CN115909576A - Application method of access control system based on block chain - Google Patents

Info

Publication number
CN115909576A
Authority
CN
China
Prior art keywords
access control
information
equipment
block chain
public key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211305087.4A
Other languages
Chinese (zh)
Inventor
张忠群
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Molian Information Technology Co ltd
Original Assignee
Shanghai Molian Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Molian Information Technology Co ltd filed Critical Shanghai Molian Information Technology Co ltd
Priority to CN202211305087.4A priority Critical patent/CN115909576A/en
Publication of CN115909576A publication Critical patent/CN115909576A/en
Pending legal-status Critical Current

Abstract

The embodiment of the invention relates to the technical field of security systems, and in particular to an application method of a blockchain-based access control system. A first access control application in a rich execution environment of the access control device collects the user's identity information to be identified, and a second access control application in a trusted execution environment performs identity authentication and permission confirmation, thereby ensuring the security of the related information of the access control device during identity authentication and permission confirmation. The pass information is uploaded to a blockchain for storage based on public-private key asymmetric encryption technology, which prevents malicious deletion of and tampering with the pass information. When the activation information of the access control device is stored as evidence, the correspondence between the access control device ID and the sending address of the access control device is stored as well; when pass information is put on the chain as evidence, the correspondence between the access control device ID and the sending address that sent the pass information is verified, so that the pass information not only passes verification of legitimacy and integrity, but the certainty of the access control device uploading the pass information is also ensured.

Description

Application method of access control system based on block chain
Technical Field
The embodiment of the invention relates to the technical field of security systems, in particular to an application method of an access control system based on a block chain.
Background
With the continuous progress of society, the requirements for order in production and daily life are increasingly high, and the security requirements and permission management for production data have been raised. Access control systems are installed in many industrial parks, enterprises, confidential units, smart communities and other places to manage the passage of personnel and vehicles. These access control systems often consist of access control devices and a centralized cloud management platform: the access control device collects the identity information of personnel or vehicles in real time and uploads it to the cloud management platform, which confirms the permission for that identity information and then issues an instruction to the access control device on whether to allow passage.
However, having the centralized cloud management platform decide authorization brings several problems: 1. identity information is uploaded to the cloud management platform, which carries risks such as disclosure of user identity privacy and injection attacks; 2. the centralized cloud management platform is prone to management vulnerabilities, such as malicious deletion of and tampering with data by an administrator.
Disclosure of Invention
The embodiment of the invention aims to provide an application method of a blockchain-based access control system that effectively reduces the risk of user identity leakage and attack while completing the pass management of the access control system, and that manages the pass information of the access control system in a decentralized manner so that the pass information cannot be maliciously deleted or tampered with.
To solve the above technical problem, an embodiment of the present invention provides an application method of a blockchain-based access control system. The blockchain-based access control system includes an access control device, an access control management platform and a blockchain. The access control device is deployed with a first access control application in a rich execution environment and a second access control application in a trusted execution environment, and stores a device private key; the access control management platform stores device public keys and access control device IDs in one-to-one correspondence with the device private keys of the access control devices. The application method includes at least an identity authentication and permission confirmation process, which comprises:
the first access control application responds to an initiating instruction, input by a user, for the identity authentication and permission confirmation process, and collects the user's identity information to be identified;
the second access control application matches the identity information to be identified against registration identity information pre-stored in the local trusted execution environment to determine whether the user is a registered user;
when the user is determined to be a registered user, the second access control application queries, in the registration permission information of registered users pre-stored in the local trusted execution environment, whether the user has pass permission for the current access control device; the registration permission information of registered users is entered into the trusted execution environment of the access control device by the access control management platform based on the pre-stored device public key and access control device ID;
when the user is determined to have pass permission for the current access control device, the first access control application opens the access control device for the user to pass;
the second access control application generates the pass information for this pass, generates a first signature using the locally stored device private key, and uploads the pass information and the first signature, or additionally a certificate carrying the device public key of the access control device, to a smart contract of the blockchain, wherein the pass information includes at least: the access control device ID, the user ID, and the pass date and time;
the smart contract queries whether the correspondence between the access control device ID in the uploaded pass information and the sending address used for this upload is stored in the blockchain; if so, the verification mechanism of the blockchain parses the device public key from the first signature, or, when the uploaded information also includes a certificate carrying the device public key of the access control device, parses the device public key from the certificate, and verifies the uploaded pass information using the device public key and the first signature; when the verification succeeds, the pass information is stored in the blockchain. The correspondence is the one, between the access control device ID in the activation information and the sending address used to upload the activation information, that the verification mechanism stored on the blockchain when the activation information was uploaded to the blockchain after the access control device was successfully activated.
Compared with the prior art, the embodiment of the invention deploys a first access control application in a rich execution environment and a second access control application in a trusted execution environment in the access control device; the first access control application collects the user's identity information to be identified and the second access control application performs identity authentication and permission confirmation, which ensures the security of the related information of the access control device during identity authentication and permission confirmation and prevents the user's identity from being leaked or attacked. After each pass through the access control device, the pass information is uploaded to the blockchain for verification and storage based on public-private key asymmetric encryption technology, which ensures decentralized management of the pass information and prevents it from being maliciously deleted or tampered with. In addition, to prevent other devices from impersonating the current access control device to upload pass information, when the smart contract stores the activation information of the access control device as evidence, the correspondence between the access control device ID and the sending address used to upload the activation information (the sending address of the access control device) is additionally stored. When other legitimate information of the access control device is subsequently uploaded for evidence storage, the pass information can be put on the chain as evidence only if the correspondence between the access control device ID and the sending address used to send the uploaded information is stored in the blockchain. The pass information therefore meets the legitimacy and integrity requirements, and the certainty of the access control device uploading the pass information is also ensured.
Drawings
One or more embodiments are illustrated by way of example in the accompanying drawings, which correspond to the figures in which like reference numerals refer to similar elements and which are not to scale unless otherwise specified.
Fig. 1 is a schematic structural diagram of a blockchain-based access control system according to an embodiment of the present invention;
Fig. 2 is a detailed flowchart of an identity authentication and permission confirmation process according to an embodiment of the present invention;
Fig. 3 is a detailed flowchart of an activation process of an access control device according to an embodiment of the present invention;
Fig. 4 is a detailed flowchart of an identity and permission information entry process according to an embodiment of the present invention;
Fig. 5 is a detailed flowchart of a process of querying an access control record according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, embodiments of the present invention will be described in detail below with reference to the accompanying drawings. However, it will be appreciated by those of ordinary skill in the art that numerous technical details are set forth in order to provide a better understanding of the present application in various embodiments of the present invention. However, the technical solution claimed in the present application can be implemented without these technical details and various changes and modifications based on the following embodiments.
An embodiment of the present invention relates to an application method of a blockchain-based access control system. As shown in Fig. 1, the blockchain-based access control system includes: an access control device 1, an access control management platform 2 and a blockchain 3. The access control device 1, as the end-side device of the whole access control system, is deployed with a first access control application in a rich execution environment and a second access control application in a trusted execution environment. The first access control application on the one hand acts as a sensor, collecting various information, and on the other hand acts as a network channel, interacting with the outside to receive and send data for the second access control application; it mainly comprises application modules for functions such as information collection, access control switch, information display, near-field sensing and wireless networking. The second access control application mainly performs the various logic processing and storage operations, mainly including: cryptography, trusted time, secure storage, data processing, on-chain (blockchain) data integration, and the like. The access control device stores a device private key; the access control management platform stores device public keys and access control device IDs in one-to-one correspondence with the device private keys of the access control devices; the blockchain is deployed with smart contracts and a verification mechanism for data verification and for putting data on the chain. The application method of the blockchain-based access control system provided by this embodiment includes at least an identity authentication and permission confirmation process. As shown in Fig. 2, the identity authentication and permission confirmation process includes the following steps.
Step 101: the first access control application responds to an initiating instruction, input by a user, for the identity authentication and permission confirmation process, and collects the user's identity information to be identified.
Specifically, when the user wants to pass through the access control device, the user approaches the access control device and sends it an instruction to start the identity authentication and permission confirmation process. The instruction may be initiated by, but is not limited to, voice, a key press, a screen touch, and the like. After receiving the instruction, the first access control application starts to collect the user's identity information to be identified, that is, the identity features presented by the user. In this embodiment, the supported identity features of the user may include: a radio-frequency door card, a fingerprint, a face, a user name and password, a license plate number and the like, which form the identity information, namely radio-frequency information, fingerprint images, face images, user names and passwords, license plate numbers and the like. In actual operation, the type of user identity information collected also depends on the hardware capability of the access control device and the functional design of the access control system.
Step 102: the second access control application matches the identity information to be identified against the registration identity information pre-stored in the local trusted execution environment to determine whether the user is a registered user.
Specifically, after the first access control application sends the collected identity information to be identified to the second access control application, the second access control application authenticates the user who wants to pass through the access control device by recognizing that information. The second access control application searches the registration identity information pre-stored in the local trusted execution environment for a match with the collected identity information to be identified: if a match is retrieved, the current user is a registered user; if not, the current user is a non-registered user. For a non-registered user, the access control device ends the subsequent process directly and automatically returns to collecting the user's identity information to be identified; if no identity information to be identified is collected within a preset time, the information collection function is closed to wait for the next initiating instruction.
Step 103: when the user is determined to be a registered user, the second access control application queries, in the registration permission information of registered users pre-stored in the local trusted execution environment, whether the user has pass permission for the current access control device; the registration permission information of registered users is entered into the trusted execution environment of the access control device by the access control management platform based on the pre-stored device public key and access control device ID.
Specifically, for a user identified as a registered user, the second access control application continues by querying, in the registration permission information of registered users pre-stored in the local trusted execution environment, the registration permission information corresponding to the user, and determines from it the user's current permission status, including whether the permission state allows passing, whether the permission is within its validity period, and the like. The registration permission information of registered users is entered into the trusted execution environment of the access control device by the access control management platform based on the pre-stored device public key and access control device ID of the access control device. The identity and permission information entry process is described in detail later and is not repeated here.
Step 104: when the user is determined to have pass permission for the current access control device, the first access control application opens the access control device for the user to pass through.
Specifically, when the second access control application determines, by querying the registration permission information of registered users, that the current user has pass permission for the current access control device, it may instruct the access control switch application in the first access control application to open the access control device for the user to pass through. For example, the user is allowed through by controlling a door lock, a gate or the like.
Step 105: the second access control application generates the pass information for this pass, generates a first signature using the locally stored device private key, and uploads the pass information and the first signature, or additionally a certificate carrying the device public key of the access control device, to a smart contract of the blockchain, wherein the pass information includes at least: the access control device ID, the user ID, and the pass date and time.
Specifically, after the access control device completes one user pass, the second access control application may generate the pass information corresponding to that pass. As shown in Table 1, the pass information includes at least: the access control device ID, the user ID, and the pass date and time. The second access control application generates a signature for this pass information using the locally pre-stored device private key of the current access control device; this signature is denoted the first signature. The second access control application uploads the pass information (original text) and the first signature, or additionally a certificate carrying the device public key of the current access control device, to a smart contract of the blockchain for evidence storage. The certificate carrying the device public key may be obtained as follows: a third-party Certificate Authority (CA) issues, to each processing node on the blockchain, a certificate carrying the node public key and node information of that processing node, and the processing node then issues, to each access control device in the access control system, a certificate carrying the device public key and device information of that access control device. The device public key of the access control device can be recovered from the certificate carrying it.
TABLE 1 Pass information
[Table 1 image]
Step 106: the smart contract queries whether the correspondence between the access control device ID in the uploaded pass information and the sending address used for this upload is stored in the blockchain; if so, the verification mechanism of the blockchain parses the device public key from the first signature, or, when the uploaded information also includes a certificate carrying the device public key of the access control device, parses the device public key from the certificate, and verifies the uploaded pass information using the device public key and the first signature; when the verification succeeds, the pass information is stored in the blockchain. The correspondence is the one, between the access control device ID in the activation information and the sending address used to upload the activation information, that the verification mechanism stored on the blockchain when the activation information was uploaded to the blockchain after the access control device was successfully activated.
Specifically, after receiving the uploaded pass information, the smart contract on the blockchain does not directly forward it to the verification mechanism for verification of its legitimacy and integrity with the public and private keys. It first determines whether the pass information was generated and uploaded by the access control device that corresponds to the access control device ID in the pass information. It does so by querying the blockchain for whether the correspondence between the access control device ID in the uploaded pass information and the sending address used for this upload is stored.
The sending address that an access control device uses to send information is fixed and unchangeable. In this scheme, after the access control device is activated, the correspondence between the access control device ID and the sending address the device uses to send information is stored on the blockchain as evidence. When information uploaded by the access control device is received again, the certainty of the information source can therefore be ensured from the stored correspondence between the access control device ID and the sending address. The activation process of the access control device is described in detail in the following embodiments and is not repeated here.
In this embodiment, after receiving the uploaded pass information, the smart contract first queries the blockchain for whether the correspondence between the access control device ID in the uploaded pass information and the sending address used for this upload is stored; if it is not stored, the verification of the pass information by the verification mechanism can be stopped directly, and the on-chain process ends.
When the verification mechanism verifies the pass information, it may first parse the device public key from the first signature (this way of obtaining the device public key suits information verification on a blockchain in an Ethereum environment), or, when the uploaded information includes a certificate carrying the device public key of the access control device, parse the device public key from the certificate (this way suits information verification on a blockchain in a certificate environment). In practical applications, interaction with the blockchain may use the device public key obtained in either of these two ways for information verification, which is not limited in this embodiment. After the device public key of the access control device is obtained, the legitimacy and integrity of the uploaded pass information can be verified using the device public key and the first signature: the first signature is decrypted with the device public key to obtain digest information; the pass information is also turned into digest information using a preset hash algorithm; the two digests are compared, and if they are identical the verification succeeds, otherwise it fails. When the verification succeeds, the verification mechanism stores the pass information on the blockchain as evidence.
Compared with the prior art, this embodiment deploys a first access control application in a rich execution environment and a second access control application in a trusted execution environment in the access control device; the first access control application collects the user's identity information to be identified and the second access control application performs identity authentication and permission confirmation, which ensures the security of the related information of the access control device during identity authentication and permission confirmation and prevents the user's identity from being leaked or attacked. After each pass through the access control device, the pass information is uploaded to the blockchain for verification and storage based on public-private key asymmetric encryption technology, which ensures decentralized management of the pass information and prevents it from being maliciously deleted or tampered with. In addition, to prevent other devices from impersonating the current access control device to upload pass information, when the smart contract stores the activation information of the access control device as evidence, the correspondence between the access control device ID and the sending address used to upload the activation information (the sending address of the access control device) is additionally stored. When other legitimate information of the access control device is subsequently uploaded for evidence storage, the pass information can be put on the chain as evidence only if the correspondence between the access control device ID and the sending address used to send the uploaded information is stored in the blockchain. The pass information therefore meets the legitimacy and integrity requirements, and the certainty of the access control device uploading the pass information is also ensured.
Another embodiment of the present invention relates to an application method of a blockchain-based access control system which, in addition to the identity authentication and permission confirmation process shown in Fig. 2, further includes an activation process of the access control device. As shown in Fig. 3, the activation process of the access control device includes the following steps.
Step 201: the first access control application in the access control device responds to an initialization instruction input by an administrator and activates the local access control service functions and the communication function with the access control management platform, or additionally receives a certificate, sent by the access control management platform, that carries the device public key of the access control device.
Specifically, an access control administrator installs the access control device at a designated position, powers it on and starts it, and then inputs an initialization instruction to the first access control application in the access control device. The first access control application responds to the initialization instruction by activating the local access control service functions and the communication function with the access control management platform. The local access control service functions may be the first access control application's service functions such as information collection, access control switch, information display and near-field sensing; the communication function is the communication interaction between the first access control application and the access control management platform, for example, the first access control application attempts to report access control device information including, for example, a device ID, an activation time, and the like to the access control management platform.
In addition, when the blockchain in this embodiment is a blockchain in a certificate environment, the access control management platform may also issue the certificate carrying the device public key of the access control device to the access control device. The certificate carrying the device public key may be obtained as follows: a third-party Certificate Authority (CA) issues, to each processing node on the blockchain, a certificate carrying the node public key and node information of that processing node, and the processing node then issues, to each access control device in the access control system, a certificate carrying the device public key and device information of that access control device. The device public key of the access control device can be recovered from the certificate carrying it. To ensure the security of the issued data and the efficiency of data processing, the access control management platform may generate a one-time session key (such as AES, SM4, DES, etc.), encrypt the issued data with the session key, and encrypt the session key with the device public key. After the data is issued, the first access control application of the access control device passes the received data to the second access control application, which first decrypts the session key using the device private key and then decrypts the issued data with the session key to obtain the certificate.
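The issuance scheme in the paragraph above, sketched in Go as an added example that is not code from the patent. RSA-OAEP for wrapping the session key, AES-256-GCM for the data, and use of the access control device ID as authenticated associated data are assumptions; the patent names only AES, SM4 and DES as possible session ciphers. The names `Seal`, `Open`, `Envelope` and `NewDeviceKey` and the sample data are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what the management platform issues to one access control device.
type Envelope struct {
	WrappedKey []byte // one-time session key, encrypted with the device public key
	Nonce      []byte
	Ciphertext []byte // issued data, encrypted and authenticated with the session key
}

// NewDeviceKey generates a device key pair (stand-in for the provisioned key).
func NewDeviceKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the platform side: fresh session key per message, data sealed with
// the session key, session key wrapped with the device public key.
func Seal(pub *rsa.PublicKey, deviceID string, data []byte) (Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	// The device ID is authenticated but not encrypted (assumption).
	ct := gcm.Seal(nil, nonce, data, []byte(deviceID))
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is the device side, run by the second access control application.
func Open(priv *rsa.PrivateKey, deviceID string, e Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(e.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, []byte(deviceID))
}

func main() {
	priv := NewDeviceKey()
	env, err := Seal(&priv.PublicKey, "door-01", []byte("constructed certificate bytes"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(priv, "door-01", env)
	fmt.Printf("decrypted: %q, err: %v\n", pt, err)
	env.Ciphertext[0] ^= 1 // changed while relayed by the first access control application
	_, err = Open(priv, "door-01", env)
	fmt.Println("after modification:", err)
}
```

The authenticated mode matters here because the ciphertext reaches the trusted execution environment through the first access control application in the rich execution environment. Encryption to the device public key does not by itself show that the envelope came from the access control management platform.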
Step 202: the second access control application generates activation information after the first access control application is successfully activated, generates a second signature for the activation information by using a locally stored device private key, and uploads the activation information and the second signature, or additionally a certificate carrying the device public key of the access control device, to an intelligent contract of the block chain, which forwards them to a verification mechanism of the block chain; the activation information at least comprises: the access control device ID, the activation time, the last start time and the state information of the access control device.
Specifically, after the first access control application is successfully activated, the second access control application generates the activation information of this activation process; as shown in Table 2, the activation information at least includes: the access control device ID, the activation time, the last start time and the state information of the access control device. The second access control application generates a signature for this activation information by using the locally pre-stored device private key of the current access control device; this signature is denoted the second signature. The second access control application uploads the activation information (original text) and the second signature, or additionally a certificate carrying the device public key of the access control device, to an intelligent contract of the block chain, and the intelligent contract forwards the received information to a verification mechanism for evidence storage.
Table 2. Activation information [table image not available]
Step 203: the verification mechanism parses the device public key from the second signature or, when the uploaded information also includes a certificate carrying the device public key of the access control device, parses the device public key from the certificate, and verifies the activation information by using the device public key and the second signature; after the verification succeeds, it stores in the block chain the activation information and the correspondence between the access control device ID in the activation information and the sending address used to upload the activation information.
Specifically, after receiving the uploaded activation information, the verification mechanism on the block chain verifies its validity and integrity. To do so, the verification mechanism may first parse the device public key from the second signature (this way of obtaining the device public key applies to information verification on a block chain in an Ethereum environment) or, when the uploaded information also includes a certificate carrying the device public key of the access control device, parse the device public key from the certificate (this way of obtaining the device public key applies to information verification on a block chain in a certificate environment). In practical applications, information exchanged with the block chain may be verified with a device public key obtained by either of the two methods, which is not limited in this embodiment. After the device public key of the access control device is obtained, the validity and integrity of the uploaded activation information can be verified by using the device public key and the second signature: the second signature is decrypted with the device public key to obtain digest information; meanwhile, digest information is generated from the activation information with a preset hash algorithm; the two digests are compared, and if they are the same the verification succeeds, otherwise it fails. When the verification succeeds, the verification mechanism stores the activation information in the block chain for evidence storage.
In addition, the sending address that an access control device uses to send information is fixed and unchangeable. Therefore, when the verification mechanism stores the activation information uploaded by an access control device, it also stores on the block chain the correspondence between the access control device ID and the sending address that the device uses to send information. When the intelligent contract subsequently receives information uploaded by the access control device, it can confirm the source of the information by querying the stored correspondence between the access control device ID and the sending address.
Specifically, the verification mechanism extracts, from the uploaded activation information, the access control device ID and the sending address that the access control device used for this upload, and binds the two to form a correspondence. When storing the activation information in the block chain, the verification mechanism also stores the bound access control device ID and sending address in the block chain, so that the source of information subsequently uploaded under this access control device ID can be verified.
Compared with the prior art, in this embodiment the activation information is uploaded to the block chain for evidence storage during activation of the access control device, which ensures that the activation information is not tampered with; at the same time, the access control device ID and the sending address are stored on the block chain, so that the source of information subsequently uploaded under this access control device ID can be verified.
Another embodiment of the present invention relates to an application method of a block chain-based access control system, which includes an identity authentication and permission confirmation process and an access control device activation process shown in fig. 2 and 3, and further includes an identity and permission information entry process. As shown in fig. 4, the information entry process of the identity and the authority includes the following steps.
Step 301: the access control management platform receives the identity information and the authority information input by the administrator, and the identity information and the authority information at least comprise: a user ID, a list of authorized access control devices corresponding to the user ID, authority configuration, a validity period start date and time, a validity period end date and time, and an operator ID.
Specifically, after the access control device is successfully activated, the access control management platform receives the identity information and the permission information input by the administrator, so that this information can be loaded into the access control device through the access control management platform. As shown in Table 3, the identity information and the authority information at least include: a user ID, a list of authorized access control devices corresponding to the user ID, authority configuration, a validity period start date and time, a validity period end date and time, and an operator ID.
Table 3. Identity information and authority information [table image not available]
Step 302: the access control management platform encrypts the identity information and the permission information based on the equipment public key of the access control equipment, and sends the encrypted identity information and permission information to a second access control application in the access control equipment.
Specifically, the access control management platform may encrypt the identity information and the permission information by using a device public key of the current access control device, for example, calculate a hash value of the identity information and the permission information as digest information by using a preset hash algorithm, and then encrypt the digest information by using the device public key of the current access control device. The access control management platform issues the encrypted identity information and the encrypted permission information to a first access control application in the access control equipment, and then transmits the encrypted information to a second access control application through the first access control application.
Step 303: the second access control application decrypts the received encrypted identity information and encrypted authority information based on the device private key of the access control device, takes the access control device ID of the current access control device together with the decrypted identity information and authority information as the registration authority information of the registered user, and stores or updates the registration authority information in a local trusted execution environment.
Specifically, after receiving the encrypted identity information and the encrypted permission information, the second access control application decrypts the encrypted information by using the device private key of the current access control device to obtain the identity information and the permission information; and then, taking the ID of the current access control equipment, the identity information and the authority information obtained by decryption as the registration authority information of the registered user, storing or updating the registration authority information into a local trusted execution environment, and finishing the recording of the registration authority information (including the identity information and the authority information) into the local.
In addition, in order to ensure the security of the delivered data and the efficiency of data processing, in the improved step 302, the access control management platform may generate a one-time session key (such as AES, SM4, DES, and the like), encrypt the delivered data with the session key, and encrypt the session key with the device public key. After the data is sent, in step 303 after the improvement, the first access control application of the access control device transmits the received data to the second access control application, and the second access control application may decrypt the session key using the device private key first, and then decrypt the sent data text using the session key to obtain the identity information and the permission information.
Step 304: after the registration authority information is successfully entered, the second access control application generates a third signature for the registration authority information by using a locally stored device private key, and uploads the registration authority information and the third signature, or additionally a certificate carrying the device public key of the access control device, to an intelligent contract of the block chain.
Specifically, after the registration authority information is successfully input into the first access control application, the second access control application generates a signature for the current registration authority information by using the locally pre-stored device private key of the current access control device; this signature is denoted the third signature. The second access control application uploads the registration authority information (original text) and the third signature, or additionally a certificate carrying the device public key of the access control device, to an intelligent contract of the block chain, and the intelligent contract forwards them to a verification mechanism for evidence storage.
Step 305: the intelligent contract queries whether the correspondence between the access control device ID in the uploaded registration authority information and the sending address used to upload the registration authority information is stored in the block chain; if it is stored, a verification mechanism of the block chain parses the device public key from the third signature or, when the uploaded information also includes a certificate carrying the device public key of the access control device, parses the device public key from the certificate, and verifies the uploaded registration authority information by using the device public key and the third signature; after the verification succeeds, the registration authority information is stored in the block chain.
Specifically, after receiving the uploaded registration authority information, the intelligent contract on the blockchain does not directly forward the registration authority information to a verification mechanism to verify the validity and integrity of the registration authority information by using a public and private key, but first determines whether the registration authority information is generated and uploaded by the access control device corresponding to the access control device ID in the registration authority information. The judging method is that whether the corresponding relation between the access control equipment ID in the registration authority information uploaded this time and the sending address adopted by the registration authority information uploaded this time is stored or not is inquired from the block chain.
The sending address that an access control device uses to send information is fixed and unchangeable, and in this scheme the correspondence between the access control device ID and the sending address that the device uses to send information is stored on the block chain after the access control device is activated. Therefore, when the intelligent contract receives information uploaded by the access control device, it can confirm the source of the information from the stored correspondence between the access control device ID and the sending address. The activation process of the access control device has been described in detail in the foregoing embodiments and is not repeated here.
In this embodiment, after receiving the uploaded registration authority information, the intelligent contract first queries the block chain for the correspondence between the access control device ID in the uploaded registration authority information and the sending address used to upload it; if no such correspondence is stored, this indicates that the uploaded registration authority information may have been forged by another device, so the verification of the registration authority information can be stopped directly and the uplink process ends.
When the verification mechanism verifies the registration authority information, it may first parse the device public key from the third signature (this way of obtaining the device public key applies to information verification on a block chain in an Ethereum environment) or, when the uploaded information also includes a certificate carrying the device public key of the access control device, parse the device public key from the certificate (this way of obtaining the device public key applies to information verification on a block chain in a certificate environment). In practical applications, information exchanged with the block chain may be verified with a device public key obtained by either of the two methods, which is not limited in this embodiment. After the device public key of the access control device is obtained, the validity and integrity of the uploaded registration authority information can be verified by using the device public key and the third signature: the third signature is decrypted with the device public key to obtain digest information; meanwhile, digest information is generated from the registration authority information with the preset hash algorithm; the two digests are compared, and if they are the same the verification succeeds, otherwise it fails. After the verification succeeds, the verification mechanism stores the registration authority information in the block chain for evidence storage.
Compared with the prior art, in this embodiment, after the registration authority information containing the identity information and authority information is entered into the access control device, the registration authority information is uploaded to the block chain for evidence storage based on public-private key asymmetric encryption, which ensures decentralized management of the access control registration authority information and prevents it from being maliciously deleted or tampered with. In addition, to prevent other devices from impersonating the current access control device when uploading registration authority information, the verification mechanism, when storing the activation information of the access control device, additionally stores the correspondence between the access control device ID and the sending address used to upload the activation information (the sending address of the access control device). When other information of the access control device is subsequently uploaded for evidence storage, the registration authority information can be stored only if the correspondence between the access control device ID and the sending address used for the upload is already stored in the block chain. As a result, the verified registration authority information not only satisfies validity and integrity, but the identity of the access control device that uploaded it is also assured.
Another embodiment of the present invention relates to an application method of a block chain-based access control system, which further includes an access record query process based on the method process shown in any one of the foregoing fig. 2, fig. 3, and fig. 4. As shown in fig. 5, the access record query process includes the following steps.
Step 401: the access control management platform receives the input query parameters.
Specifically, the administrator may query the relevant information stored on the blockchain by inputting a query parameter to the access control management platform, where the query parameter may be, but is not limited to: access control device ID, user ID, operator ID, expiration time, etc.
Step 402: the access control management platform sends a query request carrying the query parameters to the intelligent contract of the block chain.
Step 403: the intelligent contract queries the block chain for the evidence storage information matching the query parameters according to the query request, and returns the evidence storage information to the access control management platform.
Compared with the related art, the information stored on the block chain is authentic and cannot be tampered with, which guarantees the accuracy of the information obtained by a query. In addition, because the access control management platform holds only the evidence storage information returned by a query, and obtains it only at query time, the data security problems that could arise if the access control management platform itself stored the access control management information are avoided.
That is, as can be understood by those skilled in the art, all or part of the steps in the method for implementing the embodiments described above may be implemented by a program instructing related hardware, where the program is stored in a storage medium and includes several instructions to enable a device (which may be a single chip, a chip, or the like) or a processor (processor) to execute all or part of the steps of the method described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk, and various media capable of storing program codes.
It will be understood by those of ordinary skill in the art that the foregoing embodiments are specific examples for carrying out the invention, and that various changes in form and details may be made therein without departing from the spirit and scope of the invention in practice.

Claims (4)

1. An application method of an access control system based on a block chain, characterized in that the access control system based on the block chain comprises: an access control device, an access control management platform and a block chain, wherein the access control device is provided with a first access control application in a rich execution environment and a second access control application in a trusted execution environment, and the access control device stores a device private key; the access control management platform stores the device public keys and access control device IDs that correspond one-to-one to the device private keys of the access control devices; and the application method at least comprises: an identity authentication and permission confirmation process; the identity authentication and permission confirmation process comprises:
the first access control application responds to an initiating instruction of an identity authentication and permission confirmation process input by a user and collects identity information to be identified of the user;
the second access control application matches the identity information to be identified against the registration identity information pre-stored in the local trusted execution environment, and determines whether the user is a registered user;
when the user is determined to be a registered user, the second access control application inquires whether the user has the current access control equipment permission or not in registration permission information of the registered user, which is pre-stored in the local trusted execution environment; the registration authority information of the registered user is input into a trusted execution environment of the access control equipment by the access control management platform based on a pre-stored equipment public key and an access control equipment ID;
when the user is determined to have the current right of passage of the access control equipment, the first access control application opens the access control equipment for the user to pass through;
the second access control application generates the current pass information, generates a first signature by using a locally stored device private key, and uploads the pass information, the first signature or a certificate carrying a device public key of the access control device to an intelligent contract of the block chain, wherein the pass information at least comprises: the access control equipment ID, the user ID and the passing date and time;
the intelligent contract queries whether the correspondence between the access control device ID in the uploaded pass information and the sending address used to upload the pass information is stored in the block chain; if it is stored, a verification mechanism of the block chain parses the device public key from the first signature or, when the uploaded information also includes a certificate carrying the device public key of the access control device, parses the device public key from the certificate, and verifies the uploaded pass information by using the device public key and the first signature; when the verification succeeds, the pass information is stored in the block chain; wherein the correspondence is the correspondence, between the access control device ID in the activation information and the sending address used to upload the activation information, that the verification mechanism stores on the block chain when the activation information is uploaded to the block chain after the access control device is successfully activated.
2. The method of claim 1, wherein the application method further comprises: an access control device activation process; the access control device activation process comprises:
the first access control application in the access control equipment responds to an initialization instruction input by an administrator, activates a local access control service function and a communication function with the access control management platform, or further receives a certificate which is sent by the access control management platform and carries an equipment public key of the access control equipment;
the second access control application generates activation information after the first access control application is successfully activated, generates a second signature for the activation information by using a locally stored device private key, and uploads the activation information and the second signature, or additionally a certificate carrying the device public key of the access control device, to an intelligent contract of the block chain, which forwards them to a verification mechanism of the block chain, the activation information at least comprising: the access control device ID, the activation time, the last start time and the state information of the access control device;
the verification mechanism analyzes a device public key from the second signature, or when the uploading information also comprises a certificate carrying the device public key of the access control device, the device public key is analyzed from the certificate, and the activation information is verified by using the device public key and the second signature; and after the verification is successful, storing the activation information and the corresponding relation between the access control equipment ID in the activation information and the sending address adopted by uploading the activation information into a block chain.
3. The method of claim 2, wherein the application method further comprises: an identity and authority information entry process; the identity and authority information entry process comprises:
the access control management platform receives identity information and authority information input by an administrator, wherein the identity information and the authority information at least comprise: a user ID, a list of authorized access control devices corresponding to the user ID, authority configuration, a validity period start date and time, a validity period end date and time, and an operator ID;
the access control management platform encrypts the identity information and the permission information based on the device public key of the access control device, and sends the encrypted identity information and permission information to the second access control application in the access control device;
the second access control application decrypts the received encrypted identity information and permission information based on the device private key of the access control device, takes the current access control device ID of the access control device and the identity information and permission information obtained by decryption as the registration permission information of the registered user, and stores or updates the registration permission information into the local trusted execution environment;
after the registration authority information is successfully entered, the second access control application generates a third signature for the registration authority information by using a locally stored device private key, and uploads the registration authority information and the third signature, or additionally a certificate carrying the device public key of the access control device, to an intelligent contract of the block chain;
the intelligent contract queries whether the correspondence between the access control device ID in the uploaded registration authority information and the sending address used to upload the registration authority information is stored in the block chain; if it is stored, a verification mechanism of the block chain parses the device public key from the third signature or, when the uploaded information also includes a certificate carrying the device public key of the access control device, parses the device public key from the certificate, and verifies the uploaded registration authority information by using the device public key and the third signature; and when the verification succeeds, the registration authority information is stored in the block chain.
4. The method according to any one of claims 1-3, wherein the application method further comprises: an access record query process; the access record query process comprises:
the access control management platform receives input query parameters;
the access control management platform sends the query request carrying the query parameters to the intelligent contract of the block chain;
and the intelligent contract inquires evidence storage information matched with the inquiry parameters from the block chain according to the inquiry request and feeds the evidence storage information back to the access control management platform.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211305087.4A CN115909576A (en) 2022-10-24 2022-10-24 Application method of access control system based on block chain

Publications (1)

Publication Number Publication Date
CN115909576A true CN115909576A (en) 2023-04-04

Family

ID=86470053

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211305087.4A Pending CN115909576A (en) 2022-10-24 2022-10-24 Application method of access control system based on block chain

Country Status (1)

Country Link
CN (1) CN115909576A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination