CN112152810A - Safety control method, device and system - Google Patents
Safety control method, device and systemDownload PDFInfo
- Publication number
- CN112152810A CN112152810ACN201910560952.1ACN201910560952ACN112152810ACN 112152810 ACN112152810 ACN 112152810ACN 201910560952 ACN201910560952 ACN 201910560952ACN 112152810 ACN112152810 ACN 112152810A
- Authority
- CN
- China
- Prior art keywords
- authentication factor
- authentication
- user equipment
- office equipment
- equipment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034methodMethods0.000titleclaimsabstractdescription50
- 238000005096rolling processMethods0.000claimsabstractdescription65
- 238000012544monitoring processMethods0.000claimsabstractdescription42
- 238000004891communicationMethods0.000claimsabstractdescription30
- 238000012795verificationMethods0.000claimsdescription38
- 238000001514detection methodMethods0.000claimsdescription14
- 230000006870functionEffects0.000description13
- 230000001960triggered effectEffects0.000description13
- 230000005540biological transmissionEffects0.000description6
- 238000010586diagramMethods0.000description4
- 238000012905input functionMethods0.000description4
- 230000000737periodic effectEffects0.000description4
- 238000003491arrayMethods0.000description2
- 238000012545processingMethods0.000description2
- 230000004075alterationEffects0.000description1
- 125000004122cyclic groupChemical group0.000description1
- 238000005516engineering processMethods0.000description1
- 238000012986modificationMethods0.000description1
- 230000004048modificationEffects0.000description1
- 230000003287optical effectEffects0.000description1
- 230000002093peripheral effectEffects0.000description1
- 238000006467substitution reactionMethods0.000description1
- 230000001360synchronised effectEffects0.000description1
Images
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3231—Biological data, e.g. fingerprint, voice or retina
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3297—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/80—Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W76/00—Connection management
- H04W76/10—Connection setup
- H04W76/14—Direct-mode setup
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Life Sciences & Earth Sciences (AREA)
- Biodiversity & Conservation Biology (AREA)
- Biomedical Technology (AREA)
- General Health & Medical Sciences (AREA)
- Telephonic Communication Services (AREA)
- Telephone Function (AREA)
Abstract
Description
Translated fromChinese技术领域technical field
本发明涉及一种电子技术领域,尤其涉及一种安全控制方法、装置及系统。The present invention relates to the field of electronic technology, and in particular, to a security control method, device and system.
背景技术Background technique
目前,为了保证办公系统的安全,传统的解决方案是在用户首次登录办公系统时,用户输入用户名和口令或密码,系统对用户输入的用户名和口令或密码进行鉴权,在鉴权通过之后,用户便可以使用办公系统,直到用户手动注销登录状态或手动锁屏,再次使用时需要再次鉴权。At present, in order to ensure the security of the office system, the traditional solution is that when the user logs in to the office system for the first time, the user enters the user name and password or password, and the system authenticates the user name, password or password entered by the user. The user can use the office system until the user manually logs out of the login state or manually locks the screen, and requires re-authentication when using it again.
采用上述的安全控制手段,在用户鉴权通过之后,无法实时监控用户的使用状态,在用户没有用户手动注销登录状态或手动锁屏的情况下,无论用户是否在现场,都不会执行安全控制,但在实际使用时,在鉴权通过之后,手动注销登录状态或手动锁屏之前,用户很可能暂时离开办公位,在这个期间,办公系统并未执行安全控制,则其他用户可能非法使用办公系统,导致信息泄漏或办公系统受到非法攻击等问题。With the above security control methods, after the user authentication is passed, the user's usage status cannot be monitored in real time. If the user does not manually log out or lock the screen, the security control will not be performed regardless of whether the user is present or not. , but in actual use, after the authentication is passed, the user is likely to leave the office temporarily before the login status is manually logged out or the screen is manually locked. During this period, the office system does not implement security control, and other users may illegally use the office system, resulting in information leakage or illegal attacks on the office system.
发明内容SUMMARY OF THE INVENTION
本发明旨在解决上述技术问题。The present invention aims to solve the above-mentioned technical problems.
本发明的主要目的在于提供一种安全控制方法。The main purpose of the present invention is to provide a security control method.
本发明的另一目的在于提供一种安全控制装置。Another object of the present invention is to provide a safety control device.
本发明的又一目的在于提供一种安全控制系统。Another object of the present invention is to provide a safety control system.
为达到上述目的,本发明的技术方案具体是这样实现的:In order to achieve the above object, the technical scheme of the present invention is specifically realized in this way:
本发明一方面提供了一种安全控制方法,包括:步骤1,办公设备与用户设备建立近距离无线通信连接;步骤2,所述办公设备与所述用户设备进行认证因子协商,至少得到初始认证因子,将所述初始认证因子作为所述办公设备当前的第一认证因子;步骤3,所述办公设备监测是否到达预定的认证因子滚动周期和认证扫描周期,在监测到达认证因子滚动周期的情况下,执行步骤4,在监测到达认证扫描周期的情况下,执行步骤5;步骤4,按照与所述用户设备约定的认证因子滚动方式,获取所述办公设备当前的第一认证因子的下一个认证因子,将所述下一个认证因子作为所述办公设备当前的第一认证因子,返回步骤3;步骤5,所述办公设备向所述用户设备发送扫描指令,扫描所述用户设备发送的第二认证因子,在扫描到所述用户设备发送的第二认证因子的情况下,执行步骤6,在没有扫描到所述用户设备发送的第二认证因子的情况下,执行步骤7;步骤6,所述办公设备判断扫描到的所述第二认证因子与所述办公设备当前的第一认证因子是否一致,在一致的情况下,返回步骤3,否则,执行步骤9;步骤7,所述办公设备判断当前距离上一次扫描到所述用户设备发送的第二认证因子的时间间隔是否超过第一预定时间,如果是,则执行步骤9,否则,执行步骤8;步骤8,所述办公设备等待第二预定时间后,向所述用户设备发送扫描指令,扫描所述用户设备发送的第二认证因子,在扫描到所述用户设备发送的第二认证因子的情况下,执行步骤6,在没有扫描到所述用户设备发送的第二认证因子的情况下,执行步骤7,其中,第二预定时间小于第一预定时间;步骤9,所述办公设备按照预定的安全策略执行相应的第一安全控制操作。One aspect of the present invention provides a security control method, including: step 1, establishing a short-range wireless communication connection between office equipment and user equipment; step 2, negotiating authentication factors between the office equipment and the user equipment to obtain at least initial authentication factor, the initial authentication factor is taken as the current first authentication factor of the office equipment; Step 3, the office equipment monitors whether the predetermined authentication factor rolling period and authentication scanning period are reached, and when the monitoring reaches the authentication factor rolling period Then, go to step 4, when the monitoring reaches the authentication scan cycle, go to step 5; step 4, according to the authentication factor rolling mode agreed with the user equipment, obtain the next one of the current first authentication factor of the office equipment authentication factor, take the next authentication factor as the current first authentication factor of the office equipment, and return to step 3; in step 5, the office equipment sends a scan instruction to the user equipment to scan the first authentication factor sent by the user equipment Two authentication factors, in the case of scanning the second authentication factor sent by the user equipment, go to step 6, and in the case of not scanning the second authentication factor sent by the user equipment, go to step 7; Step 6, The office equipment determines whether the scanned second authentication factor is consistent with the current first authentication factor of the office equipment. The device determines whether the current time interval from the last scan to the second authentication factor sent by the user equipment exceeds the first predetermined time, and if so, execute step 9, otherwise, execute step 8; step 8, the office equipment waits After the second predetermined time, send a scan instruction to the user equipment, scan the second authentication factor sent by the user equipment, and perform step 6 in the case where the second authentication factor sent by the user equipment is scanned, and if there is no second authentication factor sent by the user equipment In the case where the second authentication factor sent by the user equipment is scanned, step 7 is performed, wherein the second predetermined time is less than the first predetermined time; step 9, the office equipment performs the corresponding first security according to the predetermined security policy. Control operation.
可选地,所述步骤3还包括:所述办公设备监测是否有预定的关键事件发生,在监测到有关键事件发生的情况下,执行步骤10;步骤10,所述办公设备启动摄像装置采集用户的人脸数据,判断采集到的人脸数据与所述办公设备中存储的认证人脸数据进行是否匹配,如果是,则返回步骤3,否则,执行步骤9。Optionally, the step 3 further includes: the office equipment monitors whether a predetermined key event occurs, and in the case of monitoring the occurrence of a key event, step 10 is performed; in step 10, the office equipment starts the camera to collect data For the user's face data, it is judged whether the collected face data matches the authenticated face data stored in the office equipment, if so, go back to step 3, otherwise, go to step 9.
可选地,所述预定的关键事件包括以下至少之一:所述办公设备与所述用户设备协商认证因子完成、所述办公设备接收到加密输入指令、以及所述办公设备接收到密码输入指令。Optionally, the predetermined key event includes at least one of the following: the negotiation between the office equipment and the user equipment for an authentication factor is completed, the office equipment receives an encrypted input instruction, and the office equipment receives a password input instruction. .
可选地,按照与所述用户设备约定的认证因子滚动方式,获取所述办公设备当前的第一认证因子的下一个认证因子,包括:所述办公设备按照预设策略从认证因子池中选择所述办公设备当前的第一认证因子的下一个认证因子,其中,所述认证因子池中包括包含所述初始认证因子在内的多个认证因子;或者,所述办公设备按照与所述用户设备协商的认证因子算法,对所述办公设备当前的第一认证因子或生成所述办公设备当前的第一认证因子的预设参数进行计算,得到所述办公设备当前的第一认证因子的下一个认证因子;或者所述办公设备读取认证因子计算器的当前值,将所述认证因子计算器的当前值作为所述办公设备当前的第一认证因子的下一个认证因子。Optionally, acquiring the next authentication factor of the current first authentication factor of the office device according to the authentication factor rolling manner agreed with the user equipment includes: selecting the office device from an authentication factor pool according to a preset policy. The next authentication factor of the current first authentication factor of the office equipment, wherein the authentication factor pool includes a plurality of authentication factors including the initial authentication factor; The authentication factor algorithm negotiated by the equipment calculates the current first authentication factor of the office equipment or the preset parameters for generating the current first authentication factor of the office equipment, and obtains the lower value of the current first authentication factor of the office equipment. an authentication factor; or the office equipment reads the current value of the authentication factor calculator, and uses the current value of the authentication factor calculator as the next authentication factor of the current first authentication factor of the office equipment.
可选地,在所述办公设备按照预定的安全策略执行相应的第一安全控制操作之后,所述方法还包括:所述办公设备删除本地保存的所有认证因子。Optionally, after the office equipment performs a corresponding first security control operation according to a predetermined security policy, the method further includes: the office equipment deletes all authentication factors stored locally.
可选地,所述办公设备与所述用户设备进行认证因子协商之后,所述方法还包括:所述用户设备进入休眠状态,每隔预定唤醒周期唤醒一次,在唤醒期间,广播所述用户设备当前的第二认证因子。Optionally, after the office equipment and the user equipment negotiate the authentication factor, the method further includes: the user equipment enters a dormant state, wakes up every predetermined wake-up period, and broadcasts the user equipment during the wake-up period. The current second authentication factor.
可选地,所述办公设备与所述用户设备进行认证因子协商之后,所述方法还包括:-所述用户设备判断在所述第一预定时间内是否接收到所述办公设备发送的扫描认证指令,如果是,则所述用户设备发送所述用户设备当前的第二认证因子,否则,所述用户设备删除本地保存的所有第二认证因子。Optionally, after the office equipment and the user equipment perform authentication factor negotiation, the method further includes: - the user equipment determines whether the scanning authentication sent by the office equipment is received within the first predetermined time. instruction, if yes, the user equipment sends the current second authentication factor of the user equipment, otherwise, the user equipment deletes all the second authentication factors stored locally.
可选地,在所述步骤5中,在没有扫描到所述用户设备发送的第二认证因子的情况下,在执行步骤7之前,所述方法还包括:所述办公设备判断当前距离上一次扫描到所述用户设备发送的第二认证因子的时间间隔是否超过预定门限内,如果否,则返回步骤3,如果是,则按照预定的安全策略执行相应的第二安全控制操作,然后执行步骤7。Optionally, in step 5, in the case where the second authentication factor sent by the user equipment is not scanned, before step 7 is performed, the method further includes: the office equipment judges the current distance from the last time Scan to see whether the time interval of the second authentication factor sent by the user equipment exceeds the predetermined threshold, if not, return to step 3, if yes, perform the corresponding second security control operation according to the predetermined security policy, and then perform the steps 7.
本发明另一方面提供了一种安全控制装置,位于办公设备中,包括:通信建立模块,用于与用户设备建立近距离无线通信连接;认证因子协商模块,用于与所述用户设备进行相互认证并协商认证因子,至少得到初始认证因子,将所述初始认证因子作为所述办公设备当前的第一认证因子;周期监测模块,用于监测是否到达预定的认证因子滚动周期或认证扫描周期,在监测到达认证因子滚动周期的情况下,触发认证因子滚动模块,在监测到达认证扫描周期的情况下,触发心跳检测模块;所述认证因子滚动模块,用于按照与所述用户设备约定的认证因子滚动方式,获取所述办公设备当前的第一认证因子的下一个认证因子,将所述下一个认证因子作为所述办公设备当前的第一认证因子,触发所述周期监测模块;所述心跳检测模块,用于向所述用户设备发送扫描认证指令,扫描所述用户设备发送的第二认证因子,在扫描到所述用户设备发送的第二认证因子的情况下,触发认证因子验证模块,在没有扫描到所述用户设备发送的第二认证因子的情况下,触发回连验证模块;所述认证因子验证模块,用于判断扫描到的所述第二认证因子与所述办公设备当前的第一认证因子是否一致,在一致的情况下,触发所述周期监测模块,否则,触发安全控制模块;所述回连验证模块,用于判断当前距离上一次扫描到所述用户设备广播的第二认证因子的时间间隔是否超过第一预定时间,如果是,则触发所述安全控制模块,否则触发回连数据监测模块;所述回连数据监测模块,用于在等待第二预定时间后,向所述用户设备发送扫描指令,扫描所述用户设备发送的第二认证因子,在扫描到所述用户设备发送的第二认证因子的情况下,触发所述认证因子验证模块,在没有扫描到所述用户设备发送的第二认证因子的情况下,触发所述回连验证模块,其中,第二预定时间小于第一预定时间;所述安全控制模块,用于按照预定的安全策略执行相应的第一安全控制操作。Another aspect of the present invention provides a security control device located in office equipment, comprising: a communication establishment module for establishing a short-range wireless communication connection with user equipment; an authentication factor negotiation module for communicating with the user equipment Authenticate and negotiate an authentication factor, obtain at least an initial authentication factor, and use the initial authentication factor as the current first authentication factor of the office equipment; the cycle monitoring module is used to monitor whether a predetermined authentication factor rolling cycle or authentication scanning cycle is reached, The authentication factor rolling module is triggered when the monitoring reaches the authentication factor rolling period, and the heartbeat detection module is triggered when the monitoring reaches the authentication scanning period; the authentication factor rolling module is used for authentication according to the agreement with the user equipment In factor rolling mode, the next authentication factor of the current first authentication factor of the office equipment is obtained, and the next authentication factor is used as the current first authentication factor of the office equipment, and the period monitoring module is triggered; the heartbeat a detection module, configured to send a scan authentication instruction to the user equipment, scan the second authentication factor sent by the user equipment, and trigger the authentication factor verification module when the second authentication factor sent by the user equipment is scanned, In the case where the second authentication factor sent by the user equipment is not scanned, the connection-back verification module is triggered; the authentication factor verification module is used to determine whether the scanned second authentication factor is the same as that of the office equipment. Whether the first authentication factors are consistent, in the case of consistency, trigger the period monitoring module, otherwise, trigger the security control module; the connection verification module is used to determine the current distance from the last scan to the first broadcast of the user equipment. Whether the time interval between the two authentication factors exceeds the first predetermined time, if so, trigger the security control module, otherwise trigger the back-connection data monitoring module; the back-connection data monitoring module is used to, after waiting for the second predetermined time, Send a scan instruction to the user equipment, scan the second authentication factor sent by the user equipment, and trigger the authentication factor verification module when the second authentication factor sent by the user equipment is scanned, and the authentication factor verification module is not scanned. In the case of the second authentication factor sent by the user equipment, the connection back verification module is triggered, wherein the second predetermined time is less than the first predetermined time; the security control module is configured to execute the corresponding The first security control operation.
