Technical Field
The present invention relates to the field of wireless communication security, and more specifically to a portable access terminal device and to a WiFi access authentication method and apparatus.
Background
In wireless communication, and in particular in computer-related wireless communication, the security of WiFi technology derived from the IEEE 802.11 protocol family receives ever more attention. Depending on the capabilities of the WiFi chip and on operating-system support, WiFi communication can operate in several modes, such as Managed, AP, P2P Group Owner (GO) and P2P Client. Managed mode is the Station (STA) mode, used to join a WiFi node operating in AP mode. Similarly, a P2P GO builds a communication group for other WiFi devices in P2P mode so that the group's members can communicate with one another.
To communicate securely, authentication is normally required, except on the fully open networks that the WiFi specifications permit. There are many authentication modes, WEP and WPA among the common ones, and the level of security differs between them, but the principle is the same: verifying that the user's identity is legitimate. In the common scenario, a mobile device joins a WiFi access point (AP) as a WiFi station (STA); the AP requires the STA that wants to join to supply a password and verifies it. If the password check succeeds the STA is allowed to complete the join; otherwise the STA is refused.
Attacks on WiFi communication have become increasingly frequent, and this traditional form of authentication suffers as a result: WEP-based security is trivially broken, WPA-based security can in principle be broken with a password dictionary or other brute-force methods, and the growing number of rogue ("phishing") WiFi access points stretches traditional WiFi security thin. Moreover, a character-based password exists independently of any human characteristic, so passwords are also very commonly stolen by other means.
In view of this, improving the password authentication mechanism of WiFi networks helps improve the communication security of those networks.
Summary of the Invention
In view of at least one of the problems above, the present invention provides a WiFi access authentication method and a corresponding apparatus for gaining access to the communication network set up by a WiFi access point device.
Correspondingly, the present invention also provides a portable access terminal device for carrying out the aforementioned method or running the aforementioned apparatus.
Accordingly, the present invention adopts the technical solutions set out in the following aspects:
In a first aspect, the present invention provides a WiFi access authentication method comprising the following steps:
sending a connection-request management frame to the WiFi access point device to initiate an access request;
in response to an authentication-execution instruction returned in a management frame after that access request, starting an image acquisition unit to obtain facial feature data;
returning to the WiFi access point device a multicast frame or an authentication management frame containing that facial feature data, in answer to the authentication-execution instruction;
when the facial feature data has passed authentication and a management frame indicating successful authentication has been received, carrying out the association procedure specified by the WiFi protocol, thereby gaining access to the communication network set up by the WiFi access point device.
With reference to the first aspect, specifically, the step of initiating the access request to the WiFi access point device is performed in response to a user instruction.
In one embodiment of the first aspect, the access request is routed via the WiFi access point device to a control terminal device, and the authentication-execution instruction originates from that control terminal device and is routed back via the WiFi access point device.
In another embodiment of the first aspect, the access request is delivered to the WiFi access point device, and the authentication-execution instruction originates from the WiFi access point device itself.
With reference to the first aspect, specifically, in the step of starting the image acquisition unit to obtain facial feature data, a scanning interface is first activated to capture a face image, and the facial feature data is then extracted from the captured face image.
With reference to the first aspect, the facial feature data is returned in the form of a multicast signal in answer to the authentication-execution instruction.
Specifically, the facial feature data is carried in an editable field of a multicast frame of that multicast signal.
In one embodiment of the first aspect, whether the returned facial feature data has passed authentication is determined from authentication-result information, originated or routed by the WiFi access point device, that answers the returned facial feature data.
In another embodiment of the first aspect, whether the returned facial feature data has passed authentication is determined by obtaining from the WiFi access point device a management frame that allows or blocks access to the communication network.
As a further enhancement of the first aspect, when the authentication-result information indicates that the returned facial feature data failed authentication, a warning message is displayed on the user interface.
Preferably, in the first aspect, after access to the communication network set up by the WiFi access point device has been gained, a trusted connection to that WiFi access point device is established.
With reference to the first aspect, the present invention further comprises the following step:
counting the number of times the communication network was not successfully joined after an access request was initiated; when that count reaches a predetermined value, determining that the local device is in a state in which its access requests are being blocked, and, in response to a user instruction, initiating a recovery request that asks for its access requests to be allowed again.
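The four method steps above and the failure counter, run end to end as an added example. This is illustration code, not code from the patent: the frame names, the lockout threshold, the cosine-similarity matcher, the four-element feature vectors and the rule that the AP ignores feature frames it did not ask for are all assumptions. One caveat a practitioner should keep in view: the steps exchange the feature payload before association, and frames sent before association carry no link-layer protection, so the simulation below sends the vector in the clear exactly as the text describes, and protecting that payload in transit is a separate design task.

```python
"""Simulated STA / AP exchange for the face-based access authentication steps."""
import enum
from dataclasses import dataclass, field

class FrameType(enum.Enum):
    CONNECT_REQUEST = "connect_request"   # STA -> AP: connection-request management frame
    AUTH_EXECUTE = "auth_execute"         # AP -> STA: authentication-execution instruction
    FACE_FEATURES = "face_features"       # STA -> AP: multicast / authentication frame with features
    AUTH_RESULT = "auth_result"           # AP -> STA: management frame allowing or blocking access
    ASSOC_REQUEST = "assoc_request"       # STA -> AP: ordinary 802.11 association request
    ASSOC_RESPONSE = "assoc_response"     # AP -> STA: association response

@dataclass
class Frame:
    kind: FrameType
    src: str
    payload: dict = field(default_factory=dict)

MAX_FAILURES = 3         # assumed "predetermined value" for the failure counter
MATCH_THRESHOLD = 0.9    # assumed similarity needed for a template match

def cosine_similarity(a, b):
    """Similarity of two feature vectors; 1.0 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    na = sum(x * x for x in a) ** 0.5
    nb = sum(y * y for y in b) ** 0.5
    return dot / (na * nb) if na and nb else 0.0

class ControlDevice:
    """Holds the feature library and answers the AP's verification queries."""
    def __init__(self, library):
        self.library = library   # user name -> enrolled feature vector

    def verify(self, features):
        return any(cosine_similarity(features, t) >= MATCH_THRESHOLD
                   for t in self.library.values())

class AccessPoint:
    """AP that routes feature checks to a verifier (itself or a control device)."""
    def __init__(self, verifier):
        self.verifier = verifier
        self.pending = set()         # STAs sent AUTH_EXECUTE that still owe an answer
        self.authenticated = set()
        self.associated = set()

    def handle(self, frame):
        if frame.kind is FrameType.CONNECT_REQUEST:
            self.pending.add(frame.src)
            return Frame(FrameType.AUTH_EXECUTE, "ap")
        if frame.kind is FrameType.FACE_FEATURES:
            # Assumed hardening: only features answering an outstanding instruction count
            if frame.src not in self.pending:
                return Frame(FrameType.AUTH_RESULT, "ap", {"allowed": False, "reason": "unsolicited"})
            self.pending.discard(frame.src)
            ok = self.verifier.verify(frame.payload["features"])
            if ok:
                self.authenticated.add(frame.src)
            return Frame(FrameType.AUTH_RESULT, "ap", {"allowed": ok})
        if frame.kind is FrameType.ASSOC_REQUEST:
            # The protocol-standard association is honoured only after a passed face check
            ok = frame.src in self.authenticated
            if ok:
                self.associated.add(frame.src)
            return Frame(FrameType.ASSOC_RESPONSE, "ap", {"associated": ok})
        raise ValueError(f"unexpected frame {frame.kind}")

class Station:
    """Portable access terminal: requests access, captures features, then associates."""
    def __init__(self, name, capture):
        self.name = name
        self.capture = capture   # stands in for the image acquisition unit
        self.failures = 0
        self.blocked = False
        self.connected = False

    def join(self, ap):
        if self.blocked:         # requests are being blocked; a recovery request is needed
            return False
        reply = ap.handle(Frame(FrameType.CONNECT_REQUEST, self.name))
        if reply.kind is not FrameType.AUTH_EXECUTE:
            return False
        result = ap.handle(Frame(FrameType.FACE_FEATURES, self.name, {"features": self.capture()}))
        if not result.payload["allowed"]:
            self.failures += 1
            self.blocked = self.failures >= MAX_FAILURES
            return False
        assoc = ap.handle(Frame(FrameType.ASSOC_REQUEST, self.name))
        self.connected = assoc.payload["associated"]
        return self.connected

# Constructed feature vectors (real extractors produce hundreds of dimensions)
ENROLLED = [0.9, 0.1, 0.4, 0.8]       # template held in the feature library
GENUINE = [0.88, 0.12, 0.41, 0.79]    # live capture of the enrolled face
IMPOSTOR = [0.1, 0.9, 0.2, 0.1]       # live capture of a different face

def run_demo():
    ap = AccessPoint(ControlDevice({"alice": ENROLLED}))
    alice = Station("sta-alice", lambda: GENUINE)
    mallory = Station("sta-mallory", lambda: IMPOSTOR)
    alice_ok = alice.join(ap)
    mallory_attempts = [mallory.join(ap) for _ in range(MAX_FAILURES + 1)]
    return {"alice_connected": alice_ok,
            "mallory_attempts": mallory_attempts,
            "mallory_blocked": mallory.blocked}

if __name__ == "__main__":
    print(run_demo())
```

The `pending` set is the check worth copying into a real implementation: without it an AP would evaluate any feature frame that arrives, which lets a sender skip the connection request entirely. The lockout is tracked on the station side because the text describes the station inferring that it is blocked from its own failure count; an AP would keep its own counter as well.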
In a second aspect, the present invention provides a WiFi access authentication apparatus comprising:
a request unit configured to send a connection-request management frame to the WiFi access point device to initiate an access request;
an image unit configured to start an image acquisition unit to obtain facial feature data, in response to an authentication-execution instruction returned in a management frame after that access request;
a response unit configured to return to the WiFi access point device a multicast frame or an authentication management frame containing that facial feature data, in answer to the authentication-execution instruction;
an access unit configured to carry out the association procedure specified by the WiFi protocol once the facial feature data has passed authentication and a management frame indicating successful authentication has been received, thereby gaining access to the communication network set up by the WiFi access point device.
With reference to the second aspect, specifically, the request unit is configured to initiate the access request to the WiFi access point device in response to a user instruction.
In one embodiment of the second aspect, the access request is routed via the WiFi access point device to a control terminal device, and the authentication-execution instruction originates from that control terminal device and is routed back via the WiFi access point device.
In another embodiment of the second aspect, the access request is delivered to the WiFi access point device, and the authentication-execution instruction originates from the WiFi access point device itself.
With reference to the second aspect, specifically, the image unit is configured to first activate a scanning interface to capture a face image and then extract the facial feature data from the captured face image.
With reference to the second aspect, the response unit is configured to return the facial feature data in the form of a multicast signal in answer to the authentication-execution instruction.
Specifically, the facial feature data is carried in an editable field of a multicast frame of that multicast signal.
In one embodiment of the second aspect, the access unit is configured to determine whether the returned facial feature data has passed authentication from authentication-result information, originated or routed by the WiFi access point device, that answers the returned facial feature data.
In another embodiment of the second aspect, the access unit is configured to determine whether the returned facial feature data has passed authentication by obtaining from the WiFi access point device a management frame that allows or blocks access to the communication network.
As a further enhancement of the second aspect, the access unit is configured to display a warning message on the user interface when the authentication-result information indicates that the returned facial feature data failed authentication.
Preferably, in the second aspect, the access unit is configured to establish a trusted connection to the WiFi access point device after access to the communication network set up by that device has been gained.
With reference to the second aspect, the present invention further comprises:
a recovery unit configured to count the number of times the communication network was not successfully joined after an access request was initiated and, when that count reaches a predetermined value, to determine that the local device is in a state in which its access requests are being blocked and, in response to a user instruction, to initiate a recovery request that asks for its access requests to be allowed again.
In one embodiment of a third aspect, the present invention provides a portable access terminal device comprising:
a WiFi (wireless fidelity) module for communicating over the network;
a touch-sensitive display for presenting the user interface and providing human-computer interaction;
one or more processors;
a memory;
one or more application programs, stored in the memory and configured to be executed by the one or more processors;
the one or more programs driving the one or more processors to form an apparatus that carries out any embodiment of the method of the first aspect above.
In another embodiment of the third aspect, the present invention provides a portable access terminal device comprising:
a WiFi (wireless fidelity) module for communicating over the network;
a touch-sensitive display for presenting the user interface and providing human-computer interaction;
one or more processors;
a memory;
one or more application programs, stored in the memory and configured to be executed by the one or more processors;
the one or more programs driving the one or more processors to form the apparatus realized by any embodiment of the second aspect above.
In one possible design, the structure of the portable control terminal device includes a processor and a memory; the memory stores a program that enables the transceiver apparatus to perform the method above, and the processor is configured to execute the program stored in the memory. The portable control terminal device may further include a communication interface through which it communicates with other devices or with a communication network.
In a further aspect, an embodiment of the present invention provides a computer storage medium storing computer software instructions for the portable control terminal device described above, containing the program designed for that portable control terminal device, or containing the program designed to perform the method or apparatus described above.
Compared with the prior art, the solution provided by the present invention lets users enjoy its beneficial effects through a portable control terminal device. These effects show up for each party that takes part in the communication network set up by the WiFi access point device: 1. For the portable control terminal device: it receives, from the WiFi access point device, the facial feature data sent to gain access to that device's communication network, verifies the identity represented by that data, and returns authentication-result information to the WiFi access point device saying whether verification succeeded. In effect the portable control terminal device takes over the authentication function that the WiFi access point device used to perform, or at least strengthens it (in principle the WiFi access point device may retain its existing authentication and add facial-feature authentication on top). It follows that, first, once the authentication function of the WiFi access point device has been moved to the portable control terminal device, that device's rich programming capability and friendlier user interface make authentication management of the WiFi access point device more convenient and efficient than having an administrator log in to the access point's web page to configure it; second, this takeover makes verification based on human characteristics possible, facial features in particular, which involve a comparatively large amount of data to transmit, so the WiFi access point device can stay lean while a stronger and more secure authentication function is realized through the portable control terminal; and third, the portable control terminal device can reach the Internet more conveniently by other means and can work with a cloud server to store, and manage at a higher level, the data involved in authentication, such as facial feature data, which serves user security management more thoroughly.
2. For the WiFi access point device: it responds to the access request of the access terminal device and, as appropriate, sends the access terminal device an authentication-execution instruction to answer, thereby obtaining the facial feature data the access terminal device returns; on that basis it submits the access terminal device's facial feature data to the portable control terminal device for authentication and, according to the result, allows or blocks the access terminal device's request to join the network it has set up. Because the connection between the WiFi access point device and the control terminal device is trusted, the former's authentication function can be at least partly transferred to the latter, saving system overhead on the former while the latter carries out security management. The control terminal device, having stronger hardware support and system functions of its own, can effectively verify the access terminal device's authentication process. Communication between the control terminal device and the access terminal device is routed through the WiFi access point device, which keeps the two in contact. In theory the WiFi access point device could therefore drop its traditional password-based authentication, saving hardware cost, and delegate authentication entirely to the control terminal device; it may nevertheless retain the traditional function, and one option is to dedicate that traditional authentication to establishing the trusted connection between the WiFi access point device and the control terminal device.
3. For the portable access terminal device: it initiates, in some manner, an access request to the communication network set up by the WiFi access point device; when the WiFi access point device receives that request it returns an authentication-execution instruction, which causes the access terminal device to start its image acquisition unit and obtain facial feature data; the facial feature data is handed to the WiFi access point device, which routes it to the control terminal device; and the result of authenticating that facial feature data finally determines whether the access terminal device has successfully joined the communication network. The authentication logic of an access terminal device joining the network therefore differs from the traditional approach: through a better interaction, the user's face image is captured directly, facial feature data is extracted from it, and that data authenticates the process of joining the network. Compared with typing a password this simplifies user operation and can further improve efficiency. Moreover, once the access terminal device no longer has to enter a password by hand, phishing software or other eavesdropping software can no longer covertly capture the password-entry process, which raises the security margin when the access terminal device joins the communication network.
In summary, implementing the present invention means that every party in the WiFi communication network, namely the access terminal device, the control terminal device and the WiFi access point device, embodies a technical improvement over traditional technology; the authentication method of the WiFi communication network changes, which strengthens network security, improves authentication efficiency and improves the user experience.
These and other aspects of the present invention will be more readily understood from the description of the embodiments below.
Brief Description of the Drawings
To explain the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a functional block diagram of a network system built from the portable control terminal device, the portable access terminal device and the WiFi access point device of the present invention;
Fig. 2 is a flowchart of one embodiment of the WiFi access remote authentication method of the present invention;
Fig. 3 is a flowchart of one embodiment of the WiFi access authentication method of the present invention;
Fig. 4 is a flowchart of one embodiment of the WiFi access authentication control method of the present invention;
Fig. 5 is a flowchart of another embodiment of the WiFi access remote authentication method of the present invention;
Fig. 6 is a flowchart of a further embodiment of the WiFi access remote authentication method of the present invention;
Fig. 7 is a flowchart of yet another embodiment of the WiFi access remote authentication method of the present invention;
Fig. 8 is a flowchart of another embodiment of the WiFi access authentication method of the present invention;
Fig. 9 is a flowchart of another embodiment of the WiFi access authentication control method of the present invention;
Fig. 10 is a flowchart of yet another embodiment of the WiFi access authentication control method of the present invention;
Fig. 11 is a flowchart of another embodiment of the WiFi access authentication control method of the present invention;
Fig. 12 is a flowchart of a further embodiment of the WiFi access authentication control method of the present invention;
Fig. 13 is a flowchart of yet another embodiment of the WiFi access authentication control method of the present invention;
Fig. 14 is a schematic diagram of one embodiment of the WiFi access remote authentication apparatus of the present invention;
Fig. 15 is a schematic diagram of another embodiment of the WiFi access remote authentication apparatus of the present invention;
Fig. 16 is a schematic diagram of another embodiment of the WiFi access remote authentication apparatus of the present invention;
Fig. 17 is a schematic diagram of another embodiment of the WiFi access remote authentication apparatus of the present invention;
Fig. 18 is a schematic diagram of a further embodiment of the WiFi access remote authentication apparatus of the present invention;
Fig. 19 is a schematic diagram of one embodiment of the WiFi access authentication apparatus of the present invention;
Fig. 20 is a schematic diagram of another embodiment of the WiFi access authentication apparatus of the present invention;
Fig. 21 is a schematic diagram of one embodiment of the WiFi access authentication control apparatus of the present invention;
Fig. 22 is a schematic diagram of another embodiment of the WiFi access authentication control apparatus of the present invention;
Fig. 23 is a schematic diagram of another embodiment of the WiFi access authentication control apparatus of the present invention;
Fig. 24 is a schematic diagram of another embodiment of the WiFi access authentication control apparatus of the present invention;
Fig. 25 is a schematic diagram of another embodiment of the WiFi access authentication control apparatus of the present invention;
Fig. 26 is a schematic diagram of a further embodiment of the WiFi access authentication control apparatus of the present invention;
Fig. 27 is a schematic diagram of a structure applicable to the portable control terminal device, the portable access terminal device and the WiFi access point device of the present invention.
Detailed Description
To help those skilled in the art better understand the solution of the present invention, the technical solutions in its embodiments are described clearly and completely below with reference to the drawings of those embodiments.
Some of the procedures described in the specification, the claims and the drawings above contain a number of operations that appear in a particular order, but it should be clearly understood that these operations need not be performed in the order in which they appear here and may be performed in parallel; operation numbers such as 101 and 102 merely distinguish the operations from one another and do not by themselves denote any execution order. These procedures may also contain more or fewer operations, performed sequentially or in parallel. Note that terms such as "first" and "second" here distinguish different messages, devices, modules and so on; they do not denote order, nor do they require that a "first" and a "second" item be of different types.
The technical solutions in the embodiments of the present invention are described below clearly and completely with reference to the drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that those skilled in the art obtain from these embodiments without creative effort fall within the scope of protection of the present invention.
The facial feature data referred to in the present invention is data obtained by feature extraction from a face image; the face image is normally obtained by starting one or more image acquisition units such as cameras. Where necessary, the image acquisition unit may compare and confirm across one or more frames of live imagery, to ensure that the captured face image is a valid image that meets the specification and so prevent an unauthorized user from forging an identity with a legitimate user's face image. During transmission and storage, the facial feature data may take a protected form, such as a data digest, a signature, public-key encryption or symmetric encryption; it suffices that, when the data is used, the receiving side can undo or re-derive that form (decrypt an encrypted template, verify a signature, or recompute a digest) so that the comparison operates on the correct data. The pre-stored feature data held in the feature library, as the term is used in the present invention, is facial feature data generated from prior enrollment; it may likewise be stored in one of the protected forms above and is retrieved for comparison when authentication is subsequently required.
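The paragraph above lists digests, signatures and encryption as protected forms of the feature data without saying how they fit a biometric match. The added example below (illustration code, not the patent's) shows the two points a practitioner needs: a plain digest of the features cannot be compared against the library, because two captures of the same face produce close but unequal vectors, so matching has to be a similarity test on the decoded features; and a keyed tag bound to a per-request challenge gives the returned frame integrity and stops a captured feature frame from being replayed. The shared transport key, the challenge carried in the authentication-execution instruction, the cosine-similarity matcher and the sample vectors are assumptions; encryption of the stored templates at rest is left to the platform and not shown.

```python
"""Integrity and replay protection for facial feature data in transit, with fuzzy matching."""
import hashlib
import hmac
import json
import secrets

TRANSPORT_KEY = bytes.fromhex("7f" * 32)   # assumed pre-provisioned key (never hard-code in production)
MATCH_THRESHOLD = 0.9                       # assumed similarity required for a match

def encode_features(features):
    """Canonical, deterministic byte encoding of a feature vector."""
    return json.dumps([round(x, 4) for x in features], separators=(",", ":")).encode()

def feature_digest(features):
    """Plain SHA-256 of the encoding: fine for integrity, useless for matching."""
    return hashlib.sha256(encode_features(features)).hexdigest()

def cosine_similarity(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = sum(x * x for x in a) ** 0.5
    nb = sum(y * y for y in b) ** 0.5
    return dot / (na * nb) if na and nb else 0.0

def protect(features, challenge, key=TRANSPORT_KEY):
    """Terminal side: bind the features to the verifier's challenge with an HMAC tag."""
    tag = hmac.new(key, challenge + encode_features(features), hashlib.sha256).digest()
    return {"challenge": challenge.hex(), "features": features, "tag": tag.hex()}

class Verifier:
    """Verifier side (AP or control device) holding the pre-stored feature library."""
    def __init__(self, library, key=TRANSPORT_KEY, threshold=MATCH_THRESHOLD):
        self.library = library       # user name -> enrolled feature vector
        self.key = key
        self.threshold = threshold
        self.outstanding = set()     # challenges issued but not yet answered

    def new_challenge(self):
        """Fresh random challenge to send inside the authentication-execution instruction."""
        c = secrets.token_bytes(16)
        self.outstanding.add(c)
        return c

    def verify(self, payload):
        """Return (accepted, reason). Each challenge is consumed on first use."""
        challenge = bytes.fromhex(payload["challenge"])
        if challenge not in self.outstanding:
            return False, "unknown or already used challenge"
        self.outstanding.discard(challenge)
        expected = hmac.new(self.key, challenge + encode_features(payload["features"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(payload["tag"])):
            return False, "bad tag"
        best = max((cosine_similarity(payload["features"], t) for t in self.library.values()),
                   default=0.0)
        if best < self.threshold:
            return False, f"no template above threshold (best {best:.3f})"
        return True, f"matched (similarity {best:.3f})"

# Constructed vectors: two captures of one face are close but not byte-identical
ENROLLED = [0.9, 0.1, 0.4, 0.8]
GENUINE = [0.88, 0.12, 0.41, 0.79]

def demo():
    v = Verifier({"alice": ENROLLED})
    digests_differ = feature_digest(GENUINE) != feature_digest(ENROLLED)
    payload = protect(GENUINE, v.new_challenge())
    first = v.verify(payload)       # valid tag, template matches: accepted
    replay = v.verify(payload)      # same frame again: challenge already consumed
    forged = dict(protect(GENUINE, v.new_challenge()), features=[0.0, 1.0, 0.0, 0.0])
    tampered = v.verify(forged)     # features altered after tagging: tag check fails
    return {"digests_differ": digests_differ, "first": first[0],
            "replay": replay[0], "tampered": tampered[0]}

if __name__ == "__main__":
    print(demo())
```

The tag is checked with `hmac.compare_digest` before any matching work is done, so an attacker who cannot produce a valid tag never reaches the similarity computation. A keyed tag gives integrity only; if the feature vector itself must stay confidential on the air, as the paragraph's mention of symmetric or public-key encryption implies, an authenticated-encryption mode should replace the HMAC so that one primitive provides both properties.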
The communication network referred to in the present invention is a network providing WiFi access services under IEEE 802.11 and its family of protocols. In such a network environment there is a WiFi access point device as referred to in the present invention, which transmits a WiFi signal carrying a service set identifier (SSID), thereby setting up the communication network, and admits legitimate users; and there is an access terminal device as referred to in the present invention, equipped with a WiFi chip module, which can scan for the beacon frames of the communication network to determine its SSID, or obtain the SSID by issuing an active probe, and then initiate an access request to the communication network identified by that SSID; once the access point device accepts the access request, establishment of the WiFi connection is completed. Usually such a communication network can be further routed by the WiFi access point device and connected to internal and external networks, so as to reach the same local area network, the Internet, or other types of wide area network. In the present invention, a control terminal device is allowed to establish a trusted connection with the WiFi access point device, and through the control terminal device to take over the WiFi access point device's authentication of other access terminal devices that wish to access its communication network, so that the present invention is technically enhanced relative to conventional implementations.
The devices referred to in the present invention, specifically the control terminal device and the access point device disclosed below, usually mean portable mobile devices such as tablet computers, mobile phones and smart watches that are equipped with an intelligent operating system. These operating systems may be Windows Phone, Android, iOS or other mobile operating systems, and of course may also be desktop systems such as Windows. As long as the device used is portable, intelligent and has WiFi communication capability, a person skilled in the art may regard it as the corresponding portable device referred to in the art.
In the WiFi connection procedure specified by the IEEE 802.11 protocol, establishing a WiFi connection usually passes through a connection request phase (Probe Request/Response), an authentication phase (Authentication) and an association phase (Association). In the connection request phase, preliminary mutual identification is established between the access terminal device and the access point device; in the authentication phase, the two interact bidirectionally to complete authentication; finally, the connection is confirmed through the exchange of association management frames. The various methods and aspects of the present invention are improvements built on this basis, and correspondingly some concepts are described in simplified form. For example, the connection request procedure may be simplified in the present invention to a single access request; the authentication procedure may be decomposed into several interaction steps, including separate steps among the several devices that participate in authentication; and the association procedure may be simplified to establishing a connection between the access terminal device and the access point device. Therefore, a person skilled in the art should understand that even though the description of the present invention does not always follow the normative terminology of IEEE 802.11, the specific solutions of the present invention can still be understood in a technically reasonable way on the basis of IEEE 802.11 together with the key technical features described here. In particular, the original intent of the present invention and the reasonable scope of protection it covers should not be misunderstood or distorted because of the simplified description of individual terms or features.
To facilitate understanding of the present invention, an operating environment of the present invention is introduced below; it may also be regarded as an application scenario of the present invention.
As shown in Figure 1, a WiFi access point device sets up and opens a WiFi communication network. An ordinary AP (Access Point) can provide this function, and a similar device that has AP functionality with routing added can likewise be used to set up the communication network of the present invention.
There is a portable control terminal device, for example a smartphone that likewise includes a WiFi chip module, which accesses the communication network as a legitimate user and, through an application installed on the smartphone, manages the configuration and authentication functions of that network. The control terminal device should establish a trusted connection relationship with the WiFi access point device on the basis of a WiFi connection. One way is to hard-associate the two: the information of the management interface of the WiFi access point device is fixed when it leaves the factory, so that any smart device on which the application of the present invention is installed and which holds that management interface information can become the control terminal device; since holding that information is all that is required, it must be protected like any other credential. The other way is for the WiFi access point device to provide authentication in the conventional manner, allowing a smart device to access it by an authentication method such as WEP or WPA and then to call its management interface and designate itself as the control terminal device; through that control terminal device the availability of the face-feature-based authentication function can further be controlled. In either way, the control terminal device can become the management terminal of the WiFi access point device in an exclusive or non-exclusive manner.
At least one smart device wishing to access the communication network can act as the access terminal device of the present invention; naturally it is equipped with a WiFi chip module and an image acquisition unit such as a camera. After detecting the beacon frame of the communication network, it can initiate a connection request in the expectation of completing access to that network. When it then enters the authentication procedure and is asked to provide authentication data, it can obtain the corresponding authentication data from the user on demand; this can of course be simplified to an automated provision of authentication data by the access terminal device rather than an explicit challenge-response. It submits that data to the WiFi access point device and finally, in the association phase, learns whether it has successfully accessed the communication network according to whether the WiFi access point device's authentication passed. This authentication data may or may not include a conventional password as used by WEP or WPA, but in the present invention it must above all include face feature data acquired by the image acquisition unit.
The access terminal device, the control terminal device and the WiFi access point device may run different operating systems; as long as the devices follow the same protocol or communication interface standard implemented according to the solution of the present invention, they can cooperate without obstacle to build the operating environment of the present invention. It should be noted that there may be one or more control terminal devices, and one or more access terminal devices may exist at the same time; the substantive inventive spirit of the present invention is not limited by their number.
The working mechanism of the arrangement shown in Figure 1 is as follows. After the WiFi access point device starts, it completes the configuration of the communication network according to its default settings and starts its WiFi access service. After the control terminal device starts, it can access the communication network of the WiFi access point device in a conventional way, for example WPA-based password verification; a control terminal device that has accessed the network may be granted administrator status by default, or may obtain that status through an authentication mechanism similar to an administrator login. A control terminal device with administrator status can read the configuration options of the WiFi access point device as administrator, display a configuration page in the user interface provided by its touch-sensitive display, and, after the user has modified the setting options, submit them to the WiFi access point device so that the modifications take effect. Every device other than the control terminal device that wishes to access the WiFi access point device is treated as an access terminal device: it is required to provide face feature data, which the WiFi access point device submits to the control terminal device for verification; if verification passes, the access terminal device is allowed to access the network, otherwise it is denied. The face feature data submitted by the access terminal device is in essence data to be authenticated; the WiFi access point device routes it to the control terminal device according to its default logic, and the authentication result information produced by the control terminal device is handed back to the WiFi access point device to act upon, thereby completing one core authentication and access procedure.
The specific implementation of each device is disclosed one by one in the following embodiments of the present invention.
Referring to Figure 2, in one embodiment of the present invention, the WiFi access remote authentication method used by a portable control terminal device of the present invention includes the following steps: step S12, obtaining face feature data to be verified, transmitted by the WiFi access point device and submitted by a device requesting access to its communication network; step S13, verifying the face feature data and obtaining authentication result information indicating whether verification succeeded or failed; step S14, feeding the authentication result information back to the WiFi access point device.
Evidently, the control terminal device has already accessed the communication network set up by the WiFi access point device over a trusted WiFi connection. Thus, as soon as the access terminal device of the present invention provides the WiFi access point device with face feature data for the authentication of its access request, the WiFi access point device routes that face feature data to the control terminal device, which verifies it, produces authentication result information, and sends that information to the WiFi access point device. Having obtained the authentication result information, the WiFi access point device allows the access terminal device to access the communication network if the information indicates a successful verification, and refuses access if it indicates a failed verification. Refusal can take the form of simply not responding to the face feature data, or of returning to the access terminal device a management frame indicating authentication failure. By implementing this method, the control terminal device takes over from the WiFi access point device the authentication of access terminal devices wishing to access its communication network.
Referring to Figure 3, in one embodiment of the present invention, the WiFi access authentication method used by a portable access terminal device of the present invention includes the following steps: step S21, sending a connection request management frame to the WiFi access point device to initiate an access request; step S22, in response to an authentication execution instruction returned in a management frame after that access request, activating the image acquisition unit to obtain face feature data; step S23, returning to the WiFi access point device a multicast frame or an authentication management frame containing the face feature data, in answer to the authentication execution instruction; step S24, once the face feature data has passed authentication and a management frame indicating successful authentication has been received, carrying out the association procedure specified by the WiFi protocol so as to access the communication network set up by the WiFi access point device.
Evidently, by activating the image acquisition unit of the access terminal device to obtain face feature data after receiving the authentication execution instruction from the WiFi access point device, and submitting that face feature data to the WiFi access point device, which routes it to the control terminal device for authentication, the access terminal device can access the communication network once authentication passes. This procedure enhances the authentication logic of the portable access terminal device, making its access to the communication network more convenient and efficient, and, since password-based authentication is replaced by authentication based on a human biometric, is in the inventor's view more secure.
Referring to Figure 4, in one embodiment of the present invention, the WiFi access authentication control method used by a WiFi access point device of the present invention includes the following steps: step S31, receiving an access request from an access terminal device; step S32, returning an authentication execution instruction in response to the access request; step S33, receiving the face feature data returned in answer to the authentication execution instruction and requesting the control terminal device to authenticate it; step S34, according to the authentication result information returned by the control terminal device indicating success or failure, correspondingly allowing or blocking access by the access terminal device to the preset communication network.
After the WiFi access point device detects the access request of the access terminal device, it can either originate an authentication execution instruction itself or relay the control terminal device's authentication execution instruction to the access terminal device, so that the access terminal device starts obtaining face feature data. After the access terminal device returns the face feature data, the WiFi access point device passes it to the control terminal device and requests authentication; finally, according to the result returned by the control terminal device, it allows or blocks access by the access terminal device to the communication network. In this procedure the WiFi access point device does not authenticate on its own but acts as a relay: the authentication function is actually performed by the control terminal device, and the WiFi access point device uses the authentication result to control the access terminal device's request. It follows that the access terminal device must only be admitted to association when a positive result has been bound to that specific device's request; the access point is the enforcement point even though it is not the decision point. The WiFi access point device can thus improve and enhance the functions of its WiFi chip module according to this method, adding cooperative support for the face feature data verification procedure while still ensuring normal network routing.
It can be seen that the control terminal device, the access terminal device and the WiFi access point device described above are all associated with the same communication network set up by the access point device, each performing its own role and cooperating with the others, making authentication more effective.
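The following is an added example, not code from the patent, that simulates the exchange described in steps S21 to S24, S31 to S34 and S12 to S14 among the three roles: an access terminal (STA) that supplies feature data, an access point that relays the data without inspecting it and enforces the result, and a control device that holds the feature library and decides. The frame names, the representation of face feature data as a small numeric vector, the Euclidean-distance threshold used for the approximate match, the HMAC integrity tag on library records and the MAC addresses are all assumptions of this example. It also shows one check the text implies but does not spell out: the access point only honours an association request from a station whose own feature data passed.

```python
"""Constructed simulation of the three-party WiFi access authentication exchange.
Frame names, vector format, threshold and addresses are assumptions of this example."""
import hashlib
import hmac
import json
import math
from dataclasses import dataclass

MATCH_THRESHOLD = 0.25   # assumed tolerance below which two feature vectors "agree"


@dataclass
class Frame:
    kind: str             # probe_req | auth_exec | auth_data | auth_ok | auth_fail | assoc_req | assoc_ok | assoc_fail
    src: str              # sender MAC address (assumed string form)
    payload: object = None


def distance(a, b):
    """Euclidean distance between two equal-length feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class ControlDevice:
    """Holds the feature library and performs steps S12 to S14 (verify and report)."""

    def __init__(self, library_key: bytes):
        self._key = library_key
        self._library = {}    # user -> (serialized vector, HMAC-SHA256 tag)

    def enroll(self, user: str, features):
        """Step S18: store a collected vector as pre-stored feature data with an integrity tag."""
        rec = json.dumps(list(features)).encode()
        self._library[user] = (rec, hmac.new(self._key, rec, hashlib.sha256).digest())

    def verify(self, features):
        """Step S13: compare against every intact library record; an approximate match counts."""
        for user, (rec, tag) in self._library.items():
            if not hmac.compare_digest(tag, hmac.new(self._key, rec, hashlib.sha256).digest()):
                continue                                  # tampered record never matches
            if distance(json.loads(rec), features) <= MATCH_THRESHOLD:
                return {"ok": True, "user": user}
        return {"ok": False, "user": None}


class AccessPoint:
    """Steps S31 to S34: relays the face data unread and enforces the control device's result."""

    def __init__(self, control: ControlDevice):
        self._control = control
        self._authenticated = set()   # STA MACs whose feature data passed
        self.associated = set()

    def handle(self, frame: Frame) -> Frame:
        if frame.kind == "probe_req":                       # S31 -> S32
            return Frame("auth_exec", "ap")
        if frame.kind == "auth_data":                       # S33: routed to the control device
            result = self._control.verify(frame.payload)
            if result["ok"]:                                # S34: allow
                self._authenticated.add(frame.src)
                return Frame("auth_ok", "ap", result["user"])
            return Frame("auth_fail", "ap")                 # S34: block
        if frame.kind == "assoc_req":
            # association is only honoured for a STA whose own data was verified
            if frame.src in self._authenticated:
                self.associated.add(frame.src)
                return Frame("assoc_ok", "ap")
        return Frame("assoc_fail", "ap")


class AccessTerminal:
    """Steps S21 to S24. `capture` stands in for the image acquisition unit."""

    def __init__(self, mac: str, capture):
        self.mac = mac
        self._capture = capture

    def join(self, ap: AccessPoint) -> str:
        reply = ap.handle(Frame("probe_req", self.mac))                       # S21
        if reply.kind != "auth_exec":
            return "no_auth_exec"
        reply = ap.handle(Frame("auth_data", self.mac, self._capture()))      # S22, S23
        if reply.kind != "auth_ok":
            return "rejected"
        reply = ap.handle(Frame("assoc_req", self.mac))                       # S24
        return "associated" if reply.kind == "assoc_ok" else "rejected"


def run_demo():
    """An enrolled user, an unknown face, and a STA that tries to skip authentication."""
    control = ControlDevice(library_key=b"constructed-library-key")
    control.enroll("alice", [0.10, 0.20, 0.30, 0.40])      # constructed 4-d feature vector
    ap = AccessPoint(control)
    alice = AccessTerminal("02:00:00:00:00:01", lambda: [0.12, 0.19, 0.31, 0.40])
    mallory = AccessTerminal("02:00:00:00:00:02", lambda: [0.90, 0.10, 0.80, 0.20])
    skipper = ap.handle(Frame("assoc_req", "02:00:00:00:00:03")).kind
    return {"alice": alice.join(ap), "mallory": mallory.join(ap),
            "skipper": skipper, "associated": sorted(ap.associated)}


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` admits the enrolled user whose fresh capture differs slightly from the stored vector, rejects the unknown face, and returns `assoc_fail` to the station that sends an association request without ever having its feature data verified. In a real deployment the distance metric and threshold come from the face recognition model in use; the structural point is that the access point keeps its own record of which station passed, independent of what any station claims.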
The WiFi access remote authentication method of the present invention for the portable control terminal device has several embodiments. Taking the preceding embodiment as a basis, the remaining variant embodiments are described below step by step. Please continue to refer to Figure 2 together with the following text.
Assuming that a trusted connection has been established between the control terminal device and the WiFi access point device, the WiFi access remote authentication method is normally executed according to steps S12 to S14. The procedure for establishing the trusted connection is also disclosed here. In one embodiment, the control terminal device establishes a trusted connection with the WiFi access point device in advance by way of a WiFi connection; specifically, the control terminal device starts in STA mode and accesses the WiFi access point device operating in AP mode. Then, as a feature common to the embodiments of the present invention but not mandatory, a step S10 (not shown) may be provided which, in response to a user management instruction, displays a user management interface for modifying the setting options that apply to the WiFi access point device. By executing step S10, the control terminal device can retrieve the setting options of the WiFi access point device according to the pre-agreed protocol and display them in the user management interface on its touch-sensitive display. The user invokes the user management interface on the control terminal device by triggering a user management instruction there, or the instruction is triggered by default. The user management interface, displayed in response to that instruction, presents the various setting options of the WiFi access point device and allows the user to modify those setting options that apply to the WiFi access point device (especially the settings of its communication network), so that the management interface of the WiFi access point device is taken over by the control terminal device and more convenient management is provided. The setting options are manifold, for example the SSID of the communication network, DHCP settings, channel number and choice of authentication method; any option related to WiFi network functionality whose change alters the effective configuration of the WiFi access point device may be regarded as such a setting option. In particular, the word "option" must not be understood in the narrow sense of "one of two" or "one of many", as a person skilled in the art will appreciate.
Step S12, obtaining the face feature data to be verified, transmitted by the WiFi access point device and submitted by a device requesting access to its communication network, may be implemented as follows:
In one embodiment, the control terminal device may obtain the face feature data by directly processing the multicast signal sent by the access terminal device that contains the face feature data to be verified. Specifically, because the access terminal device has not yet successfully accessed the communication network provided by the WiFi access point device, it cannot send the face feature data in data frames, but it can transmit the data in a group of several multicast frames. The access terminal device converts the face feature data into binary form, loads it into the editable fields of several multicast frames, specifically into their address fields, and then sends those multicast frames. The control terminal device receives these multicast frames directly, extracts the binary data from the editable fields, and converts it back into face feature data. Since these frames are sent before any link-layer encryption exists, whatever is placed in their address fields is visible on air; this is why the protected form of the feature data described above matters in this embodiment.
In another embodiment, the above extraction of face feature data from the access terminal device's multicast signal is performed by the WiFi access point device, which then loads the data into a data frame and sends it to the control terminal device; the control terminal device simply extracts the face feature data from the data frame.
After the face feature data is obtained, it should, according to the protocol, be decrypted if it is encrypted; otherwise it can be used directly in the subsequent verification.
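The following is an added example, not code from the patent, of carrying a blob of face feature data in the address fields of a burst of multicast frames and reassembling it on the receiving side, as the embodiment above describes. The patent does not fix a frame layout, so the layout here is an assumption: the destination address is a locally administered multicast address whose first octet is 0x03, its second octet is a sequence number, and the remaining four octets carry payload; the transmitter address and BSSID identify which station's burst a frame belongs to. The shared key, the HMAC-SHA256 tag used as the "signature" form of the data, the CRC framing and the sample feature bytes are likewise constructed for the example.

```python
"""Constructed example: face feature data in the address fields of multicast frames
sent before association. Layout, key and sample data are assumptions of this example."""
import hashlib
import hmac
import struct
import zlib

GROUP_PREFIX = b"\x03"    # I/G bit set (multicast) and U/L bit set (locally administered)
PAYLOAD_PER_FRAME = 4     # 6-octet address minus prefix octet and sequence octet
MAX_FRAMES = 256          # one sequence octet, so at most 1 KiB of body per burst


def seal(key: bytes, data: bytes) -> bytes:
    """Prepend an HMAC-SHA256 tag: the 'signature' form of the feature data.
    This gives integrity and origin only; confidentiality needs encryption on top."""
    return hmac.new(key, data, hashlib.sha256).digest() + data


def unseal(key: bytes, blob):
    """Return the data if the tag verifies, else None."""
    if blob is None or len(blob) < 32:
        return None
    tag, data = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, data, hashlib.sha256).digest()):
        return None
    return data


def encode_frames(sta_mac: bytes, bssid: bytes, data: bytes) -> list:
    """Split data into (addr1, addr2, addr3) tuples; addr1 carries the payload octets."""
    body = struct.pack(">H", len(data)) + data + struct.pack(">I", zlib.crc32(data))
    if len(body) > PAYLOAD_PER_FRAME * MAX_FRAMES:
        raise ValueError("feature data too large for one burst")
    frames = []
    for seq, off in enumerate(range(0, len(body), PAYLOAD_PER_FRAME)):
        piece = body[off:off + PAYLOAD_PER_FRAME].ljust(PAYLOAD_PER_FRAME, b"\x00")
        frames.append((GROUP_PREFIX + bytes([seq]) + piece, sta_mac, bssid))
    return frames


def decode_frames(frames, sta_mac: bytes, bssid: bytes):
    """Reassemble one station's burst; None if frames are missing or the CRC fails.
    The CRC only detects transmission damage; forgery is caught by unseal()."""
    chunks = {}
    for addr1, addr2, addr3 in frames:
        if addr1[:1] != GROUP_PREFIX or addr2 != sta_mac or addr3 != bssid:
            continue                              # not part of this station's burst
        chunks[addr1[1]] = addr1[2:]
    if not chunks or sorted(chunks) != list(range(len(chunks))):
        return None                               # gap in the sequence numbers
    body = b"".join(chunks[i] for i in range(len(chunks)))
    if len(body) < 6:
        return None
    (n,) = struct.unpack(">H", body[:2])
    data = body[2:2 + n]
    if len(data) != n or len(body) < 6 + n:
        return None
    (crc,) = struct.unpack(">I", body[2 + n:6 + n])
    return data if zlib.crc32(data) == crc else None


def demo():
    """Round trip, a burst with its first frame lost, and a burst with one octet flipped."""
    key = b"constructed-shared-key"
    sta, bssid = bytes.fromhex("020000000001"), bytes.fromhex("020000000010")
    features = struct.pack(">8f", 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8)   # constructed
    frames = encode_frames(sta, bssid, seal(key, features))
    roundtrip = unseal(key, decode_frames(frames, sta, bssid)) == features
    missing = decode_frames(frames[1:], sta, bssid)
    a1, a2, a3 = frames[3]
    forged = frames[:3] + [(a1[:3] + bytes([a1[3] ^ 0xFF]) + a1[4:], a2, a3)] + frames[4:]
    tampered = decode_frames(forged, sta, bssid)
    return {"frames": len(frames), "roundtrip": roundtrip,
            "missing": missing, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The receiver, whether it is the control terminal device listening directly or the access point extracting the data before forwarding it in a data frame, filters by transmitter address and BSSID so that bursts from different stations do not interleave, and rejects any burst with a gap in the sequence or a failed CRC. Only the tag check in `unseal()` tells a genuine blob from one an attacker re-framed with a fresh CRC, which is the reason to seal the feature data before it is chunked.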
Step S13, verifying the face feature data and obtaining authentication result information indicating whether verification succeeded or failed, may be implemented as follows:
Specifically, the control terminal device obtains in advance a feature library storing the face feature data of legitimate users. This feature library may be stored in the local memory of the control terminal device, or on a cloud server that the control terminal device can use through remote requests. The face feature data in the feature library, that is, the pre-stored feature data, may be held in encrypted form to strengthen its security. When verifying the face feature data, the control terminal device performs one of the following procedures depending on where the feature library is stored:
For a locally stored feature library, the control terminal device compares the face feature data to be verified with the pre-stored feature data in the library. If it confirms that pre-stored feature data consistent with the face feature data exists, the face feature data is regarded as supplied by a legitimate user; otherwise it is regarded as supplied by an illegitimate user. In these two cases, authentication result information indicating success or failure respectively is generated. "Consistency" between the face feature data and the pre-stored feature data is not limited to complete identity of data form or content; for example, the two may be regarded as consistent when their similarity reaches a preset level or lies within an allowed range.
For a feature library stored on a cloud server, the control terminal device encapsulates the face feature data to be verified in a verification request and sends it to the cloud server; the server uses the face feature data to perform a verification procedure such as the one above, and finally the cloud server generates the authentication result information and returns it to the control terminal device.
It can be seen that, whether verification is performed locally or submitted to the cloud server, the control terminal device obtains the authentication result information through the verification.
To build the feature library, in one embodiment the WiFi access remote authentication method executed by the control terminal device further performs a step S18 (not shown): in response to a user collection instruction, displaying an image collection interface for collecting the user's face feature data as the pre-stored feature data.
Usually the control terminal device carries an application dedicated to implementing this method. While the application is running, the image collection interface can be activated and displayed by a virtual button or a specific gesture. When the image collection interface is activated, the image acquisition unit of the control terminal device, for example a camera, is started to preview the captured image; once the user has settled on a facial expression and given a further confirmation instruction, by voice, gesture, virtual button or the like, the image acquisition unit captures a face image. That face image is processed to extract the face feature data, which is then stored as pre-stored feature data in the local feature library or submitted to the cloud feature library for storage. As stated above, when stored in the feature library this face feature data may be kept in some encrypted form to strengthen its security.
Step S14, feeding the authentication result information back to the WiFi access point device, may be implemented as follows:
The purpose of feeding the authentication result information back to the WiFi access point device is to cause the WiFi access point device to allow or block access to its communication network by the access terminal device that supplied the face feature data to be verified; the actual allowing or blocking of access is performed by the WiFi access point device. Therefore, after receiving the authentication result information, the WiFi access point device responds to the access terminal device that initiated the access request according to the content of that information, allowing or refusing its access to the communication network; the access terminal device can then tell whether authentication passed by observing whether it has successfully accessed the network.
None of the variant embodiments above deals with the access request itself (the access device's request to join the network); they only deal with the face feature data submitted afterwards. In those embodiments the access request, in particular a handshake request initiated from a conventional WiFi beacon frame, is handled by the WiFi access point device according to its conventional protocol logic; the access point then requires the access device to submit the face feature data and routes that data to the control device for the processing described in the embodiments above. From the control device's point of view, handling of the access request is skipped entirely and only verification of the face feature data, treated as the request, needs to be implemented, which reduces system overhead.
In a further improved embodiment, shown in FIG. 5, the method additionally includes a preliminary step S11: obtaining the access device's request to join the communication network hosted by the WiFi access point device and feeding back an authentication execution instruction, so that the face feature data to be verified, submitted in response to that instruction, can subsequently be obtained.
Specifically, once the access device has detected the beacon frame of the network hosted by the WiFi access point device, or has determined the network's SSID by sending a Probe Request (answered by a Probe Response frame), it can send an access request to the access point. In the first class of embodiments above, where the control device does not handle this request, the access point processes it directly. In the present embodiment the access point may instead route the access request to the control device, or pass it on in some converted form; either way, the control device treats what it receives as the access device's request to join the network. In response, the control device feeds back an authentication execution instruction to the access device via the WiFi access point device, or the access point converts that instruction into some other form and delivers it to the access device. In the first class of embodiments, by contrast, the authentication execution instruction originates at the WiFi access point device itself. After receiving the authentication execution instruction (or treating a received Probe Response frame as that instruction), the access device follows its preset program, starts its image-acquisition unit to obtain the face feature data to be verified, and submits it, after which the subsequent steps S12 to S14 described above are carried out.
From the embodiments of the WiFi access remote authentication method executed on the control device described above, it can be seen that in some embodiments the access device's access request and the authentication execution instruction issued in response to it are handled by the control device and routed through the WiFi access point, while in others the control device plays no part in handling them. The trade-off is this: letting the WiFi access point device handle the access request and issue the authentication execution instruction simplifies the exchange and reduces the load on the control device; letting the control device handle the access request and originate the instruction strengthens its centralized management and further improves network security. In a further refinement, a management frame with which the WiFi access point device acknowledges the connection request during the connection procedure (such as the Probe Response frame) can itself be treated as the authentication execution instruction.
As shown in FIG. 6, in a further refined embodiment the WiFi access remote authentication method executed by the control device also includes step S15: counting the authentication failures of face feature data that share the same source address and, once the failure count exceeds a preset value, blocking face feature data from that source address.
Tracking how many times face feature data submitted repeatedly from the same source address has failed authentication helps improve network security, so the control device can keep statistics on the face feature data it receives. Whether the WiFi access point device forwards the access device's face feature data unchanged or re-packages it in its own message format, the packet it sends to the control device carries a unique identifier of the access device, for example its MAC address, UUID or host name. Each such identifier thus stands for one source address, and the control device can count verification failures of face feature data per source address. Preferably a statistical period is set, for example half an hour or five minutes; if within that period the face feature data submitted by one source address accumulates the specified number of verification failures (the preset value), or exceeds it, the control device treats that source address as the origin of a malicious attack, or at least of an unauthorized intrusion attempt. The control device then blocks face feature data from that source address and no longer verifies or responds to it, protecting the control device itself and the whole network from the attack. Note that a MAC address, UUID or host name is supplied by the client and can be changed by it, so this lockout limits repeated attempts from a single identifier but does not by itself stop an attacker who rotates identifiers.
A simpler and effective way to manage this is to add the source address to be blocked to a blacklist. For each subsequently received item of face feature data to be verified, the blacklist is first consulted for the data's source address: if the address is present, the face feature data is filtered out directly, which blocks that source; if it is absent, processing continues normally.
To complement step S15, a step S16 may be added as needed: receiving a recovery request belonging to the source address and, in response to a user instruction, unblocking face feature data from that source address.
The access device may be preconfigured with a fallback for the case where the face feature data it provides has been blocked: it sends a recovery request to the network asking the blocking party to reinstate its subsequent verification requests. The control device receives this recovery request, which also carries the access device's source address; the request is subject to review, so the control device will not necessarily lift the block immediately. Unblocking is usually done manually: the administrator sees the recovery request in the control device's user management interface and decides whether to grant it. Once the request is granted, the control device removes the source address from its blacklist and no longer blocks face feature data carrying that address, so the access device can again attempt to join the network. Note that although a user management interface is used, the settings it presents may include items stored on the control device, such as the blacklist and the contents of recovery requests, which can be kept in the control device's memory and displayed in the interface alongside the WiFi access point device's own settings.
As shown in FIG. 7, in another refined embodiment the WiFi access remote authentication method executed by the control device also includes step S15': counting the authentication failures of face feature data that share the same source address and, once the failure count exceeds the preset value, sending the WiFi access point device a notification indicating that access requests from that source address are to be blocked.
As in the previous refined embodiment, the control device counts repeated authentication failures of the face feature data; what differs is how the access device is subsequently blocked. In this embodiment, when the failure count exceeds the preset value, a notification is generated and sent to the WiFi access point device whose content indicates that access requests from that source address are to be blocked; in other words, the control device instructs the access point, by way of the notification, to block access requests from the specified source address. Based on the notification, the access point then stops responding to access requests from that source address, or directly sends a frame refusing access, so that the corresponding access device cannot join the access point's network. Unlike the previous example, blocking of the source address is performed by the WiFi access point device itself; it takes effect faster and more directly, and the access point need not even process face feature data from that source.
Likewise, to complement step S15', a step S16' may be added as needed: receiving a recovery request belonging to the source address and, in response to a user instruction, sending the WiFi access point device a notification that access requests from that source address are to be unblocked.
As before, the access device may be preconfigured with a fallback for the case where the face feature data it provides has been blocked: it sends a recovery request to the network asking the blocking party to reinstate its subsequent verification requests. The control device receives this request, which also carries the access device's source address; the request is subject to review, so the block is not necessarily lifted immediately. Unblocking is usually manual: the administrator sees the recovery request in the control device's user management interface and decides whether to grant it. Once the request is granted, the control device packages a notification indicating that access requests from the source address are to be unblocked and sends it to the WiFi access point device. On receiving it, the access point removes the source address from its recorded data (which may take the form of a blacklist) and no longer blocks access requests carrying that address, so the access device can again attempt to join the network. Note that the settings shown in the user management interface may also include the recorded block data stored on the WiFi access point device, such as the blacklist above; after the administrator grants a recovery request in that interface, it can display the list with the corresponding source address removed.
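As an added illustration (not part of the patent description), the following Python code shows one way to implement the failure counting of steps S15/S15' and the recovery handling of steps S16/S16': failures are counted per source address within a rolling statistical period, the address is blocked once the count exceeds the preset value, recovery requests are queued for manual approval rather than applied at once, and every block or unblock decision is emitted as a notification of the kind the control device would send to the WiFi access point device. The source address is assumed to be the client's MAC address, and the threshold and period values are illustrative.

```python
"""Per-source-address authentication failure tracking with a rolling
window, a blacklist, and administrator-approved recovery.

Added example, not the patent's code. The source address is assumed to be
the client's MAC address; the window and threshold are illustrative.
"""
from collections import defaultdict, deque
import time


class FailureTracker:
    """Counts verification failures per source address within a rolling
    statistical period and blocks the address when the preset value is
    exceeded. Decisions are recorded as notifications, so the same logic
    serves the control-device-side filter (S15/S16) and the AP-side
    block (S15'/S16')."""

    def __init__(self, max_failures=5, period_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.period = period_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # source -> timestamps of failures
        self._blacklist = set()
        self._pending_recovery = set()
        self.notifications = []              # what would be sent to the AP

    def is_blocked(self, source):
        return source in self._blacklist

    def record_result(self, source, success):
        """Record one verification outcome; return True if the source is
        (now) blocked. A success clears the source's failure history."""
        if source in self._blacklist:
            return True
        if success:
            self._failures.pop(source, None)
            return False
        now = self.clock()
        window = self._failures[source]
        window.append(now)
        # Forget failures that fell out of the statistical period.
        while window and now - window[0] > self.period:
            window.popleft()
        if len(window) > self.max_failures:
            self._block(source)
            return True
        return False

    def _block(self, source):
        self._blacklist.add(source)
        self._failures.pop(source, None)
        self.notifications.append({"action": "block", "source": source})

    def request_recovery(self, source):
        """Queue a recovery request for manual review; never unblocks by itself."""
        if source not in self._blacklist:
            return False
        self._pending_recovery.add(source)
        return True

    def approve_recovery(self, source):
        """Administrator decision: remove the address from the blacklist
        and notify the AP so it can drop its own block entry."""
        if source not in self._pending_recovery:
            return False
        self._pending_recovery.discard(source)
        self._blacklist.discard(source)
        self.notifications.append({"action": "unblock", "source": source})
        return True


def process_submission(tracker, source, verify):
    """Gate one submitted template: blacklisted sources are filtered out
    before any verification work is spent on them."""
    if tracker.is_blocked(source):
        return "blocked"
    ok = verify()  # stand-in for the feature-library comparison
    tracker.record_result(source, ok)
    if ok:
        return "accepted"
    return "blocked" if tracker.is_blocked(source) else "rejected"
```

The deque per source keeps the window check O(failures in window); `clock` is injectable so the period logic can be tested without waiting.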
The foregoing discloses in detail multiple embodiments of the WiFi access remote authentication method carried out by the portable control device of the invention, from which it can be seen that the control device can perform authentication management of a WiFi communication network on the basis of face feature data and thereby strengthen the network's security.
The WiFi access authentication method of the invention for the portable access device likewise has multiple embodiments. Building on the previous embodiment, the remaining variants are described below step by step; please continue to refer to FIG. 3 while reading the following:
Step S21, sending a connection request management frame to the WiFi access point device to initiate an access request, is implemented as follows:
The WiFi access point device, acting as an AP, is configured with a communication network and radiates a WiFi signal. In one embodiment the access point periodically broadcasts its beacon frame (when the SSID is not hidden); the portable access device of the invention discovers the beacon by scanning and can then initiate the access request. In another embodiment, particularly when the SSID is hidden, the access device sends a connection request management frame, i.e. a Probe Request frame, obtains the network configuration information from the Probe Response frame (the "connection success management frame") returned by the access point, and initiates the access request on that basis.
Usually the user triggers a scan for nearby WiFi networks through the WiFi switch in the access device's operating-system settings, obtains a list of SSIDs, and selects the SSID of the desired network to join it. The access device can also store the configuration of networks the user has joined before; in that case the user need only turn WiFi on, and the system automatically joins the preferred network according to a preset priority policy. Either way, user interaction produces a user instruction directing the access device to join the network of the invention, and the access device initiates the access request in response to that instruction.
Step S22: in response to the authentication execution instruction fed back in a management frame after the access request, starting the image-acquisition unit to obtain face feature data.
The authentication execution instruction can be produced in several ways:
In one embodiment, after the access request has been sent to the WiFi access point device, the access point routes it to the control device, either unchanged or after some frame-format conversion (for example, carried inside a data frame); this causes the control device to feed back an authentication execution instruction, which the access point then routes to the access device.
In another embodiment, after the access request has been sent to the WiFi access point device, the access point processes it directly and itself originates the authentication execution instruction, returning it to the access device in a management frame.
In yet another embodiment, the authentication execution instruction may be triggered by the access device itself, following preset program logic, after it has sent the access request. Specifically, following the conventional protocol procedure, when the connection request stage completes and a frame such as a Probe Response (here treated as the authentication execution instruction) is received, the access device triggers the subsequent steps on its own, avoiding dependence on an external device and simplifying the procedure.
Whichever way the authentication execution instruction is produced in response to the access request, the access device's execution of the subsequent steps is unaffected. The exception is when the source address carried in the access request, which identifies the access device, has been blocked by the WiFi access point device: the access device then never receives the authentication execution instruction and the subsequent steps are not carried out.
Once the access device obtains the authentication execution instruction, the instruction triggers start-up of the device's image-acquisition unit. With it, a scanning interface is activated that displays the unit's live preview. When the user points the lens at a face and issues a capture command by any means (voice, gesture, button, and so on), a face image is obtained and face feature data is extracted from it. Alternatively, the image-acquisition unit may, without any user command, automatically take a frame of the preview as the face image and extract face feature data from it. After the face feature data has been obtained successfully, the scanning interface is closed, either under control or on its own.
Step S23, returning to the WiFi access point device a multicast frame or an authentication management frame containing the face feature data in answer to the authentication execution instruction, is implemented as follows:
After the access device has obtained the face feature data, it must submit it to the WiFi access point device so that it can be authenticated; this submission is its answer to the authentication execution instruction.
In one embodiment, based on a modification of the connection procedure between WiFi devices, the access device carries the face feature data in an authentication management frame and transmits it to the WiFi access point device. Another example, using multicast frames to transmit the face feature data, is disclosed below:
Because the access device has not yet established a WiFi connection with the WiFi access point device, it cannot transmit the face feature data in data frames. It therefore uses a group of several multicast frames. Specifically, the access device converts the face feature data into binary, loads it in segments into an editable field of multiple multicast frames (specifically, the address field), and sends those frames.
The device responsible for processing the face feature data, which according to the corresponding embodiments above is generally the WiFi access point device but may also be the control device, receives these multicast frames, extracts the binary segments of the face feature data from the editable field of each frame, assembles them in segment order, and converts the result back into the face feature data.
To strengthen data security in transit, once the face feature data has been obtained it can be encrypted according to a scheme agreed with the device that processes the data, and only the encrypted face feature data is then encoded into the multicast frames. Correspondingly, the processing device must decrypt it. This matters because frames sent before association are not protected by the link's own encryption, so any station in range can record them.
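The segmentation and reassembly just described, as an added example that is not taken from the patent: the template is spread across the 6-byte destination address of successive multicast frames, with the group bit set so that each is a valid group address, and the receiver reassembles the segments in sequence order, refusing truncated or altered data. The frame layout (one descriptor frame carrying the segment count and a CRC-32, then data frames each carrying a sequence number and four payload bytes) is an assumption of this example, as is the 8-bit sequence number; the encryption agreed between the two devices is assumed to have been applied to the template before it is passed to the encoder.

```python
"""Carrying a face-feature template over a not-yet-associated 802.11 link
by segmenting it into the address field of multicast frames.

Added example, not the patent's code. Each "frame" here is just the 6-byte
destination address that would be placed in the multicast frame; the
layout is an assumption: descriptor frame [0x07][n_frames][crc32],
data frames [0x03][seq][4 payload bytes]. The template is assumed to be
already encrypted under the scheme agreed with the receiving device.
"""
import struct
import zlib

PAYLOAD_PER_FRAME = 4      # 6-byte address minus 2 header bytes
MCAST_LOCAL = 0x03         # bit 0 = group address, bit 1 = locally administered
HEADER_FLAG = 0x04         # marks the descriptor frame


def encode_template(template):
    """Split `template` into a list of 6-byte multicast addresses.
    The data stream is length-prefixed so the final frame's zero padding
    can be stripped; the descriptor carries the frame count and CRC-32."""
    stream = struct.pack(">H", len(template)) + template
    n_frames = -(-len(stream) // PAYLOAD_PER_FRAME)   # ceiling division
    if n_frames > 255:
        raise ValueError("template too large for 8-bit sequence numbers")
    crc = zlib.crc32(template)
    frames = [bytes([MCAST_LOCAL | HEADER_FLAG, n_frames]) + struct.pack(">I", crc)]
    for seq in range(1, n_frames + 1):
        chunk = stream[(seq - 1) * PAYLOAD_PER_FRAME: seq * PAYLOAD_PER_FRAME]
        frames.append(bytes([MCAST_LOCAL, seq]) + chunk.ljust(PAYLOAD_PER_FRAME, b"\0"))
    return frames


def decode_template(frames):
    """Reassemble frames delivered in any order, ignoring unrelated group
    addresses. Returns None if the descriptor is absent, a segment is
    missing, or the CRC fails: the receiver must then drop the submission
    rather than authenticate a truncated or altered template."""
    n_frames = crc = None
    segments = {}
    for f in frames:
        if len(f) != 6:
            continue
        if f[0] == MCAST_LOCAL | HEADER_FLAG:
            n_frames, crc = f[1], struct.unpack(">I", f[2:])[0]
        elif f[0] == MCAST_LOCAL and f[1] != 0:
            segments[f[1]] = f[2:]
    if n_frames is None or any(s not in segments for s in range(1, n_frames + 1)):
        return None
    stream = b"".join(segments[s] for s in range(1, n_frames + 1))
    (length,) = struct.unpack(">H", stream[:2])
    template = stream[2:2 + length]
    if len(template) != length or zlib.crc32(template) != crc:
        return None
    return template
```

The CRC only detects accidental corruption and loss; it is not an authentication tag, so integrity against a deliberate in-range attacker has to come from the agreed encryption scheme applied before encoding.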
Combined with one of the foregoing embodiments, the device processing the face feature data may be the WiFi access point device: it parses the received face feature data, encodes it into a data frame and transmits that to the control device, which then extracts the face feature data from the data frame. Combined with the other embodiment, the control device itself receives the multicast frames routed by the WiFi access point device and parses the face feature data from them.
The control device then authenticates the face feature data it receives. In some of the embodiments disclosed above, if the control device's blacklist contains the source address pointing to the access device (that source address may be supplied together with the face feature data for identification), the control device may not respond to the face feature data at all, or may respond but ultimately refuse to authenticate it. If the control device does not find the source address of the access device that supplied the face feature data on its blacklist, the face feature data is authenticated by the normal procedure. According to the different embodiments above, the control device compares the access device's face feature data with the pre-stored feature data in the local feature library or the cloud server's feature library; if the library contains pre-stored feature data consistent with the face feature data, authentication succeeds, otherwise it fails, and authentication result information is generated accordingly and sent to the WiFi access point device. "Consistent" here does not mean that the representation or content of the two must be identical: it may mean that their similarity reaches a preset degree, or lies within an allowed range.
In a further refinement, the WiFi access point device may cache or store the pre-stored feature data in the feature library that corresponds to the source address, or even the entire feature library. In that case, when an access device reaches the WiFi access point device, the access point can first compare against its cached feature library to determine whether authentication succeeds and generate the authentication result information itself, so that authentication of the face feature data need not involve the control device. When the WiFi access point device works from a cache of the pre-stored feature data or of the whole library, a validity period should be set for the cached data so that it is kept current. Remote updating of the feature data or the whole library cached or stored on the access point can of course be controlled from the control device.
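As an added example (not the patent's code) of the threshold-based "consistency" test described above and of the AP-side cache with a validity period: templates are compared by cosine similarity against every pre-stored template, a match requires the best score to reach a threshold rather than exact equality, and the access point decides locally while its cached copy of the library is valid, refreshing it from the control device once the validity period has elapsed. The feature vectors are constructed lists of floats, and the cosine measure and the 0.92 threshold are assumed choices standing in for whatever comparison the deployed recognition model uses.

```python
"""Similarity-threshold matching against a feature library, plus an
AP-side cache of that library with a validity period.

Added example, not the patent's code. Feature vectors are constructed
lists of floats; cosine similarity and the 0.92 threshold are assumptions
standing in for the deployed face-recognition model's own comparison.
"""
import math
import time

MATCH_THRESHOLD = 0.92   # assumed: similarity at or above this counts as "consistent"


def cosine_similarity(a, b):
    """Similarity in [-1, 1]; 1.0 means the vectors point the same way."""
    if len(a) != len(b):
        raise ValueError("feature vectors must have the same dimension")
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def match_template(probe, library, threshold=MATCH_THRESHOLD):
    """Compare a submitted template with every pre-stored template.
    Returns (success, matched_identity, best_score). "Consistent" means
    the best score reaches the threshold, not byte-for-byte equality."""
    best_id, best = None, -1.0
    for identity, stored in library.items():
        score = cosine_similarity(probe, stored)
        if score > best:
            best_id, best = identity, score
    ok = best >= threshold
    return ok, (best_id if ok else None), best


class CachedLibrary:
    """AP-side copy of the control device's feature library that expires
    after ttl_seconds, so a revoked or replaced template cannot linger."""

    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._entries = None
        self._expires_at = 0.0

    def refresh(self, library):
        """Install a fresh copy pushed by, or fetched from, the control device."""
        self._entries = dict(library)
        self._expires_at = self.clock() + self.ttl

    def get(self):
        """Return the cached library, or None once it has expired."""
        if self._entries is None or self.clock() >= self._expires_at:
            return None
        return self._entries


def authenticate_at_ap(probe, cache, fetch_from_control_device):
    """Decide locally while the cache is valid; otherwise refresh it from the
    control device (a callable standing in for the network round-trip) and
    then decide. Returns the authentication result information."""
    library = cache.get()
    refreshed = False
    if library is None:
        library = fetch_from_control_device()
        cache.refresh(library)
        refreshed = True
    ok, identity, score = match_template(probe, library)
    return {
        "result": "success" if ok else "failure",
        "identity": identity,
        "score": round(score, 4),
        "cache_refreshed": refreshed,
    }
```

The threshold trades false accepts against false rejects; for access control it should be set from the recognition model's measured error rates, not guessed.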
Step S24, carrying out the association procedure specified by the WiFi protocol to join the network hosted by the WiFi access point device once the face feature data has passed authentication and a management frame indicating success has been received, is implemented as follows:
Whether the control device sends the authentication result information indicating success or failure to the WiFi access point device, or the access point generates that information itself, the access point can give the access device's access request its final response on the basis of the result. Specifically, the WiFi access point device may respond in any one or more of the following ways to give the access request its final response:
Method 1: In accordance with IEEE 802.11, depending on whether the authentication result information indicates success or failure, the access point returns to the access device a management frame indicating that access to the network is allowed or refused (normally the management frame that concludes the authentication phase). On receiving it, the access device can tell from the frame's content whether it passed authentication and accordingly establishes or abandons the connection to the access point's network; when authentication has passed, it starts the association phase and thereby joins the network hosted by the WiFi access point device.
Mode 2: depending on whether the authentication result information indicates authentication success or failure, when it indicates success the WiFi access point device grants the association request of the access terminal device so that it accesses the communication network, achieving successful access of the access terminal device to the network; when it indicates failure, the WiFi access point device does not respond to the association request of the access terminal device, so that the access terminal device treats the request as timed out and regards authentication as having failed.
Mode 3: the WiFi access point device sends the authentication result information to the access terminal device as its response and itself operates according to the IEEE 802.11 protocol. After the access terminal device receives and parses the authentication result information, when it indicates success the access terminal device initiates an association request according to the protocol to confirm access to the communication network; when it indicates failure, the access terminal device can take follow-up actions such as requesting again.
Of course, viewed broadly, the management frame described in Mode 1 can itself be regarded as the authentication result information. Those skilled in the art can flexibly apply the above modes to establish a connection or raise an alert in the access terminal device after the facial feature data has passed authentication. In a generally applicable implementation, when the access terminal device confirms that authentication has failed, it may display an alert message on its user interface to notify the user to take follow-up action, improving human-computer interaction. When the access terminal device confirms that authentication has succeeded and carries out the association procedure specified by the WiFi protocol, the connection is confirmed as a trusted connection. After the trusted connection is established, the access terminal device may, according to some protocol agreed in advance with the WiFi access point device, store connection information for subsequent authentication-free login to the communication network, so that the access terminal device can use this connection information to access the communication network easily without going through any authentication procedure.
Referring to FIG. 8, in a further enhanced embodiment of the present invention, the WiFi access authentication method applicable to a portable access terminal device further includes step S25: counting the number of times the access terminal device has failed to access the communication network after initiating the access request and, when that number reaches a predetermined value, determining that the device is in a state in which its access requests are blocked, and initiating, in response to a user instruction, a recovery request asking that its access requests be allowed again. The specific implementation is as follows:
Provided that the control terminal device or the WiFi access point device supports the disaster recovery means described above, the access terminal device can count the number of connection failures so that, when it has been blocked from access by the control terminal device or the WiFi access point device, it can restore its possibility of accessing the communication network by technical means.
As described above, a failed authentication prevents the access terminal device from establishing a connection to the communication network of the WiFi access point device; it would be unreasonable for a device to be blocked permanently because the facial feature data it provided failed authentication several times. To achieve reasonable security, the access terminal device counts the number of times it has failed to access the communication network and is given a preset value for this count. Once the count exceeds the preset value, the device can determine that it is in a state in which its access requests are blocked, and therefore opens a control element on the user interface, which may be a virtual button, through which the communication network can be requested to resume responding to its access requests. As an equivalent alternative, a validity period may also be set, such that the control element is opened only once the time elapsed since counting began reaches that validity period.
The user can then trigger the control element to issue a user instruction, and in response the access terminal device sends to the communication network a recovery request asking that its own access requests be allowed again. Correspondingly, depending on whether the blocking mechanism is implemented by the control terminal device or by the WiFi access point device, the recovery request reaches the control terminal device or the WiFi access point device; the device receiving it can notify the administrator to respond, and once the administrator approves the recovery request, subsequent access requests of the access terminal device can be processed normally by the communication network.
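The following is an added illustration of the step S25 logic on the access terminal side (not code from the patent): the failure counter, the optional validity-period rule, and the gating of the recovery request behind the opened control element. The class and constant names, the injected clock and the request layout are assumptions.

```python
"""Step S25 on the access terminal: infer the blocked state from repeated
failures and gate the recovery request behind the UI control element.

Added example, not the patent's code. Names (AccessTerminalState,
FAILURE_THRESHOLD, VALIDITY_PERIOD_S) and the request dict are assumptions;
the clock is passed in so the validity-period variant can be tested.
"""
from dataclasses import dataclass
from typing import Optional

FAILURE_THRESHOLD = 3       # assumed preset value for the failure count
VALIDITY_PERIOD_S = 60.0    # assumed validity period, seconds since counting began


@dataclass
class AccessTerminalState:
    threshold: int = FAILURE_THRESHOLD
    validity_period_s: Optional[float] = None   # None selects the count-only variant
    failures: int = 0
    first_failure_at: Optional[float] = None
    recovery_requested: bool = False

    def record_failure(self, now: float) -> None:
        """Count one unsuccessful access attempt; remember when counting began."""
        if self.first_failure_at is None:
            self.first_failure_at = now
        self.failures += 1

    def record_success(self) -> None:
        """A successful access means the terminal is not blocked: reset the count."""
        self.failures = 0
        self.first_failure_at = None
        self.recovery_requested = False

    def is_blocked(self) -> bool:
        """The terminal judges itself blocked once the count reaches the preset value."""
        return self.failures >= self.threshold

    def recovery_control_open(self, now: float) -> bool:
        """Whether the virtual button for a recovery request is shown.

        Count variant: open as soon as the terminal judges itself blocked.
        Validity-period variant: additionally require that the time elapsed
        since counting began has reached the validity period.
        """
        if not self.is_blocked():
            return False
        if self.validity_period_s is None:
            return True
        assert self.first_failure_at is not None
        return now - self.first_failure_at >= self.validity_period_s

    def request_recovery(self, now: float, source_address: str) -> Optional[dict]:
        """Build the recovery request sent when the user triggers the control.

        Returns None while the control is not open, so a request cannot be
        sent before the blocked state has actually been inferred.
        """
        if not self.recovery_control_open(now):
            return None
        self.recovery_requested = True
        return {
            "type": "recovery_request",
            "source_address": source_address,   # constructed sample identifier
            "failures": self.failures,
        }
```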
The above discloses in detail and in full several embodiments of the WiFi access authentication method implemented by the portable access terminal device of the present invention. From these it can be seen that the access terminal device can, at the request of the communication network it wishes to join, collect facial feature data locally and provide it to the communication network for authentication, thereby helping to strengthen the security of the communication network.
The WiFi access authentication control method of the present invention applicable to a WiFi access point device has multiple embodiments. Taking the previous embodiment as a basis, the following describes, step by step, the content of the remaining variant embodiments. Please continue to refer to FIG. 4 together with the following text:
The WiFi access point device is usually also called a WiFi router. A traditional WiFi router has a WiFi chip module and implements the corresponding management functions through low-level drivers, which are usually developed on the basis of the IEEE 802.11 protocol. In at least some embodiments of the present invention, still on the basis of the IEEE 802.11 protocol, the low-level driver functions of the WiFi chip module need to be extended according to the functions realized by the corresponding embodiments, so as to assist in realizing the functions intended by at least some embodiments of the present invention; these functions are reflected in the descriptions of the individual steps of the various variant embodiments of the WiFi access authentication control method.
Step S31 is to receive an access request from the access terminal device. Likewise, the access request is the preliminary request initiated by the access terminal device after it detects the service set identifier (SSID) of the present invention. Depending on the role assignment between the control terminal device and the WiFi access point device disclosed above, the process of receiving the access request can take different forms in different embodiments.
In an embodiment in which the WiFi access point device manages access requests in the traditional way, the WiFi access point device responds to the access request itself after receiving it; it therefore does not route or convert and forward the request, and in particular need not pass it to the control terminal device. Conversely, in another improved embodiment, after receiving the request the WiFi access point device may forward the access request to the control terminal device in a form of its own, such as some kind of data frame or management frame, with the control terminal device responsible for responding; of course, the access request may also be routed directly to the control terminal device for response. In short, the access request should be able to reach the device that directly responds to such requests.
In an embodiment applicable to the case in which the WiFi access point device can block access requests, after receiving the access request the WiFi access point device extracts from it the source address of the access terminal device that initiated the request and looks it up in its blacklist. When it confirms that the source address is contained in the blacklist, it stops responding to the access request, or directly responds to the access request with a management frame indicating that access is refused, thereby strengthening the security management of the communication network. If the source address is not in the blacklist, the remaining steps proceed according to the normal process.
Step S32 is to feed back an authentication execution instruction in response to the access request. The specific implementation is as follows:
As can be seen from the different implementations of the control terminal device described above, the authentication execution instruction may either originate from the control terminal device and be routed through the WiFi access point device, or originate from the WiFi access point device itself. Therefore, "feeding back an authentication execution instruction" here may refer either to the implementation in which the authentication execution instruction originating from the control terminal device is routed to the access terminal device, or to the implementation in which the WiFi access point device itself sends it to the access terminal device. Combined with the embodiments disclosed above: after the access request is initiated and the connection request phase of the IEEE 802.11 protocol is completed, the management frame generated as the authentication response to the authentication request initiated in the authentication phase can also be regarded as a form of authentication execution instruction. Which approach is adopted still depends on the assignment of management roles between the control terminal device and the WiFi access point device.
It can be inferred that once the WiFi access point device has blocked an access request according to the blacklist, it will no longer feed back the authentication execution instruction in response to that access request.
Step S33 is to receive the facial feature data fed back in answer to the authentication execution instruction and to request the control terminal device to authenticate it. Its specific implementation takes the following variant forms:
As disclosed above, the portable access terminal device collects facial feature data in response to the authentication execution instruction transmitted by the WiFi access point device and feeds the facial feature data back to the communication network, where it is either received directly by the control terminal device or, as in this embodiment, first reaches the WiFi access point device.
With reference to one implementation disclosed above, the WiFi access point device may authenticate the received facial feature data itself. The WiFi access point device stores or caches the feature library required for authentication, or one or more pieces of pre-stored feature data from it, and matches the received facial feature data against the pre-stored feature data (in the feature library); when consistent facial feature data is matched, authentication is regarded as successful, otherwise as failed. The subsequent processing of this embodiment has already been comprehensively disclosed in the corresponding method of the access terminal device described above; the following focuses on the latter embodiment.
In another embodiment, the WiFi access point device is not responsible for authenticating the received facial feature data. Instead it routes the facial feature data to the control terminal device, or itself encapsulates the facial feature data into a data frame and sends it to the control terminal device, requesting the control terminal device to authenticate it. The control terminal device compares the facial feature data with the pre-stored feature data in its local feature library or in a feature library on a cloud server, determines whether the two are consistent, and feeds back the authentication result information to the WiFi access point device, which determines from the content of that information whether authentication succeeded or failed.
Of course, while being transmitted among the several devices, the facial feature data may be either in plaintext or encrypted, and the encryption method can be set flexibly. It is only necessary that the devices agree in advance on this kind of information transmission and cooperate with each other during operation.
It should be pointed out that, because the access terminal device has not yet established a WiFi connection with the WiFi access point device, it cannot transmit the facial feature data in the form of data frames. For this reason, the access terminal device uses a group of multiple multicast frames to transmit the facial feature data. Specifically, the access terminal device converts the facial feature data into binary code, loads it in segments into an editable field of multiple multicast frames, namely their address field, and then sends those multicast frames. In this embodiment, the WiFi access point device, after receiving these multicast frames, extracts the binary code of the loaded facial feature data from the editable field of each multicast frame, assembles the segments in order, and converts the result back into facial feature data.
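As an added example (not code from the patent), the following shows the segmentation and in-order reassembly just described, including the cases a receiver has to handle: frames arriving out of order, a missing segment, and frames from two different transmissions mixed together. The 6-byte layout of the editable address field (1 byte segment index, 1 byte segment count, 4 payload bytes) and the 2-byte length prefix are assumptions; the patent only says the binary code is loaded in segments into the address field.

```python
"""Carrying facial feature data in the editable address field of multicast
frames (the step S33 transport), with in-order reassembly at the access point.

Added example, not the patent's code. Assumed layout: the 6-octet address
field holds [segment index][segment count][4 payload bytes]; the payload
stream is prefixed with a 2-byte big-endian length so padding can be removed.
"""
import struct
from typing import Dict, Iterable, List, Optional

FIELD_LEN = 6                   # octets in an 802.11 address field
HDR_LEN = 2                     # index byte + count byte
CHUNK = FIELD_LEN - HDR_LEN     # 4 payload bytes per frame


def segment_feature_data(feature_data: bytes) -> List[Dict[str, bytes]]:
    """Split the binary feature data into multicast-frame descriptors.

    Each descriptor carries only the editable field; everything else about
    the frame is outside the scope of this example.
    """
    if len(feature_data) > 0xFFFF:
        raise ValueError("feature data too long for the 2-byte length prefix")
    stream = struct.pack(">H", len(feature_data)) + feature_data
    count = -(-len(stream) // CHUNK)            # ceiling division
    if count > 255:
        raise ValueError("too many segments for a 1-byte index")
    frames = []
    for idx in range(count):
        piece = stream[idx * CHUNK:(idx + 1) * CHUNK].ljust(CHUNK, b"\x00")
        frames.append({"address_field": bytes([idx, count]) + piece})
    return frames


def reassemble_feature_data(frames: Iterable[Dict[str, bytes]]) -> Optional[bytes]:
    """Reassemble segments in index order.

    Returns None when a segment is missing, two frames disagree on the
    segment count (frames from different transmissions), an index is out
    of range, or a duplicate index carries conflicting bytes.
    """
    segments: Dict[int, bytes] = {}
    count: Optional[int] = None
    for frame in frames:
        field = frame["address_field"]
        if len(field) != FIELD_LEN:
            return None
        idx, n = field[0], field[1]
        if count is None:
            count = n
        elif n != count:
            return None                         # mixed transmissions
        if idx >= count:
            return None                         # index out of range
        payload = field[HDR_LEN:]
        if idx in segments and segments[idx] != payload:
            return None                         # conflicting duplicate
        segments[idx] = payload
    if count is None or len(segments) != count:
        return None                             # nothing received or a gap
    stream = b"".join(segments[i] for i in range(count))
    (length,) = struct.unpack(">H", stream[:2])
    if length > len(stream) - 2:
        return None                             # length prefix inconsistent
    return stream[2:2 + length]
```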
The control terminal device then authenticates the facial feature data it receives. In some of the embodiments disclosed above, if the blacklist of the control terminal device contains the source address pointing to the access terminal device (this source address can be provided together with the facial feature data for identification), the control terminal device may not respond to the facial feature data at all, or may respond but ultimately report that the facial feature data was refused authentication. If the control terminal device does not find in its blacklist the source address of the access terminal device that provided the facial feature data, it authenticates the facial feature data through the normal process. According to the different embodiments described above, the control terminal device compares the facial feature data of the access terminal device with the pre-stored feature data in the feature library of the local machine or of a cloud server; when it finds pre-stored feature data in the feature library consistent with the facial feature data, authentication is regarded as successful, otherwise as failed, and authentication result information is generated accordingly and sent to the WiFi access point device. It should be emphasized that the consistency between the facial feature data and the pre-stored feature data referred to here is not limited to complete identity of data representation or content; for example, it may mean that the similarity between the two reaches a preset degree or lies within an allowed range, in which case the two are regarded as consistent.
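The control-terminal decision described above, as an added example rather than the patent's own code: the source address is checked against the blacklist first, and only then is the facial feature data matched against the feature library, where "consistent" means the similarity reaches a preset degree. The feature representation (a float vector compared by cosine similarity), the threshold value and the result encoding are assumptions.

```python
"""Control-terminal authentication of received facial feature data.

Added example, not the patent's code. Assumptions: features are float vectors,
"consistent" means cosine similarity >= SIMILARITY_THRESHOLD (the patent's
"preset degree"), and the result is encoded as an AuthResult dataclass.
"""
import math
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Set

SIMILARITY_THRESHOLD = 0.90     # assumed preset degree of similarity


def cosine_similarity(a: Sequence[float], b: Sequence[float]) -> float:
    """Similarity in [-1, 1]; 0.0 when either vector is all zeros."""
    if len(a) != len(b):
        raise ValueError("feature dimension mismatch")
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    if na == 0.0 or nb == 0.0:
        return 0.0
    return dot / (na * nb)


@dataclass(frozen=True)
class AuthResult:
    """The authentication result information sent back to the access point."""
    source_address: str
    success: bool
    reason: str                      # "match", "no_match" or "blacklisted"
    matched_id: Optional[str] = None
    similarity: float = 0.0


class ControlTerminal:
    def __init__(self, feature_library: Dict[str, Sequence[float]],
                 threshold: float = SIMILARITY_THRESHOLD) -> None:
        self.library = dict(feature_library)   # pre-stored feature data by subject id
        self.threshold = threshold
        self.blacklist: Set[str] = set()       # blocked access-terminal source addresses

    def block(self, source_address: str) -> None:
        self.blacklist.add(source_address)

    def unblock(self, source_address: str) -> None:
        self.blacklist.discard(source_address)

    def authenticate(self, source_address: str,
                     feature: Sequence[float]) -> AuthResult:
        """Blacklist check first, then best-match search against the library.

        A blacklisted source is refused without consulting the library, which
        models the "respond but refuse" variant in the text.
        """
        if source_address in self.blacklist:
            return AuthResult(source_address, False, "blacklisted")
        best_id: Optional[str] = None
        best_sim = -1.0
        for subject_id, stored in self.library.items():
            sim = cosine_similarity(feature, stored)
            if sim > best_sim:
                best_id, best_sim = subject_id, sim
        if best_id is not None and best_sim >= self.threshold:
            return AuthResult(source_address, True, "match", best_id, best_sim)
        return AuthResult(source_address, False, "no_match", None, max(best_sim, 0.0))
```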
Step S34 is to allow or block, according to the authentication result information indicating authentication success or failure fed back by the control terminal device, the access of the access terminal device to the preset communication network. Its various specific implementations are as follows:
As described above, in a typical embodiment the authentication result information comes from the control terminal device. After receiving the authentication result information fed back by the control terminal device, the WiFi access point device parses it to determine the specific content it represents, which is usually one of two types: authentication success or authentication failure.
In addition, in another embodiment of the present invention, the WiFi access point device may use a cached or stored feature library (or, specifically, its pre-stored feature data), updated under the control of the control terminal device, to match the facial feature data to be verified, and process the match result into the authentication result information, so that the WiFi access point device generates the authentication result information itself.
The embodiment disclosed here is clearly closer to the traditional implementation of the IEEE 802.11 protocol. Following the connection establishment process specified by that protocol, the access terminal device submits the facial feature data for authentication in the authentication phase; after the control terminal device or the WiFi access point device has authenticated it successfully or unsuccessfully, the WiFi access point device feeds back an authentication response frame according to the authentication result information produced by authentication, specifically a management frame indicating authentication success or a management frame indicating authentication failure. From the perspective of the access terminal device, this authentication response frame can also broadly be regarded as receipt of the authentication result information.
Of course, a more substantial improvement can also be made instead. Specifically, the WiFi access point device may not process the authentication result information of the control terminal device directly, but route it directly to the access terminal device. Alternatively, even when the WiFi access point device authenticates the facial feature data itself, it may generate authentication result information that differs from the IEEE 802.11 protocol specification. In such implementations, both the form and the content of the authentication result information may differ from those of the IEEE 802.11 protocol, as long as the access terminal device and the WiFi access point device have agreed on them in advance.
Seen in this light, in any case, and although it is not a strictly necessary step, the WiFi access point device may originate or forward the authentication result information to the access terminal device, and the access terminal device may parse the authentication result information and decide its subsequent connection process accordingly.
However, as a basic function, the WiFi access point device can parse the authentication result information as it sees it. After parsing the authentication result information, the WiFi access point device can, according to the content it represents, i.e. whether authentication succeeded or failed, respond to the subsequent association request with which the access terminal device expects to complete the connection, and determine whether to allow a trusted WiFi connection to the access terminal device to be established. Combining the situations disclosed above, the WiFi access point device can, depending on the authentication result information, exercise the following resulting control over the access request of the access terminal device:
When the authentication result information indicates authentication success, it sends a management frame indicating authentication success to the access terminal device to allow it to access the communication network set up by the access point; it responds normally to the association request that the access terminal device initiates itself, according to the IEEE 802.11 protocol, after receiving the management frame indicating authentication success, and to subsequent communication, feeding back in response to the association request a management frame indicating association success to the access terminal device as confirmation, thereby establishing the WiFi connection between the access terminal device and the WiFi access point device.
When the authentication result information indicates authentication failure, it sends a management frame indicating authentication failure to the access terminal device to block it from accessing the communication network set up by the access point; to an association request that the access terminal device initiates itself, according to the IEEE 802.11 protocol, after receiving the management frame indicating authentication failure, the WiFi access point device either does not respond, or responds with a management frame indicating association failure to the access terminal device as a warning.
Of course, as can be seen from some of the embodiments disclosed above, once the access terminal device receives the authentication result information it knows whether the facial feature data it provided passed or failed authentication, so the access terminal device can itself decide, based on the authentication result information, whether to continue the subsequent connection process specified by the IEEE 802.11 protocol. When the authentication result information indicates authentication success (such as the management frame indicating authentication success), it may initiate an association request and, after receiving the association success response frame fed back by the WiFi access point device, complete access to the communication network. When the authentication result information indicates authentication failure (such as the management frame indicating authentication failure), it may terminate the subsequent connection process and, if necessary, display an alert message through the user interface.
It should be clear that, according to the above embodiments, the authentication result information received at the access terminal device, from its perspective, may either be a communication format with pre-agreed custom content originated or routed by the WiFi access point device, or the management frame indicating authentication success or failure that the WiFi access point device sends according to the IEEE 802.11 protocol based on the content of the authentication result information it received.
For convenience of management and operation, after the access terminal device has successfully accessed the communication network of the WiFi access point device, the WiFi access point device may save the information of the access terminal device locally and regard it as a trusted connection; when the access terminal device later reconnects, the execution of the authentication phase can be omitted on the basis of this trust relationship, simplifying subsequent access.
Referring to FIG. 9, in a further specific embodiment, the WiFi access authentication control method executed by the WiFi access point device of the present invention further includes a preliminary step S30: pre-establishing a trusted connection between the device and the control terminal device based on a WiFi connection. For its specific implementation, please refer to the relevant description above.
Referring to FIG. 10, in a further improved embodiment, the WiFi access authentication control method executed by the WiFi access point device of the present invention further includes step S35: in response to a read instruction and/or a configuration instruction from the control terminal device, feeding back and/or modifying the configuration parameters of the device's communication network. Its specific implementation, combined with the various implementations of the control terminal device described above, is as follows:
The control terminal device described above can read the configuration parameters of the communication network from the WiFi access point device and display a user management interface for them, in which they are presented as the relevant setting options for the user to modify; when the user submits modifications, they are submitted to the WiFi access point device for parameter modification, thereby changing the configuration of at least some parameters of the communication network.
Correspondingly, on the WiFi access point device side, it can receive the read instruction from the control terminal device, retrieve the configuration file relating to the communication network, and feed back to the control terminal device the configuration parameters of the communication network contained in that file. Likewise, the WiFi access point device can also receive the configuration instruction that the control terminal device forms by encapsulating the configuration parameters (corresponding to the setting options in the user interface) after the user has modified them, read the modified configuration parameters and their data from the configuration instruction, modify the data of the relevant configuration parameters according to the configuration instruction and bring them into effect, thereby cooperating with the control terminal device to provide the user with a better remote maintenance experience.
As described above, the present invention may add control functions at the WiFi access point device in order to improve security. For this, please refer to what is disclosed by the various improvements below:
Adapted to an embodiment implemented at the control terminal device, as shown in FIG. 11, the WiFi access authentication control method executed by the WiFi access point device further provides step S36: receiving from the control terminal device notification information indicating that access requests from a specified source address are to be blocked, and either stopping responses to access requests from the access terminal device with the specified source address contained in the notification information (for example, not feeding back a Probe Response frame), or feeding back to it a management frame indicating that it cannot connect. As a result, the access terminal device will consider itself unable to connect to the communication network.
In a further improvement, after receiving the notification information, the source address is added to a blacklist held by the device. The WiFi access point device can then match the source address in each received access request from an access terminal against the records in the blacklist to see whether that source address is present; if it is, the access request is blocked directly, and if not, it is handled according to the normal rules.
To round out the management functions of the WiFi access point device, in a further enhanced embodiment, referring to FIG. 12 and building on the previous embodiment, the WiFi access authentication control method of the present invention further includes step S37: receiving, from the control-end device, notification information cancelling the blocking of access requests from that source address, and resuming responses to access requests from the access-end device corresponding to that source address. With reference to the previous embodiment, this can be implemented by extracting from the notification information the source address to be unblocked and then deleting it from the blacklist.
In a further added embodiment, suited to the user interface management function implemented at the control end, referring to FIG. 13, the WiFi access authentication control method executed by the WiFi access point device further provides step S38: receiving a recovery request from the access-end device and routing the request to the control-end device to ask it to cancel the blocking of that access-end device's facial feature data. This step corresponds to the embodiment described above in which the control-end device blocks facial feature data: after the control-end device has blocked the facial feature data, the access-end device is allowed to initiate the recovery request; the recovery request is sent over the communication network and is routed by the WiFi access point device to the control-end device. After receiving this notification, the control-end device alerts the user in the user interface; following the alert, the user enters the dedicated page of the user management interface and reviews whether to allow the recovery request. If it is allowed, the control-end device cancels the blocking of the access-end device's facial feature data, that is, it reopens the authentication function for that access-end device. This provides an effective technical recovery means after an access-end device has been blocked by the control-end device.
The above fully discloses various embodiments of the WiFi access authentication control method implemented by the portable WiFi access point device of the present invention. From them it can be seen that the WiFi access point device can cooperate with the control-end device and the access-end device to complete the authentication function of its open communication network and to improve both security and ease of management.
In line with the modular design concept of computer programs, the present invention also provides corresponding apparatus for each of the above methods, described in detail below:
The WiFi access remote authentication apparatus that the present invention provides for the portable control-end device has multiple embodiments. The various variant embodiments of this apparatus are described below in a manner that corresponds to the WiFi access remote authentication method described above.
Referring to FIG. 14, the WiFi access remote authentication apparatus includes an acquisition unit 12, a verification unit 13 and a feedback unit 14. The functions implemented by each unit should be understood in conjunction with the drawings and the following text:
By default, assuming that a trusted connection has been established between the control-end device and the WiFi access point device, the WiFi access remote authentication apparatus normally runs its acquisition unit 12, verification unit 13 and feedback unit 14 in that order. The process of establishing the trusted connection is also disclosed here. In one embodiment, the control-end device establishes a trusted connection with the WiFi access point device in advance by way of a WiFi connection; specifically, the control-end device can start in STA mode and connect to the WiFi access point device operating in AP mode. Then, as an arrangement common to the embodiments of the present invention but not mandatory, a configuration unit 10 can be provided as shown in FIG. 15, configured to display, in response to a user management instruction, a user management interface for modifying the setting options that apply to the WiFi access point device. By running this configuration unit 10, the control-end device can retrieve the setting options of the WiFi access point device according to a pre-agreed protocol and display them in the user management interface on the touch-sensitive display. The user calls up the user management interface either by triggering the user management instruction on the control-end device or by that instruction being triggered by default. The user management interface, displayed in response to that instruction, presents the various setting options of the WiFi access point device and allows the user to modify those options that act on the WiFi access point device (in particular the setting options of its communication network), so that the control-end device takes over the management interface of the WiFi access point device and provides more convenient management operations. The setting options are varied, for example the SSID name of the communication network, DHCP function settings, channel number and choice of authentication mode; any option related to WiFi network functions whose change alters the effective configuration of the WiFi access point device can be regarded as such an option. In particular, the term "option" must not be understood as restricted to "one of two" or "one of many" choices, as those skilled in the art will appreciate.
The acquisition unit 12 is used to acquire the facial feature data to be verified, which is submitted with a request to access the communication network and forwarded by the WiFi access point device. Its specific implementation is as follows:
In one embodiment, the control-end device can directly process the multicast signal sent by the access-end device that contains the facial feature data to be verified, in order to obtain that data. Specifically, because the access-end device has not yet successfully joined the communication network provided by the WiFi access point device, it cannot send the facial feature data in data frames, but it can use a group of multiple multicast frames to carry the data. The access-end device converts the facial feature data into binary code, loads it into an editable field of multiple multicast frames, specifically their address fields, and then sends those multicast frames. The control-end device receives these multicast frames directly, extracts the binary code from the editable fields, and converts it back into facial feature data.
In another embodiment, the operation of extracting facial feature data from the access-end device's multicast signal is performed by the WiFi access point device, which then loads the data into a data frame and sends it to the control-end device; the control-end device simply extracts the facial feature data from the data frame.
After the acquisition unit 12 obtains the facial feature data, then according to the protocol, if the data is encrypted it should be decrypted; otherwise it can be used directly for subsequent verification.
The verification unit 13 is used to verify the facial feature data and obtain authentication result information indicating whether verification succeeded or failed. Its specific implementation is as follows:
Specifically, the control-end device can obtain in advance a feature library storing the facial feature data of legitimate users. This feature library can be stored in the local memory of the control-end device, or on a cloud server that the control-end device can use through remote requests. The facial feature data in the feature library, that is, the pre-stored feature data, can be kept in encrypted form to strengthen its data security. When verifying the facial feature data, the control-end device can perform one of the following different processes depending on where the feature library is stored:
For a locally stored feature library, the control-end device uses the verification unit 13 to compare the facial feature data to be verified with the pre-stored feature data in the feature library. If pre-stored feature data consistent with the facial feature data is found to exist, the facial feature data is regarded as provided by a legitimate user identity; otherwise it is regarded as provided by an illegitimate user identity. In these two cases, authentication result information indicating success or failure of the verification is generated respectively. The consistency referred to here between the facial feature data and the pre-stored feature data should not be limited to complete identity of data representation or data content; for example, it can mean that the similarity between the two reaches a preset degree or lies within a permitted range, in which case the two are regarded as consistent.
For a feature library stored on a cloud server, the control-end device uses the verification unit 13 to package the facial feature data to be verified in a verification request and send it to the cloud server; the server performs a verification process such as the one described above using the facial feature data, and finally the cloud server generates the authentication result information and returns it to the control-end device.
It can be seen that, whether verification is performed locally or submitted to the cloud server, the control-end device can obtain the authentication result information through the verification unit 13.
To construct the feature library, in one embodiment the WiFi access remote authentication apparatus executed by the control-end device starts and runs a collection unit 18 that it further includes, configured to display, in response to a user collection instruction, an image collection interface for collecting the user's facial feature data as the pre-stored feature data.
Typically, the control-end device is provided with an application program dedicated to implementing this apparatus and the collection unit 18. While the application is running, the image collection interface can be activated and displayed by means of a virtual button or a specific gesture. When the image collection interface is activated, the image capture unit of the control-end device, for example a camera, is started to capture an image preview. Once the user has settled on a facial expression, a further confirmation instruction, given by voice, gesture, virtual button or the like, causes the image capture unit to take a facial image, which is processed to extract the facial feature data; that facial feature data is then stored as the pre-stored feature data in the local feature library or submitted to the cloud feature library for storage. As mentioned above, when this facial feature data is stored, it can be represented in some encrypted form in the feature library to strengthen its data security.
The feedback unit 14 is configured to return the authentication result information to the WiFi access point device. Its specific implementation is as follows:
First, the feedback unit 14 returns the authentication result information to the WiFi access point device, the purpose being to cause the WiFi access point device to allow or block the access-end device that provided the facial feature data to be verified from joining the communication network set up by the WiFi access point device; the function of allowing or blocking access to the communication network, however, is implemented by the WiFi access point device itself. Therefore, after receiving the authentication result information, the WiFi access point device responds to the access-end device that initiated the request to join the communication network, according to the content of the authentication result information, by allowing or refusing its access. The access-end device can thus confirm whether authentication passed by observing whether it has successfully joined the communication network.
None of the variant embodiments above considers the processing of the access request initiated by the access-end device to join the communication network; they only consider the processing of the facial feature data it subsequently submits. Therefore, in line with those embodiments, the access request, in particular a handshake request initiated on the basis of beacon frames of the traditional WiFi protocol, is handled by the WiFi access point device according to its traditional protocol logic, which then further requires the access-end device to submit the facial feature data, and the WiFi access point device routes that data to the control-end device for the processing described in the embodiments above. In this way the control-end device skips the step of handling the access-end device's access request and only implements the function of treating the facial feature data as the request and verifying it, thereby simplifying system overhead.
However, in a further improved embodiment of the present invention, as shown in FIG. 16, the WiFi access remote authentication apparatus further includes a start-up unit 11 that runs beforehand, used to obtain the access request of the access-end device seeking to join the communication network set up by the WiFi access point device and to return an authentication execution instruction, so that the facial feature data to be verified, submitted in response to that authentication execution instruction, can subsequently be obtained.
Specifically, after the access-end device detects the beacon frame of the communication network set up by the WiFi access point device, or determines the SSID of the communication network through a Probe Request (to which a Probe Response frame is returned), it can initiate an access request to the WiFi access point device. In the first class of embodiments described above, in which the control-end device does not consider this access request, the request is handled directly by the WiFi access point device; in the present embodiment, the WiFi access point device can route the access request to the control-end device, or pass it to the control-end device in some converted form, and in either case the control-end device treats what it receives as an access request by the access-end device to join the communication network set up by the WiFi access point device. In response to that access request, the control-end device uses the start-up unit 11 to return an authentication execution instruction to the access-end device via the WiFi access point device, or the WiFi access point device converts it into some form and delivers it to the access-end device, whereas in the first class of embodiments described above the authentication execution instruction originates from the WiFi access point device itself and is sent to the access-end device. After receiving the authentication execution instruction (or after treating a received Probe Response frame as the authentication execution instruction), the access-end device can, according to a preset program, respond by starting its image capture unit to obtain the body feature data to be verified and submit it, thereby ensuring the normal operation of the remaining units of this apparatus.
Combining the above embodiments of the WiFi access remote authentication apparatus implemented at the control-end device, it can be seen that in some embodiments the access request of the access-end device and the authentication execution instruction responding to it can be processed by the control-end device and routed through the WiFi access point, while in other embodiments the control-end device need not take part in processing the access request and the authentication execution instruction. By comparison, having the WiFi access point device process the access-end device's access request and return the authentication execution instruction simplifies the communication process and reduces the load on the control-end device; having the control-end device process the access request and originate the authentication execution instruction strengthens the centralized management capability of the control-end device and further improves the security of the communication network. In a further improvement, during the WiFi access point device's handling of the connection request, a management frame used to confirm that connection request process, such as a Request Response frame, can be regarded as the authentication execution instruction.
As shown in FIG. 17, in a further refined embodiment, the WiFi access remote authentication apparatus executed by the control-end device further includes a statistics unit 15, used to count the number of failed authentications of facial feature data having the same source address and, when the failure count exceeds a preset value, to block the facial feature data from that source address.
The statistics unit 15 tracks the number of times the facial feature data to be verified, submitted repeatedly from the same source address, has failed authentication, which helps to improve the security of the communication network; for this purpose the control-end device keeps statistics on the facial feature data it receives. Whether the WiFi access point device directly routes the access-end device's facial feature data or repackages that data in its own message format, when the data is sent to the control-end device the submitted packet contains a unique identifier of the access-end device, for example its MAC address, UUID or host name. Each such unique identifier therefore represents a source address, and the control-end device can count the verification failures of facial feature data having the same source address. Preferably, a statistics period such as half an hour or five minutes can be set; when, within that period, the facial feature data submitted repeatedly from the same source address has accumulated a specified number (the preset value) of verification failures, or in other words has exceeded the preset value, the control-end device regards that source address as the origin of a malicious attack, or at least as an intrusion attempt by an illegitimate user. In this case, the control-end device blocks the facial feature data from that source address and no longer verifies or returns results for facial feature data from it, so that the local device and even the entire communication network are protected from malicious attack.
A simpler way that still achieves effective management is to add the source address to be blocked to a blacklist. For facial feature data subsequently forwarded for verification, the blacklist is first queried for the data's source address; if the address is present, the facial feature data is filtered out directly, which blocks the facial feature data from that source address, and if it is absent, processing proceeds normally.
To complement the statistics unit 15, a disaster recovery unit 16 can further be provided as needed, used to receive a recovery request belonging to the source address and, in response to a user instruction, to unblock the facial feature data of that source address.
The access-end device may be preset with a disaster recovery means by which, when the facial feature data it provides has been blocked, it asks the blocking party to restore its subsequent verification requests, specifically by sending a recovery request to the communication network. The control-end device therefore receives the recovery request, which also contains the source address of the access-end device. This request is reviewed, so the control-end device does not necessarily lift the block on the source address immediately. Unblocking is usually done manually: the administrator learns of the recovery request through the user management interface of the control-end device and decides whether to approve it. Once the recovery request is approved, the control-end device can delete the source address from its blacklist and no longer blocks facial feature data having that source address, so the access-end device's ability to join the communication network is restored. It should be noted that, although the user management interface is used, its setting options can also include options stored on the control-end device; for example, the blacklist above and the contents of the recovery request above can be stored in the memory of the control-end device and displayed in the user management interface just like the setting options of the WiFi access point device.
As shown in FIG. 18, in another further improved embodiment, the WiFi access remote authentication apparatus executed by the control-end device further includes a statistics unit 15', used to count the number of failed authentications of facial feature data having the same source address and, when the failure count exceeds a preset value, to send notification information indicating that access requests belonging to that source address are to be blocked to the WiFi access point device.
As can be seen, this is the same as the previous refined embodiment in that the control-end device counts the number of times the facial feature data has failed authentication; the difference lies in how the access-end device is subsequently blocked. In this embodiment, when the failure count exceeds the preset value, the statistics unit 15' generates notification information and sends it to the WiFi access point device, the content of which indicates that access requests belonging to that source address are to be blocked. In other words, the control-end device notifies the WiFi access point device, in the form of notification information, to block access requests from the specified source address. Accordingly, based on that notification, the WiFi access point device can stop responding to access requests from that source address, or directly send a network frame refusing access, so that the access-end device corresponding to that source address cannot join the WiFi access point device's communication network. Clearly, unlike the previous example, the blocking of the source address is implemented by the WiFi access point device, which makes it faster and more direct; the WiFi access point device does not even need to process facial feature data from that source address any further.
Likewise, to complement the statistics unit 15', a disaster recovery unit 16' can further be provided as needed, used to receive a recovery request belonging to the source address and, in response to a user instruction, to send notification information cancelling the blocking of access requests from that source address to the WiFi access point device.
The access-end device may be preset with a disaster recovery means by which, when the facial feature data it provides has been blocked, it asks the blocking party to restore its subsequent verification requests, specifically by sending a recovery request to the communication network. The control-end device therefore receives the recovery request, which also contains the source address of the access-end device. This request is reviewed, so the control-end device does not necessarily lift the block on the source address immediately. Unblocking is usually done manually: the administrator learns of the recovery request through the user management interface of the control-end device and decides whether to approve it. Once the recovery request is approved, the control-end device can package notification information indicating that the blocking of access requests from that source address is cancelled, and send it to the WiFi access point device. After receiving this notification, the WiFi access point device deletes the source address from its recorded data (which may take the form of a blacklist) and no longer blocks access requests having that source address, so the access-end device's ability to join the communication network is restored. It should be noted that the setting options of the user management interface can also include the recorded data of source addresses to be blocked that is stored on the WiFi access point device, such as the blacklist above; after the administrator approves the recovery request in the user management interface, the interface can display the list with the source address corresponding to that recovery request removed.
The foregoing has disclosed in detail various embodiments of the remote WiFi access authentication method implemented by the portable control terminal device of the present invention. From these it can be seen that the control terminal device can manage authentication for the WiFi communication network on the basis of facial feature data, thereby strengthening the security of such a communication network.
The WiFi access authentication apparatus that the present invention provides for the portable access terminal device has various embodiments. The apparatus comprises a request unit 21, an image unit 22, a response unit 23 and an access unit 24. Taking the preceding embodiment as a basis, the remaining variant embodiments are described below unit by unit. Please refer to Figure 19 in conjunction with the following text:
The request unit 21 is configured to send a connection request management frame to the WiFi access point device to initiate an access request. Its specific implementation is as follows:
The WiFi access point device, acting as an AP, is configured with a communication network and radiates a WiFi signal. In one embodiment, the WiFi access point device periodically broadcasts its beacon frame (Beacon frame, when the SSID is not hidden); the portable access terminal device of the present invention discovers the beacon frame by scanning and can then initiate the access request. In another embodiment, in particular when the SSID is hidden, the access terminal device can obtain the network configuration information by sending a connection request management frame, namely a Probe Request frame, and reading the connection success management frame returned by the WiFi access point device, namely the Probe Response frame; on that basis it can likewise initiate the access request.
Usually, the user triggers a scan of nearby WiFi communication networks through the WiFi switch option on the settings page of the access terminal device's operating system, obtains a list of SSIDs, and then taps the SSID of the desired communication network to join it. The access terminal device can also store configuration information for communication networks the user has previously joined; in that case the user only needs to turn on the WiFi switch option, and the system automatically joins the preferable WiFi communication network according to a preset priority policy. It can therefore be considered that user interaction produces a user instruction directing the access terminal device to join the communication network of the present invention, and that the access terminal device initiates an access request to the communication network in response to that instruction.
The image unit 22 is configured to start the image acquisition unit to acquire facial feature data in response to an authentication execution instruction returned in a management frame after the access request.
The authentication execution instruction to which the image unit 22 responds can be produced in several ways:
In one embodiment, after the access request is sent to the WiFi access point device, the WiFi access point device routes it to the control terminal device, either directly or after some frame format conversion (such as loading it into a data frame). This causes the control terminal device to return an authentication execution instruction, which the WiFi access point device then routes to the access terminal device.
In another embodiment, after the access request is sent to the WiFi access point device, the WiFi access point device processes it directly and itself originates the authentication execution instruction, returning it to the access terminal device in a management frame.
In yet another embodiment, the authentication execution instruction can be triggered by the access terminal device itself, according to preset program logic, after it has sent the access request. Specifically, following the conventional protocol procedure, once the connection request stage completes and a frame such as a Probe Response (which is here treated as the authentication execution instruction) is received, the device triggers the subsequent steps on its own, avoiding dependence on external devices and simplifying the workflow.
Whichever way the authentication execution instruction is returned in reply to the access request, the execution of the access terminal device's subsequent steps is unaffected. There is one exception: if the source address carried in the access request, which identifies this access terminal device, has been blocked by the WiFi access point device, the access terminal device will not receive the authentication execution instruction, and execution of the subsequent steps is terminated.
After the access terminal device obtains the authentication execution instruction, that instruction triggers the start of the image acquisition unit in the access terminal device. As the image acquisition unit starts, a scanning interface is activated in which the preview image from the image acquisition unit is displayed. When the user points the lens of the image acquisition unit at a face and issues a capture command by any means, such as voice, gesture or button press, a corresponding face image is obtained and facial feature data is extracted from it. Alternatively, the image acquisition unit can, without any user command, automatically take any frame of the preview image as the face image and extract facial feature data from it. Once the facial feature data has been obtained successfully, the scanning interface can be closed, either under control or on its own.
The response unit 23 is configured to return to the WiFi access point device a multicast frame or an authentication management frame containing the facial feature data, in reply to the authentication execution instruction. Its specific implementation is as follows:
When the access terminal device has finished acquiring the facial feature data, it must submit that data to the WiFi access point device so that authentication of the facial feature data can be completed; this submission is the reply to the authentication execution instruction.
In one embodiment, based on a modification of the WiFi protocol's connection procedure between devices, the access terminal device can load the facial feature data into an authentication management frame and transmit it to the WiFi access point device. An example that uses multicast frames to transmit the facial feature data is disclosed next:
Because the access terminal device has not yet established a WiFi connection with the WiFi access point device, it cannot transmit the facial feature data in data frames. The access terminal device therefore uses a group of several multicast frames to transmit the facial feature data. Specifically, it converts the facial feature data into binary code, loads it in segments into an editable field of several multicast frames, namely their address field, and then sends those multicast frames.
The device responsible for processing the facial feature data, with reference to the corresponding embodiments disclosed earlier, is generally the WiFi access point device but may also be the control terminal device. After receiving these multicast frames, it extracts the binary code of the loaded facial feature data from the editable field of each multicast frame, assembles the segments in order, and converts the result back into facial feature data.
To strengthen data security during transmission, after the facial feature data has been acquired it can be encrypted according to an agreement with the device responsible for processing it, and the encrypted facial feature data is then encoded into the multicast frames. Correspondingly, the processing device must decrypt it.
Combined with one of the embodiments above, the device responsible for processing the facial feature data may be the WiFi access point device, which parses the received facial feature data, encodes it into a data frame and transmits it to the control terminal device; the control terminal device then extracts the facial feature data from the data frame. Combined with the other embodiment above, the control terminal device may directly receive the multicast frames routed through the WiFi access point device and parse the facial feature data from them.
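The segmented multicast-frame transport described above, as an added example that is not part of the patent: the sender splits the (already encrypted) feature blob into 6-byte address-field values carrying a segment index, and the receiver reassembles them in segment order. The field layout, the length prefix and the truncated HMAC tag keyed by a pre-agreed secret are assumptions of this example, added so that a missing, duplicated or corrupted segment is detected before the data is handed on for authentication.

```python
import hashlib
import hmac
import struct
from typing import List

# Layout of each 6-byte address field (an assumption for this example):
#   byte 0   : 0x03, I/G bit set (multicast) and U/L bit set (locally administered)
#   byte 1   : segment index, 0..255
#   bytes 2-5: 4 payload bytes, zero-padded in the final segment
MARKER = 0x03
CHUNK = 4
MAX_SEGMENTS = 256
TAG_LEN = 8  # truncated HMAC-SHA256 tag appended after the payload


def frame_fields(feature_blob: bytes, key: bytes) -> List[bytes]:
    """Split an already-encrypted feature blob into address-field values.

    A 2-byte length prefix lets the receiver strip padding, and the tag
    (key shared per the devices' prior agreement) lets it reject a corrupted
    or forged segment set.
    """
    tag = hmac.new(key, feature_blob, hashlib.sha256).digest()[:TAG_LEN]
    body = struct.pack(">H", len(feature_blob)) + feature_blob + tag
    n_segments = -(-len(body) // CHUNK)  # ceiling division
    if n_segments > MAX_SEGMENTS:
        raise ValueError("feature blob too large for a one-byte segment index")
    fields = []
    for seq in range(n_segments):
        chunk = body[seq * CHUNK:(seq + 1) * CHUNK].ljust(CHUNK, b"\x00")
        fields.append(bytes([MARKER, seq]) + chunk)
    return fields


def reassemble_fields(fields: List[bytes], key: bytes) -> bytes:
    """Rebuild the feature blob from address fields received in any order.

    Raises ValueError on a foreign field, a gap in the sequence, a duplicate
    with different content, a truncated body, or a failed integrity check.
    """
    segments = {}
    for field in fields:
        if len(field) != 6 or field[0] != MARKER:
            raise ValueError("not a tagged multicast address field")
        seq, chunk = field[1], field[2:]
        if seq in segments and segments[seq] != chunk:
            raise ValueError(f"conflicting duplicate for segment {seq}")
        segments[seq] = chunk
    if not segments:
        raise ValueError("no segments received")
    if sorted(segments) != list(range(len(segments))):
        raise ValueError("segment sequence has gaps")
    body = b"".join(segments[i] for i in range(len(segments)))
    (length,) = struct.unpack(">H", body[:2])
    blob = body[2:2 + length]
    tag = body[2 + length:2 + length + TAG_LEN]
    if len(blob) != length or len(tag) != TAG_LEN:
        raise ValueError("truncated body")
    expected = hmac.new(key, blob, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return blob


def demo_roundtrip() -> bool:
    """Constructed 128-float feature vector, sent out of order and recovered."""
    import random
    key = b"constructed-shared-key"        # placeholder for the agreed secret
    vector = [0.01 * i for i in range(128)]
    blob = struct.pack("<128f", *vector)   # 512 bytes -> 131 multicast frames
    fields = frame_fields(blob, key)
    random.Random(1).shuffle(fields)       # frames may be received reordered
    return reassemble_fields(fields, key) == blob
```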
The control terminal device then authenticates the facial feature data it has received. In some of the embodiments disclosed above, if the blacklist of the control terminal device contains the source address identifying the access terminal device (the source address can be supplied together with the facial feature data for identification), the control terminal device may not respond to the facial feature data at all, or may respond but ultimately refuse to authenticate it. If the control terminal device does not find the source address of the access terminal device that supplied the facial feature data in its blacklist, it authenticates the facial feature data through the normal procedure. According to the different embodiments above, the control terminal device compares the facial feature data from the access terminal device with the pre-stored feature data in the feature library on the local machine or on a cloud server. If pre-stored feature data consistent with the facial feature data exists in the feature library, authentication is deemed successful; otherwise it is deemed to have failed. Authentication result information is generated accordingly and sent to the WiFi access point device. Consistency between the facial feature data and the pre-stored feature data, as used here, should not be limited to complete identity of data representation or content; for example, the two may be regarded as consistent when their similarity reaches a preset degree or lies within an allowed range.
In a further refined embodiment, the WiFi access point device may cache or store the pre-stored feature data in the feature library that corresponds to the source address, or even cache or store the entire feature library. In that case, when the access terminal device reaches the WiFi access point device, the WiFi access point device can first compare against its cached feature library to determine whether authentication succeeds, and generate the authentication result information itself, so that authenticating the facial feature data need not depend on the control terminal device's participation. When the WiFi access point device holds the pre-stored feature data or the entire feature library as a cache, a validity period should be set for it to ensure that the data is updated in good time. Clearly, remote updating of the pre-stored feature data or the entire feature library cached or stored on the WiFi access point device can be controlled from the control terminal device.
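The access point's cached feature library with a validity period, together with the similarity-based notion of consistency from the preceding paragraph, as an added example that is not part of the patent. The cosine-similarity metric, the threshold value, the class and function names and the sample vectors are assumptions of this example; an expired or missing cache entry yields no local decision, so the access point defers to the control terminal device instead of deciding on stale data.

```python
import math
from typing import Callable, Dict, List, Optional, Tuple

SIMILARITY_THRESHOLD = 0.92  # the "preset degree" of similarity; assumed value


def cosine_similarity(a: List[float], b: List[float]) -> float:
    """Similarity in [-1, 1]; equal direction gives 1.0, orthogonal gives 0.0."""
    if len(a) != len(b):
        raise ValueError("feature vectors differ in length")
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


class FeatureCache:
    """Pre-stored feature data per source address, each entry with an expiry time.

    match() returns True or False only while a fresh entry exists; None means
    "cannot decide locally", so the access point must ask the control device.
    """

    def __init__(self, validity_seconds: float):
        self.validity = validity_seconds
        self._entries: Dict[str, Tuple[List[float], float]] = {}

    def update(self, source_addr: str, template: List[float], now: float) -> None:
        """Remote update pushed by the control terminal device; restarts the timer."""
        self._entries[source_addr] = (template, now + self.validity)

    def match(self, source_addr: str, probe: List[float], now: float) -> Optional[bool]:
        entry = self._entries.get(source_addr)
        if entry is None:
            return None
        template, expires_at = entry
        if now >= expires_at:
            del self._entries[source_addr]  # stale entry: never decide on it
            return None
        return cosine_similarity(probe, template) >= SIMILARITY_THRESHOLD


def ap_authenticate(cache: FeatureCache, source_addr: str, probe: List[float],
                    now: float, ask_controller: Callable[[str, List[float]], bool]) -> bool:
    """Decide from the cache when possible, otherwise defer to the control device."""
    local = cache.match(source_addr, probe, now)
    if local is not None:
        return local
    return ask_controller(source_addr, probe)
```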
The access unit 24 is configured to carry out the association process specified by the WiFi protocol once the facial feature data passes authentication and a management frame indicating successful authentication has been obtained, thereby joining the communication network set up by the WiFi access point device. Its specific implementation is as follows:
Whether the control terminal device sends the authentication result information indicating success or failure to the WiFi access point device, or the WiFi access point device generates that information itself, the WiFi access point device can make a final response to the access terminal device's access request according to the authentication result. Specifically, the WiFi access point device may respond in any one or more of the following ways to give the access request its final response:
Method 1: in accordance with the IEEE 802.11 protocol, depending on whether the authentication result information indicates success or failure, a frame indicating that the access terminal device is allowed or denied access to the communication network, usually a management frame, is returned to it, completing the authentication stage. On receiving this management frame, the access terminal device can determine from its contents whether authentication passed, and accordingly establish or terminate the connection to the WiFi access point device's communication network; when authentication passed, it starts the association stage and joins the communication network set up by the WiFi access point device.
Method 2: depending on whether the authentication result information indicates success or failure, when it indicates success the WiFi access point device accepts the association request of the access terminal device so that it joins the communication network; when it indicates failure, the WiFi access point device does not respond to the association request, so the access terminal device treats the request as timed out and therefore as a failed authentication.
Method 3: the WiFi access point device sends the authentication result information to the access terminal device as the response and otherwise operates according to the IEEE 802.11 protocol. After receiving and parsing the authentication result information, the access terminal device initiates an association request according to the protocol to complete access to the communication network when the information indicates success; when it indicates failure, the device can take follow-up action such as requesting again.
Broadly speaking, of course, the management frame of Method 1 can itself be regarded as authentication result information. Those skilled in the art can flexibly apply the above methods to establish the connection on the access terminal device, or to raise an alert, once the facial feature data has been authenticated. In a generally applicable embodiment, when the access terminal device confirms that authentication failed, it can display an alert in the user interface to notify the user to take follow-up action, improving human-computer interaction. When the access terminal device confirms that authentication succeeded and carries out the association process specified by the WiFi protocol, the connection is confirmed as a trusted connection. Once the trusted connection is established, the access terminal device can, under some protocol agreed with the WiFi access point device, store connection information for subsequent authentication-free login to the communication network, so that it can later use that connection information to join the communication network easily without going through any authentication procedure.
Referring to Figure 20, in a further enhanced embodiment of the present invention, the WiFi access authentication apparatus for the portable access terminal device further comprises a recovery unit 25, which counts the number of times access to the communication network has failed after an access request was initiated; when the count reaches a predetermined value, it determines that this device is in a state where its access requests are being blocked and, in response to a user instruction, initiates a recovery request asking that its access requests be allowed again. Its specific implementation is as follows:
Provided that the control terminal device or the WiFi access point device supports the disaster-recovery means described above, the access terminal device can count its connection failures so that, when its access has been blocked by the control terminal device or the WiFi access point device, it can restore the possibility of joining the communication network by technical means.
As described above, an authentication failure prevents the access terminal device from establishing a connection to the WiFi access point device's communication network; it would be unreasonable for a device to be blocked permanently because the facial feature data it supplied failed authentication several times. For reasonable security, the access terminal device counts the number of times it has failed to join the communication network and is given a preset value; when the count exceeds the preset value, the device determines that its access requests are being blocked and opens a control element in the user interface, which may be a virtual button, through which it can ask the communication network to resume responding to its access requests. As an equivalent alternative, a validity period can be set, and the control element is opened only when that period, counted from the start of the statistics, has elapsed.
The user can then trigger a user instruction by activating the control element, whereupon the access terminal device, in response to that instruction, sends the communication network a recovery request asking that its access requests be allowed again. Correspondingly, depending on whether the blocking mechanism is implemented by the control terminal device or the WiFi access point device, the recovery request arrives at the control terminal device or the WiFi access point device; the device receiving it can notify the administrator to respond, and once the administrator approves the recovery request, subsequent access requests from the access terminal device are again processed normally by the communication network.
The foregoing has disclosed in detail various embodiments of the WiFi access authentication method implemented by the portable access terminal device of the present invention. From these it can be seen that the access terminal device can, at the request of the communication network it wishes to join, collect facial feature data locally and supply it to the communication network for authentication, thereby helping to strengthen the security of the communication network.
The WiFi access authentication control apparatus that the present invention provides for the WiFi access point device has various embodiments. The apparatus comprises a receiving unit 31, a response unit 32, a routing unit 33 and an execution unit 34. Taking the preceding embodiment as a basis, the remaining variant embodiments are described below unit by unit. Please refer to Figure 21 in conjunction with the following text:
The WiFi access point device is usually also called a WiFi router. A conventional WiFi router has a WiFi chip module and implements the corresponding management functions through a low-level driver; these management functions are usually developed on the basis of the IEEE 802.11 protocol. In at least some embodiments of the present invention, still on the basis of the IEEE 802.11 protocol, the low-level driver functions of the WiFi chip module need to be extended according to the functions implemented by the corresponding embodiments, so that they help realize the functions intended by at least some embodiments of the present invention. These functions are reflected in the descriptions of the different units of the various embodiments of the WiFi access authentication control apparatus.
The receiving unit 31 is configured to receive the access request of the access terminal device. As before, the access request is the preliminary request that the access terminal device initiates after detecting the service set identifier (SSID) of the present invention. Depending on the role assignment between the control terminal device and the WiFi access point device disclosed above, the process of receiving the access request varies between embodiments.
In an embodiment in which the WiFi access point device manages access requests in the conventional manner, the WiFi access point device responds to the access request itself after receiving it, so it does not route or convert and forward it, and in particular need not pass it to the control terminal device. Conversely, in another, improved embodiment, after receiving the request the WiFi access point device can forward the access request to the control terminal device in a form of its own, such as a data frame or a management frame, and the control terminal device is responsible for responding; it can of course also route the access request directly to the control terminal device for response. In short, the access request must be able to reach the device that responds to it directly.
In an embodiment applicable to the case in which the WiFi access point device can block access requests, after receiving the access request the WiFi access point device extracts from it the source address of the access terminal device that initiated it and consults its blacklist. When it confirms that the source address is in the blacklist, it terminates the response to the access request, or responds directly with a management frame indicating that access is denied, thereby strengthening the security management of the communication network. If the source address does not appear in the blacklist, processing continues in the other units as normal.
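The blocking and recovery flow on both sides, as an added example that is not part of the patent: the access terminal's recovery unit 25 counting failed joins before it exposes the recovery control, and the access point's blacklist check in the receiving unit 31, including the administrator-approved unblocking. Class and method names, the message format, the threshold values and the sample address are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class RecoveryUnit:
    """Access-terminal side: count failed joins and gate the recovery control."""
    max_failures: int
    failures: int = 0
    recovery_pending: bool = False

    def record_result(self, joined: bool) -> None:
        self.failures = 0 if joined else self.failures + 1

    def recovery_control_enabled(self) -> bool:
        # The virtual button appears only once the device judges itself blocked.
        return self.failures >= self.max_failures

    def request_recovery(self, source_addr: str) -> dict:
        if not self.recovery_control_enabled():
            raise RuntimeError("recovery control not yet available")
        self.recovery_pending = True
        return {"type": "recovery_request", "source": source_addr}


@dataclass
class AccessPointGate:
    """Access-point side: blacklist check before any authentication instruction."""
    max_auth_failures: int
    blacklist: Set[str] = field(default_factory=set)
    auth_failures: Dict[str, int] = field(default_factory=dict)
    pending_recovery: Set[str] = field(default_factory=set)

    def handle_access_request(self, source_addr: str) -> str:
        # A blocked source never receives the authentication execution instruction.
        if source_addr in self.blacklist:
            return "deny"
        return "send_auth_instruction"

    def record_auth_result(self, source_addr: str, success: bool) -> None:
        if success:
            self.auth_failures.pop(source_addr, None)
            return
        count = self.auth_failures.get(source_addr, 0) + 1
        self.auth_failures[source_addr] = count
        if count >= self.max_auth_failures:
            self.blacklist.add(source_addr)

    def receive_recovery_request(self, msg: dict) -> None:
        # Held for review; nothing is unblocked until an administrator approves.
        if msg.get("type") == "recovery_request" and msg.get("source") in self.blacklist:
            self.pending_recovery.add(msg["source"])

    def admin_decide(self, source_addr: str, approve: bool) -> bool:
        """Administrator verdict on a pending request; returns whether it was unblocked."""
        if source_addr not in self.pending_recovery:
            return False
        self.pending_recovery.discard(source_addr)
        if approve:
            self.blacklist.discard(source_addr)
            self.auth_failures.pop(source_addr, None)
        return approve


def demo_flow() -> list:
    """Constructed scenario: three failed authentications block the device,
    the user requests recovery, the administrator approves, access resumes."""
    sta = RecoveryUnit(max_failures=3)
    ap = AccessPointGate(max_auth_failures=3)
    addr = "02:00:00:00:00:01"  # constructed, locally administered address
    log = []
    for _ in range(3):
        ap.handle_access_request(addr)
        ap.record_auth_result(addr, success=False)  # face did not match
        sta.record_result(joined=False)
    log.append(ap.handle_access_request(addr))      # "deny": now blacklisted
    log.append(sta.recovery_control_enabled())      # True: button is shown
    ap.receive_recovery_request(sta.request_recovery(addr))
    log.append(ap.admin_decide(addr, approve=True)) # True: unblocked
    log.append(ap.handle_access_request(addr))      # "send_auth_instruction"
    return log
```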
所述的响应单元32,用于响应所述接入请求而反馈鉴权执行指令,其具体实现方式如下:The response unit 32 is configured to respond to the access request and feed back an authentication execution instruction, and its specific implementation is as follows:
结合前述有关控制端设备的不同实施方式可知,所述的鉴权执行指令既可以由控制端设备源发且经WiFi接入点设备路由,也可由WiFi接入点设备源发,因而,这里所称的反馈鉴权执行指令,既可指将控制端设备源发的鉴权执行指令路由给所述接入端设备的实施方式,也可为由WiFi接入点设备源发性发送给所述的接入端设备的实施方式,结合前面揭示的实施例,自所述接入请求发起后,完成IEEE 802.11协议的连接请求阶段,再到认证阶段发起认证请求之后,而产生响应于该认证请求的认证应答的管理帧,也可视之为一种鉴权执行指令。具体采用何种方式,仍需视控制端设备与WiFi接入点设备的管理角色分配关系而定。Combining with the aforementioned different implementations of the control terminal device, it can be known that the authentication execution instruction can be sent by the control terminal device and routed by the WiFi access point device, or can be sent by the WiFi access point device. Therefore, here The so-called feedback authentication execution instruction can refer to the implementation mode in which the authentication execution instruction sent by the control terminal device is routed to the access terminal device, or can be sent by the WiFi access point device to the said access terminal device. The embodiment of the access terminal device, combined with the above-disclosed embodiments, completes the connection request phase of the IEEE 802.11 protocol after the initiation of the access request, and then initiates the authentication request in the authentication phase, and generates a response to the authentication request The management frame of the authentication response can also be regarded as an authentication execution instruction. The specific way to be adopted still depends on the management role distribution relationship between the control terminal device and the WiFi access point device.
It follows that once the WiFi access point device has blocked a given access request on the basis of the blacklist, it will no longer return the authentication execution instruction in response to that access request.
The routing unit 33 is configured to receive the facial feature data returned in answer to the authentication execution instruction and to request the control terminal device to authenticate it. Its specific implementations take the following forms:
As disclosed above, the portable access terminal device collects facial feature data in response to the authentication execution instruction sent by the WiFi access point device and returns that data to the communication network, where it is either received directly by the control terminal device or, as in this embodiment, first reaches the WiFi access point device.
In one embodiment disclosed above, the WiFi access point device can authenticate the received facial feature data itself: the WiFi access point device stores or caches the feature library needed for authentication, or one or more pre-stored feature data records from it, and matches the received facial feature data against the pre-stored feature data (in the feature library). When pre-stored feature data consistent with the received facial feature data is found, authentication is deemed successful; otherwise it is deemed to have failed. The subsequent processing of this embodiment has already been disclosed comprehensively in the corresponding method of the access terminal device described above; the following description focuses on the latter embodiment.
In another embodiment, the WiFi access point device is not responsible for authenticating the received facial feature data. Instead it routes the facial feature data to the control terminal device, or itself encapsulates the facial feature data into a data frame and sends it to the control terminal device, requesting the control terminal device to authenticate it. The control terminal device compares the facial feature data with the pre-stored feature data in its local feature library or in a feature library on a cloud server, determines whether the two are consistent, and returns authentication result information to the WiFi access point device, which confirms whether authentication succeeded or failed according to the content that the authentication result information represents.
Naturally, while being transmitted between multiple devices the facial feature data may be either plaintext or encrypted, and the encryption method can be set flexibly. It is only necessary that the devices agree on this transmission in advance and cooperate with one another during operation.
It should be pointed out that, because the access terminal device has not yet established a WiFi connection with the WiFi access point device, it cannot transmit the facial feature data in the form of data frames. For this reason the access terminal device transmits the facial feature data using a group of multiple multicast frames. Specifically, the access terminal device converts the facial feature data into binary code, loads it in segments into the editable fields of multiple multicast frames, specifically their address fields, and then sends those multicast frames. In this embodiment, the WiFi access point device is responsible for receiving these multicast frames, extracting the binary code of the loaded facial feature data from the editable field of each multicast frame, assembling the segments in order, and converting the result back into facial feature data.
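The segmentation and reassembly just described can be modelled as follows. This is an added example written for this page, not code from the patent: the patent only says that the binary feature data is spread over the address fields of several multicast frames and put back together in segment order. The field layout (a 6-byte field, like an 802.11 address, carrying a one-byte segment index, a one-byte segment count and 4 bytes of payload), the length prefix and the CRC32 trailer are all assumptions made here so that the receiver can tolerate reordering and duplicates and reject an incomplete or corrupted payload instead of authenticating garbage.

```python
import struct
import zlib

FIELD_LEN = 6                 # assumed size of the borrowed "address field" (an 802.11 MAC address)
HEADER_LEN = 2                # assumed header: segment index (1 byte) + total segment count (1 byte)
PAYLOAD_PER_FRAME = FIELD_LEN - HEADER_LEN
MAX_SEGMENTS = 255            # one-byte index/count limits a payload to 255 frames


def encode_to_frames(feature_bytes):
    """Sender side: wrap the feature bytes as [len:2][data][crc32:4], split the result
    into 4-byte pieces and prefix each piece with (index, total) so that every piece
    fits into one 6-byte address field of a multicast frame."""
    body = (struct.pack(">H", len(feature_bytes)) + feature_bytes
            + struct.pack(">I", zlib.crc32(feature_bytes) & 0xFFFFFFFF))
    chunks = [body[i:i + PAYLOAD_PER_FRAME] for i in range(0, len(body), PAYLOAD_PER_FRAME)]
    if len(chunks) > MAX_SEGMENTS:
        raise ValueError("feature payload too large for a one-byte segment index")
    total = len(chunks)
    return [bytes([idx, total]) + chunk.ljust(PAYLOAD_PER_FRAME, b"\x00")
            for idx, chunk in enumerate(chunks)]


def decode_from_frames(fields):
    """Access point side: reassemble the 6-byte fields (any order, duplicates tolerated).
    Returns the feature bytes, or None if the payload is incomplete, inconsistent or fails
    the CRC check; the caller should then discard it rather than submit it for authentication."""
    segments = {}
    total = None
    for f in fields:
        if len(f) != FIELD_LEN:
            return None
        idx, count = f[0], f[1]
        if total is None:
            total = count
        if count != total or idx >= total:
            return None                      # mixed payloads or index out of range
        segments.setdefault(idx, f[HEADER_LEN:])   # first copy wins for duplicated frames
    if total is None or len(segments) != total:
        return None                          # at least one segment never arrived
    body = b"".join(segments[i] for i in range(total))
    (length,) = struct.unpack(">H", body[:2])
    feature = body[2:2 + length]
    if len(feature) != length or len(body) < 6 + length:
        return None
    (crc,) = struct.unpack(">I", body[2 + length:6 + length])
    if zlib.crc32(feature) & 0xFFFFFFFF != crc:
        return None                          # corrupted in transit: do not authenticate it
    return feature


if __name__ == "__main__":
    sample = bytes(range(37))                # constructed stand-in for a feature vector
    frames = encode_to_frames(sample)
    print(len(frames), "frames;", decode_from_frames(reversed(frames)) == sample)
```

Because these frames are sent before any association exists, the receiving side has no per-station state to rely on; an access point implementing this should bound how many partial payloads it buffers per source address and drop them on a timer, otherwise unfinished sequences can exhaust its memory.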
The control terminal device then authenticates the facial feature data it receives. In some of the embodiments disclosed above, if the blacklist of the control terminal device contains a source address pointing to the access terminal device (the source address can be supplied together with the facial feature data for identification), the control terminal device may either not respond to the facial feature data at all, or respond but ultimately report that authentication of the facial feature data was refused. If the control terminal device does not find the source address of the access terminal device that supplied the facial feature data in its blacklist, it authenticates the facial feature data by the normal process. In accordance with the different embodiments above, the control terminal device compares the facial feature data of the access terminal device with the pre-stored feature data in the feature library of the local machine or of the cloud server; when the feature library is found to contain pre-stored feature data consistent with the facial feature data, authentication is deemed successful, otherwise it is deemed to have failed, and authentication result information is generated accordingly and sent to the WiFi access point device. It should be emphasized that the consistency between the facial feature data and the pre-stored feature data referred to here is not limited to complete identity of data representation or data content; for example, it may mean that the similarity between the two reaches a preset degree or lies within an allowed range, in which case the two are regarded as consistent.
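The decision the control terminal device makes here, a blacklist check on the source address followed by a threshold-based comparison against the feature library, is shown below as an added example that is not part of the patent. The feature library, the blacklist, the four-dimensional feature vectors, the choice of cosine similarity as the "degree of similarity" and the result-record format are all constructed for the example; the patent does not fix any of them.

```python
import math

# Constructed feature library: identity label -> feature vector. Real face embeddings
# have hundreds of dimensions; four are used here only to keep the example readable.
FEATURE_LIBRARY = {
    "alice": [0.9, 0.1, 0.2, 0.3],
    "bob": [0.1, 0.8, 0.4, 0.1],
}
# Constructed blacklist of source (MAC) addresses held by the control terminal device.
BLACKLIST = {"aa:bb:cc:dd:ee:01"}
# Preset similarity degree at or above which two feature vectors count as "consistent".
SIMILARITY_THRESHOLD = 0.95


def cosine_similarity(a, b):
    """Similarity in [-1, 1]; 1.0 means identical direction. Assumed metric, not the patent's."""
    if len(a) != len(b):
        raise ValueError("feature vectors must have the same dimension")
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def authenticate(source_addr, feature, library=FEATURE_LIBRARY,
                 blacklist=BLACKLIST, threshold=SIMILARITY_THRESHOLD):
    """Return the authentication result record for one submission.

    result is one of:
      "refused" - source address is blacklisted; the biometric data is not even compared
      "success" - the closest library entry reaches the preset similarity degree
      "failure" - no library entry is close enough
    """
    addr = source_addr.lower()
    record = {"source_addr": addr, "result": "failure", "matched": None, "similarity": 0.0}
    if addr in blacklist:
        record["result"] = "refused"        # cheap check first; no feature comparison is done
        return record
    best_label, best_score = None, -1.0
    for label, stored in library.items():
        score = cosine_similarity(feature, stored)
        if score > best_score:
            best_label, best_score = label, score
    record["similarity"] = round(best_score, 4)
    if best_score >= threshold:
        record["result"] = "success"
        record["matched"] = best_label
    return record


if __name__ == "__main__":
    print(authenticate("AA:BB:CC:DD:EE:02", [0.88, 0.12, 0.21, 0.29]))
    print(authenticate("AA:BB:CC:DD:EE:01", [0.88, 0.12, 0.21, 0.29]))
```

The blacklist test runs before any feature comparison so that a blocked source cannot make the control terminal device spend biometric-matching effort on it, and the record carries the similarity score so that the threshold can be audited and tuned: a threshold set too low admits impostors, one set too high locks out legitimate users whose capture conditions vary.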
The execution unit 34 is configured to allow or block the access terminal device from accessing the preset communication network according to the authentication result information returned by the control terminal device, which represents authentication success or failure. Its various specific implementations are as follows:
As described above, in a typical embodiment the authentication result information comes from the control terminal device. After receiving the authentication result information returned by the control terminal device, the WiFi access point device parses it to determine the specific content it represents, which usually is one of two types: authentication success or authentication failure.
In addition, in another embodiment of the present invention, the WiFi access point device can match the facial feature data awaiting verification against a cached or stored feature library (or specifically its pre-stored feature data) that is updated under the control of the control terminal device, and process the matching result into the authentication result information, so that the WiFi access point device itself originates the authentication result information.
The embodiments disclosed here are clearly closer to the conventional implementation of the IEEE 802.11 protocol. In the connection-establishment procedure specified by that protocol, the access terminal device submits the facial feature data for authentication during the authentication phase; after the control terminal device or the WiFi access point device has authenticated it successfully or unsuccessfully, the WiFi access point device returns an authentication response frame based on the authentication result information produced by the authentication, which may specifically be a management frame indicating authentication success or a management frame indicating authentication failure. From the perspective of the access terminal device, this authentication response frame can also broadly be regarded as receipt of the authentication result information.
Of course, a more substantial change may be made instead. Specifically, the WiFi access point device may not process the authentication result information from the control terminal device directly but route it straight to the access terminal device. Alternatively, even where the WiFi access point device authenticates the facial feature data itself, it may generate authentication result information that differs from the IEEE 802.11 protocol specification. In such implementations the form and content of the authentication result information may both differ from those of the IEEE 802.11 protocol, provided the access terminal device and the WiFi access point device have agreed on them in advance.
Seen in this light, in any case, although it is not strictly required, the WiFi access point device can originate or forward authentication result information to the access terminal device, and the access terminal device can parse that authentication result information and decide its own subsequent connection procedure accordingly.
As a basic function, however, the WiFi access point device can parse the authentication result information as seen from its own side. After parsing it, the WiFi access point device can, according to the content it represents, that is, whether authentication succeeded or failed, respond to the association request that the access terminal device subsequently makes in order to complete the connection, and determine whether to allow a trusted WiFi connection to the access terminal device to be established. Combining the various situations disclosed above, the WiFi access point device can exercise the following resulting control over the access request of the access terminal device according to the authentication result information:
When the authentication result information indicates that authentication succeeded, a management frame indicating authentication success is sent to the access terminal device to allow it to access the established communication network. The association request that the access terminal device initiates itself, in accordance with the IEEE 802.11 protocol, after receiving the management frame indicating authentication success, and the subsequent communication, are answered normally: in response to that association request a management frame indicating association success is returned to the access terminal device as confirmation, thereby establishing the WiFi connection between the access terminal device and the WiFi access point device.
When the authentication result information indicates that authentication failed, a management frame indicating authentication failure is sent to the access terminal device to prevent it from accessing the established communication network. Should the access terminal device nevertheless initiate an association request itself after receiving the management frame indicating authentication failure, the WiFi access point device either does not respond, or responds to that association request by returning a management frame indicating association failure to the access terminal device as a warning.
Of course, as some of the embodiments disclosed above show, once the access terminal device receives the authentication result information it knows whether the facial feature data it supplied passed or failed authentication, so the access terminal device can itself decide, on the basis of the authentication result information, whether to continue the subsequent connection procedure specified by the IEEE 802.11 protocol. When the authentication result information indicates authentication success (for example the management frame indicating authentication success), it may initiate an association request and, after receiving the association success response frame returned by the WiFi access point device, complete access to the communication network. When the authentication result information indicates authentication failure (for example the management frame indicating authentication failure), it may terminate the subsequent connection procedure and, if necessary, display a warning message through the user interface.
It should be clear that, according to the above embodiments, the authentication result information received at the access terminal device, from its perspective, may be either a communication format containing pre-agreed custom content that is originated or routed by the WiFi access point device, or a management frame indicating authentication success or failure that the WiFi access point device sends in accordance with the IEEE 802.11 protocol according to the content represented by the authentication result information it has received.
For convenience of management and operation, after the access terminal device has successfully accessed the communication network of the WiFi access point device, the WiFi access point device can save the information of the access terminal device locally and treat it as a trusted connection; when the access terminal device later reconnects, the execution of the authentication phase can be omitted on the basis of the trust relationship, thereby simplifying subsequent access.
Referring to FIG. 22, in a further particularized embodiment, the WiFi access authentication control device executed by the WiFi access point device of the present invention further includes a connection unit 30 that runs beforehand and is configured to pre-establish a trusted connection between the local device and the control terminal device by way of a WiFi connection; for its specific implementation please refer to the relevant description above.
Referring to FIG. 23, in a further refined embodiment, the WiFi access authentication control device executed by the WiFi access point device of the present invention further includes an accessed unit 35 configured to return and/or modify the configuration parameters of the local communication network in response to a read instruction and/or configuration instruction from the control terminal device. Its specific implementation can be combined with the various implementations of the control terminal device described above, as follows:
As described above, the control terminal device can read the configuration parameters of the communication network from the WiFi access point device and display a user management interface for them, in which they are presented as related setting options offered to the user for modification; when the user submits a modification, it is submitted to the WiFi access point device for parameter modification, thereby changing the configuration of at least some of the parameters of the communication network.
Correspondingly, on the WiFi access point device side, it can receive the read instruction from the control terminal device, retrieve the configuration file relating to the communication network, and return to the control terminal device the configuration parameters of the communication network contained in that configuration file. Similarly, the WiFi access point device can also receive the configuration instruction that the control terminal device encapsulates after the user has modified the configuration parameters (corresponding to the setting options in the user interface), read the modified configuration parameters and their data from the configuration instruction, modify the data of the relevant configuration parameters according to the configuration instruction and bring them into effect, thereby cooperating with the control terminal device to give the user a better remote maintenance experience.
As described above, the present invention can add control functions at the WiFi access point device in the interest of improved security. For these, refer to the content disclosed by the various improvements below:
Adapted to an embodiment implemented at the control terminal device, as shown in FIG. 24, the WiFi access authentication control device executed by the WiFi access point device is further provided with a restriction unit 36 for receiving, from the control terminal device, notification information indicating that access requests belonging to a specified source address are to be blocked, and for ceasing to respond to access requests from the access terminal device with the specified source address contained in that notification information (for example by not returning a Probe Response frame), or returning to it a management frame indicating that connection is impossible. The access terminal device will thereby regard itself as unable to connect to the communication network.
In a further improvement, after the notification information is received the source address is added to a held blacklist, so that the WiFi access point device can match the source address in each received access request from an access terminal against the records in the blacklist to see whether that source address is present in the blacklist; if it is, the access request is blocked directly, and if not, it is handled by the normal rules.
To perfect the management functions of the WiFi access point device, in a further enhanced embodiment, referring to FIG. 25 and building on the previous embodiment, the WiFi access authentication control device of the present invention further includes an unblocking unit 37 for receiving, from the control terminal device, notification information cancelling the blocking of access requests from that source address, and restoring the response to access requests from the access terminal device corresponding to that source address. With reference to the previous embodiment, this can specifically take the form of extracting from the notification information the source address whose blocking is to be cancelled, and then deleting it from the blacklist.
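The access point side behaviour spread over the preceding paragraphs (answering or ignoring probe requests according to the blacklist, turning the authentication result information into an authentication management frame, answering the later association request only for an authenticated or already trusted station, remembering successful stations as trusted connections, and applying the block/unblock notifications of the restriction unit 36 and unblocking unit 37) is gathered into one model below. It is an added example written for this page, not the patent's code: the frame names, the shape of the notification dictionary and the decision to drop a station's trusted status when it is blocked are assumptions made here.

```python
from dataclasses import dataclass, field


@dataclass
class AccessPoint:
    """Minimal model of the WiFi access point's gating logic (constructed for this example)."""
    blacklist: set = field(default_factory=set)      # source addresses blocked by the control terminal device
    authenticated: set = field(default_factory=set)  # stations whose facial feature data passed authentication
    trusted: set = field(default_factory=set)        # stations that completed association at least once

    def handle_control_notification(self, notice):
        """Apply a block/unblock notification from the control terminal device.
        notice is assumed to look like {"action": "block"|"unblock", "source_addr": "aa:bb:..."}."""
        addr = notice["source_addr"].lower()
        if notice["action"] == "block":
            self.blacklist.add(addr)
            # A blocked station must not keep any shortcut: forget its auth and trusted state.
            self.authenticated.discard(addr)
            self.trusted.discard(addr)
        elif notice["action"] == "unblock":
            self.blacklist.discard(addr)   # it must authenticate again from scratch
        else:
            raise ValueError("unknown notification action: %r" % notice["action"])

    def on_probe_request(self, addr):
        """Return the frame sent in reply, or None when the request is silently ignored."""
        if addr.lower() in self.blacklist:
            return None                    # restriction unit: no Probe Response for blocked sources
        return "ProbeResponse"

    def on_authentication_result(self, addr, success):
        """Translate the authentication result information into the management frame for the station."""
        addr = addr.lower()
        if addr in self.blacklist:
            return None
        if success:
            self.authenticated.add(addr)
            return "Authentication(success)"
        self.authenticated.discard(addr)
        return "Authentication(failure)"

    def on_association_request(self, addr):
        """Allow association only for stations that authenticated or are already trusted."""
        addr = addr.lower()
        if addr in self.blacklist:
            return None                    # or a failure frame; the patent allows either
        if addr in self.authenticated or addr in self.trusted:
            self.trusted.add(addr)         # remember the connection for later reconnects
            return "AssociationResponse(success)"
        return "AssociationResponse(failure)"

    def needs_authentication(self, addr):
        """False only for a trusted station reconnecting, which may skip the authentication phase."""
        return addr.lower() not in self.trusted


if __name__ == "__main__":
    ap = AccessPoint()
    sta = "AA:BB:CC:DD:EE:02"              # constructed station address
    print(ap.on_probe_request(sta), ap.on_authentication_result(sta, True),
          ap.on_association_request(sta), ap.needs_authentication(sta))
```

Two points worth noting for anyone implementing the reconnect shortcut: the trusted set is keyed on a source address that the station itself asserts, so it should be cleared whenever the control terminal device blocks that address (as done here) and, in a real deployment, paired with the link-layer keys established on the first connection rather than trusted on the address alone.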
In a further added embodiment, suited to the user interface management function implemented at the control terminal, referring to FIG. 26, the WiFi access authentication control device executed by the WiFi access point device is further provided with an unblocking unit 37' for receiving a recovery request from the access terminal device and routing that request to the control terminal device so as to request the control terminal device to cancel the blocking of the facial feature data of that access terminal device. This unit corresponds to the embodiment in which the control terminal device blocks facial feature data: after the control terminal device has blocked the facial feature data, the access terminal device is allowed to initiate the recovery request, which is sent over the communication network and routed by the WiFi access point device to the control terminal device. On receiving this notification information, the control terminal device alerts the user in its user interface; the user follows the alert into a dedicated page of the user management interface and reviews whether to allow the recovery request. If it is allowed, the control terminal device cancels the blocking of the facial feature data of the access terminal device, that is, it re-opens the authentication function for that access terminal device. This provides an effective technical remedy after an access terminal device has been blocked by the control terminal device.
The above has disclosed in detail and in full numerous embodiments of the WiFi access authentication control method implemented by the portable WiFi access point device of the present invention, from which it can be seen that the WiFi access point device can cooperate with the control terminal device and the access terminal device to perfect the authentication function of its open communication network and to improve both its security and the convenience of its management.
An embodiment of the present invention also provides a portable control terminal device and a portable access terminal device, which can be regarded as the same class of mobile terminal and may have a structure such as that introduced below. As shown in FIG. 27, for ease of description only the parts related to the embodiment of the present invention are shown; for specific technical details not disclosed, please refer to the method part of the embodiments of the present invention. The terminal may be any terminal device, including a mobile phone, tablet computer, PDA (Personal Digital Assistant), POS (Point of Sales) terminal, vehicle-mounted computer and so on. Taking a mobile phone as the example terminal:
FIG. 27 is a block diagram of part of the structure of a mobile phone related to the terminal provided by an embodiment of the present invention. Referring to FIG. 27, the mobile phone includes a radio frequency (RF) circuit 1510, a memory 1520, an input unit 1530, a display unit 1540, a sensor 1550, an audio circuit 1560, a wireless fidelity (WiFi) module 1570 (that is, a WiFi chip module), a processor 1580, a power supply 1590 and other components. Those skilled in the art will understand that the mobile phone structure shown in FIG. 27 does not limit the mobile phone, which may include more or fewer components than shown, combine certain components, or arrange the components differently.
Each component of the mobile phone is described in detail below with reference to FIG. 27:
The RF circuit 1510 can be used to receive and send signals while receiving and sending information or during a call; in particular, after receiving downlink information from a base station it passes it to the processor 1580 for processing, and it also sends uplink data to the base station. Generally the RF circuit 1510 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA), a duplexer and so on. In addition, the RF circuit 1510 can also communicate with networks and other devices by wireless communication. That wireless communication may use any communication standard or protocol, including but not limited to Global System of Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS) and so on.
The memory 1520 can be used to store software programs and modules; the processor 1580 executes the various functional applications and data processing of the mobile phone by running the software programs and modules stored in the memory 1520. The memory 1520 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system and the application program(s) required for at least one function (such as a sound playback function or an image playback function), and the data storage area may store data created during use of the mobile phone (such as audio data or a phone book). In addition, the memory 1520 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device.
The input unit 1530 can be used to receive entered numeric or character information and to generate key signal inputs related to user settings and function control of the mobile phone. Specifically, the input unit 1530 may include a touch panel 1531 and other input devices 1532. The touch panel 1531, also called a touch screen, can collect the user's touch operations on or near it (for example operations the user performs on or near the touch panel 1531 with a finger, a stylus or any other suitable object or accessory) and drive the corresponding connected device according to a preset program. Optionally, the touch panel 1531 may include two parts, a touch detection device and a touch controller. The touch detection device detects the position of the user's touch and the signal produced by the touch operation and passes the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into contact coordinates and sends them to the processor 1580, and can receive and execute commands sent by the processor 1580. In addition, the touch panel 1531 can be implemented in various types such as resistive, capacitive, infrared and surface acoustic wave. Besides the touch panel 1531, the input unit 1530 may also include other input devices 1532. Specifically, the other input devices 1532 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys and power keys), a trackball, a mouse, a joystick and the like.
The display unit 1540 can be used to display information entered by the user or provided to the user, as well as the various menus of the mobile phone. The display unit 1540 may include a display panel 1541, which may optionally be configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED) display or the like. Further, the touch panel 1531 may cover the display panel 1541; when the touch panel 1531 detects a touch operation on or near it, it passes the operation to the processor 1580 to determine the type of touch event, and the processor 1580 then provides a corresponding visual output on the display panel 1541 according to the type of touch event. Although in FIG. 27 the touch panel 1531 and the display panel 1541 are two separate components implementing the input and output functions of the mobile phone, in some embodiments the touch panel 1531 and the display panel 1541 may be integrated to implement the input and output functions of the mobile phone.
The mobile phone may also include at least one sensor 1550, such as a light sensor, a motion sensor and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor; the ambient light sensor can adjust the brightness of the display panel 1541 according to the brightness of the ambient light, and the proximity sensor can turn off the display panel 1541 and/or the backlight when the mobile phone is moved to the ear. As one kind of motion sensor, an accelerometer can detect the magnitude of acceleration in each direction (generally three axes) and, at rest, the magnitude and direction of gravity, and can be used for applications that recognize the phone's attitude (such as switching between portrait and landscape, related games, and magnetometer attitude calibration) and for vibration-recognition functions (such as a pedometer or tap detection). Other sensors with which the mobile phone may be equipped, such as a gyroscope, barometer, hygrometer, thermometer and infrared sensor, are not described further here.
The audio circuit 1560, a speaker 1561 and a microphone 1562 provide an audio interface between the user and the mobile phone. The audio circuit 1560 can transmit the electrical signal converted from received audio data to the speaker 1561, which converts it into a sound signal for output; conversely, the microphone 1562 converts a collected sound signal into an electrical signal, which the audio circuit 1560 receives and converts into audio data; the audio data is then output to the processor 1580 for processing and sent, for example, to another mobile phone via the RF circuit 1510, or output to the memory 1520 for further processing.
WiFi is a short-range wireless transmission technology. Through the WiFi module 1570 the mobile phone can help the user send and receive e-mail, browse web pages, access streaming media and so on, providing the user with wireless broadband Internet access. Although FIG. 27 shows the WiFi module 1570, it will be understood that it is not an essential component of the mobile phone and can be omitted as required without changing the essence of the invention.
The processor 1580 is the control centre of the mobile phone. It connects the various parts of the whole mobile phone through various interfaces and lines and, by running or executing the software programs and/or modules stored in the memory 1520 and calling the data stored in the memory 1520, performs the various functions of the mobile phone and processes data, thereby monitoring the mobile phone as a whole. Optionally, the processor 1580 may include one or more processing units; preferably, the processor 1580 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface and application programs, and the modem processor mainly handles wireless communication. It will be understood that the modem processor may also not be integrated into the processor 1580.
The mobile phone also includes a power supply 1590 (such as a battery) that powers the various components. Preferably, the power supply can be logically connected to the processor 1580 through a power management system, so that functions such as charging, discharging and power consumption management are implemented through the power management system.
尽管未示出,手机还可以包括摄像头、蓝牙模块等,在此不再赘述。Although not shown, the mobile phone may also include a camera, a Bluetooth module, etc., which will not be repeated here.
Corresponding to the portable control terminal device described above, in an embodiment of the present invention the processor 1580 included in that terminal additionally has the functions realized by the various embodiments of the WiFi access remote authentication method/apparatus described earlier.
Corresponding to the portable access terminal device described above, in an embodiment of the present invention the processor 1580 included in that terminal additionally has the functions realized by the various embodiments of the WiFi access authentication method/apparatus described earlier.
Similarly, an embodiment of the present invention also provides a WiFi access point device which, like the portable control terminal device and the portable access terminal device, may include the necessary components such as a WiFi module 1570, a memory 1520 and a processor 1580, and runs an application program: the processor loads the application program into memory and executes it, so that the processor 1580 presents the functions realized by the various embodiments of the WiFi access authentication control method/apparatus described earlier.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific operating processes of the systems, apparatus and units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatus and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only a division by logical function, and in actual implementation other divisions are possible: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, apparatus or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist separately in physical form, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware or as a software functional unit.
Those of ordinary skill in the art will understand that all or part of the steps of the methods in the above embodiments may be completed by a program instructing the related hardware. The program may be stored in a computer-readable storage medium, which may include a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk and the like.
The series of solutions provided by the present invention has been described in detail above. Those of ordinary skill in the art will, following the ideas of the embodiments of the present invention, make changes in specific implementation and scope of application. In summary, the content of this specification should not be construed as limiting the present invention.
| Application Number | Publication Number | Priority Date | Filing Date | Title |
|---|---|---|---|---|
| CN201610366296.8A | CN106060817A (en) | 2016-05-27 | 2016-05-27 | Portable access end apparatus, WiFi access authentication method and WiFi access authentication device |

| Publication Number | Publication Date |
|---|---|
| CN106060817A | 2016-10-26 |
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 2016-10-26 |