Whitelist-based access control method, system, authentication module, and updating method

By using a whitelist-based access control method, and by comparing terminal information and offline validity period through the authentication module, the problem of difficulty in synchronizing whitelist data in offline environments is solved. This achieves fast and effective access control and data synchronization, ensuring the legitimacy and security of user modules.

CN115618322BActive Publication Date: 2026-06-09WUXI RONGKA TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
WUXI RONGKA TECH CO LTD
Filing Date
2022-09-30
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

In environments where devices cannot connect to the network or cannot provide real-time network access, existing whitelist and blacklist access control methods suffer from problems such as difficulty in data synchronization, large storage space requirements, and low retrieval efficiency. Especially under offline conditions, newly added user modules cannot access the data immediately, and blacklist data management efficiency is low.

Method used

A whitelist-based access control method is adopted. The terminal information of the user module is obtained through the authentication module, the whitelist version and the offline validity period are compared, and the access of user modules with the same version is allowed. When necessary, the whitelist version is updated and the user module information is improved. The whitelist data is synchronized offline using short-range communication.

Benefits of technology

It enables fast, convenient, and effective access control in offline environments, ensuring the legitimacy and security of user modules, reducing hardware performance requirements, and improving data synchronization efficiency and access control reliability.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN115618322B_ABST
    Figure CN115618322B_ABST
Patent Text Reader

Abstract

The embodiment of the present application discloses a kind of white list-based access control method and white list updating method.The access control method includes: authentication module accesses multiple user modules, obtains terminal information;For any user module, if white list version 1 is greater than white list version 2, then allow the user module to access;Otherwise, compare offline valid information 1 and offline valid information 2;If they are consistent, then allow the user module to access.Implement white list access control scheme of the embodiment of the present application, and authentication module realizes access control to user module based on white list version and offline valid period of terminal information, which provides a kind of quick, convenient and effective access control means.Implement white list updating scheme of the embodiment of the present application, and white list data is updated by user module in the authentication process, without pre-installing white list data, without needing to maintain white list data specially.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of computer technology, specifically to a whitelist-based access control method, system, authentication module, storage medium, and whitelist update method. Background Technology

[0002] In various fields of computer applications, blacklists and whitelists are frequently used to control access from various devices or software programs (user terminals) to a specific device or software program (authentication terminal). For example, blacklist and whitelist strategies are widely used in operating systems, firewalls, access control systems, various application software, and everyday scenarios.

[0003] Currently, access control for target objects mainly uses the following methods:

[0004] (1) Blacklist control method: If the access target is blacklisted, requests initiated by that target will be directly rejected or restricted; if the access target is not blacklisted, requests initiated by that target will be processed. For details on the blacklist access control process, please refer to [link to relevant documentation]. Figure 1 .

[0005] (2) Whitelist control method: If the access target is in the whitelist, requests initiated by that target will be given priority in service; if the access target is not in the whitelist, the access target will be rejected or subject to other restrictions. For details on the whitelist access control process, please refer to [link / reference needed]. Figure 2 .

[0006] (3) Control method combining blacklists and whitelists: This method combines the characteristics of blacklists and whitelists and is applied to more complex software logic or usage scenarios. It allows access to whitelisted objects, denies access to blacklisted objects, and handles access to other objects according to the filtering method of the application scenario. Simultaneously, it updates the blacklist and whitelist data and sets different permissions and levels of access control. For the control flow of combining blacklists and whitelists, please refer to [reference needed]. Figure 3 .

[0007] It should be noted that the module control structure and module authentication system for the above-mentioned blacklist and / or whitelist methods for controlling client access should refer to [reference needed]. Figure 4 and Figure 5 .exist Figure 4 In Chinese, a weak connection means that a real-time network connection is not required; communication with the service is possible only under specific conditions.

[0008] Furthermore, the implementation of the aforementioned methods for controlling user access using blacklists and / or whitelists depends on the updating of the list data. For example, for a blacklist access control policy, it should be ensured that the identifier of a legitimate user terminal is not in the blacklist before the legitimate user terminal accesses the authentication terminal. For a whitelist access control policy, it should be ensured that the identifier of a legitimate user terminal already exists in the whitelist before the legitimate user terminal accesses the authentication terminal.

[0009] Currently, updates to blacklists and whitelists are generally performed via network synchronization. For offline terminals, external interfaces (such as serial ports) are provided on the terminal to connect to devices such as PCs for updates.

[0010] In practical research, the inventors of this application discovered that the above-mentioned access control method and blacklist / whitelist data update method based on blacklists and whitelists have the following defects:

[0011] (1) Whitelist access control mechanism: It can only perform simple terminal filtering. Under offline usage conditions, the data cannot be synchronized in real time for newly added terminal modules, so the newly added user modules do not appear in the whitelist and cannot be accessed immediately.

[0012] (2) Blacklist access control mechanism: A large amount of storage space needs to be reserved to store possible blacklist data; in offline use scenarios, the management (addition and deletion) of blacklist data cannot be processed in a timely manner; when the data volume is large, the efficiency of blacklist retrieval and query is low. If data is used to improve the retrieval and query efficiency, it will place higher demands on hardware performance.

[0013] In summary, in environments where devices cannot connect to the network or cannot provide real-time network access, existing access control policies and corresponding list data updates face certain challenges. Summary of the Invention

[0014] In view of the above-mentioned deficiencies in the prior art, the purpose of this invention is to provide a whitelist-based access control method, system, authentication module, storage medium, and whitelist update method.

[0015] To achieve the above objectives, in a first aspect, embodiments of the present invention provide an access control method based on a whitelist, comprising:

[0016] The authentication module connects to multiple user modules and obtains terminal information for each user module; the terminal information includes whitelist version 1 and offline validity period information 1; the authentication module stores whitelist version 2 and offline validity period information 2.

[0017] For any of the user modules, if the whitelist version 1 is greater than the whitelist version 2, then the authentication module allows the user module to access it.

[0018] If the whitelist version is not greater than whitelist version 2, then the authentication module compares the offline valid information 1 and the offline valid information 2.

[0019] If the two match, the authentication module allows the user module to access the system.

[0020] As one specific implementation of this application, obtaining the terminal information of the user module specifically involves:

[0021] Obtain the authentication ciphertext between the user module and the authentication module;

[0022] The authentication ciphertext is validated, and the access information of the user module is parsed based on the validation result to obtain the terminal information.

[0023] In some preferred embodiments of this application, if whitelist version 1 is greater than whitelist version 2, the method further includes:

[0024] The authentication module updates the whitelist version 2 and improves the information of the current user module in the whitelist of the authentication module.

[0025] In some preferred embodiments of this application, if the offline valid information 1 and offline information 2 are consistent, or after the authentication module updates the whitelist version 2, the method further includes:

[0026] The authentication module determines whether the stored user module terminal information is complete;

[0027] If complete, the authentication module allows the user module to access it;

[0028] If the information is incomplete, the authentication module completes the information of the current user module in the internal whitelist and allows the user module to access it.

[0029] Secondly, embodiments of the present invention provide an authentication module, including:

[0030] The acquisition unit is used to access multiple user modules and acquire terminal information of each user module; the terminal information includes whitelist version 1 and offline validity period information 1; the authentication module stores whitelist version 2 and offline validity period information 2.

[0031] Access control unit, used for:

[0032] For any of the user modules, if the whitelist version 1 is greater than the whitelist version 2, then the authentication module allows the user module to access it.

[0033] If the whitelist version is not greater than whitelist version 2, then the authentication module compares the offline valid information 1 and the offline valid information 2.

[0034] If the two match, the authentication module allows the user module to access the system.

[0035] As one specific implementation of this application, the acquisition unit is specifically used for:

[0036] Obtain the authentication ciphertext between the user module and the authentication module;

[0037] The authentication ciphertext is validated, and the access information of the user module is parsed based on the validation result to obtain the terminal information.

[0038] Furthermore, in some preferred embodiments of this application, the authentication module further includes an update unit, used for:

[0039] If whitelist version 1 is greater than whitelist version 2, update whitelist version 2 and improve the information of the current user module in the whitelist of the authentication module.

[0040] Furthermore, in some preferred embodiments of this application, the authentication module further includes an information improvement unit, used for:

[0041] If the offline valid information 1 and offline information 2 are consistent, or after updating the whitelist version 2, determine whether the terminal information of the saved user module is complete;

[0042] If complete, the access control unit is notified to allow the user module to access;

[0043] If incomplete, the information of the current user module in the internal whitelist is completed, and the access control unit is notified to allow the user module to access.

[0044] Thirdly, embodiments of the present invention provide another authentication module, including a processor, an input device, an output device, and a memory, wherein the processor, input device, output device, and memory are interconnected, wherein the memory is used to store a computer program, the computer program includes program instructions, and the processor is configured to invoke the program instructions to execute the method steps of the first aspect described above.

[0045] Fourthly, embodiments of the present invention also provide a computer-readable storage medium storing a computer program, the computer program including program instructions, which, when executed by a processor, cause the processor to perform the method described in the first aspect.

[0046] The whitelist access control scheme implemented in this invention provides a fast, convenient, and effective access control method by enabling the authentication module to control access to user modules based on the whitelist version and offline validity period of terminal information.

[0047] Fifthly, embodiments of the present invention also provide a whitelist-based access control system, including multiple user modules and an authentication module. The authentication module is as described in the second or third aspect above.

[0048] As a preferred implementation of this application, the user module and the authentication module adopt a short-range communication method.

[0049] Sixthly, embodiments of the present invention also provide a whitelist update method, applicable to the aforementioned access control system, comprising the following steps:

[0050] During the user module authentication process, the authentication module obtains the terminal information of the user module; the terminal information includes whitelist version 1; the authentication module stores whitelist version 2;

[0051] If whitelist version 1 is greater than whitelist version 2, the authentication module updates whitelist version 2.

[0052] Furthermore, in some preferred embodiments of this application, the access control system further includes a platform, and the method further includes:

[0053] If the identity of the user module changes, the platform obtains the latest whitelist data from the user module and the authentication module, and pushes the latest whitelist data to the user module and the authentication module.

[0054] As one specific implementation of this application, if the platform fails to push the latest whitelist data to the authentication module, the method further includes:

[0055] The user module sends the latest whitelist data to the authentication module using a short-range communication method.

[0056] Furthermore, in some preferred embodiments of this application, the terminal information includes expiration date information, and the method further includes:

[0057] The validity period information is updated according to preset conditions;

[0058] The preset conditions include when the user module's identity changes, or when the validity period information is within a set range and the user module has network access.

[0059] The whitelist update scheme implemented in this invention update the whitelist data by the user module during the authentication process, without the need for pre-setting whitelist data or special maintenance of the whitelist data.

[0060] Furthermore, even when both the user module and the authentication module are offline, this whitelist update scheme ensures the smooth execution of the authentication process through short-range communication between the two modules. Moreover, this short-range communication method also guarantees timely updates of the whitelist data within both modules even when they are offline.

[0061] Furthermore, the user module incorporates an offline validity period monitoring mechanism, which can effectively monitor and restrict the use of the user module under offline conditions, thereby ensuring the executability and high efficiency and controllability of its main functions and services. Attached Figure Description

[0062] To more clearly illustrate the specific embodiments of the present invention or the technical solutions in the prior art, the accompanying drawings used in the description of the specific embodiments or the prior art will be briefly introduced below.

[0063] Figure 1 This is a flowchart of blacklist access control in existing technology;

[0064] Figure 2 This is a flowchart of whitelist access control in existing technology;

[0065] Figure 3 It is a control flow diagram combining blacklists and whitelists in existing technology;

[0066] Figure 4 It is a module control structure diagram;

[0067] Figure 5 This is a diagram of the module authentication architecture;

[0068] Figure 6 This is a flowchart of the whitelist-based access control method provided in an embodiment of the present invention;

[0069] Figure 7 This is a diagram of the terminal information structure of the user module;

[0070] Figure 8 This is a structural diagram of an authentication module provided in an embodiment of the present invention;

[0071] Figure 9 This is another structural diagram of the authentication module provided in an embodiment of the present invention;

[0072] Figure 10 This is a flowchart of the whitelist update method provided in the embodiments of the present invention. Detailed Implementation

[0073] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0074] It should be understood that, when used in this specification and the appended claims, the terms "comprising" and "including" indicate the presence of the described features, integrals, steps, operations, elements and / or components, but do not exclude the presence or addition of one or more other features, integrals, steps, operations, elements, components and / or collections thereof.

[0075] To better understand the embodiments of the present invention, the relevant content is explained as follows:

[0076] This invention provides a software data access control strategy based on a whitelist mechanism, which mainly involves:

[0077] I. Related parties of this whitelist mechanism

[0078] 1. The object being operated on: user information, which can be terminal attribute data to be updated, including but not limited to time data, permission data, key data, and certificate data.

[0079] 2. Potential application scenarios

[0080] (1) User information data is stored on the user module terminal device, and corresponding module information can be added and updated on the authentication module terminal device;

[0081] (2) Only one valid authentication module terminal and one valid user module terminal can interact with the business at the same time;

[0082] (3) The only valid authentication module terminal needs to verify / admit / confirm the data matching status from the only valid business terminal.

[0083] 3. Mechanism-related elements

[0084] (1) Assign a unique identifier ID to the user module information for use as a unique whitelist identifier for the data.

[0085] (2) Set an internal validity period for the software data to control its timeliness (it becomes invalid after expiration).

[0086] II. Update Strategy

[0087] 1. Whitelist ID Update Strategy

[0088] (1) When the data is stored for the first time, a unique version ID is set for each module terminal, and the user module has only one valid terminal for interaction.

[0089] (2) When the identity (business identity account, etc.) of the only legitimate and valid user module terminal changes:

[0090] A. It will pull the latest whitelist data from the platform and update it to the user module terminal for storage. At the same time, the platform will try to push the synchronized whitelist data to the authentication module terminal.

[0091] B. When the authentication module terminal has no network, the whitelist push on the platform side will fail, but it can be updated by interacting with the authentication module terminal through short-range communication (including but not limited to NFC, BLE, UWB) of the user module terminal.

[0092] 2. Internal validity period update strategy

[0093] (1) Prerequisites: Set the internal validity period to X days, and automatically renew / update the internal validity period under the following conditions.

[0094] (2) Element rules: The validity period format is YYMMDDHHMMSS (year, month, day, hour, minute, second).

[0095] (3) Update rules

[0096] A. When logging in via the internet on the user module terminal (business identity account, etc.)

[0097] B. When the internal validity period is X-1 days (1 day can be flexibly set), the user module terminal has network access.

[0098] III. Strategies Used:

[0099] In both network-connected and offline scenarios, the validity / legitimacy of user module terminal software data is verified / admissioned / confirmed.

[0100] 1. First, match the whitelist ID: When the whitelist ID of the user module terminal is greater than the whitelist ID of the authentication module terminal, the whitelist ID of the authentication module terminal is updated to the value of the whitelist ID of the user module terminal, and the terminal attribute data and whitelist list in the user module terminal are updated and saved in the authentication module terminal.

[0101] If it is less than or equal to the authentication module terminal whitelist ID, proceed to step 2.

[0102] 2. Rematching internal validity period: When the internal validity period of the user module terminal is less than the validity period of the user module terminal currently identified in the authentication terminal whitelist, the user module terminal cannot conduct subsequent business with the authentication module terminal.

[0103] Please refer to Figure 6 The whitelist-based access control method provided in this embodiment of the invention may include the following steps:

[0104] S101, the authentication module connects to multiple user modules.

[0105] It should be noted that in this embodiment, the authentication module and the user module have a one-to-many relationship, such as... Figure 5 As shown. For example, the user modules connected here include A, B, and C.

[0106] S102, Obtain terminal information for each of the user modules.

[0107] Specifically, the authentication module obtains the authentication ciphertext between the user module and the authentication module, verifies the validity of the authentication ciphertext, and if it is valid, it parses the access information of the user module to obtain the terminal information; if it is invalid, it denies access.

[0108] Among them, such as Figure 7 As shown, the acquired terminal information includes, but is not limited to: module identifier, offline validity period, start validity period, end validity period, other information, whitelist version, module 1 identifier, module 2 identifier, etc.

[0109] It should be noted that the authentication module stores terminal information for multiple user modules, and the structure of its terminal information is similar to that of other modules. Figure 7 As shown. To distinguish them, in this embodiment, the terminal information in the user module includes whitelist version 1 and offline validity period information 1, while the authentication module stores whitelist version 2 and offline validity period information 2.

[0110] from Figure 7 As can be seen, this embodiment sets the start and end times of user module usage and the offline usage time, thereby enabling monitoring and effective management of these parameters. This ensures that the user module remains within a safe, controllable, and legal usage range. If the validity period of a user module exceeds the limit, its use will be restricted.

[0111] S103. Determine whether whitelist version 1 in the user terminal module is greater than whitelist version 2 in the authentication module. If yes, proceed to step S104; otherwise, proceed to step S107.

[0112] S104, Update key data and update the whitelist version 2 of the authentication module.

[0113] S105, Improve the information of the current user module in the whitelist of the authentication module.

[0114] It should be noted that, for example, if user module A is selected for whitelist version comparison in step S103, then the current user module in step S105 refers to A.

[0115] S106, the authentication terminal module allows user terminal modules to access [the system].

[0116] Specifically, for any user terminal module, such as A, it is determined whether the whitelist version of A is greater than the whitelist version of the authentication module. If it is greater, steps S104-S106 are executed. When retrieving the whitelist versions from the user terminal module and the authentication module, they are associated through user identifiers. For example, if user terminal module A has the identifier "A" in both modules, then the authentication terminal module can obtain the user identifier and whitelist version of A from its own module based on the accessed user terminal module information. Similarly, apart from the whitelist version, all other information between the two modules is also associated through user identifiers.

[0117] S107. Determine whether the offline valid information 1 in the user terminal module is consistent with the offline valid information 2 in the authentication module. If yes, proceed to step S108; otherwise, proceed to step S109.

[0118] S108. Determine whether the information of the user module in the authentication terminal module is complete. If yes, proceed to step S106; otherwise, proceed to step S105.

[0119] Please refer to this again. Figure 7 The "Module 1" identifier, "Module 2" identifier, and so on, all refer to user modules. Each user module carries its own complete data, as well as partial data from other modules. Therefore, if the authentication terminal module detects that the user terminal module data it has saved is incomplete, it will complete the data for the current user terminal module.

[0120] S109, Access Denied.

[0121] As can be seen from the above description, the whitelist access control scheme implemented in this embodiment of the invention enables the authentication module to control access to the user module based on the whitelist version and offline validity period of the terminal information, providing a fast, convenient and effective access control method.

[0122] Based on the same inventive concept, and corresponding to the aforementioned whitelist-based access control method, this embodiment of the invention provides a control system including multiple user modules and an authentication module. As a preferred implementation of this application, the user modules and the authentication module employ short-range communication methods, including but not limited to NFC, BLE, and UWB.

[0123] Specifically, in this embodiment, such as Figure 8 As shown, the authentication module includes:

[0124] The acquisition unit 10 is used to access multiple user modules and acquire terminal information of each user module; the terminal information includes whitelist version 1 and offline validity period information 1; the authentication module stores whitelist version 2 and offline validity period information 2.

[0125] Access control unit 11, used for:

[0126] For any of the user modules, if the whitelist version 1 is greater than the whitelist version 2, then the authentication module allows the user module to access it.

[0127] If the whitelist version is not greater than whitelist version 2, then the authentication module compares the offline valid information 1 and the offline valid information 2.

[0128] If the two match, the authentication module allows the user module to access the system.

[0129] Furthermore, the acquisition unit 10 is specifically used for:

[0130] Obtain the authentication ciphertext between the user module and the authentication module;

[0131] The authentication ciphertext is validated, and the access information of the user module is parsed based on the validation result to obtain the terminal information.

[0132] Furthermore, such as Figure 8 As shown, the authentication module also includes:

[0133] The update unit 12 is used to update the whitelist version 2 if the whitelist version 1 is greater than the whitelist version 2, and to improve the information of the current user module in the whitelist of the authentication module.

[0134] Information improvement unit 13 is used for:

[0135] If the offline valid information 1 and offline information 2 are consistent, or after updating the whitelist version 2, determine whether the terminal information of the saved user module is complete;

[0136] If complete, the access control unit is notified to allow the user module to access;

[0137] If incomplete, the information of the current user module in the internal whitelist is completed, and the access control unit is notified to allow the user module to access.

[0138] Alternatively, in another preferred embodiment of the invention, such as Figure 9 As shown, the authentication module may include one or more processors 101, one or more input devices 102, one or more output devices 103, and a memory 104. The processors 101, input devices 102, output devices 103, and memory 104 are interconnected via a bus 105. The memory 104 stores a computer program, which includes program instructions. The processor 101 is configured to invoke the program instructions to execute the method described in the above-described method embodiment.