可选地,还包括:人脸验证模块;所述周期监测模块还用于是否有预定的关键事件发生,在监测到有关键事件发生的情况下,触发人脸验证模块;所述人脸验证模块,用于启动摄像装置采集用户的人脸数据,判断采集到的人脸数据与所述办公设备中存储的认证人脸数据进行是否匹配,如果是,则触发所述周期监测模块,否则,触发所述安全控制模块。Optionally, it also includes: a face verification module; the periodic monitoring module is also used for whether a predetermined key event occurs, and in the case of monitoring the occurrence of a key event, the face verification module is triggered; the face verification module, used to start the camera to collect the user's face data, and determine whether the collected face data matches the authenticated face data stored in the office equipment, if so, trigger the periodic monitoring module, otherwise, Trigger the security control module.
可选地,所述认证因子滚动模块按照以下方式获取所述办公设备当前的第一认证因子的下一个认证因子:按照预设策略从认证因子池中选择所述办公设备当前的第一认证因子的下一个认证因子,其中,所述认证因子池中包括包含所述初始认证因子在内的多个认证因子;或者,按照与所述用户设备协商的认证因子算法,对所述办公设备当前的第一认证因子或生成所述办公设备当前的第一认证因子的预设参数进行计算,得到所述办公设备当前的第一认证因子的下一个认证因子;或者读取认证因子计算器的当前值,将所述认证因子计算器的当前值作为所述办公设备当前的第一认证因子的下一个认证因子。Optionally, the authentication factor rolling module obtains the next authentication factor of the current first authentication factor of the office equipment in the following manner: selecting the current first authentication factor of the office equipment from the authentication factor pool according to a preset policy the next authentication factor, wherein the authentication factor pool includes multiple authentication factors including the initial authentication factor; or, according to the authentication factor algorithm negotiated with the user equipment, the current Calculate the first authentication factor or a preset parameter that generates the current first authentication factor of the office equipment to obtain the next authentication factor of the current first authentication factor of the office equipment; or read the current value of the authentication factor calculator , taking the current value of the authentication factor calculator as the next authentication factor of the current first authentication factor of the office equipment.
可选地,还包括:密钥清空模块,用于在所述安全控制模块执行所述第一安全控制操作之后,删除所述办公设备保存的所有认证因子。Optionally, it further includes: a key clearing module, configured to delete all authentication factors saved by the office equipment after the security control module performs the first security control operation.
可选地,还包括:门限检测模块,用于在所述心跳检测模块没有扫描到所述用户设备发送的第二认证因子的情况下,在触发所述回连验证模块之前,判断当前距离上一次扫描到所述用户设备发送的第二认证因子的时间间隔是否超过预定门限内,如果未超过,则触发所述周期监测模块,否则,按照预定的安全策略执行相应的第二安全控制操作,然后触发所述回连验证模块。Optionally, it also includes: a threshold detection module, configured to determine whether the current distance is higher than the current distance before triggering the back-connection verification module when the heartbeat detection module does not scan the second authentication factor sent by the user equipment. Whether the time interval from a scan to the second authentication factor sent by the user equipment exceeds a predetermined threshold, if not, trigger the period monitoring module, otherwise, perform a corresponding second security control operation according to a predetermined security policy, Then the connection back verification module is triggered.
本发明又一方面提供了一种安全控制系统,包括办公设备和用户设备,其中,所述办公设备包括上述的安全控制装置;所述用户设备,用于:与所述办公设备建立近距离无线通信连接;与所述用户设备进行认证因子协商,得到初始认证因子,将所述初始认证因子作为所述用户设备当前的第二认证因子;接收所述办公设备发送的扫描认证指令,发送所述用户设备当前的第二认证因子;以及在监测到达认证因子滚动周期时,按照与所述办公设备约定的认证因子滚动方式获取所述用户设备当前的第二认证因子的下一个第二认证因子,将所述下一个第二认证因子作为所述用户设备当前的第二认证因子。Another aspect of the present invention provides a security control system, including office equipment and user equipment, wherein the office equipment includes the above-mentioned security control device; the user equipment is configured to: establish a short-range wireless connection with the office equipment communication connection; perform authentication factor negotiation with the user equipment to obtain an initial authentication factor, and use the initial authentication factor as the current second authentication factor of the user equipment; receive the scanning authentication instruction sent by the office equipment, and send the the current second authentication factor of the user equipment; and when monitoring the arrival of the authentication factor rolling period, acquiring the next second authentication factor of the current second authentication factor of the user equipment according to the authentication factor rolling manner agreed with the office equipment, The next second authentication factor is used as the current second authentication factor of the user equipment.
可选地,所述用户设备还用于在预定时间段内未接收到所述办公设备发送的扫描认证指令的情况下,删除本地保存所有第二认证因子。Optionally, the user equipment is further configured to delete all the second authentication factors stored locally if the scan authentication instruction sent by the office equipment is not received within a predetermined period of time.
可选地,所述用户设备还用于在与所述用户设备进行认证因子协商之后,进入休眠状态,每隔预定唤醒周期唤醒一次,在唤醒期间,广播所述用户设备当前的第二认证因子。Optionally, the user equipment is further configured to enter a dormant state after performing authentication factor negotiation with the user equipment, wake up every predetermined wake-up period, and broadcast the current second authentication factor of the user equipment during the wake-up period. .
由上述本发明提供的技术方案可以看出,本发明提供了一种安全控制方案,在本发明提供的技术方案中,办公设备与用户设备建立近距离无线通信连接,协商认证因子,按预定的认证因子滚动周期更新认证因子,按预定的认证扫描周期扫描用户设备发送的认证因子,在预定时间间隔内没有扫描到用户设备发送的认证因子的情况下,执行安全控制操作,从而可以在用户登录之后,实时监控用户是否离开办公设备,并在用户离开办公设备超过预定时间的情况下,执行安全控制操作,避免了在用户离开期间,其他用户非法使用办公系统,导致信息泄漏或办公系统受到非法攻击等问题。It can be seen from the technical solution provided by the present invention that the present invention provides a security control solution. In the technical solution provided by the present invention, the office equipment and the user equipment establish a short-range wireless communication connection, negotiate the authentication factor, and press the predetermined value. The authentication factor updates the authentication factor in a rolling cycle, scans the authentication factor sent by the user equipment according to the predetermined authentication scanning cycle, and performs the security control operation if the authentication factor sent by the user equipment is not scanned within the predetermined time interval, so that the user can log in After that, it monitors whether the user leaves the office equipment in real time, and performs security control operations when the user leaves the office equipment for more than a predetermined time, so as to prevent other users from illegally using the office system during the user’s departure, resulting in information leakage or illegal office systems. attacks, etc.
附图说明Description of drawings
为了更清楚地说明本发明实施例的技术方案,下面将对实施例描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的一些实施例,对于本领域的普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他附图。In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the following briefly introduces the accompanying drawings used in the description of the embodiments. Obviously, the drawings in the following description are only some embodiments of the present invention. For those of ordinary skill in the art, other drawings can also be obtained from these drawings without any creative effort.
图1为本发明实施例1提供的一种安全控制系统的架构示意图;FIG. 1 is a schematic structural diagram of a safety control system according to Embodiment 1 of the present invention;
图2为本发明实施例2提供的一种安全控制方法的流程图;2 is a flowchart of a security control method provided in Embodiment 2 of the present invention;
图3为本发明实施例3提供的一种安全控制装置的结构示意图。FIG. 3 is a schematic structural diagram of a safety control device according to Embodiment 3 of the present invention.
具体实施方式Detailed ways
下面结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本发明一部分实施例,而不是全部的实施例。基于本发明的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本发明的保护范围。The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only a part of the embodiments of the present invention, rather than all the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative work fall within the protection scope of the present invention.
在本发明的描述中,需要理解的是,术语“中心”、“纵向”、“横向”、“上”、“下”、“前”、“后”、“左”、“右”、“竖直”、“水平”、“顶”、“底”、“内”、“外”等指示的方位或位置关系为基于附图所示的方位或位置关系,仅是为了便于描述本发明和简化描述,而不是指示或暗示所指的装置或元件必须具有特定的方位、以特定的方位构造和操作,因此不能理解为对本发明的限制。此外,术语“第一”、“第二”仅用于描述目的,而不能理解为指示或暗示相对重要性或数量或位置。In the description of the present invention, it should be understood that the terms "center", "portrait", "horizontal", "top", "bottom", "front", "rear", "left", "right", " The orientation or positional relationship indicated by vertical, horizontal, top, bottom, inner, outer, etc. is based on the orientation or positional relationship shown in the drawings, and is only for the convenience of describing the present invention and The description is simplified rather than indicating or implying that the device or element referred to must have a particular orientation, be constructed and operate in a particular orientation, and therefore should not be construed as limiting the invention. Furthermore, the terms "first" and "second" are used for descriptive purposes only and should not be construed to indicate or imply relative importance or quantity or position.
在本发明的描述中,需要说明的是,除非另有明确的规定和限定,术语“安装”、“相连”、“连接”应做广义理解,例如,可以是固定连接,也可以是可拆卸连接,或一体地连接;可以是机械连接,也可以是电连接;可以是直接相连,也可以通过中间媒介间接相连,可以是两个元件内部的连通。对于本领域的普通技术人员而言,可以具体情况理解上述术语在本发明中的具体含义。In the description of the present invention, it should be noted that the terms "installed", "connected" and "connected" should be understood in a broad sense, unless otherwise expressly specified and limited, for example, it may be a fixed connection or a detachable connection Connection, or integral connection; can be mechanical connection, can also be electrical connection; can be directly connected, can also be indirectly connected through an intermediate medium, can be internal communication between two elements. For those of ordinary skill in the art, the specific meanings of the above terms in the present invention can be understood in specific situations.
下面将结合附图对本发明实施例作进一步地详细描述。The embodiments of the present invention will be described in further detail below with reference to the accompanying drawings.
实施例1Example 1
本实施例提供了一种安全控制系统。This embodiment provides a safety control system.
图1为本实施例提供的一种安全控制系统的架构示意图,如图1所示,该安全控制系统主要包括:办公设备10和用户设备20。在本实施例中,办公设备10可以是电脑,也可以是具有一定处理能力的外围设备,例如,安全键盘等。用户设备20可以是方便用户随身携带的电子设备,例如,手机,或者智能卡等,用户设备20中可以存储具有唯一性的用户标识,例如,用户ID,通过用户设备20可以确定用户的身份。FIG. 1 is a schematic structural diagram of a security control system provided in this embodiment. As shown in FIG. 1 , the security control system mainly includes: office equipment 10 and user equipment 20 . In this embodiment, the office device 10 may be a computer, or may be a peripheral device with a certain processing capability, for example, a security keyboard or the like. The user equipment 20 may be an electronic device that is convenient for the user to carry around, such as a mobile phone or a smart card. The user equipment 20 may store a unique user identifier, such as a user ID, through which the user's identity may be determined.
在本实施例中,办公设备10与用户设备20建立近距离无线通信连接。在具体应用中,办公设备10与用户设备20之间可以通过蓝牙、WIFI等建立无线通信,具体本实施例中不作限定。In this embodiment, the office equipment 10 establishes a short-range wireless communication connection with the user equipment 20 . In a specific application, wireless communication may be established between the office equipment 10 and the user equipment 20 through Bluetooth, WIFI, etc., which is not specifically limited in this embodiment.
在具体应用中,在办公设备10与用户设备20之间建立无线通信连接之前,用户设备20之间可以通过刷卡、扫码等方式进行身份认证。例如,办公设备10上设置读卡模块,在用户需要登录办公系统时,用户设备20(可以为智能卡)放置在办公设备10的读卡模块处刷卡,办公设备10读取用户设备20中存储的身份认证信息,身份认证信息可以是用户名及密码等,然后办公设备10对读取的身份认证信息进行身份认证,身份认证通过之后,完成安全登录。In a specific application, before a wireless communication connection is established between the office equipment 10 and the user equipment 20, identity authentication can be performed between the user equipment 20 by swiping a card, scanning a code, or the like. For example, a card reading module is set on the office equipment 10. When the user needs to log in to the office system, the user equipment 20 (which can be a smart card) is placed at the card reading module of the office equipment 10 to swipe the card, and the office equipment 10 reads the data stored in the user equipment 20. Identity authentication information, the identity authentication information can be a user name and password, etc., and then the office device 10 performs identity authentication on the read identity authentication information, and after the identity authentication is passed, the secure login is completed.
在办公设备10与用户设备20之间建立无线通信连接时,办公设备10与用户设备20之间可以交换双方的设备信息,通过交换的设备信息建立无线通信连接,例如,如果办公设备10与用户设备20之间建立蓝牙连接,则办公设备10与用户设备20之间可以交换蓝牙连接信息,进行蓝牙配对,从而完成蓝牙连接。When a wireless communication connection is established between the office equipment 10 and the user equipment 20, the office equipment 10 and the user equipment 20 can exchange equipment information on both sides, and establish a wireless communication connection through the exchanged equipment information. For example, if the office equipment 10 and the user equipment When a Bluetooth connection is established between the devices 20, the Bluetooth connection information can be exchanged between the office device 10 and the user device 20, and Bluetooth pairing can be performed to complete the Bluetooth connection.
在建立近距离无线通信连接之后,办公设备10与用户设备20进行认证因子协商,至少得到初始认证因子,办公设备10和用户设备20分别将该初始认证因子作为办公设备10当前的第一认证因子和用户设备20当前的第二认证因子。在具体应用中,在办公设备10对用户设备20的身份认证通过之后,办公设备10与用户设备20协商认证因子。After the short-range wireless communication connection is established, the office equipment 10 and the user equipment 20 perform authentication factor negotiation to obtain at least an initial authentication factor. The office equipment 10 and the user equipment 20 respectively use the initial authentication factor as the current first authentication factor of the office equipment 10. and the current second authentication factor of the user equipment 20. In a specific application, after the identity authentication of the user equipment 20 by the office equipment 10 is passed, the office equipment 10 negotiates an authentication factor with the user equipment 20 .
在本发明实施例的一个可选实施方式中,认证因子可以是密钥。例如,办公设备10与用户设备20在协商认证因子时,办公设备10与用户设备20可以先建立安全通道,然后办公设备10与用户设备20协商并生成初始的传输密钥,将传输密钥作为认证因子。In an optional implementation of the embodiment of the present invention, the authentication factor may be a key. For example, when the office equipment 10 and the user equipment 20 negotiate the authentication factor, the office equipment 10 and the user equipment 20 can first establish a secure channel, and then the office equipment 10 and the user equipment 20 negotiate and generate an initial transmission key, and use the transmission key as the Authentication factor.
在具体应用中,为了保证传输密钥的安全,办公设备10与用户设备20在建立安全通道时,可以通过办公设备10和用户设备20的公私钥对进行相互的身份认证,例如,办公设备10可以产生随机数,使用办公设备10的私钥对随机数进行签名,将签名数据和随机数发送给用户设备20,用户设备20使用办公设备10的公钥,对接收到的签名数据进行验签,验签通过,则确认办公设备10的身份,而用户设备20可以使用自身的私钥对接收到的随机数进行签名,将签名得到的签名数据发送给办公设备10,办公设备10使用用户设备20的公钥对接收到的签名数据进行验签,验签通过,则确认用户设备20的身份。当然,在实际应用中,办公设备10和用户设备20之间还可以采用其它的方式进行相互的身份认证,具体本实施例中不作限定。In a specific application, in order to ensure the security of the transmission key, when the office equipment 10 and the user equipment 20 establish a secure channel, they can perform mutual identity authentication through the public and private key pairs of the office equipment 10 and the user equipment 20. For example, the office equipment 10 A random number can be generated, the random number is signed using the private key of the office equipment 10, and the signature data and random number are sent to the user equipment 20, and the user equipment 20 uses the public key of the office equipment 10 to verify the received signature data. , the signature is passed, the identity of the office equipment 10 is confirmed, and the user equipment 20 can use its own private key to sign the received random number, and send the signature data obtained by the signature to the office equipment 10. The office equipment 10 uses the user equipment The public key of 20 verifies the received signature data, and if the verification is passed, the identity of the user equipment 20 is confirmed. Of course, in practical applications, other methods may also be used for mutual identity authentication between the office equipment 10 and the user equipment 20, which is not specifically limited in this embodiment.
在本发明实施例的另一个可选实施方式中,认证因子也可以是办公设备10和用户设备20的本地时钟的时间值。在该可选实施方式中,办公设备10与用户设备20在协商认证因子时,进行时间同步,在时间同步后,办公设备10与用户设备20各自将本地时钟的当前值作为初始认证因子。In another optional implementation of the embodiment of the present invention, the authentication factor may also be the time value of the local clocks of the office equipment 10 and the user equipment 20 . In this optional embodiment, the office equipment 10 and the user equipment 20 perform time synchronization when negotiating the authentication factor. After the time synchronization, the office equipment 10 and the user equipment 20 each use the current value of the local clock as the initial authentication factor.
或者,在本发明实施例的另一个可选实施方式中,认证因子也可以是办公设备10和用户设备20的本地计数器的数值。在该可选实施方式中,办公设备10与用户设备20在协商认证因子时,确定相互间的本地计数器的初始值相同,然后办公设备10与用户设备20各自将本地计数器的当前值作为初始认证因子。在具体应用中,办公设备10和用户设备20的本地计数器用于记录相同事件发生的次数,例如,可以记录本地的认证因子的滚动次数,即每当办公设备10当前的第一认证因子的值改变一次,办公设备10的本地记数器的值就加1,同样,用户设备20当前的第二认证因子的值每变化一次,用户设备20侧的本地记数器的值也加1,从而可以保证办公设备10和用户设备20的记数器的值一致。Or, in another optional implementation of the embodiment of the present invention, the authentication factor may also be the value of the local counter of the office equipment 10 and the user equipment 20 . In this optional embodiment, when the office equipment 10 and the user equipment 20 negotiate the authentication factor, it is determined that the initial value of the local counter is the same, and then the office equipment 10 and the user equipment 20 each use the current value of the local counter as the initial authentication factor. In a specific application, the local counters of the office equipment 10 and the user equipment 20 are used to record the number of occurrences of the same event, for example, the rolling times of the local authentication factor can be recorded, that is, whenever the current value of the first authentication factor of the office equipment 10 If the value of the local counter of the office equipment 10 is changed once, the value of the local counter of the office equipment 10 is incremented by 1. Similarly, every time the value of the current second authentication factor of the user equipment 20 changes, the value of the local counter of the user equipment 20 is also incremented by 1, so that The values of the counters of the office equipment 10 and the user equipment 20 can be guaranteed to be the same.
在本发明实施例中,办公设备10在与用户设备20认证因子协商完成后,办公设备10监测是否到达预定的认证因子滚动周期和认证扫描周期:In this embodiment of the present invention, after the office device 10 completes the authentication factor negotiation with the user device 20, the office device 10 monitors whether the predetermined authentication factor rolling period and authentication scanning period are reached:
(1)在监测到达认证因子滚动周期的情况下,按照与用户设备20约定的认证因子滚动方式,获取办公设备10当前的第一认证因子的下一个认证因子,将下一个认证因子作为办公设备10当前的第一认证因子,然后继续监测是否到达预定的认证因子滚动周期和认证扫描周期。(1) When the monitoring reaches the authentication factor rolling period, according to the authentication factor rolling method agreed with the user equipment 20, obtain the next authentication factor of the current first authentication factor of the office equipment 10, and use the next authentication factor as the office equipment 10 the current first authentication factor, and then continue to monitor whether the predetermined authentication factor rolling period and authentication scanning period are reached.
(2)在监测到达认证扫描周期的情况下,办公设备10向用户设备20发送扫描指令,扫描用户设备20发送的第二认证因子,在扫描到用户设备20发送的第二认证因子的情况下,判断扫描到的第二认证因子与办公设备10当前的第一认证因子是否一致,在一致的情况下,继续监测是否到达预定的认证因子滚动周期和认证扫描周期,在不一致的情况下,办公设备10按照预定的安全策略执行相应的第一安全控制操作;在没有扫描到用户设备20发送的第二认证因子的情况下,办公设备10判断当前距离上一次扫描到用户设备20发送的第二认证因子的时间间隔是否超过第一预定时间,如果是,则办公设备10按照预定的安全策略执行相应的第一安全控制操作,否则,办公设备10等待第二预定时间后,向用户设备20发送扫描指令,扫描用户设备20发送的第二认证因子,在扫描到用户设备20发送的第二认证因子的情况下,判断扫描到的第二认证因子与办公设备10当前的第一认证因子是否一致,在一致的情况下,继续监测是否到达预定的认证因子滚动周期和认证扫描周期,在不一致的情况下,办公设备10按照预定的安全策略执行相应的第一安全控制操作,在没有扫描到用户设备20发送的第二认证因子的情况下,办公设备10返回执行判断当前距离上一次扫描到用户设备20发送的第二认证因子的时间间隔是否超过第一预定时间的操作,其中,第二预定时间小于第一预定时间。(2) When the monitoring reaches the authentication scan period, the office equipment 10 sends a scan instruction to the user equipment 20 to scan the second authentication factor sent by the user equipment 20. In the case of scanning the second authentication factor sent by the user equipment 20 , determine whether the scanned second authentication factor is consistent with the current first authentication factor of the office equipment 10, and if they are consistent, continue to monitor whether the predetermined authentication factor rolling cycle and authentication scanning cycle are reached. The device 10 performs the corresponding first security control operation according to the predetermined security policy; if the second authentication factor sent by the user device 20 is not scanned, the office device 10 determines the current distance from the second authentication factor sent by the user device 20 after the last scan. Whether the time interval of the authentication factor exceeds the first predetermined time, if so, the office equipment 10 executes the corresponding first security control operation according to the predetermined security policy; Scan instruction, scan the second authentication factor sent by the user equipment 20, and in the case of scanning the second authentication factor sent by the user equipment 20, determine whether the scanned second authentication factor is consistent with the current first authentication factor of the office equipment 10 , in the case of consistency, continue to monitor whether the predetermined authentication factor rolling period and authentication scanning period are reached, in the case of inconsistency, the office equipment 10 executes the corresponding first security control operation according to the predetermined security policy. In the case of the second authentication factor sent by the device 20, the office device 10 returns to execute the operation of judging whether the current time interval from the last scan to the second authentication factor sent by the user device 20 exceeds the first predetermined time, wherein the second predetermined time The time is less than the first predetermined time.
在本发明实施例中,第二预定时间的时长可以小于认证扫描周期的时长,即在本发明实施例中,办公设备10在某个认证扫描周期到达时,如果没有扫描到用户设备20发送的第二认证因子,则办公设备10可以缩短扫描周期,扫描用户设备20发送的第二认证因子,以及时对用户设备20的第二认证因子进行认证。In this embodiment of the present invention, the duration of the second predetermined time may be less than the duration of the authentication scan period, that is, in this embodiment of the present invention, when the office equipment 10 arrives in a certain authentication scan period, if no scan sent by the user equipment 20 is detected For the second authentication factor, the office equipment 10 can shorten the scanning period, scan the second authentication factor sent by the user equipment 20, and authenticate the second authentication factor of the user equipment 20 in time.
通过本发明实施例提供的上述安全控制系统,办公设备10与用户设备20建立近距离无线通信连接,协商认证因子,按预定的认证因子滚动周期更新认证因子,按预定的认证扫描周期扫描用户设备发送的认证因子,在预定时间间隔内没有扫描到用户设备发送的认证因子的情况下,执行第一安全控制操作,从而可以在用户登录之后,实时监控用户是否离开办公设备,并在用户离开办公设备超过预定时间的情况下,执行安全控制操作,避免了在用户离开期间,其他用户非法使用办公系统,导致信息泄漏或办公系统受到非法攻击等问题。Through the above-mentioned security control system provided by the embodiment of the present invention, the office equipment 10 establishes a short-range wireless communication connection with the user equipment 20, negotiates an authentication factor, updates the authentication factor according to a predetermined rolling period of the authentication factor, and scans the user equipment according to the predetermined authentication scanning period If the authentication factor sent by the user equipment is not scanned within a predetermined time interval, the first security control operation is performed, so that after the user logs in, whether the user leaves the office equipment can be monitored in real time, and when the user leaves the office When the device exceeds the predetermined time, the security control operation is performed to avoid other users illegally using the office system while the user is away, resulting in information leakage or illegal attacks on the office system.
在本发明实施例的一个可选实施方式中,办公设备10在没有扫描到用户设备20发送的第二认证因子的情况下,在判断当前距离上一次扫描到用户设备20发送的第二认证因子的时间间隔是否超过第一预设时间之前,可以先判断当前距离上一次扫描到用户设备20发送的第二认证因子的时间间隔是否超过预定门限,如果是,则先按照预定的安全策略执行相应的第二安全控制操作,然后再判断当前距离上一次扫描到用户设备20发送的第二认证因子的时间间隔是否超过第一预设时间。其中,预定门限所指示的时间值小于第一预设时间所指示的时间值。In an optional implementation of this embodiment of the present invention, in the case where the office device 10 does not scan the second authentication factor sent by the user equipment 20, the office device 10 determines the current distance from the last scan to the second authentication factor sent by the user equipment 20. Before the time interval exceeds the first preset time, you can first judge whether the current time interval from the last scan to the second authentication factor sent by the user equipment 20 exceeds the predetermined threshold, if so, execute the corresponding the second security control operation, and then determine whether the current time interval from the last scan to the second authentication factor sent by the user equipment 20 exceeds the first preset time. Wherein, the time value indicated by the predetermined threshold is smaller than the time value indicated by the first preset time.
在上述可选实施方式中,第一安全控制操作与第二安全控制操作是不同的安全操作,在具体应用中,第一安全控制操作可以是比第二安全控制操作更为严格的安全控制操作,例如,第一安全控制操作可以包括:向办公设备10的主处理器发送登出系统的指令和/或向办公设备10的主处理器发送关机指令。而第二安全控制操作可以包括:向办公设备10的主处理器发送锁屏指令和/或向办公设备10的报警器发送报警指令等。通过该可选实施方式,可以执行分级的安全控制策略,例如,在具体应用中,预定门限可以设置为5分钟,第一预设时间可以设置为10分钟,办公设备10在5分钟内没有扫描到用户设备20发送的第二认证因子,则执行第二安全控制操作,向办公设备10的主处理器发送锁屏指令和/或向办公设备10的报警器发送报警指令,主机锁屏和/或报警器报警,但办公设备10维持认证因子的滚动,如果在5-10分钟之间,收到用户设备20发送的第二认证因子,则对接收到的第二认证因子进行认证,在认证通过之后,继续维持认证因子滚动,并定期扫描用户设备20发送的第二认证因子,如果到10分钟还未收到用户设备20发送的第二认证因子,则执行第一安全控制操作,向办公设备10的主处理器发送登出系统的指令和/或向办公设备10的主处理器发送关机指令,办公设备10的主处理器接收到指令之后,执行相应的操作,办公设备10退出当前流程,不再执行认证因子滚动和认证因子的定期扫描。In the foregoing optional implementation manner, the first security control operation and the second security control operation are different security operations, and in a specific application, the first security control operation may be a more stringent security control operation than the second security control operation For example, the first security control operation may include sending an instruction to log out of the system to the main processor of the office equipment 10 and/or sending a shutdown instruction to the main processor of the office equipment 10 . The second security control operation may include: sending a screen lock instruction to the main processor of the office equipment 10 and/or sending an alarm instruction to an alarm of the office equipment 10, and the like. Through this optional embodiment, a hierarchical security control policy can be implemented. For example, in a specific application, the predetermined threshold can be set to 5 minutes, the first preset time can be set to 10 minutes, and the office equipment 10 does not scan within 5 minutes to the second authentication factor sent by the user equipment 20, then execute the second security control operation, send a lock screen instruction to the main processor of the office equipment 10 and/or send an alarm instruction to the alarm of the office equipment 10, the host locks the screen and/or Or the alarm alarms, but the office equipment 10 maintains the scrolling of the authentication factors. If the second authentication factor sent by the user equipment 20 is received within 5-10 minutes, the received second authentication factor will be authenticated. After passing, continue to maintain the authentication factor rolling, and regularly scan the second authentication factor sent by the user equipment 20. If the second authentication factor sent by the user equipment 20 has not been received within 10 minutes, execute the first security control operation and report to the office. The main processor of the device 10 sends an instruction to log out of the system and/or sends a shutdown instruction to the main processor of the office device 10. After the main processor of the office device 10 receives the instruction, it performs the corresponding operation, and the office device 10 exits the current process. , authentication factor rolling and periodic scans of authentication factors are no longer performed.
在本发明实施例的一个可选实施方式中,为了保证某些关键操作的安全,办公设备10在与用户设备20完成认证因子协商之后,同时监测是否有预定的关键事件发生,在监测到有关键事件发生的情况下,办公设备10启动摄像装置采集用户的人脸数据,判断采集到的人脸数据与办公设备10中存储的认证人脸数据进行是否匹配,如果是,则继续监测,否则,执行第一安全控制操作。在该可选实施方式中,办公设备10中存储的认证人脸数据可以是用户在注册的时候输入的,也可以是在其它时候输入的,例如,用户需要开通某些特定的功能前,具体本实施例不作限定。通过该可选实施方式,办公设备10可以在执行某些关键操作之前,对当前操作人的人脸进行验证,进一步确保当前使用者的身份,避免用户的账号被盗用。In an optional implementation of this embodiment of the present invention, in order to ensure the security of some key operations, after the office equipment 10 completes the authentication factor negotiation with the user equipment 20, it simultaneously monitors whether a predetermined key event occurs. When a key event occurs, the office equipment 10 starts the camera to collect the user's face data, and determines whether the collected face data matches the authenticated face data stored in the office equipment 10. If so, continue monitoring, otherwise , to perform the first security control operation. In this optional embodiment, the authentication face data stored in the office equipment 10 may be input by the user during registration, or may be input at other times. For example, before the user needs to activate some specific functions, the specific This embodiment is not limited. Through this optional implementation, the office equipment 10 can verify the face of the current operator before performing some key operations, further ensuring the identity of the current user and preventing the user's account from being stolen.
在上述可选实施方式中,预定的关键事件包括但不限于以下至少之一:In the above-mentioned optional embodiment, the predetermined key event includes but is not limited to at least one of the following:
(1)办公设备10与用户设备20协商认证因子完成;即办公设备10在与用户设备20协商完认证因子之后,即采集用户的人脸信息,对采集的人脸信息进行认证。通过该可选实施方式,办公设备10可以在确保用户的身份之后,开始认证因子滚动和认证扫描,可以节约流程。(1) The office equipment 10 and the user equipment 20 negotiate the authentication factor; that is, after the office equipment 10 negotiates the authentication factor with the user equipment 20, the office equipment 10 collects the user's face information and authenticates the collected face information. Through this optional embodiment, the office device 10 can start authentication factor rolling and authentication scanning after ensuring the identity of the user, which can save the process.
(2)办公设备10接收到加密输入指令;在该可选实施方式中,办公系统设置了加密输入功能,即用户通过键盘输入的信息为加密的信息,当用户输入加密输入指令时,启动该功能,在用户启动该功能时,办公设备10采集用户的人脸信息,对采集的人脸信息进行认证。通过该可选实施方式,办公设备10可以在确保用户的身份的情况下,开启加密输入功能。(2) The office equipment 10 receives the encrypted input instruction; in this optional embodiment, the office system is provided with an encrypted input function, that is, the information input by the user through the keyboard is encrypted information, and when the user inputs the encrypted input instruction, the function, when the user activates this function, the office device 10 collects the user's face information, and authenticates the collected face information. Through this optional implementation manner, the office equipment 10 can enable the encrypted input function under the condition of ensuring the identity of the user.
(3)办公设备10接收到密码输入指令。即在该可选实施方式中,办公设备10在需要向办公系统输入密码(例如,PIN码等)时,先采集用户的人脸信息,对采集的人脸信息进行认证。通过该可选实施方式,办公设备10可以在确保用户的身份的情况下,再让用户输入密码,确保密码的安全性。(3) The office equipment 10 receives the password input instruction. That is, in this optional embodiment, when the office device 10 needs to input a password (eg, a PIN code, etc.) into the office system, it first collects the user's face information, and authenticates the collected face information. Through this optional implementation manner, the office equipment 10 can allow the user to input a password under the condition of ensuring the identity of the user, so as to ensure the security of the password.
在本发明实施例中,办公设备10和用户设备20在进行认证因子滚动时,可根据具体使用的不同种类的认证因子,按照不同的方式进行认证因子滚动,下面以办公设备10为例进行描述,对于用户设备20则采用与办公设备10相应的方式进行认证因子滚动。In this embodiment of the present invention, when the office equipment 10 and the user equipment 20 perform authentication factor scrolling, they can perform authentication factor scrolling in different ways according to different types of authentication factors used. The office equipment 10 is used as an example for description below. , and for the user equipment 20 , the authentication factor scrolling is performed in a manner corresponding to the office equipment 10 .
在本发明实施例的一个可选实施方式中,办公设备10可以按照以下方式之一进行认证因子滚动:In an optional implementation manner of this embodiment of the present invention, the office device 10 may perform authentication factor rolling in one of the following manners:
(1)按照预设策略从认证因子池中选择办公设备10当前的第一认证因子的下一个认证因子,其中,所述认证因子池中包括包含所述初始认证因子在内的多个认证因子;即在该实施方式中,在办公设备10和用户设备20中各设置了一个相同的认证因子池,预设策略中约定了认证因子滚动的方式,例如,按照认证因子在认证因子池中的排序,循环顺序滚动,或者间隔一个认证因子循环滚动等方式,办公设备10和用户设备20根据该预设策略,可以获得当前的认证因子的下一个认证因子。(1) Select the next authentication factor of the current first authentication factor of the office equipment 10 from the authentication factor pool according to a preset policy, wherein the authentication factor pool includes a plurality of authentication factors including the initial authentication factor ; That is, in this embodiment, an identical authentication factor pool is set in the office equipment 10 and the user equipment 20, and the authentication factor rolling method is stipulated in the preset policy, for example, according to the authentication factor in the authentication factor pool. Sorting, cyclically scrolling, or cyclically scrolling at intervals of one authentication factor, the office equipment 10 and the user equipment 20 can obtain the next authentication factor of the current authentication factor according to the preset policy.
例如,假设认证因子池中存储的认证因子如表1所示,认证因子滚动的预设策略是间隔一个认证因子循环滚动。若当前的认证因子为M2,则当前的认证因子的下一个认证因子为M4。若当前的认证因子为M8,则当前的认证因子的下一个认证因子为M1。For example, assuming that the authentication factors stored in the authentication factor pool are as shown in Table 1, the preset strategy of the authentication factor rolling is to cyclically roll each authentication factor. If the current authentication factor is M2, the next authentication factor of the current authentication factor is M4. If the current authentication factor is M8, the next authentication factor of the current authentication factor is M1.
表1.认证因子池Table 1. Authentication Factor Pools
在该实施方式中,认证因子池中的各个认证因子可以是办公设备10与用户设备20在进行认证因子协商时协商出来,即以表1为例,办公设备10与用户设备20在进行认证因子协商时,协商出来9个认证因子,其中M1为初始认证因子。或者,办公设备10与用户设备20也可以在进行认证因子协商时,只协商出初始认证因子,然后办公设备10和用户设备20按照相同的算法,计算出认证因子池中的其它认证因子,具体采用哪种方式可以根据实际应用确定,具体本实施例中不作限定。In this embodiment, each authentication factor in the authentication factor pool may be negotiated between the office equipment 10 and the user equipment 20 during the authentication factor negotiation. During negotiation, 9 authentication factors are negotiated, among which M1 is the initial authentication factor. Alternatively, the office device 10 and the user device 20 may negotiate only the initial authentication factor when negotiating the authentication factor, and then the office device 10 and the user device 20 calculate other authentication factors in the authentication factor pool according to the same algorithm. Which mode to adopt may be determined according to practical applications, which is not specifically limited in this embodiment.
(2)办公设备10按照与用户设备20协商的认证因子算法,对办公设备10当前的第一认证因子或生成办公设备10当前的第一认证因子的预设参数进行计算,得到办公设备10当前的第一认证因子的下一个认证因子;即在该实施方式中,办公设备10和用户设备20每到一个认证因子滚动周期,对当前使用的认证因子进行更新,得到新的认证因子,将新的认证因子作为当前的认证因子。在具体应用中,办公设备10可以对当前的第一认证因子进行计算得到当前第一认证因子的下一个认证因子,例如,对当前的第一认证因子进行MAC运算,或者对当前的第一认证因子+当前时间进行MAC运算等。或者,办公设备10也可以对生成办公设备10当前的第一认证因子的预设参数进行计算,例如,假设,办公设备10当前的第一认证因子Mi=f(xi),xi为预设参数,在认证因子滚动周期到达时,对预设参数进行更新,可以设置xi=g(xi),然后使用更新后的xi计算新的认证因子,从而得到当前的第一认证因子的下一个认证因子。(2) The office equipment 10 calculates the current first authentication factor of the office equipment 10 or the preset parameter for generating the current first authentication factor of the office equipment 10 according to the authentication factor algorithm negotiated with the user equipment 20, and obtains the current first authentication factor of the office equipment 10. The next authentication factor of the first authentication factor of the authentication factor as the current authentication factor. In a specific application, the office device 10 may calculate the current first authentication factor to obtain the next authentication factor of the current first authentication factor, for example, perform MAC operation on the current first authentication factor, or perform a MAC operation on the current first authentication factor. Factor + current time for MAC operation, etc. Alternatively, the office equipment 10 may also calculate the preset parameters for generating the current first authentication factor of the office equipment 10. For example, it is assumed that the current first authentication factor Mi=f(xi) of the office equipment 10, and xi is a preset parameter , when the authentication factor rolling period arrives, update the preset parameters, you can set xi=g(xi), and then use the updated xi to calculate the new authentication factor, so as to obtain the next authentication factor of the current first authentication factor .
(3)办公设备10读取认证因子计算器的当前值,将所述认证因子计算器的当前值作为所述办公设备10当前的第一认证因子的下一个认证因子。在该可选实施方式中,认证因子计算器可以是计时器,也可以是计数器等,具体本实施例不作限定。办公设备10与用户设备20可以在进行认证因子协商时,计时器记录相同的起始时间或者计数器记录相同的数值,在认证因子计算器为计数器的情况下,办公设备10与用户设备20的计数器用于记录相同的事件发生的次数,例如,认证因子滚动次数。(3) The office equipment 10 reads the current value of the authentication factor calculator, and uses the current value of the authentication factor calculator as the next authentication factor of the current first authentication factor of the office equipment 10 . In this optional implementation manner, the authentication factor calculator may be a timer, a counter, or the like, which is not specifically limited in this embodiment. When the office equipment 10 and the user equipment 20 negotiate the authentication factor, the timer records the same start time or the counter records the same value. If the authentication factor calculator is a counter, the counter of the office equipment 10 and the user equipment 20 Used to record the number of times the same event occurs, e.g. authentication factor rollovers.
在上述可选实施方式中,计时器可以是办公设备10的本地时钟和用户设备20的本地时钟,在这种情况下,办公设备10与用户设备20在进行认证因子协商时,可以进行时钟同步;或者,计时器也可以专门办公设备10和用户设备20专门为认证因子设置的,用于记录当前认证因子的值,在这种情况下,办公设备10与用户设备20在进行认证因子协商时,可以双方用于记录当前认证因子的计时器的起始时间置为相同值。In the above optional embodiment, the timer may be the local clock of the office equipment 10 and the local clock of the user equipment 20. In this case, the office equipment 10 and the user equipment 20 can perform clock synchronization when negotiating the authentication factor. Alternatively, the timer may also be specially set for the authentication factor by the office equipment 10 and the user equipment 20 to record the value of the current authentication factor. In this case, when the office equipment 10 and the user equipment 20 negotiate the authentication factor , the start time of the timer used by both parties to record the current authentication factor can be set to the same value.
在本发明实施例中,办公设备10在第一预定时间内没有扫描到用户设备20发送的第二认证因子的情况下,则说明用户设备20远离办公设备10的时间已超过第一预定时间,由于用户设备20随身携带在用户身上,因此,可以判定用户已远离办公设备10,因此,在本发明实施例中,办公设备10按照预定的安全策略执行相应的第一安全控制操作,从而可以保证在用户远离办公设备10超过一定时间之后,执行第一安全策略,从而可以避免办公系统被其他人非法使用的问题。在本发明实施例的一个可选实施方式中,为了方便用户下一次使用,在办公设备10按照预定的安全策略执行相应的第一安全控制操作之后,办公设备10可以删除本地保存的所有认证因子,从而方便办公设备10后续被使用。In this embodiment of the present invention, if the office equipment 10 does not scan the second authentication factor sent by the user equipment 20 within the first predetermined time, it means that the user equipment 20 has been away from the office equipment 10 for longer than the first predetermined time. Since the user equipment 20 is carried on the user, it can be determined that the user has been away from the office equipment 10. Therefore, in this embodiment of the present invention, the office equipment 10 executes the corresponding first security control operation according to a predetermined security policy, thereby ensuring that After the user is away from the office equipment 10 for a certain period of time, the first security policy is executed, so that the problem of illegal use of the office system by others can be avoided. In an optional implementation of this embodiment of the present invention, in order to facilitate the next use by the user, after the office device 10 performs the corresponding first security control operation according to the predetermined security policy, the office device 10 may delete all the locally stored authentication factors , thereby facilitating the subsequent use of the office equipment 10 .
在本发明实施例中,用户设备20可以在接收到办公设备10发送的扫描指令的情况下,广播用户设备20当前的第二认证因子。或者,在本发明实施例的一个可选实施方式中,为了节约用户设备20的电能,用户设备20可以在与办公设备10进行认证因子协商之后,进入休眠状态,然后每隔预定唤醒周期唤醒一次,在唤醒期间,广播用户设备20当前的第二认证因子,在该可选实施方式中,唤醒周期小于办公设备10的认证扫描周期,一个认证扫描周期可以包含多个唤醒周期,具体设置可以根据实际使用设置。通过该可选实施方式,可以节省用户设备20的电能,提高用户设备20的电池的使用时间。In this embodiment of the present invention, the user equipment 20 may broadcast the current second authentication factor of the user equipment 20 in the case of receiving the scan instruction sent by the office equipment 10 . Or, in an optional implementation of the embodiment of the present invention, in order to save the power of the user equipment 20, the user equipment 20 may enter a sleep state after negotiating the authentication factor with the office equipment 10, and then wake up once every predetermined wake-up period , during the wake-up period, the current second authentication factor of the user equipment 20 is broadcast. In this optional embodiment, the wake-up period is less than the authentication scan period of the office equipment 10, and one authentication scan period may include multiple wake-up periods. The specific settings can be set according to Actual usage settings. Through this optional implementation manner, the power of the user equipment 20 can be saved, and the usage time of the battery of the user equipment 20 can be improved.
