Disclosure of Invention
The invention aims to provide a right management method of hotel off-line access control, a hotel off-line electronic door lock and a hotel off-line access control system, and aims to solve the technical problem that main card rights are accidentally interrupted due to the fact that associated sub-cards are complemented in the background art.
The invention provides a right management method for hotel off-line access control, which comprises the following steps:
Storing at least three identifiers for the same authority group in a memory of the hotel offline electronic door lock serving as the authority verification end, wherein the identifiers comprise a main substitution number for identifying the authority group, a first secondary substitution number for verifying a first type key card version in the authority group and a second secondary substitution number for verifying a second type key card version in the authority group;
when the hotel off-line electronic door lock receives an unlocking request from a key card to be verified, reading a primary substitution number and a secondary substitution number contained in the key card to be verified;
Judging whether the main substitute number of the key card to be verified is matched with the main substitute number stored in the hotel off-line electronic door lock;
when matching, selecting a corresponding secondary substitution number for version verification according to the role type preset by the key card to be verified:
if the key card to be verified is a first type key card, comparing the secondary substitution number with the first type secondary substitution number stored in the hotel off-line electronic door lock, authorizing unlocking when the secondary substitution number of the key card to be verified is greater than or equal to the first type secondary substitution number, and updating only the first type secondary substitution number of the hotel off-line electronic door lock by using the secondary substitution number of the key card to be verified;
if the key card to be verified is a second key card, comparing the second substitution number with the second substitution number stored in the hotel off-line electronic door lock, authorizing unlocking when the second substitution number of the key card to be verified is larger than or equal to the second substitution number, and updating only the second substitution number of the hotel off-line electronic door lock by using the second substitution number of the key card to be verified.
Optionally, the step of selecting the corresponding secondary substitution number for version verification according to the preset character type of the key card to be verified comprises the steps of reading a character code stored in the key card to be verified, and determining whether the key card is a first type key card or a second type key card according to the character code.
Optionally, the primary substitute number, the first class secondary substitute number, and the second class secondary substitute number are each time-based generated timestamps.
Optionally, the first type of secondary replacement number and the second type of secondary replacement number are both increasing sequence numbers.
Optionally, when the hotel offline electronic door lock detects that the main substitution number of the key card to be verified is greater than the main substitution number stored in the hotel offline electronic door lock, the first-class substitution number and the second-class substitution number stored in the hotel offline electronic door lock are reset to a preset initial value before the secondary substitution numbers are compared to perform unlocking authorization.
Optionally, the method further comprises the step of checking out, when a checking out instruction is received, updating the first-class secondary replacement number and the second-class secondary replacement number stored in the hotel off-line electronic door lock to a preset capping value which is larger than the maximum value which the secondary replacement number can reach in normal use.
Optionally, the first type of key card is a home card having unlocking rights to a plurality of door locks within a rights group, and the second type of key card is a parent house card having unlocking rights to only a single door lock.
Optionally, the method further comprises a door lock initialization security verification step, wherein when the main replacement number of the key card to be verified is newer than the main replacement number stored in the electronic door lock, signature data stored in the key card and generated by the card issuing system through a private key are read before the follow-up step is executed, the signature data are verified by using a public key pre-stored in the electronic door lock, and only after the verification is passed, the key card is identified as a legal card and the follow-up replacement number update and version verification are executed.
The second aspect of the invention provides a hotel off-line electronic door lock, which comprises a processor and a memory, wherein the memory stores:
a master surrogate number for identifying a rights group;
a first type secondary substitution number for verifying a first type key card version within the rights group;
a second type secondary replacement number for verifying a second type key card version within the rights group;
the processor is configured to perform the method according to any of the first aspects of the invention.
Optionally, the memory includes a non-volatile storage unit for storing the primary replacement number, the first type of secondary replacement number, and the second type of secondary replacement number.
Optionally, the memory also stores a public card issuing key for verifying the validity of the key card, and the processor is further configured to perform a signature verification step when performing door lock initialization, wherein the signature verification step uses the public card issuing key to verify signature data attached to the key card to be verified, and only after the signature verification is passed, performs subsequent replacement number update and version verification.
The third aspect of the invention provides a hotel off-line access control system, which comprises the hotel off-line electronic door lock in the second aspect of the invention, and a first key card and a second key card which are associated with a permission group of the hotel off-line electronic door lock;
Wherein, the first key card type and the second key card type are stored with:
The main substitution number is the same as the main substitution number stored in the hotel off-line electronic door lock;
secondary substitution number for version verification, and
Character codes for distinguishing card types.
According to the technical content disclosed by the invention, the method has the following beneficial effects:
The invention has obvious beneficial effects by setting mutually independent version control tracks for cards with different roles at the door lock end. The scheme fundamentally realizes an asymmetric revocation mechanism, namely, the action of supplementing a sub card (a family card) can only be used as a waste sub card, and any access authority of a main card (a main house card) to the door lock can not be influenced, so that the continuity and stability of the associated authority are perfectly ensured, and the use experience of residents is greatly improved. Meanwhile, the mechanism can still reliably cancel any lost card, the safety of the system is ensured, the whole process is finished in a pure off-line environment, the door lock is simple in structure, and the running reliability of the system is high.
Other features of the present invention and its advantages will become apparent from the following detailed description of exemplary embodiments of the invention, which proceeds with reference to the accompanying drawings.
Detailed Description
Various exemplary embodiments of the present invention will now be described in detail with reference to the accompanying drawings. It should be noted that the relative arrangement of the components and steps, numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present invention unless it is specifically stated otherwise.
The following description of at least one exemplary embodiment is merely exemplary in nature and is in no way intended to limit the invention, its application, or uses.
Techniques, methods, and apparatus known to one of ordinary skill in the relevant art may not be discussed in detail, but where appropriate, the techniques, methods, and apparatus should be considered part of the specification.
In all examples shown and discussed herein, any specific values should be construed as merely illustrative, and not a limitation. Thus, other examples of exemplary embodiments may have different values.
It should be noted that like reference numerals and letters refer to like items in the following figures, and thus once an item is defined in one figure, no further discussion thereof is necessary in subsequent figures.
The general conception of the invention is to provide an off-line access control system for hotels, which manages key cards with binding relations and different authority levels. The core innovation is the internal data structure and verification logic of the hotel off-line electronic door lock. Instead of recording only a single, global version number, a hotel offline electronic door lock maintains multiple independent version number recording tracks associated with card roles for the same "rights group". Therefore, when the card of one role in the authority group needs to be updated, the effective cards of other roles are not affected.
First embodiment timestamp-based alternative
Referring to fig. 1, in this embodiment, a hotel off-line access control system 10 includes a hotel off-line electronic door lock 100, and a first type of key card 200 and a second type of key card 300 that interact with the door lock. In this embodiment, the first type of key card 200 is a "home card" that has the right to open a plurality of associated doors (e.g., home and relatives). The second type of key card 300 is a "family card" which only has the right to open its door.
The hotel off-line electronic door lock 100 includes a processor 101 and a memory 102 therein. The memory includes a non-volatile memory unit, such as a flash memory (flash memory), for storing the replacement number to ensure that data is not lost after power is turned off. In the memory, three key alternative numbers are stored for one authority group, and in this embodiment, the three key alternative numbers are all time stamps, where:
primary substitute number a-a unique ID for identifying this rights group.
First type secondary replacement number B master-the latest version of the first type key card 200 that is dedicated to recording and verifying the association.
The second type of secondary replacement number B sub is specifically used to record and verify the latest version of the second type of key card 300 corresponding to the present door lock.
The first type of key card 200 and the second type of key card 300 each have key information stored therein, including:
A master code identical to the master code a in the door lock.
A secondary code representing its own version.
A character code for identifying the card type. In an embodiment, the character code may be a specific bit or byte of data, for example, a first type of key card represented by code "01" and a second type of key card represented by code "02". The processor of the door lock distinguishes and executes different authentication logic by reading the character code.
The workflow of the present invention is described in detail below in terms of a combination of narrative and data evolution through a series of typical scenarios.
Scene one-first-time guest check-in and door lock initialization
This scenario describes how the system efficiently and reliably configures permissions for a brand new association check-in request and completes the progressive, role-based first initialization of the door lock.
The initial state of the door lock is a hotel off-line electronic door lock 100 which is newly installed or has completed the check-out, and the memory record of the door lock is a default initial value (master: 0, B_master:0, B_sub: 0).
The front-end card issuing step, namely, in order to ensure the simplicity and robustness of logic, the card sender follows a key rule, namely, the same initial substitution number is forcedly given to all associated cards issued for the first time by the same authority group.
A current timestamp is generated as the rights group ID of the current check-in, e.g. a_new=10000.
An initial version number is generated, e.g., b_initial=50.
A master room card (first class key card 200 example) is generated that writes information { master: 10000, secondary: 50, character: "01" }.
A family card (second type key card 300 example) is generated in which information { primary: 10000, secondary: 50, character: "02" }.
Door lock initialization process:
Case one: main house card first swipes door lock for relatives and friends
Operation the guest holds the main house card (10000,50, "01") to swipe the door lock 100 for the first time.
The processing flow is that the door lock detects the card main substitution number (10000) > the main substitution number (0) in the lock, and triggers initialization. The door lock updates its own master code with 10000. According to card role "01", the processor updates the first class secondary replacement number B master with only the card secondary replacement number 50. The second type of secondary substitution number B _ sub remains 0.
Data state change-in-lock record changes from (0, 0) to (master: 10000, B_master:50, B_sub: 0).
Subsequently, the guest swipes the lock with the parent house card (10000,50, "02") and verifies that it is passed by 50>0 and updates the second type of secondary replacement number b_sub to 50. The final recording becomes (master: 10000, B_master:50, B_sub: 50).
In the second case, the family card firstly swipes the family door lock
Operation of the guest holding the friendly house card (10000,50, "02") first swipes the friendly house door lock 100.
The door lock triggers initialization as well. According to role "02", the processor updates the second class secondary replacement number b_sub with only the card secondary replacement number 50. The first type of secondary substitution number B master remains 0.
Data state change-in-lock record changes from (0, 0) to (master: 10000, b_master:0, b_sub: 50).
Subsequently, the guest then swipes the lock with the home card (10000,50, "01") and verifies that it is passed by 50>0 and updates the first class secondary replacement number B master to 50. The final recording also becomes (master: 10000, B_master:50, B_sub: 50).
The result is that the progressive logic initialized strictly according to the roles ensures that the system can reach a unique and correct stable working state no matter how the card swiping sequence is, and the robustness of the scheme is embodied.
Scene two, rights verification in everyday use
After initialization is complete, the record in lock stabilizes to (Master: 10000, B_master:50, B_sub: 50).
The main room card opens the main room door, the main room card swipes the main room door lock, the door lock is used as the 'main room card' for verification, the character '01' is identified, the 'first-class secondary substitution number' of the main room card is compared, the number is more than or equal to 50, and the verification is passed.
The main room card opens the door of the relatives and friends, the main room card swipes the door lock of the relatives and friends, the door lock recognizes the role '01', and the next substitution number 50 is compared with the first-class next substitution number (B_master, the value is 50) stored in the lock. 50. And (5) the verification is passed, wherein the verification is more than or equal to 50.
The relatives and friends house card opens the relatives and friends house door, the relatives and friends house card swipes the relatives and friends house door lock, the door lock identifies the role '02', and the next substitution number 50 is compared with the second-class substitution number (B_sub, the value is 50) stored in the lock. 50. And (5) the verification is passed, wherein the verification is more than or equal to 50.
The relatives and friends house card tries to unlock the main house door, and the processor of the main house door lock checks if the card (or its character code "02") is granted the right to unlock the main house door. And the unlocking is refused because the card is not granted when the card is issued.
Scene three, key card loss and repair
This scenario fully demonstrates the "asymmetric revocation" mechanism of the present invention.
The family card (second type key card) is lost to make up:
The current status, parent house door lock 100, is recorded as (master: 10000, B_master:50, B_sub: 50).
And (3) the supplementing operation, namely, the foreground is used for manufacturing a new relatives and friends house card, and the information is { main: 10000, secondary: 90, and the role is '02').
Card swiping and status change when the new card (10000,90, "02") is held to swipe the parent door lock, the door lock recognizes that the role is "02", and finds that the version number 90 is higher than the B_sub (50) recorded in the lock. The door lock authorizes the door to be opened, and only updates the second type of secondary substitution number.
Data change-in-lock records change from (10000,50,50) to (10000,50,90).
As a result, the lost old parent house card (secondary: 50) is disabled. The verification track B master of the main house card (secondary: 50) is unaffected and its right to open the door of the relatives and friends is perfectly preserved.
Main room card (first class key card) loss compensation:
The current status is recorded as (Master: 10000, B_master:50, B_sub: 90).
And (3) supplementing operation, namely manufacturing a new main room card by a foreground, wherein the information is { main: 10000, secondary: 80, and the role is '01'.
Card swiping and status change when the new main house card swipes the parent house door lock, the lock recognizes its role as "01", and finds its version number 80 higher than the B_master (50) recorded in the lock. After the verification is passed, the first class of secondary substitution numbers are updated to 80.
Data change-the relatives and friends door lock record becomes (10000,80,90).
As a result, the lost old main house card (secondary: 50) is disabled. The verification track b_sub of the valid parent house card (secondary: 90) is unaffected and the rights are not disturbed.
Scene four other management operations
If a same-party card is needed to be added for the relatives and friends house, the card sender only needs to copy all information of the current effective relatives and friends house card, namely { main: 10000, secondary: 90, role: 02 } information of the card is written into a new card. The same number as the replacement number can be used with the original card. The new add-on line card can occur during check-in or at any time after check-in.
After the guests are released, special work cards (release cards) with the authority of 'initialization' or 'release' are needed to be held by staff (such as cleaning staff) to execute the release operation on the physical door locks for ensuring the safety. The card will instruct the door lock to update the internal primary surrogate number to a new, current timestamp (e.g., z=20000) whose time node is the time node recorded on the physical door lock instead of the personnel's refund card, and zero the two secondary surrogate number tracks.
Data change-in-lock recording changes from (10000,80,90) to (master: 20000, b_master:0, b_sub: 0).
And as a result, all cards based on the old primary substitute number 10000 are completely invalid, and the door lock is restored to a safe and clean initial state to serve the next new guest.
Second embodiment alternative number scheme based on sequence number
The invention also provides a preferred embodiment for adapting to the electronic door lock hardware with limited storage space and sensitive power consumption. In this embodiment, the secondary replacement number does not use a time stamp, but rather a smaller sequence number (e.g., an integer starting at 1) that occupies memory, and the door lock state management and reinitialization logic after guest room exit is optimized.
The main difference between this embodiment and the first embodiment is that:
the secondary substitution number is characterized in that the first type secondary substitution number B_master and the second type secondary substitution number B_sub are simple sequence numbers.
And the zero clearing logic of the secondary substitution number, namely automatically clearing the two secondary substitution number tracks by the door lock every time a new guest checks in. The triggering condition of zero clearing is that the door lock detects that the main substitution number A_new of the key card to be verified is larger than the old main substitution number A_old stored in the lock. This marks the beginning of a new check-in period.
The workflow is described below in connection with a specific scenario.
Scene one new guest stays in (based on sequence number)
The previous state of the door lock, that the previous guest has been taken out of the house, the record in the lock may be (master: 10000, B_master:999, B_sub: 999) (the cause of this state is see "taken out of the house" scenario below).
And the foreground sends out cards to check in for new guests.
The card issuing system generates a new master surrogate number greater than 10000, e.g., a_new=10001 (the master surrogate number may still be generated based on a time stamp or other incrementing algorithm).
An initial sequence number is assigned to the newly issued main and parent cards, for example starting at 1.
New Main Room card (first class): write information { Primary: 10001, secondary: 1, role: "01" }.
New relatives and friends house card (second type) is written with information { primary: 10001, secondary: 1, role: 02' }.
Card swiping and initializing:
The guest holds a new main house card (10001,1, 01) to be swiped for the first time.
The door lock processor detects the card main substitution number (10001) > the main substitution number (10000) in the lock, and recognizes that the card main substitution number is a brand new check-in request.
The processor performs "change initialization" in which the master surrogate number in the lock is updated to 10001.
Both the first type secondary substitution number b_master and the second type secondary substitution number b_sub are automatically cleared or reset to an initial value (e.g., 0).
Then, normal validation logic is performed, validating pass, authorizing unlocking, and updating B_master with 1, due to card number of times alternate (1) > B_master (0) in lock.
Data state change-in-lock record is changed from (10000,999,999) to (Master: 10001, B_master:1, B_sub: 0). Then the parent Fang Kashua card, the record will eventually become (master: 10001, B_master:1, B_sub: 1).
Scene two, loss and repair of family cards (based on sequence number)
The current state is recorded as (Master: 10001, B_master:1, B_sub: 1) in the lock.
And (3) supplementing operation, namely manufacturing a new relatives and friends house card by the foreground, and increasing the sequence number. The information is { primary: 10001, secondary: 2, role: 02' }.
And (3) card swiping and state changing, namely when a new card (10001,2, 02) is held to swipe a lock, the door lock identifies the role '02', and the door is authorized to be opened due to the fact that the first type of the card replaces the number B_sub (2) > the second type of the card replaces the number B_sub (1) in the lock, and only the second type of the card replaces the number at the lock end is updated.
Data change-in-lock records change from (10001,1,1) to (10001,1,2).
As a result, the second type of replacement number with a lost old parent's house card value of "1" is disabled. The verification track B_master with the primary room card value of 1 and the first type of secondary substitution number is unaffected and the authority is reserved. Because the number of card replenishment and card loss is limited in one check-in period, the sequence number is not accumulated too much.
Scene three-reinitialization of guest's return to room and door lock
This method aims to immediately and reliably invalidate all resident cards without replacing the main substitute number.
The current state assumes that the guest has been replete with cards during accommodation, recorded in lock as (Master: 10001, B_master:5, B_sub: 8).
The operation of returning to the room, that is, the staff (such as cleaning staff) holds the work card lock with special 'returning to the room' authority. The card functions to give the door lock an instruction to override the values of the two secondary alternate number tracks with a preset capping value (e.g., 999) that is much greater than the normal range of use.
Card swiping and state change:
After the card swiping lock, the door lock executes the instruction.
Data change-in-lock record is changed from (10001,5,8) to (Master: 10001, B_master:999, B_sub: 999).
As a result, any previously valid resident card (e.g., master card number 5 and parent card number 8) will be rejected when the lock is swiped again because its version number is much smaller than 999 recorded in the lock. The method skillfully utilizes a version comparison mechanism, places the door lock in a safe intermediate state of 'the room is returned but the guest is not replaced', and effectively prevents the reentry of the guest who is returned. This state will be maintained until the next guest initiates with a new card having a higher host code.
The embodiment not only reduces the requirement on the hardware resources of the door lock by using the sequence number and the optimized annealing/initializing logic, but also forms a safe and efficient closed-loop management flow by two actions of 'automatic clearing after changing guests' and 'annealing writing capping value'.
Further, in another preferred embodiment, the primary surrogate number itself may be a sequence number or a string of values generated by a particular rule, without being associated with a timestamp, so long as it is guaranteed to increment each time it is new.
Further, in some embodiments, to further enhance the security of the system, and in particular to prevent fraudulent occupation by any unauthorized issued card during door lock initialization, the present invention may further include an asymmetric encryption-based "hairpin signature" mechanism. This mechanism, as a preferred enhancement to the above embodiments, exists independently, without affecting the integrity of the foregoing.
The hotel background card issuing system holds a globally unique card issuing private key. And (3) when leaving the factory, the hotel off-line electronic door locks 100 write in the public card issuing key matched with the private card issuing key in advance.
In the initial card issuing step of the first scenario, the card issuer performs an additional step of digitally signing the core information (or the hash value thereof) with the card issuing private key while writing { primary substitution number, secondary substitution number, character code } etc. information into the key card, generating a string of signature data, and writing the signature data into the card together.
In the initialization process of the door lock in the first scene, the door lock processor firstly executes a forced signature verification step after detecting that the card main substitution number is larger than the initial value recorded in the card main substitution number:
it uses the card issuing public key stored in itself to verify whether the "signature data" attached to the card is valid for the core information on the card.
Only if the signature verification is successful, confirming that the card was issued by an official authorized channel, the door lock will continue to perform subsequent initialization operations. If the signature verification fails, the door lock will reject the card directly.
The signature-signature verification mechanism establishes a firm trust root for the whole offline access control system. The attack path of any fake card for maliciously initializing a 'no-master' door lock can be thoroughly eradicated, and only legal resident can be ensured to become a 'first opener' of a room authority, so that the safety of the system is improved.
In summary, the invention establishes a complete, closed-loop and reliable asymmetric authority management and revocation mechanism by innovatively setting the main substitution number for identifying the authority group and the first-class and second-class substitution numbers for recording the versions of key cards with different roles in the hotel offline electronic door lock and combining the role codes stored in the key cards. The detailed explanation of each scene shows how to accurately cancel the appointed lost card on the premise of guaranteeing the continuity of the associated rights, thereby solving the industry problems of safety and convenience.
It should be understood that the foregoing is only a preferred embodiment of the present invention and is not intended to limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the spirit of the invention, such as extending the two roles to more roles, or adjusting the specific coding modes of the alternative numbers, and such equivalent substitutions and modifications are intended to be included in the scope of the present invention.