case of permission to pass, the electronic lock 9B of the target door is unlocked (S12).

For example, the control terminal 2 compares the current time and the acquired QR code generation time, and determines whether the time difference between the two is within a predetermined time. If it is within a certain period of time, the control terminal 2 then compares the random number acquired from the QR code with the issuance history of the random number recorded in the control terminal 2, and determines whether it matches the random number displayed by the QR code reader. and not used. When the random numbers match and are not used, the acquired QRID is compared with the passage permission list table recorded in the control terminal 2, and it is determined whether the QRID permits passage to the target access facility. When the passage is permitted, the door is unlocked. At this time, the random number is stored for the number of times of use, and the same random number is used twice and cannot be used.

In the above series of authentication operations, by using authentication information such as a random number specifying a QR code reader and a QRID specifying an entry and exit person, security can be ensured when transmitting and receiving between the control terminal 2 and the personal terminal 30 . stably and instantaneously at the same time. In the present embodiment, the authentication process for entering and exiting is easy because the authentication process is completed while the person passing by while holding the personal terminal 30 displaying the QR code to the QR code reader.

Hereinafter, each process of the information management device 20 , the control terminal 2 , and the personal terminal 30 constituting the access management system 50 will be described with reference to FIGS. 12 to 16 .

[Incoming and outgoing personnel information registration processing]

Here, the flow of processing until a registrant who registers arbitrary entry/exit information via the arbitrary entry/exit information registration PC 40 connected to the network line N registers entry/exit information and transmits necessary information to the personal terminal 30 will be described.

(Processing by the Permit List Creation Department)

FIG. 12 is a flowchart showing an example of processing performed by the access permission list creation unit 23 of the information management device 20 .

According to FIG. 12 , personal information (eg, name) of the person entering and exiting and information of the entering and exiting destination (eg, information of the card reader (CR) corresponding to the door to be passed) are stored in advance (step SA1 ). When the above-mentioned entry/exit person information is stored, the process of the passage permission list creation unit 23 is started.

The passage permission list creation unit 23 determines whether or not the entry/exit information to be stored in the entry/exit information DB 25 is available (step SA2). Here, when the entry and exit information is complete (“Yes” in step SA2 ), the access permission list creation unit 23 issues a QRID, which is a unique random number, for each data of one entry and exit person (step SA3 ), The personal information and QRID are stored in MD2 to MD7 of the pass permission list recording area 25C and MC3 of the personal information recording area 25B (step SA4).

At this time, when the entry and exit information is defective, for example, the entry and exit information is not available (NO in step SA2 ), the passage permission list creation unit 23 performs a predetermined error notification (step SA5 ). The issuance of the QRID after the step SA2 and the storage process of the entry and exit person information and the QRID information are not performed (steps SA3 and SA4).

In addition, the QRID issued in step SA3 becomes a unique value within the access control system 50, and by using the QRID, it is possible to uniquely determine when and who gets permission to access where. In addition, MC2, MC4 to MC6 of the personal information recording area 25B are previously input by performing user registration from the dedicated application 33 installed in the personal terminal 30 in the personal terminal registration operation.

The pass permission list creation unit 23 notifies the personal terminal communication unit 24 of the completion of step SA4 or SA5.

(Processing by the Personal Terminal Communication Section)

FIG. 13 is a flowchart showing an example of processing performed by the personal terminal communication unit 24 of the information management apparatus 20 .

After the process of step SA4 in FIG. 12, the personal terminal communication unit 24 of the information management device 20 determines whether or not the same QRID exists in the pass permission list recording area 25C and the personal information recording area 25B (step SB1).

Then, when the same QRID exists (“Yes” in step SB1 ), the personal terminal communication unit 24 determines whether or not the personal terminal IP address MC4 and personal terminal ID MC6 are stored in the record of the target QRID in the personal information recording area 25B. (step SB2). Then, when the above-mentioned information is stored (“Yes” in step SB2 ), the personal terminal communication unit 24 transmits information such as QRID to the personal terminal IP address MC4 (step SB3 ).

At this time, in step SB1, when the same QRID does not exist in the pass permission list recording area 25C and the personal information recording area 25B (“No” in step SB1), the personal terminal communication unit 24 performs a predetermined error notification, The subsequent processes (here, steps SB2 to SB3) are not executed (step SB5).

In addition, in step SB2, when the personal terminal communication unit 24 does not have the personal terminal IP address MC4 and personal terminal ID MC6 in the personal information recording area 25B (“No” in step SB2), a predetermined error notification is performed, The subsequent processing (here, step SB3 ) is not executed (step SB4 ).

[Processing by the random number generator]

Here, the flow of processing until a QR code using a random number issued for each QR code reader connected to the control terminal 2 is generated and displayed on the screen of the QR code reader will be described.

FIG. 14 is a flowchart showing an example of processing performed by the random number generation unit 5 of the control terminal 2 .

First, when the random number generation unit 5 has reached a predetermined period (for example, 1 minute) (“Yes” in Step SC1 ), or when the random number has been used (“Yes” in Step SC2 ) (the details will be described later). described above) to start the random number generation process. That is, even when the predetermined cycle has not been reached (“NO” in step SC1 ), and when the random number has been used (“YES” in step SC2 ), the random number generation process is started. On the other hand, when the predetermined cycle has not been reached (“NO” in step SC1 ) or when the random number has not been used up (“NO” in step SC2 ), the random number generation process is not started.

After the processing of steps SC1 and SC2, the random number generator 5 issues a new random number to each QR code reader (step SC3). The random number generated in step SC3 is compared with the random number issuance history area 8A (step SC4). When the same random number exists in the random number issuance history area 8A (NO in step SC4 ), the process returns to step SC3 .

Then, when the same random number does not exist (“Yes” in step SC4 ), the random number generating unit 5 stores the newly generated random number and related information (issuance QR code reader, issuance time) in the random number In MA2 to MA4 of the issuance history area 8A, "0" is stored in the usage count MA5 (step SC5). Next, the random number generating unit 5 generates a QR code using the newly generated random number, transmits it to the target QR code reader (the QR code reader 9A in this case), and outputs it to the screen (step SC6 ).

[QR code generation and authentication]

Next, the generation and authentication processing of the QR code will be described with reference to FIGS. 15 and 16 . Here, a description will be given of the personal terminal 30 and control until a random number is obtained from a QR code displayed on a QR code reader displayed on the site (building facility 1 ), and a QR code for access that can be authenticated only by the target QR code reader is generated. Processing flow of terminal 2.

(Processing by the QR code generator)

FIG. 15 is a flowchart showing an example of processing performed by the QR code generation unit 34 of the personal terminal 30 .

First, in order to read the QR code on the screen of the QR code reader (in this case, the QR code reader 9A) installed at the door of the facility to be entered and exited, the QR code generation unit 34 executes the dedicated application 33 and After confirming that the camera PB1 is in the activated state, the personal terminal 30 and the QR code reader 9A are made to face each other (step SD1).

After the alignment, the QR code generation unit 34 reads the QR code of the QR code reader 9A with the camera PB1, and acquires a random number (step SD2). Next, the QRID previously stored in the QR code information area 35A, the random number acquired in step SD2, and the current time acquired from the personal terminal 30 (hereinafter, also referred to as "QR code generation time") are combined to generate a QR code for access authentication (step SD3).

The QR code generation unit 34 immediately displays the QR code generated in step SD3 on the screen of the personal terminal 30 (step SD4). Next, when the QR code generation unit 34 detects that a predetermined fixed time (for example, 30 seconds) has elapsed from the time of generation of the QR code, or when a manual termination operation (for example, termination of the dedicated application) is performed, the operation is terminated. The QR code is displayed (step SD6).

After the process of step SD4, the entry and exit person lifts the personal terminal 30 toward the QR code reader (SD5). However, the processes of steps SD2 to SD4 are performed with the personal terminal 30 facing the QR code reader 9A, and the personal terminal 30 is substantially kept facing the QR code reader 9A (lifted state).

(Processing by the QR code authentication section)

FIG. 16 is a flowchart showing an example of processing performed by the QR code authentication unit 7 of the control terminal 2 .

While the QR code for access authentication is displayed on the screen of the personal terminal 30 in step SD4 of FIG. 15 , when the QR code reader 9A reads it (step SE1 ), the QR code authentication unit 7. The QR code generation time, random number, and QRID are acquired from the QR code used for access authentication (step SE2).

Next, the QR code authentication unit 7 determines the QR code generation time (step SE3 ), and when it is determined that the QR code generation time is within a preset time (for example, 30 seconds) (“Yes” in step SE3 ) ), go to step SE4.

Next, the QR code authentication unit 7 determines whether the random number acquired from the portable terminal 60 exists in the random number issuance history area 8A (random number MA3) and whether the number of times of use MA5 is "0" (step SE4). Then, when it is determined that the acquired random number exists and is not used (YES in step SE4), the process proceeds to step SE6.

Next, the QR code authentication unit 7 determines whether or not the QRID acquired from the portable terminal 60 exists in the pass permission list recording area 8B (QRID MB2), and the permission to pass through the target door (pass permission QR reader MB3) is obtained (step SE6 ). ).

In addition, when it is determined as "Yes" in step SE4, that is, when it is determined that the acquired random number has been used, the QR code authentication unit 7 updates the usage count MA5 of the random number issuance history area 8A to "1" ”, and the random number generator 5 issues a random number again (step SE5). Thereby, the QR code output unit 6 of the QR code reader 9A updates the QR code being displayed on the QR code reader 9A.

Next, when the acquired QRID is permitted to pass through the door that is installed in the QR code reader 9A of the personal terminal 30 held up (“Yes” in step SE6 ), the QR code authentication unit 7 will The electronic lock (here, the electronic lock 9B) of the subject's door is unlocked (step SE7).

On the other hand, when a predetermined time or more has elapsed since the time of generating the QR code (“No” in step SE3 ), or when the acquired random number is illegal or used (“No” in step SE4 ) Or, when the QRID is illegal or not permitted to pass (“NO” in step SE6 ), a predetermined error notification is performed, and the QR code authentication unit 7 does not perform the unlocking operation of the electronic lock 9B (step SE8 ).

In this way, the determination of the random number by the QR code authentication unit 7 of the present embodiment refers to the random number issuance history in which the frequency of use of the random number is recorded, whether it has been issued in the past and not used, or has not been issued in the past, or has been issued in the past but has been used. any of the .

In this way, the QR code authentication unit 7 instructs the random number generation unit 5 to reissue the random number when it is determined that the random number has been used, assuming the determination results of the plurality of patterns. Therefore, the random number is reissued, and the QR code embedded with the random number is also updated. Therefore, a reduction in safety can be prevented.

[specific example]

Next, with reference to FIG. 1 and FIGS. 6 to 10 , the operation of the access management system 50 will be described with reference to a specific example.

For example, it is assumed that there is an inbound and outbound person A who wants to enter and exit from "09:00 on 2021/02/01" to "18:00 on 2021/02/01" in the exclusive part (1) of the building facility 1 . At this time, it is assumed that the entry/exit person A has completed the pre-registration operation of the personal terminal 30 (for example, a smartphone) in advance. In addition, in order to grant access permission to the exclusive part (1) to the access person A, the access person information registration person registers the personal information and access information of the access person A from the access person information registration PC 40 to the information management device 20 in advance. After completing the registration of the entry/exit information, a new unique QRID (here 789789789) is issued to the information of the newly registered entry/exit A in the passage permission list creation unit 23 of the information management device 20 . Then, the access permission list creation unit 23 stores the access person information and the QRID (789789789) in the personal information recording area 25B ( MC2 to MC6 ) and the access permission list recording area 25C ( MD2 to MD7 ).

At this time, part of the information ( MD4 to MD7 ) in the access permission list recording area 25C is also stored in the access permission list recording area 8B ( MB2 to MB5 ) in the control terminal 2 of the building facility 1 . Next, the personal terminal communication unit 24 transmits information such as QRID (789789789) to the personal terminal IP address (here, 789.789.789.789) in the personal information recording area 25B.

Next, it is assumed that the entry and exit person A enters the dedicated section ( 1 ) before "10:00 of 2021/02/01". First, the entry and exit person A sets the dedicated application 33 of the personal terminal 30 to the execution state, confirms that the camera PB1 is activated, and makes the QR code reader 9A face the personal terminal 30 directly.

The personal terminal 30 acquires a random number dedicated to the QR code reader 9A (here, aBc789) by reading the QR code displayed on the QR code reader 9A. Then, the QR code generation unit 34 of the personal terminal 30 uses the random number (aBc789), the QR code generation time not shown (here, 2021/02/01_10:00:30), and the QRID (789789789) to generate a The personal terminal 30 generates a QR code for access authentication and displays it on the screen.

Next, it is assumed that the QR code reader 9A has read the QR code for access authentication displayed on the personal terminal 30 kept facing at "2021/02/01_10:00:40". At this time, the QR code authentication unit 7 of the control terminal 2 determines that the QR code is valid because it is within a preset time limit for reading the QR code for access authentication (here, 30 seconds).

Next, in the QR code authentication unit 7, since the acquired random number (aBc789) exists in the random number issuance history area 8A, and the use count MA5 is also "0", it is determined that the display displayed on the QR code reader 9A has been read. Random number for the QR code. Finally, the acquired QRID (789789789) exists in the access permission list recording area 8B, and the access permission to the QR code reader 9A is obtained within the reading time of "2021/02/01 10:00:40" , it is determined that the passage is permitted, and the electronic lock 9B is unlocked.

As described above, the access management system (access management system 50 ) according to an embodiment of the present invention includes a control terminal (control terminal 2 ) having a function for managing connected access equipment and an authentication function for persons entering and leaving, and a hold confirmation A system of a personal terminal (personal terminal 30 ) that has the identification information of the two-dimensional code of the person entering and leaving, and has the function of reading and generating the two-dimensional code.

The control terminal (control terminal 2) includes: a random number generating unit (random number generating unit 5) that generates and issues a random number capable of uniquely determining a two-dimensional code at a predetermined cycle; a two-dimensional code output unit (QR code); The output unit 6) generates a two-dimensional code image in which the random number issued by the random number generating unit is embedded as information, and displays it on the two-dimensional code reader (QR code reader 9A, 10A) connected to the control terminal ) screen; and a two-dimensional code authentication part (QR code authentication part 7) that determines whether the random number read from the two-dimensional code image for access authentication displayed on the screen of the personal terminal is read by the two-dimensional code A random number generated by the generator.

The personal terminal (personal terminal 30) described above includes a two-dimensional code generating unit (QR code generating unit 34) that generates a random number read from a two-dimensional code image displayed on a two-dimensional code reader as a random number. The QR code image for access authentication is embedded in the information and displayed on the screen.

In the access control system 50 of the present embodiment configured as described above, the QR code reader and the personal terminal 30 facing each other mutually exchange information via the QR code image without relying on unstable wireless communication to transmit and receive information. send and receive. As a result, the control terminal 2 connected to the QR code reader can stably and instantaneously perform the authentication process for entry and exit.

In general, QR code images are characterized by the ease of copying, and thus there is a concern that security is lowered due to the copying of the QR code images used for access authentication. In contrast, in the present embodiment, by reading the QR code images displayed on the QR code reader and the personal terminal, respectively, the concern that the QR code image can be easily copied is overcome.

A QR code that can be used only once for the target door can be issued stably and instantaneously only when the person entering or leaving the door actually performs the authentication operation in front of the target door. Therefore, the authentication operation of access is easy, and the security of access management when using the QR code can be ensured.

In addition, the present invention is not limited to the above-described one embodiment, and it goes without saying that other various application examples and modifications can be obtained without departing from the gist of the present invention described in the scope of claims.

For example, the above-described one embodiment is an embodiment in which the configuration of the access management system is described in detail and concretely in order to explain the present invention easily, and is not limited to having all the described constituent elements. In addition, with respect to a part of the structure of each embodiment, addition, replacement, or deletion of other components can be performed.

In addition, a part or all of each of the above-described structures, functions, processing units, and the like may be realized by hardware, for example, by designing an integrated circuit or the like. As hardware, a processor device in a broad sense, such as an FPGA (Field Programmable Gate Array) and an ASIC (Application Specific Integrated Circuit), may be used.

In addition, in the sequence diagrams and flowcharts shown in FIGS. 11 to 16 , a plurality of processes may be executed in parallel or the order of the processes may be changed within a range that does not affect the processing results.

Claims (6)

1. An access management system, comprising: a control terminal having a management function of the connected access device and an authentication function of the access person; and a personal terminal which holds identification information of a two-dimensional code for identifying an entering or exiting person and has a function of reading and generating the two-dimensional code,

the control terminal is provided with:

a random number generation unit that generates and issues a random number capable of uniquely determining the two-dimensional code at a predetermined cycle;

a two-dimensional code output unit that generates a two-dimensional code image in which the random number issued by the random number generation unit is embedded as information, and displays the two-dimensional code image on a screen of a two-dimensional code reader connected to the control terminal; and

a two-dimensional code authentication unit that determines whether or not the random number read from the two-dimensional code image for entry/exit authentication displayed on the screen of the personal terminal is the random number generated by the two-dimensional code reader,

the personal terminal includes:

and a two-dimensional code generation unit that generates the two-dimensional code image for authentication of entrance and exit embedded with a random number read from the two-dimensional code image displayed on the two-dimensional code reader as information, and displays the two-dimensional code image on a screen.

2. The access management system of claim 1,

the random number capable of uniquely deciding the two-dimensional code is unique within a facility provided with an access device.

3. The access management system of claim 1,

the two-dimensional code authentication unit instructs the random number generation unit to reissue the random number when it is determined that the random number is used.

4. The access management system of claim 1,

the two-dimensional code authentication unit determines the random number by referring to a random number issuance history in which the number of times the random number is used is recorded, and determines that the random number has been issued and unused in the past, has not been issued in the past, and has been issued and used in the past.

5. The access management system of claim 1,

when the person who enters or exits enters a facility in which the entrance/exit device is installed, the personal terminal acquires the random number generated by the control terminal by facing the two-dimensional code reader to the personal terminal, and the two-dimensional code reader reads the two-dimensional code image generated by the personal terminal.

6. An access management method for an access management system, the access management system comprising: a control terminal having a management function of the connected access device and an authentication function of the access person; and a personal terminal which holds identification information of a two-dimensional code for identifying an entering or exiting person and has a function of reading and generating the two-dimensional code,

in the control terminal:

a random number generation unit that generates and issues a random number capable of uniquely determining the two-dimensional code at a predetermined cycle;

a two-dimensional code output unit that generates a two-dimensional code image in which the random number issued by the random number generation unit is embedded as information, and displays the two-dimensional code image on a screen of a two-dimensional code reader connected to the control terminal; and

a two-dimensional code authentication unit that determines whether or not the random number read from a two-dimensional code image for entry/exit authentication displayed on a screen of the personal terminal is a random number generated by the two-dimensional code reader,

in the personal terminal:

the two-dimensional code generation unit generates the two-dimensional code image for entrance/exit authentication in which the random number read from the two-dimensional code image displayed on the two-dimensional code reader is embedded as information, and displays the two-dimensional code image on a screen.

Images