在本发明实施例的一个可选实施方式中,用户设备20也可以判断用户是否远离办公设备10,在该可选实施方式中,在办公设备10与用户设备20进行认证因子协商之后,用户设备20可以判断在预定时间段内是否接收到办公设备10发送的扫描认证指令,如果是,则用户设备20发送用户设备20当前的第二认证因子,否则,用户设备20删除本地保存的所有第二认证因子。在该可选实施方式中,预定时间段的时长可以与上述办公设备10判断的第一预设时间的时长相同,这样,用户设备20侧可以与办公设备10侧的保持一致,当然,预定时间段的时长也不一定必须与第一预设时间的时长一致,只要两者相差不大即可。In an optional implementation of the embodiment of the present invention, the user equipment 20 may also determine whether the user is far away from the office equipment 10. In this optional implementation, after the office equipment 10 and the user equipment 20 negotiate the authentication factor, the user equipment 20 can determine whether the scan authentication instruction sent by the office equipment 10 is received within a predetermined period of time, and if so, the user equipment 20 sends the current second authentication factor of the user equipment 20, otherwise, the user equipment 20 deletes all the second authentication factors stored locally. Authentication factor. In this optional embodiment, the duration of the predetermined time period may be the same as the duration of the first preset time determined by the office equipment 10, so that the user equipment 20 side can be consistent with the office equipment 10 side. Of course, the predetermined time The duration of the segment does not necessarily have to be the same as the duration of the first preset time, as long as the difference between the two is not large.
在实际应用中,用户可能在使用办公系统的过程,暂时离开,离开的时长可能小于第一预定时间,为了保证这段时间内,办公系统的安全,还可以设置一个预定门限,该预定门限的时长小于第一预定时间的时长,例如,第一预定时间的时长为5分钟,预定门限的时长为1分钟,在用户离开超过预定门限的情况下,为了保证办公系统的安全,用户设备10可以执行第二安全控制操作,例如,锁屏等。因此,在本发明实施例的一个可选实施方式中,办公设备10在没有扫描到用户设备20发送的第二认证因子的情况下,在判断距离上一次扫描到用户设备20发送的第二认证因子的时间间隔是否超过第一预定时间前,办公设备10先判断当前距离上一次扫描到用户设备20发送的第二认证因子的时间间隔是否超过预定门限内,如果否,则继续监测是否到达下一个认证扫描周期,否则,按照预定的安全策略执行相应的第二安全控制操作,然后再判断距离上一次扫描到用户设备20发送的第二认证因子的时间间隔是否超过第一预定时间,并根据判断结果执行相应的操作。在本实施例中,第二安全控制操作与第一安全控制操作不同,由此,可以根据用户离开的时间不同,设置不同的安全控制策略,执行多级的安全控制,以在保证安全的同时,为用户提供便利性。In practical applications, the user may temporarily leave during the process of using the office system, and the time of leaving may be less than the first predetermined time. In order to ensure the security of the office system during this period, a predetermined threshold can also be set. The predetermined threshold The duration is less than the duration of the first predetermined time, for example, the duration of the first predetermined time is 5 minutes, and the duration of the predetermined threshold is 1 minute. Perform a second security control operation, eg, lock the screen, etc. Therefore, in an optional implementation manner of this embodiment of the present invention, in the case where the office equipment 10 does not scan the second authentication factor sent by the user equipment 20, the office equipment 10 determines the distance from the last scan to the second authentication factor sent by the user equipment 20. Whether the time interval of the factor exceeds the first predetermined time, the office equipment 10 first determines whether the current time interval from the last scan to the second authentication factor sent by the user equipment 20 exceeds the predetermined threshold, and if not, continues to monitor whether the next authentication factor is reached. One authentication scan cycle, otherwise, perform the corresponding second security control operation according to the predetermined security policy, and then judge whether the time interval from the last scan to the second authentication factor sent by the user equipment 20 exceeds the first predetermined time, and according to According to the judgment result, the corresponding operation is performed. In this embodiment, the second security control operation is different from the first security control operation. Therefore, different security control policies can be set according to the different time when the user leaves, and multi-level security control can be performed, so as to ensure security at the same time. , providing convenience for users.
实施例2Example 2
本发明实施例提供了一种安全控制方法,该方法可以通过实施例1所述的安全控制系统实现。An embodiment of the present invention provides a security control method, and the method can be implemented by the security control system described in Embodiment 1.
图2是本发明实施例提供的一种安全控制方法的流程图,如图2所示,该方法主要包括以下步骤:FIG. 2 is a flowchart of a security control method provided by an embodiment of the present invention. As shown in FIG. 2 , the method mainly includes the following steps:
步骤201,办公设备与用户设备建立近距离无线通信连接。Step 201, the office equipment establishes a short-range wireless communication connection with the user equipment.
在具体应用中,办公设备与用户设备之间可以通过蓝牙、WIFI等建立无线通信,具体本实施例中不作限定。In a specific application, wireless communication may be established between the office equipment and the user equipment through Bluetooth, WIFI, etc., which is not specifically limited in this embodiment.
在具体应用中,在办公设备与用户设备之间建立无线通信连接之前,用户设备之间可以通过刷卡、扫码等方式进行身份认证。例如,办公设备上设置读卡模块,在用户需要登录办公系统时,用户设备(可以为智能卡)放置在办公设备的读卡模块处刷卡,办公设备读取用户设备中存储的身份认证信息,身份认证信息可以是用户名及密码等,然后办公设备对读取的身份认证信息进行身份认证,身份认证通过之后,完成安全登录。In a specific application, before a wireless communication connection is established between the office equipment and the user equipment, identity authentication can be performed between the user equipment by swiping a card, scanning a code, or the like. For example, a card reader module is set on the office equipment. When the user needs to log in to the office system, the user equipment (which can be a smart card) is placed at the card reader module of the office equipment to swipe the card, and the office equipment reads the identity authentication information stored in the user equipment. The authentication information can be a user name and password, etc., and then the office equipment performs identity authentication on the read identity authentication information. After the identity authentication is passed, the secure login is completed.
在办公设备与用户设备之间建立无线通信连接时,办公设备与用户设备之间可以交换双方的设备信息,通过交换的设备信息建立无线通信连接,例如,如果办公设备与用户设备之间建立蓝牙连接,则办公设备与用户设备之间可以交换蓝牙连接信息,进行蓝牙配对,从而完成蓝牙连接,其中,用户设备的设备信息可以存储在用户设备中,办公设备通过其读卡模块从用户设备中读取,进而与用户设备建立无线通信连接,或者,用户也可以将用户设备和办公设备的无线通信功能均打开,用户设备广播其设备信息,办公设备扫描到该设备信息之后,与用户设备建立无线连接,具体方式本实施例中不作限定。When a wireless communication connection is established between the office equipment and the user equipment, the office equipment and the user equipment can exchange the equipment information of both parties, and establish a wireless communication connection through the exchanged equipment information. For example, if a Bluetooth connection is established between the office equipment and the user equipment connection, then the Bluetooth connection information can be exchanged between the office equipment and the user equipment, and Bluetooth pairing can be performed to complete the Bluetooth connection. Read, and then establish a wireless communication connection with the user equipment, or, the user can also turn on the wireless communication functions of the user equipment and the office equipment, the user equipment broadcasts its equipment information, and the office equipment scans the equipment information and establishes a connection with the user equipment. The specific manner of wireless connection is not limited in this embodiment.
步骤202,办公设备与用户设备进行认证因子协商,至少得到初始认证因子,将初始认证因子作为办公设备当前的第一认证因子。Step 202, the office equipment and the user equipment perform authentication factor negotiation to obtain at least an initial authentication factor, and use the initial authentication factor as the current first authentication factor of the office equipment.
在具体应用中,办公设备与用户设备进行认证因子协商,办公设备与用户设备均至少得到初始认证因子,办公设备和用户设备分别将该初始认证因子作为办公设备当前的第一认证因子和用户设备当前的第二认证因子。在具体应用中,可以在办公设备对用户设备的身份认证通过之后,办公设备与用户设备协商认证因子。In a specific application, the office equipment and the user equipment conduct authentication factor negotiation, both the office equipment and the user equipment obtain at least an initial authentication factor, and the office equipment and the user equipment respectively use the initial authentication factor as the current first authentication factor of the office equipment and the user equipment. The current second authentication factor. In a specific application, after the identity authentication of the user equipment by the office equipment is passed, the office equipment may negotiate an authentication factor with the user equipment.
在本发明实施例的一个可选实施方式中,认证因子可以是密钥。例如,办公设备与用户设备在协商认证因子时,办公设备与用户设备可以先建立安全通道,然后办公设备与用户设备协商并生成初始的传输密钥,将传输密钥作为认证因子。In an optional implementation of the embodiment of the present invention, the authentication factor may be a key. For example, when the office equipment and the user equipment negotiate the authentication factor, the office equipment and the user equipment can first establish a secure channel, and then the office equipment and the user equipment negotiate and generate an initial transmission key, using the transmission key as the authentication factor.
在具体应用中,为了保证传输密钥的安全,办公设备与用户设备在建立安全通道时,可以通过办公设备和用户设备的公私钥对进行相互的身份认证,例如,办公设备可以产生随机数,使用办公设备的私钥对随机数进行签名,将签名数据和随机数发送给用户设备,用户设备使用办公设备的公钥,对接收到的签名数据进行验签,验签通过,则确认办公设备的身份,而用户设备可以使用自身的私钥对接收到的随机数进行签名,将签名得到的签名数据发送给办公设备,办公设备使用用户设备的公钥对接收到的签名数据进行验签,验签通过,则确认用户设备的身份。当然,在实际应用中,办公设备和用户设备之间还可以采用其它的方式进行相互的身份认证,具体本实施例中不作限定。In specific applications, in order to ensure the security of the transmission key, when the office equipment and the user equipment establish a secure channel, they can perform mutual identity authentication through the public and private key pairs of the office equipment and the user equipment. For example, the office equipment can generate random numbers, Use the private key of the office equipment to sign the random number, and send the signature data and random number to the user equipment. The user equipment uses the public key of the office equipment to verify the received signature data. If the signature is passed, the office equipment is confirmed. The user equipment can use its own private key to sign the received random number, and send the signature data obtained by the signature to the office equipment. The office equipment uses the public key of the user equipment to verify the received signature data. If the verification is passed, the identity of the user equipment is confirmed. Of course, in practical applications, other ways may also be used for mutual identity authentication between the office equipment and the user equipment, which is not specifically limited in this embodiment.
在本发明实施例的另一个可选实施方式中,认证因子也可以是办公设备和用户设备的本地时钟的时间值。在该可选实施方式中,办公设备与用户设备在协商认证因子时,进行时间同步,在时间同步后,办公设备与用户设备各自将本地时钟的当前值作为初始认证因子。In another optional implementation of the embodiment of the present invention, the authentication factor may also be the time value of the local clocks of the office equipment and the user equipment. In this optional embodiment, the office equipment and the user equipment perform time synchronization when negotiating the authentication factor, and after the time synchronization, the office equipment and the user equipment each use the current value of the local clock as the initial authentication factor.
或者,在本发明实施例的另一个可选实施方式中,认证因子也可以是办公设备和用户设备的本地计数器的数值。在该可选实施方式中,办公设备与用户设备在协商认证因子时,确定相互间的本地计数器的初始值相同,然后办公设备与用户设备各自将本地计数器的当前值作为初始认证因子。在具体应用中,办公设备和用户设备的本地计数器用于记录相同事件发生的次数,例如,可以记录本地的认证因子的滚动次数,即每当办公设备当前的第一认证因子的值改变一次,办公设备的本地记数器的值就加1,同样,用户设备当前的第二认证因子的值每变化一次,用户设备侧的本地记数器的值也加1,从而可以保证办公设备和用户设备的记数器的值一致。Or, in another optional implementation manner of the embodiment of the present invention, the authentication factor may also be the value of the local counters of the office equipment and the user equipment. In this optional embodiment, when negotiating the authentication factor, the office equipment and the user equipment determine that the initial value of the mutual local counter is the same, and then the office equipment and the user equipment each take the current value of the local counter as the initial authentication factor. In a specific application, the local counters of the office equipment and the user equipment are used to record the number of occurrences of the same event. For example, the rolling times of the local authentication factor can be recorded, that is, whenever the current value of the first authentication factor of the office equipment changes once, The value of the local counter of the office equipment is incremented by 1. Similarly, every time the current value of the second authentication factor of the user equipment changes, the value of the local counter of the user equipment is also incremented by 1, so that the office equipment and the user can be guaranteed. The value of the device's counter is the same.
步骤203,办公设备监测是否到达预定的认证因子滚动周期和认证扫描周期,在监测到达认证因子滚动周期的情况下,执行步骤204,在监测到达认证扫描周期的情况下,执行步骤205。
在具体应用中,办公设备和用户设备可以预先约定认证因子滚动周期,并监测是否到达认证因子滚动周期和认证扫描周期,对于办公设备,在监测到认证因子滚动周期的情况下,执行步骤204,在监测到达认证扫描周期的情况下,执行步骤205。In a specific application, the office equipment and the user equipment can pre-determine the authentication factor rolling period, and monitor whether the authentication factor rolling period and the authentication scanning period are reached. For the office equipment, when the authentication factor rolling period is monitored, step 204 is executed, Step 205 is executed when the monitoring reaches the authentication scan period.
在本发明实施例的一个可选实施方式中,为了保证某些关键操作的安全,办公设备在与用户设备完成认证因子协商之后,同时监测是否有预定的关键事件发生,在监测到有关键事件发生的情况下,办公设备启动摄像装置采集用户的人脸数据,判断采集到的人脸数据与办公设备中存储的认证人脸数据进行是否匹配,如果是,则继续监测,否则,执行第一安全控制操作。在该可选实施方式中,办公设备中存储的认证人脸数据可以是用户在注册的时候输入的,也可以是在其它时候输入的,例如,用户需要开通某些特定的功能前,具体本实施例不作限定。通过该可选实施方式,办公设备可以在执行某些关键操作之前,对当前操作人的人脸进行验证,进一步确保当前使用者的身份,避免用户的账号被盗用。In an optional implementation of the embodiment of the present invention, in order to ensure the security of some key operations, after the office equipment completes the authentication factor negotiation with the user equipment, it simultaneously monitors whether a predetermined key event occurs. In the case of occurrence, the office equipment starts the camera to collect the user's face data, and determines whether the collected face data matches the authenticated face data stored in the office equipment. If so, continue monitoring, otherwise, execute the first step. Safe control operation. In this optional implementation manner, the authentication face data stored in the office equipment may be input by the user during registration, or may be input at other times. For example, before the user needs to activate some specific functions, the specific The embodiment is not limited. Through this optional implementation, the office equipment can verify the face of the current operator before performing some key operations, further ensuring the identity of the current user and preventing the user's account from being stolen.
在上述可选实施方式中,预定的关键事件包括但不限于以下至少之一:In the above-mentioned optional embodiment, the predetermined key event includes but is not limited to at least one of the following:
(1)办公设备与用户设备协商认证因子完成;即办公设备在与用户设备协商完认证因子之后,即采集用户的人脸信息,对采集的人脸信息进行认证。通过该可选实施方式,办公设备可以在确保用户的身份之后,开始认证因子滚动和认证扫描,可以节约流程。(1) The authentication factor negotiation between the office equipment and the user equipment is completed; that is, after the office equipment negotiates the authentication factor with the user equipment, it collects the user's face information and authenticates the collected face information. Through this optional implementation, the office equipment can start authentication factor rolling and authentication scanning after ensuring the identity of the user, which can save the process.
(2)办公设备接收到加密输入指令;在该可选实施方式中,办公系统设置了加密输入功能,即用户通过键盘输入的信息为加密的信息,当用户输入加密输入指令时,启动该功能,在用户启动该功能时,办公设备采集用户的人脸信息,对采集的人脸信息进行认证。通过该可选实施方式,办公设备可以在确保用户的身份的情况下,开启加密输入功能。(2) The office equipment receives the encrypted input instruction; in this optional embodiment, the office system is provided with an encrypted input function, that is, the information input by the user through the keyboard is encrypted information, and when the user inputs the encrypted input instruction, the function is activated , when the user activates this function, the office equipment collects the user's face information, and authenticates the collected face information. Through this optional implementation manner, the office equipment can enable the encrypted input function under the condition of ensuring the identity of the user.
(3)办公设备接收到密码输入指令。即在该可选实施方式中,办公设备在需要向办公系统输入密码(例如,PIN码等)时,先采集用户的人脸信息,对采集的人脸信息进行认证。通过该可选实施方式,办公设备可以在确保用户的身份的情况下,再让用户输入密码,确保密码的安全性。(3) The office equipment receives a password input instruction. That is, in this optional embodiment, when the office device needs to input a password (eg, PIN code, etc.) into the office system, it first collects the user's face information, and authenticates the collected face information. Through this optional implementation manner, the office equipment can allow the user to input a password under the condition of ensuring the identity of the user, so as to ensure the security of the password.
步骤204,按照与用户设备约定的认证因子滚动方式,获取办公设备当前的第一认证因子的下一个认证因子,将下一个认证因子作为办公设备当前的第一认证因子,返回步骤203。Step 204: Acquire the next authentication factor of the current first authentication factor of the office equipment according to the authentication factor rolling method agreed with the user equipment, use the next authentication factor as the current first authentication factor of the office equipment, and return to step 203.
同样,用户设备在与办公设备认证因子协商完成后,将协商得到的初始认证因子作为用户设备当前的第二认证因子,并监测是否到达预定的认证因子滚动周期,在监测到达认证因子滚动周期时,按照与办公设备约定的认证因子滚动方式获取用户设备当前的第二认证因子的下一个第二认证因子,将下一个第二认证因子作为用户设备当前的第二认证因子,以确保用户设备侧的第二认证因子与办公设备侧的第一认证因子同步。Similarly, after completing the negotiation with the office equipment authentication factor, the user equipment uses the initial authentication factor obtained through negotiation as the current second authentication factor of the user equipment, and monitors whether the predetermined authentication factor rolling period is reached. , obtain the next second authentication factor of the current second authentication factor of the user equipment according to the authentication factor rolling method agreed with the office equipment, and use the next second authentication factor as the current second authentication factor of the user equipment to ensure that the user equipment side The second authentication factor is synchronized with the first authentication factor on the office equipment side.
在本发明实施例中,办公设备和用户设备在进行认证因子滚动时,可根据具体使用的不同种类的认证因子,按照不同的方式进行认证因子滚动,下面以办公设备为例进行描述,对于用户设备则采用与办公设备相应的方式进行认证因子滚动。In the embodiment of the present invention, when the office equipment and user equipment perform authentication factor scrolling, they can perform authentication factor scrolling in different ways according to different types of authentication factors used. The office equipment is used as an example for description below. The device rolls the authentication factor in the manner corresponding to the office device.
在本发明实施例的一个可选实施方式中,办公设备可以按照以下方式之一进行认证因子滚动:In an optional implementation of the embodiment of the present invention, the office equipment may perform authentication factor rolling in one of the following manners:
(1)按照预设策略从认证因子池中选择办公设备当前的第一认证因子的下一个认证因子,其中,所述认证因子池中包括包含所述初始认证因子在内的多个认证因子;即在该实施方式中,在办公设备和用户设备中各设置了一个相同的认证因子池,预设策略中约定了认证因子滚动的方式,例如,按照认证因子在认证因子池中的排序,循环顺序滚动,或者间隔一个认证因子循环滚动等方式,办公设备和用户设备根据该预设策略,可以获得当前的认证因子的下一个认证因子。(1) Selecting the next authentication factor of the current first authentication factor of the office equipment from the authentication factor pool according to a preset policy, wherein the authentication factor pool includes a plurality of authentication factors including the initial authentication factor; That is, in this embodiment, an identical authentication factor pool is set in the office equipment and the user equipment, and the authentication factor rolling method is stipulated in the preset policy. For example, according to the order of authentication factors in the authentication factor pool, the By means of sequential scrolling, or cyclic scrolling at intervals of one authentication factor, the office equipment and the user equipment can obtain the next authentication factor of the current authentication factor according to the preset policy.
例如,假设认证因子池中存储的认证因子如表1所示,认证因子滚动的预设策略是间隔一个认证因子循环滚动。若当前的认证因子为M2,则当前的认证因子的下一个认证因子为M4。若当前的认证因子为M8,则当前的认证因子的下一个认证因子为M1。For example, assuming that the authentication factors stored in the authentication factor pool are as shown in Table 1, the preset strategy of the authentication factor rolling is to cyclically roll each authentication factor. If the current authentication factor is M2, the next authentication factor of the current authentication factor is M4. If the current authentication factor is M8, the next authentication factor of the current authentication factor is M1.
表1.认证因子池Table 1. Authentication Factor Pools
在该实施方式中,认证因子池中的各个认证因子可以是办公设备与用户设备在进行认证因子协商时协商出来,即以表1为例,办公设备与用户设备在进行认证因子协商时,协商出来9个认证因子,其中M1为初始认证因子。或者,办公设备与用户设备也可以在进行认证因子协商时,只协商出初始认证因子,然后办公设备和用户设备按照相同的算法,计算出认证因子池中的其它认证因子,具体采用哪种方式可以根据实际应用确定,具体本实施例中不作限定。In this embodiment, each authentication factor in the authentication factor pool may be negotiated between the office equipment and the user equipment during authentication factor negotiation. There are 9 authentication factors, among which M1 is the initial authentication factor. Alternatively, the office equipment and the user equipment can also negotiate only the initial authentication factor when negotiating the authentication factor, and then the office equipment and the user equipment can calculate other authentication factors in the authentication factor pool according to the same algorithm. It can be determined according to practical applications, and is not limited in this embodiment.
(2)办公设备按照与用户设备协商的认证因子算法,对办公设备当前的第一认证因子或生成办公设备当前的第一认证因子的预设参数进行计算,得到办公设备当前的第一认证因子的下一个认证因子;即在该实施方式中,办公设备和用户设备每到一个认证因子滚动周期,对当前使用的认证因子进行更新,得到新的认证因子,将新的认证因子作为当前的认证因子。在具体应用中,办公设备可以对当前的第一认证因子进行计算得到当前第一认证因子的下一个认证因子,例如,对当前的第一认证因子进行MAC运算,或者对当前的第一认证因子+当前时间进行MAC运算等。或者,办公设备也可以对生成办公设备当前的第一认证因子的预设参数进行计算,例如,假设,办公设备当前的第一认证因子Mi=f(xi),xi为预设参数,在认证因子滚动周期到达时,对预设参数进行更新,可以设置xi=g(xi),然后使用更新后的xi计算新的认证因子,从而得到当前的第一认证因子的下一个认证因子。(2) The office equipment calculates the current first authentication factor of the office equipment or the preset parameters for generating the current first authentication factor of the office equipment according to the authentication factor algorithm negotiated with the user equipment, and obtains the current first authentication factor of the office equipment The next authentication factor; that is, in this embodiment, the office equipment and user equipment update the currently used authentication factor every time an authentication factor rolling cycle arrives, obtain a new authentication factor, and use the new authentication factor as the current authentication factor. factor. In a specific application, the office equipment may calculate the current first authentication factor to obtain the next authentication factor of the current first authentication factor, for example, perform MAC operation on the current first authentication factor, or perform a MAC operation on the current first authentication factor + Current time for MAC operation, etc. Alternatively, the office equipment may also calculate the preset parameters for generating the current first authentication factor of the office equipment. For example, it is assumed that the current first authentication factor of the office equipment Mi=f(xi), and xi is a preset parameter. When the factor rolling period arrives, the preset parameters are updated, and xi=g(xi) can be set, and then the updated xi is used to calculate a new authentication factor, so as to obtain the next authentication factor of the current first authentication factor.
(3)办公设备读取认证因子计算器的当前值,将所述认证因子计算器的当前值作为所述办公设备当前的第一认证因子的下一个认证因子。在该可选实施方式中,认证因子计算器可以是计时器,也可以是计数器等,具体本实施例不作限定。办公设备与用户设备可以在进行认证因子协商时,计时器记录相同的起始时间或者计数器记录相同的数值,在认证因子计算器为计数器的情况下,办公设备与用户设备的计数器用于记录相同的事件发生的次数,例如,认证因子滚动次数。(3) The office equipment reads the current value of the authentication factor calculator, and uses the current value of the authentication factor calculator as the next authentication factor of the current first authentication factor of the office equipment. In this optional implementation manner, the authentication factor calculator may be a timer, a counter, or the like, which is not specifically limited in this embodiment. When the office equipment and user equipment negotiate the authentication factor, the timer records the same start time or the counter records the same value. If the authentication factor calculator is a counter, the counter of the office equipment and user equipment is used to record the same value. The number of times the event occurred, for example, the number of authentication factor rollovers.
在上述可选实施方式中,计时器可以是办公设备的本地时钟和用户设备的本地时钟,在这种情况下,办公设备与用户设备在进行认证因子协商时,可以进行时钟同步;或者,计时器也可以专门办公设备和用户设备专门为认证因子设置的,用于记录当前认证因子的值,在这种情况下,办公设备与用户设备在进行认证因子协商时,可以双方用于记录当前认证因子的计时器的起始时间置为相同值。In the above optional implementation manner, the timer may be the local clock of the office equipment and the local clock of the user equipment. In this case, the office equipment and the user equipment may perform clock synchronization when negotiating the authentication factor; or, timing The device can also be specially set for the authentication factor of the office equipment and the user equipment to record the value of the current authentication factor. In this case, when the office equipment and the user equipment negotiate the authentication factor, both parties can use it to record the current authentication factor. The start time of the factor's timer is set to the same value.
步骤205,办公设备向用户设备发送扫描指令,扫描所述用户设备发送的第二认证因子,在扫描到所述用户设备发送的第二认证因子的情况下,执行步骤206,在没有扫描到所述用户设备发送的第二认证因子的情况下,执行步骤207。In step 205, the office equipment sends a scan instruction to the user equipment to scan the second authentication factor sent by the user equipment. In the case of scanning the second authentication factor sent by the user equipment, step 206 is executed. In the case of the second authentication factor sent by the user equipment,
在本发明实施例中,用户设备可以在接收办公设备发送的扫描认证指令时,发送用户设备当前的第二认证因子。或者,在本发明实施例的一个可选实施方式中,为了节约用户设备的电能,用户设备可以在与办公设备进行认证因子协商之后,进入休眠状态,然后每隔预定唤醒周期唤醒一次,在唤醒期间,广播用户设备当前的第二认证因子,在该可选实施方式中,唤醒周期小于办公设备的认证扫描周期,一个认证扫描周期可以包含多个唤醒周期,具体设置可以根据实际使用设置。通过该可选实施方式,可以节省用户设备的电能,提高用户设备的电池的使用时间。In this embodiment of the present invention, the user equipment may send the current second authentication factor of the user equipment when receiving the scan authentication instruction sent by the office equipment. Or, in an optional implementation of this embodiment of the present invention, in order to save the power of the user equipment, the user equipment may enter a sleep state after negotiating an authentication factor with the office equipment, and then wake up every predetermined wake-up period. During this period, the current second authentication factor of the user equipment is broadcast. In this optional embodiment, the wake-up period is shorter than the authentication scan period of the office equipment. One authentication scan period may include multiple wake-up periods, and the specific settings can be set according to actual use. Through this optional implementation manner, the power of the user equipment can be saved, and the usage time of the battery of the user equipment can be improved.
步骤206,办公设备判断扫描到的第二认证因子与办公设备当前的第一认证因子是否一致,在一致的情况下,返回步骤203,否则,执行步骤209。Step 206 , the office device determines whether the scanned second authentication factor is consistent with the current first authentication factor of the office device.
办公设备判断扫描到的第二认证因子与办公设备当前的第一认证因子一致的情况下,说明当前使用的办公设备的用户与办公设备当前绑定的一致,且用户没有离开办公设备,因此,办公设备返回步骤203,继续监测认证因子滚动周期和认证扫描周期是否到达,如果不一致,则说明当前使用的办公设备的用户与办公设备当前绑定的不一致,因此,办公设备执行步骤209,执行第一安全控制操作。If the office equipment determines that the scanned second authentication factor is consistent with the current first authentication factor of the office equipment, it means that the user of the currently used office equipment is bound to the current office equipment, and the user has not left the office equipment. Therefore, The office equipment returns to step 203, and continues to monitor whether the authentication factor rolling period and the authentication scanning period are reached. If they are inconsistent, it means that the user of the currently used office equipment is inconsistent with the current binding of the office equipment. Therefore, the office equipment executes
步骤207,办公设备判断当前距离上一次扫描到所述用户设备发送的第二认证因子的时间间隔是否超过第一预定时间,如果是,则执行步骤209,否则,执行步骤208。
步骤208,办公设备等待第二预定时间后,向用户设备发送扫描指令,扫描用户设备发送的第二认证因子,在扫描到用户设备发送的第二认证因子的情况下,执行步骤206,在没有扫描到所述用户设备发送的第二认证因子的情况下,执行步骤207,其中,第二预定时间小于第一预定时间。Step 208: After waiting for the second predetermined time, the office equipment sends a scan instruction to the user equipment to scan the second authentication factor sent by the user equipment. If the second authentication factor sent by the user equipment is scanned, step 206 is executed. When the second authentication factor sent by the user equipment is scanned,
即在本发明实施例中,办公设备在某个认证扫描周期到达时,如果没有扫描到用户设备发送的第二认证因子,则办公设备可以缩短扫描周期,扫描用户设备发送的第二认证因子,以及时对用户设备的第二认证因子进行认证。That is, in this embodiment of the present invention, if the office equipment does not scan the second authentication factor sent by the user equipment when a certain authentication scanning period arrives, the office equipment can shorten the scanning period and scan the second authentication factor sent by the user equipment, The second authentication factor of the user equipment is authenticated in time.
步骤209,办公设备按照预定的安全策略执行相应的第一安全控制操作。
在本发明实施例的一个可选实施方式中,办公设备在没有扫描到用户设备发送的第二认证因子的情况下,在判断当前距离上一次扫描到用户设备发送的第二认证因子的时间间隔是否超过第一预设时间之前,可以先判断当前距离上一次扫描到用户设备发送的第二认证因子的时间间隔是否超过预定门限,如果是,则先按照预定的安全策略执行相应的第二安全控制操作,然后再执行步骤S207判断当前距离上一次扫描到用户设备发送的第二认证因子的时间间隔是否超过第一预设时间。其中,预定门限所指示的时间值小于第一预设时间所指示的时间值。In an optional implementation of this embodiment of the present invention, in the case that the office equipment does not scan the second authentication factor sent by the user equipment, the office equipment determines the current time interval from the last scan to the second authentication factor sent by the user equipment. Before whether it exceeds the first preset time, you can first determine whether the current time interval from the last scan to the second authentication factor sent by the user equipment exceeds a predetermined threshold, and if so, first execute the corresponding second security according to the predetermined security policy. The control operation is performed, and then step S207 is executed to determine whether the current time interval from the last scan to the second authentication factor sent by the user equipment exceeds the first preset time. Wherein, the time value indicated by the predetermined threshold is smaller than the time value indicated by the first preset time.
在上述可选实施方式中,第一安全控制操作与第二安全控制操作是不同的安全操作,在具体应用中,第一安全控制操作可以是比第二安全控制操作更为严格的安全控制操作,例如,第一安全控制操作可以包括:向办公设备的主处理器发送登出系统的指令和/或向办公设备的主处理器发送关机指令。而第二安全控制操作可以包括:向办公设备的主处理器发送锁屏指令和/或向办公设备的报警器发送报警指令等。通过该可选实施方式,可以执行分级的安全控制策略,以在保证安全的同时,为用户提供便利性,例如,在具体应用中,预定门限可以设置为5分钟,第一预设时间可以设置为分钟,办公设备在5分钟内没有扫描到用户设备发送的第二认证因子,则执行第二安全控制操作,向办公设备的主处理器发送锁屏指令和/或向办公设备的报警器发送报警指令,主机锁屏和/或报警器报警,但办公设备维持认证因子的滚动,如果在5分钟之间,收到用户设备发送的第二认证因子,则对接收到的第二认证因子进行认证,在认证通过之后,继续维持认证因子滚动,并定期扫描用户设备发送的第二认证因子,如果到分钟还未收到用户设备发送的第二认证因子,则执行第一安全控制操作,向办公设备的主处理器发送登出系统的指令和/或向办公设备的主处理器发送关机指令,办公设备的主处理器接收到指令之后,执行相应的操作,办公设备退出当前流程,不再执行认证因子滚动和认证因子的定期扫描。In the foregoing optional implementation manner, the first security control operation and the second security control operation are different security operations, and in a specific application, the first security control operation may be a more stringent security control operation than the second security control operation For example, the first security control operation may include sending an instruction to log out of the system to the main processor of the office equipment and/or sending a shutdown instruction to the main processor of the office equipment. The second security control operation may include: sending a screen lock instruction to the main processor of the office equipment and/or sending an alarm instruction to an alarm of the office equipment, and the like. Through this optional embodiment, a hierarchical security control policy can be implemented to provide convenience for users while ensuring security. For example, in a specific application, the predetermined threshold can be set to 5 minutes, and the first preset time can be set to If the office equipment does not scan the second authentication factor sent by the user equipment within 5 minutes, the second security control operation is performed, and a screen lock instruction is sent to the main processor of the office equipment and/or to the alarm of the office equipment. Alarm instruction, the host computer locks the screen and/or the alarm alarm, but the office equipment maintains the scrolling of the authentication factor. If the second authentication factor sent by the user equipment is received within 5 minutes, the received second authentication factor will be processed. Authentication, after the authentication is passed, continue to maintain the authentication factor rolling, and periodically scan the second authentication factor sent by the user equipment, if the second authentication factor sent by the user equipment has not been received within minutes, execute the first security control operation, and send The main processor of the office equipment sends an instruction to log out of the system and/or sends a shutdown instruction to the main processor of the office equipment. After the main processor of the office equipment receives the instruction, it executes the corresponding operation, and the office equipment exits the current process and does not stop. Perform authentication factor rolling and periodic scans of authentication factors.
在本发明实施例中,办公设备在第一预定时间内没有扫描到用户设备发送的第二认证因子的情况下,则说明用户设备远离办公设备的时间已超过第一预定时间,由于用户设备随身携带在用户身上,因此,可以判定用户已远离办公设备,因此,在本发明实施例中,办公设备按照预定的安全策略执行相应的第一安全控制操作,从而可以保证在用户远离办公设备超过一定时间之后,执行第一安全策略,从而可以避免办公系统被其他人非法使用的问题。在本发明实施例的一个可选实施方式中,为了方便用户下一次使用,在办公设备按照预定的安全策略执行相应的第一安全控制操作之后,办公设备可以删除本地保存的所有认证因子,从而方便办公设备后续被使用。In this embodiment of the present invention, if the office equipment does not scan the second authentication factor sent by the user equipment within the first predetermined time, it means that the user equipment has been away from the office equipment for longer than the first predetermined time. It is carried on the user, therefore, it can be determined that the user is far away from the office equipment. Therefore, in this embodiment of the present invention, the office equipment performs a corresponding first security control operation according to a predetermined security policy, so as to ensure that the user is far away from the office equipment for more than a certain period of time. After the time, the first security policy is executed, so that the problem of illegal use of the office system by others can be avoided. In an optional implementation of this embodiment of the present invention, in order to facilitate the next use by the user, after the office device performs the corresponding first security control operation according to the predetermined security policy, the office device can delete all the locally stored authentication factors, thereby It is convenient for the subsequent use of office equipment.
在本发明实施例的一个可选实施方式中,用户设备20也可以判断用户是否远离办公设备10,在该可选实施方式中,在办公设备10与用户设备20进行认证因子协商之后,该方法还可以包括:用户设备判断在第一预定时间内是否接收到办公设备发送的扫描认证指令,如果是,则用户设备发送用户设备当前的第二认证因子,否则,用户设备删除本地保存的所有第二认证因子。在该可选实施方式中,预定时间段的时长可以与上述办公设备10判断的第一预设时间的时长相同,这样,用户设备侧可以与办公设备侧的保持一致,当然,预定时间段的时长也不一定必须与第一预设时间的时长一致,只要两者相差不大即可。In an optional implementation of the embodiment of the present invention, the user equipment 20 may also determine whether the user is far away from the office equipment 10. In this optional implementation, after the office equipment 10 and the user equipment 20 negotiate the authentication factor, the method It may also include: the user equipment determines whether a scan authentication instruction sent by the office equipment is received within the first predetermined time, and if so, the user equipment sends the current second authentication factor of the user equipment, otherwise, the user equipment deletes all locally saved first authentication factors. Two authentication factors. In this optional embodiment, the duration of the predetermined time period may be the same as the duration of the first preset time determined by the office equipment 10, so that the user equipment side can be consistent with the office equipment side. The duration does not necessarily have to be the same as the duration of the first preset time, as long as the difference between the two is not large.
通过本发明实施例提供的安全控制方法,办公设备与用户设备建立近距离无线通信连接,协商认证因子,按预定的认证因子滚动周期更新认证因子,按预定的认证扫描周期扫描用户设备发送的认证因子,在预定时间间隔内没有扫描到用户设备发送的认证因子的情况下,执行第一安全控制操作,从而可以在用户登录之后,实时监控用户是否离开办公设备,并在用户离开办公设备超过预定时间的情况下,执行安全控制操作,避免了在用户离开期间,其他用户非法使用办公系统,导致信息泄漏或办公系统受到非法攻击等问题。With the security control method provided by the embodiment of the present invention, the office equipment and the user equipment establish a short-range wireless communication connection, negotiate the authentication factor, update the authentication factor according to the predetermined authentication factor rolling period, and scan the authentication sent by the user equipment according to the predetermined authentication scanning period. If the authentication factor sent by the user equipment is not scanned within a predetermined time interval, the first security control operation is performed, so that after the user logs in, whether the user leaves the office equipment can be monitored in real time, and when the user leaves the office equipment for more than a predetermined time In the case of time, security control operations are performed to avoid problems such as information leakage or illegal attacks on the office system caused by other users illegally using the office system while the user is away.
实施例3Example 3
本实施例提供了一种安全控制装置,该装置可以设置在实施例1所述的办公设备中,用于执行实施例2所述的安全控制方法。This embodiment provides a security control device, which can be set in the office equipment described in Embodiment 1, and used to execute the security control method described in Embodiment 2.
图3为本实施例提供的一种安全控制装置的结构示意图,如图3所示,该安全控制装置主要包括:通信建立模块301、认证因子协商模块302、周期监测模块303、认证因子滚动模块304、心跳检测模块305、认证因子验证模块306、回连验证模块307、回连数据监测模块308和安全控制模块309。下面主要对安全控制装置的各个模块的功能进行说明,其它相关事宜可以参见实施例1和实施例2的描述。FIG. 3 is a schematic structural diagram of a security control device provided in this embodiment. As shown in FIG. 3 , the security control device mainly includes: a communication establishment module 301 , an authentication factor negotiation module 302 , a period monitoring module 303 , and an authentication factor rolling module 304 , a heartbeat detection module 305 , an authentication factor verification module 306 , a back-connection verification module 307 , a back-connection data monitoring module 308 and a security control module 309 . The following mainly describes the functions of each module of the safety control device. For other related matters, please refer to the description of Embodiment 1 and Embodiment 2.
在本发明实施例中,通信建立模块301,用于与用户设备建立近距离无线通信连接;认证因子协商模块302,用于与所述用户设备进行相互认证并协商认证因子,至少得到初始认证因子,将所述初始认证因子作为所述办公设备当前的第一认证因子;周期监测模块303,用于监测是否到达预定的认证因子滚动周期或认证扫描周期,在监测到达认证因子滚动周期的情况下,触发认证因子滚动模块304,在监测到达认证扫描周期的情况下,触发心跳检测模块305;所述认证因子滚动模块304,用于按照与所述用户设备约定的认证因子滚动方式,获取所述办公设备当前的第一认证因子的下一个认证因子,将所述下一个认证因子作为所述办公设备当前的第一认证因子,触发所述周期监测模块303;所述心跳检测模块305,用于向所述用户设备发送扫描认证指令,扫描所述用户设备发送的第二认证因子,在扫描到所述用户设备发送的第二认证因子的情况下,触发认证因子验证模块306,在没有扫描到所述用户设备发送的第二认证因子的情况下,触发回连验证模块307;所述认证因子验证模块306,用于判断扫描到的所述第二认证因子与所述办公设备当前的第一认证因子是否一致,在一致的情况下,触发所述周期监测模块303,否则,触发安全控制模块309;所述回连验证模块307,用于判断当前距离上一次扫描到所述用户设备广播的第二认证因子的时间间隔是否超过第一预定时间,如果是,则触发所述安全控制模块309,否则触发回连数据监测模块308;所述回连数据监测模块308,用于在等待第二预定时间后,向所述用户设备发送扫描指令,扫描所述用户设备发送的第二认证因子,在扫描到所述用户设备发送的第二认证因子的情况下,触发所述认证因子验证模块306,在没有扫描到所述用户设备发送的第二认证因子的情况下,触发所述回连验证模块307,其中,第二预定时间小于第一预定时间;所述安全控制模块309,用于按照预定的安全策略执行相应的第一安全控制操作。In the embodiment of the present invention, the communication establishment module 301 is used to establish a short-range wireless communication connection with the user equipment; the authentication factor negotiation module 302 is used to perform mutual authentication with the user equipment and negotiate the authentication factor, and obtain at least the initial authentication factor , the initial authentication factor is used as the current first authentication factor of the office equipment; the period monitoring module 303 is used to monitor whether a predetermined authentication factor rolling period or an authentication scanning period is reached. , triggering the authentication factor rolling module 304, and triggering the heartbeat detection module 305 when the monitoring reaches the authentication scanning period; the authentication factor rolling module 304 is used to obtain the The next authentication factor of the current first authentication factor of the office equipment, the next authentication factor is used as the current first authentication factor of the office equipment, and the period monitoring module 303 is triggered; the heartbeat detection module 305 is used for Send a scan authentication instruction to the user equipment, scan the second authentication factor sent by the user equipment, in the case of scanning the second authentication factor sent by the user equipment, trigger the authentication factor verification module 306, if not scanned In the case of the second authentication factor sent by the user equipment, the connection back verification module 307 is triggered; the authentication factor verification module 306 is used to determine whether the scanned second authentication factor is the same as the current first authentication factor of the office equipment. Whether the authentication factors are consistent, in the case of consistency, trigger the period monitoring module 303, otherwise, trigger the security control module 309; the connection verification module 307 is used to determine the current distance from the last scan to the user equipment broadcast Whether the time interval of the second authentication factor exceeds the first predetermined time, if so, trigger the security control module 309, otherwise trigger the back-connection data monitoring module 308; the back-connection data monitoring module 308 is used to wait for the second After a predetermined time, send a scan instruction to the user equipment, scan the second authentication factor sent by the user equipment, and trigger the authentication factor verification module 306 when the second authentication factor sent by the user equipment is scanned , in the case where the second authentication factor sent by the user equipment is not scanned, the connection back verification module 307 is triggered, wherein the second predetermined time is less than the first predetermined time; the security control module 309 is used for The predetermined security policy executes the corresponding first security control operation.
通过本发明实施例提供的安全控制装置,与用户设备建立近距离无线通信连接,协商认证因子,按预定的认证因子滚动周期更新认证因子,按预定的认证扫描周期扫描用户设备发送的认证因子,在预定时间间隔内没有扫描到用户设备发送的认证因子的情况下,执行安全控制操作,从而可以在用户登录之后,实时监控用户是否离开办公设备,并在用户离开办公设备超过预定时间的情况下,执行安全控制操作,避免了在用户离开期间,其他用户非法使用办公系统,导致信息泄漏或办公系统受到非法攻击等问题。Through the security control device provided by the embodiment of the present invention, a short-range wireless communication connection is established with the user equipment, the authentication factor is negotiated, the authentication factor is updated according to the predetermined authentication factor rolling period, and the authentication factor sent by the user equipment is scanned according to the predetermined authentication scanning period. If the authentication factor sent by the user equipment is not scanned within a predetermined time interval, the security control operation is performed, so that after the user logs in, whether the user leaves the office equipment can be monitored in real time, and when the user leaves the office equipment for more than a predetermined time. , perform security control operations, and avoid problems such as information leakage or illegal attacks on the office system caused by other users illegally using the office system while the user is away.
在本发明实施例的一个可选实施方式中,该装置还可以:人脸验证模块;周期监测模块303还用于是否有预定的关键事件发生,在监测到有关键事件发生的情况下,触发人脸验证模块;人脸验证模块,用于启动摄像装置采集用户的人脸数据,判断采集到的人脸数据与所述办公设备中存储的认证人脸数据进行是否匹配,如果是,则触发所述周期监测模块303,否则,触发所述安全控制模块309。In an optional implementation of the embodiment of the present invention, the device may further: a face verification module; the period monitoring module 303 is also used for whether a predetermined key event occurs, and when a key event is detected, trigger the A face verification module; the face verification module is used to start the camera to collect the user's face data, and to determine whether the collected face data matches the authenticated face data stored in the office equipment, and if so, trigger the The period monitoring module 303, otherwise, the safety control module 309 is triggered.
在本发明实施例的一个可选实施方式中,认证因子滚动模块304可以按照以下方式获取所述办公设备当前的第一认证因子的下一个认证因子:In an optional implementation of the embodiment of the present invention, the authentication factor rolling module 304 may acquire the next authentication factor of the current first authentication factor of the office equipment in the following manner:
按照预设策略从认证因子池中选择所述办公设备当前的第一认证因子的下一个认证因子,其中,所述认证因子池中包括包含所述初始认证因子在内的多个认证因子;或者,Select the next authentication factor of the current first authentication factor of the office equipment from the authentication factor pool according to a preset policy, wherein the authentication factor pool includes a plurality of authentication factors including the initial authentication factor; or ,
按照与所述用户设备协商的认证因子算法,对所述办公设备当前的第一认证因子或生成所述办公设备当前的第一认证因子的预设参数进行计算,得到所述办公设备当前的第一认证因子的下一个认证因子;或者According to the authentication factor algorithm negotiated with the user equipment, the current first authentication factor of the office equipment or the preset parameters for generating the current first authentication factor of the office equipment are calculated to obtain the current first authentication factor of the office equipment. The next authentication factor of an authentication factor; or
读取认证因子计算器的当前值,将所述认证因子计算器的当前值作为所述办公设备当前的第一认证因子的下一个认证因子。The current value of the authentication factor calculator is read, and the current value of the authentication factor calculator is used as the next authentication factor of the current first authentication factor of the office equipment.
在本发明实施例的一个可选实施方式中,该装置还可以包括:密钥清空模块,用于在所述安全控制模块309执行所述第一安全控制操作之后,删除所述办公设备保存的所有认证因子。In an optional implementation manner of the embodiment of the present invention, the apparatus may further include: a key clearing module, configured to delete the stored data of the office equipment after the security control module 309 performs the first security control operation. All authentication factors.
在本发明实施例的一个可选实施方式中,该装置还可以包括:门限检测模块,用于在心跳检测模块305没有扫描到所述用户设备发送的第二认证因子的情况下,在触发回连验证模块307之前,判断当前距离上一次扫描到所述用户设备发送的第二认证因子的时间间隔是否超过预定门限内,如果未超过,则触发周期检测模块303,否则,按照预定的安全策略执行相应的第二安全控制操作,然后触发回连验证模块307。In an optional implementation manner of this embodiment of the present invention, the apparatus may further include: a threshold detection module, configured to, when the heartbeat detection module 305 fails to scan the second authentication factor sent by the user equipment Before connecting to the verification module 307, it is judged whether the current time interval from the last scan to the second authentication factor sent by the user equipment exceeds the predetermined threshold, if not, the cycle detection module 303 is triggered, otherwise, according to the predetermined security policy A corresponding second security control operation is performed, and then the connection-back verification module 307 is triggered.
流程图中或在此以其他方式描述的任何过程或方法描述可以被理解为,表示包括一个或更多个用于实现特定逻辑功能或过程的步骤的可执行指令的代码的模块、片段或部分,并且本发明的优选实施方式的范围包括另外的实现,其中可以不按所示出或讨论的顺序,包括根据所涉及的功能按基本同时的方式或按相反的顺序,来执行功能,这应被本发明的实施例所属技术领域的技术人员所理解。Any description of a process or method in the flowcharts or otherwise described herein may be understood to represent a module, segment or portion of code comprising one or more executable instructions for implementing a specified logical function or step of the process , and the scope of the preferred embodiments of the invention includes alternative implementations in which the functions may be performed out of the order shown or discussed, including performing the functions substantially concurrently or in the reverse order depending upon the functions involved, which should It is understood by those skilled in the art to which the embodiments of the present invention belong.
应当理解,本发明的各部分可以用硬件、软件、固件或它们的组合来实现。在上述实施方式中,多个步骤或方法可以用存储在存储器中且由合适的指令执行系统执行的软件或固件来实现。例如,如果用硬件来实现,和在另一实施方式中一样,可用本领域公知的下列技术中的任一项或他们的组合来实现:具有用于对数据信号实现逻辑功能的逻辑门电路的离散逻辑电路,具有合适的组合逻辑门电路的专用集成电路,可编程门阵列(PGA),现场可编程门阵列(FPGA)等。It should be understood that various parts of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the above-described embodiments, various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, it can be implemented by any one or a combination of the following techniques known in the art: Discrete logic circuits, application specific integrated circuits with suitable combinational logic gates, Programmable Gate Arrays (PGA), Field Programmable Gate Arrays (FPGA), etc.
本技术领域的普通技术人员可以理解实现上述实施例方法携带的全部或部分步骤是可以通过程序来指令相关的硬件完成,所述的程序可以存储于一种计算机可读存储介质中,该程序在执行时,包括方法实施例的步骤之一或其组合。Those skilled in the art can understand that all or part of the steps carried by the methods of the above embodiments can be completed by instructing the relevant hardware through a program, and the program can be stored in a computer-readable storage medium, and the program can be stored in a computer-readable storage medium. When executed, one or a combination of the steps of the method embodiment is included.
此外,在本发明各个实施例中的各功能单元可以集成在一个处理模块中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个模块中。上述集成的模块既可以采用硬件的形式实现,也可以采用软件功能模块的形式实现。所述集成的模块如果以软件功能模块的形式实现并作为独立的产品销售或使用时,也可以存储在一个计算机可读取存储介质中。In addition, each functional unit in each embodiment of the present invention may be integrated into one processing module, or each unit may exist physically alone, or two or more units may be integrated into one module. The above-mentioned integrated modules can be implemented in the form of hardware, and can also be implemented in the form of software function modules. If the integrated modules are implemented in the form of software functional modules and sold or used as independent products, they may also be stored in a computer-readable storage medium.
上述提到的存储介质可以是只读存储器,磁盘或光盘等。The above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, and the like.
在本说明书的描述中,参考术语“一个实施例”、“一些实施例”、“示例”、“具体示例”、或“一些示例”等的描述意指结合该实施例或示例描述的具体特征、结构、材料或者特点包含于本发明的至少一个实施例或示例中。在本说明书中,对上述术语的示意性表述不一定指的是相同的实施例或示例。而且,描述的具体特征、结构、材料或者特点可以在任何的一个或多个实施例或示例中以合适的方式结合。In the description of this specification, description with reference to the terms "one embodiment," "some embodiments," "example," "specific example," or "some examples", etc., mean specific features described in connection with the embodiment or example , structure, material or feature is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
尽管上面已经示出和描述了本发明的实施例,可以理解的是,上述实施例是示例性的,不能理解为对本发明的限制,本领域的普通技术人员在不脱离本发明的原理和宗旨的情况下在本发明的范围内可以对上述实施例进行变化、修改、替换和变型。本发明的范围由所附权利要求及其等同限定。Although the embodiments of the present invention have been shown and described above, it should be understood that the above embodiments are exemplary and should not be construed as limiting the present invention. Variations, modifications, substitutions, and alterations to the above-described embodiments are possible within the scope of the present invention without departing from the scope of the present invention. The scope of the invention is defined by the appended claims and their equivalents.
Claims (16)
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910560952.1ACN112152810B (en) | 2019-06-26 | 2019-06-26 | Safety control method, device and system |
| PCT/CN2020/093218WO2020259203A1 (en) | 2019-06-26 | 2020-05-29 | Security control method, apparatus and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910560952.1ACN112152810B (en) | 2019-06-26 | 2019-06-26 | Safety control method, device and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112152810Atrue CN112152810A (en) | 2020-12-29 |
| CN112152810B CN112152810B (en) | 2022-02-22 |
Family
ID=73869849
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910560952.1AActiveCN112152810B (en) | 2019-06-26 | 2019-06-26 | Safety control method, device and system |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN112152810B (en) |
| WO (1) | WO2020259203A1 (en) |
Citations (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101872392A (en)* | 2009-04-23 | 2010-10-27 | 陶梦曦 | Computer dynamic security certification method |
| CN102047708A (en)* | 2008-05-28 | 2011-05-04 | 微软公司 | Techniques to provision and manage a digital telephone to authenticate with a network |
| WO2011054044A1 (en)* | 2009-11-06 | 2011-05-12 | Emue Holdings Pty Ltd | A method and a system for validating identifiers |
| CN102685330A (en)* | 2012-05-15 | 2012-09-19 | 江苏中科梦兰电子科技有限公司 | Method for logging in operation system by taking cell phone as authentication tool |
| CN103488932A (en)* | 2013-10-16 | 2014-01-01 | 重庆邮电大学 | Desktop security intercommunication system for mobile device and personal computer and implementation method thereof |
| CN104363226A (en)* | 2014-11-12 | 2015-02-18 | 深圳市腾讯计算机系统有限公司 | Method, device and system for logging in operating system |
| EP2925037A1 (en)* | 2014-03-28 | 2015-09-30 | Nxp B.V. | NFC-based authorization of access to data from a third party device |
| CN105681328A (en)* | 2016-02-26 | 2016-06-15 | 安徽华米信息科技有限公司 | Electronic device controlling method and device as well as electronic device |
| CN105744468A (en)* | 2016-02-03 | 2016-07-06 | 重庆邮电大学 | Attendance monitoring method and system based on Bluetooth communication technology |
| CN105893802A (en)* | 2016-03-29 | 2016-08-24 | 四川效率源信息安全技术股份有限公司 | Method for locking/unlocking computer screen based on Bluetooth |
| CN106792436A (en)* | 2016-11-21 | 2017-05-31 | 深圳市金立通信设备有限公司 | A kind of method of switch mode, first terminal and second terminal |
| CN108322507A (en)* | 2017-12-28 | 2018-07-24 | 天地融科技股份有限公司 | A kind of method and system executing safety operation using safety equipment |
| US20190087591A1 (en)* | 2017-09-18 | 2019-03-21 | Beijing Xiaomi Mobile Software Co., Ltd. | Method, device and storage medium for printing information |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7877790B2 (en)* | 2005-10-31 | 2011-01-25 | At&T Intellectual Property I, L.P. | System and method of using personal data |
| CN102136048B (en)* | 2011-03-28 | 2012-12-19 | 东南大学 | Mobile phone Bluetooth-based ambient intelligent computer protection device and method |
| WO2015116166A1 (en)* | 2014-01-31 | 2015-08-06 | Hewlett-Packard Development Company, L.P. | Authentication system and method |
| CN108846270A (en)* | 2018-06-30 | 2018-11-20 | 常州大学 | A kind of computer security login safeguards system |
| CN109583160A (en)* | 2018-11-21 | 2019-04-05 | 安徽云融信息技术有限公司 | Computer opening identity authentication system and its authentication method |
- 2019
- 2019-06-26CNCN201910560952.1Apatent/CN112152810B/enactiveActive
- 2020
- 2020-05-29WOPCT/CN2020/093218patent/WO2020259203A1/ennot_activeCeased
Patent Citations (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102047708A (en)* | 2008-05-28 | 2011-05-04 | 微软公司 | Techniques to provision and manage a digital telephone to authenticate with a network |
| CN101872392A (en)* | 2009-04-23 | 2010-10-27 | 陶梦曦 | Computer dynamic security certification method |
| WO2011054044A1 (en)* | 2009-11-06 | 2011-05-12 | Emue Holdings Pty Ltd | A method and a system for validating identifiers |
| CN102685330A (en)* | 2012-05-15 | 2012-09-19 | 江苏中科梦兰电子科技有限公司 | Method for logging in operation system by taking cell phone as authentication tool |
| CN103488932A (en)* | 2013-10-16 | 2014-01-01 | 重庆邮电大学 | Desktop security intercommunication system for mobile device and personal computer and implementation method thereof |
| EP2925037A1 (en)* | 2014-03-28 | 2015-09-30 | Nxp B.V. | NFC-based authorization of access to data from a third party device |
| CN104363226A (en)* | 2014-11-12 | 2015-02-18 | 深圳市腾讯计算机系统有限公司 | Method, device and system for logging in operating system |
| CN105744468A (en)* | 2016-02-03 | 2016-07-06 | 重庆邮电大学 | Attendance monitoring method and system based on Bluetooth communication technology |
| CN105681328A (en)* | 2016-02-26 | 2016-06-15 | 安徽华米信息科技有限公司 | Electronic device controlling method and device as well as electronic device |
| CN105893802A (en)* | 2016-03-29 | 2016-08-24 | 四川效率源信息安全技术股份有限公司 | Method for locking/unlocking computer screen based on Bluetooth |
| CN106792436A (en)* | 2016-11-21 | 2017-05-31 | 深圳市金立通信设备有限公司 | A kind of method of switch mode, first terminal and second terminal |
| US20190087591A1 (en)* | 2017-09-18 | 2019-03-21 | Beijing Xiaomi Mobile Software Co., Ltd. | Method, device and storage medium for printing information |
| CN108322507A (en)* | 2017-12-28 | 2018-07-24 | 天地融科技股份有限公司 | A kind of method and system executing safety operation using safety equipment |
Non-Patent Citations (2)
| Title |
|---|
| SOHUM MISRA: ""A very simple user access control technique through smart device authentication using Bluetooth communication"", 《INTERNATIONAL CONFERENCE ON ELECTRONICS, COMMUNICATION AND INSTRUMENTATION (ICECI)》* |
| 祁树壮: ""基于蓝牙模块的双因子身份认证机制的设计与实现"", 《中国优秀硕士学位论文全文数据库 信息科技辑》* |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112152810B (en) | 2022-02-22 |
| WO2020259203A1 (en) | 2020-12-30 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP4679205B2 (en) | Authentication system, apparatus, method, program, and communication terminal | |
| CN106780901A (en) | A kind of intelligent door lock system and its application based on mobile phone MAC Address | |
| CN110476399B (en) | Mutual authentication system | |
| CN104380775B (en) | Method and apparatus for network node and isomery or isomorphism wireless network for the operation for controlling the technology specific button configuration session in isomery or isomorphism wireless network | |
| CN101563881A (en) | Establishment of ad-hoc networks between multiple devices | |
| CN103838992A (en) | Fingerprint identifying method and terminal | |
| CN109920100B (en) | Unlocking method and system of intelligent lock | |
| WO2013166844A1 (en) | Method, system and device for unlocking mobile terminal | |
| WO2022001832A1 (en) | 5g authentication method, 5g account opening method and system, and electronic device and computer-readable storage medium | |
| WO2015055807A1 (en) | Method and network node device for controlling the run of technology specific push-button configuration sessions within a heterogeneous or homogeneous wireless network and heterogeneous or homogeneous wireless network | |
| CN112102524A (en) | Unlocking method and unlocking system | |
| CN106664652A (en) | A method and terminal for waking up wireless fidelity network | |
| CN112153642B (en) | Equipment authentication method in office environment, office equipment and system | |
| CN105611036A (en) | Method, system and terminal for unlocking verification | |
| CN112152810B (en) | Safety control method, device and system | |
| CN100484292C (en) | Method, system and base station for locking illegal copied mobile terminal | |
| CN1705263B (en) | Validity verification method of mobile terminal user and mobile terminal thereof | |
| US9876792B2 (en) | Apparatus and method for host abstracted networked authorization | |
| CN207458149U (en) | Optical cross box smart lock control device and its system based on Bluetooth communication | |
| WO2018006318A1 (en) | Method and system for using intelligent entrance guard on basis of mobile terminal | |
| WO2015081738A1 (en) | Method and smart card for processing transaction data | |
| CN112152960B (en) | Office system safety control method, device and system | |
| CN112149082B (en) | Office system safety control method, device and system | |
| CN112149098B (en) | Office system safety control method, device and system | |
| CN104782154A (en) | Method and apparatus for disabling algorithms in device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |