WO2017200273A1 - Apparatus, system and method for controlling access on the basis of card information and terminal information - Google Patents

Apparatus, system and method for controlling access on the basis of card information and terminal information

Info

Publication number
WO2017200273A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
terminal
authentication
card
access
Application number
PCT/KR2017/005072
Other languages
English (en)
Korean (ko)
Inventor
김태균
손인호
신명순
이정일
조대성
강봉권
이인수
Original Assignee
주식회사 케이티
Application filed by 주식회사 케이티
Publication of WO2017200273A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • G07C9/20 Individual registration on entry or exit involving the use of a pass
    • G07C9/22 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K19/00 Record carriers for use with machines and with at least a part designed to carry digital markings
    • G06K19/06 Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
    • G06K19/067 Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components
    • G06K19/07 Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components with integrated circuit chips
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K19/00 Record carriers for use with machines and with at least a part designed to carry digital markings
    • G06K19/06 Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
    • G06K19/067 Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components
    • G06K19/07 Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components with integrated circuit chips
    • G06K19/0723 Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components with integrated circuit chips the record carrier comprising an arrangement for non-contact communication, e.g. wireless communication circuits on transponder cards, non-contact smart cards or RFIDs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K7/00 Methods or arrangements for sensing record carriers, e.g. for reading patterns
    • G06K7/10 Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K7/00 Methods or arrangements for sensing record carriers, e.g. for reading patterns
    • G06K7/10 Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation
    • G06K7/10009 Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation sensing by radiation using wavelengths larger than 0.1 mm, e.g. radio-waves or microwaves
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • G07C9/20 Individual registration on entry or exit involving the use of a pass
    • G07C9/27 Individual registration on entry or exit involving the use of a pass with central registration
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the present invention relates to access control technology, and more specifically to an apparatus, system, and method that collect the terminal information of a user and, upon receiving a request for access authentication including the user's card information, authenticate the collected terminal information and the requested card information to control the user's access.
  • a user is authenticated using a password or biometric information such as the user's fingerprint, iris, and the like, and the user's access is selectively allowed according to the authentication result.
  • the access management technology using the RFID authenticates whether the RFID received from the user's terminal or the card is registered identification information, and permits the user's access.
  • MFA: Multi Factor Authentication
  • the present invention was created in recognition of the prior art described above, and its purpose is to provide an apparatus, system and method that authenticate, based on MFA, the card ID and terminal information of a user for whom access authentication is requested, and allow access for a user whose authentication succeeds.
  • another purpose of the present invention is to divide the peripheral area where the access device is located into Wi-Fi zones and collect the location information of the user terminal, and, upon confirming that the location information of the access device matches that of the terminal information collected for the authenticated card ID, to control the opening and closing of the access device through which the user passes according to the success of the access authentication.
  • an apparatus for controlling access based on card information and terminal information may include: a collector configured to collect terminal information of a user terminal received by an access point (AP) device around an access device; a receiving unit which receives a request for access authentication including card information of a user read by the access device; a determination unit which determines an authentication result of multi factor authentication (MFA) including card authentication for determining whether the card information for which authentication is requested is registered card information and terminal authentication for determining whether the terminal information of the received card information is the collected terminal information; and a control unit which transmits control information for which the determined authentication result is successful to the access device to control an access permission of the user.
  • the collection unit collects, as the terminal information, terminal identification information received by the AP device through Wi-Fi communication or beacon communication.
  • the collecting unit collects the terminal information by executing Wi-Fi of the user terminal in which the function of always searching for the AP device is executed even when the Wi-Fi receiving function is turned off.
  • the receiving unit receives, as the card information, RFID (Radio Frequency IDentification) of the access card read by the reader of the access device.
  • the apparatus further includes a DB (DataBase) for storing the card ID of the user's access card and the terminal identification information of the matched user terminal, and the determination unit queries the DB using the card ID of the card information requested for authentication as a key. When the matching card ID is inquired from the DB, the card authentication is determined to be successful. If the inquired terminal identification information is the collected terminal identification information, the terminal authentication is determined to be successful. If both card authentication and terminal authentication succeed, the MFA authentication result is determined to be success.
  • the control unit transmits access control information of the access permission to the gate controller of the access device, and the gate controller controls the gate device through which the user passes by access control by the transmitted control information.
  • the device may include a DB in which a peripheral area of the access device is divided into a plurality of unit areas, and the strength of a wireless signal received from neighboring AP devices in each unit area is stored as location information for each unit area.
  • the collection unit collects the terminal information including the terminal identification information of the user terminal and the strength of each radio signal received in the unit area through the AP device.
  • the determination unit inquires of the position information most matched from the DB using the strength of the collected wireless signal as a key, and determines the unit area of the inquired location area as the unit area where the user terminal is located.
  • the DB further stores the unit area information where the access device is located,
  • the determination unit determines that the terminal authentication is successful when querying the unit region information of the access device from the DB using the unit region information of the collected terminal information as a key.
  • a system for controlling access based on card information and terminal information includes: a user terminal receiving a wireless signal from each AP device and transmitting terminal information in response; an AP device installed around each access device, receiving the terminal information from a user terminal that received the wireless signal, and transmitting the terminal information to a control device; an access device that reads card information of a user requesting access permission, requests access authentication including the card information, receives control information of an authentication result, and permits or disallows the user's access; and a control device that collects the terminal information through the AP device, receives the authentication request from the access device, determines an authentication result of the MFA including card authentication for determining whether the received card information is registered card information and terminal authentication for determining whether the terminal information of the received card information is the collected terminal information, and transmits control information for which the determined authentication result is successful to the access device.
  • a method of controlling an access based on card information and terminal information comprising: collecting terminal information of a user terminal received by an AP device around an access device; Receiving an access authentication request including card information of a user read by the access device; Determining an authentication result of the MFA including card authentication for determining whether the card information requested for authentication is registered card information and terminal authentication for determining whether the terminal information of the received card information is the collected terminal information; And controlling the access permission of the user by transmitting control information having a successful authentication result to the access device.
  • the present invention has an advantage of improving the security of access management by granting access to a user only when both card authentication and terminal authentication are successful based on MFA.
  • FIG. 1 is a schematic structural diagram of a system according to an embodiment of the present invention.
  • FIG. 2 is a schematic internal configuration diagram of the control server of FIG. 1.
  • FIG. 3 is a signal flow diagram of an MFA authentication process according to an embodiment of the present invention.
  • FIG. 4 is an exemplary diagram of location information based on Received Signal Strength Identification (RSSI) according to another embodiment of the present invention.
  • FIG. 5 is an exemplary diagram in which location information of a unit area of FIG. 4 is stored.
  • FIG. 6 is an exemplary diagram of a control server collecting RSSI based location information of FIG. 4.
  • FIG. 7 is a signal flow diagram of an MFA authentication process according to another embodiment of the present invention.
  • FIG. 1 is a schematic structural diagram of a system 100 according to an embodiment of the present invention.
  • the system 100 is configured to include a user terminal 110 from which terminal information is collected, an access card 111 from which card information is read, an AP device 130 for receiving the terminal information of the user terminal 110, a control server 150 for MFA authentication of the user's access based on the terminal information and the card information, and an access device 170 that reads the card information of the access card 111, requests access authentication from the control server 150, and permits or disallows the user's access according to the MFA authentication result received from the control server 150.
  • the user terminal 110 includes a smart terminal (eg, a smart phone) that receives a wireless communication service through the AP device 130.
  • the user terminal 110 may receive respective wireless signals from a plurality of AP devices 130 installed in the vicinity. When each wireless signal is received, the user terminal 110 selects the primary AP device 130 to receive a wireless communication service.
  • the user terminal 110 receives a wireless signal based on beacon communication and Wi-Fi communication from the AP device 130, and transmits terminal information such as a MAC address, USIM identification information, IMSI, etc. to the AP device 130 as the response to the received wireless signal in order to receive a wireless communication service.
  • the terminal information is not particularly limited as long as it includes information uniquely identifying the user terminal 110.
  • the user terminal 110 should have a communication function for receiving a radio signal and a response of the terminal information.
  • the user terminal 110 is configured to always search for nearby AP devices 130. That is, the "Always search allowed" function (for example, Android version 4.3 (SDK 18) or more) is set for the Wi-Fi reception function of the user terminal 110. Then, the user terminal 110 may scan the surrounding AP devices 130 even when the Wi-Fi receiving function is turned off.
  • when the user terminal 110 is a smart phone on which the "Always search" function is set, the smart phone automatically activates the Wi-Fi function when a specific SSID is scanned, as a background function supported by the Android OS.
  • the smart phone monitors the SSID transmitted from the AP device 130 or the base station, and activates the Wi-Fi function when the specific SSID transmitted by the AP device 130 around the access device 170 is scanned.
  • the AP device 130 may receive the terminal information of the smart phone and transmit it to the control server 150 in the process of processing the SSID-based connection from the smart phone. Then, the control server 150 may collect the terminal information of the smart phone in proximity to the access device 170 through the AP device 130.
  • a plurality of AP devices 130 are installed in the peripheral area where the access device 170 is located; each transmits the wireless signal to the surrounding user terminals 110, establishes a wireless communication service, and provides a wireless Internet service.
  • the AP device 130 receives terminal information from the user terminal 110 that has received the transmitted radio signal (1), and transmits the received terminal information to the control server 150 for MFA authentication (2).
  • the access card 111 is a card (for example, an RF card) possessed by the user for access authentication, and stores a card ID such as RFID in an internal storage. Various communication methods may be applied to the access card 111 for the transmission of the card ID, which is not necessarily limited to RF communication.
  • the user terminal 110 stores the card information of the mobile card, and the card information can be sent through various communication methods (eg, Wi-Fi, Bluetooth, NFC, etc.) supported by the user terminal 110.
  • the access device 170 is configured to include a reader 171, a controller 173 and a gate 175 to permit and disallow the user's access according to the authentication process. Assuming that the access device 170 is installed in the office, the user enters the office area through the access device 170 in the external area. In addition, the user passes through the access device 170 in the office area and exits to the outside area.
  • the control server 150 is an apparatus for controlling access to a user by performing authentication processing based on the card information and the terminal information of the present invention.
  • the control server 150 performs wired and wireless communication with the AP device 130 and the access device 170 to provide an access control service.
  • a user uses the access control service using an RF access card 111 made of a plastic material.
  • the user tags the access card 111 to the reader 171, and the reader 171 reads card information including the RFID of the access card 111 (2).
  • the controller 173 receives the card information of the RFID from the reader 171 and transmits the card information of the RFID to the control server 150 to request access authentication of the user (5).
  • the control server 150 receives the request for access authentication, and if the received RFID matches the pre-stored RFID, it determines that the card authentication is successful. If the card authentication is successful, the control server 150 inquires the terminal information pre-stored for the RFID, and if the inquired terminal information matches the terminal information received from the AP device 130, the control server 150 determines that the terminal authentication is successful. MFA authentication includes the card authentication and the terminal authentication. If both the card authentication and the terminal authentication are successful, the control server 150 determines that the MFA authentication is successful, and transmits to the controller 173 an authentication result carrying control information that allows the user's access (6). That is, MFA authentication confirms whether the user of the received RFID is the user of the collected terminal information. If either the card authentication or the terminal authentication fails, the control server 150 transmits to the controller 173 an authentication result carrying control information that does not allow the user's access.
  • the controller 173 receives the authentication result from the control server 150 and controls the opening / closing operation of the gate 175 according to the received authentication result (7).
  • the controller 173 controls the operation of the gate 175 such that the user is not allowed to enter or exit.
  • the gate 175 permits or disallows the user's access by an operation such as screen output, voice output, and access bar blocking according to the opening / closing control received from the controller 173.
  • FIG. 2 is a schematic internal configuration diagram of the control server 150 of FIG. 1.
  • the control server 150 may include a memory, a memory controller, one or more processors (CPUs), peripheral interfaces, input / output (I / O) subsystems, display devices, input devices, and communication circuits.
  • the memory may include fast random access memory, and may also include one or more magnetic disk storage devices, nonvolatile memory such as flash memory devices, or other nonvolatile semiconductor memory devices. Access to memory by other components such as processors and peripheral interfaces may be controlled by the memory controller.
  • the memory may store various information and program instructions, and the program is executed by the processor.
  • the peripheral interface connects an input / output peripheral of the control server 150 with a processor and a memory.
  • One or more processors execute various instruction sets stored in various software programs and / or memories to perform various functions for the control server 150 and to process data.
  • I / O subsystems provide an interface between input and output peripherals, such as display devices and input devices, and peripheral interfaces.
  • the display device may use liquid crystal display (LCD) technology or light emitting polymer display (LPD) technology.
  • the processor is configured to perform operations associated with the control server 150 and to execute instructions; for example, using instructions retrieved from a memory, it can control the reception and manipulation of input and output data between components of the control server 150.
  • the communication circuit performs communication via an external port or communication by an RF signal.
  • the communication circuit converts an electrical signal into an RF signal and vice versa and can communicate with the communication network, other mobile gateway devices and communication devices through the RF signal.
  • the control server 150 includes a terminal information collecting unit 251, a card information receiving unit 253, a determining unit 255, a control unit 257, and a DB 259. Such components may be implemented in software, stored in memory, executed by a processor, or may be implemented in a combination of software and hardware.
  • the terminal information collecting unit 251 collects terminal information of the user terminal 110 through the AP device 130 around the access device 170.
  • a user having the user terminal 110 enters a predetermined area from the access device 170 and the user terminal 110 is in the area of the access device 170.
  • the AP device 130 around the access device 170 periodically transmits a wireless signal of a Wi-Fi or beacon frame to the user terminals 110 in the communication coverage area.
  • the communication coverage area corresponds to an area where the access device 170 is located.
  • the user terminal 110 receives the transmitted radio signal and responds with the terminal information to the AP device 130.
  • the AP device 130 transmits the terminal information replied to the terminal information collection unit 251. Then, the terminal information collecting unit 251 collects terminal information through the AP device 130.
  • the card information receiver 253 receives from the controller 173 a request for access authentication including card information of an access card 111 tagged by a user who enters and exits through the access device 170.
  • the card information received by the request for access authentication may include a card ID (eg, RFID), classification of entry or exit, information of an entrance gate, and the like.
  • the determination unit 255 queries the DB 259 to process the MFA authentication including card authentication and terminal authentication.
  • the DB 259 stores a card ID (eg, RFID) of the access card 111 of each user whose access registration is completed, and terminal identification information (eg, MAC address, USIM information, etc.) of the user terminal 110 matched to the card ID.
  • the DB 259 is composed of a plurality of DBs 259 according to the stored information.
  • the determination unit 255 inquires the matching card ID and the matched terminal identification information from the DB 259 using the card ID requested for authentication as a key.
  • the determination unit 255 determines that authentication is requested with a valid access card 111 and processes the card authentication as a success.
  • the determination unit 255 compares whether the terminal identification information inquired from the DB 259 matches the terminal information recently received by the terminal information collection unit 251. When it is determined that matching terminal information is received, the determination unit 255 determines that the user having the user terminal 110 has requested access authentication in the area of the access device 170 and processes the terminal authentication as success. If both card authentication and terminal authentication succeed, the MFA-based authentication is treated as a success.
  • the control unit 257 transmits the control information according to the MFA-based authentication result to the access device 170 to control the access of the user. If the MFA authentication is successful, control information allowing the user's access is transmitted to the access device 170. Of course, if the MFA authentication fails, control information disallowing the user's access is transmitted to the access device 170.
  • FIG. 3 is a signal flow diagram of an MFA authentication process according to an embodiment of the present invention.
  • the control server 150 receives the information of the user terminal 110 of the user who enters and exits through the access device 170 and registers in the DB 259.
  • the user terminal 110 requests the authentication of the terminal registration by connecting to the control server 150 and transmits the terminal information (S301).
  • the control server 150 may be accompanied by login authentication of the ID and password received from the user terminal 110, and if the authentication is successful, the control server 150 may register the received terminal information in the DB 259.
  • the control server 150 responds to the user terminal 110 with the registration authentication result (S303).
  • the control server 150 may provide an access authentication service.
  • Each AP device 130 of the access device 170 transmits a radio signal to the user terminal 110 located within the coverage of the wireless communication. Then, the user terminal 110 receives the transmitted radio signal to scan the AP device (130) (S311).
  • the user terminal 110 responds with its terminal information to the AP device 130 selected as the primary device (S313). Then, the AP device 130 transmits the terminal information it received in response to the control server 150, and the control server 150 collects the terminal information through the AP device 130 (S315).
  • the access device 170 reads card information of the tagged access card 111 (S321).
  • the control server 150 receives a request for access authentication including the card information from the access device 170 (S323).
  • the control server 150 processes the card authentication for the card information requested for authentication, and performs terminal authentication on the terminal information corresponding to the card information to perform MFA authentication (S325).
  • the control server 150 transmits the control information according to the authentication result to the access device 170 (S327).
  • FIG. 4 is an exemplary diagram of location information based on Received Signal Strength Identification (RSSI) according to another embodiment of the present invention.
  • each AP device 430 around the access device 470 receives the terminal information further including the location information of the user terminal 110, and sends the received terminal information to the control server 150.
  • the neighboring area where the access device 470 is located is divided into a plurality of grid areas and divided into unit areas 401.
  • Each divided unit area 401 is provided with an AP device 430 to receive a wireless signal from a plurality of AP devices 430.
  • since the strength (eg, RSSI) of each radio signal received from the plurality of neighboring AP devices 430 is unique to each unit area 401, it may be used as location information identifying the unit area.
  • RSS: Received Signal Strength
  • the measured RSS values are averaged and stored in the DB 259 as unique location information identifying the unit area 401.
  • the location information of each unit area 401 stored in the DB 259 corresponds to a score map of RSS values.
  • the control server 150 receives the terminal information including the location information of the user terminal 110 through the AP device 430 and inquires the location information stored in the DB 259 using the received location information as a key. The unit area of the location information inquired as matching is the unit area where the user terminal 110 is located, and the location of the user is thereby identified.
  • a user moving from unit area 5 or 8, which is an external area, to unit area 4 or 7, which is an office area, is entering the office. Also, a user moving from the office area of unit area 4 or 7 to the external area of unit area 5 or 8 is exiting the office.
  • the control server 150 stores unit areas 5 and 8 in the DB 259 as the location information of the access device 470 for valid authentication of entrance, and stores unit areas 4 and 7 in the DB 259 for valid authentication of exit.
  • the control server 150 receives an authentication request for entrance to the office from the access device 470 and, on confirming through the DB 259 that the corresponding user terminal 110 is located in unit area 5 or 8, allows the entry.
  • the control server 150 receives an authentication request for exit from the office from the access device 470 and, if the corresponding user terminal 110 is determined to be located in unit area 4 or 7, permits the exit of the user.
  • the control server 150 checks the unit area where the user terminal 110 is located from the terminal information collected from the user terminal 110 of the user whose card authentication is successful. If the unit area where the user terminal 110 is located is confirmed to be a unit area in which the access device 470 is installed, it is determined that the user has requested access authentication in a valid unit area, and MFA authentication is processed as success.
  • the control server 150 stores a valid movement path in the DB 259 for the unit areas 4, 5, 7, and 8 where the access device 470 is located. For example, five valid travel paths for positioning in the unit region 5 are 2-> 5, 3-> 5, 6-> 5, 9-> 5 and 8-> 5.
  • the control server 150 is a movement path of the terminal information collected through the AP device 430 from any one of five movement paths stored in the DB 259 for the five unit area where the user terminal 110 is currently located. If confirmed, it is processed as a successful MFA authentication to permit the user's entry.
  • FIG. 5 is an exemplary diagram in which location information of the unit area 401 of FIG. 4 is stored.
  • For the location coordinates 501 of each unit region 401, the location information consists of a vector value 503 of the RSSI received from the four AP devices 430 (a, b, c, and d) and an error range 505 for each vector value, stored in the DB 259 as table information.
  • The location information for each unit region 401 is not necessarily limited to the vector value and the error range.
  • Various signal pattern information based on the RSSI signal may serve as the location information of the unit region 401.
  • The signal strength received from each AP device 430 may be converted into fingerprint information of the unit region 401 by a set conversion scheme and stored in the DB 259.
  • FIG. 6 is an exemplary diagram of a control server 450 collecting RSSI based location information of FIG. 4.
  • Each AP device 430 installed in the access area including the unit areas 401 periodically transmits a radio signal (e.g., a beacon frame) to announce the operation information and coverage of the AP.
  • a radio signal (e.g., a beacon frame)
  • A beacon frame is received from each AP device 430 at every transmission interval (for example, 100 ms), and RSSI-based location information and terminal identification information according to the received signal strength are received.
  • The terminal information is transmitted to the AP device 430.
  • The application 610 may be installed on the user terminal 410 to generate the RSSI-based location information and provide it to the AP device 430.
  • The application 610 executed on the user terminal 410 transmits terminal information including terminal identification information and RSSI information to the AP device 430.
  • The terminal information collection unit 251 of the control server 450 collects the terminal information including the location information of the user terminal 410 through the AP device 430.
  • The determination unit 255 processes card authentication and then processes terminal authentication for the user whose card authentication succeeded. During terminal authentication, the determination unit 255 uses the collected location information and determines that terminal authentication succeeds if the unit area where the user terminal 410 is located is the unit area where the access device 470 is located. If both card authentication and terminal authentication succeed, MFA authentication is treated as a success.
  • FIG. 7 is a signal flow diagram of an MFA authentication process according to another embodiment of the present invention.
  • A plurality of AP devices 430 are installed in the peripheral area of the access device 470 so that a plurality of AP signals are received in each unit area 401.
  • The AP signal may be a beacon frame based on beacon communication or an SSID based on Wi-Fi communication, depending on the service method, and there is no particular limitation.
  • RSSI-based signal strengths received from neighboring AP devices 430 are measured for each unit area 401, and the measured information is pre-stored in the DB 259 as RSSI-based location information for each unit area 401.
  • The plurality of AP devices 430 transmit a wireless signal to the surrounding user terminals 410 in the peripheral area of the access device 470 (S701).
  • The user terminal 410 receives radio signals such as beacon frames and SSIDs from the plurality of AP devices 430.
  • The user terminal 410 transmits terminal information including terminal identification information and RSSI-based location information to the AP device 430 (S703), and the AP device 430 transmits the terminal information to the control server 450.
  • The control server 450 collects the terminal information including the location information of the user terminal 410 through the AP device 430.
  • The access device 470 reads the card information including the card ID and transmits it to the control server 450 (S707).
  • The control server 450 performs MFA authentication including card authentication and terminal authentication (S709).
  • The control server 450 queries the DB 259 using the received card ID as a key.
  • If a match is found, the control server 450 determines that the access user is a registered user and processes the card authentication as a success.
  • The control server 450 compares the location information in the terminal information collected for the terminal identification information of the user whose card authentication succeeded with the unit area 401 of the access device 470 retrieved from the DB 259. If they match, the terminal is determined to be located in a valid unit area and the terminal authentication succeeds. If both the card authentication and the terminal authentication succeed, the control server 450 processes the MFA authentication as a success.
  • The control server 450 transmits the control information according to the MFA authentication result to the access device 470 (S711).
  • The access device 470 permits or denies access of the user according to the transmitted control information.
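
The decision described above (card lookup, RSSI fingerprint match within the stored error range, valid unit area, optional movement path) can be sketched as follows. This is an added example, not code from the patent or its applicant; the card and terminal identifiers, the RSSI values, and the function and table names are all constructed assumptions, and only the area numbers and the paths into unit area 5 come from the description.

```python
# Added illustration, not from the patent; identifiers and RSSI values are constructed.
# FIG. 5 style table: unit area -> (RSSI vector from APs a,b,c,d in dBm, error range per AP)
FINGERPRINTS = {
    2: ((-48, -71, -60, -80), (4, 4, 4, 4)),
    4: ((-62, -50, -75, -66), (4, 4, 4, 4)),
    5: ((-55, -63, -58, -70), (4, 4, 4, 4)),
    8: ((-70, -68, -49, -57), (4, 4, 4, 4)),
}
VALID_AREAS = {"entry": {5, 8}, "exit": {4, 7}}   # areas stored for the access device
VALID_PATHS = {5: {2, 3, 6, 9, 8}}                # previous areas allowed before area 5
CARDS = {"CARD-0001": "TERM-AAAA"}                # registered card ID -> terminal ID


def locate(rssi):
    """Return the single unit area whose stored vector matches within the
    error range on every AP; None if nothing or more than one area matches."""
    hits = [area for area, (vec, err) in FINGERPRINTS.items()
            if len(rssi) == len(vec)
            and all(abs(r - v) <= e for r, v, e in zip(rssi, vec, err))]
    return hits[0] if len(hits) == 1 else None


def mfa(card_id, direction, reports, check_path=False):
    """Card authentication, then terminal authentication by location.
    reports maps terminal ID -> RSSI vectors collected via the APs, oldest first."""
    terminal = CARDS.get(card_id)
    if terminal is None:
        return False, "card not registered"
    valid = VALID_AREAS.get(direction)
    if valid is None:
        return False, "unknown direction"
    track = [locate(v) for v in reports.get(terminal, [])]
    if not track or track[-1] is None:
        return False, "terminal not located"
    here = track[-1]
    if here not in valid:
        return False, f"terminal in area {here}, not a valid area for {direction}"
    if check_path:  # only area 5 has paths listed in the description
        prev = next((a for a in reversed(track[:-1]) if a != here), None)
        if prev not in VALID_PATHS.get(here, set()):
            return False, f"path {prev}->{here} not registered"
    return True, "MFA success"


if __name__ == "__main__":
    walk = {"TERM-AAAA": [(-48, -70, -61, -79), (-56, -62, -57, -71)]}  # area 2 then 5
    print(mfa("CARD-0001", "entry", walk, check_path=True))
    away = {"TERM-AAAA": [(-62, -51, -74, -66)]}                        # area 4 only
    print(mfa("CARD-0001", "entry", away))
```

Every branch that cannot place the registered terminal in a valid unit area returns a denial, so a valid card presented without its terminal nearby does not open the door.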

Abstract

The invention relates to an access control apparatus, system and method that permit access for a user who is successfully authenticated on the basis of card information and terminal information. The apparatus of the present invention comprises: a collection unit for collecting terminal information of a user terminal, which is received by an access point (AP) device located around an access device; a reception unit for receiving an access authentication request including card information of a user read by the access device; a determination unit for determining the result of a multi-factor authentication (MFA), which comprises a card authentication that determines whether the card information for which authentication is requested matches registered card information, and a terminal authentication that determines whether terminal information contained in the received card information matches the terminal information collected by the collection unit; and a control unit for performing control so as to permit the user's access by sending, to the access device, control information indicating that authentication has succeeded as a result of the determination.
PCT/KR2017/005072 2016-05-16 2017-05-16 Apparatus, system and method for access control based on card information and terminal information WO2017200273A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR20160059832 2016-05-16
KR10-2016-0059832 2016-05-16

Publications (1)

Publication Number Publication Date
WO2017200273A1 true WO2017200273A1 (fr) 2017-11-23

Family

ID=60325188

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2017/005072 WO2017200273A1 (fr) 2016-05-16 2017-05-16 Apparatus, system and method for access control based on card information and terminal information

Country Status (2)

Country Link
KR (1) KR101981604B1 (fr)
WO (1) WO2017200273A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113129810A (zh) * 2020-01-15 2021-07-16 西安诺瓦星云科技股份有限公司 Interface matching detection method and system

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102097868B1 (ko) 2018-06-15 2020-04-06 주식회사 에스원 MDM control method, access control method using MDM, and system therefor
KR102612063B1 (ko) * 2023-09-15 2023-12-08 주식회사 스피드정보 Access control method, apparatus and system using indoor positioning

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
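KR20010007874A (ko) * 2000-10-13 2001-02-05 최형선 Access control system using fingerprint recognition and face recognition, and method thereof
JP2008217598A (ja) * 2007-03-06 2008-09-18 Ntt Docomo Inc Room entry management system, room entry management server, and room entry management method
JP2011076520A (ja) * 2009-10-01 2011-04-14 Nec Corp Entrance management system, entrance management method, and entrance management control program
KR20150003549A (ko) * 2013-07-01 2015-01-09 포컬쳐주식회사 Unmanned gate system for access management
KR20160014295A (ko) * 2014-07-29 2016-02-11 현대자동차주식회사 Vehicle access control system and control method thereof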

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
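KR101303810B1 (ko) * 2011-11-03 2013-09-04 주식회사 유니온커뮤니티 Method for controlling an access manager using a mobile phone, and the access manager
KR101329520B1 (ko) 2011-12-08 2013-11-20 포항공과대학교 산학협력단 Apparatus for access authentication and location authentication of a smart device through sequential wireless authentication, and access authentication and location authentication method using the same
KR101491706B1 (ko) * 2014-09-15 2015-02-11 박준희 Method for providing an app-based access control service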

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113129810A (zh) * 2020-01-15 2021-07-16 西安诺瓦星云科技股份有限公司 Interface matching detection method and system
CN113129810B (zh) * 2020-01-15 2022-06-17 西安诺瓦星云科技股份有限公司 Interface matching detection method and system

Also Published As

Publication number Publication date
KR101981604B1 (ko) 2019-05-23
KR20170129068A (ko) 2017-11-24

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17799630

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 12/03/2019)

122 Ep: pct application non-entry in european phase

Ref document number: 17799630

Country of ref document: EP

Kind code of ref document: A1