[0139] It should be understood that, in this embodiment of the invention, the processor 101 may be a central processing unit (CPU), but it may also be other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The general-purpose processor may be a microprocessor or any conventional processor.

[0140] Input device 102 may include a keyboard, etc., and output device 103 may include a display (LCD, etc.), a speaker, etc.

[0141] The memory 104 may include read-only memory and random access memory, and provides instructions and data to the processor 101. A portion of the memory 104 may also include non-volatile random access memory. For example, the memory 104 may also store device type information.

[0142] In specific implementations, the processor 101, input device 102, and output device 103 described in the embodiments of the present invention can execute the implementation methods described in the embodiments of the whitelist-based access control method provided in the embodiments of the present invention, which will not be repeated here.

[0143] It should be noted that for the specific workflow of the control system and authentication module in this embodiment, please refer to the aforementioned method embodiment section, which will not be repeated here.

[0144] Accordingly, embodiments of the present invention provide a computer-readable storage medium storing a computer program, the computer program including program instructions, which, when executed by a processor, implement the above-described whitelist-based access control method.

[0145] The computer-readable storage medium can be an internal storage unit of the system described in any of the foregoing embodiments, such as the system's hard disk or memory. The computer-readable storage medium can also be an external storage device of the system, such as a plug-in hard disk, Smart Media Card (SMC), Secure Digital (SD) card, or Flash Card. Furthermore, the computer-readable storage medium can include both internal storage units and external storage devices. The computer-readable storage medium is used to store the computer program and other programs and data required by the system. The computer-readable storage medium can also be used to temporarily store data that has been output or will be output.

[0146] Those skilled in the art will recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of both. To clearly illustrate the interchangeability of hardware and software, the components and steps of the various examples have been generally described in terms of functionality in the foregoing description. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of this invention.

[0147] In the several embodiments provided in this application, it should be understood that the disclosed apparatus and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative. For instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling or direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, devices or units, or may be electrical, mechanical or other forms of connection.

[0148] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of the embodiments of the present invention, depending on actual needs.

[0149] Furthermore, the functional units in the various embodiments of the present invention can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.

[0150] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0151] Please refer to this again. Figure 10 This invention also provides a whitelist update method, applicable to the aforementioned access control system, which may include:

[0152] S201, During the user module authentication process, the authentication module obtains the terminal information of the user module. The terminal information includes whitelist version 1; the authentication module stores whitelist version 2.

[0153] S202, if the whitelist version 1 is greater than the whitelist version 2, the authentication module updates the whitelist version 2.

[0154] Furthermore, the aforementioned access control system also includes a platform, and the method further includes:

[0155] If the identity of the user module changes, the platform obtains the latest whitelist data from the user module and the authentication module, and pushes the latest whitelist data to the user module and the authentication module.

[0156] If the platform fails to push the latest whitelist data to the authentication module, the method further includes:

[0157] The user module sends the latest whitelist data to the authentication module using a short-range communication method.

[0158] Furthermore, the terminal information includes validity period information, and the method further includes:

[0159] The validity period information is updated according to preset conditions;

[0160] The preset conditions include when the user module's identity changes, or when the validity period information is within a set range and the user module has network access.

[0161] As can be seen from the above description, in implementing the whitelist update scheme of this invention, the whitelist data is updated by the user module during the authentication process, without the need for pre-setting whitelist data or special maintenance of the whitelist data.

[0162] Furthermore, even when both the user module and the authentication module are offline, this whitelist update scheme ensures the smooth execution of the authentication process through short-range communication between the two modules. Moreover, this short-range communication method also guarantees timely updates of the whitelist data within both modules even when they are offline.

[0163] Furthermore, the user module incorporates an offline validity period monitoring mechanism, which can effectively monitor and restrict the use of the user module under offline conditions, thereby ensuring the executability and high efficiency and controllability of its main functions and services.

[0164] The above description is merely a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any person skilled in the art can easily conceive of various equivalent modifications or substitutions within the technical scope disclosed in the present invention, and these modifications or substitutions should all be covered within the scope of protection of the present invention. Therefore, the scope of protection of the present invention should be determined by the scope of the claims.

Claims

1. A whitelist-based access control method, characterized in that, include: The authentication module connects to multiple user modules and obtains terminal information for each user module; the terminal information includes whitelist version 1 and offline validity period information 1. The authentication module stores whitelist version 2 and offline validity period information 2; For any of the user modules, if the whitelist version 1 is greater than the whitelist version 2, then the authentication module allows the user module to access it. If the whitelist version 1 is not greater than the whitelist version 2, then the authentication module compares the offline validity information 1 and the offline validity information 2. If the two match, the authentication module allows the user module to access the system. If the whitelist version 1 is greater than the whitelist version 2, the authentication module updates the whitelist version 2 and improves the information of the current user module in the whitelist of the authentication module; the user module and the authentication module use a short-range communication method. The authentication module determines whether the stored user module terminal information is complete; If complete, the authentication module allows the user module to access it; If the information is incomplete, the authentication module completes the information of the current user module in the internal whitelist and allows the user module to access it.

2. The whitelist-based access control method as described in claim 1, characterized in that, The specific steps for obtaining the terminal information of the user module are as follows: Obtain the authentication ciphertext between the user module and the authentication module; The authentication ciphertext is validated, and the access information of the user module is parsed based on the validation result to obtain the terminal information.

3. An authentication module, characterized in that, include: The acquisition unit is used to access multiple user modules and acquire terminal information of each user module; the terminal information includes whitelist version 1 and offline validity period information 1; the authentication module stores whitelist version 2 and offline validity period information 2. Access control unit, used for: For any of the user modules, if the whitelist version 1 is greater than the whitelist version 2, then the authentication module allows the user module to access it. If the whitelist version 1 is not greater than the whitelist version 2, then the authentication module compares the offline validity information 1 and the offline validity information 2. If the two match, the authentication module allows the user module to access the system. The authentication module further includes an update unit for: If whitelist version 1 is greater than whitelist version 2, update whitelist version 2 and improve the information of the current user module in the whitelist of the authentication module; the user module and the authentication module use a short-range communication method. The authentication module also includes an information completion unit, used for: If the offline validity period information 1 and offline validity period information 2 are consistent, or after updating the whitelist version 2, determine whether the terminal information of the saved user module is complete; If complete, the access control unit is notified to allow the user module to access; If incomplete, the information of the current user module in the internal whitelist is completed, and the access control unit is notified to allow the user module to access.

4. The authentication module as described in claim 3, characterized in that, The acquisition unit is specifically used for: Obtain the authentication ciphertext between the user module and the authentication module; The authentication ciphertext is validated, and the access information of the user module is parsed based on the validation result to obtain the terminal information.

5. An authentication module, characterized in that, The system includes a processor, an input device, an output device, and a memory, which are interconnected. The memory is used to store a computer program, which includes program instructions. The processor is configured to invoke the program instructions to perform the steps of the method as described in claim 1 or 2.

6. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program, the computer program including program instructions that, when executed by a processor, cause the processor to perform the steps of the method as described in claim 1 or 2.

7. A whitelist-based access control system, comprising multiple user modules and an authentication module, characterized in that, The authentication module is as described in claim 5.

8. A whitelist update method, characterized in that, The whitelist update method is applicable to the access control system as described in claim 7; the method includes: During the user module authentication process, the authentication module obtains the terminal information of the user module; the terminal information includes whitelist version 1; the authentication module stores whitelist version 2; If whitelist version 1 is greater than whitelist version 2, the authentication module updates whitelist version 2.

9. The whitelist update method as described in claim 8, characterized in that, The access control system also includes a platform, and the method further includes: If the identity of the user module changes, the platform obtains the latest whitelist data from the user module and the authentication module, and pushes the latest whitelist data to the user module and the authentication module.

10. The whitelist update method as described in claim 9, characterized in that, If the platform fails to push the latest whitelist data to the authentication module, the method further includes: The user module sends the latest whitelist data to the authentication module using a short-range communication method.

11. The whitelist update method as described in claim 10, characterized in that, The terminal information includes validity period information, and the method further includes: The validity period information is updated according to preset conditions; The preset conditions include when the user module's identity changes, or when the validity period information is within a set range and the user module has network access.